steven36 posted a topic in Security & Privacy News

Starting with version 66, Firefox will let you know when antivirus products, malware, or your ISP are tapping into your HTTPS traffic.

The Firefox browser will soon come with a new security feature that will detect and then warn users when a third-party app is performing a Man-in-the-Middle (MitM) attack by hijacking the user's HTTPS traffic. The new feature is expected to land in Firefox 66, Firefox's current beta version, scheduled for an official release in mid-March.

The way this feature works is to show a visual error page when, according to a Mozilla help page, "something on your system or network is intercepting your connection and injecting certificates in a way that is not trusted by Firefox." An error message that reads "MOZILLA_PKIX_ERROR_MITM_DETECTED" will be shown whenever something like the above happens.

The most common situation where this error message may appear is when users are running local software, such as antivirus products or web-dev tools, that replaces legitimate website TLS certificates with its own in order to scan for malware inside HTTPS traffic or to debug encrypted traffic. Another scenario, also quite common, is when a user's computer gets infected with malware that attempts to intercept HTTPS traffic by installing untrusted certificates. A third scenario would be when an ISP or a malicious user on the same network is also hijacking the user's internet traffic and replacing certificates in order to spy on the user's HTTPS traffic.

The new MitM error page aims to serve as an early warning sign that something is wrong and that a deeper investigation may be needed. This Mozilla support page comes with various recommendations for each situation and how to configure various antivirus products.

The MitM detection feature was initially scheduled to be released with Firefox 65. Its release was delayed after the MitM error page needed more fine-tuning to avoid false positives.
Firefox is the second browser to add a MitM error page. The first was Google Chrome, which received support for showing MitM errors in version 63, released in December 2017. Source
steven36 posted a topic in Security & Privacy News

Bluetooth flaw exposes kit from Apple, Intel, Qualcomm and more to MITM attacks

But there's been no evidence that the vulnerability has been exploited

SECURITY BOFFINS have discovered a vulnerability in Bluetooth that allows attackers to potentially intercept communications between paired devices.

The flaw, known as CVE-2018-5383, was unveiled by Lior Neumann and Eli Biham, cybersecurity researchers from the Israel Institute of Technology, who note that two Bluetooth features - Secure Simple Pairing and LE Secure Connections - are affected.

The issue stems from the fact that the Bluetooth specification recommends, but does not require, that a device supporting Secure Simple Pairing or LE Secure Connections validate the public key received over the air when pairing with a new device.

"In such cases, connections between those devices could be vulnerable to a man-in-the-middle attack that would allow for the monitoring or manipulation of traffic," Bluetooth SIG said in its advisory.

"For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were going through a pairing procedure," the outfit added. "The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgement to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful."

A whole host of devices are affected, and Apple, Broadcom, Qualcomm and Intel are among those who have already pushed out fixes. According to Microsoft, its devices remain unaffected.

Bluetooth SIG said that it has now updated the Bluetooth specification to require products to validate any public key received as part of public key-based security procedures, adding that there is no evidence of the flaw being exploited.
"There is no evidence that the vulnerability has been exploited maliciously and the Bluetooth SIG is not aware of any devices implementing the attack having been developed, including by the researchers who identified the vulnerability," it said. Source
WPAD name collision issue can lead to MitM attacks

[Image: WPAD name collision issue visually explained]

US-CERT has issued a public alert after researchers from the University of Michigan and Verisign Labs have discovered a method of leveraging the WPAD protocol to launch MitM (Man in the Middle) attacks against corporate networks.

WPAD stands for Web Proxy Auto-Discovery and is a protocol used to broadcast common proxy configurations across a network. The protocol's client is active only when the user connects to a network, searching for a WPAD server via DHCP or DNS, from where it requests a proxy configuration file, if one is available, and applies it to the local computer.

New gTLD domains are the root of the problem

The Michigan and Verisign researchers discovered that the introduction of the new custom top-level domains has created an unwanted name collision bug in how WPAD operates. The researchers explain that companies have a tendency to use custom domains for their internal network, for which they use internal name servers to resolve the names. For example, instead of an IP, system administrators often rename crucial servers with authentication.network or apiserver.dev URLs. These servers are only reachable inside the local network because the user needs to be connected to the internal name server to resolve the domain.

Traveling employees can have their computers compromised via WPAD

The research team explains that many of these custom URLs are actually quite common and use many of the new global top-level domains introduced in the past year. Researchers claim that when the user is outside the company network, on a public network, the DNS requests for these internal name servers get automatically forwarded to public Internet DNS servers. Verisign explains that during tests, it's seen over 20 million queries sent out to unregistered custom top-level domains, which looked like internal corporate addresses.
An attacker could register some of these URLs and host a WPAD server that would broadcast a malicious proxy configuration that would send all of the victim's traffic through one of his servers. Using this method, attackers could intercept the victim's private and public traffic, and sniff for sensitive corporate credentials.

Windows computers at risk, by default

The attack affects Windows computers the most, where the protocol is enabled by default. WPAD is installed on OS X and Linux, but users need to turn it on manually. Even worse, because the protocol is turned on by default in Windows, the user's company wouldn't even have to use WPAD inside its network for the user to be vulnerable because the OS would check for it automatically. Nevertheless, if companies use WPAD for their network, it automatically means that both OS X and Linux machines would have to have it turned on, exposing this class of users as well.

Previously, in 2007, 2009, and 2012, security researchers highlighted other flaws in the WPAD protocol that also allowed for MitM attacks. To counteract some of the issues caused by this latest issue in WPAD setups, Verisign has published a series of mitigation techniques.

Article source
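The DNS half of the discovery walk described above, as an added example that is not part of the original post and not code from the Michigan or Verisign researchers: it derives the wpad.* names a client queries for a given DNS suffix by devolution, classifies each as owned by the organisation, under a TLD that does not exist publicly, or open to registration by an outsider, and extracts the proxy target from a wpad.dat. Everything is Python standard library. The stop rule (the client stops before the bare TLD) is an assumption about current clients, the delegated-TLD set is a hand-picked sample standing in for the IANA root zone list, and the PAC file and domain names are constructed for the example.

```python
"""Which wpad.* names a client queries for a DNS suffix, and which of them an
outsider can answer once the host is on a public network.

Constructed example. DELEGATED_TLDS is a hand-picked sample; a real check
should load the IANA root zone list (data.iana.org/TLD/tlds-alpha-by-domain.txt).
"""
import re

# Sample of publicly delegated TLDs (assumption for the example). Names under a
# TLD not in this set fail at the root; names under one in it can be registered.
DELEGATED_TLDS = {"com", "net", "org", "dev", "network", "global", "prod"}


def wpad_candidates(dns_suffix, min_labels=2):
    """Names a WPAD client tries for one DNS suffix, most specific first.
    Each devolution step drops the leftmost label; the walk stops once only
    `min_labels` labels remain, so the bare TLD is never queried (assumption
    about current clients). Suffix sales.corp.dev therefore yields
    wpad.sales.corp.dev and then wpad.corp.dev."""
    labels = dns_suffix.lower().strip(".").split(".")
    names = []
    while len(labels) >= min_labels:
        names.append("wpad." + ".".join(labels))
        labels = labels[1:]
    return names


def registrable_domain(name):
    """Label pair an outsider would have to register to own the name.
    Simplified: treats every TLD as one label, ignores co.uk-style suffixes."""
    return ".".join(name.lower().split(".")[-2:])


def classify(name, owned_domains):
    """owned:       the org controls the registrable domain and answers the query
    undelegated: the TLD does not exist publicly; the query fails at the root today
    collision:   anyone can register the domain and serve a wpad.dat"""
    sld = registrable_domain(name)
    if sld in owned_domains:
        return "owned"
    if sld.rsplit(".", 1)[-1] not in DELEGATED_TLDS:
        return "undelegated"
    return "collision"


def assess_suffix(dns_suffix, owned_domains):
    """(name, verdict) for every name the client would query off-network."""
    return [(n, classify(n, owned_domains)) for n in wpad_candidates(dns_suffix)]


PROXY_RE = re.compile(r'\bPROXY\s+([^;\s"]+)')


def proxy_hosts_from_pac(pac_text):
    """Proxy targets a wpad.dat would push to the client."""
    return sorted(set(PROXY_RE.findall(pac_text)))


# Constructed wpad.dat of the kind an outsider who registered corp.dev could serve:
# every request, HTTP and HTTPS CONNECT alike, is routed through his host.
MALICIOUS_PAC = """
function FindProxyForURL(url, host) {
    return "PROXY proxy.corp.dev:8080; DIRECT";
}
"""


if __name__ == "__main__":
    owned = {"example.com"}
    for suffix in ("sales.corp.dev", "corp.lan", "sales.corp.example.com"):
        for name, verdict in assess_suffix(suffix, owned):
            print(f"{name:28} {verdict}")
    print("PAC routes traffic via:", proxy_hosts_from_pac(MALICIOUS_PAC))
```

Run `assess_suffix` over the organisation's own suffix list: a `collision` verdict marks a name that must be registered publicly, answered authoritatively by the internal resolver, or retired, and a `collision` that only appears at the second devolution step shows why a long internal suffix is no protection. `undelegated` is not safe either, only safe today; it flips to `collision` the day the TLD is delegated, which is exactly what the new gTLD round did to .dev, .network and friends.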