Data interception attacks

What are the known data interception attacks, of the Man-in-the-Middle type?

  • 5

    The problem is not the known, but the unknown :)

  • 1

    Do you want something like a list of techniques for performing MitM? If something like that exists, it will be on OWASP. Or are you looking for something else? That related question, for example, deals with the conceptual description of the attack, but it does not go into detail about the main techniques. If you improve the question, specifying exactly what you expect from an answer, you might get it answered without it becoming too broad.

  • 3

    @bigown first we take care of the known ones, then of those we don't know

  • I know http://www.aircrack-ng.org/. I used it when I was without internet, so I stayed on the balcony of my apartment, just sniffing other people's wifi until you get the password ;)

2 answers

9

In the area of cryptography and computer security, the concept of MITM (Man in the Middle) allows that, in a communication between two subjects (Subject A and Subject B), there is secretly a third subject (Subject C) which relays the communications between A and B in both directions.

In order to explain this concept better, I present an illustrative image:

I am not going to present attack methods, nor how they can be carried out, but we can safely say that MITM is heavily used by various security agencies around the world.

However, I present some of the methods of defense against MITM attacks, which can and should be implemented by the Sysadmin:

  • DNSSEC: DNS Security Extensions;

  • PKI: Public Key Infrastructure;

  • DKIM: DomainKeys Identified Mail;

  • SSL pinning;

  • Quantum cryptography.

Defending against these attacks is not easy to implement, since it involves not only technical knowledge but, more importantly, the user layer, to whom it is always very difficult to explain scenarios of cryptographic exploitation and of data routing between one or more points in a network.

In addition to the MITM concept, there are other similar concepts with identical approaches but different actors. I am speaking of the concept of MITB (Man in the Browser). One of the most famous bots with which these attacks have been carried out is the Trojan Spy:W32/ZBOT.

8

Macro-categories

Interception attacks can be classified into three large groups, Eavesdropping, Man-in-the-Middle and Denial of Service, depending on what the attacker does (or is able to do) with the intercepted data: only read it, read and modify it, or simply throw it away (not forwarding it to its destination).

Eavesdropping

Alice is communicating with Bob, and the communication passes through Eve. Eve observes all of the communication, without altering it in any way. In other words, Eve only has read access to the communication.

  • Causes: if the content of the communication is signed (guaranteeing its integrity and authenticity) but not encrypted (which would guarantee its confidentiality), the door to this attack is open. In this case, the attacker needs either to be in the medium (i.e. controlling one of the nodes between Alice and Bob) or merely to be one of the participants in it (e.g. on the same network as both, such as a wireless network).

  • Consequences: leakage of confidential information.

  • How to prevent: by encrypting the communications channel. The use of TLS/SSL not only guarantees confidentiality but also authenticates at least one side, provided it uses a valid security certificate when performing the handshake (if the client does not properly authenticate the server, it is still possible for Eve to convince both Alice and Bob to communicate with her instead of with each other).

Man-in-the-Middle

Alice is communicating with Bob, and the communication passes through Mallory. Mallory not only observes the entire communication but can also fail to deliver messages, send messages of his own and/or replace a message from the original sender with one of his own.

  • Causes:
    • Alice and Bob did not authenticate each other correctly; Mallory impersonated Bob to Alice and vice versa, so each of them thinks they are communicating with their partner when in reality both are communicating with Mallory. This can occur even if the communications channel is protected.
    • The communication is encrypted but not authenticated/signed; a common error, at least at the design level, is to assume that just encrypting the data makes it safe. In reality, if Alice sent several messages to Bob and Mallory kept those messages, it may happen that in the future a new message is replaced by one of the old ones (which Mallory assumed/deduced was useful for his purposes).
  • Consequences: the data exchanged is unreliable and potentially harmful, since it has been manipulated by an adversary.
  • How to prevent: by using a protocol that ensures authenticity, integrity and confidentiality, such as TLS/SSL, and being careful when performing mutual authentication (the client has to verify that the server certificate is valid, and the server needs to check the client's credentials: user/password, certificate, key...).

Institutional MitM

A variant of MitM, but executed by one of the system's trust anchors. For example, if a Certificate Authority (CA) creates for itself an invalid certificate (e.g. associating the name facebook.com with its own key pair), or if the manufacturer/distributor of a major browser installs in it the root certificate of a fraudulent CA, these could perform a MitM in the manner of the first item above, under "causes".

  • Causes: corruption; abuse of customer trust (e.g. Opera Mini, which implements institutional MitM by default as part of its "web accelerator"; the "Browser" from Velox, not to be confused with a browser, the name having been chosen with the intention of causing confusion).
  • Consequences: illegitimate surveillance power for an agent who does not have (or should not have) de jure access to users' private content.
  • How to prevent: there is no viable means at large scale; in specific cases, one can abandon the Public Key Infrastructure (PKI) in favor of the Web of Trust (e.g. using PGP and exchanging certificates in person with your peers). One way to mitigate (but not eliminate) this risk in the browser is through tools such as Convergence, which adds a certain redundancy to the process of establishing trust, making it harder for a single isolated agent to carry out this attack without conspiring with most of the others.

Denial of Service (DoS)

Unlike the other categories, this one does not "intercept" data in order to read or change it; however, I chose to include it here because it can be used as an instrument of censorship (i.e. the attacker neither knows what is being communicated nor interferes with the content of the communication; it only prevents the communication from actually being completed). For more details on this scenario, see this related question.

Main techniques

The most common form of interception occurs on the local network where a computer/device is, through techniques such as ARP poisoning, 802.1Q retracing, STP trunk hijacking and RIPv1 routing information injection (note: I only know them by name; I could not explain what they do). This can be done by anyone who belongs to the network, so unless you are on a "secure" network (i.e. where you know all the participants and they are trustworthy) you are vulnerable to this type of attack. It's also a good argument in favor of protecting your Wi-Fi network properly, not leaving it open even if you have the resources to share it with anyone you like.

But a local network is not the only place a MitM can occur: the Internet is made up of thousands of endpoints known as ASes (Autonomous Systems), which route data according to a protocol called BGP (Border Gateway Protocol). As BGP relies on the routes provided by the other ASes, with sufficient manipulation of one of them any route can lead to any AS. And since route changes are not uncommon, it's hard to distinguish between a normal occurrence and an attack in progress. The consequence is that it is not enough to trust your ISP, or the hosting provider where your server is, etc.: anywhere between one and the other there can be an attacker.

There are also attacks involving DNS. Similar to ARP spoofing, there is DNS spoofing, where incorrect data is entered into a DNS system's cache so that names are resolved to a different IP address (controlled by the attacker). Other attacks that allow one to gain control of a DNS system can also be used to steer traffic to the attacker's system.

Source. Another interesting reference.

Attacks that enable the interception of data

In addition to attacks specifically aimed at interception, there are those with other, broader objectives which also end up including the possibility of interception. I will mention only two, because they illustrate how factors external to the process of securing communication can end up compromising it despite all care:

Injection

Injection attacks (not only SQL Injection, Shell Injection, etc., but also Cross-Site Scripting (XSS)) can be used to perform data interception, in case they act before the secure communication protocol starts (when the data is still in plain form on the sending side) or after that protocol ends (when the data has already been converted back to plain form on the receiving side).

Confused Deputy

This consists of confusing one of the agents responsible for the security of the system into performing apparently legitimate actions, orchestrated by the attacker for his own benefit. The agent in question is often the user himself! Clickjacking is the "canonical" example, but for an example more focused on interception, think of the situation where the user thinks he is using site X when in reality he is on site Y. This can result from simple lack of attention (not checking the address bar, mainly the "padlock"), from limitations of the medium used (a full-screen application that "simulates" a browser visiting another address), to more sophisticated attacks such as this one, where one site is swapped for another in an almost imperceptible way, leading the user to interact with the attacker's website thinking he is still on the legitimate site.

I cited these examples just to point out that, no matter how much attention is paid to protecting data and communication, none of it is worth anything if the system (hardware, software) is unreliable and/or if users are not aware of the need and importance of doing their part. These are attacks that, similarly to side-channel attacks in cryptography, do not attempt to act "within the system" (i.e. assuming that the security protocols were successfully executed, and acting in that context) but rather "subvert the system from the outside in" (preventing the protocols from fulfilling their security role).
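The "encrypted but not authenticated" cause in the Man-in-the-Middle section above is worth seeing in code. The following Go program is an added example, not part of either answer: it contrasts plain AES-CTR (confidentiality only, so a relayed ciphertext is accepted again without any error) with AES-GCM frames carrying a sequence number that the receiver checks, so both a replayed frame and a modified one are rejected. The key, the sequence layout and the frame format are assumptions constructed for the demo; in practice the key comes from an authenticated key exchange such as a TLS handshake.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// Constructed demo key; in practice it comes from an authenticated key exchange.
var key = bytes.Repeat([]byte{0x42}, 16)

// ctr applies AES-CTR (the same call encrypts and decrypts). Confidentiality only:
// no integrity and no replay protection, so a relayed or bit-flipped ciphertext
// decrypts without any error, which is the "encrypted but not authenticated" case.
func ctr(iv, data []byte) []byte {
	block, _ := aes.NewCipher(key)
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out
}
func aead() cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// seal: AES-GCM authenticates the content and binds an 8-byte sequence number
// (sent in clear as the header) as associated data; it also forms the 12-byte nonce.
func seal(seq uint64, msg []byte) []byte {
	hdr := binary.BigEndian.AppendUint64(nil, seq)
	return append(hdr, aead().Seal(nil, append(make([]byte, 4), hdr...), msg, hdr)...)
}

// Receiver remembers the last accepted sequence number (sequence starts at 1),
// so a replayed or reordered frame fails before the tag is even checked.
type Receiver struct{ lastSeq uint64 }
func (r *Receiver) open(frame []byte) ([]byte, error) {
	if len(frame) < 8 {
		return nil, errors.New("short frame")
	}
	hdr, seq := frame[:8], binary.BigEndian.Uint64(frame[:8])
	if seq <= r.lastSeq {
		return nil, errors.New("replayed or reordered frame")
	}
	pt, err := aead().Open(nil, append(make([]byte, 4), hdr...), frame[8:], hdr)
	if err != nil {
		return nil, errors.New("authentication failed: frame was modified")
	}
	r.lastSeq = seq
	return pt, nil
}
```

Note that the sequence check alone does not help if the frame is not authenticated: it is the GCM tag over header and content that stops Mallory from forging a higher sequence number.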
