
Menace in the Middle

Command Line Heroes Team
Security
Tech history


About the episode

All communication leaves the possibility for crossed wires. And as we become more connected, there’s a chance for those with ill intentions to steal our information and meddle in our daily lives—with devastating results.

Smriti Bhatt breaks down the complexity behind machine-in-the-middle attacks. Johannes Ullrich tells us why we shouldn’t always trust that free WiFi. And the “father of SSL” Taher Elgamal notes that while cryptography can address the increasingly sophisticated nature of malware, there are no safe bets in security.

Command Line Heroes Team Red Hat original show


Transcript

Hello, operator. I'd like to place a call to Murray Hill 35097. Hello. Operator? So you understand the plan? Yeah, sure. I got it. Who is this? Hello? I'm trying to place a call. Be there by 10:00 and keep your gun handy. Yeah, no problem, boss. This will be an easy job. You just make sure it looks like an accident. I've got it. I've got it. Who were they and how could they not hear me?

The crossed wires problem has been around ever since we started using tech to send each other messages. Letters get intercepted. Phone lines get tapped. These days, we have to worry about WiFi eavesdropping, IP spoofing, SSL hijacking. People have even used submarines to dive down and tap into the fiber optic cables that span our oceans. I mean, the list goes on. Every new form of communication technology creates a new opportunity to intercept private notes. In some cases, we're just talking about privacy being invaded. In others, an insecure connection can mean a payment you just made gets scooped up in transit or corporate secrets are stolen. Some of our most valuable assets are shuttled around the world via digital technology and bad actors try to catch them where they can. These are machine in the middle attacks. You might have heard them called man in the middle attacks. You can call them monster in the middle, meddler in the middle, whatever. Point is something is messing around in the middle of your communication and these attacks grow more dangerous the more connected our lives become.

I'm Saron Yitbarek and this is Command Line Heroes, an original podcast from Red Hat. All season, we're tackling the biggest problems in digital security, the viruses and trojan horses and botnets that keep InfoSec teams awake at night. And this time we're focused on secret sly interceptors, the machine in the middle attacks that interfere with our supposedly safe transmissions. Packages, messages, money, anything that travels from one place to another could get snatched along the way.
It's 2015 and all across Europe ordinary citizens are noticing that their bank accounts have a mysterious leak. Money seems to be disappearing. It's almost as though a ghost is making withdrawals. A million euros is stolen, then two, then three. Soon, six million euros has simply vanished. Sometimes they take out even, you know, $10 and that will, together from so many different millions of users, it will contribute to a very large amount for the cyber criminal group.

