#maninthemiddle

Ortak Ağlardaki Gizli Tehlike: Ortadaki Adam Saldırısı (Man In The Middle)

Günümüzde kafelerde, restoranlarda, havalimanlarında ya da alışveriş merkezlerinde ücretsiz Wi-Fi ağlarına bağlanmak hepimiz için sıradan bir alışkanlık haline geldi. Telefonumuzun ekranında "Ücretsiz Wi-Fi" yazısını gördüğümüzde, bir an önce bağlanıp işlerimizi halletmek ya da sosyal medyada gezinmek istiyoruz. Peki, bu kadar masum görünen bir bağlantının ardında ciddi bir tehlike yatabileceğini hiç düşündünüz mü? İşte burada devreye "Ortadaki Adam Saldırısı" (Man in the Middle Attack) giriyor.

Ortadaki Adam Saldırısı Nedir?

Adından da anlaşılacağı üzere, bu saldırı türünde bir siber suçlu, sizinle internet arasındaki iletişime gizlice "ortadan" dahil oluyor. Örneğin, bir kafede oturmuş e-postalarınızı kontrol ederken, aslında tüm verileriniz (şifreleriniz, mesajlarınız, hatta banka bilgileriniz) önce bu "ortadaki adam"ın elinden geçiyor olabilir. Saldırgan, sizin haberiniz bile olmadan iletişim hattınızı dinliyor, verilerinizi çalıyor ya da manipüle ediyor. Wi-Fi ağları bu tür saldırılar için adeta bir mıknatıs. Özellikle şifresiz ya da zayıf şifreleme kullanan ortak ağlar, siber korsanlar için bulunmaz bir fırsat. Bir düşünün: O "Kafe123" ağı gerçekten kafeye mi ait, yoksa yan masada oturan birinin kurduğu sahte bir ağ mı?

Wi-Fi Ağlarındaki Tehlike Nasıl İşliyor?

Ortadaki adam saldırısı genellikle birkaç basit yöntemle gerçekleştiriliyor. Saldırgan, sahte bir Wi-Fi erişim noktası (hotspot) oluşturabilir ve bunu gerçek bir ağ gibi gösterebilir. Siz "Havalimanı WiFi" sandığınız bir ağa bağlandığınızda, aslında tüm verileriniz doğrudan saldırganın cihazına yönlendirilir. Bir diğer yöntem ise ağ trafiğini izlemek için özel yazılımlar kullanmak. Eğer ağ yeterince güvenli değilse, şifrelenmemiş verileriniz (örneğin, bir form doldururken girdiğiniz bilgiler) kolayca ele geçirilebilir.

Peki, Kendimizi Nasıl Koruruz?

Neyse ki, bu gizli tehlikeden korunmak için alabileceğimiz bazı pratik önlemler var: VPN Kullanın: Sanal Özel Ağ (VPN), verilerinizi şifreleyerek ortadaki adamın işini zorlaştırır. Ortak Wi-Fi kullanırken bir VPN uygulaması açmak, güvenliğinizi ciddi şekilde artırır.  HTTPS’ye Dikkat Edin: Web sitelerinin adres çubuğunda "https://" olduğundan emin olun. Bu, verilerinizin şifreli bir şekilde iletildiğini gösterir.  Ağları Doğrulayın: Bağlanmadan önce ağın adını ve güvenilirliğini işletme çalışanlarına sorun. "Misafir_WiFi" gibi belirsiz isimlere temkinli yaklaşın.  Hassas İşlemleri Erteleyin: Bankacılık işlemleri veya şifre gerektiren girişler gibi önemli işleri, güvenli bir ağa geçene kadar bekletin.

Son Söz

Ücretsiz Wi-Fi ağları hayatımızı kolaylaştırıyor, evet, ama bu kolaylığın bir bedeli olabilir. Ortadaki adam saldırısı gibi tehditler, dijital dünyada her an tetikte olmamız gerektiğini hatırlatıyor. Bir dahaki sefere o "ücretsiz" ağa bağlanmadan önce iki kez düşünün; çünkü ekranınızın ardında sizi izleyen bir çift göz olabilir. Güvenliğiniz, birkaç dakikalık dikkatle korunabilir.  Unutmayın: Dijital dünyada da kapınızı kilitlemeyi ihmal etmeyin! Ahmet BEKMEZCİ’nin Edux Academy’deki “Wordpress Temel Web Sitesi Yapımı” eğitime bağlantıdan ulaşabilirsiniz. Av. Ali ERŞİN’in “Siber Güvenlik Başkanlığı” hakkındaki yazısını bağlantıdan okuyabilirsiniz. Hukuk ve Bilişim Dergisinin son sayısına buradan ulaşabilirsiniz.

