Often we have conversations in which confidential information flows between us and another party. Now consider the possibility that information leaks during such a communication. What kind of attack could this be, when both parties are sure that no one else was involved? Or was someone intercepting the conversation? In such scenarios it is most likely that you encountered what is known as a man in the middle attack.
In a man in the middle attack, the attacker inserts himself between the victim systems and their gateway, so that all traffic between them passes through him. He can then sniff and modify information at will.
Possible at both the Intranet and the Internet level, a man in the middle attack is one of the most common and dangerous kinds of attack. You may not even realise that you are affected, since the attack is more or less passive in nature. Unlike a phishing attack, it does not require the user to enter any information for it to succeed. During (or after) a man in the middle attack you will not notice that your traffic is being intercepted, unless the attacker makes a modification that gives him away.
Possibility of these attacks: Man in the middle attacks are quite prevalent, and freely available hacking tools allow attackers to set them up almost automatically. Typically, an Intranet is less protected than the external network, because it is generally assumed that the people working in an organisation are trustworthy. However, a malicious employee may be able to intercept all the data on the network, from the CEO's email to other internal communication, which can be extremely damaging. Such man in the middle attacks over the Intranet are most common in companies with a strong, tech-savvy team, where an employee intercepts traffic and confidential information leaks as a result.
On the other hand, a man in the middle attack can be just as damaging on an external network. If you use a public network to access confidential information, there is a real possibility of that information being intercepted by an attacker.
Identifying attacks: Detecting a man in the middle attack can be very difficult, and there are very few methods to do so; here prevention is better than cure. As a rule, do not use public networks for any confidential work (or even for checking your personal email). It is best to use a public network only for basic purposes like reading the news, so that even if your traffic is intercepted the damage is limited or nil.
Man in the middle attacks are prevalent in companies that do not use secure email. Today email is the lifeline of many organisations, yet we find that a lot of them (especially in India) still use unencrypted email. The attacker can then literally read the contents of messages as they cross the network; there is no encryption or other protective measure stopping him from accessing that information.
Preventive measures: To catch internal man in the middle attacks you can set up an intrusion detection system (IDS). The IDS monitors your network and raises an immediate alert if someone tries to hijack the traffic flow. The downside of an IDS is that it may raise false alerts many times, which leads users to disable it, so tuning its rules to the network is part of deploying one.
Tools that watch the address resolution protocol (ARP) for suspicious changes, like XArp or ArpON, and switch features such as DHCP snooping combined with dynamic ARP inspection (DAI), which drops ARP replies that do not match the snooped IP-to-MAC bindings, can limit or prevent ARP spoofing. Since ARP spoofing is the usual way an attacker inserts himself between hosts and the gateway on a LAN, this in turn helps you prevent man in the middle attacks.
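The following is an added example written for this edit; it is not code from the original article or from XArp or ArpON. It shows the core of what an ARP-watching tool or an IDS rule does for the two preceding points: it parses raw Ethernet/ARP frames, learns the IP-to-MAC mapping from the first reply seen for each address, and raises an alert when an address (in particular the gateway) suddenly answers from a different hardware address, or when the ARP sender address disagrees with the Ethernet source. All frames, addresses and the gateway IP are constructed sample data; on a real network you would feed it frames captured from the interface.

```python
"""Minimal ARP-spoofing detector (added example, not from the article)."""
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a raw Ethernet+ARP reply frame (used here only to construct sample input)."""
    eth = ETH_HDR.pack(mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, ARP_REPLY,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet II frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, eth_src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {"op": op, "sha": mac_str(sha), "spa": ip_str(spa), "eth_src": mac_str(eth_src)}


class ArpMonitor:
    """Keeps an IP -> MAC table from observed ARP replies and flags changes."""

    def __init__(self, gateway_ip, gateway_mac=None):
        self.gateway_ip = gateway_ip
        self.table = {}
        if gateway_mac:
            # Pinning the gateway up front is the equivalent of a static ARP entry.
            self.table[gateway_ip] = gateway_mac
        self.alerts = []

    def observe(self, frame):
        """Inspect one frame; return an alert string or None."""
        a = parse_arp(frame)
        if a is None or a["op"] != ARP_REPLY:
            return None
        if a["sha"] != a["eth_src"]:
            # Sender hardware address and Ethernet source normally agree; a mismatch is suspicious.
            alert = f"MAC mismatch for {a['spa']}: ARP says {a['sha']}, frame from {a['eth_src']}"
            self.alerts.append(alert)
            return alert
        known = self.table.get(a["spa"])
        if known is None:
            self.table[a["spa"]] = a["sha"]   # first sighting: learn it
            return None
        if known != a["sha"]:
            kind = "GATEWAY" if a["spa"] == self.gateway_ip else "host"
            alert = f"{kind} {a['spa']} changed from {known} to {a['sha']}"
            self.alerts.append(alert)
            return alert
        return None


def run_demo():
    """Replay constructed frames: a legitimate gateway, a host, then an attacker claiming the gateway IP."""
    victim = "de:ad:be:ef:00:10"
    frames = [
        build_arp_reply("aa:bb:cc:00:00:01", "192.168.1.1", victim, "192.168.1.10"),   # real gateway
        build_arp_reply("aa:bb:cc:00:00:14", "192.168.1.20", victim, "192.168.1.10"),  # ordinary host
        build_arp_reply("aa:bb:cc:00:00:01", "192.168.1.1", victim, "192.168.1.10"),   # gateway again, fine
        build_arp_reply("66:66:66:66:66:66", "192.168.1.1", victim, "192.168.1.10"),   # spoofed gateway
    ]
    mon = ArpMonitor(gateway_ip="192.168.1.1")
    for f in frames:
        mon.observe(f)
    return mon.alerts


if __name__ == "__main__":
    for line in run_demo():
        print("ALERT:", line)
```

The learn-on-first-sight rule is the weak point of any passive monitor: if the attacker is already poisoning the cache when the monitor starts, the wrong mapping is what gets learnt. That is why the constructor allows the gateway address to be pinned, and why switch-side DAI, which checks against DHCP snooping bindings rather than against what it happens to see first, is the stronger control.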
Another way to prevent man in the middle attacks is to use a virtual private network (VPN). Such encrypted tunnels add a secure layer when you access your company's confidential networks over links like public Wi-Fi, because an interceptor on that link then sees only ciphertext. In addition, companies should have proper process auditing and monitoring in place so that they are aware of their staff's activities.
About the Author: Sahir Hidayatullah is the senior consultant, research & development at MIEL e-Security Pvt. Ltd.
(As told to Anuradha Ramamirtham)
This was first published in July 2010