Skip to main content

What is a Man in the Middle Attack?

Mitm 750x425 02nov15 en

Many years ago, your local telephone service may have been shared among you and many of your neighbors in what was called a party line. This shared configuration had two characteristics. If you wanted to place a call, you had to wait until the circuit was idle, i.e., all the other parties on the shared circuit weren’t also trying to place calls. More disturbing, however, was that other parties on the shared circuit could listen in on, join in (welcomed or not), or disrupt any conversation.

Ethernet and WiFi share these same characteristics, and an important reason why everyone is encouraged to use encryption is to prevent the forms of eavesdropping common to shared media or party lines.

Eavesdropping is one of several kinds of attacks we call man in the middle attacks. Each man in the middle or MITM attacks involves an attacker (or a device) that can intercept or alter communications between two parties who typically are unaware that the attacker is present in their communications or transactions. Let’s look at two examples of Internet MITM attacks.

The first is called an Evil Twin Access Point attack. When you attempt to connect to a wireless network, your Wi-Fi devices will try to “associate” with a nearby access point (AP). Attackers can use software to turn an ordinary laptop into an access point, and then will use the name of an access point you may recognize or trust so that you or your device will connect to this “evil twin” rather than the “good one” (Original series Star Trek fans will recall the episode “Mirror, Mirror”. Once your device connects to the evil twin AP, the attacker can intercept your company login or credit card information, and he may connect you to the site you intended to visit to perpetuate the deception. The attacker may redirect you to fake web sites, mail servers or other sites where you might unsuspectingly enter personal information or download additional malicious software. (Note: Lisa Phifer offers two excellent technical articles on evil twin AP attacks here.)

The other is called a Man-in-the-browser attack (MiTB). Imagine all the mischief an attacker might make if he could sit “inside” your browser and read or modify what you type or what a website sends to you. Sadly, attackers have gone beyond imagining such scenarios. MiTB attacks make use of a proxy Trojan horse, software that inserts itself between your browser and a web server, typically during a financial transaction or an e-merchant purchase. The attacker can use the proxy Trojan, which is a keylogger, rootkit, a malicious browser helper object or a plug-in, to steal your banking credentials, alter amounts of transactions, or make additional transactions, often during your banking or merchant session.   

Encryption or antivirus software can help, but your best defense against evil twin APs is to exercise caution when connecting to free or unsecured WiFi networks. To protect against MiTB attacks, consider using an anti-keylogger or rootkit detection software, but keep in mind that such malware are commonly delivered via phishing emails or drive-by downloads from sketchy or compromised web sites, so stop and think before you visit sites or open hyperlinks in email messages.

Comments

    Femme mature  01:22 UTC on 22 December 2015

    Nice article

    Celine Boulanger  04:29 UTC on 31 July 2016

    08/01/16 Montreal, QC Montreal is non-copacetic. Naive French-Quebec unilingual uninformed citizens, by the thousands, are unknowingly enabling the MITM schemes for lack of government vulgarized or adapted information via medias. Predators are costing the province $$$$$s. Quebec City's mission should inform all Quebecers since these scams deceive one generation to the unsuspecting generation etc...

Domain Name System
Internationalized Domain Name ,IDN,"IDNs are domain names that include characters used in the local representation of languages that are not written with the twenty-six letters of the basic Latin alphabet ""a-z"". An IDN can contain Latin letters with diacritical marks, as required by many European languages, or may consist of characters from non-Latin scripts such as Arabic or Chinese. Many languages also use other types of digits than the European ""0-9"". The basic Latin alphabet together with the European-Arabic digits are, for the purpose of domain names, termed ""ASCII characters"" (ASCII = American Standard Code for Information Interchange). These are also included in the broader range of ""Unicode characters"" that provides the basis for IDNs. The ""hostname rule"" requires that all domain names of the type under consideration here are stored in the DNS using only the ASCII characters listed above, with the one further addition of the hyphen ""-"". The Unicode form of an IDN therefore requires special encoding before it is entered into the DNS. The following terminology is used when distinguishing between these forms: A domain name consists of a series of ""labels"" (separated by ""dots""). The ASCII form of an IDN label is termed an ""A-label"". All operations defined in the DNS protocol use A-labels exclusively. The Unicode form, which a user expects to be displayed, is termed a ""U-label"". The difference may be illustrated with the Hindi word for ""test"" — परीका — appearing here as a U-label would (in the Devanagari script). A special form of ""ASCII compatible encoding"" (abbreviated ACE) is applied to this to produce the corresponding A-label: xn--11b5bs1di. A domain name that only includes ASCII letters, digits, and hyphens is termed an ""LDH label"". Although the definitions of A-labels and LDH-labels overlap, a name consisting exclusively of LDH labels, such as""icann.org"" is not an IDN."