


by David Geer

Meet the man-in-the-middle of your next security crisis

Oct 28, 2015
Advanced Persistent Threats, Cloud Security, Cybercrime

That pesky, stealthy man-in-the-middle shows up everywhere from the cloud to SSL. You could be at a disadvantage if you don’t know where he’ll strike next.


Man-in-the-middle attacks are pesky and stealthy maneuvers that show up everywhere from the cloud to SSL. They appear as attackers find ways to secretly insert themselves between any two points of communication in any new or existing technologies.

“Any communications path can have its own form and methods to exploit MITM attacks,” says Michael H. Davis, CISO, American Bureau of Shipping.

You could be at a disadvantage if you don’t know where he’ll strike next. CSO presents an array of MITM attacks, detailing methods to secure the enterprise against them. For this medley of MITM threats, CSO takes a look at fake Wi-Fi access points, Session Hijacking, DNS Spoofing, SSL Hijacking, ARP Cache Poisoning, and Man-in-the-Cloud attacks.

The fake Wi-Fi access point MITM attack is one of the more common relay attacks out there, says Davis. Using commonly available tools such as Kali Linux, Aircrack-ng, Wireshark, and Ettercap, an attacker captures wireless traffic, identifies users on a WLAN, and determines the access point they use. The cyber thief can then log them off their existing connection and get them to reconnect to a cloned version of the access point instead.

Session Hijacking occurs when an attacker compromises the security token for the web browser session occurring between the end-user and the web server. This enables the cyber crook to access the web server, the user, or both. There are a number of ways to go about this including packet sniffing the session for the session ID, guessing session IDs that are not long enough, and launching man-in-the-browser attacks, which use a proxy Trojan horse to tap communications between the server and browser.

DNS Spoofing preys on unsecured DNS servers, replacing cached records of domain name and IP address associations with false IPs that could, for example, lead someone browsing the web to land on an IP address designated by the attacker. These attacks work where the DNS server does not check the associations it receives against a legitimate authority.


SSL Hijacking insinuates the attacker into the handshake and encryption process. The attack uses an attack demonstration / proof-of-concept tool created by the computer security researcher who works under the pseudonym Moxie Marlinspike. The tool runs the SSLStrip attack, which is easily identified by the fact that a site that would normally be reached through a URL starting with https:// is now delivered through one starting with http://.

ARP Cache Poisoning attacks the ARP protocol that translates IP addresses to the MAC addresses of the associated machines. As soon as this translation completes for the first time, the address resolution data reside in a cache, known as the ARP cache. ARP Poisoning sends bogus IP-to-MAC associations in ARP replies, causing hosts on the network to update their ARP caches with false information, which enables the attacker to impersonate the machine that has the true corresponding MAC address for that IP address and receive data intended for the genuine host.

Man-in-the-Cloud attacks steal OAuth tokens in order to target the automated synchronization processes of file sharing tools. Box, Dropbox, Google Drive, and OneDrive are examples of these tools, which synchronize data across devices automatically. These tools use OAuth tokens to validate the user. An attacker phishes a user, grabbing the OAuth token from their machine. The attacker places the token on their own device and the file sharing tool synchronizes shared data to their device as well. “It is possible for an attacker to maintain the synchronization activity with the victim’s account from anywhere, anytime without notification to the account owner,” says Amichai Shulman, CTO, Imperva and head of Imperva’s Application Defense Center (ADC).

Silencing the eavesdropping Man-in-the-Middle

Fake Wi-Fi access points use SSIDs of the same name as the cloned access point, boost their signal so it’s stronger than that of the genuine access point, and count on devices using auto-connect to automatically reconnect the device to the access point of the same name with the strongest signal. To avoid this attack, do not use auto-connect but rather examine available SSIDs and pay attention when two access points present themselves using the same name.
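The "two access points with the same name" check above can be automated on the defender's side. The following is an added example, not code from the article or from any of the tools it names: it takes a list of scanned access points and an inventory of the BSSIDs (AP MAC addresses) the enterprise actually deployed, both constructed here, and flags any AP that advertises a known SSID from an unknown BSSID, noting whether it is louder than every legitimate AP with that name.

```python
"""Flag access points that share an SSID with a known AP but use an unknown BSSID.

Added example, not from the article. SCAN_RESULTS and KNOWN_BSSIDS are
constructed; a real deployment would feed in wireless scan output and the
enterprise's own AP inventory.
"""
from collections import defaultdict

# Constructed scan results: SSID, BSSID (AP MAC address), signal strength in dBm.
SCAN_RESULTS = [
    {"ssid": "CorpWiFi", "bssid": "aa:bb:cc:00:00:01", "signal": -61},
    {"ssid": "CorpWiFi", "bssid": "aa:bb:cc:00:00:02", "signal": -66},
    {"ssid": "CorpWiFi", "bssid": "de:ad:be:ef:12:34", "signal": -38},
    {"ssid": "GuestNet", "bssid": "aa:bb:cc:00:00:03", "signal": -70},
]

# Hypothetical inventory of the BSSIDs the enterprise actually deployed.
KNOWN_BSSIDS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"}


def find_suspect_access_points(scan, known_bssids):
    """Return one finding per AP whose BSSID is not in the inventory.

    An unknown BSSID advertising the same SSID as a known AP, especially one
    louder than every legitimate AP, matches the cloned-AP pattern.
    """
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap["ssid"]].append(ap)

    findings = []
    for ssid, aps in by_ssid.items():
        known = [a for a in aps if a["bssid"].lower() in known_bssids]
        strongest_known = max((a["signal"] for a in known), default=None)
        for ap in aps:
            if ap["bssid"].lower() in known_bssids:
                continue
            findings.append({
                "ssid": ssid,
                "bssid": ap["bssid"],
                "signal": ap["signal"],
                "shares_ssid_with_known_ap": bool(known),
                "louder_than_known_aps": (
                    strongest_known is not None and ap["signal"] > strongest_known
                ),
            })
    return findings


def safe_to_autoconnect(ssid, scan, known_bssids):
    """Client-side policy: only auto-join an SSID when no suspect AP advertises it."""
    return not any(f["ssid"] == ssid
                   for f in find_suspect_access_points(scan, known_bssids))


if __name__ == "__main__":
    for finding in find_suspect_access_points(SCAN_RESULTS, KNOWN_BSSIDS):
        print(finding)
    print("auto-connect CorpWiFi:", safe_to_autoconnect("CorpWiFi", SCAN_RESULTS, KNOWN_BSSIDS))
```

The check is deliberately conservative: it needs an inventory of legitimate BSSIDs, because an SSID alone says nothing about who operates the radio, and it treats a loud unknown AP with a familiar name as the highest-priority finding.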

Session Hijacking leverages vulnerabilities and tools such as weak (short) session IDs, packet sniffing, or proxy Trojan horses. The enterprise should use strong session IDs, secure traffic using technologies such as IPsec and VPN, and use virtual machines that you can close when infected and reopen anew with no infection.
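What "strong session ID" means in practice is a matter of entropy. The following is an added example, not from the article: it bounds the entropy of a session identifier from its length and alphabet, compares it with a 64-bit threshold (an assumption borrowed from common session-management guidance, not a figure the article gives), and generates identifiers from the operating system's CSPRNG.

```python
"""Measure session-identifier strength and generate strong identifiers.

Added example, not from the article. MIN_ENTROPY_BITS is an assumed policy
threshold; adjust it to local requirements.
"""
import math
import secrets
import string

MIN_ENTROPY_BITS = 64                                       # assumed policy floor
URLSAFE_ALPHABET = string.ascii_letters + string.digits + "-_"  # 64 symbols


def session_id_entropy_bits(session_id, alphabet):
    """Upper bound on entropy, assuming each symbol is drawn uniformly from alphabet."""
    if not session_id or any(ch not in alphabet for ch in session_id):
        raise ValueError("session id contains symbols outside the stated alphabet")
    return len(session_id) * math.log2(len(alphabet))


def is_strong_session_id(session_id, alphabet, min_bits=MIN_ENTROPY_BITS):
    """True when the identifier's entropy bound meets the policy floor."""
    return session_id_entropy_bits(session_id, alphabet) >= min_bits


def expected_guesses(entropy_bits):
    """Average number of guesses to hit one specific identifier by brute force."""
    return 2 ** (entropy_bits - 1)


def generate_session_id(nbytes=32):
    """CSPRNG-backed identifier: 32 random bytes -> 43 URL-safe characters (~256 bits)."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    weak = "000123"  # constructed: a 6-digit numeric session id
    print(weak, "bits:", round(session_id_entropy_bits(weak, string.digits), 1),
          "strong:", is_strong_session_id(weak, string.digits))
    strong = generate_session_id()
    print(strong, "bits:", round(session_id_entropy_bits(strong, URLSAFE_ALPHABET), 1),
          "strong:", is_strong_session_id(strong, URLSAFE_ALPHABET))
```

The entropy figure is an upper bound: it only holds if the generator really is uniform, which is why the generator uses `secrets` rather than `random`.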

Enterprises can secure DNS against DNS Spoofing by using DNSSEC (the DNS Security Extensions). For SSLStripping, consider certificate management tools based on the most recent version of TLS and avoid using SSL. Check endpoint authentication technologies such as TLS for vulnerabilities. “The RC4 cipher in TLS is vulnerable to MITM attacks and you should avoid using it,” says Shulman. Make sure to properly configure TLS and other authentication methods.
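"Properly configure TLS" and "avoid RC4" can be checked in code. The following is an added example, not from the article: it builds a client-side TLS context with Python's standard `ssl` module that refuses anything below TLS 1.2 and excludes RC4, MD5 and anonymous suites, and it audits a cipher list and minimum version against that policy so the same check can be run over a configuration being reviewed. The weak-marker list is an assumption of this example.

```python
"""Build a hardened TLS client context and audit a TLS policy for weak settings.

Added example, not from the article. WEAK_CIPHER_MARKERS is an assumed list of
substrings that identify cipher suites to reject.
"""
import ssl

WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")  # assumed reject list


def build_hardened_client_context():
    """Client context: TLS 1.2 minimum, AEAD suites with forward secrecy only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # also enables cert + hostname checks
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4")
    ctx.load_default_certs()
    return ctx


def audit_tls_policy(cipher_names, minimum_version):
    """Return a list of findings for weak suites or a too-low minimum version."""
    findings = []
    for name in cipher_names:
        upper = name.upper()
        for marker in WEAK_CIPHER_MARKERS:
            if marker in upper:
                findings.append(f"weak cipher suite enabled: {name}")
                break
    if minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version too low: {minimum_version.name}")
    return findings


def audit_context(ctx):
    """Audit a live SSLContext by reading back its negotiated cipher list."""
    return audit_tls_policy([c["name"] for c in ctx.get_ciphers()], ctx.minimum_version)


if __name__ == "__main__":
    print("hardened context findings:", audit_context(build_hardened_client_context()))
    # Constructed weak policy for comparison: RC4 enabled and TLS 1.0 still allowed.
    print("weak policy findings:",
          audit_tls_policy(["RC4-SHA", "ECDHE-RSA-AES128-GCM-SHA256"], ssl.TLSVersion.TLSv1))
```

Reading the policy back with `get_ciphers()` rather than trusting the configuration string matters: the OpenSSL build underneath decides which suites the string actually enables.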

It will help the enterprise to use layered protection, including deep-packet network traffic monitoring tools, in order to address ARP Cache Poisoning and other MITM attacks. “This will help the enterprise to identify probe packets and to track those sources early on,” says Davis. It is important to secure these security tools themselves as well.
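The monitoring Davis describes, applied to ARP, comes down to watching for an IP address whose MAC mapping changes, the signature of the bogus replies described in the ARP Cache Poisoning paragraph above. The following is an added example in the spirit of tools such as arpwatch, not code from the article: it runs over constructed ARP reply log lines, optionally checks them against a trusted IP-to-MAC table, and reports every mapping change plus the hosts whose mapping keeps flapping.

```python
"""Detect IP-to-MAC mapping changes in a stream of ARP replies.

Added example, not from the article. ARP_LOG and TRUSTED_MAPPINGS are
constructed; the "<time> <ip> is-at <mac>" line format is an assumption of this
example, not a real tool's output.
"""
import re
from collections import Counter

# Constructed ARP reply log: the gateway 10.0.0.1 is later claimed by a second MAC.
ARP_LOG = """\
12:00:01 10.0.0.1 is-at 00:11:22:33:44:01
12:00:02 10.0.0.7 is-at 00:11:22:33:44:07
12:00:03 10.0.0.1 is-at 00:11:22:33:44:01
12:00:09 10.0.0.1 is-at de:ad:be:ef:00:99
12:00:10 10.0.0.1 is-at 00:11:22:33:44:01
12:00:11 10.0.0.1 is-at de:ad:be:ef:00:99
"""

# Hypothetical trusted table for hosts that must never change MAC (e.g. the gateway).
TRUSTED_MAPPINGS = {"10.0.0.1": "00:11:22:33:44:01"}

LINE_RE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}) is-at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})$")


def detect_arp_changes(log_text, trusted=None):
    """Return one alert per ARP reply that contradicts the expected MAC for an IP.

    The expected MAC is the trusted table entry if present, otherwise the first
    MAC seen for that IP (a learning baseline, as arpwatch-style tools keep).
    """
    trusted = trusted or {}
    learned = {}
    alerts = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # ignore anything that is not an ARP reply in the assumed format
        ts, ip, mac = match.groups()
        mac = mac.lower()
        expected = trusted.get(ip) or learned.setdefault(ip, mac)
        if mac != expected:
            alerts.append({"time": ts, "ip": ip, "expected": expected, "seen": mac})
    return alerts


def flapping_hosts(alerts, threshold=2):
    """IPs that contradicted their expected MAC at least `threshold` times."""
    counts = Counter(a["ip"] for a in alerts)
    return {ip for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = detect_arp_changes(ARP_LOG, TRUSTED_MAPPINGS)
    for alert in found:
        print(alert)
    print("flapping:", flapping_hosts(found))
```

Repeated alternation between two MACs for one IP, as the constructed log shows for 10.0.0.1, is the pattern to prioritise: a single change can be a legitimate hardware swap, while flapping between the real address and a stranger is what the bogus-reply technique looks like from the wire.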

Enterprises should consider using cloud access security brokers (CASB) to thwart Man-in-the-Cloud attacks. These brokers check adherence to existing enterprise security policies, which can separate attackers from authorized users. “Monitoring the access and usage patterns of enterprise cloud services by enterprise users using a CASB can effectively detect and flag anomalies in real-time,” says Shulman.