New Phishing Toolkit Poses Danger To Consumers - Technology News by TechWeb
I noticed this article and have become a bit concerned. It states that there is a man in the middle attack kit out on the internet for sale. Now a man in the middle attack is typically considered a rather sophisticated attack that is almost impossible for the client machine to detect.
Basically what it is is a combination of multiple attacks in order for a hacker to intercept all traffic from clients to a particular website. Typically the attack happens with 3 phases:
1.) Traffic Redirection
DNS entries on a server are modified using specially formed packets confusing the server into mapping the incorrect IP Address to a DNS name.
The attacker can also use ARP-Spoofing to confuse the client machine to send information to the attackers computer, by sending a modified packet to a machine which corrupts the users ARP table which maps MAC addresses to IP Addresses.
2.) Traffic interception
Once the traffic has been re-directed all the client machine is forwarded to the hackers IP address. What the hacker does is create a website that looks identical to the one requested and acts as a proxy between the two computers. Traffic in both directions can been seen and or modified at will by the attacker.
3.) Credential Theft
The hackers can now intercept any usernames, passwords, etc. at their will.
Why this is a problem?
The internet has become a place where all manner of transactions occur and hackers are well aware of this. The hacker kit will allow non-skilled hackers (aka script kiddies) to compromise more peoples private information such as bank details etc. This could also pose a problem if a PACS system where to be compromised in such as manner, because lots of private patient information could be leaked out if the web interface of a PACS system where to be caught in such an attach.
What to do about it?
I would start by implementing some form of secure access to the site. HTTPS connections will encrypt the information making it a little more difficult for the attacker to intercept information. I would alos implement monitoring systems that would allow you to determine source addresses and such and see if there are any anomalous IP Addresses with unusually high hits on the site.
Extra Reading
http://www.cs.umu.se/education/examina/Rapporter/MattiasEriksson.pdf
http://en.wikipedia.org/wiki/Man_in_the_middle_attack
http://www.computerhope.com/jargon/m/mitma.htm
http://blogs.ittoolbox.com/wireless/networks/archives/wireless-man-in-the-middle-attack-part-i-7422