Smriti Bhatt is an assistant professor at Purdue University in Indiana. She researches cyber security with the focus on access control and authorization. And if she'd been in Europe back in 2015, she might have had an idea what was going on. Machine in the middle attacks are very much on her radar and she knows these attacks have evolved to be a lot more complicated than our opening crossed wires example. So how could an attack start bleeding millions of euros? To begin with, a bit of malware gets planted. They try to gain access to these medium and large scale European companies through different attack vectors, and then social engineering techniques, sending them phishing emails for the employees to click on those links. Episode two in this season features the trojan horses criminals use to gain your confidence, get you to click on links and download malware. It can be painfully easy to trick people, in some cases. You can get a malware or a piece of code that is specially designed to be sent out to a specific organization. So whoever was behind this attack in 2015, they would've sent out phishing emails to big companies throughout Europe. Employees click on bad links and let malware get installed on their computers. That malware starts monitoring emails for payment requests and this is when the machine in the middle attack is most disturbing.
It's easier for them because they are actually within a communication channel that's happening between two ends and they both are believing that they are actually talking to each other, but there's someone in the middle who is actually intercepting and maybe changing those messages. Here's how it plays out. Let's say an individual has downloaded the attacker's malware. We'll call him John Smith. Now the criminals are monitoring his email. They can easily see that a payment is coming due. So they send John Smith a note pretending to be the company that's collecting the payment. They say, "Hey, time to pay up, John," and even include a link for ease. Just click here to make your payment. John then sends his banking info to a fake website that they've built. Then the attackers can turn around, visit the real website of John's bank and use that information to withdraw his money. So they will initiate two simultaneous connections, one with the victim acting as the bank webpage or website, and then one with the bank where they act as the user, where they will just relay all the information back and forth. The attackers sit in the middle like a puppet master, pulling the strings of both John and the bank. John thinks he's talking to his bank. The bank thinks it's talking to John. Neither realizes there's someone else in the middle, orchestrating the whole thing and pocketing the money. This kind of attack is sometimes called a relay attack and it's become a popular technique for cybercriminals. The user will provide all the authentication information like the username, the password, maybe the two-factor authentication code, and all of this information will be relayed in real time to the actual banking website. This real-time relay is key to the success of these attacks. Even if the bank has sophisticated security measures like two-factor authentication, the attackers can bypass them because they're essentially piggybacking on a legitimate user session. 
So once they have established the session with the bank, now they can do any transactions that the user is authorized to do. The attack that Smriti described, where criminals stole six million euros from European bank accounts, was carried out by a group called Carbanak. They weren't just targeting individual consumers, though. They were also going after the banks themselves, using machine in the middle techniques to steal directly from financial institutions. They were able to gain access to the internal networks of these banks and then they could monitor the transactions that are happening within the bank and also modify them. Machine in the middle attacks aren't just about financial fraud, though. They can be used to steal any kind of sensitive information that travels over networks. Corporate secrets, personal communications, government intelligence - anything that moves from point A to point B can potentially be intercepted. These attacks can happen at different layers of the network stack. They can happen at the physical layer, where someone actually taps into network cables. They can happen at the network layer, where attackers intercept and modify network packets. Or they can happen at the application layer, where attackers create fake websites or applications that look legitimate. One of the most common places where machine in the middle attacks occur is on public WiFi networks. When you connect to free WiFi at a coffee shop or airport, you're potentially exposing yourself to these kinds of attacks. Public WiFi is essentially like shouting your conversation across a crowded room. Anyone in that room can potentially listen in. Johannes Ullrich is the dean of research at the SANS Technology Institute. He's spent years studying network security and has seen firsthand how public WiFi can be exploited by attackers. When you connect to public WiFi, your data is being transmitted over radio waves that anyone in range can intercept. 
And it's surprisingly easy for attackers to set up fake WiFi hotspots that look legitimate but are actually designed to steal your information. These fake hotspots are sometimes called evil twin attacks. An attacker sets up a WiFi network with a name that looks similar to a legitimate one - maybe "Airport_WiFi" instead of "Airport-WiFi" - and unsuspecting users connect to it thinking it's the real thing. Once you're connected to an attacker's WiFi network, they can see everything you're doing online. They can intercept your passwords, read your emails, and even inject malicious code into the websites you visit. But it's not just public WiFi that's vulnerable. Even supposedly secure networks can be compromised if attackers gain access to the right equipment. We've seen cases where attackers have compromised routers, switches, and other network infrastructure to intercept traffic. If an attacker can get access to a key piece of network equipment, they can potentially monitor all the traffic that passes through it. This is why network security professionals are so focused on securing not just the endpoints - the computers and devices that users interact with - but also the infrastructure that connects them. Security is only as strong as the weakest link, and in networking, there are a lot of potential weak links. Every router, every switch, every access point is a potential target for attackers. Machine in the middle attacks have also evolved to target newer technologies. As more devices become connected to the internet - everything from smart thermostats to connected cars - the attack surface for these kinds of attacks continues to grow. The Internet of Things has created millions of new potential targets for attackers. Many of these devices weren't designed with security in mind, so they're often easy to compromise. And once an attacker has access to one device on a network, they can often use it as a stepping stone to attack other devices. 
