Command Line Heroes - Menace in the Middle
Episode Date: April 19, 2022
All communication leaves the possibility for crossed wires. And as we become more connected, there's a chance for those with ill intentions to steal our information and meddle in our daily lives, with devastating results. Smriti Bhatt breaks down the complexity behind machine-in-the-middle attacks. Johannes Ullrich tells us why we shouldn't always trust that free WiFi. And the "father of SSL" Taher Elgamal notes that while cryptography can address the increasingly sophisticated nature of malware, there are no safe bets in security.
If you want to read up on some of our research on machine-in-the-middle attacks, you can check out all our bonus material over at redhat.com/commandlineheroes.
Follow along with the episode transcript.
Transcript
Hello, operator. I'd like to place a call to Murray Hill. 35097.
Hello? Operator?
So, you understand the plan?
Yeah, sure. I got it.
Who is this?
Hello? I'm trying to place a call.
Be there by 10 o'clock. And keep your gun hidden.
Yeah, no problem, boss. This will be an easy job.
The crossed wires problem has been around ever since we started using tech to send each other messages.
Letters get intercepted.
Phone lines get tapped.
These days, we have to worry about Wi-Fi eavesdropping, IP spoofing, SSL hijacking.
People have even used submarines to dive down and tap into the fiber optic cables that span our oceans.
I mean, the list goes on.
Every new form of communication technology creates a new opportunity to intercept private notes.
In some cases, we're just talking about privacy being invaded.
In others, an insecure connection could mean a payment you just made gets scooped up in transit.
Or corporate secrets are stolen.
Some of our most valuable assets
are shuttled around the world via digital technology,
and bad actors try to catch them where they can.
These are machine-in-the-middle attacks.
You might have heard them called man-in-the-middle attacks.
You can call them monster in the middle,
meddler in the middle, whatever.
Point is, something is messing around
in the middle of your communication.
And these attacks grow more dangerous
the more connected our lives become.
I'm Saron Yitbarek, and this is Command Line Heroes,
an original podcast from Red Hat.
All season, we're tackling the biggest problems in digital security.
The viruses and Trojan horses and botnets that keep InfoSec teams awake at night.
And this time, we're focused on secret Sly Interceptors.
The machine-in-the-middle attacks that interfere with our supposedly safe transmissions.
Packages, messages, money, anything that travels from one place to another could get snatched
along the way. It's 2015, and all across Europe, ordinary citizens are noticing that their bank accounts have a mysterious leak.
Money seems to be disappearing.
It's almost as though a ghost is making withdrawals.
A million euros is stolen, then two, then three.
Soon, six million euros has simply vanished.
Sometimes they take out even, you know, $10 and that will, together from so many different
millions of users, it will contribute to a very large amount for the cyber criminal group.
Smriti Bhatt is an assistant professor at Purdue University in Indiana.
She researches cybersecurity with a focus on access control and authorization. And if she'd
been in Europe back in 2015, she might have had an idea what was going on. Machine-in-the-middle
attacks are very much on her radar, and she knows these attacks have evolved to be a lot
more complicated than our opening cross wires example. So how could an attack start bleeding
millions of euros? To begin with, a bit of malware gets planted. They tried to gain access to these
medium and large scale European companies through different attack vectors,
and then social engineering techniques,
sending them phishing emails for the employees to click on those links.
Episode 2 in this season features the Trojan horses criminals use to gain your confidence,
get you to click on links and download malware.
It can be painfully easy to trick people in some cases.
You can get a malware or a piece of code that is specially designed to be sent out to a specific organization.
So whoever was behind this attack in 2015, they would have sent out phishing emails to big companies throughout Europe.
Employees click on bad links and let malware get installed on their computers.
That malware starts monitoring emails for payment requests.
And this is when the machine-in-the-middle attack
is most disturbing.
It's easier for them because they are actually
within a communication channel
that's happening between two ends
and they both are believing
that they are actually talking to each other,
but there's someone in the middle who is actually intercepting and maybe changing those messages.
Here's how it plays out.
Let's say an individual has downloaded the attacker's malware.
