If you use a computer, tablet, smartphone, or any other Internet-connected device, your device is sending and receiving information every time it accesses the network. That information passes between one or more systems as it gets from one place to another.
That is good and bad news. The good news is that as a civilization, we’ve created a robust Internet that is easily accessible. The very nature of the Internet allows us to access vast amounts of information from virtually anywhere, as long as we have proper access. We have the ability to connect many different systems together quickly to send and receive all kinds of information. The bad news is that as information travels across these networks, it can be intercepted at any point and downloaded, copied, or even altered. That means that we need to be able to trust the networks that we’re using, or we run the risk of having our privacy violated in a big way.
Before I scare everyone, remember that most of the time you probably access the Internet from a home or work network that is provided through a reputable Internet Service Provider (ISP) – in the Northeastern U.S. where I live, that’s usually a company such as Verizon, Comcast, or Time Warner. The connection between your device and the ISP is either managed by you (if it’s your home network) or [hopefully] a professional system administrator at work. Great – you can trust those networks.
There are a lot of “other” ways we get online though – especially using our mobile devices. Wi-Fi hot spots are everywhere, from coffee shops to airports to hotels. Those are harder to trust – who maintains them? What ISP are they connected to? If someone else was connected to that network and watching your activity, would you know?
Trying Some Attacks
A few months ago, I visited the Cyber Security Club at Bethesda-Chevy Chase (BCC) High School in Bethesda, Maryland and we talked about Man-in-the-Middle (MitM) attacks, which are one tactic for intercepting another device’s Internet traffic without its owner’s knowledge. We also did some demonstrations to show that with the right tools and a little bit of network knowledge, we can pretty easily perform a MitM attack on an untrusted network.
If you’re interested in trying MitM attacks for yourself, I posted a HOWTO on MitM attacks to this page – check it out!
As it turns out, the network we were using was a trusted network with good security, so our attack didn’t work as planned. Although that was a disappointment to some of the club members, it was a good thing overall. We did do some playing around at home afterward, and as expected we realized that some information was secure while other information was not. Here’s a basic breakdown of what was and wasn’t vulnerable:
Web Browsing and Banking – we could see all of the URLs being visited by the “victim”, as well as the data being sent and received from those sites. Some websites used HTTPS encryption, which prevented us from seeing what the victim was actually doing on those sites; however, we were able to bypass the encryption in some instances (less so with banking, thankfully).
E-Mail – If using POP or IMAP e-mail without security, we saw everything, including attachments. We could also bypass encryption most of the time.
Social Networking and Messaging – This was one of the few areas where we couldn’t eavesdrop. Facebook, Google Hangouts, Skype and iMessage were all encrypted and we couldn’t use anything to get around the encryption.
In terms of protection, the number one factor is trusting the network that you’re connected to. If you’re on a home network and it’s properly secured (preferably with WPA2), you should be fine, unless the person living with you is doing the attacking (in which case, you might have bigger problems). If you’re on a work network, you hopefully have competent system administrators that will protect against such a threat.
If you’re on a public network (such as a hotel, airport, or some other area with free or public Wi-Fi), all bets are off. You really have no idea if the system administrators for that network are reputable, and you have no idea who else might be connected and trying to intercept data. If you are going to access public Wi-Fi, that’s fine, but be aware of the possible consequences and adjust your behavior accordingly. Don’t view your banking information or log into sensitive websites. Make sure you’re not transferring sensitive information over unsecured e-mail. Finally, if you start to observe odd behavior, such as your computer asking you to allow untrusted certificates for a site that normally loads without a warning, be aware that this could mean someone is trying to subvert your encryption mechanisms.
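One concrete answer to “would you know?” on a shared network is to watch your own device’s ARP cache for the signs of a LAN-level MitM. The script below is an added example, not code from the original post; it assumes the interception is done by ARP spoofing (the usual method on a shared Wi-Fi segment, which the post does not name) and parses constructed `ip neigh` output rather than a real capture.

```python
import re
from collections import defaultdict

# Constructed sample output in Linux `ip neigh` format; not captured from a real network.
BEFORE = """\
192.168.1.1 dev wlan0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.23 dev wlan0 lladdr aa:bb:cc:00:00:23 STALE
192.168.1.77 dev wlan0 lladdr aa:bb:cc:00:00:77 REACHABLE
"""
# Same network a few minutes later: the gateway's MAC now matches host .77 (constructed).
AFTER = """\
192.168.1.1 dev wlan0 lladdr aa:bb:cc:00:00:77 REACHABLE
192.168.1.23 dev wlan0 lladdr aa:bb:cc:00:00:23 STALE
192.168.1.77 dev wlan0 lladdr aa:bb:cc:00:00:77 REACHABLE
"""

LINE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17})", re.I)


def parse_neigh(text):
    """Return {ip: mac} from `ip neigh` output, skipping INCOMPLETE/FAILED entries (no lladdr)."""
    table = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table


def arp_anomalies(before, after, gateway):
    """Compare two ARP snapshots and report the two classic signs of ARP-based MitM:
    the gateway's MAC changed, or a single MAC now answers for several IP addresses."""
    findings = []
    old, new = parse_neigh(before), parse_neigh(after)
    if gateway in old and gateway in new and old[gateway] != new[gateway]:
        findings.append(f"gateway {gateway} MAC changed {old[gateway]} -> {new[gateway]}")
    by_mac = defaultdict(list)
    for ip, mac in new.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(f"MAC {mac} answers for {sorted(ips)}")
    return findings


if __name__ == "__main__":
    for finding in arp_anomalies(BEFORE, AFTER, "192.168.1.1"):
        print("WARNING:", finding)
```

A router that legitimately owns several addresses can trigger the second check, so treat a hit as a prompt to stop sensitive activity and investigate, not as proof of an attack.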
If you absolutely must do sensitive business over an untrusted network, you should use a secure Virtual Private Network (VPN) that will encrypt all of your traffic. Many businesses require VPNs when remotely accessing corporate resources, and some home routers provide VPN capabilities. You can also use a stand-alone, Internet-based service such as LogMeIn Hamachi.
If you need advice on security services, MitM attacks, or defenses such as VPN, we’re happy to provide assistance, even if it’s just a quick question. Contact Us with the details and we’ll get you on the right track!
* Credit to the famous “All Your Base” video for inspiring my subtitle 🙂