This is particularly concerning when you consider that many IoT devices are always connected to the internet and often left unmonitored by their users. People will spend thousands of dollars on a security system for their home, but then they'll connect it to their WiFi network without thinking about whether the device itself is secure. If an attacker can compromise that security system, they might be able to disable it or even use it to spy on the homeowner. So how do we protect ourselves against these kinds of attacks? The first line of defense is awareness. Understanding how machine in the middle attacks work and being cautious about where and how we connect to networks. The most important thing users can do is to be skeptical of public WiFi. If you must use public WiFi, avoid accessing sensitive information like banking sites or work email. And always look for that HTTPS in the URL - that little lock icon in your browser that indicates the connection is encrypted. But even encrypted connections aren't foolproof. Attackers have developed techniques to bypass HTTPS encryption in certain circumstances. There are attacks like SSL stripping, where an attacker downgrades a secure HTTPS connection to an insecure HTTP connection. The user might not notice the change, especially on a mobile device where the browser interface is limited. This is why many security experts recommend using a VPN, or virtual private network, when connecting to public WiFi. A VPN creates an encrypted tunnel between your device and a trusted server, making it much harder for attackers to intercept your traffic. A good VPN can protect you even if you're connected to a malicious WiFi network. All of your traffic is encrypted before it leaves your device, so even if an attacker is monitoring the network, they won't be able to see what you're doing. But VPNs aren't a silver bullet either. 
It's important to choose a reputable VPN provider and to understand that you're essentially shifting your trust from the local network to the VPN provider. You want to make sure you're using a VPN provider that has a good privacy policy and doesn't log your activity. Otherwise, you might be protecting yourself from local attackers only to expose yourself to the VPN provider. For organizations, protecting against machine in the middle attacks requires a comprehensive approach to network security. This includes securing network infrastructure, implementing strong encryption, and training employees about the risks. Organizations need to think about security at every layer of their network. That means securing the physical infrastructure, implementing network monitoring to detect unusual activity, and using strong encryption for all sensitive communications. Many organizations are also implementing zero-trust network architectures, where no device or user is trusted by default, regardless of whether they're inside or outside the network perimeter. The old model of network security was like a castle with high walls - once you were inside, you were trusted. But that model doesn't work anymore when attackers can compromise devices inside the network. Zero trust assumes that any device could be compromised and requires verification for every access request. Individual users can also take steps to protect themselves. Beyond being cautious about public WiFi and using VPNs, there are simple digital hygiene practices that can help. There are lots of simple things we can do, but at the end of the day, digital hygiene only gets you so far. We will rely on something else to keep us safe. Cryptography. Here's the basic idea. If we scramble a message well enough, it doesn't matter whether it gets intercepted because that hacker isn't going to be able to read the message they steal. It'll be useless. We noticed really early on the internet is way too open. 
Taher Elgamal is the CTO for security at Salesforce. But back in 1995, he was the chief scientist at Netscape and Netscape wanted to develop eCommerce. They were excited about a whole new world of commercial transactions bouncing around the internet. Only problem was ... We needed to do something to make sure that whatever travels on the open internet satisfies security requirements. Netscape developed SSL, the secure sockets layer protocol, and Elgamal, who is sometimes called the father of SSL, led the team that put out the first public version. SSL would deliver three things that made eCommerce viable. First, integrity. If I'm transferring $1,000, I don't want someone to add a zero to that number. Second, privacy. I don't want everyone to know I'm transferring that money. And third, authentication. I want to know that you are really you before I send that cash. So these three things are what we developed SSL on, and it was basically developed so that the consumer and the merchant, which is the server, can communicate with all of these three properties maintained. A simple proposition, but SSL opened the gates and every business came marching through. And the world actually went crazy with it. Two decades after Netscape supercharged internet traffic with its SSL protocol, it was ubiquitous. For some businesses, SSL must have felt like a silver bullet, allowing them to stop worrying about hackers entirely. To this day, it lends a sense of safety to our online lives. Every time you look at a URL and see that S in HTTPS, the S stands for secure. It's one more instance of data that's been secured by Elgamal's team, and they manage this by taking advantage of a particular kind of cryptography, public key cryptography. Each entity has two keys.
One is a private key, and one is a public key, and they construct it in such a way that I can provide you with my public key so you can send something back that is encrypted with my public key and only my private key, which I have never shared with anyone, can use to decrypt. So this is the base of public key cryptography. Public key cryptography is sometimes called asymmetric cryptography. In symmetric cryptography, both parties have a shared secret key that they use to unlock information. There's only this one private key they're using, and that's not feasible when you have billions of consumers and millions of merchants. Asymmetric or public key cryptography allows eCommerce to scale. It allowed for the safe expansion of our digital lives. Soon, SSL was renamed TLS, transport layer security, but the basics are the same. And TLS is continually being updated to this day in response to new weaknesses found in operating systems, applications, or the cloud. It's an endless arms race because somebody will always find a weakness in something and then the community has to find a better way of doing it. This is just never going to end, basically. It's the digital world that we live in. Elgamal suggests that the same development of protocols that made eCommerce possible can now help to secure the internet of things from machine in the middle attacks. But the idea of SSL, of TLS is the right thing. So I can prove to my fridge that it's actually me because I'm authenticated, therefore nobody else can get access to it. So, the use of a protocol like TLS in the IoT world will solve certain issues. Elgamal says this kind of work, this constant securing against machine in the middle attacks presents a new challenge every day. The attacker needs to find one door that they can enter from and the defense needs to secure every single door and window and this and that and the other thing. That's why there's an arms race and that's why we're always trying to catch up. 
I've been in security for such a long time. I want people to stop thinking of what is the silver bullet. Okay. No silver bullet, but what we do have is vigilance and curiosity. We can remind ourselves with every new piece of communication technology, there's always a way to slip into someone else's private conversation. We've been making progress. Command Line Heroes, like Taher Elgamal, are securing communication against machine in the middle attacks. More than half of all internet traffic is now encrypted. We're adopting HTTPS and in-browser warning systems. We're scrambling our messages so that they're useless when they get stolen. And down the road, quantum cryptography could change the encryption game again, but that's a message nobody can read quite yet.

I'm Saron Yitbarek and this is Command Line Heroes, an original podcast for Red Hat. Next time, we encounter another scary security threat, ransomware. Files get locked and attackers demand cash for the decryption key, unless a few brilliant heroes can save the day. Subscribe, follow wherever you get your podcasts to make sure you don't miss an episode. And until next time, keep on coding.

About the show

Command Line Heroes

During its run from 2018 to 2022, Command Line Heroes shared the epic true stories of developers, programmers, hackers, geeks, and open source rebels, and how they revolutionized the technology landscape. Relive our journey through tech history, and use #CommandLinePod to share your favorite episodes.