Cloak and Dagger: Man-In-The-Middle and Other Insidious Attacks

Introduction

Information has always been very valuable. Computers are entrusted to maintain and process massive amounts of information. This makes them valuable targets to attackers. One of the most devastating forms of attack is when an attacker gains access to the information without the victim even being aware of it.

This paper explores some of the means by which this surreptitious access to information can occur. Background material on basics of cryptography, the Diffie-Hellman key exchange, networking, Transport Layer Security and Secure Sockets Layer, and drive by downloads is provided in section 2. MITM attacks are defined in section 3. ARP spoofing, a form of a MITM attack, is explored in section 3.1. Futile defenses to MITM attacks are examined in section 3.2. A MITM attack on SSL using fake certificates is givenin section 3.3. Even more forms of MITM attacks are explored in section 3.4. Defenses are discussed in section 3.5. Finally, a new attack known as man in the browser is detailed in section 3.6.

MITM attacks are not the only stealthy means by which information security is breached. Rootkits and botnets, which are capable of doing much more harm, can reside on victim’s computer while evading detection. Rootkits are defined in section 4. An example rootkit, Mebroot, is analyzed in section 4.1. Defenses against rootkits are discussed in section 4.2. Botnets, which are often used in conjunction with rootkits, are defined in section 5. Attacker’s motivation is examined in section 5.1. The Torpig botnet, and its recent takeover by security researchers, is investigated in 5.2.

We conclude with some general discussion on how to prevent these attacks in section 6.