We'll call him John Smith.
Now the criminals are monitoring his email.
They can easily see that a payment is coming due.
So they send John Smith a
note, pretending to be the company that's collecting the payment. They say, hey, time to pay up, John,
and even include a link for ease. Just click here to make your payment. John then sends his banking
info to a fake website that they've built. Then the attackers can turn around, visit the real website of John's
bank, and use that information to withdraw his money. So they will initiate two simultaneous
connections, one with the victim acting as the bank webpage or website, and then one with the
bank where they act as the user, where they are communicating with the bank. So they are in the middle, getting information from the victim,
whatever they need, username, passwords.
And they have a simultaneous connection going on with the bank
where they are acting as the user and providing that information
that they are getting from the user to the bank.
So they are in the middle and they are facilitating this communication.
They're hijacking it.
Stopping this European scam in 2015 was an enormous project.
It wasn't as simple as pulling the plug on a server.
Attackers in the dark web, they have these bulletproof hosting platforms that are available
where different malicious attackers you know, attackers
can go in and host these phishing websites. Hunting these bulletproof sites across the
dark web isn't easy. Standard checks and balances don't apply there. And tracking people down can
feel like you're trying to put handcuffs on a shadow. It is very large scale in the sense that
it's very spread out, you know, very scaled out.
It's not a specific country. It's not a specific region.
So that's another factor that makes it successful because it's so hard to track back where it is originating, where it's coming from, how widely is it spread across the internet.
Europol did manage to take that ring down, but the work required was intense.
They needed a lot of coordination between different agencies,
so you can see how many different countries, Italy, Spain, they have to come together.
The UK law enforcement and the Europol itself has to come together to conduct these simultaneous raids.
Those raids led to the seizure of documents, laptops, telephones, SIM cards, memory sticks.
49 cyber criminals were arrested in the end.
Police searched 58 separate properties to pull it all together.
And even then, a massive machine-in-the-middle attack like this one
almost has a life of its own.
They might already have backup of all those resources, you know, the attackers.
And if they come back, they can set these similar operations again.
As long as the attacks are within the boundaries of Europe,
coordinating a response from Europol is at least feasible
because it's
within the European Union. Things get more difficult, though, if countries that don't trust
each other have to share information. And of course, all this just compounds when attackers
start adapting their machine-in-the-middle attacks to new technologies where secure
transmissions aren't established. Every new piece of communication tech opens the possibility of new kinds of eavesdropping,
new ways to intercept messages as they run down wires or through the air.
You're in the playground and you're eating an apple.
You want to give that apple to your friend and some bully comes and takes the apple from you,
taking a bite out of it and then passing it to the friend.
That would be a machine-in-the-middle attack.
Johannes Ullrich is the Dean of Research at SANS Technology Institute in Florida.
He researches attacks that play out on the internet,
and he says there are endless ways a criminal could execute a machine-in-the-middle attack.
It can happen on a local network.
There is something called ARP spoofing, where I'm essentially taking over the role of the router
and redirect traffic to the attacker instead of the actual legitimate router.
It can happen when someone manipulates the routing protocols of the internet.
Where I'm just claiming to the internet that I'm owning a certain IP address or a certain
range of IP addresses and trick the internet into routing that traffic to me.
It can happen via DNS spoofing.
I basically just give you the wrong IP address to send the traffic to.
You get the idea.
Machine-in-the-middle attacks are only limited
by the creativity of criminals.
And like I've said, even before the internet,
bad actors always found ways to hack into communication tech.
For example, Mr. Marconi was a bit naive when he developed the radio in the 1890s.
He imagined his radio could be a point-to-point communication system, sort of like a wireless telegraph.
Pretty quickly, though, he realized that radio signals allow anyone to eavesdrop.
Today, a couple big advances have opened our world up to new fields of machine
in the middle attacks. The first one was the advent of Wi-Fi. In particular, the widespread
use of Wi-Fi that isn't encrypted. So the usual coffee shop scenario, we are just connecting
to some open access point. In that case, because the traffic is not encrypted,
it's not authenticated,
an attacker can easily impersonate
any part of the conversation.
