Ouch - Kaspersky have been enabling MITM attacks on their customer base. The Register citig a Chrome bug report explains how you can use this to trick consumers in thinking a site is valid/safe when it is not.
This underlines the ease of MITM SSL/TLS - see my previous article for all the different ways this can be done!
I’ve been travelling quite a bit recently for work and have been reminded (again) how ‘human factors’ can defeat any attempt to improve security.
A good example of this is chip and pin/contactless. Chip and Pin is common and popular in Europe and as a result in Europe I never ‘give’ my card to members of staff for them to process it. This reduces the risk of fraud substantially as staff cannot easily clone/copy cards when they’ve never handled them.
Continue readingI’m often heard saying it’s quite easy to MITM HTTPS (also called SSL/TLS) and decided that maybe I should list all the methods I know of (there are quite a few).
The attacker has many options to try and get in the middle between the user and web server/API
The pure technical approaches rely on attacks that don’t require users to make any mistakes and anyone can be vulnerable.
Continue readingTo continue my MITM attacks theme - someone has just release a nice USB key that ransacks your PC - Ars Technica has a good write up.
This kind of thing is very dangerous as it’s really easy to get people to put USB keys into computers! I’m currently writing a longer article on the (many) ways to MITM TLS to help explain how easy it is!
I’m often heard worrying about the state of HTTPS and the ease to get users to do things that make it basically not function - but I’ll admit evidence of real world attacks is thin on the ground. There is a systematic reason for the lack of information - if a hacker uses a Man-In-The-Middle (MITM) technique to hack HTTPS there is very little evidence left and all thart will happen is the stolen data will turn up in a list at some point in the future. It’s nearly impossible to correlete the HTTPS hack and the stolen data - as it could have been stolen in dozens of places.
Continue readingWhy in 2016 are people still shipping software and devices with default passwords? The recent IOT/Botnet that broke large chunks of the internet was entirely avoidable if the devices had been shipped without default passwords.
This is perfectly within the capability of a device manufactuer - even British Telecom (who have many many issues) have been shipping their devices with randomized passwords printed on a sticker on the device for years. It’s not hard to do that! With software it’s even easier you just force the user to pick a password and don’t ship them with admin/password or whatever you’ve decided is good enough.
Continue reading