Wednesday, February 12th, 2014
Man in the middle attacks
I was recently contacted by a journalist to give my views on some topical security issues around password security and man in the middle attacks.
Both topics have enough substance to warrant standalone blogs, but in my view it doesn’t make sense to review them in isolation because they are intrinsically linked. The journalist was initially interested in some prominent European websites that don’t store customer passwords in an encrypted form. The sites in question require customers to register an email address and a password of their choice when setting up a user account. These sites also provide a password retrieval facility which emails the password back to the user on request.
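To make concrete what a site that can email your password back is doing wrong, here is an added example (not code from this post or from any of the sites discussed) of the alternative: the password is stored only as a salted, slow hash, and a reset request produces a one-time, expiring token rather than the password itself. The PBKDF2 iteration count, the 15-minute token lifetime, the in-memory dictionaries standing in for database tables and the sample account are all assumptions for the illustration.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

PBKDF2_ITERATIONS = 200_000   # assumed work factor; tune for your own hardware
RESET_TOKEN_TTL = 15 * 60     # assumed token lifetime in seconds (15 minutes)

# Constructed in-memory stores standing in for database tables.
USERS = {}         # email -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}  # sha256(token) -> {"email": str, "expires": float}


def _derive(password: str, salt: bytes) -> bytes:
    """Slow salted hash: the only form in which a password is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(email: str, password: str) -> None:
    """Create (or overwrite) an account; the plaintext password is never kept."""
    salt = os.urandom(16)                       # per-user random salt
    USERS[email] = {"salt": salt, "hash": _derive(password, salt)}


def verify_login(email: str, password: str) -> bool:
    """Check a login attempt with a constant-time comparison of the derived hash."""
    rec = USERS.get(email)
    if rec is None:
        _derive(password, b"\x00" * 16)         # same cost for unknown users, so timing reveals nothing
        return False
    return hmac.compare_digest(rec["hash"], _derive(password, rec["salt"]))


def request_password_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Return a one-time token to put in a reset link; the site has no password to send.

    Returns None for unknown accounts. The HTTP layer must still answer identically
    in both cases so the response does not reveal which addresses are registered.
    """
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()   # store only a hash of the token
    issued = time.time() if now is None else now
    RESET_TOKENS[key] = {"email": email, "expires": issued + RESET_TOKEN_TTL}
    return token


def complete_password_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume a reset token: single use, must not be expired, then re-hash with a fresh salt."""
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)         # removed whether or not it turns out to be valid
    current = time.time() if now is None else now
    if entry is None or current > entry["expires"]:
        return False
    register(entry["email"], new_password)      # old hash discarded, new salt and hash stored
    return True


if __name__ == "__main__":
    # Constructed sample account for a stand-alone run.
    register("alice@example.com", "Correct-Horse-7!")
    print("login ok:", verify_login("alice@example.com", "Correct-Horse-7!"))
    tok = request_password_reset("alice@example.com")
    print("reset link token (emailed instead of the password):", tok)
    print("reset ok:", complete_password_reset(tok, "New-Pass-9?"))
    print("reuse rejected:", not complete_password_reset(tok, "again"))
```

The point of the design is that a breach of the user table yields only salts and PBKDF2 hashes, and the "forgot password" flow can email nothing more valuable than a short-lived token whose own hash is all the server keeps.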
Our conversation then turned to wireless security and how easy it is to conduct man in the middle (MITM) attacks and intercept users’ web traffic, including email addresses, passwords etc. We discussed how this type of attack is most common over free wi-fi services but is now also becoming very prevalent in compromised apps downloaded to smartphones, tablets etc.
For anybody who is technically minded it’s blatantly obvious that there is a serious problem with any website that doesn’t store passwords securely encrypted, and that emailing a password out to users is about as secure as sending it on a postcard. Also, when using free wi-fi, users have to be prudent about the information they transmit unless they are 100% sure the website they are accessing has an up to date SSL certificate. When downloading apps, people need to ensure it is the official app from the bank, financial institution etc. This is all ABC, really obvious, and everybody knows it already – right? (NO)
The harsh reality is that in most cases people don’t heed the warnings about cyber security. The passwords being used are generally the same for most services; the format of the password will have a capital letter at the start and numbers at the end, with a lot of passwords using an exclamation mark (!) at the tail. Using the same password for all your services is like having one key that unlocks your office, house, car and bank. If you lose it you have a problem. A popular method of acquiring user passwords is through MITM attacks. People are simply not diligent enough about checking the sensitivity of the information they transmit when using free wi-fi. This is happening to thousands of people on a daily basis. To assume that these threats are common knowledge and that everybody is tech savvy enough to fully appreciate the threat is simply rubbish. I’m a big fan of free wi-fi services, and both I and my staff use it on a daily basis. The problem isn’t the free wi-fi but user behaviour and security practices.
But there is a more important lesson to learn here. This isn’t all about the levels of security being deployed by the websites or the wireless internet providers. Even the larger websites with significant budgets for security get hacked.
The recent hack of Yahoo Mail is an example of what I’m talking about here. By accessing a third-party database the hackers gained access to a significant number of email addresses and associated passwords. If all of these users are following best practice and using a standalone password for their Yahoo Mail they are fine. But in 95% of cases people will have gotten sloppy and reused this username and password on another service.
Some Tips
- Change your password every 90 days
- Don’t use words that are in the dictionary
- Use CAPS, lower case and symbols
- Never use the same password for different online services
- Always assume the service will be hacked
Posted By Ronan Murphy
Twitter : smarttech01
Web : Smarttech.ie