Unsecured public Wi-Fi is a classic site
for machine-in-the-middle attacks.
As an attacker, I would turn my laptop
into an access point.
I may either use a little LTE modem or connect to the shop's
own Wi-Fi network to provide internet connectivity. And then I just use for that access point that I'm
deploying the same SSID, the same name that the coffee shop uses legitimately. So a victim
connecting to the Wi-Fi network wouldn't really be able to tell the difference between my access point and the shop's access point.
This is sometimes called an evil twin attack, where the entire Wi-Fi access point is mirrored.
They hope I'll pass it on to the Internet.
But of course, before I do so, I could, again, manipulate the traffic.
I could eavesdrop on the traffic.
You'll notice there are some sneaky social engineering tricks at play here.
For example, say the coffee shop Wi-Fi requires a password.
You have to walk all the way to the counter to get it.
But then you see another network, and it uses the cafe's name too.
But this one doesn't need a password.
You'll give that a try, and then you are actually connected to my free Wi-Fi.
And with that, of course, I can intercept your traffic.
Wi-Fi has been around for a while now, and more people are aware of the risks when using random
cafe internet. But of course, a new avenue for machine-in-the-middle attacks has emerged.
Think about IoT, the Internet of Things.
Billions of new internet-connected devices are showing up in our everyday lives.
And when there's a rush to put out new products,
security issues can sometimes take a backseat.
That leaves these IoT devices especially vulnerable.
The Internet of Things is somewhat a problem in particular because often TLS, the main
defense against these attacks, isn't working that well with the Internet of Things.
That would be Transport Layer Security, a cryptographic protocol.
They often don't verify certificates correctly.
Then, for example, things like firmware updates can be intercepted.
It's a very common vulnerability within the Internet of Things where a machine-in-the-middle attack could be used to manipulate firmware that's being downloaded.
And as a result, then an attacker could, for example, launch their own code on that particular thing they're
trying to attack. Whether we're talking about hacking Wi-Fi or your smart TV or any place an
attacker can weasel themselves in, these machine-in-the-middle attacks are usually very intentional.
The hacker is there to get away with something. Many of these attacks are about stealing credentials,
your username, password, anything they can use to pretend to be you. I'm intercepting login screens.
I'm collecting automatically transmitted credentials like cookies, like API keys and the
like. Other attacks are designed to install malicious code.
Now when you're going to a website
and you're being offered additional download
or additional content
that then actually triggers vulnerability in your systems
or tricks you into installing a malicious code.
But remember, that's not all that can happen.
Theoretically, any information you're sending to a website
or any system at all can be collected.
This could be financial information
if you're connecting to your bank account's website.
The reason credentials are most interesting
is once the attacker has those credentials,
they don't really have to bother with collecting all the other data
because they can just go there and get it themselves
by logging in as you.
The crime itself can be as complex
as that banking heist we heard about Europol busting.
Or it can be something as seemingly simple
as stealing the cookie that authenticates you on a website.
If someone steals the cookie that a website has been using
to autofill your username and password,
well, like Ullrich says, they can essentially become you,
whether that means logging into your bank or just spying on your social media.
Scared yet? Don't be too freaked out, because we have some brilliant defense strategies in place. Professionals and everyday folks are finding ways to secure that big open space
where attackers like to pounce.
To a certain degree, we can all save ourselves from machine-in-the-middle attacks.
If I'm doing some online banking, for example, I'm going to check the URL,
make sure it's right, and I'm going to check again throughout the session.
I'm never going to log into a site after clicking on a link in an email either.
I'm typing in that URL myself.
And I never trust a login page that doesn't use HTTPS.
Look for that padlock icon in the search bar if you're unsure. There are lots of simple
things we can do, but at the end of the day, digital hygiene only gets you so far. We rely
on something else to keep us safe. Cryptography. Here's the basic idea. If we scramble a message
well enough, it doesn't matter whether it gets intercepted. Because that hacker isn't going to be able to read the message they steal.
It'll be useless.
