"I heard on the news about how some sites and mobile apps are vulnerable to Man-in-the-Middle attacks. What is a Man-In-The-Middle Attack, how does it work, and how can I protect myself?"
Man-in-the-Middle (MitM) attacks are basically one website stepping in-between you and a legitimate website so that whatever you do on the legitimate website can be seen and stolen by the attacker who owns the site in the middle. There are two common ways this happens:
1 - An attacker can take over the Domain Name System (DNS) server that tells your browser where to find something online. The short explanation of this is that when you type a URL into your browser (like www.secureauth.com), the browser goes to a DNS server provided by your Internet Service Provider or company that tells your browser where to find the actual website. If an attacker were to take over the DNS record (the individual site listing in a DNS server) - or the entire DNS server itself - then it could re-route you to a completely different site that only looks and acts like the site you wanted to go to. There are drawbacks to this as if you requested information from the site that needed to be constantly updated, the fake site has no way to make that happen.
2 - Sophisticated MitM attacks can go even further than simply re-routing you to a fraudulent site. These attacks start the same way, but instead of serving you up a site of their own, they simply note all the information you're sending/receiving, but otherwise pass data back and forth between you and the real site. So if you go to your bank's website, you wouldn't see anything different at all. You'd send your account number to the bank, which the attacker would intercept, save, and then pass on to the bank. The bank would send back your account information, which the attacker would save and then pass back to you. While you don't see it happening, the attacker got a copy of all that information and can use it for whatever they want. This type of MitM attack is much more technically difficult to pull off, but is often much more successful since both sides see exactly what they expect to see throughout the entire website visit.
Now, how to protect yourself against it. This is difficult because you don't have direct control over the DNS servers we spoke about earlier. They're managed by multiple groups out on the Internet, including the websites themselves, your Internet Service Provider, your company's IT department, and many others. If they get compromised by an attacker, there's little to no way for you to be able to see that until it's too late. That being said, there are ways you can make it a lot harder for MitM attacks to work, and to defend yourself against them:
1 - Always use https: whenever possible. Until recently, most websites used un-secured http: communication to send and receive data. Banks and other security-focused companies used the secured https: protocol, but it's more complex to set up and more expensive to maintain; so most sites didn't use it. Over the last few years; however, the majority of websites have started to use it because of all the potential and actual attacks that have been going on. Make sure that your browser shows the URL starting with https:// and that you have a green padlock icon in the address bar. If not, manually replace http:// with https:// and see if the site loads. If it does load and the padlock shows up, that means the connection has been secured. Since secure connections require both ends (your browser and the website server) have to agree on security properties (known as certificates); a MitM attack would usually fail as the server in the middle can't match either side's certificate and cannot establish the secure link. I say usually here because it's possible to fool https: in rare cases, but insanely difficult if you keep your system updated and the website you're visiting does the same.
2 - Which leads to the second thing to do - always keep your system, your web browser, and any apps you use on your desktop, laptop, and smartphones updated. As attackers find ways around MitM prevention, software is updated to overcome the attackers. Keeping everything updated will help a lot. While you can't force the website you're visiting to stay updated, keeping your side of the equation up to date can foil most MitM attacks.
3 - Finally, don't change the settings your IT department sets up on your machine. Your company IT department will configure your machine to use approved DNS servers; which either they control or they know how to secure. Changing these settings by using unauthorized VPN systems, TOR browsers, or other tricks may seem to make your workday easier; but could also open you up to MitM attacks.
While it may not be possible to stop every MitM attack, websites and companies like Microsoft, Apple, Spectrum, Verizon, and others are working to make sure the attacks don't work, or are stopped from working very quickly. Your IT department is also keeping a close eye on anyone trying to attack your DNS servers. Work with them to make sure you don't fall victim to the man in the middle.
Security Answers in Plain English is a regular column here on the SecureAuth blog, aimed to help end-users understand why IT Security enforces policies and how to best protect themselves in a digital world. If you have a question for this blog, email us at firstname.lastname@example.org and let us know!