Thwarting the Age Old Man in the Middle

Man in the middle (MITM) attacks are as old as transportation. In the Wild West, these attackers would be the stage coach bandits or the train robbers that rerouted riches to a new destination.

In the digital world, the attackers steal packets of information rather than chests of gold, but the modus operandi remains the same: Theft in transit.

However, the means of theft vary quite extensively.

“Traditional Layer-2 networks such as wired Ethernet and wireless 802.11 are plagued with man in the middle vulnerabilities and weaknesses, the attack taxonomy of which includes ARP cache redirection and poisoning, rogue DHCP servers, VLAN encapsulation within encapsulation, and network switch lookup table flooding to force unauthorized traffic broadcasting, explained Gregory Perry, CEO of GoVirtual Education.

“Source routing and fragmentation attacks can also be used against higher order Layer-3+ presentation and application protocols, in a similar vein to Layer-2 MITM attack methods.”

The hackers’ goal is not to infect your computer but to steal information; particularly to steal financial and identity information from individuals, but also to conduct corporate espionage against corporations.

“Malware and man in the browser (MITB) attacks — a fast-growing variation of ‘man in the middle’ — are of growing concern, particularly in online banking environments where they are causing the highest rates of financial fraud beyond phishing and identity theft,” warned Tsion Gonen, corporate VP of Products and Marketing at SafeNet.

Modes of attack

While MITM attacks have been around for quite awhile, the newer tools are far more sophisticated and dangerous.

“This most recent wave of attack tools and their progeny can be used without authorization to intercept and redirect network traffic, perform surreptitious analysis and clandestine interception of confidential and privileged network communications, insert and/or remove information from live communication streams, extract plain text user accounts and passwords from applications and the transport network, intercept and decrypt applications protected with the secure sockets layer (SSL) encryption method, and intercept and decrypt network communications purportedly secured with IPSEC VPN tunnels,” explained Perry.

These tools are do-it-yourself malicious tool kits that make creating malware easy even for a novice. However, they are not cheap. A ZeuS kit, for example, can go for $8000 or more — although that seems to be the high end. Even so, the price is a steal considering ZeuS was used to heist ?675,000 pounds from a UK bank alone in July, 2010.

The most used attack kits are MPack, Neosploit, ZeuS, Nukesploit P4ck and Phoenix, according to Symantec.

Spyeye is a ZeuS knockoff that is supposed to be available soon in a mashup with ZeuS code to make it even more efficient. ZeuS is considered by experts to be the most pervasive banking Trojan in the world. Recently, Zeus code was leaked and security professionals are bracing for a swell in criminal activity. Weyland-Yutabi Bot is a Mac OS X version of ZeuS and Spyeye.

ZeuS and its kin are especially adept at seamlessly inserting fraudulent fields into forms on legitimate websites, typically retail and online banking sites, tricking the user into providing information that is sent straight to criminals. However, these tools can be used in numerous ways to intercept traffic.

The latest ZeuS-like release is the BlackHole exploit kit that originally sold on darkware sites for $1500 for a year’s license and $200 for a week. This month it was released for free. Its traffic detection script (TDS) is far more powerful than its predecessors but requires significant skills to use.

But even that list of horrors is not the entire scope of MITM attacks.

But wait … there’s more

ARP poisoning, for example, must be performed locally on the network. That makes it a bit trickier to accomplish but no less dangerous. The attacker ties his MAC address to the IP address of another host. Essentially, the attacker is eavesdropping and controlling the conversation or transaction between two parties. This is the most common attack found in unprotected WiFi networks such as public hotspots or home routers with only WEP settings.

“ARP poisoning is just one type of MITM attack; others include BGP MITM, rogue access points and man-in-the-browser. Of these, man-in-the-browser has proved to be the biggest threat,” explained Terry Nelms, research director for cyber security firm Damballa.

MITB attacks are designed to slip around normal defensive plays such as traditional antivirus solutions and strong authentication technologies such as tokens or network access control (NAC) systems. Generally, MITB attacks are Trojans that infect a Web browser to modify transaction content or to insert additional transactions. The Trojan uses objects, extensions, user scripts and other common facilities designed to enhance browser activities. Thus, the Trojan is virtually undetectable by virus scanning software.

“When an infected unmanaged computer accesses enterprise resources via VPN connections and Web portals, the malware is able to elude perimeter security mechanisms, said Amit Klein, CTO of Trusteer.

