How to help prevent MITM attacks

Discussion in 'other security issues & news' started by CloneRanger, Sep 6, 2011.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    See what you think of it, & if you find some interesting www's with other ratings/colours as well, show them :thumb:


    DNSSEC "supposedly" protects against man-in-the-middle exploits.

     
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Can you think of another way to protect against MITM?

    Question: Would you trust an extension to run in the same browser you use to access your bank account?

    If the answer is no, then think of another way to protect against MITM, in such situation.
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    No, can you ? Please enlighten us if you can :thumb:

    I don't do online banking :p You mean this extension, or Any ? You think it's dodgy ?

    *

    Funny thing, DNSSEC Validator has an OARC DNS checker option to use, but shows the RED key on their www :D I would have expected them to be GREEN


    Test my DNS http://entropy.dns-oarc.net/test

    I got GREAT on Everything :thumb: but still see the RED key for their www :p

    Also Google is listed as Gold in OARC Members https://www.dns-oarc.net but i see RED ?


    Same without HTTPS ?
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Think about the quote you provided from the BitDefender article.

    What can you come up with based on that info?

    Any extension. Would you access your bank account with a browser running extensions? Or, with a clean one?
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Depends on the type of MITM attack. I don't know enough about this service.

    The best thing to do is to just try and prevent the entire attack entirely by securing your router.
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Unless you mean, for eg, using Tor or a VPN ? In that case they "should" prevent MITMs, other than those options though, & several of my BHO's/Plugins/Extensions, i wish i could say for certain what "might" help prevent such a thing !

    You mean, hypothetically if i did bank online, which i don't, as i said ;) Yes i would, these.

    Calomel SSL Validation / Force-TLS / Ghostery / HTTPS-Everywhere / NoScript / JavaScript Options / RequestPolicy / BetterPrivacy / Adblock Plus / & maybe the DNSSEC Validator too, but i haven't made my mind up on it yet, as i only installed it today.

    Also my Prevx PSOL has a browser BHO/Plugin/Extension which is designed for banking protection, amongst other things, & i & lots of people consider that safe to bank online with.

    If you could be more specific as to why you believe BHO's/Plugins/Extensions "might" not be a good idea, i'm sure more than just myself would like to hear :thumb:

    @ Hungry Man

    From what i've gathered, even having the best router in the world won't prevent MITM attacks. That's because they are performed "somewhere" between your router/modem & your final destination www, in the "infamous" cloud. Feel free to correct me if i'm in error, and/or anyone else :)
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    MITM attacks consist of a few methods. All of them center around the attacker being between you and your destination.

    1) Take over someone's personal router and "set up shop" there.
    2) Attack via public/ shared network (starbucks etc)
    3) Control their DNS/ route them to a DNS you control (through malware)
    4) Control their ISP (you're boned)
    5) Control their government (you're really boned)

    So you should choose a DNS service that you know secures their servers (not by preventing malware but by the methods to actually secure the servers themselves) and you should harden your router as much as possible.

    I don't know of any decent ways to detect certain MITM attacks. There are various methods though and some are more effective than others.
     
  8. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,515
    Only useful if your important website uses DNSSEC. Thanks for the new freebie anyhow.
     
  9. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    wow that is helpful

    i've been a subject for a lot of MITM attacks in the last month


    GOV spying on us :ninja:
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    What happens with this MITM?

    BitDefender says this (Who am I to say otherwise? :rolleyes:)

    The part I emphasised is the key sentence. The fake version of the site will be on a server the attacker controls, correct? Different IP, correct? The only difference being that the domain name is the same, hence DNS spoofing. But, the IP is different.

    Now, I won't say that this will be possible for everything, because it won't, as it will be impossible to keep track, but for things like home banking you can protect yourself against it by restricting communications to your bank server IPs.

    Bank IPs don't change that often, and there are 2 or 3 IPs tops (that's the number of IPs both my relative's bank and mine (different banks) have), constantly changing, even within a single session. Find out what the IPs are and restrict the browser you use to connect only to those IPs.

    In case a MITM attack occurs, you won't* be able to communicate with either of the servers, bank's and attacker's. You'll know something is wrong.

    The IP is different, and that's what you got to remember.

    -edit-

    You won't ever communicate with the bank. You would be communicating with the attacker, and the attacker with the bank on your behalf. Hence, you wouldn't be able to get in touch with either of the servers.
     
    Last edited: Sep 6, 2011
  11. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    What i said ;)

    Great, please spill the beans :thumb:

    Pleasure :)

    @ m00nbl00d

    Re - redirecting users to a fake version of the site

    Yeah i get all that :) What about the BHO's/Plugins/Extensions you asked about me using ? How would they affect MITM ?
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    When I say "various methods" I don't mean of protection. I mean of using MITM.

    And MITM attacks do not necessarily show you a fake version of the site. They can show you a very much legitimate version of the site.

    And the IP doesn't necessarily have to be different. In an example with SSLStripper it absolutely doesn't have to be a different IP. What I'm curious about is whether the IP would actually be different with a spoofed certificate in a more typical MITM.
     
  13. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Gotcha ;)

    Yeah that's a bad boy for sure :eek:

    Good question :thumb:
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I think your computer makes the IP request as always, the attacker gets it and does his thing, and then he continues to show google your address as per a typical connection. No IP changes necessary, unlike a DNS poisoning attack.
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Wouldn't restricting communication to port 443 (https) take care of that, though?

    I'm not that familiar with sslstripper. I've heard of it (not sure where), but never really looked much into it, as I believed restricting communications to port 443 (https) would take care of that.
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yes, I believe it would. But it would break any sites that don't use HTTPS.
     
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Which is why it's a good idea to have two separate browsers. One for general browsing and another one for home banking. It's my opinion, anyway. ;)

    And, you're right that the website doesn't have to be a fake. I meant as a fake the server/website. I believed that the communication initiated by the user was/is diverted by the attacker to his/her own server, and from the attacker's server he/she (the attacker) would be the one actually contacting with the bank/other, while the user still believed he/she was communicating with the bank?

    I'm not talking about SSLstripper, as restricting to port 443 would take care of that.
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    That would break SSLStripper but not necessarily a MITM attack. (Ah, I see you got to that at the end of the post)

    Yes, it would go User -> Attacker -> Bank (or whatever) but the user would still be sending to the bank's IP and the bank would still be sending to the User's IP.
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Regarding the SSL certificate. I got this from OWASP website:

    Source: https://www.owasp.org/index.php/Man-in-the-middle_attack

    The user will be establishing a connection to the attacker's server, which I believe would be on a different IP? Then from there, the attacker would initiate a new SSL connection to the bank's web server (in my example).

    To make it look legit, then the attacker would use a stolen certificate, like recent events showed us.
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yeah, the thing I'm still wondering about is if it's a different IP. If your attacker has control over your router you'll make IP request X and the router will redirect to Y, Y goes to the endpoint Z and then back and forth. All the while X and Z should be making their typical IP requests with Y redirecting them.

    Gonna need someone who knows the specifics. I may ask a friend.
     
    Last edited: Sep 7, 2011
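    Added example (not code from any poster in this thread): a pre-visit check that combines the idea from post #10 of restricting a banking session to the bank's known addresses with a certificate fingerprint pin, which also catches the swapped-certificate case raised in posts #12 and #20, where the traffic still flows to the genuine IP. The host name, address range and pin are placeholders; the allow-list and pin are assumed to have been recorded earlier on a network you trust.

```python
"""Pre-visit checks for a sensitive site (home banking in the thread's example):
1. every address the name resolves to must fall inside an allow-list recorded earlier;
2. the leaf certificate's SHA-256 fingerprint must equal a pin recorded on a trusted network.
Check 1 catches DNS spoofing to a different IP; check 2 catches a swapped certificate
even when the connection still goes to the genuine IP (the hijacked-router case)."""
import hashlib
import ipaddress
import socket
import ssl

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, colon-separated hex as browsers display it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def pin_matches(der_cert: bytes, pinned: str) -> bool:
    """Compare ignoring case and colons, so a pin copied from a browser dialog works."""
    normalise = lambda s: s.replace(":", "").upper()
    return normalise(fingerprint(der_cert)) == normalise(pinned)

def unexpected_addresses(resolved, allowed_networks):
    """Return the resolved IPs that lie outside every allowed network (a spoofing signal)."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    return [ip for ip in resolved
            if not any(ipaddress.ip_address(ip) in net for net in nets)]

def resolve(host, port=443):
    """All addresses the local resolver returns for host (sorted, de-duplicated)."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def fetch_leaf_der(host, port=443):
    """Fetch the server's leaf certificate over TLS and return it DER-encoded."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)

if __name__ == "__main__":
    HOST = "bank.example"                                   # placeholder host
    ALLOWED = ["203.0.113.0/24"]                            # placeholder range (documentation block)
    PIN = "replace-with-pin-recorded-on-trusted-network"    # placeholder pin
    bad = unexpected_addresses(resolve(HOST), ALLOWED)
    cert_ok = pin_matches(fetch_leaf_der(HOST), PIN)
    print("addresses outside allow-list:", bad or "none")
    print("certificate pin matches:", cert_ok)
    print("SAFE to open" if not bad and cert_ok else "DO NOT open: possible MITM")
```

    Run it before each banking session; a non-empty address list or a pin mismatch is the "something is wrong" signal the thread describes, and a mismatch after a legitimate certificate renewal means the pin needs re-recording on a trusted network.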
  21. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  22. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ m00nbl00d

    Can you please expand more about the BHO's/Plugins/Extensions you asked about me using ? How would they affect MITM ?

    Look forward :)

    @ MrBrian

    Thanks :thumb: I've been using Calomel SSL Validation for some time :thumb:
     
  23. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    With Firefox it involves JavaScript. Extensions can execute JavaScript at the same level as the user and even sometimes as Admin. Also Firefox does a lot of DNS work itself, like with Prefetching. If the Firefox DNS info gets altered with malicious intent through an extension, it will affect what results are listed, like in Google, populating your results with malware-infested links.

    Extensions that would be more of a problem, I think, are extensions that update themselves frequently. This would make it possible for the extension creator or another attacker to control the browser through Firefox's built in functionality.
     
  24. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Searching_ _ _

    Thanks for posting :thumb: wonder where m00nbl00d's gone ?

    As i mentioned earlier, amongst other things i have NoScript on Max. Also i have disabled Prefetching, & 99% of the time i use HTTPS Scroogle.

    I do however take on board your general points/advice about the Firefox DNS info, & extensions that can update themselves.

    *

    My main interest is not getting infected with malware via MITM, but rather how we could/can prevent, or help prevent, and/or detect MITM interference by WHOEVER, somewhere/anywhere between our router/modem & the www's we Choose to visit.

    *

     
  25. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    :ninja: :D

    My initial post regarding extensions had a simple fact: They can get access to whatever they want and send it back to their creators.

    Imagine you do home banking (I know you don't, but suppose you do.), would you trust ANY extension with that much power? Would you put all of your trust in NoScript's developer, etc? Can't any of them simply go rogue?

    Extensions, if people must use them, are good for general web browsing to block ads and that crap if their browser doesn't do it natively, or if they don't want to use a hosts file, for example. But, keep them out of your browser when accessing your bank account and other sensitive information.

    The same could be said about security vendors. We all know some security vendors have been hacked in the past, and some twice/ more than twice.

    What if an attacker gets hold of, say, Prevx (I hope Joe won't come with a bat!) or Trusteer servers? :eek:

    In the end, it's all about trust. What do you think would happen faster? An extension developer going rogue or a security vendor getting hacked? o_O

    If you really got to take care of bank affairs, go there in person. lol
     