02 Oct 09 Security Consultant – Man In The Middle Attacks (MITM)

A Man In The Middle (MITM) attack is a popular network based attack in order to hijack a connection or to sniff traffic. A MITM attack actually covers a variety of different methods. A MITM attack is literally positioning yourself as the attacker between the two communicating parties. Whether you do that via an ARP attack, some type of cryptographic attack, or a physical attack depends on the requirements and scenario. As a security consultant it is important to ensure that the network and it’s communications are as secure as possible against this type of attack. I will cover a simple physical MITM attack, then an ARP attack, and then prevention techniques.
(more…)

Tags: arp, arp attack, arp poisoning, cryptographic attack, default gateway, gateway, layer 2, layer 3, man in the middle, managed switch, MITM, network bridge, nic, openvpn, router, Security Consultant, self signed certificate, SSL, switch

30 Sep 09 Self Signed Certificates

SSL – ‘Secure Sockets Layer’ is an encryption protocol. How it works is beyond the scope of this article, our only concern for now is self signed certificates. Sufficient to say, that SSL is based upon public key cryptography (PKI). It makes use of a private key and a public key. Being a Linux Security Freelancer it’s important to be able to advise on when certain technologies are acceptable, and when they aren’t.

If SSL certificates rely on public key cryptography, why do we need a certificate? Simply put, the certificate is usually signed by a ‘trusted’ Certificate Authority (CA)  thus informing the other party that the host is who he claims to be.

Whether the certificate is signed by a CA, or not, your level of encryption and underlying SSL is the same. You might want your CSR (Certificate Signing Request) signed by a trusted CA certain instances. Most websites that use ‘SSL’ today have their certificates signed by a trusted CA. If your web visitors trust you, and your CA has verified that you are who you claim to be, then logic follows that your visitors trust your signed certificate.

You may decide to use a self signed certificate in the instance that you want your data encrypted between your host and the remote host, and know that the remote host is who he claims to be, without needing to convince anyone else of it. In the instance that you are using SSL over HTTP, your browser would warn you that the certificate has not been signed by a known authority. As long as you accept this, your connection is just as encrypted as it would have been should a trusted CA have signed it.

One often overlooked problem though is the potential for a MITM (Man In The Middle) attack. A machine between yours and the remote host could sniff but as of writing, not decrypt your data. However should he perform a MITM attack and essentially fool you into connecting to his webservice with his self signed certificate, you wouldn’t know any better.. You’d receive the same popup warning, which you’d dismiss, and begin your session with an attacker instead of the remote host you were expecting.  One way of confirming, is that you could inspect the certificate, and look at it’s fingerprint. How many people would do that though?

Tags: CA, certificate authority, CSR, http, man in the middle, MITM, PKI, public key cryptography, SSL