MITM Attacks and Prevx/SOL

Discussion in 'Prevx Releases' started by CloneRanger, Apr 13, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @PrevxHelp

    Hi, I saw you respond in post 12 here https://www.wilderssecurity.com/showthread.php?t=269917

    I would be very interested to know if P/SOL is able to protect us from MITM attacks etc., with regards to the following types of scenarios?

    Law Enforcement Appliance Subverts SSL

    https://www.wilderssecurity.com/showthread.php?goto=newpost&t=268422

    In particular a product such as this for example http://www.packetforensics.com/govt.safe

    I believe now the cat is out of the bag, and these types of attacks, and similar, are not fiction any more; they potentially pose a really great threat. Whether it's .GOV snoops and the like, using those " not so secret anymore " :p pipes etc. in San Francisco and elsewhere, or the other regular bad guys intercepting/altering etc. our data flow.

    I know it sounds a lot to ask, but I'm asking :D as you mentioned MITM. I don't expect an immediate answer as there is a fair bit to digest, 10 minutes is ok though :D
     
  2. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    Excellent post/contribution. Was not aware that an SSL chain break-in is possible that way.

    Recently had Opera problems with recognising the VeriSign class 3 SSL certificate on https://www.gmx.net. At first I was suspecting a flaw in Opera, but now... ...Opera is perhaps just doing its job right; the site mentioned belongs to one of the largest email providers in Germany and would certainly make a perfect target for any surveillance body.

    On IE8 SafeOnline says the certificate is ok though. Cannot test on Firefox as I'm on 3.7 and SO is not yet compatible.

    Curious what PREVX will reply to you.
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @vtol

    Thanks :thumb:

    Me too :)

    @PrevxHelp or someone from Prevx

    Nudge Nudge ;) ;)
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The issue of a physical man in the middle attack is indeed a difficult one to circumvent. If someone is able to track all of the traffic from your PC by inserting a physical device between your PC and the ISP, there isn't anything that any software product can do to fully circumvent it. Without trying to toss lighter fluid on the potential privacy fire, it would be fair to note that this type of situation is quite rare and it would likely be easier to break into one's house and steal their credentials from the physical PC sitting at their desk than to manipulate the connection at the ISP/routing point level :)

    However, it would be interesting to see what legislation comes from this - there are cases where a court can serve a warrant to an ISP to get traffic logs and irrespective of how secure the transmission may seem, there isn't much that can be done at that level to get around a government mandate.

    Although it may seem to be a great way to snoop on a user, it will require physical access so I'd recommend locking any cable connection points with a physical lock or still having an identity monitoring service if you are a high net worth customer and more likely to be a threat by a manual attack.

    Can a piece of drive-by malware from a Russian website cause this?... no it cannot :)

    Without trying to fuel any other conspiracy theories, it would still be far more likely in my personal opinion for a bank teller to steal data in person or physical ATM machines being compromised (i.e. http://www.fiercefinanceit.com/story/ex-bank-america-employee-accused-atm-fraud/2010-04-10)

    It is a difficult world to live in when trying to secure your livelihood, which is why SafeOnline tries to add as many layers of protection as possible :)

    I hope that answers your question without me being on my soapbox for too long! :D
     
  5. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    Assuming we are talking about a MITM attack against a secure site, say your banking website, then there are two critical aspects/possibilities:

    1. A DNS hijack to a fraudulent site. That site may still have its own SSL certificate, but the certificate validation checks will fail against the common name. It is down to the user whether they act upon the warnings their browser issues. There are steps SOL could take here to tighten up the security when this event happens, to ensure the connection doesn't proceed.

    2. The fraudulent website has obtained a copy of the private key of the genuine website. In that situation it is game over. However, the liability clearly lies with the website. The only possible way SOL could help in that case is if it kept a list of the IP address ranges associated with each banking website when you visit it. If you suddenly find yourself going to the same site in Russia, even though it has the correct SSL certificate, alarm bells could be sounded.
     
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    A DNS level hijack will be detected by SafeOnline - it cross references the DNS that is being resolved on your PC with the global resolution either supplied by the bank itself or fed from our other users. It allows us to quickly get a picture of which websites are legitimate and which aren't :)

    Similarly to #1, SafeOnline compares the IP address during the DNS verification to try to find malicious websites automatically. We have blacklisting functionality for IPs/DNS servers but we primarily work off of our triangulation. Granted, there is some leeway allowed (i.e. for websites hosted via Akamai or servers that have multiple data centers in different countries) but if the target website is popular enough to have been seen by a handful of users across the Prevx community, it will automatically have full protection of the resolution and destination of the website :)
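Scoobs72's two checks (certificate name must match the host; the resolved IP should fall inside the ranges previously seen for that site) and PrevxHelp's description of cross-referencing the local resolution against reference data with leeway for multi-datacenter hosting, worked as an added Python example. This is not SafeOnline's code; the host name, prefixes and certificate names are constructed sample data, and the reference set stands in for whatever a real product would feed from the bank or its user community.

```python
import ipaddress

# Constructed reference data: prefixes a site has previously been observed
# resolving to. More than one prefix per host models the "leeway" needed for
# CDN-hosted or multi-datacenter sites.
KNOWN_PREFIXES = {
    "bank.example": ["192.0.2.0/24", "198.51.100.0/25"],
}

def dns_resolution_matches(host, resolved_ip, known=KNOWN_PREFIXES):
    """Cross-reference the locally resolved IP against reference prefixes.
    Returns (True, reason) on a match, (False, reason) when the IP lies
    outside every known prefix (DNS-hijack style redirection), and
    (None, reason) when there is no reference data to judge against."""
    ip = ipaddress.ip_address(resolved_ip)
    prefixes = known.get(host)
    if not prefixes:
        return (None, "no reference data for host")
    for prefix in prefixes:
        if ip in ipaddress.ip_network(prefix):
            return (True, f"{resolved_ip} within known prefix {prefix}")
    return (False, f"{resolved_ip} outside all known prefixes for {host}")

def hostname_matches_cert(host, cert_names):
    """Case-insensitive match of host against the certificate's CN/SAN names.
    A single leading wildcard label (*.example.com) matches exactly one label,
    so it does not match the bare domain or a deeper subdomain."""
    host = host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False

def check_connection(host, resolved_ip, cert_names):
    """Combine both checks into a verdict: a name mismatch or an IP outside
    the known ranges blocks; an unseen site is allowed with a warning."""
    if not hostname_matches_cert(host, cert_names):
        return "block: certificate does not match hostname"
    ip_ok, reason = dns_resolution_matches(host, resolved_ip)
    if ip_ok is False:
        return f"block: {reason}"
    if ip_ok is None:
        return f"allow with warning: {reason}"
    return f"allow: {reason}"
```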
     
  7. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @PrevxHelp

    Thanks for replying :thumb:

    That was one scenario; the other is MITM anywhere between our PC and our final destination(s)?

    If I've understood correctly, which I may not have :D P/SOL only prevents MITM attacks locally within our PC?

    Not faulting that, even if that's what P/SOL does, it's great to have :thumb: Just wanted to be clear about its capabilities, don't expect miracles ;) Well not this week anyway, but v4 :D

    So we're safe from the Ruskies :thumb: but what about everyone else :D Only kidding ;)
     
  8. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    It seems to me that if your DNS servers were hacked and you were being sent to another IP with a fake 'trap' site, SOL would warn you that the IP is not correct, so that would mean the protection is not restricted to locally within your PC.
    But I'm not 100% sure, so please correct me if I'm wrong.
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    This is exactly correct - SafeOnline's protection extends from the local PC to the resources that the PC uses (the DNS servers and individual IP addresses).

    The point which I believe CloneRanger was making in the first post is that it is possible for someone along the line (physical line :D) to covertly insert another physical device which can capture traffic and at that level, it is virtually impossible for any software to detect it (the only possible way would be to track resolution times and warn if something appears to have been added, but because of the dynamic nature of the internet, this is likely unfeasible).
     
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @PrevxHelp

    Yes I was ;) and locally in general as well, in fact any which way.

    Re my earlier link http://www.packetforensics.com/govt.safe

    So we're all screwed then :( But wait, what about SteveTX's comments ? https://www.wilderssecurity.com/showthread.php?t=268422

    Sanctuary or?
     
  11. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    As SteveTX is pointing out, it is their certificate (issued by them?) inside their software. Which in my understanding does not work with e.g. webmail providers, because:

    A: a webmail provider does not issue its own certificates, not being a certifying body such as VeriSign

    B: they do not have their own software but rely on the user's browser

    This is just one example; of course it makes sense that banks work with their own certificates and software, however the majority of SSL sites do not.

    Also Prevx would not work on the banking software but with the browser, and thus I would think is irrelevant for Prevx. Reckon Prevx cannot deal with certificates if forged/issued by a trusted signing authority in favour of any surveillance body.
     
    Last edited: Apr 16, 2010
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Re: MITM Attacks and Prevx/SOL - DNSSEC the cure?

    We have not investigated this yet but it will likely be implemented at the operating system layer as it requires some fundamental protocol changes.
     
  15. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    Re: MITM Attacks and Prevx/SOL - DNSSEC the cure?

    Great to hear, if you get it to work.
     