MITM – And Why Your Servers Need Protection
Man In The Middle, or M-I-T-M attacks are nothing new, but they can still be the cause of huge data breaches. So this week, we’re continuing our investigation into popular hacking techniques by lifting the covers on MITM attacks. MITM – And Why Your Servers Need Protection.
In The Middle Of What?
Between your server and your user, listening and recording everything.
What if I came with you to the bank. Instead of telling the bank manager all your details, you tell me, and then I tell the bank manager. Well, after I write it all down in my notebook that is. Doesn’t sound ideal does it?
Of course that wouldn’t happen in real life, because you’d know I’m not a bank manager. I’m not sure I’ve ever had enough money to warrant seeing such a figure, so I’m not certain I know what they would look like. I am, however, sure that they don’t cut about in whichever jeans were closest that morning, the first tee shirt that came out of the drawer, and a pair of trainers caked in whatever the dog dragged me through yesterday. But as we have learned through our other posts, computers just aren’t that discerning. If I tell it I’m the bank computer, that’s who I am (not quite, but we’ll get to that).
And that’s the essence of how a man in the middle attack works. If I can convince your computer that my computer is the one it intends to talk to, it will talk to me. I then make a copy of the request your computer sent to mine, and send it on to the real endpoint. Then I do the same on the way back; I take a copy of everything, then pass it on to your computer.
If there are usernames, passwords, or other sensitive data inside that communication – I’ve got a copy of them now.
HTTPS
Going back 5 or 10 years, the advice to users was that you should look out for the padlock icon in the address bar of a website to know whether it was operating on HTTPS as opposed to HTTP. HTTPS is a method of encrypting the communication between a client and a web server. That means that someone tapping the line between those two points cannot see the requests you’re making, because everything is encrypted with the secret keys negotiated right when the two computers connect.
This system is so ubiquitous now that our web browsers actually flag up the absence of HTTPS. This pretty much stops man in the middle attacks dead. Or does it?
Well, as with everything in security, nothing is as black and white as that. We just said that the two computers agree on a secret right at the start of their communication. Everything is encrypted using the agreed secret thereafter. So what if I were able to steal that secret from the computer you think you’re talking to? I would know everything the real web server knows, and so I would be able to decrypt all that super secure information you’re swapping. In the case of web servers, that secret takes the form of a certificate. That’s a point – we should totally cover web server certificates in detail sometime soon…
So the moral of the story is, use HTTPS wherever you can, and guard those certificates with your life!
Encryption Everywhere
Being an AWS Certified Cloud Solutions Architect means you must have deep knowledge of the AWS Well Architected Framework. A key component of the framework is security, and a large part of that is around encryption. Whenever any part of an AWS solution is being developed, we must think about encryption of data in transit, and at rest. One of the main reasons for this is just to make man in the middle attacks as difficult as possible. If you use encryption for all of your data whenever it moves around the network, or is being stored, it’s super difficult for someone to get in the middle of communications.
So use encryption everywhere you can!
Boring Old Firewalls
With all the cool cloud technology I get to play with every day now, firewalls honestly feel a bit boring at this point – but they’re absolutely necessary. This doesn’t really apply to normal web servers, since you never know where in the world your users might come from. But other systems only ever talk to a couple of other systems. If we take a web server and database server architecture for an example, we know that the database only ever needs to talk to the web server, so we can design a firewall rule to accommodate that. This gets a little more abstract in the cloud when we start autoscaling web servers, but still, the idea is the same.
So lock down your firewalls to only allow communication between servers you expect to need to talk to one and other.
So really what we’re saying is that a combination of other security best practices is what guards us against man in the middle attacks. And as always, now you know how it works, you’re ready to defend against it!