Malcolm in the Middle

It almost sounds like the TV show 'Malcolm in the Middle', but it isn't, and there isn't anything funny about it.
Man-in-the-Middle attacks are the sophisticated ways an attacker injects themselves into the communication stream in order to intercept information.

If you have ever worked in a large corporate office, you have most likely seen a type of Man-in-the-Middle attack without even knowing it. 
Most large organizations filter web traffic in order to protect themselves from malicious actors; this type of traffic interception by authorized companies is legitimate. 

The type of traffic interception we are talking about is the illegal kind.

Bad actors (no pun intended) intent on intercepting your traffic will hijack your DNS (Domain Name Service) in order to control the flow of traffic over the Internet.  The DNS is simply a service that everyone in the world uses in order to navigate the Internet; it converts domain names like into an IP address.  If the bad guys control your DNS, they can route your traffic through an intermediary and unpack your secure information, then re-package it and send it to you.

Ok, imagine your Aunt Patty,
Aunt Patty with Mittens and Furball
She is sending you a box of cookies and she mails you a box that has her own brand of tape securing the box.  The box makes its way to your local post office where Dan, an unscrupulous individual, wants a cookie.  He sees that Aunt Patty has secured the box with her own special tape, but Dan also has that special tape, so he cuts into the box, gets a cookie, maybe even replaces the cookies with fruitcake, and reseals the package and sends it on to you, none the wiser because the box is secured by the same tape Aunt Patty uses.  You get the box, open it up, and let's say you know Aunt Patty doesn't make fruitcake, so you send her a letter asking about the unexpected contents.  Dan, always on the lookout to cover his tracks, intercepts your letter, opens it and changes the letter to say 'Thank you for the cookies!', re-packages the letter and sends it on to Aunt Patty.  Nobody is the wiser because Dan is controlling all communication between you and your Aunt Patty.

So how does this actually work? 
Let's say you have a wireless router but you have failed to change the default username and password, leaving it as admin/admin.  Bad actors are constantly scouring the Internet looking for exactly these types of mistakes in order to exploit them.  Your wireless router normally obtains its DNS server settings from your Internet Service Provider (ISP), but those settings can be changed, and our bad guy can point them at DNS servers they control.  Once they are 'in the middle', they can control where you are going and can see everything, even if it is encrypted.

How do we know if there is a Man-in-the-Middle attack going on?
The best way to see if you are falling victim to a Man-in-the-Middle attack is to look at the certificate for the site you are visiting. 
In the address bar of most web browsers you will see a little lock indicating you are on a secured site using SSL (encrypted):
SSL Encrypted Web Page
If you click on the lock, you can get more information about the site.  Depending on your browser, you can look at the certificate information for that site:

You can view the certificate of any page

Google's certificate information

Keep looking until you find the fingerprints:

Google fingerprint

Now, if you were a bad guy, this fingerprint would be hard to forge, and you wouldn't be able to falsify your 'Organization' name information.
In companies that use this method to control the flow of data in and out of the organization, the 'Organization' name will most likely be your company's name, or the name of the vendor they use to decrypt and re-package secure data.

In order to confirm there is no Man-in-the-Middle, or to check to see if your organization is looking at your secured data, go to
Steve Gibson, a well-known expert in the field of Information Technology and co-host of the podcast 'Security Now' (you can get it here, or you can subscribe to the series as an RSS podcast).
Steve has put together a page of known-good certificate fingerprints for popular sites.  If you compare the fingerprint of the security certificate you are shown against the values listed on that page, you can tell whether someone has been sitting between you and your intended website.

Let's verify the fingerprint of Twitter using Steve's page.  First, let's see what Steve has: fingerprint site

Let's open up Twitter in a web browser and click the lock, then click on 'View Certificate':

Twitter security page

We can see that the SHA-1 fingerprint of the certificate matches the one listed on Steve's fingerprinting page:

Twitter certificate information

Now we know that there isn't anything between us and this website decrypting and re-packaging our traffic, therefore it is secure!
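The manual check above (click the lock, find the fingerprint, compare it with a trusted list) can be scripted. The following is an added example, not code from this article or from Steve Gibson's site. It uses only Python's standard library and assumes you have copied a fingerprint from a trusted reference into KNOWN_FINGERPRINTS; the value there is a constructed placeholder. It hashes the raw DER certificate exactly the way the browser's certificate viewer does, defaults to SHA-256 (modern browsers show SHA-256, while reference pages from the article's era list SHA-1, which the `algorithm` argument also accepts), and fetches the server's certificate without chain validation so that a forged certificate is examined and compared rather than rejected unseen.

```python
"""Compare a site's certificate fingerprint with a known-good value.

Added example (not code from the original article).  Assumes you obtained
the expected fingerprint out-of-band, e.g. from a reference list like the
one the article describes, and that this runs on a machine you trust.
The entry in KNOWN_FINGERPRINTS below is a constructed placeholder.
"""
import hashlib
import hmac
import ssl

# Constructed placeholder table: hostname -> expected fingerprint.
# Fill it from a trusted reference, not from a browser on the machine you
# suspect is being intercepted (that browser would show the forged cert).
KNOWN_FINGERPRINTS = {
    "example.invalid": "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:"
                       "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF",
}


def fingerprint(cert_der: bytes, algorithm: str = "sha256") -> str:
    """Hash the raw DER certificate and format it the way a browser does.

    The 'SHA-1' / 'SHA-256' fingerprint in a certificate viewer is nothing
    more than this digest of the DER bytes, written as colon-separated hex.
    """
    digest = hashlib.new(algorithm, cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_from_pem(cert_pem: str, algorithm: str = "sha256") -> str:
    """Accept the PEM text a browser or openssl exports and fingerprint it."""
    return fingerprint(ssl.PEM_cert_to_DER_cert(cert_pem), algorithm)


def fetch_certificate_pem(host: str, port: int = 443) -> str:
    """Fetch the leaf certificate the server presents (network call).

    With ca_certs left at None, ssl.get_server_certificate does no chain
    validation.  That is deliberate: we want to see and compare whatever
    certificate is presented, forged or not, instead of failing on it.
    """
    return ssl.get_server_certificate((host, port))


def matches(observed: str, expected: str) -> bool:
    """Constant-time comparison tolerant of case and separator differences."""
    def normalize(value: str) -> str:
        return value.replace(":", "").replace(" ", "").upper()
    return hmac.compare_digest(normalize(observed), normalize(expected))


def check_host(host: str, known=KNOWN_FINGERPRINTS, fetch=fetch_certificate_pem,
               algorithm: str = "sha256") -> str:
    """Return 'ok', 'MISMATCH', or 'unknown' (no reference value for host).

    A MISMATCH means the presented certificate is not the one on your
    reference list.  Before concluding there is a man-in-the-middle, refresh
    the reference: sites renew certificates, and the fingerprint changes too.
    """
    if host not in known:
        return "unknown"
    observed = fingerprint_from_pem(fetch(host), algorithm)
    return "ok" if matches(observed, known[host]) else "MISMATCH"


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        print("usage: python check_fingerprint.py HOST [HOST ...]")
    for name in sys.argv[1:]:
        try:
            print(name, check_host(name))
        except OSError as exc:
            print(name, "connection failed:", exc)
```

Run it on a machine you trust, for example `python check_fingerprint.py twitter.com` after adding that host's trusted fingerprint to the table. One caveat the article does not spell out: every certificate renewal changes the fingerprint, so a MISMATCH means "not the certificate on my list", and the list has to be refreshed from a trusted source before concluding that someone is in the middle.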

How do we avoid the Man-in-the-Middle attack?
1. Make sure the equipment in your control has all default usernames and passwords changed (wireless routers, IoT devices, etc.).
2. Use a VPN ( of course!) when connecting to unsecured or public WiFi; encrypting your connection with a VPN overrides the DNS settings those access points hand out.
3. Be aware of oddly formed web pages, unexpected pop-ups, and broken page encryption (certificate mismatches that the browser reports).


Keep watching our articles for more information on Information Security, and VPNs.


