Man in the Middle Attack?

Discussion in 'other security issues & news' started by siblingrivalry, Dec 10, 2004.

Thread Status:
Not open for further replies.
  1. siblingrivalry

    siblingrivalry Registered Member

    Joined:
    Dec 10, 2004
    Posts:
    2
    Hi all:

    I'm no IT guru or network admin but I am well enough acquainted with security to suspect something screwy is going on.

    To set the stage, I just deposed my oldest brother (a wannabe IT guru) from the role of power of attorney for my 83 yr old mom's affairs. Near as I can figure, he's taken or stolen ~$100K from her assets in the past 4 years. Now I hold the POA and am trying to piece together a forensic accounting of what he'd done (no job, but a new Harley in August, a Walther PPK in April, it just goes on and on).

    Wednesday, my brother and I were emailing by replying and appending to an existing email thread, in a 3-way harangue with a 3rd brother, when suddenly the message went from ordinary HTML-looking text to the message "This body part will be downloaded on demand", which I assumed meant that he'd just attached some malicious code to it and Mozilla left it on the server for me to decide whether to open it or not... to which I responded to him and my other brother by asking them to send it again, in plain text only, since it looked like there was a virus or some other problem with the message. 3 new attempts, same "This body part will be downloaded on demand" message. (Maybe this is some kind of ironical insider IT humor I'm not getting or what o_O) Anyway, I wrote each back individually suggesting that they should each respond to me at other (different) email addresses to continue the thread. Other mail arrived at the IMAP server just fine, even though coincidentally (I hope) it just so happened that my employer's self-generated SSL certificate had expired that very morning. I tested with a variety of emails, and was ready to pass it off as a networking glitch due to this but for what followed later.



    On the PC I use most often for mail, I use Mozilla Mail (v1.5), and am as MS-free as I can be on the old IBM ThinkPad laptop PC; I removed Outlook, don't use Office, still on patched Win98, behind two firewalls, one is a just-patched Win2000 server, I am also behind a Linksys router. The other machine on the LAN is a G4 Mac running OSX Panther (latest security patches). While my boss uses PuTTY/Pine and plain text only, from where I live my only option for connecting to the net is a satellite ISP, and I can't stomach the latency delay of typing at a dumb terminal over a Starband link to remotely access my employer's Linux email server (as my PhD boss does... he's been using it since the 70's apparently). So I instead access our IMAP mail server using 128bit key SSL encryption/tunnelling to get in. I never open any attachments that are screwy, and have had few problems 'til now, even though I don't have Norton AV or anything else running on the PC.

    Talked to both brothers via the phone and calmer emails today, so I might have simply shrugged it all off, but today I had to .pdf some documents to the attorney. Easier to do on the Mac, which sent via my hotmail account no problemo (still cautious too that the security might have been compromised on my IMAP machine). Later when trying to connect to Hotmail from the G4 Panther machine, I got the following Mozilla v1.6 message:

    "Could not verify this certificate because the issuer is unknown."

    I've saved the details including the fingerprint strings.

    Should I be concerned about a man-in-the-middle attack? I did connect with it on this and other machines today, am I safe connecting with hotmail to change the p/w from another URL address?

    If it turns out that I have good reason to be concerned, what agencies deal with this? (I seem to recall that this is a Secret Service issue? I'm in CA and my brothers are in PA.)


    My attorney suggested looking for help on this forum, sorry about the looong post...
     
  2. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Interesting question. I would not discount a MITM, especially considering your brother's familiarity with computers. As long as you and the third brother could possibly communicate using Mailvault.com or Hushmail, the problem of altered data and the integrity of your email should be a thing of the past. Or, as quaint as it may sound, consider a letter, envelope and postage stamp. Faxing handwritten letters is also an idea to thwart such an attempt by your brother to possibly cause confusion and mischief. I'm sorry to hear about your troubles. I recently experienced something very similar after the death of a loved one; it can be very stressful. Here's to a better 2005.
    Good luck.
    Gerard
     
  3. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    Some points of interest for me while reading your thread...

    When you were emailing with your brothers you mentioned that you got a message that stated "This body part will be downloaded on demand." Is your email client configured to read emails in only plain text? Was there any type of encryption being used? Usually "on demand" means it will require some user action for the download/installation to take place though. But it is hard to tell in your situation what really happened.

    "from where I live my only option for connecting to the net is a satellite ISP"
    I am not too familiar with satellite but you may want to check if all communication is encrypted and by what standard. Non-encrypted wireless makes it a lot easier for man-in-the-middle type attacks.

    Are you using a program like stunnel when you say... "So I instead access our IMAP mail server using 128bit key SSL encryption/ tunnelling to get in."

    And I notice you mention not using antivirus software. And you are using an old version of Mozilla. A vulnerability in 1.6 can also "prevent users from accessing valid SSL sites by placing invalid root certificates" (http://secunia.com/advisories/12076/). You should definitely take action in these two areas. And once again make sure all your computers are fully patched, especially your Windows computers.

    Man-in-the-middle attacks are usually not very common, especially when there are much easier ways to achieve the desired result. I would not rule it out completely in your case though.
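The original poster says the certificate details, including the fingerprint strings, were saved when the "issuer is unknown" warning appeared. The useful follow-up to that is a comparison: fetch the certificate the server presents now, ideally over a different network path than the one that produced the warning, and check its fingerprint against the saved one. The script below is an added example written for this thread, not code from any poster or from Mozilla. It assumes the saved fingerprint is in the colon-separated hex form browsers display, and it uses a constructed byte string as a stand-in for DER certificate bytes so that it runs offline; a real run would call `fetch_der()` against the host in question. Older clients displayed SHA-1 and MD5 fingerprints, so the algorithm name is a parameter.

```python
"""Compare a TLS certificate's fingerprint with one saved earlier.

Added example, not code from the thread. A saved fingerprint is only
useful if it is compared, byte for byte, with what a server presents
later. A mismatch between two fetches of the same host over different
network paths is the concrete signal that something sits in between.
"""
import hashlib
import hmac
import re
import socket
import ssl

_NON_HEX = re.compile(r"[^0-9a-f]")


def normalize(fp: str) -> str:
    """Reduce 'AB:CD:...' / 'ab cd ...' / 'abcd...' to plain lowercase hex."""
    return _NON_HEX.sub("", fp.lower())


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Return the colon-separated, upper-case fingerprint browsers display."""
    digest = hashlib.new(algo, der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2)).upper()


def matches_saved(der: bytes, saved: str, algo: str = "sha256") -> bool:
    """True when the presented certificate matches the saved fingerprint.

    The saved string may use any case and any separator. The length
    check catches a fingerprint saved with a different algorithm, which
    would otherwise always compare unequal and be mistaken for tampering.
    hmac.compare_digest keeps the comparison constant-time.
    """
    expected = normalize(saved)
    if len(expected) != hashlib.new(algo).digest_size * 2:
        raise ValueError(f"saved fingerprint is not a {algo} fingerprint")
    current = normalize(fingerprint(der, algo))
    return hmac.compare_digest(current, expected)


def fetch_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Fetch the leaf certificate a server presents, in DER form.

    Verification is disabled on purpose: the goal is to inspect the
    certificate behind a warning, not to trust it. Only the TLS
    handshake is performed; no application data is sent.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-in for DER certificate bytes (not a real certificate),
# so the comparison logic can be exercised offline.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
# What a user would have written down when the warning appeared.
SAMPLE_SAVED = fingerprint(SAMPLE_DER)


if __name__ == "__main__":
    import sys
    # Usage: python cert_fp.py HOST SAVED_FINGERPRINT [ALGO]
    host, saved = sys.argv[1], sys.argv[2]
    algo = sys.argv[3] if len(sys.argv) > 3 else "sha256"
    if matches_saved(fetch_der(host), saved, algo):
        print("match: server presents the saved certificate")
    else:
        print("MISMATCH: certificate differs from the saved one")
```

Run it once from the network that produced the warning and once from another path (a different ISP or a phone tether); the saved fingerprint should match both. If the fingerprints differ between paths, the certificate is not the one the site's operator serves, and that is the observation worth taking to an administrator or investigator.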
     
  4. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    That's very good, rerun. I realized reading your reply that I focused on avoiding problems in the future rather than what may or may not have happened.
     
  5. siblingrivalry

    siblingrivalry Registered Member

    Joined:
    Dec 10, 2004
    Posts:
    2
    Thank you for the replies.

    I just double checked; both "use SSL" and "use secure authentication" are checked in Mozilla IMAP server setting preferences. But I haven't been digitally encrypting each message beyond that, to date.


    Our IMAP mail server does ordinarily pass HTML text messages, and I am very alert & cautious about opening attachments. I haven't had time to keep up with every vulnerability and I understand that there have been instances of malicious Java code and other nasties that don't require opening up attachments on unpatched ActiveX enabled machines, etc. Hence good ole '98, ActiveX is disabled.

    Not long after I posted, I noticed the Secunia alert on the tabbed browsing vulnerability, which got me to wondering if I may have had another tab open at the time of the Hotmail certificate alert. It's possible.

    Just downloaded the latest version of Moz 1.7 for the Mac, hopefully the certificate spoofing vulnerability should be cured.

    Hopefully, this is all me just being paranoid-- but better safe than sorry.

    Thanks again
     
    Last edited: Dec 13, 2004
  6. CheckM8

    CheckM8 Guest

    If a user gets a message with an attachment and sees the following message:

    "This body part will be downloaded on demand"

    There is a setting in Mozilla you can check that should solve the problem.

    On the Menu Bar in Mozilla, click on "VIEW". Halfway down the list, there is an option "Display Attachments Inline". If there is no check mark to the left of this option, click on it to enable the option.
     