MITM via Proxy Example
Now your associate does his online banking, and you sit in the middle and watch him do it, get his username and password information, and alter information that he is transacting with. Most importantly, when he decides to log out of the bank, you give him a "bye-bye" message and actually keep open the link between your computer and the bank's server, so you can keep accessing his account.
This is a serious attack.
Above is the BURP user interface.
You will see that the proxy program, mimicking the MITM, receives your browser's request for an Internet page.
Upon selecting to forward that page, the result is again returned to the proxy.
As a simple example, set up your proxy in your browser options screen. Now all traffic will travel through your proxy software. In the browser, look for Google. In the search screen type "achilles proxy" and submit.
You will see the HTTP request show up in the proxy.
In the intercept tab, look for the word "achilles".
Change that word to "burp".
Now, select the forward button and wait to receive the response from Google. Once you receive the response in the proxy, elect to allow it to go through to the browser.
You will notice that although you originally submitted "achilles" in the Google search, you have received back a search based on "burp".
"Ok," I hear you say. "Sure, why wouldn't it change, given that you told me to change it in the proxy." And therein lies the point of the exercise.
You opened a Google page and entered "achilles". You then intercepted that page in the proxy program and altered the word "achilles" to read "burp". Google received the changed word and executed and returned data based on that search.
If someone were doing this for real, you would have no control over what happened to your browser request page after you had submitted it. And it wouldn't be an innocuous site like Google to which the information was being sent. If this were your bank page, and you elected to pay your credit card bill of $1000, and a MITM intercepted it and changed it to $1, you would be a bit miffed. It doesn't take much imagination to think of even worse possible scenarios.
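The same exercise can be reproduced entirely on the loopback interface to see what each end observes. This is an added example, not code from the article: it assumes plain HTTP, and the names Origin, Relay and run_demo and the /search?q= path are made up for the illustration.

```python
import http.client
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SEEN_BY_SERVER = []  # request paths exactly as the origin server received them
DIRECT = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no system proxy

def reply(handler, body):
    handler.send_response(200)
    handler.send_header("Content-Length", str(len(body)))
    handler.end_headers()
    handler.wfile.write(body)

class Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass

class Origin(Quiet):
    """Stand-in for the search site: records and echoes the path it was asked for."""
    def do_GET(self):
        SEEN_BY_SERVER.append(self.path)
        reply(self, ("results for " + self.path).encode())

class Relay(Quiet):
    """Stand-in for the intercepting proxy: edits the request, then forwards it."""
    def do_GET(self):
        edited = self.path.replace("achilles", "burp")  # the edit made in the intercept tab
        with DIRECT.open(edited, timeout=5) as upstream:
            reply(self, upstream.read())

def start(handler):
    server = HTTPServer(("127.0.0.1", 0), handler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def run_demo():
    """Return (path the client sent, path the server saw, body the client got back)."""
    SEEN_BY_SERVER.clear()
    origin, relay = start(Origin), start(Relay)
    sent = "/search?q=achilles"
    conn = http.client.HTTPConnection("127.0.0.1", relay.server_port, timeout=5)
    # A browser configured to use a proxy sends the absolute URL to the proxy.
    conn.request("GET", "http://127.0.0.1:%d%s" % (origin.server_port, sent))
    body = conn.getresponse().read().decode()
    conn.close()
    for server in (origin, relay):
        server.shutdown()
    return sent, SEEN_BY_SERVER[0], body

if __name__ == "__main__":
    print(run_demo())
```

The server's record contains only the altered path, and the client receives a well-formed response, so neither end has anything in the exchange itself that reveals the change.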
So, in the future, when you see the padlock icon in the browser, don't let your feeling of security get the better of you. And if you have been prompted with any message that implies that something is wrong, pay attention to it!
Incidentally, SSL can be configured to resist MITM attacks. We'll come back to this in a future article.
There are some in the security business who advocate that strong passwords will solve most of the difficulties associated with identity management and authenticating users. But all of the previously mentioned attacks will break any non-ciphered password entered. Others advocate using Two Factor Authentication (covered next in the series), but even that is susceptible to the MITM attack.
With this information in hand, take a fresh and critical look at that login page when you next use it. You will be able to make your own mind up about the level of security afforded to you by your site administrator. This is particularly true in cases where you are parting with sensitive information.
So, you may ask, what can I do? Actually, not all that much. You can be wary of certificates, look out for malicious software on your computer, and so on. In the end, however, it is up to the security industry to create solutions that go to the roots of these problems, and systems administrators to implement those solutions and get ordinary users to employ them. There are many initiatives in progress to protect against these attacks, but not everyone has access to them yet. In the meantime, beware!
Pat McKenna is a security consultant and CTO with 2SA Plus, a company specializing in Two Factor Authentication and matters of Identity Management. He is 45 and has been in the IT business for 15 years, during which he has held many positions, including company director. Prior to a career in IT, he worked in the security & intelligence field. He is proficient with many computer languages, old and new, and has trained hundreds of programmers. His hobbies are chess and penetration testing (aka ethical hacking).