Yazar: Ahmet BEKMEZCİ

It is easy to feel complacent when you regularly get advance fee scams full of laughable spelling mistakes, broken English and hilariously badly faked documents. It’s easy to think “it will not happen to me!” when you watch channels on YouTube like Kitboga or Atomic Shrimp, who make entertainment out of making scammers look like fools. It is easy to think just because you’re generally vigilant to such things that you won’t get scammed. Well I’m here to remind you that it’s possible for someone with years of computer and IT industry experience to come close to getting scammed.

My name is Matt, I’m in my 40s, I’ve worked in IT or with computers since leaving university in my early 20s. I’m not a black hat hacker by any stretch, but I know what Kali Linux is, how to brute force a non salted hash or run a script to crack a WEP key. I use PGP, two-factor authentication, password managers and regularly annoy companies by insisting on better security than their usual clients do.

Today, I came within inches of being scammed. In fact, had a PDF document I opened contained a malicious payload (and I suppose I can’t discount the fact that it did and I just cannot detect it) I would have been “pwned”. As it stands, I ‘merely’ nearly lost thousands of Euros.

What was the attack I very nearly fell for? It was a simple “man in the middle” attack on e-mail. That universally used and almost completely insecure means of communication that we all still rely on.

My accountant had just finished up the books for the year end here in Ireland and sent me a final invoice for the amount due. He sent this by e-mail, which is not an uncommon thing to do.

A few moments later I get another e-mail from the same person, which I’ll reproduce here:-

There’s not really much here to set off any alarm bells. The sender’s name, e-mail address, return address, reply-to address etc were all normal. “error mistake” is kind of an unusual turn of phrase, but not outside the realms of possibility for something you might type if you were in a hurry.

Notice the fraudster also says “You can also find the same bank information on the attached invoice”. I foolishly opened this PDF and what they say is correct. The original PDF had been edited with the new bank account details, making for a pretty convincing scam. Again, in the PDF there are some small tell-tale signs, but nothing that you would notice from a cursory glance. There was some smudging around where the attacker copy pasted the new bank account information over the old, and the links to pay by credit/debit card had been taken out.

Monday morning the fraudster e-mailed me again, asking me politely if I’d got the previous e-mail. I replied to say I had and I would deal with it soon, but said no more to them as I was already suspicious. They then asked me to let them know as soon as I made payment, which set even more alarm bells ringing. Fraudsters will often try to get some sense of urgency going to try and make you send the payment without giving you time to be diligent. Again, let me emphasise that the attacker had full control of this e-mail account, it wasn’t a case of a spoof account where you can spot that the return address does not match. As far as anyone could tell, this was a legitimate e-mail from a company domain e-mail account.

Honestly, had this been for a smaller amount I would probably have paid it. The attacker already made me open a PDF document which as we know is dangerous. That makes me feel pretty silly, but at least I didn’t wire the money. Instead I took it upon myself to ring the accountants using the phone number on their website and check. They then were able to confirm that, indeed, their senior accountants e-mail had been hacked and they reported it to An Garda Síochána.

A clever, patient fraudster like this could have been watching the e-mail account for months, waiting for a juicy opportunity like this to come along.

I’m telling you this story because I think there are two important takeaways from this tale.

1) If you haven’t enabled two-factor authentication for your e-mail accounts yet, for Gods sake enable it!

2) Whenever adding a new payee, or updating an old one, always verify the new bank account information via another means, such as telephone.

A Public Key Infrastructure (often abbreviated as PKI) is a set of processes and technological means that allow trusted third parties to verify and / or guarantee the identity of a user, as well as to associate a public key to a user: These public keys typically take the form of digital certificates. In this article we will try to provide a general overview of this type of infrastructure, starting with the definition and the main examples of use.

