Meet the man-in-the-middle of your next security crisis

That pesky, stealthy man-in-the-middle shows up everywhere from the cloud to SSL. You could be at a disadvantage if you don’t know where he’ll strike next.

Man-in-the-middle attacks are pesky and stealthy maneuvers that show up everywhere from the cloud to SSL. They appear as attackers find ways to secretly insert themselves between any two points of communication in any new or existing technologies.

“Any communications path can have its own form and methods to exploit MITM attacks,” says Michael H. Davis, CISO, American Bureau of Shipping.

You could be at a disadvantage if you don’t know where he’ll strike next. CSO presents an array of MITM attacks, detailing methods to secure the enterprise against them. For this medley of MITM threats, CSO takes a look at fake Wi-Fi access points, Session Hijacking, DNS Spoofing, SSL Hijacking, ARP Cache Poisoning, and Man-in-the-Cloud attacks.

The fake Wi-Fi access point MITM attack is one of the more common relay attacks out there, says Davis. Using commonly available tools such as Kali Linux, Aircrack-ng, Wireshark, and Ettercap, an attacker captures wireless traffic, identifies users on a WLAN, and determines the access point they use. The cyber thief can then log them off their existing connection and get them to reconnect to a cloned version of the access point instead.

Session Hijacking occurs when an attacker compromises the security token for the web browser session occurring between the end-user and the web server. This enables the cyber crook to access the web server, the user, or both. There are a number of ways to go about this including packet sniffing the session for the session ID, guessing session IDs that are not long enough, and launching man-in-the-browser attacks, which use a proxy Trojan horse to tap communications between the server and browser.

DNS Spoofing preys on unsecured DNS servers, replacing cached records of domain name and IP address associations using false IPs that could for example, lead someone surfing to to land on an IP address designated by the attacker. These attacks work where the DNS server does not check the associations it receives using a legitimate authority.

Amichai Shulman, CTO, Imperva and head of Imperva’s Application Defense Center

SSL Hijacking insinuates the attacker into the handshake and encryption process. The attack uses an attack demonstration / proof of concept tool created by a computer security researcher who works under the pseudonym Moxie Marlinspike. The tool runs the SSLStrip attack, which is easily identified by the fact that a site that would normally produce a link in the URL that starts with https:// now produces a link that starts with http://.

ARP Cache Poisoning attacks the ARP protocol that translates IP addresses to the MAC addresses of the associated machines. As soon as this translation completes for the first time, the address resolution data reside in a cache, known as the ARP cache. ARP Poisoning sends bogus IP-to-MAC associations in ARP replies, causing hosts on the network to update their ARP caches with false information, which enables the attacker to impersonate the machine that has the true corresponding MAC address for that IP address and receive data intended for the genuine host.

Man-in-the-Cloud attacks steal OAuth tokens in order to target the automated synchronization processes of file sharing tools. Box, Dropbox, Google Drive, and OneDrive are examples of these tools, which synchronize data across devices automatically. These tools use OAuth tokens to validate the user. An attacker phishes a user, grabbing the OAuth token from their machine. The attacker places the token on their own device and the file sharing tool synchronizes shared data to their device as well. “It is possible for an attacker to maintain the synchronization activity with the victim’s account from anywhere, anytime without notification to the account owner,” says Amichai Shulman, CTO, Imperva and head of Imperva’s Application Defense Center (ADC).

Silencing the eavesdropping Man-in-the-Middle

Fake Wi-Fi access points use SSIDs of the same name as the cloned access point, boost their signal so it’s stronger than that of the genuine access point, and count on devices using auto-connect to automatically reconnect the device to the access point of the same name with the strongest signal. To avoid this attack, do not use auto-connect but rather examine available SSIDs and pay attention when two access points present themselves using the same name.

Session Hijacking leverages vulnerabilities and tools such as weak (short) session IDs, packet sniffing, or proxy Trojan horses. The enterprise should use strong session IDs, secure traffic using technologies such as IPsec and VPN, and use virtual machines that you can close when infected and reopen anew with no infection.

By using DNSSEC and DNSSEC extensions to secure DNS, enterprises can secure DNS against DNS Spoofing. For SSLStripping, consider certificate management tools based on the most recent version of TLS and avoid using SSL. Check endpoint authentication technologies such as TLS for vulnerabilities. “The RC4 cipher in TLS is vulnerable to MITM attacks and you should avoid using it,” says Shulman. Make sure to properly configure TLS and other authentication methods.

It will help the enterprise to used layered protection including deep packet network traffic monitoring tools in order to address ARP Cache Poisoning and other MITM attacks. “This will help the enterprise to identify probe packets and to track those sources early on,” says Davis. It is important to secure these security tools themselves as well.

Enterprises should consider using cloud access security brokers (CASB) to thwart Man-in-the-Cloud attacks. These brokers check adherence to existing enterprise security policies, which can separate attackers from authorized users. “Monitoring the access and usage patterns of enterprise cloud services by enterprise users using a CASB can effectively detect and flag anomalies in real-time,” says Shulman.

Join the CSO newsletter!

Error: Please check your email address.

More about ADCCacheCSODropboxGoogleImpervaLinux

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by By David Geer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place