Man-in-the-Middle Attacks


The US Department of Health and Human Services (HHS), Office for Civil Rights (OCR), published an advisory in the March issue of its “Cybersecurity Newsletter” warning of a well-known attack method known as the man-in-the-middle (MitM) attack. This type of attack is used by attackers to do exactly what the name says: become a man in the middle of a secure connection. So, while the victim thinks they are connecting to their destination website (e.g. a bank, social media or email site), the attacker is taking over the connection and can see any data “in the clear” before it is forwarded on to the actual destination.

This type of attack can be described in a very simple diagram, shown below. The top part of the image shows a normal secure connection (which our attacker has blocked) and the bottom shows how a MitM attack works.

OCR went beyond warning that MitM attacks are possible. In fact, most modern devices are capable of warning users if something fishy is going on. When a user is connected directly to a legitimate secure website, the browser will only show a green lock symbol (or something similar, depending on the browser you are using). This is virtually seamless for the user, and there is rarely anything else to do if the website uses a trusted Certificate Authority (the organizations, such as VeriSign and Google, that are trusted across the web to issue certificates). If the website is using a less-than-trusted certificate, the user will see a warning something like this:

HTTPS Intercept Products

The problem is that the protections built into the browsers don’t work in large organizations that use what are commonly known as HTTPS intercept products. These devices are designed to sit between the users of an organization and the Internet. The devices’ certificates are added to the trusted store on all local systems, and any traffic to an encrypted site is routed through the intercept devices. This means that, regardless of the certificate on the destination website, the users will see no warning, because the certificates on the devices are pre-approved.

The problem begins when the device talks directly to the destination website or application. Rather than the connection being established by the user’s browser, it is established directly from the intercept device. This eliminates the protections that have been put in place, because the device could accept an illegitimate certificate and the user would have no indication. This means that these devices, if they don’t verify secure connections to web hosts, make MitM attacks much simpler for attackers to perform.

Recommendations

One step that OCR recommends is to check any HTTPS intercept devices used within the enterprise against the lists on “badssl.com” to determine whether the products in use properly validate certificates. The best available methods for remediating this issue are described in US-CERT guidance, found in Alert TA15-120A, the highlights of which are as follows:

  • Update Transport Layer Security and Secure Sockets Layer (TLS/SSL) by upgrading to TLS 1.1 or higher and making sure that all versions of SSL (1, 2, and 3) as well as TLS 1.0 are disabled.
  • Use certificate pinning
  • Incorporate DNS-based Authentication of Named Entities (DANE)
  • Use network notary servers
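The badssl.com check described above and the first two US-CERT highlights (a TLS version floor and certificate pinning) can be exercised from a workstation with a short script. The one below is an added example, not code from the OCR newsletter, US-CERT or the post’s author. It assumes Python 3.9 or newer with only the standard library, and that it is run from a machine behind the intercept device being audited, so the device, not the script, is what ultimately accepts or rejects each server certificate. The four badssl.com hostnames are that site’s public test endpoints; the pin value in the usage is a constructed placeholder. The TLS floor here is 1.2 rather than the 1.1 the alert names, a deliberate choice for this example; DANE and network notaries are not covered.

```python
"""Added example: audit certificate validation through an HTTPS intercept
device and show the hardened client settings beside the weak ones.

Assumptions (not from the original post): Python 3.9+, standard library only,
network access to badssl.com for the audit itself, and a constructed pin
value for the pinning demonstration.
"""
import hashlib
import socket
import ssl
from typing import Optional

# Public badssl.com endpoints whose certificates must be rejected by any
# client (or intercept device) that validates chains and hostnames properly.
BADSSL_MUST_FAIL = (
    "expired.badssl.com",
    "wrong.host.badssl.com",
    "self-signed.badssl.com",
    "untrusted-root.badssl.com",
)


def hardened_client_context() -> ssl.SSLContext:
    """Validate the chain and hostname; refuse SSLv2/SSLv3/TLS 1.0/TLS 1.1.

    The post's floor is TLS 1.1; this example uses TLS 1.2 (editor's choice).
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def intercept_style_context() -> ssl.SSLContext:
    """The weak setting: what a non-validating intercept device effectively
    does on the user's behalf. Shown only to contrast with the hardened one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """True only if the context validates certificates and hostnames and
    will not negotiate anything below TLS 1.2."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and bool(ctx.check_hostname)
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def try_connect(host: str, ctx: ssl.SSLContext, timeout: float = 10.0) -> Optional[BaseException]:
    """Attempt a TLS handshake; return None on success or the exception raised."""
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return None
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        return exc


def verdict(outcome: Optional[BaseException]) -> str:
    """Classify one connection attempt to a host whose certificate is bad.
    A successful handshake is the failure case: the bad cert was accepted."""
    if outcome is None:
        return "FAIL: bad certificate accepted"
    if isinstance(outcome, ssl.SSLCertVerificationError):
        return "PASS: certificate rejected"
    if isinstance(outcome, ssl.SSLError):
        return "PASS: TLS handshake refused"
    return "UNKNOWN: " + type(outcome).__name__  # DNS/connect problem, not a verdict


def audit_badssl(ctx: Optional[ssl.SSLContext] = None) -> dict:
    """Run every must-fail endpoint through the given context."""
    ctx = ctx or hardened_client_context()
    return {host: verdict(try_connect(host, ctx)) for host in BADSSL_MUST_FAIL}


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 of a DER-encoded certificate, hex encoded. Pinning the whole
    certificate is the simplest pin; it changes on every renewal, so keep a
    backup pin for the next certificate as well."""
    return hashlib.sha256(der).hexdigest()


def pin_matches(der: bytes, pins) -> bool:
    return cert_fingerprint(der) in pins


def connect_pinned(host: str, pins, timeout: float = 10.0) -> bool:
    """Hardened handshake plus a pin check on the certificate actually
    presented. An intercept device substitutes its own certificate, so a
    pin mismatch here is exactly how interception becomes visible."""
    ctx = hardened_client_context()
    with socket.create_connection((host, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, pins):
                raise ssl.SSLCertVerificationError("pin mismatch for " + host)
            return True


if __name__ == "__main__":
    for host, result in audit_badssl().items():
        print(f"{host:28} {result}")
    # Placeholder pin (constructed); replace with the real fingerprint(s).
    # connect_pinned("www.example.com", frozenset({"<sha256-hex-of-expected-cert>"}))
```

Every endpoint should report PASS when run behind a device that validates; any FAIL means the device accepted a certificate a browser would have rejected. Running `audit_badssl(intercept_style_context())` shows what that failure looks like from the client side, since that context accepts everything.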

OCR also recommends that covered entities and business associates using any type of HTTPS interception technology consider the risks this could present to their ePHI. In short, these types of security products have a litany of potential pitfalls associated with them, and their potential to increase the organization’s vulnerability to malicious MitM attacks should be considered carefully.

OCR’s monthly Cyber Awareness newsletters and other HIPAA Security Rule Guidance Material may be found at http://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html.

April 10th, 2017

About the Author:

John Nye
John Nye is Senior Director of Cybersecurity Research and Communication for CynergisTek and has spent the majority of the last decade working in Information Security, half that time working exclusively as a professional penetration tester. Besides testing and improving security, John has a passion for educating and informing the public. He accomplishes this by presenting hacking demos regularly at industry conferences and groups as well as writing blog posts for CynergisTek and industry publications. Nye’s specialties include wireless, web, and system penetration testing, user education and public speaking, information assurance, security auditing, policy compliance and writing, and security research and analysis. Some of his industry certifications include CISSP, Licensed Penetration Tester (LPT) and Certified Ethical Hacker (CEH).