Often we have conversations in which confidential information flows between you and another
party. Now consider the possibility that information leaked during this communication.
What kind of attack could this be, when both of you are sure that no one else was involved? Or was
someone intercepting your conversations? In such scenarios, you most likely
encountered what is known as a man in the middle attack.
In a man in the middle attack, the attacker becomes an intermediary for all communication
between the victim systems and the gateway. The attacker can easily sniff and modify information at
will. A
Possible at both the Intranet and Internet levels, a man in the middle attack is one of the most common
and dangerous kinds of attack. In such attacks you may not even realize that you are affected,
since the attack is more or less passive in nature. It is not like a phishing attack, where a
user has to enter information for the attack to succeed. During
(or after) a man in the middle attack you will not realize that your traffic is being
intercepted, unless the attacker makes modifications that give him away.
Possibility of these attacks: A man in the middle attack is quite prevalent, and freely
available hacking tools allow attackers to set up these attacks automatically. Typically, an
Intranet is less secure than an external network, because it is generally assumed that
people working in an organization are trustworthy. However, malicious personnel working in the
company may be able to intercept all the data, right from the CEO's email to other internal
communication flowing on the network. This can be extremely damaging. Such man in the middle
attacks over the Intranet are predominant in companies with a strong and tech-savvy team, where an
employee intercepts the traffic, resulting in leakage of confidential information.
On the other hand, a man in the middle attack can also be very damaging in an external network.
If you use a public network to access confidential information, there is a possibility of this
information being intercepted by an attacker.
Identifying attacks: Detecting a man in the middle attack can be very difficult. In this
case prevention is better than cure, since there are very few methods to detect these attacks.
Typically, you should not use public networks for working on any confidential matters (or even for
checking your personal email). It is best to use a public network only for basic purposes like
reading the news; even if your traffic is intercepted, the damage is limited or nil.
Man in the middle attacks are prevalent in companies which do not use secure email. Today, email is
the lifeline of many organizations, but we find that a lot of them (especially in India) use
unencrypted email. So the attacker can literally see email contents as they go out on the
network; there is no encryption or other protective measure preventing attackers from accessing
that information.
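The monitoring the article recommends can be used to find exactly this problem: a passive tap on the mail server's switch port shows which hosts still submit mail or credentials before the session is protected by STARTTLS. The following is an added example, not code from the article; it classifies constructed SMTP sessions (hypothetical addresses and host names) instead of a live capture, and treats only ports 25 and 587 as cleartext-capable, since port 465 is implicit TLS and opaque to a tap.

```python
"""Passive audit for unencrypted SMTP, to find hosts that still send email in the
clear.  Added example, not code from the article.  It reads constructed
client/server line pairs rather than a live tap; a deployment would feed it
reassembled TCP streams from a monitoring port."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SMTP_PORTS = {25, 587}                  # relay and submission; 465 is implicit TLS
STARTTLS_OFFER = re.compile(r"250[- ]STARTTLS\b")


@dataclass(frozen=True)
class Finding:
    client: str
    server: str
    port: int
    status: str             # starttls | plaintext_auth | plaintext_mail | no_mail_seen
    starttls_offered: bool  # did the server advertise STARTTLS in its EHLO reply?


def audit_flow(client: str, server: str, port: int,
               lines: List[Tuple[str, bytes]]) -> Optional[Finding]:
    """Classify one SMTP session.  `lines` are ("C"|"S", raw line) in wire order."""
    if port not in SMTP_PORTS:
        return None         # not cleartext-capable SMTP; a tap sees only TLS records
    offered = False
    tls_pending = False     # client sent STARTTLS, waiting for the server's 220
    for direction, raw in lines:
        line = raw.decode("ascii", "replace").strip().upper()
        if direction == "S":
            if STARTTLS_OFFER.match(line):
                offered = True
            elif tls_pending:
                if line.startswith("220"):
                    # Everything after this point is inside TLS: session is protected.
                    return Finding(client, server, port, "starttls", offered)
                tls_pending = False   # server refused STARTTLS; session stays in clear
        else:
            if line.startswith("STARTTLS"):
                tls_pending = True
            elif line.startswith("AUTH "):
                # Credentials crossing the wire before TLS: worst case for a sniffer.
                return Finding(client, server, port, "plaintext_auth", offered)
            elif line.startswith(("MAIL FROM:", "DATA")):
                return Finding(client, server, port, "plaintext_mail", offered)
    return Finding(client, server, port, "no_mail_seen", offered)


def audit_capture(flows) -> List[Finding]:
    findings = []
    for client, server, port, lines in flows:
        f = audit_flow(client, server, port, lines)
        if f is not None:
            findings.append(f)
    return findings


def plaintext_senders(findings: List[Finding]) -> List[str]:
    """Hosts whose mail or credentials were visible in the clear."""
    return sorted({f.client for f in findings if f.status.startswith("plaintext")})


# Constructed sample sessions (hypothetical addresses and host names).
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.25", 25, [                # STARTTLS offered and used
        ("C", b"EHLO laptop5.example.internal\r\n"),
        ("S", b"250-mail.example.internal\r\n"),
        ("S", b"250-STARTTLS\r\n"),
        ("S", b"250 SIZE 10240000\r\n"),
        ("C", b"STARTTLS\r\n"),
        ("S", b"220 2.0.0 Ready to start TLS\r\n"),
    ]),
    ("10.0.0.7", "10.0.0.25", 587, [               # STARTTLS offered but ignored
        ("C", b"EHLO desk7.example.internal\r\n"),
        ("S", b"250-mail.example.internal\r\n"),
        ("S", b"250-STARTTLS\r\n"),
        ("S", b"250 AUTH LOGIN PLAIN\r\n"),
        ("C", b"AUTH LOGIN\r\n"),
    ]),
    ("10.0.0.9", "10.0.0.25", 25, [                # legacy relay, no STARTTLS at all
        ("C", b"HELO desk9\r\n"),
        ("S", b"250 mail.example.internal\r\n"),
        ("C", b"MAIL FROM:<ceo@example.internal>\r\n"),
        ("S", b"250 2.1.0 Ok\r\n"),
        ("C", b"RCPT TO:<cfo@example.internal>\r\n"),
        ("C", b"DATA\r\n"),
    ]),
    ("10.0.0.11", "10.0.0.25", 465, []),           # implicit TLS: opaque, skipped
]

if __name__ == "__main__":
    findings = audit_capture(SAMPLE_FLOWS)
    for f in findings:
        print(f"{f.client} -> {f.server}:{f.port} {f.status} (STARTTLS offered: {f.starttls_offered})")
    print("hosts sending in the clear:", plaintext_senders(findings))
```

The `starttls_offered` flag separates two different fixes: where it is true the client configuration is at fault (the server already supports encryption), and where it is false the mail server itself must be given STARTTLS or the host moved to implicit TLS on port 465.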
Preventive measures: To avoid internal man in the middle attacks you can set up an intrusion
detection system (IDS). The IDS monitors your network and, if someone tries to hijack the
traffic flow, raises an immediate alert. However, the downside of an IDS is that it may raise false
alerts many times, which leads to users disabling it.
Tools that use the advanced address resolution protocol (like XArp or ArpON) and measures like
implementing dynamic host configuration protocol (DHCP) snooping on switches can limit or prevent
ARP spoofing. This in turn helps you prevent man in the middle attacks.
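The host-side tools named above and the IDS described in the previous paragraph work on the same principle: remember which MAC address answered for each IP and raise an alert when that binding is contradicted. The example below is added here and is not code from the article or from XArp or ArpON; it feeds a constructed list of ARP replies (hypothetical addresses) to a small monitor and shows one way to keep the false-alert rate that drives users to switch an IDS off under control, by pinning the gateway's binding by hand, rating a single change of a learned binding as medium (it may be a DHCP reassignment) and reserving high severity for the signatures DHCP reuse cannot produce: a contradicted static binding, one MAC answering for two IPs, or a binding that flaps. On managed switches, DHCP snooping builds the IP-to-MAC table that dynamic ARP inspection then enforces in hardware, which is the switch-side equivalent of this check.

```python
"""ARP-spoofing monitor in the style of the IDS / XArp-like host tools the
article recommends.  Added example, not code from the article or from any
named tool.  It consumes a constructed list of ARP replies; a real deployment
would feed it packets from a capture library or a SPAN port."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str
    ts: float            # seconds since capture start


@dataclass(frozen=True)
class Alert:
    severity: str        # "high" or "medium"
    kind: str
    ip: str
    old_mac: str
    new_mac: str
    ts: float


class ArpMonitor:
    """Tracks IP -> MAC bindings seen in ARP replies and flags contradictions."""

    def __init__(self, static_bindings: Dict[str, str]):
        # Hand-configured bindings for hosts that must never move (gateway, servers).
        self.static = {ip: mac.lower() for ip, mac in static_bindings.items()}
        self.bindings: Dict[str, str] = dict(self.static)
        self.changes: Dict[str, int] = {}     # how often a learned binding has moved
        self.alerts: List[Alert] = []

    def _other_ips_for(self, mac: str, ip: str) -> List[str]:
        return [i for i, m in self.bindings.items() if m == mac and i != ip]

    def observe(self, reply: ArpReply) -> Optional[Alert]:
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        old = self.bindings.get(ip)
        if old is None:                     # first time we see this IP: learn it
            self.bindings[ip] = mac
            return None
        if old == mac:                      # consistent with what we already know
            return None

        self.changes[ip] = self.changes.get(ip, 0) + 1
        if ip in self.static:
            # Someone claims a protected IP with a different MAC: gateway poisoning.
            # The static binding is kept; the claim is not learned.
            kind, severity = "static_binding_violation", "high"
        elif self._other_ips_for(mac, ip):
            # One MAC now answering for two IPs is the poisoning signature; a DHCP
            # reassignment does not produce it, so this is not a false-positive case.
            kind, severity = "mac_claims_multiple_ips", "high"
            self.bindings[ip] = mac
        elif self.changes[ip] >= 2:
            # Binding flips back and forth: the real host and an impostor are racing.
            kind, severity = "binding_flapping", "high"
            self.bindings[ip] = mac
        else:
            # A single change of a learned binding may be a legitimate DHCP
            # reassignment or NIC swap; report it at medium severity, not as an attack.
            kind, severity = "binding_changed", "medium"
            self.bindings[ip] = mac
        alert = Alert(severity, kind, ip, old, mac, reply.ts)
        self.alerts.append(alert)
        return alert


def scan(replies: List[ArpReply], static_bindings: Dict[str, str]) -> List[Alert]:
    mon = ArpMonitor(static_bindings)
    for r in replies:
        mon.observe(r)
    return mon.alerts


# Constructed sample data (hypothetical addresses): the gateway is pinned, the MAC of
# host .20 starts answering for both the gateway and .10, and host .50 changes NIC once.
STATIC_BINDINGS = {"192.168.1.1": "aa:bb:cc:00:00:01"}
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "aa:bb:cc:00:00:01", 0.0),
    ArpReply("192.168.1.10", "aa:bb:cc:00:00:10", 1.0),
    ArpReply("192.168.1.20", "aa:bb:cc:00:00:20", 2.0),
    ArpReply("192.168.1.1", "aa:bb:cc:00:00:20", 30.0),     # gateway claimed by .20's MAC
    ArpReply("192.168.1.10", "aa:bb:cc:00:00:20", 31.0),    # .10 claimed by the same MAC
    ArpReply("192.168.1.50", "aa:bb:cc:00:00:50", 100.0),
    ArpReply("192.168.1.50", "aa:bb:cc:00:00:51", 5000.0),  # plausible DHCP reassignment
]

if __name__ == "__main__":
    for a in scan(SAMPLE_REPLIES, STATIC_BINDINGS):
        print(f"[{a.severity}] {a.kind}: {a.ip} was {a.old_mac}, now {a.new_mac} at t={a.ts}")
```

Run against the sample replies, the monitor raises two high-severity alerts for the poisoning sequence and one medium alert for host .50; the medium alert is the one an operator can confirm against the DHCP lease log before escalating, which is the difference between an IDS people keep and one they disable.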
Another solution for preventing man in the middle attacks is to use a virtual private network
(VPN). Such encrypted tunnels add a secure layer when you access
your company's confidential networks over links like Wi-Fi. Additionally, companies should have
proper process auditing and monitoring in place so that they are aware of their staff's
activities.
About the Author: Sahir Hidayatullah is the senior consultant, research & development at
MIEL e-Security Pvt. Ltd.
(As told to Anuradha Ramamirtham)
This was first published in July 2010
