Active man in the middle (MITM) attacks: Latest threat on the block

Newer man in the middle attack forms are slowly making their presence felt. In this feature, we take an overview of such active man in the middle attacks.

Today, surfing the internet over an unsafe network may result in being subject to man in the middle (MITM) attacks — a major threat for such surfing activity. While this is public knowledge, most users are not very worried about websites which don't require username or password details. Imagine the situation where you visit such a (news, weather or sports) site, and the blackhat hacker still manages to get critical data (like your bank account's username and password)! This is a possible scenario, according to a team of engineers from the Rational Application Security group at IBM's Israel Software Lab.

Popular MITM methods allow attackers to listen, as well as alter requests and responses transmitted over the network. In such breaches, the attacker has to wait till victims to connect to a specific site. Adi Sharabani, the Security Research Group Manager of Rational Application Security for IBM's Israel Lab refers to such interception methods as a passive man in the middle attack. In case of the new threat which Sharabani refers to as an "active MITM", attackers don't need to wait for victims to surf through specific sites. "The attacker can cause victims to automatically surf specific sites by injecting IFRAME," explains Sharabani.

Characteristics of active MITM attacks
• Not noticed by the user.
• Web sites do not detect active MITM.
• IPS and IDS usage will not block active MITM attacks.
• Can be persistent.
• May be used to hack into the organization's local network.
• Bypasses firewalls and VPNs.
• Can be used to access non-HTTP servers.
• May be clubbed with DNS pinning techniques.
• Requires only a single plain HTTP request to be transmitted.

 Assume a scenario where you visit a site which offers weather forecasts. Using an "active" MITM attack, the hacker can inject an invisible frame that connects to your bank site. As soon as you open the weather site, the browser is modified to open this invisible frame and automatically send a request to the bank. "The attacker steals sensitive information such as cookies, cache and auto completion information from your browser. Then he waits for your browser to fill in the username and password to get access into your account," says Sharabani.

Using the active attack method, a hacker can not only steal information connected to your past Web browsing sessions (including cookies or form fillers), but also use scripts to grab entered information. So while you browse a particular site of interest to the attacker, he can poison the cached webpage. A compromised webpage is delivered when you try to connect with this site in the future. Sharabani says that active MITM attacks can happen in wireless and wired networks.

Although active MITM displays all characteristics of being a dangerous attack, Sharabani is unable to provide real life examples of such attacks. He explains that users can proactively protect themselves from such attacks by clearing sensitive repositories (which include cache, cookies and auto form fillers) before and after surfing on an unsafe network. It can also be performed automatically by the organization. However, such a 'clean slate' policy could create usability problems, observes Sharabani.

The user can also use two different browsers to browse over safe and unsafe networks. Browsers like Google Chrome offer such a solution, where the browser can open a separate window (which does not store his activity history) for the user. Another way to prevent active MITM attacks is to tunnel all communication through a secure proxy, since even a single HTTP request can result in such an attack.

When it comes to wireless connections, organizations must focus on using secure WiFi connections to avoid active MITM attacks. "Protocols to prevent man in the middle attacks are now available in wireless routers, but these functionalities are not widely used. If organizations start to implement these wireless components, vendors of such wireless routers will enable these protocols by default. In turn, this will substantially reduce man in the middle attacks," says Sharabani.

Sharabani also offers active MITM remedial measures for website owners. According to him, active MITM leverages the default inability to maintain integrity over the Internet. This attack is executed by manipulating the original HTTP request. SSL tries to address this issue to a certain extent by clubbing integrity and confidentiality using encryption. However, SSL takes a heavy toll on CPU resources, thus restricting its usage. Hence Sharabani feels that there should be a new standard protocol that provides only integrity, and is faster than SSL.

Read more on Hackers and cybercrime prevention