“It then captures all data processed by that browser including logon credentials and large quantities of sensitive corporate information, and transmits it back to the criminals. All this can be achieved without infecting a single computer within the physical boundaries of the enterprise or setting off alarms.”

The threat increases with the use of mobile devices.

“These days, it’s not uncommon for virtually every employee, contractor or partner to have enterprise access rights remotely and from the device of their choosing,” said Klein. “It is this proliferation of unmanaged home and work laptops and personal PCs that often lead to malware snaking into secure enterprise networks.”

Tools and techniques to thwart attacks

Defensive products such as XArp are helpful for small business and home networks. XArp reports changes in the IP to MAC mapping in order to identify ARP poisoning, the classic MITM attack. However, XArp is not much help with larger networks containing layered switches.

For larger networks, Perry recommends the following:

  • The effective use of port security on Ethernet switches;

  • Enabling port authentication such as 802.1x on Ethernet switches;

  • ARP cache monitoring software at both at the NMS, Ethernet switch, and individual host(s) level;

  • Host-based intrusion detection and prevention agents that are configured with Layer-2 signatures and alarming;

  • The use of hardcoded static ARP entries for mission critical gateway and server assets;

  • Application-level encryption methods such as SSL with PKI-mandated certificate signing policies;

  • Transport-level encryption methods such as IPSEC and SSL with PKI-mandated certificate signing policies;

  • The use of multiple factor authentication methods for both network and application-level access; and,

  • The use of one time password (OTP) hardware tokens for network and application access.

Yet more concerns: Mobile and VoIP

VoIP is also subject to MITM attacks and requires additional counter measures to protect voice, text and video communications.

“Encrypted VoIP using secure RTP (SRTP) still requires a secure key agreement approach,” warned Alan Johnston, adjunct instructor at Washington University in St. Louis, and a Distinguished Engineer at Avaya. Johnston is also co-author of a VoIP privacy protocol specifically designed to protect against MITM attacks called ZRTP. It is published as RFC 6189 by the Internet Engineering Task Force (IETF).

“Unfortunately, most SRTP systems involve sharing the encryption key over the signaling channel, which can result in key disclosure,” he said.

As far as man-in-mobile (MIM) and MITB attacks, the best defense to date is in virtual firewalls installed onside a user’s device. This firewall should activate whenever the enterprise network or an enterprise application is accessed.

“It should differentiate between enterprise-related sessions and those taking place on individual machines,” said Klein. Using this method, malware can be blocked from exploiting protected Web sessions. “For example, when a machine infected with malware attempts to access the enterprise, it is immediately identified and the malware stripped from the device.”

In addition, the virtual firewall should provide strong keystroke encryption to prevent keyloggers from intercepting confidential data such as login credentials and account numbers.

“It should secure communication between the browser and the network or application to prevent unauthorized modifications and provide API blockage to prevent unauthorized access,” said Klein.

ZeuS, Spyeye and BlackHole-like threats are prevalent banking threats. Financial institutions try hard to hide the problem and have made little progress in defense mechanisms.

“Highly sensitive organizations like financial services have grown increasingly concerned not just with authenticating users, but the protection of transactions themselves,” said Gonen. “Unfortunately, traditional user authentication methods that can protect against phishing, pharming and password hacking aren’t enough to protect against transaction attacks like MITB, since users could be legitimately authenticated during an attack.”

New products on the market, however, are designed to ensure that not only is the user who he claims to be, but that he is authorized to do what he’s doing.

“An ‘out-of-band’ authentication method can validate the integrity of a specific transaction itself and such are quickly becoming an imperative because they can better circumvent MITB attacks by confirming the transaction through means other than the customer’s PC and browser, said Gonen.

“This ensures that only the person in possession of the transaction security device can receive details of the transaction and approve it. These types of security solutions will become increasingly important over the next few years as advances in mobile technology are making online transactions a mainstay of global commerce.”

A prolific and versatile writer, Pam Baker’s published credits include numerous articles in leading publications including, but not limited to: Institutional Investor magazine,, NetworkWorld, ComputerWorld, IT World, Linux World, Internet News, E-Commerce Times, LinuxInsider, CIO Today Magazine, NPTech News (nonprofits), MedTech Journal, I Six Sigma magazine, Computer Sweden, NY Times, and Knight-Ridder/McClatchy newspapers. She has also authored several analytical studies on technology and eight books. Baker also wrote and produced an award-winning documentary on paper-making. She is a member of the National Press Club (NPC), Society of Professional Journalists (SPJ), and the Internet Press Guild (IPG).

Top Products

Related articles