
How likely are "Man in the Middle" attacks in internet security?

What actual machines, apart from ISP servers, are going to be "in the middle" of internet communications?

What are the actual risks associated with MITM attacks, as opposed to the theoretical risks?

EDIT: I am not interested in wireless access points in this question. They need to be secured of course but this is obvious. Wireless access points are unique in that communications are broadcast for everyone to hear. Normal wired internet communications are routed to their destination - only machines in the route will see the traffic.

CJ7
  • Theoretical risks and real risks are generally the same thing when you're talking about IT security – Mark Henderson Jun 20 '10 at 10:31
  • Farseeker x2, it's theoretical today, tomorrow it's real. That's the difference. – Chris S Jun 20 '10 at 15:01
  • @Farseeker: the difference is that the theoretical risk involves a scenario that may be highly unlikely in the real world. While it is possible that a machine in the middle can decrypt internet packets, one must ask: when is there ever going to be a machine in the middle that would do this? – CJ7 Jun 21 '10 at 00:34
  • @Craig - the thing with IT exploits is that someone can do them from their bedroom 10,000 kilometers away from the target. This gives a sense of security for the perpetrator that say, breaking into a bank doesn't provide. Thus, if it's theoretically possible then someone is going to try it, somewhere, and one day it'll be your turn to receive this theoretical attempt. Thus "Highly Unlikely" doesn't really exist. MITM is a bit of an edge case though because it does require inside knowledge of the network, and often physical access... – Mark Henderson Jun 21 '10 at 00:51
  • @Farseeker: but it still requires a rogue machine to be in the middle of communications. Unless you have a rogue ISP, what machine is it going to be? – CJ7 Jun 21 '10 at 00:58
  • If I had ill-intent my first point of call would be inserting something right before the gateway of my organisation – Mark Henderson Jun 21 '10 at 01:06
  • @Farseeker: How are you going to do this? – CJ7 Jun 21 '10 at 01:10
  • Farseeker, plenty of exploits are never tried against targets. I think you widely overestimate the number of actively working computer hackers ("crackers" for the pre-1990s hippy mystique). AV firms may have you believe the number to be in the millions; in reality, it probably rarely tops 10k at any given moment. If even. – zetavolt Jun 21 '10 at 01:14
  • @Zephyr: Even small numbers of hackers focused intently on small numbers of targets can do significant damage. I'm looking at you Chi...er..."Fred". It's not necessarily the numbers that make the difference, it's the motivation. – Dennis Williamson Jun 21 '10 at 02:24
  • @Craig, well, let's say I'm a disgruntled sysadmin who's been fired for jerking off at work (this happened at my workplace). Within my 4 weeks notice, I'm going to go into the server room with a Small Form Factor machine and hide it somewhere and put it on the network and configure it (maybe ARP poisoning? I haven't done much research into MITM - this did not happen at my work). – Mark Henderson Jun 21 '10 at 02:36
  • @Farseeker: a disgruntled sysadmin can go into the database and print off private data, put it in his briefcase and take it home with him. How are you going to stop this? This is hardly a MITM issue. He is inside the organisation! – CJ7 Jun 21 '10 at 02:41
  • @Craig, my point is that any theoretical attack can be an actual attack if you've got the wrong person in the right position, but this isn't really adding value to the question, so I'll just let it be ;) P.S. do people still carry briefcases? – Mark Henderson Jun 21 '10 at 02:59
  • @Dennis - The premise that Farseeker has espoused implies that many hackers are trying all manner of attacks, as well known or theoretical as they may be, on many different types of systems in the world; this simply is not the case. Talented attackers are capable of significant things; this firstly doesn't imply they are behind all significant things, nor are they capable of all significant things. – zetavolt Jun 21 '10 at 04:23
  • @Farseeker - I have a backpack I carry at work. – Bart Silverstrim Jun 21 '10 at 10:11
  • Also threats are becoming more blended and sophisticated. Having been in tech for a couple decades, I've seen virus attacks mutate from things that were clever ways to torture noobs that publicized their presence with poems, alarms, animations, etc. to stealthy interceptors of passwords and traffic redirectors that turn your system into zombies. Malware has evolved much like other areas of security. – Bart Silverstrim Jun 21 '10 at 10:20
  • See also [Are "man in the middle" attacks extremely rare?](http://security.stackexchange.com/q/12041) on [security.se] – Gilles 'SO- stop being evil' Feb 22 '12 at 20:56

7 Answers

First, let's talk Border Gateway Protocol. The internet is composed of thousands of endpoints known as ASes (Autonomous Systems), and they route data with a protocol known as BGP (Border Gateway Protocol). In recent years the size of the BGP routing table has been exponentially increasing in size, breaking well over 100,000 entries. Even with routing hardware increasing in power, it is barely able to keep the pace with the ever-expanding size of the BGP routing table.

The tricky part in our MITM scenario is that BGP implicitly trusts routes that other autonomous systems provide it, which means that, with enough spamming from an AS, any route can lead to any autonomous system. It is the most obvious way to MITM traffic, and it's not just theoretical - Defcon security convention's site was redirected to a security researcher's website in 2007 to demonstrate the attack. YouTube was down in several Asian countries when Pakistan censored the site and mistakenly declared its own (dead) route the best for several ASes outside of Pakistan.

A handful of academic groups collect BGP routing information from cooperating ASes to monitor BGP updates that change traffic paths. But without context, it can be difficult to distinguish a legitimate change from a malicious hijacking. Traffic paths change all the time to cope with natural disasters, company mergers, etc.

Next to discuss on the 'Global MITM attack vectors' list is Domain Name System (DNS).

Although ISC's fine DNS server BIND has stood the test of time and come out relatively unscathed (as have Microsoft and Cisco's DNS offerings), a few notable vulnerabilities have been found that could potentially jeopardize all traffic using canonicalized names on the internet (i.e. practically all traffic).

I won't even bother discussing Dan Kaminsky's research into the DNS cache poisoning attack, as it has been beaten to death elsewhere, only to be awarded 'most overhyped bug ever' by Blackhat - Las Vegas. However, several other DNS bugs exist that have severely compromised internet security.

The Dynamic Update Zone Bug crashed DNS servers and had the potential to remotely compromise machines and DNS caches.

The Transaction Signatures Bug allowed for full remote root compromise of any server running BIND at the time the vulnerability was announced, obviously allowing DNS entries to be compromised.

Finally, we must discuss ARP Poisoning, 802.11q Retracing, STP-Trunk Hijacking, RIPv1 routing information injection and the slew of attacks for OSPF networks.

These attacks are the 'familiars' to a network admin for an independent company (rightfully so, considering these may be the only ones they have control over). Discussing the technical details of each of these attacks is slightly boring at this stage, as everyone who is familiar with basic information security or TCP has learned ARP Poisoning. The other attacks are likely a familiar face to many network admins or server security aficionados. If these are your concern, there are plenty of very good network defense utilities that exist, ranging from Free and Open Source utilities like Snort to the enterprise level software from Cisco and HP. Alternatively, many informative books cover these topics, too numerous to discuss, but several I've found helpful in the pursuit of network security include The Tao of Network Security Monitoring, Network Security Architectures, and the classic Network Warrior.

In any case, I find it somewhat disturbing that people assume that these sort of attacks require ISP or Government level access. They require no more than the average CCIE has in networking knowledge and the appropriate tools (i.e. HPING and Netcat, not exactly theoretical tools). Stay vigilant if you want to stay secure.

gkrogers
zetavolt
  • @Zephyr: but this is not MITM. Redirection of routing or DNS means that the traffic goes directly to the hacker. – CJ7 Jun 21 '10 at 01:18
  • Sure it is. You think that you're going to https://bank.example.com, and instead you're going to some other site that is proxying or masquerading as your intended destination. If you don't think that is a MITM attack, you don't understand what MITM is. – duffbeer703 Jun 21 '10 at 01:55
  • @duffbeer: and how is the malicious site going to communicate with the genuine destination if the DNS or routings are messed up? – CJ7 Jun 21 '10 at 03:07
  • Well, as far as DNS is concerned, semi-obviously you could just send the packets to the ACTUAL IP of the site you are attempting to reach. And it is possible to do things like rapidly switch between the connect and active states for BGP whilst sending out the REAL BGP routes. Or, if, like most of the internet, there exists an alternate route to your host besides the route you poisoned, you could specify that as a routing parameter. However, it's great that you are interested in this, Craig. Security is quite a field; when you think you've got something sorted, something else pops up. – zetavolt Jun 21 '10 at 04:30
  • @zephyr: so the answer for DNS poisoning is to use IP addresses instead of domain names? As for the routing issue, how would the packets get back and forth if the routing's been changed? Sure you could redirect traffic but how could traffic be sent on to the genuine destination and then back again if the routing for that destination has been changed? – CJ7 Jun 21 '10 at 09:51
  • I think there is no practical answer to DNS poisoning other than verification methods that the site is who it claims to be (like those SSL warnings that people ignore) and common sense (why is this site asking for my banking information?) and caution (That's funny, why's this email asking me to reset a password to an account I don't remember having?). – Bart Silverstrim Jun 21 '10 at 09:54
  • To answer your other question about DNS issues, I think you might be missing how the steps work. The attacker knows the proper destination and acts as a proxy for you. You think you're talking to C, when in reality traffic flows A<->B<->C, not the A<->C you think it is. YOUR routing information is compromised. The attacker has the correct data, or is using a DNS server that isn't compromised. – Bart Silverstrim Jun 21 '10 at 09:55
  • You can test some of the principles yourself with a Linux system on your network. Set it to forward packets like a gateway. Use ARP poisoning tools to redirect traffic invisibly against a particular host (or your whole network if you want). Then start sniffing the traffic flow. We've used it to recover passwords for mail server accounts for people. – Bart Silverstrim Jun 21 '10 at 09:58
  • Your initial question was asking how likely these things are. Truth is that it exists, it happens via angry employees, people screwing with access points, maybe disgruntled ISPs, etc. Chances are high that if it happens you'll never know it or only stumble upon it without knowing how long it has happened. – Bart Silverstrim Jun 21 '10 at 10:00
  • Now you're asking specifics on how to do it, or the mechanisms of how it works. Since it's going off topic, you should probably narrow it down to sets of specific questions and ask them separately, because network security is a HUGE topic unto itself. There are several tomes dedicated to it at brick and mortar bookstores and Amazon if you're interested in researching it, because people here will try to help but the books will flesh it out for you far better than people here could dedicate to explaining. – Bart Silverstrim Jun 21 '10 at 10:01
  • When you read a couple of the books you'll see why it's a whole field unto itself. You may even become a little more paranoid about security, or you'll write it off as a bunch of hooey. At the end of the day it's about risk management, how much you're willing to risk exposing versus how much of a PITA you want to make using your network for yourself and your users. – Bart Silverstrim Jun 21 '10 at 10:03
  • If you're being TARGETED for an attack (do you work for a bank? Government entity? Google? Pissed off your wanna-be script kiddie neighbor kid?), there are a myriad ways to mess with you and your network. Your network printer could even be infiltrated with the proper attack to in turn spy on your network traffic. It's crazy. Likely? No. Possible? Let's put it this way...there's a tool you can use with a linux laptop to tap into newer cars on the freeway and play back sound clips through people's bluetooth transceivers in the car. Likely? No. Possible? It's been done and posted online for fun. – Bart Silverstrim Jun 21 '10 at 10:05
  • If you want to truly get schooled, and probably have to reformat your laptop after getting said education, go to Defcon one year. I'd love to go there but I'd leave my tech miles away while I'm there. It's @#% crazy but you'll get first hand lessons on security and just how insecure you are on a network. – Bart Silverstrim Jun 21 '10 at 10:07
  • Again, the question of likelihood has been answered. Since most attacks, including MITM, can be automated with malware and worms, it can happen without specifically targeting you. It's low risk that someone is going to target John P. Public, but it can happen from automated attacks similar to your hobby website getting probed for vulnerabilities to become a warez zombie. For specifics and scenarios, you really want to ask new questions individually from this, or grab some nice books to flesh it out and come here for clarifications. – Bart Silverstrim Jun 21 '10 at 10:09
  • @bart: with respect you seem to be conflating DNS with routing. If my DNS server is compromised I can avoid this risk by using IP addresses. I accept that if I don't know the IP address I am out of options. As for routing, my question remains: if the routing tables are changed, how will the packets ever get to the genuine destination? – CJ7 Jun 21 '10 at 10:26
  • @Craig - You're missing the picture. MITM involves inserting an agent between your target and their destination. Whether it's routing or DNS or whatever else you want; these attacks aren't like movies where you tap a button marked MITM and crack the code. It's a means to an end, and is part of a blended attack. – Bart Silverstrim Jun 21 '10 at 11:35
  • And I answered your question about packets getting to the proper destination. The attacker system *knows* the proper route. It's telling your system that it's the "correct" site, then forwards them like a proxy, sending your requests on your behalf, then replies back. That's the whole "in the middle" part. YOUR machine is duped and doesn't know what's going on. It's like an in-joke that your system is left out of the loop on. – Bart Silverstrim Jun 21 '10 at 11:37
  • It's like you want to send a letter to your bank, and I represent myself as a representative and give you the address of the bank's corporate office. Instead it's my home address. I get your letter, open it, edit out the bad parts, insert some stuff about how I need to transfer money to my own address, then reseal the envelope and forward it to the correct address. They reply, it comes to me, I remove the parts about my theft, reseal the envelope and forward it to you. – Bart Silverstrim Jun 21 '10 at 11:42
  • You're talking to a middleman that I control when there's a MITM attack. The middleman handles the "correct" routing for your system without ever telling your system. That's the point of the attack. Your system will never know the correct route, they're being proxied. – Bart Silverstrim Jun 21 '10 at 11:45
  • Same with DNS. Someone else is spoofing it to act as a middleman to insert themselves in between you and your destination. I guess the answer to your question is that the attacker is sending the packets to the correct destination for you. – Bart Silverstrim Jun 21 '10 at 11:46
  • Again, there are books that illustrate these concepts better than can probably be done here. – Bart Silverstrim Jun 21 '10 at 11:46
  • @Craig, you cannot necessarily avoid this risk by using IPs alone. Consider the fact that when you send a frame over the network, **OTHER** networks must route it. Many Cisco routers refer to hosts outside their local network by their FQDN (i.e. router33.example.com). A sufficiently advanced attacker could compromise the DNS of that host and compromise you yourself. – zetavolt Jun 21 '10 at 13:53
  • @Zephyr: explain how a compromised DNS (not routing) can affect me if I am using IP addresses? As for routing, you still need to explain how if the routing is compromised the genuine destination can be reached. – CJ7 Jun 22 '10 at 02:36
  • OK, say you, sitting in my netblock at 209.85.1.1 for example, send a message to Google.com. You, wanting to find the hops between you and Google.com, do a tracert - you would see that 9 hops in you are at ae-2-2.ebr2.Dallas1.Level3.net. Now, at that point (I'm assuming compromise of several DNS servers at this point on behalf of the attacker), when that router sees that it needs to send information out Interface X to iy-in-f99.1e100.net in order to be appropriately routed, how does it find the IP address? You guessed it. – zetavolt Jun 22 '10 at 05:25
  • @zephyr: the output from tracert will resolve IP addresses to names if it can, however this is no indication that the DNS is used in the routing. When have you ever seen an IP packet containing FQDNs inside it? – CJ7 Jun 22 '10 at 10:54
  • Yes, working with Cisco all day you see it resolve other routers' DNS names to IPs. – zetavolt Jun 22 '10 at 14:11
  • @Zephyr: so routing tables include FQDNs? – CJ7 Jun 23 '10 at 00:35
  • @zephyr: how do you know this? Are you looking at tracert output? Because as I mentioned, tracert resolves IP addresses to names where possible. – CJ7 Jun 23 '10 at 03:35
  • @zephyr: are you still saying that routing tables contain FQDNs? – CJ7 Jun 24 '10 at 02:26
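The BGP monitoring this answer describes (collect updates, then try to tell a legitimate path change from a hijack) comes down to comparing each announcement against a baseline of who is expected to originate the prefix. Added example, not code from this thread or from any of the monitoring projects the answer alludes to: it classifies a constructed update stream, and it singles out a more-specific prefix announced by a foreign ASN as the strongest signal, because the longest match wins everywhere and the YouTube outage the answer mentions was exactly that, a /24 announced from inside YouTube's /22. All prefixes and ASNs are constructed from documentation ranges, and the verdicts are only as good as the baseline, which is the hard part the answer points at.

```python
"""Flag suspicious BGP announcements against a baseline of expected origins."""
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed baseline: prefix -> ASNs allowed to originate it.
# 198.51.100.0/24 is multi-homed in this toy network, so two origins are fine.
BASELINE: Dict[str, Set[int]] = {
    "203.0.113.0/24": {64496},
    "198.51.100.0/24": {64497, 64498},
}

# Constructed update stream: (prefix, AS_PATH as seen by the collector).
# By BGP convention the origin AS is the last element of the path.
UPDATES: List[Tuple[str, Tuple[int, ...]]] = [
    ("203.0.113.0/24", (64500, 64496)),    # normal announcement
    ("203.0.113.0/24", (64500, 64511)),    # same prefix, foreign origin
    ("203.0.113.0/25", (64500, 64511)),    # more-specific from a foreign origin
    ("203.0.113.128/25", (64500, 64496)),  # owner splitting its own block
    ("198.51.100.0/24", (64501, 64498)),   # second legitimate origin
    ("192.0.2.0/24", (64500, 64499)),      # nothing in the baseline covers it
]


def classify(prefix: str, as_path: Tuple[int, ...],
             baseline: Dict[str, Set[int]] = BASELINE) -> str:
    """Return a verdict for one announcement.

    ok                    origin matches the baseline for this exact prefix
    origin-change         exact prefix, but originated by an unexpected ASN
    more-specific-own     sub-prefix announced by an owner of the covering block
    more-specific-hijack  sub-prefix announced by a foreign ASN; longest match
                          wins, so this diverts traffic from every AS that hears it
    unknown-prefix        nothing in the baseline covers it (needs a human look)
    """
    if not as_path:
        return "empty-path"
    origin = as_path[-1]
    net = ipaddress.ip_network(prefix, strict=True)
    owners = baseline.get(str(net))
    if owners is not None:
        return "ok" if origin in owners else "origin-change"
    # No exact entry: look for a covering (less specific) baseline prefix.
    for parent_str, parent_owners in baseline.items():
        parent = ipaddress.ip_network(parent_str)
        if net.version == parent.version and net.subnet_of(parent):
            if origin in parent_owners:
                return "more-specific-own"
            return "more-specific-hijack"
    return "unknown-prefix"


def audit(updates=UPDATES, baseline=BASELINE) -> List[Tuple[str, int, str]]:
    """Classify every update; returns (prefix, origin, verdict) triples."""
    return [(p, path[-1], classify(p, path, baseline))
            for p, path in updates if path]


def alerts(updates=UPDATES, baseline=BASELINE) -> List[Tuple[str, int, str]]:
    """Only the verdicts an operator should act on."""
    return [row for row in audit(updates, baseline)
            if row[2] in ("origin-change", "more-specific-hijack")]


if __name__ == "__main__":
    for prefix, origin, verdict in audit():
        print(f"{prefix:18} AS{origin:<6} {verdict}")
```

A real deployment would feed this from a route collector (RIPE RIS or RouteViews dumps) and seed the baseline from RPKI ROAs or IRR route objects rather than a hand-written dictionary.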

Here's one MITM scenario that concerns me:

Let's say there's a big convention at a hotel. ACME Anvils and Terrific TNT are major competitors in the cartoon danger industry. Someone with a vested interest in their products, especially new ones in development, would seriously love to get his paws on their plans. We'll call him WC to protect his privacy.

WC checks in at Famous Hotel early in order to give him some time to set up. He discovers that the hotel has wifi access points called FamousHotel-1 through FamousHotel-5. So he sets up an access point and calls it FamousHotel-6 so it blends into the landscape and bridges it to one of the other APs.

Now, the conventioneers start to check in. It just so happens that one of the biggest customers of both companies, we'll call him RR, checks in and gets a room near WC's. He sets up his laptop and starts exchanging emails with his suppliers.

WC is cackling maniacally! "My devious plan is working!", he exclaims. BOOM! CRASH! Simultaneously, he's hit by an anvil and a bundle of TNT. It seems the security teams of ACME Anvils, Terrific TNT, RR and Famous Hotel were working together anticipating this very attack.

Beep beep!

Edit:

How timely*: Travel tip: Beware of airport wi-fi "honeypots"

* Well, it was timely that it just showed up in my RSS feed.

Dennis Williamson
  • OK, but isn't wireless a whole different ball game? Perhaps I should have confined my question to wired connections. – CJ7 Jun 20 '10 at 14:53
  • @Craig: The point is the same. It's most likely that someone is on your local network listening, wireless or wired. Finding a MitM on the Internet basically isn't going to happen. – Chris S Jun 20 '10 at 14:59
  • +1 for ACME Anvils and Terrific TNT – Fahad Sadah Jun 20 '10 at 16:05
  • @Chris: How is someone going to be on my local network if there is no wireless access point? Malware on one of the machines? If so, how is the data going to be sent out of the network to the hacker? – CJ7 Jun 20 '10 at 23:44
  • @Craig: Bad actors (malicious employees, competitors, etc), employees installing rogue access points, etc. – duffbeer703 Jun 21 '10 at 02:02
  • As duff said, there's plenty of potentials on your network; everything from malware to people you don't know are working against you. How would they get it out? I'd start with POSTing to a HTTP server, most organizations would let that out. Regardless, if you have critical sensitive data that you need to ensure nobody but the intended recipient ever sees, you need something that isn't susceptible to MitM attacks. Fortunately most data isn't that sensitive. – Chris S Jun 21 '10 at 02:10
  • @chris: so that is a malware issue then, not MITM. Malware means that someone is already on your network. They're not in the middle, they've already infiltrated your site! Same with rogue employees etc. – CJ7 Jun 21 '10 at 02:23
  • @duffbeer: ok, wireless is not what I'm talking about, as I said. And in any case, if you have 'bad actors' then they've already infiltrated your site - they're not in the middle. – CJ7 Jun 21 '10 at 02:25
  • One thing to remember is that wired networks are wireless, too, if you want the information badly enough. Fiber is only an improvement. See [TEMPEST](http://en.wikipedia.org/wiki/TEMPEST), but that's off the topic of MITM. – Dennis Williamson Jun 21 '10 at 02:37
  • @Dennis: do you mean satellites? Are you worried about someone intercepting satellite signals? – CJ7 Jun 21 '10 at 03:18
  • @Craig: No, read the article I linked to. You can eavesdrop on the EMF that emanates from PC circuitry, keyboards, monitors, network wiring, etc. If it's got wires, it can be eavesdropped on wirelessly given sufficient motivation. – Dennis Williamson Jun 21 '10 at 03:29
  • @Dennis: no disrespect but I think this is going a bit far! Going back to your answer, your scenario is the same as someone going to a bogus web address - eg. server_fault.com (note the underscore). This is not the risk of MITM that people are concerned about. Clearly if you go to the wrong site you are in for some trouble, but what can anyone do about this? – CJ7 Jun 21 '10 at 04:26
  • @Craig, I think, suffice to say, the threat is real, but with a relatively peaceful global political climate (I say relatively in relationship to, say, World War 2), it's unlikely that any actors will take advantage of this scenario. – zetavolt Jun 21 '10 at 04:32
  • @Craig: Sure, my little parable is rather simplistic in that the attacker could simply sniff the wifi traffic passively using Wireshark. But by inserting himself as an intermediary in the traffic flow he could make it appear that he's a legitimate participant and prompt for and then pass along authentication information. Having captured this, he could then access the target system at will. – Dennis Williamson Jun 21 '10 at 08:47
  • @Dennis: Yes but this is still no different to someone going to an incorrect web address. There's no way to stop this. As for sniffing the wifi traffic, yes, that's why wireless is a different ball game. How could you do this type of sniffing on the internet when packets are routed to their destination - only machines on the route will see the packets. Wireless, however, allows other people to see the packets. That is the difference. – CJ7 Jun 21 '10 at 09:46
  • @Craig: You're absolutely right, MITM attacks don't exist. Don't worry about it, we're just a bunch of paranoid nerds hiding from the NSA. – duffbeer703 Jun 21 '10 at 18:11
  • @duffbeer: that is a pointless comment. – CJ7 Jun 23 '10 at 03:39
  • That's why you create a VPN connection first when connecting to any public access point. – OliverS Feb 23 '12 at 09:15

It's entirely dependent on the situation. How much do you trust your ISP? How much do you know about your ISP's configuration? And how secure is your own setup?

Most "attacks" like this now are very likely with trojan malware intercepting keystrokes and passwords from files. Happens all the time, just that it doesn't get noticed or reported so much.

And how often does information get leaked inside the ISP level? When I worked for a small ISP, we were reselling another higher tier of access. So a person that dialed into us came into our network, and if you weren't talking to our web server or mail server, traffic went to a higher tier provider, and we had no idea who did what with your data in their network, or how trustworthy their admins were.

If you want to know how many spots someone could "potentially" see your traffic do a traceroute and you'll see as much as will respond at each routing point. That's assuming cloaked devices aren't in between some of those. And that those devices are each actually routers and not something masquerading as routers.

The thing is that you can't know how prevalent the attacks are. There aren't any regulations saying companies have to disclose attacks that are discovered unless your credit information is compromised. Most companies don't because it's embarrassing (or too much work). With the amount of malware floating out there, it's probably far more prevalent than you'd think, and even then the key is to have discovered the attack. When the malware works properly, most users wouldn't know when it happens. And the actual person-who-gets-miffed-and-snoops-traffic-at-a-provider scenarios are the ones that companies don't report unless they have to.

Of course these ignore the scenarios where companies are compelled to keep records of your traffic and disclose them to government agencies without telling you. If you're in the US, thanks to the Patriot Act, libraries and ISPs can be compelled to record your data travels and emails and browsing history without telling you that they're collecting information on you.

In other words, there is no hard data on how prevalent MITM and interception attacks are on users, but there's evidence that would suggest it's higher than would be comfortable, and most users don't care enough to get that information.

Bart Silverstrim

The real question is "how much of my limited resourcing should I devote to MITM attacks instead of elsewhere?"

This depends a lot on the nature of the communications involved, and has no single answer. In my experience it's not a big risk relative to other security risks, but it's usually a cheap one to minimize (e.g.: an SSL certificate and using HTTPS is often enough) so it is cheaper to fix than spend the time evaluating how much of a risk it could be.

DrStalker
  • HTTPS or SSL does not protect you against MITM. Simply, I act as the user agent to the intended target, receiving the cert and decrypting, while I simply re-encrypt with a new cert, assuming I can find a willing root CA. – YoYo Jun 16 '19 at 02:20

Do you have a wireless access point at home? A proxy server at work?

Either of those ingress/egress points can be compromised without some vast government/ISP conspiracy. It's also possible for components of an ISP's infrastructure to be compromised.

Do you use a web browser? It's pretty trivial to configure a browser to direct traffic to a man in the middle. There has been browser malware that re-routed certain banking and brokerage transactions using this method, particularly for small businesses with wire privileges.

Security is about risk management... there are two basic attributes to how you approach dealing with a risk: probability of occurrence and impact. The actual probability of you getting into a serious car accident is very low, but the impact to your personal safety is high, so you buckle your seatbelt and put your infant in a car seat.

When people get lazy and/or cheap, disaster is often the result. In the Gulf of Mexico, BP ignored all sorts of risk factors because they believed that they transferred risk to contractors, and figured that they had drilled enough wells without incident, so the probability of an incident was very low.

duffbeer703
  • Wish I could upvote this > 1. I have no problem with people taking these kinds of calculated risks with their **own** data, but disregarding things like MITM when **others'** data is on the line -- be it customers, patients, or whatever -- is lamentable (and far too common). You can't be expected to anticipate every attack vector or scenario, but a layered, defense-in-depth approach to mitigation and risk management is essential. – nedm Jun 21 '10 at 06:29

MitM attacks are pretty much exclusively encountered in the local network. Tapping into a connection across the internet requires either ISP or Government level access - and it's very rare that anyone with that level of resources is going after your data.

Once someone gets into your network, then you've got serious problems, but outside of that, you're probably fine.

Dentrasi
  • Not true. Look at Zephyr's post. – duffbeer703 Jun 21 '10 at 01:57
  • @duffbeer: see my comments to zephyr's post – CJ7 Jun 21 '10 at 03:12
  • MITM is anything inserted between the source and destination. It can be local network, or at the ISP, anywhere in between. How do you know that someone at your destination or at the transport doesn't want your information? There are police who have abused their information to stalk people. Common? No. But do you really know who has or hasn't abused their power and was never discovered? – Bart Silverstrim Jun 21 '10 at 10:28
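Dentrasi's local-network point is also where a defender can look cheaply: on a LAN the usual way to get "in the middle" is the ARP poisoning named in zetavolt's answer, and it leaves a visible trace in ARP traffic. Added example, not code from this thread: an arpwatch-style check run over a constructed capture in the style of tcpdump's ARP output, flagging an IP whose MAC changes (rated highest when it is the gateway) and a MAC that answers for several IPs, which is what a poisoner does when it impersonates both ends. The gateway address and every MAC below are made up.

```python
"""Spot ARP cache poisoning from captured ARP replies (constructed sample)."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

GATEWAY_IP = "192.168.1.1"  # assumption for the constructed network

# Constructed capture in the style of `tcpdump -n arp` output. Lines 4 and 5
# are the poisoner (bb:99) claiming both the gateway and a client address.
SAMPLE_CAPTURE = """\
10:00:01.000 ARP, Reply 192.168.1.1 is-at 00:11:22:aa:bb:01, length 28
10:00:02.000 ARP, Reply 192.168.1.20 is-at 00:11:22:aa:bb:20, length 28
10:00:05.000 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
10:00:05.100 ARP, Reply 192.168.1.1 is-at 00:11:22:aa:bb:99, length 28
10:00:05.200 ARP, Reply 192.168.1.20 is-at 00:11:22:aa:bb:99, length 28
10:00:09.000 ARP, Reply 192.168.1.30 is-at 00:11:22:aa:bb:30, length 28
"""

REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

Reply = Tuple[str, str, str]  # (timestamp, ip, mac)


def parse_replies(capture: str) -> List[Reply]:
    """Extract (timestamp, ip, mac) from ARP reply lines; requests are ignored."""
    out: List[Reply] = []
    for line in capture.splitlines():
        m = REPLY_RE.match(line)
        if m:
            out.append((m["ts"], m["ip"], m["mac"].lower()))
    return out


def mac_changes(replies: List[Reply], gateway_ip: str = GATEWAY_IP
                ) -> List[Tuple[str, str, str, str, str]]:
    """Alert on every reply whose MAC differs from the first one learned for that IP.

    The first-seen mapping is kept as the baseline (not overwritten), so a
    poisoner that keeps re-asserting itself produces one alert per reply.
    """
    learned: Dict[str, str] = {}
    alerts = []
    for ts, ip, mac in replies:
        prev = learned.setdefault(ip, mac)  # returns existing MAC if already known
        if prev != mac:
            severity = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append((ts, ip, prev, mac, severity))
    return alerts


def multi_ip_macs(replies: List[Reply]) -> Dict[str, List[str]]:
    """MACs that answered for more than one IP: the classic poisoner signature."""
    claims: Dict[str, Set[str]] = defaultdict(set)
    for _, ip, mac in replies:
        claims[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}


if __name__ == "__main__":
    replies = parse_replies(SAMPLE_CAPTURE)
    for ts, ip, old, new, sev in mac_changes(replies):
        print(f"{sev}: {ts} {ip} changed {old} -> {new}")
    for mac, ips in multi_ip_macs(replies).items():
        print(f"MAC {mac} answered for {', '.join(ips)}")
```

Static ARP entries for the gateway on critical hosts, or Dynamic ARP Inspection on managed switches, are the usual mitigations once this kind of alert shows up.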

@Craig: In your edit you have some misinformation. Wireless networking is not broadcast based. The data being transmitted in a wireless communication session (between wireless client and wireless access point) is not "broadcast" for everyone to hear. The wireless client associates with the AP and communication occurs between said client and AP. If you meant that the data is being broadcast because it's encapsulated in a radio signal that is "broadcasted", then yes it can be sniffed with very specific wireless equipment (RMON capable wireless adapters) and software tools. Wireless clients that haven't associated with the same AP have no mechanism to intercept or "hear" the wireless traffic except with the aforementioned equipment. Wireless communications in TCP/IP networks work essentially the same as for wired networks except for the transmission media: radio waves as opposed to physical wires. If WiFi traffic were broadcast for everyone to eavesdrop on it would have never left the drawing board.

That being said, I think that wireless networks pose a greater risk to MITM attacks because physical access is not required to access the wireless network to "inject" a rogue system in order to intercept the traffic.

joeqwerty
  • you said that wireless radio signals are broadcast and can be intercepted by equipment. How does my question contradict this? – CJ7 Jun 21 '10 at 04:10
  • You said that wireless traffic was broadcast for everyone to hear, which is not technically correct. The radio signal is broadcast in the sense that it's radio wave based, but the communication is point to point between the wireless client and the wireless AP. The wireless client does not broadcast its traffic for all to hear. The statement that the traffic is broadcast for all to hear may give someone the impression that wireless networking works in a way in which it doesn't. – joeqwerty Jun 21 '10 at 10:54
  • The broadcast issue with respect to modern 802.11 wireless is somewhat moot in that the transport layer is protected by some form of WPA encryption in most cases. Your wired traffic is protected by its physical location and the lock on your wiring closet. In most environments that I have worked in, the client networks where switch and wiring infrastructure are easily available are treated as untrusted networks. – duffbeer703 Jun 21 '10 at 18:24