Definition

In recent years, the term PKI has been used to indicate both the Certification Authority (CA) and related agreements, and, more broadly, the use of public key cryptographic algorithms in electronic communications. However, the use of the term in the latter sense is incorrect, as a PKI does not necessarily require the use of public key algorithms. Furthermore, the PKI structure does not only concern the CA but a plurality of subjects and services connected to them, namely: - Certification Authority (CA), a public or private trusted third party authorized to issue a digital certificate through a certification procedure compliant with current regulations; - Registration Authority (RA), which is the system for registering and authenticating users who request the certificate; - Validation Authority (VA), which is the system that certifies the correspondence between the certificate issued and the issuing entity. - Security policies that defines the general principles; - Certificate Practice Statement (CPS), a document that illustrates the procedure for issuing, registering, suspending and revoking the certificate; A PKI infrastructure is hierarchically composed of several Certification Authorities at the top of which is a root CA that certifies all the others. The first step in building a PKI is therefore to create the root CA. At this point, however, a problem arises: if the root CA is the root of the tree, who signs its certificate? The answer is very simple: the CA signs its own certificate, issuing the key pair itself. From this it is clear the importance that the root CA has a good / excellent reputation, as there is no guarantor authority over it.

Use cases

The main purpose of PKIs is to provide users' public keys and, at the same time, guarantee their identity. Public keys, once released, are usually used to perform the following functions: - Encryption and/or authentication in email messages (e.g. using OpenPGP or S/MIME). - Encryption and/or authentication in standard documents (such as XML Signature or XML Encryption). - User authentication for applications (e.g. when logging into a system via smart card or authenticating a client via SSL/TLS). - Bootstrap procedures in secure communication protocols, such as the main protocols used for VPN and SSL connections. In both, the initial setup of a secure channel is done through public keys, while actual communications use faster secret key systems (aka Symmetric Key Cryptography).

Asymmetric Key Cryptography

Unlike symmetric encryption which uses a single key to encrypt and decrypt, asymmetric or public key encryption uses a pair of keys: a public key and a private key, respectively used to encrypt and decrypt. In such scenario, CAs are required to guarantee the association between a public key and the person who owns the corresponding private key. - Alice and Bob want to exchange signed and encrypted messages; for this purpose they both create their own key pair and publish the public ones on a keyserver; - Alice writes a message for Bob, signs it with her private key and encrypts it with Bob's public key, then she sends the message; - in reception Bob decrypts the message with his own private key and verifies the signature with the public key headed to Alice. At this point, Bob is able to determine two things: - the message was directed to him, as he managed to decrypt it with his own private key; - the message was encrypted with the private key that matches the public key he used to verify the signature. Man in the Middle If we look at the example we started earlier, we can easily see how Bob is unable to determine with certainty that the message really came from Alice; as a matter of fact, it's possible that a third party has managed to intercept the communication in which Bob obtains Alice's public key and has managed to replace it with his own, thus pretending to be Alice. If this happens, Bob has no way to discover the deception. This is a type of attack known as Man in the Middle, a term used to refer to all situations in which a third person stands between a communication between two subjects. To solve situations of this type, CAs are born that take care of verifying and guaranteeing the correspondence between key and owner, verifying the user's identity when he requests a certificate and then signing a digital certificate that certifies the user's identity. . In this way, the Man in the Middle no longer has a way to pretend to be Alice, as he is unable to reproduce the CA's signature. The Italian legislation, in implementation of the European Directive 1999/93 / EC, has identified in the CNIPA, now known as the Agency for Digital Italy, the public body that accredits the main certifying entities (eg Infocert, Aruba, Poste Italiane, etc.): in addition to accrediting the certifiers, AgID also controls their work and issues regulations in accordance with the current applicable legislation.

Conclusions

Spoofing and "Man in Middle" attack in Kali Linux - Using Ettercap

Sennheiser’s headphone software could allow attackers to intercept data

Sennheiser’s HeadSetup and HeadSetup Pro software poses a cybersecurity risk, according to a vulnerability disclosurefrom Germany’s Secorvo Security Consulting. The headphone-maker is now urging users to update to new versions of the software after researchers revealed it was installing a root certificate, along with an encrypted private key, into the Trusted Root CA Certificate store,…