Cryptography was created by thinking about how to achieve secure communication. Person "A" wants to send a message to Person "B". How can "A" send a private message to "B" over an insecure channel? How to avoid someone non-authorized from reading it? A Man-In-The-Middle (MITM) is an attacker in the channel where "A" and "B" are transmitting information, impersonating both.
The attacker reading their messages (that is, compromising confidentiality) is not necessarily the worst thing that could happen. It could also use the trust of "B" in "A" to commit fraud. It could inject malware into the messages to compromise Alice and Bob's systems without them suspecting anything. The limit is the imagination.
"A" and "B" are sending messages to each other in an ongoing MITM attack, believing they are communicating directly. But every message from both sides is arriving with the attacker, who controls the conversation and its content.
Several remarkable examples of these attacks were perpetrated by big players targeting their own users. For example, in 2003, it was discovered that the popular router company, Belkin, was redirecting some of the users' HTTP traffic to their product's pages.
An even more worrying example involves a nation-state intelligence agency, the NSA. According to reports from 2013, they were "in the middle" between the giant Google and Users, gathering information.
If, for example, you try to browse a web page, and it sends a certificate that the authority signature is not in your browser's database, you will receive a warning about that, stating the party to which you are connecting has a non trusted certificate.
Even though this is very useful to confirm you are connecting to the domain you want to, you still need to be careful.
Diginotar, a Dutch Certificates Authority, was breached in 2011. MITM attacks were performed using false certificates. These were not detectable as they had a valid authority signature.
MITM attacks can happen anywhere.
For example, in your Local Area Network (LAN), between you and your router or another device.
Or even remotely when trying to access a server through a gateway.
It is usual to classify these attacks by the technologies and protocols involved. Some of the most commons are:
Address Resolution Protocol (ARP) maps Media Access Control (MAC) addresses of the devices to IP addresses in a LAN.
DNS translates domain and hostnames into IP addresses. If an attacker can "poison" your DNS table, by mapping a domain you want to browse with an IP under its control...you are in trouble.
Even worse, perhaps the attacker can trick you into using its own malicious DNS resolver. The above-mentioned can be achieved, for example, if the attacker can see your traffic and reply faster to your requests than your DNS. This risk is present in LAN networks when trying to connect to a remote host.
HTTP is the protocol used when browsing. The "S" in HTTPS stands for "secure" because it has an additional layer of cryptography aimed to encrypt and authenticate the communication between you and a server.
The cryptographic protocol used for that is named Transport Layer Security (TLS) which had in older versions the name Secure Sockets Layer (SSL).
However, even though HTTPS provides authentication, an attacker could trick you into connecting to a different website under its control with a similar name, as discussed in the previous section.
As MITM is an old-known; there exists plenty of tools and frameworks to perform these attacks. You can even find specialized tools for certain applications, like sniffing traffic, injecting, denying service, etc.
For example:
As mentioned before, HTTPS is more secure than HTTP because it provides authentication and encryption. In fact, HTTP sends data in clear. That means anyone watching the network traffic can read and understand what was sent and received. This includes sensitive data, like your passwords.
When browsing, we usually input the addresses in the search bar without specifying the protocol http:// or https://. In these cases, the browser will default to insecure HTTP, which can make a non-encrypted connection or even allow an attacker to redirect our traffic to a page under their control.
To avoid that, it was created a security feature named HTTP Strict Transport Security (HSTS). It can be set in the HTTP packet header.
What does it do? If implemented, it will allow your browser to connect to a server if and only if it uses HTTPS protocol.
That is great! However, here comes the shocking fact. This feature is available in all modern browsers today, but it is implemented only by 20% of all Internet Websites. Even several banking websites lack it!
To defend against this risk, you need to ensure the packets sent or received have not been tampered with on the way.
Also, you need to verify the identity of with whom you are communicating. The authenticity of each endpoint has to be checked. The best idea is to adopt a communication protocol with already built-in measures for integrity, and use it properly.
For example, for web browsing, HTTPS (with TLS Protocol under the hood) prevents tampering by sending hashes of all previous messages and authentication with a Public Key Infrastructure (PKI). The last is what we mentioned before related to Certificates and an Authority.
However, as we saw, this can be not enough. We should enforce the use of secure communications with HSTS, and check periodically that certificates are valid.
If you are a victim of a MITM attack, the attacker will try to redirect you to malicious websites and/or install harmful files in your server to take control and/or retrieve sensitive information. This is when BitNinja can protect you as it knows best.
With innovative and unique techniques for Malware detection, BitNinja's "Structure Analysis" can detect malware in real-time, even if its code is obfuscated.
But not only that, BitNinja's "DefenseRobot" goes a step further to find the source of the infection, block the involved IPs, and apply Honeypot technologies to isolate the affected domains.
This last measure is especially helpful for avoiding deeper compromise of the affected systems and log information that can help catch the attackers.
BitNinja Malware Detection Module's way of looking for threats is unique and patent-pending.
Custom Malware signatures are supported and easy to add.
BitNinja AI-powered Defense Robot Module automatically works to find the root cause of an infection.
When managing several HTTPS connections, the server can get overloaded with too many operations, like checking signatures, doing encryption, and decryption. BitNinja SSL Terminating Module allows Certificate Miners and offload HTTPS requests, enhancing the server stability and performance.
A MITM attack is not in actual lists like OWASP Top 10, where you can find the Web Application Security Risks of major concern regarding consequences and statistics of last year's attacks. But the outcomes associated with a victorious MITM attack are so catastrophic that defenses come built-in for all the main communication protocols we use nowadays
BitNinja counts with a crowd-sourced and constantly updated database of over 100 million IP Addresses. This is a unique asset in the market to enhance protection—even against zero-day attacks.
MITM attacks can compromise the confidentiality, integrity, and availability of important assets. Cybersecurity is not optional anymore. It is a must! If you haven't tried BitNinja yet, don't forget to register for the 7-day free trial! No credit card needed!
We are always happy to help you! If you have any questions, check out our Knowledgebase, feel free to ask at info@bitninja.io, or you can even reach us on the Dashboard chat!
Let's make the internet a safer place together!
