May 08, 2007

Threatwatch: Still searching for the economic MITM

One of the things we know is that MITMs (man-in-the-middle attacks) are possible, but almost never seen in the wild. Phishing is a huge exception, of course. Another fertile area is wireless LANs, especially around coffee shops. Correctly, people have pointed to this as a likely area where MITMs would break out.

Incorrectly, people have typically confused possibility with action. Here's the latest "almost evidence" of MITMs, breathtakingly revealed by the BBC:

In a chatroom used to discuss the technique, also known as a 'man in the middle' attack, Times Online saw information changing hands about how security at wi-fi hotspots of which there are now more than 10,000 in the UK can be bypassed.

During one exchange in a forum entitled 'T-Mobile or Starbucks hotspot', a user named aarona567 asks: "will a man in the middle type attack prove effective? Any input/suggestions greatly appreciated?"

"It's easy," a poster called 'itseme' replies, before giving details about how the fake network should be set up. "Works very well," he continues. "The only problem is, that its very slow ~3-4 Kb/s...."

Another participant, called 'baalpeteor', says: "I am now able to tunnel my way around public hotspot logins...It works GREAT. The dns method now seems to work pass starbucks login."

Now, the last paragraph is something else: it refers to the ability to tunnel through DNS to get uncontrolled access to the net. This is typically possible if you run your own DNS server and install some patches and such. This is useful, and economically sensible for anyone to do, although technically it may be infringing behaviour to gain access to the net from someone else's infrastructure (laws and attitudes vary...).
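Tunnelling over DNS leaves a recognisable trace in the resolver's query log, which is where a hotspot operator's time is better spent than on chatroom gossip. The following is an added example, not code from the original post: it scores a constructed batch of DNS queries for traits tunnelled traffic tends to have (long names, high-entropy subdomain labels, record types that carry arbitrary payload) and flags client/domain pairs that repeatedly score high. The sample queries, thresholds and the crude registered-domain split are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample resolver log: (client_ip, query_name, query_type).
# 10.0.0.7 is the hypothetical tunnelling client; the others are benign.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "mail.example.com", "A"),
    ("10.0.0.7", "a3f9c2e1b7d4e5f6a7b8c9d0.k8s0q1x.tun.example.net", "TXT"),
    ("10.0.0.7", "9e1d77b0cc4a5f6e7d8c9b0a.m2p9r7z.tun.example.net", "TXT"),
    ("10.0.0.7", "5b8e0a1f33c9d4e5f6a7b8c9.z4t1v6w.tun.example.net", "TXT"),
    ("10.0.0.7", "7c2a4d9e11f0b3c4d5e6f7a8.q9s3u8y.tun.example.net", "TXT"),
    ("10.0.0.9", "cdn.example.org", "A"),
]

def shannon_entropy(s):
    """Bits per character; encoded payload labels score well above plain words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname):
    # Assumption: last two labels. Production code should use the public suffix list.
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def score_query(qname, qtype, max_len=40, max_entropy=3.5):
    """0..3: one point each for unusual length, high-entropy subdomain, payload-friendly type."""
    labels = qname.lower().rstrip(".").split(".")
    subdomain = "".join(labels[:-2])
    score = 0
    if len(qname) > max_len:
        score += 1
    if subdomain and shannon_entropy(subdomain) > max_entropy:
        score += 1
    if qtype in ("TXT", "NULL", "CNAME"):
        score += 1
    return score

def find_tunnel_candidates(queries, min_queries=3, min_avg_score=2):
    """Return sorted (client, domain) pairs whose queries repeatedly look like tunnel traffic."""
    per_pair = defaultdict(list)
    for client, qname, qtype in queries:
        per_pair[(client, registered_domain(qname))].append(score_query(qname, qtype))
    return sorted(pair for pair, scores in per_pair.items()
                  if len(scores) >= min_queries and sum(scores) / len(scores) >= min_avg_score)
```

Requiring several high-scoring queries per client/domain pair keeps a single odd CDN lookup from raising an alert; the volume is the tell, since tunnelling needs many queries to move any data.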

So where's the evidence of the MITM? Guys talking about something isn't the same as doing it (and the penultimate paragraph seems to be talking about DNS tunnelling as well). People have been demoing this sort of stuff at conferences for decades ... we know it is possible. What we also know is that it is not a good use of your valuable time as a crim. People who do this sort of thing for a living search for techniques that give low visibility and high gathering capability. Broadcasting in order to steal a single username and password fails on both counts.

If we were scientists, or risk-based security scholars, what we need is evidence that they did the MITM *and* they committed a theft in so doing it. Only then can we know enough to allocate the resources to solving the problem.

To wrap up, here is some *credible* news that indicates how to economically attack users:

Pump and dump fraudsters targeting hotels and Internet cafes, says FBI

Cyber crooks are installing key-logging malware on public computers located in hotels and Internet cafes in order to steal log-in details that are used to hack into and hijack online brokerage accounts to conduct pump and dump scams.

The US Federal Bureau of Investigation (FBI) has found that online fraudsters are targeting unsuspecting hotel guests and users of Internet cafes.

When investors use the public computers to check portfolios or make a trade, fraudsters are able to capture usernames and passwords. Funds are then looted from the brokerage accounts and used to drive up the prices of stocks the fraudsters had bought earlier. The stock is then sold at a profit.

In an interview with Bloomberg reporters, Shawn Henry, deputy assistant director of the FBI's cyber division, said people wouldn't think twice about using a computer in an Internet cafe or business centre in a hotel, but he warns investors not to use computers they don't know are secure.

Why is this credible, and the other one not? Because the crim is not sitting there with his equipment -- he's using the public computer to do all the dangerous work.

Posted by iang at May 8, 2007 02:18 PM | TrackBack
Comments

one of the issues is that the professional attackers, in it for the money ... don't divulge anything ... or go around advertising ... not like the kids that frequently are after the bragging rights.

a lot of the defenders ... when they do find a serious attack ... seem to be quite motivated not to advertise it also.

this is one of the issues behind the early cal. security breach notification legislation ... that institutions weren't making it public ... even after they found out about it.

when we were called in to help word-smith the cal. electronic signature legislation ...
http://www.garlic.com/~lynn/subpubkey.html#signature

we also happen to observe some of the stuff going on around the disclosure legislation. Since then, federal legislation has been see-sawing back and forth between something the equivalent of the cal. state legislation and a federal "pre-emption" bill (nullifying state statutes) more along the lines of some of the "CAN-SPAM" characteristics.

some recent posts mentioning the subject:
http://www.garlic.com/~lynn/2007f.html#72 Securing financial transactions a high priority for 2007
http://www.garlic.com/~lynn/2007g.html#8 Securing financial transactions a high priority for 2007
http://www.garlic.com/~lynn/2007g.html#55 IBM to the PCM market(the sky is falling!!!the sky is falling!!)
http://www.garlic.com/~lynn/2007i.html#40 Best practices for software delivery
http://www.garlic.com/~lynn/2007i.html#58 John W. Backus, 82, Fortran developer, dies

other posts mentioning MITM-attacks
http://www.garlic.com/~lynn/subintegrity.html#mitm

many of the public wireless operations ... have bootp/dhcp setup for client configuration (DNS server, ip-gateway, ip-address, etc) for initial contact that directs all the client's traffic to a special server ... which pre-empts everything until some sort of authentication is performed.

After the initial authentication ... then the client will get normal configuration update for standard internet operation, DNS server, ip-gateway, etc.

So are we talking about an attacker being able to force standard internet operation configuration (DNS server, ip-gateway, etc) w/o having to first authenticate handshake with the initial server?

Other attacks can be more serious, attempting to harvest information (eavesdropping, mitm reroute, etc) that can be used in replay attacks (userid/passwords, account numbers, etc).

minor recent news item

Cyber-thieves 'richer than drug dealers'
http://www.computing.co.uk/vnunet/news/2189322/cyber-thieves-richer-drug
Cyber-thieves 'richer than drug dealers'
http://www.vnunet.com/vnunet/news/2189322/cyber-thieves-richer-drug

which somewhat complements some past articles about cyber crime now involving more money than drug crime.

Posted by: Lynn Wheeler at May 8, 2007 03:08 PM