The man-in-the-middle attack is rarely mentioned in discussions of the major cybersecurity issues affecting veterinary practices, despite being among the most commonly used methods of attack. Below is everything you need to know about “man in the middle” attacks and how you can address them in your practice.
What is a Man in the Middle Attack?
A man-in-the-middle attack is a type of cybercrime in which an attacker intercepts the communication between two parties. The attacks often lead to stolen login credentials or personal information, spying on victims’ computer systems, sabotage of communication, and corruption of data. The attackers can also impersonate one of the parties, making it appear as if a normal exchange of information is underway.
The information obtained by cybercriminals during a man-in-the-middle attack can be used for many purposes, including identity theft, transfer of funds from bank accounts linked to your veterinary practice to the cybercriminals’ accounts, illicit password changes, and lateral movement within your network to launch even bigger cyberattacks such as ransomware attacks.
Stages of a Man in the Middle Attack
There are two stages involved in a successful man in the middle attack: interception and decryption.
1. Interception
The first phase of a man-in-the-middle attack is intercepting the traffic before it reaches its destination. One common method is a passive attack in which cybercriminals set up WiFi hotspots that are open to the public. These hotspots are named to resemble something their target victims would expect to see, and they are not password protected, so users connect easily. Once victims connect to such a hotspot, the attackers gain full access to all of their online data exchanges.
Other methods used to intercept internet traffic to launch man in the middle attacks include:
- DNS Spoofing: This method is also commonly known as DNS cache poisoning, and it involves infiltrating a DNS server and altering a website’s address record. This allows cybercriminals to intercept users attempting to access the website and send them to their malicious sites.
- IP Spoofing: The attack involves altering the headers of IP packets so that they appear to come from a trusted address, which allows cybercriminals to masquerade as an application. Users trying to access the spoofed application are then sent to the attackers’ website, where other forms of cyberattacks, such as ransomware, can be launched.
- ARP Spoofing: Using fake ARP messages, cybercriminals link their own MAC address with the IP address of a legitimate host on the local area network. Data that a user sends to that host’s IP address is then delivered to the attackers instead.
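ARP spoofing leaves traces in the neighbour (ARP) table of every machine on the segment, which gives a defender something concrete to monitor. The following script is an added example (not code from the original article): it compares a trusted baseline snapshot of the table with a current snapshot and flags a known IP whose MAC address changed, with the gateway singled out, and one MAC address that now answers for several IPs. The input lines imitate `ip neigh show` output and are constructed for this demonstration; the gateway address is an assumed value.

```python
"""Detect ARP-cache anomalies that typically accompany ARP spoofing.

Added example, not from the original article. Input lines are constructed
to look like `ip neigh show` output; 192.168.1.1 is an assumed gateway.
"""
import re
from collections import defaultdict

# Matches lines such as: 192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+\S+\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_neigh(text):
    """Return {ip: mac} from neighbour-table lines.

    Entries without a hardware address (FAILED / INCOMPLETE) are skipped.
    """
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def detect_arp_anomalies(baseline, current, gateway_ip=None):
    """Compare two {ip: mac} tables and return a list of (kind, detail) alerts."""
    alerts = []
    # 1. A host we already knew now reports a different MAC address.
    for ip, mac in current.items():
        old = baseline.get(ip)
        if old is not None and old != mac:
            kind = "gateway-mac-changed" if ip == gateway_ip else "mac-changed"
            alerts.append((kind, f"{ip}: {old} -> {mac}"))
    # 2. One MAC address claims several IP addresses (classic spoofing footprint).
    by_mac = defaultdict(set)
    for ip, mac in current.items():
        by_mac[mac].add(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(("mac-claims-multiple-ips", f"{mac}: {sorted(ips)}"))
    return alerts


# Constructed snapshots: in the second one an unknown MAC has taken over the
# gateway's IP and is also answering for a second address.
BASELINE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.21 dev eth0 lladdr 00:11:22:33:44:21 REACHABLE
"""
CURRENT = """\
192.168.1.1 dev eth0 lladdr de:ad:be:ef:00:99 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.21 dev eth0 lladdr 00:11:22:33:44:21 REACHABLE
192.168.1.50 dev eth0 lladdr de:ad:be:ef:00:99 REACHABLE
192.168.1.60 dev eth0 FAILED
"""


def run_demo():
    """Run the comparison on the constructed snapshots."""
    return detect_arp_anomalies(parse_neigh(BASELINE), parse_neigh(CURRENT),
                                gateway_ip="192.168.1.1")


if __name__ == "__main__":
    for kind, detail in run_demo():
        print(f"[{kind}] {detail}")
```

In practice the baseline would be captured when the network is known to be healthy (or taken from the switch's MAC table), and the comparison scheduled to run every few minutes; a change in the gateway's MAC address is the single most useful alert to page on.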
2. Decryption
The second phase of a man-in-the-middle attack is decryption, in which cybercriminals must decrypt the intercepted SSL/TLS traffic without alerting the user or the application. Some of the methods used include:
- HTTPS Spoofing: The attackers present a phony certificate to the victim’s browser when the initial connection request to a secure site is made. Once the browser accepts that certificate as trusted, the attackers sit on the encrypted connection themselves and receive any data the victim enters before it is passed on to the real application.
- SSL hijacking: Cybercriminals pass forged authentication keys to both the user and the application during the connection handshake. This tricks browsers into treating the connection as secure while the man-in-the-middle attack is in progress.
- SSL BEAST: The attackers use malicious JavaScript in the victim’s browser to intercept encrypted cookies sent to web applications, and exploit a weakness in the application’s cipher block chaining (CBC) mode to decrypt cookies and authentication tokens.
- SSL Stripping: A secure connection is downgraded from HTTPS to plain HTTP, giving cybercriminals access to the user’s sessions on the site in the clear.
Detecting a Man in the Middle Attack
Unfortunately, detection of a man in the middle attack can be difficult. Chances are, if your veterinary practice is compromised by a man-in-the-middle attack, you will never notice until it is too late, and your data has been compromised, or a ransomware attack has been launched.
However, methods such as verifying proper page authentication and implementing some form of tamper detection can help in detecting man-in-the-middle attacks.
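The decryption techniques above (HTTPS spoofing and SSL hijacking in particular) depend on the victim's software accepting a certificate it should have rejected, so "proper page authentication" in practice means strict certificate verification on the client, and "tamper detection" can be as simple as pinning the server certificate's fingerprint. The following is an added example, not code from the original article: it builds a hardened TLS client context, shows the weakened configuration to avoid beside it, and checks a certificate fingerprint against a pin recorded out of band. The DER byte strings are constructed placeholders rather than real certificates, and the `check_pinned_host` helper that performs a live connection is an assumed wrapper around the standard library.

```python
"""Client-side defence against forged certificates (HTTPS spoofing, SSL hijacking).

Added example, not from the original article. Certificate bytes below are
constructed placeholders; only the fingerprint logic is exercised offline.
"""
import hashlib
import hmac
import socket
import ssl


def make_strict_tls_context():
    """Hardened client context: system CA store, hostname check, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()  # verify_mode=CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_weak_tls_context():
    """The pattern to avoid: no chain validation and no hostname check.

    A client configured like this accepts the attacker's phony certificate
    without complaint, which is exactly what HTTPS spoofing relies on.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_strict(ctx):
    """True when the context validates the chain, checks the hostname and refuses old TLS."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def cert_fingerprint(der_bytes):
    """SHA-256 fingerprint (hex) of a DER-encoded certificate, as shown by browsers."""
    return hashlib.sha256(der_bytes).hexdigest()


def pin_matches(der_bytes, pinned_hex):
    """Constant-time comparison against the fingerprint recorded out of band."""
    return hmac.compare_digest(cert_fingerprint(der_bytes), pinned_hex.lower())


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Open a verified TLS connection and return the leaf certificate in DER form.

    ssl raises SSLCertVerificationError for an untrusted or mismatched certificate,
    so a spoofed connection fails here before any data is sent.
    """
    ctx = make_strict_tls_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_pinned_host(host, pinned_hex):
    """Assumed helper: True only if chain/hostname validation AND the pin both pass."""
    return pin_matches(fetch_peer_cert(host), pinned_hex)


# Constructed placeholder "certificates" for the offline demonstration.
EXPECTED_CERT_DER = b"placeholder-DER-bytes-of-the-practice-portal-certificate"
PINNED_FINGERPRINT = cert_fingerprint(EXPECTED_CERT_DER)  # recorded when the pin was set
SPOOFED_CERT_DER = b"placeholder-DER-bytes-of-an-attacker-issued-certificate"

if __name__ == "__main__":
    print("strict context ok:     ", context_is_strict(make_strict_tls_context()))
    print("weak context ok:       ", context_is_strict(make_weak_tls_context()))
    print("legitimate cert pin ok:", pin_matches(EXPECTED_CERT_DER, PINNED_FINGERPRINT))
    print("spoofed cert pin ok:   ", pin_matches(SPOOFED_CERT_DER, PINNED_FINGERPRINT))
```

Pinning is a tamper-detection control rather than a replacement for chain validation: it catches a certificate substituted by an attacker who managed to get a trusted CA into the victim's store, but the pin must be rotated whenever the practice's real certificate is renewed, or the check will start failing legitimately.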
The best way to address man-in-the-middle attacks is to prevent them from happening rather than attempt to detect them while they are actively occurring. Below are some of the methods you can use in your veterinary practice to prevent man-in-the-middle attacks.
- Use Virtual Private Networks: VPNs can be used to secure communication that passes over a local area network. They are highly effective against man-in-the-middle attacks because their key-based encryption creates a private tunnel, so any traffic that is intercepted is unreadable.
- Force HTTPS: Emphasizing and enforcing HTTPS-only access to websites can help prevent man-in-the-middle attacks.
- Strong Router Login Credentials: Veterinary practices should also ensure that their router password is changed regularly. If the credentials are obtained by cybercriminals, the router’s DNS settings can be pointed at their malicious servers as part of a man-in-the-middle attack.
- Public key-based authentication: Using RSA authentication keys can also help address man-in-the-middle attacks.
- Strong encryption mechanism: Consider using strong WPA2 or WPA3 encryption on access points to reduce the chances of your veterinary practice becoming a victim of a man-in-the-middle attack; the older WEP standard is broken and no longer protects traffic.
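SSL stripping (described under Decryption) works only when a site still answers plain HTTP requests or lets browsers forget that it should be reached over HTTPS, so "Force HTTPS" is worth verifying rather than assuming. The following checker is an added example, not code from the original article: given the requested scheme, the status code and the response headers of an exchange, it reports whether plain HTTP is redirected permanently to HTTPS and whether the HTTPS response carries a Strict-Transport-Security (HSTS) header with a max-age of at least one year that covers subdomains. The sample exchanges and the `portal.example` host name are constructed.

```python
"""Audit whether a site actually forces HTTPS, the control that blunts SSL stripping.

Added example, not from the original article. The sample exchanges below are
constructed; the checker itself makes no network calls.
"""
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; the usual minimum recommended HSTS max-age


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into {directive: value-or-None}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def audit_https_enforcement(scheme, status, headers):
    """Return a list of findings; an empty list means HTTPS is properly enforced."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if scheme == "http":
        # A plain-HTTP request must be redirected, never answered with content.
        if status not in (301, 302, 307, 308):
            findings.append(f"http request answered with {status} instead of a redirect to https")
            return findings
        location = h.get("location", "")
        if urlsplit(location).scheme != "https":
            findings.append(f"http redirects to non-https location {location!r}")
        if status in (302, 307):
            findings.append("redirect is temporary; use 301 or 308 so browsers cache it")
        return findings
    # HTTPS response: HSTS tells the browser never to try plain HTTP again.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("https response lacks Strict-Transport-Security header")
        return findings
    d = parse_hsts(hsts)
    try:
        max_age = int(d.get("max-age") or "")
    except ValueError:
        findings.append("HSTS max-age missing or not an integer")
        return findings
    if max_age < ONE_YEAR:
        findings.append(f"HSTS max-age {max_age} is shorter than one year")
    if "includesubdomains" not in d:
        findings.append("HSTS does not cover subdomains (no includeSubDomains)")
    return findings


# Constructed exchanges: (requested scheme, status code, response headers).
SAMPLES = {
    "stripped-portal": ("http", 200, {"Content-Type": "text/html"}),
    "good-redirect": ("http", 301, {"Location": "https://portal.example/"}),
    "bad-redirect": ("http", 301, {"Location": "http://portal.example/login"}),
    "no-hsts": ("https", 200, {"Content-Type": "text/html"}),
    "short-hsts": ("https", 200, {"Strict-Transport-Security": "max-age=86400"}),
    "hardened": ("https", 200, {"Strict-Transport-Security":
                                "max-age=63072000; includeSubDomains; preload"}),
}


def run_audit(samples=SAMPLES):
    """Audit every sample exchange and return {name: findings}."""
    return {name: audit_https_enforcement(*exchange) for name, exchange in samples.items()}


if __name__ == "__main__":
    for name, findings in run_audit().items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

To use it against a live site, feed it the scheme, status and headers from two requests (one to `http://` with redirects disabled, one to `https://`); the "stripped-portal" and "no-hsts" cases are the two configurations an SSL-stripping attacker needs.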
Clint Latham