Saturday, November 30, 2013

Communications security: Watch out for middlemen

Imagine a middle-school classroom. I know we all want to forget, but this will just take a moment. So little Suzie has a crush on little Johnny. She's shy because, you know, middle school, so she passes a note along the row of desks. It's a folded up note with "Johnny" written on the outside; the inside professes her adolescent love. Halfway through class, a note makes it back to her that says "Suzie" on the outside and "Ew gross you're a big booger brain don't talk to me again" on the inside (because, you know, middle school). Not looking so good for Suzie and Johnny, right?

Meanwhile, little Lucy is laughing to herself. Her desk lies between Suzie and Johnny, so the notes were passed through her. Without either of them seeing, she replaced the notes with ones she had written: Johnny got a note that said "You're yucky and have boy cooties so don't talk to me ever," and when he wrote back, heartbroken, his letter was altered to be about booger brains.

Lucy has basically just done an analog man-in-the-middle attack. In cyber security, this is a type of eavesdropping where the Lucys of the Internet insert themselves into a communication between two parties, each of whom believes they are talking directly to the other. The attacker intercepts data from both sides, reading information never meant for them and inserting or altering messages in the conversation.

The man in the middle breaks the normal flow of communication (source: veracode.com)

The attacker splits the TCP connection between the parties into two new connections, client-to-attacker and attacker-to-server, and relays traffic between them so that neither end notices anything. As you might have guessed, this is bad. What if you're trying to communicate with a bank server so you can transfer money (to pay for that privacy visor you've always wanted)? You send $24.99 for your purchase. If someone has man-in-the-middle'd you, they can not only grab all the passwords and account numbers you're using but also change the destination of your transfer to their own account and change the amount to $2499.00, while sending you back a receipt that still says $24.99.
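Here is that split connection in working code, as an added example that is not part of the original post. It runs a toy plaintext "bank" protocol on loopback: an honest server, a relay that accepts the victim's connection and opens its own connection to the bank, and a client that has been pointed at the relay instead of the bank. Everything in it is constructed for the demonstration (the LOGIN/TRANSFER lines, the account name lucy, the amount 2499.00); nothing is taken from a real banking protocol.

```python
import socket
import threading

# Constructed sample traffic for a toy plaintext "bank" protocol (not from the
# original post): one credential line, then one transfer line.
CLIENT_MESSAGES = [
    b"LOGIN user=suzie password=hunter2\n",
    b"TRANSFER to=johnny amount=24.99\n",
]
ATTACKER_ACCOUNT = b"lucy"     # hypothetical destination the relay substitutes
ATTACKER_AMOUNT = b"2499.00"   # the amount the post describes the attacker choosing


def listener():
    """Bind a TCP listener on an ephemeral loopback port; return (sock, port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


def bank_server(lsock, executed):
    """Honest server: records and acknowledges every line it receives.
    It has no way to tell whether a line came from the real client."""
    conn, _ = lsock.accept()
    with conn, conn.makefile("rb") as rf:
        for line in rf:
            executed.append(line.decode().strip())
            conn.sendall(b"OK " + line)
    lsock.close()


def pump(src, dst, rewrite):
    """Forward lines from src to dst through rewrite(); pass EOF along."""
    with src.makefile("rb") as rf:
        for line in rf:
            dst.sendall(rewrite(line))
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass  # peer already gone; nothing left to signal


class Middleman:
    """Splits the victim's one TCP connection into two (victim->relay and
    relay->bank) and rewrites traffic in both directions, like Lucy's notes."""

    def __init__(self, bank_port):
        self.bank_port = bank_port
        self.captured = []          # credentials harvested from the victim
        self._real_transfer = None  # what the victim actually asked for

    def to_bank(self, line):
        if line.startswith(b"LOGIN "):
            self.captured.append(line.decode().strip())
        elif line.startswith(b"TRANSFER "):
            self._real_transfer = line
            line = b"TRANSFER to=%s amount=%s\n" % (ATTACKER_ACCOUNT, ATTACKER_AMOUNT)
        return line

    def to_victim(self, line):
        # Echo the victim's own request back so the receipt looks normal.
        if line.startswith(b"OK TRANSFER ") and self._real_transfer:
            return b"OK " + self._real_transfer
        return line

    def serve(self, lsock):
        victim, _ = lsock.accept()
        bank = socket.create_connection(("127.0.0.1", self.bank_port))
        t1 = threading.Thread(target=pump, args=(victim, bank, self.to_bank))
        t2 = threading.Thread(target=pump, args=(bank, victim, self.to_victim))
        t1.start(); t2.start(); t1.join(); t2.join()
        victim.close(); bank.close(); lsock.close()


def victim_client(port):
    """Suzie's client. It believes `port` is the bank; it is really the relay."""
    replies = []
    with socket.create_connection(("127.0.0.1", port)) as s:
        for msg in CLIENT_MESSAGES:
            s.sendall(msg)
        s.shutdown(socket.SHUT_WR)  # done sending; now wait for the receipts
        with s.makefile("rb") as rf:
            for line in rf:
                replies.append(line.decode().strip())
    return replies


def run_demo():
    """Wire bank, relay and victim together; return what each side saw."""
    bank_sock, bank_port = listener()
    relay_sock, relay_port = listener()
    executed = []
    mitm = Middleman(bank_port)
    threads = [
        threading.Thread(target=bank_server, args=(bank_sock, executed), daemon=True),
        threading.Thread(target=mitm.serve, args=(relay_sock,), daemon=True),
    ]
    for t in threads:
        t.start()
    seen = victim_client(relay_port)  # the victim was pointed at the relay
    for t in threads:
        t.join(timeout=5)
    return {"victim_saw": seen, "bank_executed": executed, "captured": mitm.captured}


if __name__ == "__main__":
    for side, lines in run_demo().items():
        print(side, lines)
```

Run it and the bank records a transfer to lucy for 2499.00 while Suzie's replies show exactly the receipt she expected, and the relay walks away with her password as a bonus. Neither the server nor the client can see anything that distinguishes this from a direct connection, which is why the fix has to come from authenticating the endpoints rather than from either end being more careful.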

Unfortunately, this kind of attack is really difficult to prevent. Any time you're trusting someone who's not you with confidential information, you run the risk of having that information misused. Using HTTPS or a VPN greatly reduces the chance that someone can insert themselves into your conversation. HTTPS runs your web traffic over SSL/TLS (Secure Sockets Layer, now Transport Layer Security): before sending anything, your browser checks that the certificate the server presents was issued by a certificate authority the browser trusts and that it matches the site name you typed, so an impostor in the middle can't simply claim to be your bank. A VPN encrypts everything between you and the VPN endpoint, so a middleman on the coffee-shop Wi-Fi or anywhere along that path sees only ciphertext (the VPN provider itself, of course, sits in the middle of everything you send through it). It is still possible for men in the middle to intercept HTTPS connections. If the attacker presents a certificate the browser can't verify, the browser warns the user; if the attacker has somehow obtained a certificate the browser does trust (a compromised or coerced certificate authority, or a root certificate installed on the machine), there is no warning at all.

You've probably seen one of these before

And the user often ignores that warning because they don't know better. Admit it: you've clicked "proceed anyway," haven't you? That click tells the browser to accept whatever certificate it was handed, which is exactly what the middleman needs. I hope you didn't give your credit card information...
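The programmatic version of clicking "proceed anyway" is turning certificate verification off in the client, which a lot of app code does the moment a test server's certificate gets in the way and which then ships to production. As an added example (Python standard library; not code from the post or from any of the apps it mentions), here is the safe client context beside the weakened one, plus a small check you can run on any SSLContext to see whether it would let a middleman through. The host name in the `__main__` block is a placeholder for whatever server you want to probe.

```python
import socket
import ssl


def client_context(verify=True):
    """Build a TLS client context.

    verify=True  : trust the system CA store and check the certificate's
                   name against the host we are contacting (the default
                   that create_default_context() gives you).
    verify=False : the code equivalent of "proceed anyway": any certificate,
                   from anyone, is accepted, so a relay can terminate TLS.
    """
    ctx = ssl.create_default_context()
    if not verify:
        # Order matters: check_hostname must be off before CERT_NONE is allowed.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the reasons a context would accept a man in the middle.

    An empty list means the context insists on a CA-signed certificate
    that matches the host name; anything else is a finding."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no-ca-validation")    # any certificate is accepted
    if not ctx.check_hostname:
        findings.append("no-hostname-check")   # a valid cert for *any* site is accepted
    return findings


def probe(host, port=443, verify=True):
    """Open a TLS connection and return the peer certificate's subject.

    With verify=True this raises ssl.SSLCertVerificationError when someone
    is sitting in the middle with an untrusted certificate; with verify=False
    it happily returns whatever the middleman presented."""
    ctx = client_context(verify)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()  # empty dict when verification is off
            return cert.get("subject", ()) if cert else ()


if __name__ == "__main__":
    for verify in (True, False):
        print("verify =", verify, "->", audit_context(client_context(verify)))
    # Placeholder host; replace with the server you want to check.
    print(probe("example.com"))
```

Greppable hints that an app has done this to itself: `CERT_NONE`, `check_hostname = False`, `verify=False` on HTTP client calls, or a custom trust manager that accepts everything. Any of them means the app's HTTPS is no better than the plaintext relay above.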

But besides the fact that we should know about Bad Things People Can Do (tm), why do we care? As long as we stay away from sketchy sites and use secure connections, we're probably going to be okay, right? Well, let me ask you something: do you use an iPhone? A lot of people do. There's a slight problem, though: last month, Skycure announced at the RSA Europe conference that many iOS apps are vulnerable to a man-in-the-middle type of attack that "lets the attacker take dynamic control over the app." Again, when you think of financial data being sent and received through an app, this is bad news.

And it's not just people hacking your apps. Apple runs the key directory for its iMessage protocol: when you message someone, your phone fetches that person's public key from Apple's servers and has no independent way to check that it really belongs to them. Whoever controls that directory can hand out a key they hold instead, decrypt your message, and re-encrypt it for the real recipient, so Apple (or a friendly government agency with the right paperwork) can basically have a man-in-the-middle eavesdropping party any time they want.

And speaking of friendly government agencies, they're pretty well-versed at being middlemen. According to the documents leaked by Snowden, the NSA's Quantum servers sit at strategic points on the Internet backbone, close enough to the traffic that they can impersonate Google services and run man-in-the-middle interceptions against them.

The Snowden / NSA / communications security blowup has really brought this sort of eavesdropping attack to the forefront of everyone's mind. Hopefully this will mean more development in actually-secure communications, but I wouldn't hold your breath. If it can be built, it can be broken.

Also, since mentioning the NSA has probably put me on some sort of list, I'd like to say hello to whatever bored government agent has been told to read this over and make sure I'm not a terrorist. You should check out my other posts; you don't guest-star in any of them, but they might be a nice change from having to read every Facebook post that calls someone a terrorist.

4 comments:

  1. This post was very informative and interesting to read. First of all, I like how you introduced the topic by giving a real-life example. All the hyperlinks that you have provided lead to great resources. The images that you have chosen for this post are related to what you are trying to explain in the post. It was interesting to read about how a man-in-the-middle behaves and why we should be careful with them. I like your explanation about HTTPS and VPNs. Just like your other blog posts, this post was a great read. I am looking forward to reading your future posts.

    Keep Blogging!

    ReplyDelete
  2. Hi Katharine, this was an interesting post. This is just another reason for websites to start using the HTTPS tag. With so many services, like banking, moving to an online environment, it is irresponsible for companies to not take the appropriate steps to secure their users. I find it interesting that a VPN can also secure your system too. I might be looking into that in the future. I look forward to reading more from you.

    ReplyDelete
  3. The analogy in the beginning is so simple and perfect. Computer security is one of those topics that many people find hard to understand because there is just so much computer jargon involved. I think it is important to note that while a VPN is somewhat impervious to MitM attacks, there are other ways around a VPN such as forging the VPN certificates. Really informative post.

    I also just wanted to say, using the words or any variation of "I" and "terrorist" might get you on some sort of list faster.

    ReplyDelete
  4. Hi, this is my third comment here. Your post again was interestingly technical. I learned much. Because no security techniques are perfect, we need to be very careful and conscious of what wireless/electric signals go out from public electronics. Great advice, warning people not to go beyond the browser's security check. I haven't come across that page that much because I choose to browse/buy from popular websites that have HTTPS enabled. Let's hope big brothers only use our information for legitimate purposes.

    ReplyDelete