We noticed really early on, the internet is way too open.
Taher Elgamal is the CTO for security at Salesforce.
But back in 1995, he was the chief scientist at Netscape.
And Netscape wanted to develop e-commerce.
They were excited about a whole new world of commercial transactions bouncing around
the internet. Only problem was...
We needed to do something to make sure that whatever travels on the open internet satisfies
security requirements.
Netscape developed SSL, the Secure Sockets Layer Protocol.
And Elgamal, who is sometimes called the father of SSL,
led the team that put out the first public version.
SSL would deliver three things that made e-commerce viable.
First, integrity.
If I'm transferring $1,000,
I don't want someone to add a zero to that number.
Second, privacy.
I don't want everyone to know I'm transferring that money.
And third, authentication.
I want to know that you are really you before I send that cash.
So these three things are what we developed SSL on.
And it was basically developed so that the consumer and the merchant, which is the server,
can communicate with all of these three properties maintained.
A simple proposition.
But SSL opened the gates, and every business came marching through.
And the world actually went crazy with it.
Two decades after Netscape supercharged internet traffic with its SSL protocol, it was ubiquitous.
For some businesses, SSL must have felt like a silver bullet, allowing them to stop worrying about hackers entirely.
To this day, it lends a sense of safety to our online lives.
Every time you look at a URL and see that S in HTTPS, the S stands for secure.
It's one more instance of data that's been secured by Elgamal's team.
And they manage this by taking advantage of a particular kind of cryptography.
Public key cryptography.
Each entity has two keys.
One is a private key and one is a public key.
And they construct it in such a way that I can provide you with my public key so you
can send something back that is encrypted with my public key and only my private key,
which I've never shared with anyone, can use to decrypt.
So this is the base of public key cryptography.
Public key cryptography is sometimes called asymmetric cryptography.
In symmetric cryptography, both parties have a shared secret key that they use to unlock information.
There's only this one private key they're using.
And that's not feasible when you have billions of consumers and millions of merchants.
Asymmetric or public key cryptography
allows e-commerce to scale.
It allowed for the safe expansion
of our digital lives.
Soon, SSL was renamed TLS,
Transport Layer Security.
But the basics are the same.
And TLS is continually being updated to this day
in response to new weaknesses
found in operating systems, applications, or the cloud.
It's an endless arms race
because somebody will always find a weakness in something
and then the community has to find a better way of doing it.
This is just never going to end, basically.
It's the digital world that we live in.
Elgamal suggests that the same development of protocols that made e-commerce possible
can now help to secure the Internet of Things from machine-in-the-middle attacks.
But the idea of SSL or TLS is the right thing.
So I can prove to my fridge that it's actually me, because I'm authenticated.
Therefore, nobody else can get access to it. So the use of a protocol like TLS in the IoT world
will solve certain issues. Elgamal says this kind of work, this constant securing against
machine-in-the-middle attacks, presents a new challenge every day.
The attacker needs to find one door that they can enter from, and the defense needs to secure every single door and window and this and that and the other thing. That's why there's an arms race,
and that's why we're always trying to catch up. I've been in security for such a long time,
I want people to stop thinking of what is the silver bullet.
Okay, no silver bullet.
But what we do have is vigilance and curiosity.
We can remind ourselves, with every new piece of communication technology,
there's always a way to slip into someone else's private conversation.
We've been making progress.
Command line heroes like Taher Elgamal are securing communication against machine-in-the-middle attacks.
More than half of all internet traffic is now encrypted.
We're adopting HTTPS and in-browser warning systems.
We're scrambling our messages so that they're useless when they get stolen.
And down the road, quantum cryptography could change the encryption game again.
But that's a message nobody can read quite yet.
I'm Saron Yitbarek, and this is Command Line Heroes, an original podcast from
Red Hat. Next time, we encounter another scary security threat, ransomware. Files get locked,
and attackers demand cash for the decryption key. Unless a few brilliant heroes can save the day.
Subscribe, follow, wherever you get your podcasts to make sure you don't miss an episode.
And until next time, keep on coding.