[Cryptography] stories from the real life MITM book

Wed Sep 3 15:06:30 EDT 2014

Sounds like an important step in the right direction.

On 09/03/2014 01:57 AM, ianG wrote:

> Evidence of MITMs is so rare it has to be trumpeted.

Thanks for the pointers to recent articles.  We agree that
reported /evidence/ of MITM attacks is somewhat rare.  
However, the attacks themselves are not particularly rare.

Actually the evidence is starting to get some play.  You
can find interesting stuff by googling:
  https://www.google.com/search?q=MITM&tbm=nws

For example:

   Adrian Mettler, Vishwanath Raman and Yulong Zhang
   "SSL Vulnerabilities: Who listens when Android applications talk?"
   http://www.fireeye.com/blog/technical/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html

> (MITM) attacks ... are wreaking havoc on data security

> We reviewed the 1,000 most-downloaded free applications in the Google
> Play store as of July 17, 2014. Of these, 674 (~68%) have at least
> one of the three SSL vulnerabilities that we studied

Here's a particularly detailed, interesting report:

  Lin-Shung Huang, Alex Rice, Erling Ellingsen, and Collin Jackson
  "Analyzing Forged SSL Certiﬁcates in the Wild"
  https://www.linshunghuang.com/papers/mitm.pdf

> We analyzed 3,447,719 real-world SSL connections and successfully 
> discovered at least 6,845 (0.2%) of them were forged SSL 
> certificates.

And another:

  Ryan Gallagher 
  "New Snowden Documents Show NSA Deemed Google Networks a 'Target'"
  http://www.slate.com/blogs/future_tense/2013/09/09/shifting_shadow_stormbrew_flying_pig_new_snowden_documents_show_nsa_deemed.html

> Aside from targeting Petrobras [the Brazilian state oil company], 
> Fantastico revealed that in a May 2012 presentation reportedly used 
> by the agency to train new recruits how to infiltrate private 
> computer networks, Google is listed as a target. So are the French 
> Ministry of Foreign Affairs and SWIFT, a financial cooperative that 
> connects thousands of banks and is supposed to help “securely” 
> facilitate banking transactions .... the NSA has apparently targeted
>  the computer networks of Saudi Arabia’s Riyad Bank and Chinese 
> technology company Huawei ....

> spy agencies have [used] so-called “man-in-the-middle” attacks to 
> circumvent the encryption by impersonating security certificates in 
> order to intercept data.

It must be emphasized that NSA is *not* the only player in this
arena.  Maybe one of these days Ed Snowden's Chinese cousin,
Sou-Den E-Duan, will leak a few gigabytes telling us what the
Third Directorate has been up to.

=====================================

There was a time when networks had no security at all, not even
against passive snooping.  You could login using telnet, sending 
your password in the clear.  That would be considered gross 
malpractice today.  SSH has been around for 20 years.

Until recently, in some circles, worrying about active MITM attacks
was considered tin-foil-hat paranoia.  Not anymore.  Nowadays we 
need strong protection against such attacks ... much stronger than 
what is presently deployed.  IMHO, continuing with things as they 
are would constitute gross malpractice.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBVAdmtvO9SFghczXtAQIb6Q//X+WHYnMEsZ7Lap4iJ3+0OkBc3pHnOmgt
oYHFsRmsCuKCwHolLiTMFMB09sZ5WTkgEK333u3wNAOrtnMdQ0Y/v8rbdEwa1qbq
1h4gWCnsVLJ3sLPumyVaVT7DsByaE0hMOgH6A7WshkVkTFvLdIT+hUUWBQlzaBU4
6jyHYomcrV5K2A1Hi7Sh4n8kxADkQeobhaXtSENVA5KQpap5FN5L6GepwcX4bdYe
B8ydjiyIoGzIkcIYBoJDOQjmvSSDS2h9dUxhccLMHpb90taBr9FEIHfkL0ykH09f
ekB4KouOp0XL3NzZghCsuO1Gmvd8LqviwUzaK6K1TbjKT4RtAXyBtYGT7G/GWtH8
LWHHN00npp/UVCbgzdr87FyBnmgK04flw9kwLjJ0d1Ei6SA+3+LqwlPX9qpjArug
oGyaihOS38f91/MUZ5GrCn/ZtqJdbb6SbKy4YvC6rsApstNoDwCCpe6wVBdCfuXu
FnoxjYfGCRxZn7FCYTp3WReepJGXoJGFggdRl7Gk+94StQNpE72QoXyQZd+N2W/e
nTPeA4ttH4pvVmfJHkktq6azocwzMzXPcXeSi5ee6imyGzkeeHFh9WYmPi8piRmt
nCPJF0fhqWySz/A1vKBzCjxkKx4odY/LYV6SPqX8Iexgyf0CTWhvwdc30B7Ny3bg
cxhx00gUnNA=
=YQfG
-----END PGP SIGNATURE-----