Your task is to read the paper and to answer the following questions:
1. Summarise in your own words the attacks proposed in the paper.
2. Describe the threat model required for the attacks to work. Discuss the main reasons for the high success rates of the described attacks.
3. Provide your own analysis of the proposed solutions and explain how they work. Note: your answer should compare their advantages and disadvantages.
The Danger of Website Attacks
Websites are exposed to the dangers of attacks from the attackers who invade the privacy of the users who are not suspicious about it. As explained in the paper on “The Password Reset MitM Attack”, as the name suggests, the password reset MitM attack is one of the attacks exploited by the attackers over the websites. The attack is quite easy to implement, however, that’s not an indication that, the attack itself is not hazardous. In this attack, the user is enticed in signing up for an account in order to get or subscribe to a certain service that is being controlled by the attacker (such as, the attacker can display a download that is free which can be used to entice the user), whereby, as the user keys in values for signing up, the attacker manipulates the flow of the registration in a manner which enables the attacker to reset the password for the account of the user in other accounts of the user. A target that can be easily exploited by the attacker is the email account of the user. Through the details obtained, the attacker is able to take control of the accounts of the user in other websites.
Other attacks that the account of the user is vulnerable to are the cross-site attacks which include the cross-site scripting, cross-site script inclusion, clickjacking and cross-site request forgery. These kinds of attacks are only possible as a result the vulnerability of the website. Clickjacking for example, the page that has been click jacked tricks the victim into carrying out unintended actions through clicking a link that has been concealed. The attacker then loads a similar page over the actual page in a layer that is transparent on the page that has been click jacked. The user then carries out actions on the page that is invisible unknowingly and then through that, the attacker obtains the credentials of the user. This is unlike password reset MitM where the user needs to carry out an action in the page that is attacking and give out at least one detail that is correct about them.
Another attack is the phishing. In this kind of attack, the page that is attacking impersonates a website that is legitimate and then entices or uses tricks to entice the user that is the victim to key in credentials such as the password and the username. This kind of attack differs slightly with the Password Reset MitM attack since the user is just needed to provide information that is personal such as the mobile number which the victims concur with in giving out for them to receive the services offered. However, attacks of phishing that are sophisticated may also to an extent align with the MitM level of application approach of copying websites that are legitimate or during the whole process of login. Phishing attack applying the approach of MitM may overcome as well the scheme of authentication of two factors, since the user keys in passwords and codes into the website of phishing. As a result, one may not be able to differentiate between the attacks of password reset MitM and phishing which is the weakness itself. The difference between phishing and password reset MitM attack is that, for the case of password reset MitM attack, the bugs found in the design of the process of resetting the password are exploited while, when it comes to phishing, the users are exploited. The design of the website attacked by the attacker does not contain any bug hence, in this case, the attacker attacks the users that are unsuspecting who are just ignorant of the instructions provided by the browsers to them.
Password Reset MitM Attack
For the password reset MitM attack to be implemented, the attacker just requires the control of the website. Capabilities of eavesdropping or MitM are not needed in this kind of attack. The visitors of the website of the attacker are attacked by the attacker and then exploits their accounts in the rest of the websites where they hold an account. The same also applies to the attacks of the cross-site such as the clickjacking, cross-site scripting and the cross-site request forgery. For the attacker to begin the process of resetting the password in the name of the user, he or she requires the typical set of information such as the email, username or the number of the phone. The attacker can obtain the information from the user as the process of registration is going on to the website attacking or afore processes such as the download of file, when the user is needed to give his or her identity through the use of their phone. In other websites, the attacker may exploit attacks of cross-site for example, cross-site script inclusion, cross-site scripting or other advanced methods in collection of details regarding the user. The fact that attackers implement the techniques discussed above means that there are various restrictions such as for the attack to happen, the victim ought to be logged into the website attacking. After the victim visits the website of the attacker, the page attacking needs to entice the user into inputting or registering their number of phone so that the user can receive the code. In order to achieve that, the attacker may use common techniques or even those that are known. A good example may be an attacker creating a website offering services that are free such as download of files or streaming. The website may then need authentication that is just basic afore one can access any service or for restricting them just for users that are registered.
Users are also tricked into providing personal details into the websites that they don’t know about. They agree into registering or having a code that is one-time that is sent to their phones for them to enjoy the online services provided to them. In reality, the website that is attacking only claim to offer services that are valuable to the users while in the real sense, it would be a good idea for the website that is attacking to provide those services for it to gain victims that are potential.
