How can the man in the middle attack be prevented?
9 minute(s) read
Published on: Jan 27, 2022
Updated on: Mar 11, 2022
You may have heard of man-in-the-middle attacks. To start this article, we will first see what a man-in-the-middle attack is and how it works. Then we will learn how to detect these attacks, and finally how to prevent them from happening.
What is the MiTM attack?
A man-in-the-middle attack poses many security challenges for communication networks. MiTM is the abbreviation for man in the middle. In a MiTM attack, the attacker inserts themselves into the communication between two parties in order to eavesdrop on the information: the data appears to be transmitted normally, but a third party is listening. From this position the attacker can also perform false data injection (FDI) and false command injection (FCI) attacks to trigger unusual activity on the victim's system. This can drive up the CPU load of the victim's computer or, in newer attacks, redirect the victim's computer to domains set up for mining cryptocurrency. Unfortunately, few security experts focus on detecting MiTM attacks, which makes these attack patterns difficult to identify.
As mentioned earlier, this attack is generally aimed at eavesdropping on users' information, but it has other uses as well. For example, attackers may use a MiTM attack against a power grid or water treatment system: by feeding in incorrect information, they cause the responsible engineers to base their measurements and calculations on false data.
In a man-in-the-middle attack, the attacker tries to position themselves between the sender and the receiver of the information and to receive all traffic between the two parties. The interception is arranged so that the attacker can communicate directly with both parties, and sometimes their identity is even revealed to the victims.
A man-in-the-middle attack succeeds only if the attacker can see every message sent between the sender and the receiver, and can send messages that each party believes came from the other. Sometimes man-in-the-middle attacks target only one specific user. For example, the CEO of an important company who is constantly online for business is an attractive target. In this case, the attack is carried out by placing a barrier between the CEO and the Internet so that the attacker can overhear every exchange of information between the victim and the Internet.
How is a man-in-the-middle attack carried out?
Let's see how a man-in-the-middle attack is implemented. One of the most important things to know in order to prevent and deal with such an attack is how the attack model works. The method is best explained with a simple example.
Suppose Mick intends to send a message to Sam, and Joe wants to overhear the conversation and feed Sam a false message. To do so, Joe must somehow place himself between Mick and Sam. First, Mick asks Sam for Sam's public encryption key. If Joe can intercept that reply while Sam is sending the public key to Mick, he is ready to act as the man in the middle: Joe sends Mick a forged message containing his own public key in place of Sam's real key, so that he appears to be Sam. Mick, believing he holds Sam's key, encrypts his message with Joe's fake key and sends it toward Sam. Joe intercepts the message a second time, decrypts it with his own private key, alters it if he wishes, re-encrypts it with Sam's real public key that he captured earlier, and forwards it to Sam.
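The key-substitution trick above, simulated in Python as an added example (not code from the original article). It models the exchange with a toy Diffie-Hellman key agreement instead of the article's RSA-style public key encryption, and adds the defensive step that catches the swap: each party computes a short "safety number" over the two public keys it believes are in use and compares it with the other side over an out-of-band channel. The parameters P and G are constructed for illustration and far too small for real use.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group (constructed for illustration only; not a real-world group).
P = 2**127 - 1
G = 3

def keypair():
    """Return (private exponent, public value) for one party."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, P)

def safety_number(own_pub, peer_pub):
    """Fingerprint of the two keys a party believes are in use (what a QR-code
    comparison in a messaging app shows); order-independent so both sides agree."""
    data = b"".join(sorted(k.to_bytes(16, "big") for k in (own_pub, peer_pub)))
    return hashlib.sha256(data).hexdigest()[:16]

def run_exchange(joe_in_the_middle):
    """Mick and Sam exchange public keys; Joe may replace both with his own."""
    mick_priv, mick_pub = keypair()
    sam_priv, sam_pub = keypair()
    if joe_in_the_middle:
        joe_priv, joe_pub = keypair()
        key_mick_receives = joe_pub   # Joe's key forwarded to Mick "as Sam's"
        key_sam_receives = joe_pub    # Joe's key forwarded to Sam "as Mick's"
    else:
        key_mick_receives = sam_pub
        key_sam_receives = mick_pub
    mick_secret = shared_secret(mick_priv, key_mick_receives)
    sam_secret = shared_secret(sam_priv, key_sam_receives)
    # Joe can read both directions only if he holds a secret with each victim.
    joe_reads = joe_in_the_middle and (
        shared_secret(joe_priv, mick_pub) == mick_secret
        and shared_secret(joe_priv, sam_pub) == sam_secret)
    # Defensive check: the safety numbers must match when compared out of band.
    verified = safety_number(mick_pub, key_mick_receives) == safety_number(sam_pub, key_sam_receives)
    return {"same_secret": mick_secret == sam_secret,
            "joe_can_read": joe_reads,
            "verification_passes": verified}
```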
Why is it difficult to identify a man-in-the-middle attack?
The most important reason that makes detecting man-in-the-middle attacks difficult is that the victim's system is not infected. In this method, the attacker relies on wireless equipment such as routers, access points, and similar devices to carry out the attack. One of the most common types of man-in-the-middle attack is a public Wi-Fi network operated through a malware-infected router. Any user connected to that public Wi-Fi network who sends or receives data packets inadvertently sends a copy of the information to a third party. If this information is sent in plain text, the attacker can read it directly. If the data is sent in encrypted form using 56-bit or 128-bit algorithms, the attacker may still be able to decrypt and view it, because some 56-bit and 128-bit algorithms no longer offer the protection they once did. Except for the Interlock protocol, all systems that must cope with man-in-the-middle attackers have to use secure channels to exchange information.
How to identify a man-in-the-middle attack?
The fact is that identifying this model of attack requires technical knowledge, experience, and skill. The best and safest way to detect it is to monitor and analyze network traffic. If network monitoring reports a suspected malfunction, or the packet exchange rate between two nodes on the network rises abnormally, you should assume that a man-in-the-middle attack may have taken place. The first protocol to look at is Transport Layer Security (TLS, formerly SSL).
How can the man-in-the-middle attack be prevented?
Proper cyber security measures generally help protect individuals and organizations from man-in-the-middle attacks.
1. Update and secure your home Wi-Fi routers: This is perhaps the most important point, as WFH policies typically require employees to have a home router to connect to the Internet and access the corporate network. Wi-Fi router software, known as firmware, needs to be updated from time to time. This process must be done manually because the firmware update is not done automatically. In addition, make sure that the router's security settings are set to the strongest mode, which according to the Wi-Fi Alliance, is currently WPA3.
2. Use a virtual private network (VPN) when connecting to the Internet: VPNs encrypt data between devices and VPN servers. Tampering with traffic is more difficult when a VPN is active.
3. Use end-to-end encryption: If possible, ask your employees to enable encryption of emails and other communication channels. For added security, use only communication software that encrypts messages. Some applications, such as WhatsApp Messenger, enable encryption automatically in the background. However, if employees want to verify the encryption of their messages, they must perform a special process such as scanning and comparing the QR codes shown in the WhatsApp application on each person's phone.
4. Install patches and use antivirus software: Although these are basic steps in cybersecurity, they are important to remember. With WFH policies, employees are now responsible for ensuring that all patches and security software updates are installed on their devices. IT staff may need to make this clear to employees to strengthen endpoint security.
5. Use strong passwords and a password manager: As passwords are not going away anytime soon, encourage employees to use strong passwords and a password manager. For company-owned devices, IT staff can install mobile device management software with a password policy that sets rules for password length, complexity (i.e., use of special characters), history/reuse, and the maximum number of failed login attempts.
6. Only connect to secure websites: This means looking for the small lock icon to the left of the website URL in the browser's address bar. It signifies that the webpage you are visiting is secure and uses the HTTPS protocol. For security reasons, employees and web users in general should never connect to plain HTTP sites or sites where the lock symbol is not visible. To ensure this, users can install a free browser plug-in that enforces the rule. In addition, most security-focused operating systems include web filtering that restricts employee access to non-HTTPS sites.
Man-in-the-Middle Identification Checklist
Typically, security experts try to identify a man-in-the-middle attack on the network based on the following checklist:
1. Check the IP address of the server used by both parties.
2. Check the Domain Name System (DNS) and make sure there is no change in the DNS records. A PTR record is a reverse DNS record: it maps an IP address back to a domain name, which is exactly the opposite of what an A record does. The PTR record establishes the proper correspondence between the domain and the IP, so any distortion of it will cause requests to be sent to other servers.
3. Check X.509. This standard defines the format of public key certificates. It is widely used in the TLS / SSL encryption protocols and is the main component attackers manipulate when substituting public encryption keys.
4. Check certificates. Have the certificates been signed by a trusted certificate authority (CA)? Have their expiration dates changed? Have they been modified? And have employees, without noticing, used look-alike certificates instead of the original one approved by the company?
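The certificate checks in items 3 and 4, as an added example that is not part of the original article. It audits a certificate in the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns, plus the DER bytes from getpeercert(binary_form=True): issuer trusted, validity window, hostname in subjectAltName, and a SHA-256 fingerprint compared with the value recorded when the certificate was first approved. The sample certificate, DER bytes and timestamps are constructed for illustration.

```python
import hashlib
import ssl
import time

# Constructed sample in getpeercert() format; values are made up, not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),
               (("commonName", "Example Trusted CA Root"),)),
    "notBefore": "Jan 27 00:00:00 2022 GMT",
    "notAfter": "Mar 11 00:00:00 2023 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}
SAMPLE_DER = b"constructed-der-bytes-not-a-real-certificate"
# Pin recorded out of band when the company approved this certificate.
EXPECTED_PIN = hashlib.sha256(SAMPLE_DER).hexdigest()
TRUSTED_ISSUERS = {"Example Trusted CA Root"}

def rdn_value(name_tuple, key):
    """Pull one attribute (e.g. commonName) out of getpeercert()'s nested issuer/subject tuples."""
    for rdn in name_tuple:
        for k, v in rdn:
            if k == key:
                return v
    return None

def audit_certificate(cert, der, hostname, expected_pin, trusted_issuers, now=None):
    """Return a list of findings; an empty list means the certificate passed every check."""
    now = time.time() if now is None else now
    findings = []
    issuer = rdn_value(cert.get("issuer", ()), "commonName")
    if issuer not in trusted_issuers:
        findings.append(f"issuer not trusted: {issuer}")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        findings.append("certificate outside its validity period")
    dns_names = {v for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    if hostname not in dns_names:
        findings.append(f"hostname {hostname} not in subjectAltName")
    if hashlib.sha256(der).hexdigest() != expected_pin:
        findings.append("fingerprint differs from the pinned (approved) certificate")
    return findings
```

In a live check, `cert` and `der` come from the same connection's getpeercert() calls, and the findings list feeds whatever alerting the monitoring setup already uses.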