[BreachExchange] Man-in-the-Middle (MITM) Attacks: What They Are And How To Prevent Them?

[Destry Winant]

https://www.equities.com/news/man-in-the-middle-mitm-attacks-what-they-are-and-how-to-prevent-them

A Man-in-the-Middle (MITM) attack is a form of attack that allows a
hacker to secretly intercept a wired or wireless connection between
two parties who believe they are communicating safely and directly
with each other.

When performed successfully, a MITM attack allows the hacker not only
to eavesdrop on the communication between the victims but also tamper
the data they exchange with each other. Most importantly, it may give
the eavesdropper full access to the victims' valuable information
(login credentials, financial information, and so on).

This is why it’s so important to know more about different types and
techniques of MITM attacks, as well as the ways to prevent these
attacks.

How Does a MITM Attack Work?

The basic principle of every MITM attack is pretty similar: an
attacker virtually puts themselves between two communicating parties,
leaving the victims unaware of their presence. Remaining undiscovered,
the intruder can intercept messages the victims send to each other,
extract valuable information and change the original messages if he
wants.

There are two kinds of MITM attacks: passive and active. Passive MITM
attacks are possible when the RSA (Rivest–Shamir–Adleman) keys are
used. Then, the attacker can use server private keys to decrypt the
user traffic.

When it comes to an active MITM attack, the hacker's main goal is to
split an SSL/TLS session into two completely separate sessions. Then,
the attacker can act as a proxy, monitoring and possibly altering all
the data transmitted through a compromised channel.

Also, there are several forms of MITM attacks that exploit
vulnerabilities in internet browsers (Main in the Browser), cloud
services (Man in the Cloud), mobile applications (Man in the Mobile),
or the Internet of Things (Man in the IoT).

Common Types of MITM Attacks

Depending on their goals and targets, an attacker may use different
types of MITM attacks. Below, we listed the most common ones.

SSL and TLS Hijacking

When browsing the internet, the users usually encounter one of the two
types of protocols: HTTP (Hypertext Transfer Protocol) or HTTPS (HTTP
Secure or HTTP over TLS). It is preferable to use HTTPS since it is
protected via encryption through SSL/TLS. Still, even HTTPS protocols
can be vulnerable to MITM attacks if a user doesn't access them
directly. When the victim first tries to access an unsecured HTTP
site, the hacker may hijack the session before the user will be
redirected to a safer HTTPS site.

ARP Cache Poisoning

The Address Resolution Protocol (ARP) is a protocol used for mapping
an Internet Protocol (IP) address to a physical machine address, such
as MAC address.

The main problem with ARP is its lack of an authentication protocol.
There is a possibility of the attacker sending spoofed or fake ARP
messages to the Local Area Network (LAN) and mapping the attacking MAC
address to the target host's IP address. As a result, the attacker can
intercept all the traffic that was originally meant for the victim.

DNS Spoofing

The Domain Name Server (DNS) spoofing, otherwise known as DNS cache
poisoning, is another common type of MITM attacks. When DNS translates
names of domains to numerical IP addresses, it asks other servers for
unknown translations and caches these translations for some time. And
if DNS caches a false translation, it may return an incorrect IP
address, redirecting the victim to another computer.

Aside from MITM attacks, DNS spoofing is widely used for phishing
attacks, where an attacker creates a fake version of a genuine website
to gather users' personal information.

Rogue Access Point

When targeting wireless networks, an attacker may use a rogue access
point – a wireless access point connected to the network without an
approval from the network administrator. In some cases, a rogue access
point may be added by a well-meaning employee as a way to ease access
to the network from mobile devices. Such access points also may be
used by attackers for gaining access to the company's network.

Common MITM Attack Techniques

Just as there are different types of MITM attacks, there are also
several techniques a hacker may use for performing a MITM attack. The
most common ones are:

sniffing
packet injection
session hijacking
SSL stripping

Sniffing is used for performing passive MITM attacks. The attackers
inspect packets at a low level using different packet capture tools
and gather information for further attacks.

Packet injection is used for compromising data communication streams
by injecting malicious packets into it. Usually, this technique is
used when sniffing was already performed because the attacker needs to
know when exactly to craft and send malicious packets.

Session hijacking is a technique used for intercepting a session
established between two endpoints, for instance, a session between two
machines communicating within a local network or a session between a
user and a web application or a platform.

SSL stripping is used for downgrading HTTPS and forcing the victim to
establish a connection with a more vulnerable unencrypted HTTP. Using
different tools, such as SSLstrip or MITMproxy, the attacker may try
to split an SSL/TLS session into two completely separate sessions: one
between the victim and the attacker and the other between the attacker
(who acts as a legitimate user) and the server.

For instance, SSLsplit, a penetration testing and research tool, is
able to replace HTTPS links with their HTTP analogs whenever it's
possible, placing the attacker “in the middle” of the connection, thus
allowing them to intercept the connection.

How to Prevent MITM Attacks?

There are two common ways you can defend your network, web application
or website against MITM attacks: by using authentication certificates
and HTTPS protocol.

For ensuring the security of local networks and systems, you can use
certificate-based authentication. It means that every employee device
should have a properly configured certificate in order to gain access
to your system or network.

When it comes to protecting web services, the best way is to use an
HTTPS protocol instead of a much less safe HTTP. Using SSL/TLS
certificates, you can upgrade the protocol of your website from HTTP
to HTTPS and keep all the connections set between the website and end
users encrypted and secure.

It is also important to make sure that all pages of your website are
encrypted with HTTPS and there is no elements left loading over an
HTTP, including widgets, scripts, pictures, and even hyperlinks. Your
website's login forms also should be HTTPS-protected to prevent
possible hijacking of your users' login credentials.

You may also use an Organization Validation (OV) SSL certificate or an
Extended Validation (EV) SSL certificate to improve the level of your
website's encryption and confirm its authenticity. OV SSL and EV SSL
certificates help boost your website's credibility by showing the name
of the company in the URL bar and making the address bar turn green.
With these signs, the end user can be sure they are connecting to a
legitimate website and not its faked copy.

Another option for preventing MITM attacks on your website is to
implement HTTP Strict Transport Security (HSTS) on your server. This
mechanism forces web browsers and applications to connect only
HTTPS-protected content and block any attempts to connect unencrypted
HTTP pages. In addition to this, HSTS helps prevent cookie hijacking,
thus protecting your users' sensitive information.

And remember: hackers will never stop trying to get their hands on
valuable information, so you need to make everything in your power to
protect your website, platform, or application from as many risks as
possible. The least you can do is use the methods listed above. And
for a higher level of protection, you can always turn to experienced
professionals who will take care of defending your business against
MITM attacks of all kinds.