Man in the Middle (MITM) Attack

What is a MITM attack

A man in the middle (MITM) attack is a general term for when a perpetrator positions himself in a conversation between a user and an application—either to eavesdrop or to impersonate one of the parties, making it appear as if a normal exchange of information is underway.

The goal of an attack is to steal personal information, such as login credentials, account details and credit card numbers. Targets are typically the users of financial applications, SaaS businesses, e-commerce sites and other websites where logging in is required.

Information obtained during an attack could be used for many purposes, including identity theft, unapproved fund transfers or an illicit password change.

Additionally, it can be used to gain a foothold inside a secured perimeter during the infiltration stage of an advanced persistent threat (APT) assault.

Broadly speaking, a MITM attack is the equivalent of a mailman opening your bank statement, writing down your account details and then resealing the envelope and delivering it to your door.


MITM attack progression

Successful MITM execution has two distinct phases: interception and decryption.

Interception

The first step intercepts user traffic through the attacker’s network before it reaches its intended destination.

The most common (and simplest) way of doing this is a passive attack in which an attacker makes free, malicious WiFi hotspots available to the public. Typically named in a way that corresponds to their location, they aren’t password protected. Once a victim connects to such a hotspot, the attacker gains full visibility to any online data exchange.

Attackers wishing to take a more active approach to interception may launch one of the following attacks:

  • IP spoofing involves an attacker disguising himself as an application by forging the source IP address in packet headers. As a result, users attempting to access a URL connected to the application are sent to the attacker’s website.
  • ARP spoofing is the process of linking an attacker’s MAC address with the IP address of a legitimate user on a local area network using fake ARP messages. As a result, data sent by the user to the host IP address is instead transmitted to the attacker.
  • DNS spoofing, also known as DNS cache poisoning, involves infiltrating a DNS server and altering a website’s address record. As a result, users attempting to access the site are sent by the altered DNS record to the attacker’s site.
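The defensive counterpart of the ARP spoofing described above: a small Python detector, added here as an illustration and not part of the original article, that reads tcpdump-style ARP reply lines and flags an IP whose announced MAC changes, or one MAC that claims several IPs (the pattern of a host poisoning both the victim and the gateway). The log lines and addresses are constructed samples; the assumed line format is tcpdump's `ARP, Reply <ip> is-at <mac>`.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style ARP reply lines (sample input, not a real capture).
# The gateway 192.168.1.1 is first announced by its real MAC; later a host at
# ...ee:99 claims both the gateway's IP and the victim's IP, the pattern of a
# station inserting itself between the two.
SAMPLE_ARP_LOG = """\
10:00:01.000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:dd:ee:01
10:00:01.500 ARP, Reply 192.168.1.20 is-at aa:bb:cc:dd:ee:20
10:00:05.000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:dd:ee:99
10:00:05.100 ARP, Reply 192.168.1.20 is-at aa:bb:cc:dd:ee:99
10:00:09.000 ARP, Reply 192.168.1.30 is-at aa:bb:cc:dd:ee:30
"""

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+(?:\.\d+){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$", re.IGNORECASE)

def detect_arp_spoofing(log_text):
    """Return (timestamp, kind, detail) alerts for two ARP-poisoning signs:
    an IP whose announced MAC changes, and one MAC announcing several IPs.
    Both are heuristics: DHCP churn or a multi-homed router can trigger them."""
    ip_to_mac = {}                 # last MAC seen for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    alerts = []
    for line in log_text.splitlines():
        m = ARP_REPLY.match(line.strip())
        if not m:
            continue  # not an ARP reply, or a line in another format
        ts, ip, mac = m["ts"], m["ip"], m["mac"].lower()
        known = ip_to_mac.get(ip)
        if known and known != mac:
            alerts.append((ts, "ip-rebound", f"{ip} moved {known} -> {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append((ts, "mac-multi-ip",
                           f"{mac} claims {sorted(mac_to_ips[mac])}"))
    return alerts

if __name__ == "__main__":
    for ts, kind, detail in detect_arp_spoofing(SAMPLE_ARP_LOG):
        print(ts, kind, detail)
```

On a real network the same logic can be fed from a capture filter such as `tcpdump -n arp`, with a whitelist for routers that legitimately answer for several addresses.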

Decryption

After interception, any two-way SSL traffic needs to be decrypted without alerting the user or application. A number of methods exist to achieve this:

  • HTTPS spoofing sends a phony certificate to the victim’s browser once the initial connection request to a secure site is made. It holds a digital thumbprint associated with the compromised application, which the browser verifies according to an existing list of trusted sites. The attacker is then able to access any data entered by the victim before it’s passed to the application.
  • SSL BEAST (browser exploit against SSL/TLS) targets a TLS version 1.0 vulnerability in SSL. Here, the victim’s computer is infected with malicious JavaScript that intercepts encrypted cookies sent by a web application. Then the app’s cipher block chaining (CBC) is compromised so as to decrypt its cookies and authentication tokens.
  • SSL hijacking occurs when an attacker passes forged authentication keys to both the user and application during a TCP handshake. This sets up what appears to be a secure connection when, in fact, the man in the middle controls the entire session.
  • SSL stripping downgrades an HTTPS connection to HTTP by intercepting the TLS authentication sent from the application to the user. The attacker sends an unencrypted version of the application's site to the user while maintaining the secured session with the application. Meanwhile, the user’s entire session is visible to the attacker.

Man in the middle attack prevention

Blocking MITM attacks requires several practical steps on the part of users, as well as a combination of encryption and verification methods for applications.

For users, this means:

  • Avoiding WiFi connections that aren’t password protected.
  • Paying attention to browser notifications reporting a website as being unsecured.
  • Immediately logging out of a secure application when it’s not in use.
  • Not using public networks (e.g., coffee shops, hotels) when conducting sensitive transactions.

For website operators, secure communication protocols, including TLS and HTTPS, help mitigate spoofing attacks by robustly encrypting and authenticating transmitted data. Doing so prevents the interception of site traffic and blocks the decryption of sensitive data, such as authentication tokens.

It is considered best practice for applications to use SSL/TLS to secure every page of their site and not just the pages that require users to log in. Doing so helps decrease the chance of an attacker stealing session cookies from a user browsing on an unsecured section of a website while logged in.
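To check that a site actually closes the SSL-stripping and session-cookie gaps discussed above, here is an added Python audit (example code, not the article's own) that inspects a raw HTTP response for a Strict-Transport-Security policy and for cookies missing the Secure and HttpOnly flags. The two responses it inspects are constructed samples, and the one-year HSTS threshold is an assumption.

```python
import re

# Constructed sample responses (not captured from any real site): the weak one
# is what a stripping or cookie-sniffing attacker hopes to see.
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=abc123; Path=/
"""

HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
"""

MIN_HSTS_AGE = 31536000  # one year; assumed threshold, matching preload-list rules

def audit_response(raw):
    """Return findings for a raw HTTP response: a missing or short HSTS policy
    (a stripped http:// visit would be accepted) and cookies a browser would also
    send over plain HTTP or hand to injected script."""
    # Header names lower-cased; kept as a list because Set-Cookie may repeat.
    headers = [(n.strip().lower(), v.strip()) for n, _, v in
               (line.partition(":") for line in raw.strip().splitlines()[1:])]
    findings = []
    hsts = [v for n, v in headers if n == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security: a downgraded http:// visit is accepted")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.IGNORECASE)
        age = int(m.group(1)) if m else 0
        if age < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age {age} is below {MIN_HSTS_AGE}")
        if "includesubdomains" not in hsts[0].lower():
            findings.append("HSTS lacks includeSubDomains: subdomains can still be stripped")
    for n, v in headers:
        if n != "set-cookie":
            continue
        name = v.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in v.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure: sent in clear on any http:// page")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly: readable by injected script")
    return findings
```

Feeding it the headers of a real response (for example from `curl -sI https://example.invalid`) gives an empty list only when the site sends HSTS and marks its cookies as shown in the hardened sample.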

How to protect from packet sniffers

What Are Packets?

When using the internet to send emails, access bank accounts, upload images, or even type in a URL, the data being sent is broken into pieces. These pieces, or packets, are sent from your computer to the receiving end. The receiving end could be another computer or a server.

These packets must travel through the Internet to their destination, which could leave the packets vulnerable to packet sniffers.

What Is A Packet Sniffer?

A packet sniffer, also known as a packet or protocol analyzer, is a tool that intercepts and logs the traffic between two computers on a network. A packet sniffer can be bought and used as an independent physical piece of hardware or run as software on a computer.

The software would use the device’s network card to monitor network traffic. A popular and open-source packet sniffer is Wireshark, which is typically used by security researchers as a penetration testing program.

How Does A Packet Sniffer Work?

For wired networks, a packet sniffer can see all or only a portion of the traffic being transmitted, depending on the configuration of the network switches.

For wireless networks, a packet sniffer is only able to scan one channel at a time. If the host device running the packet sniffer has multiple wireless network interfaces then it is possible to scan multiple channels.

Who Uses Packet Sniffers?

The original purpose of a packet sniffer was administrative: penetration testing and monitoring the traffic on a network. Network admins utilize packet sniffers on a corporate network to run diagnostics and to troubleshoot problems.

Hackers now use packet sniffers to steal information and data from victims. Traffic is more susceptible to being seen and stolen when it is sent on an unencrypted network.

Sometimes, packet sniffers can be used with other tools and programs to intercept and manipulate packets. These manipulated packets can be used to deliver malware and malicious content.

Public wireless networks are especially susceptible to packet sniffing attacks, as they are usually unprotected and can be connected to by anyone.

Protecting Yourself From Packet Sniffers

Aside from refraining from using public networks, encryption is your best bet to protect yourself from potential packet sniffers. Using HTTPS, the secure version of HTTP, will prevent packet sniffers from seeing the traffic on the websites you are visiting.

To make sure you are using HTTPS, check the upper left corner of your browser.

One effective way to protect yourself from packet sniffers is to tunnel your connection through a virtual private network, or VPN.

A VPN encrypts the traffic being sent between your computer and the destination. This includes information being used on websites, services, and applications. A packet sniffer would only see encrypted data being sent to your VPN service provider.

Security Briefs

On September 25, 2017, hackers gained access to Deloitte’s global email server through an administrative account that was not properly secured. Ensure your network is prepared to ward off hackers from gaining access to your business-sensitive information. Find out what we know about the breach, how the attack took place and what we can learn from this breach.

On September 7, 2017, a large-scale data breach was announced. Equifax, one of the three major credit reporting agencies, revealed that a data breach may have affected 143 million consumers by exposing Social Security numbers and other personal information. Learn what Equifax revealed, who was affected and steps you can take to protect your personal information.

On May 3, 2017, a massive phishing attack targeted Google Docs, and anyone with a Gmail account was a potential victim. Learn how the attack slipped by Google, how this type of phishing attack was different and tips to avoid becoming a phishing attack victim.

Read this security brief to better understand how the Dyn DDoS attack in October 2016 took place, and what you can do to ensure your devices don’t fall victim to hackers.

Locky: Security Brief

Find out what Locky ransomware is, how it’s spread, how it works and what you can do to protect yourself and your network.

COVID-19 - Tips for Working from Home

At this time, when we are confined to studying and working from home (while the pandemic develops), we must take precautions on our home network, which has become a new link in the chain of connection between our children's studies and their school, and between our work and the office.

Generally, both at work and at school, our devices are contained and protected by the local network of the place (company / school), which can filter / block dangerous content through firewalls. But a home network normally does not have those protection tools that would protect our devices, and even more so our information and privacy (by information we mean our files, photos, videos, email accounts, home banking access, camera systems, etc.)

Keep your home Wi-Fi properly configured.

It is advisable to use complex Wi-Fi passwords; a complex combination is harder to crack by brute force (which is what hackers use to obtain them). Do not use names or dates that can be associated with family members, or the home address, and much less the usual 123456, 1234, 1111, etc.

An example of a complex but easy-to-remember password could be: #2000Perritosjuegan# This way you use symbols (#), an uppercase letter (P), numbers (2000) and a phrase.

In times of crisis, hackers are ready to steal data from people and companies, or to hijack computers (ransomware), encrypting them and demanding a ransom to recover their files (I know of real cases of this).

If you do not need to be online all the time while working, turning off the PC's Wi-Fi and Bluetooth is one way to increase security. The same goes for the phone's Bluetooth if it is not in use.

Do not share your Wi-Fi with third parties, since without control over other devices we cannot guarantee that they are not infected and will not compromise our network. If you have an off-the-shelf router (TP-Link, Linksys, D-Link, etc.), change its password! That is one of the most vulnerable points of the network, since all the traffic from your devices passes through it.

Take care of your digital information.

Keep your computer's operating system up to date with the latest Windows or iOS (Mac) updates and do not skip the latest security updates. The same goes for antivirus and antimalware programs (they address different threats). Also do not forget to back up your files regularly to an external disk or a USB drive so that your data is safe in the event of a problem, attack or error.

Protect yourself with passwords.

All digital devices must be protected with a PIN or a secure password, whether a phone, tablet or notebook. And keep your passwords on paper as well; many people store them in the browser because it is convenient, but if they are attacked a hacker could obtain them. Always keep your devices locked with a password, even at home.

Be careful about clicking anywhere.

Phishing is a fraudulent attempt to obtain confidential information by posing as an entity or person known to the victim. And statistics indicate that it succeeds in one third of incidents. Do not click on attachments sent by strangers or that you did not request. This is also seen in the advertising that appears on the pages we visit: have you never seen an ad that says “Is your PC slow? Click here to check it”? At the moment of the click we are being redirected to a site that can infect the PC.

Mobile applications.

There are numerous scams circulating that use the COVID-19 topic in different ways, in the form of advice, information, videos, etc. But clicking on them can be the entry point for an infection or the installation of malware that compromises the security of the computer or phone. I always say that in any free mobile application, the price is our information, whether to receive targeted advertising or to spy on our behavior.

When you install a little game or another app, check what permissions it requests: a game should not need access to our contacts, photos or videos.

Recommended free software

Note: Never download software from Softonic; always download from the official site.

Antivirus: Kaspersky Free Antivirus, Avast Free Antivirus.

Antimalware: Malwarebytes

Firewall: The one that comes with Windows, or ZoneAlarm Free Firewall.

Ad blocking: Adblock Plus (download it from adblockplus.org)