A by-the-book man-in-the-middle attack occurs in three steps:

  1. Gather information about the victim server, so that a fake server can take its place
  2. Take control of the data flow, at the network level (ARP, routing), the name resolution level (DNS) or the application level (firewall, proxy)
  3. Insert the fake server and trick the end user into connecting to it

The counter-measures include:

  1. Protect the victim server: verify communication with the server using TLS/SSL, and restrict secret information about the server (private keys, passwords, etc.)
  2. Data flow control: surveillance and monitoring, with alarms for unusual patterns across all infrastructure components, plus configuration verification
  3. Fake servers: pop-up warnings to the end user about certificate inconsistencies, training users to recognize danger, Extended Validation certificates
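One concrete form of the "alarms about unusual patterns" in counter-measure 2, at the network (ARP) level of step 2: a small monitor that compares a trusted ARP-table baseline with a fresh snapshot and raises alerts when an address moves or one MAC answers for several hosts. This is an added example written for this post, not code from the original author; the ARP snapshots, the gateway address 192.168.1.1 and all MAC addresses in it are constructed sample data in the format of `arp -a` on Linux.

```python
"""
Detect ARP-table anomalies that commonly accompany a network-level
man-in-the-middle (ARP spoofing): an IP whose MAC address changes, and
one MAC answering for several IPs (for example, the gateway and a host).

Added example for this post, not code from the original author.  The
snapshots below are constructed sample data; the addresses are made up.
"""
import re
from collections import defaultdict

# Matches entries such as "gateway (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0"
ARP_LINE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\)\s+at\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

# Constructed baseline taken while the network was known to be clean.
BASELINE_SNAPSHOT = """\
gateway (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
fileserver (192.168.1.10) at 66:77:88:99:aa:bb [ether] on eth0
printer (192.168.1.20) at cc:dd:ee:ff:00:11 [ether] on eth0
"""

# Constructed later snapshot: one MAC now claims both the gateway and the file server.
SUSPICIOUS_SNAPSHOT = """\
gateway (192.168.1.1) at de:ad:be:ef:00:01 [ether] on eth0
fileserver (192.168.1.10) at de:ad:be:ef:00:01 [ether] on eth0
printer (192.168.1.20) at cc:dd:ee:ff:00:11 [ether] on eth0
? (192.168.1.99) at <incomplete> on eth0
"""


def parse_arp_table(text):
    """Return {ip: mac} from `arp -a` style output; incomplete entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def find_anomalies(baseline, current, protected_ips=()):
    """Compare a trusted baseline with a new snapshot and return alert strings.

    Two conditions raise alerts:
      - an IP from the baseline now resolves to a different MAC
        (CRITICAL for protected IPs such as the gateway, WARNING otherwise);
      - one MAC claims more than one IP in the current snapshot.
    """
    alerts = []
    for ip, old_mac in baseline.items():
        new_mac = current.get(ip)
        if new_mac is not None and new_mac != old_mac:
            severity = "CRITICAL" if ip in protected_ips else "WARNING"
            alerts.append(f"{severity}: {ip} moved from {old_mac} to {new_mac}")

    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(
                f"WARNING: {mac} answers for {len(ips)} IPs: {', '.join(sorted(ips))}"
            )
    return alerts


def run_demo():
    """Run the check on the constructed snapshots; the gateway is the protected host."""
    baseline = parse_arp_table(BASELINE_SNAPSHOT)
    current = parse_arp_table(SUSPICIOUS_SNAPSHOT)
    return find_anomalies(baseline, current, protected_ips={"192.168.1.1"})


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

In practice the baseline would be captured at a known-good time (or built from DHCP leases and switch port tables) and the comparison run on a schedule, with the CRITICAL alerts routed to whoever owns the network segment.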

The first two points are mainly about infrastructure, and work on them is included in the regular risk and vulnerability analyses that are carried out.  The last point includes training end users to recognize danger, and involves working with user interfaces as well as with the technology itself.  Regular user interface testing should in my opinion be part of the usual risk analysis for distributed systems.  It would not hurt to include some work on the end user’s risk perception, to the extent that this is known.
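The client side of counter-measures 1 and 3 comes down to two checks: the TLS client must actually validate the server's certificate chain and hostname, and a certificate that differs from the one the user saw before should produce a clear warning rather than a silent connection. The following is an added example written for this post, not code from the original author; it uses Python's standard `ssl` module, and the DER certificate bytes and stored fingerprint are constructed placeholders, not a real certificate.

```python
"""
Client-side checks against the "fake server" step: a TLS context that
verifies the server certificate chain and hostname, an audit that flags
contexts which have had that verification switched off, and a fingerprint
comparison producing the kind of warning the post describes for a
certificate inconsistency.

Added example for this post, not code from the original author.  The
certificate bytes and fingerprint below are constructed placeholders.
"""
import hashlib
import ssl


def make_verifying_context(cafile=None):
    """TLS client context that requires a valid chain and a matching hostname."""
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context already sets both; restating them makes the intent explicit.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_weak_context():
    """What a 'just make the certificate error go away' fix looks like: no verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means the peer is verified."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("server certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("certificate subject is not checked against the hostname")
    return findings


def cert_fingerprint(der_bytes):
    """SHA-256 over the DER encoding, the usual form in which pins are stored."""
    return hashlib.sha256(der_bytes).hexdigest()


def check_pin(der_bytes, stored_fingerprint):
    """Compare the presented certificate with the one remembered for this host.

    Returns (ok, message) so a UI layer can show the message to the user verbatim.
    """
    seen = cert_fingerprint(der_bytes)
    if seen == stored_fingerprint:
        return True, "certificate matches the one seen previously"
    return False, (
        f"WARNING: server certificate changed (expected {stored_fingerprint[:16]}..., "
        f"got {seen[:16]}...); possible man-in-the-middle, do not enter credentials"
    )


# Constructed placeholders: a "remembered" certificate and a different one.
REMEMBERED_CERT = b"\x30\x82\x01\x00" + b"constructed placeholder certificate A"
STORED_FINGERPRINT = cert_fingerprint(REMEMBERED_CERT)
CHANGED_CERT = b"\x30\x82\x01\x00" + b"constructed placeholder certificate B"


if __name__ == "__main__":
    print("verifying context findings:", audit_context(make_verifying_context()))
    print("weak context findings:     ", audit_context(make_weak_context()))
    print(check_pin(REMEMBERED_CERT, STORED_FINGERPRINT)[1])
    print(check_pin(CHANGED_CERT, STORED_FINGERPRINT)[1])
```

On a live connection the DER bytes come from `sock.getpeercert(binary_form=True)` after the handshake; the point of `audit_context` is that the weak configuration is easy to introduce as a "temporary" fix and is invisible to the end user unless something like this check or the pin comparison reports it.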
