Introducing Man-in-the-Middle Attacks

[00:00:00]
>> Mike North: So that rounds out our unit on client-side security. So just as a recap, we began with cross-site scripting. We talked about cross-site request forgery, CSRF, and we added a CSRF token. We talked about clickjacking where we took our iframe and positioned it over another button on the landing page.

[00:00:22]
A UI redress attack that tricks a user into interacting with an application other than the one that they think they're interacting with. And then finally we wrapped up with subresource integrity, where we learned to basically take assets and kinda lock them into place, and make it so that if those assets change in content in any way.

[00:00:43]
We're going to basically fail secure and we're gonna break, and possibly like report that something just went wrong and looks someone's tampering with your JavaScript or CSS. So now, we're going to jump into another are of security. This can be another workshop in itself. It's a deep, deep topic.

[00:01:04]
Networking is complicated and security around it is similarly complicated. I'm going to be focusing on a small subset of areas that we as front end developers and as application developers need to be directly concerned about. So first we're gonna talk about a man in the middle attack. And here's what a man in the middle attack looks like.

[00:01:28]
The scenario we're setting out to discuss here is the user they are. They're a user of your app they're currently in a Starbucks or somewhere. They're on a public network and so they're HTTP requests go from their device to the Wi-Fi radio into the router and then they go from that router off to the Internet with a lot of stuff happening in between.

[00:01:57]
So to stage a man in the middle attack I'm gonna take advantage of a couple of things. The first is that your default device settings on all of your laptops, all of your tablets, all of your phones, is that they remember which networks they've been connected to in the past.

[00:02:14]
They remember this forever until you go and you clear it out. And the default setting is that basically when you come back to a network like this, of the same name, you'll attempt to rejoin it. It'll be like you just arrived back home, wifi network is called Home, let's hop back on that.

[00:02:35]
You don't have to, every single time you get home, hop back on your wifi. It just happens. So they need to basically hold on to this information. Your devices need to hold on to this information because it's part of how they search for networks that they may be able to join.

[00:02:55]
So I want to take a little break here and show you something that's been running in the background. All right, so what I've got here, this called a Wi-Fi pineapple. It is a device that you can use for penetration testing. And I have been scanning all of the devices that are currently in the room here.

[00:03:19]
And they're all basically broadcasting everywhere they've been, rIght. So we've got a lot of Xfinity customers in here. I'm not sure Troy and Obbit the Motem, so somebody in here knows what that means. They've been in that network before. So we've got MJG Workshop. Obviously a lot of us have been there.

[00:03:39]
So we could keep going down and keep going down, but this is a lot of different, your devices are constantly asking to join things that they've already joined before. So I've done this before at conferences and you can basically find out the composition of the audience of the room where you could see, we've got some MEC employers, a couple Googlers, LinkedIn employees, cuz they're always saying, LinkedIn corporate network.

[00:04:06]
Are you there there LinkedIn corporate network? So again, I've just been listening here your devices have been announcing themselves this whole time. So we're gonna take advantage of that too, right? Broadcasting what they are looking for. The third thing we take advantage of is the fact that when you join a public wi-fi network, you trust that router as the first DNS server in line.

[00:04:32]
DNS is called the domain name service and it is what translates host names into IP addresses. So it may seem odd that like you would trust some strange router to translate host names into IPs for you. It has become kind of a necessary thing if you wanna use WiFi networks, because in order to see a screen like this, and to sort of click through and actually get Internet access, what these networks typically do is something called DNS poisoning.

[00:05:04]
Where they say, all of your host names now route to the router so that you can hit this login page, right? So they will basically send you to a place where you can agree to terms and conditions and you can proceed forward. Until you do that, you won't be able to get to the Internet.

[00:05:23]
So this is why most people don't pick their own DNS server. They leave their configuration as the default that your device ships with.
>> Mike North: So here's the basic idea behind this attack. So a attacker comes along and also connects to the Starbucks Wi-Fi. They can then begin to send a series of packets of garbage data to, sorry let me start over.

[00:05:52]
So attacker arrives at the Starbucks. They are going to do this reconnaissance. They'll scan through and see what types of networks is everybody asking for? Where has everybody been before. And they can pop up a network name that seems familiar, right? We've all joined the network called airport free WiFi.

[00:06:10]
Probably every single one of our device has that remembered and would gladly join it again. So then we send a bunch of garbage packets to the connection between our target or targets and the router basically de-authenticating them from the router. So we kinda interrupt them and they drop that Wi-Fi connection.

[00:06:31]
At which point they kinda start scanning around for networks they've seen before. And eventually they are going to find airport free Wi-Fi and the'll join us. And now we have become the man in the middle and all plain HTTP traffic that the user sends there that's gonna basically go from their client into us, and then out to the Internet.

[00:06:50]
And that is why this device here is made for this kind of attack. It's why it has two antennas and two Wi-Fi cards. One to connect to the Starbucks, and one to create the other network. It is why you have two. I can create and be on a network at the same time.

[00:07:07]
So what kind of stuff can an attacker do at this point? They can mess with the responses, right? As we saw this morning, I was able to inject a little piece of script into an http response. So as soon as you can become a man in the middle, you can cross-site script at will.

[00:07:27]
You can basically cross CSRF at will because now you can read that token as it comes through you. You can get that CSRF token and you can write your script just perfectly, so that they have that token there and they work. So this is a pretty serious thing to happen.

[00:07:43]
It is our responsibility as developers to do what we can to save our users from getting into this situation. Some things are under our control. And also keep in mind, like you may not, the most effective attacks are ones where they'll gather information and then use that information later on.

[00:08:01]
So it's not like you can put you phone into airplane mode and nothing happened up until that point and so you're safe. You dodged a bullet. Probably not.