Other Cross-Site Attacks
The attacks are likely to be done because a good number of the users are ignorant in that, they easily provide their credentials to unknown websites when asked which exposes them to the risk of being attacked. Sometimes, codes sent to the phone are used as a way of verifying the user. The phones are vulnerable hence making it easy for the attacker to attack the victim.
Another reason is that, the security questions provided are also a problem. The users tend to provide honest and common answers to those security questions which can be easily guessed by the attacker who then utilizes that to gain access to the accounts of the users and then exploit that knowledge in their other accounts.
Another problem is that, the attackers when they are used attacks such clickjacking, the website attacking is transparent and over the website the user is performing their action. Therefore, the user may not even notice that they are performing operations they did not intend to and hence provide their personal data to the attacker.
Finally, another reason as to why the attacks are successful is that, the attackers use some exciting and enticing offers which tempt the victim to try out without knowing what it would lead to. For example, the user is offered free downloads, streaming among other offers which sometimes they are not able to resist. Through that, the attacker is able to successfully carry out the attacks.
There are a number of solutions that can be applied or implemented to deal with the attacks. They include use of security questions that are good. Use of questions of security which are not related to the website may not be the best idea as they are vulnerable to the attacks of password reset MitM. Use of a numerous number of questions that are related directly to the actions carried out by the user of the site is a good method since the same questions cannot be used by a user as questions of security that are legitimate for the rest of the websites. Some good example that has implemented this technique is Google. Google uses a combination of questions of security together with the other aspects such as the browser originating and the address of IP. Google additionally also requests questions regarding contacts that are common, labels that are user defined and use of services of Google that multiple besides using the general questions of security.
Solutions for Preventing Attacks
Use of good questions of security is advantageous in that, use of related questions makes it hard for the attacker to use the same questions to unravel the accounts in other sites while it can also have its limits as they can be easily bypassed by the attackers especially those who have a relationship with the victim.
Another solution could be the use of the method that is secure in resetting the password by use of the SMS. In this case, the code of resetting the password ought to be sent in a text that is clear through the SMS. The message should be detailed and containing a long link. The advantage of this method is that, for the attacker to exploit, he or she is needed to implore the user in copying the link which would make the user suspect it and hence making it hard for the attacker. Its disadvantage is that; it is possible that the user may not go through the link first to find out what it entails.
Another method involves securing the process of resetting the password through the use of a phone call. For the method to be successful, the message received by the user should contain the sender and the code meaning while the call ought to push the user listening and understanding its content. Its advantage is that, the chances of the attacker of tricking the user as minimized as they have to identify themselves to the user. Its disadvantage is that; the users may fail to strictly follow the instructions provided for them to obtain the code hence making the technique ineffective.
Use of notifications is another healthy method of preventing attacks. In this method, the site has to notify the user in case a request is made regarding the password resetting as well as when the password is changed through an email notification and the SMS. This method is effective in that, the user cannot fail to see a notification on the SMS indicating the request and the change but as far as the email is concerned, the attacker can just delete the notification and the user may never realize about the change. (Nethanel et al, 2017)
DigiNotar hack refers to the attack carried out on the DigiNotar Certification Authority whereby its network was breached by an intruder. The authority offered services of digital certificates. The certificates are meant to ensure that traffic of the internet is secure, provide certified signatures that are electronic and also offer encryption of data. In addition to that, DigiNotar also gave out PKIoverheid certificates that have been accredited by the government. However, a breach was carried out on the authority and as result it lead to issuance of certificates that were rogue. As a result, a rogue certificate of Google was highly abused which targeted users of internet in Iran. The attacker was issuing rogue certificates to the clients in order to try and perform an attack on those platforms such as the attack on the email user accounts that was quickly identified by a user who in return notified Google about the same since his google chrome browser was blocked. The attack led to removing of the Authorities of Certificates that DigiNotar had hosted from the lists of trusts which lead to the company becoming bankrupt.
Use Good Security Questions
For the MITM attack to occur, the attacker illegally obtained access to the network of DigiNotar since their network was vulnerable to attack. They were using software that was outdated which made it possible for the intruder to exploit that weakness. Then he abused the links to AttIPs by initiating them using the systems located inside. The intruder then was able to access servers inside the Office-net from DMZ-ext-net through the use of the server of MSSQL located in the same network. The intruder then utilized customized tools that were unauthorized to alter the traffic meant for port 3389 through port 443. The alteration enabled the intruder to link to the Office-net systems and segments of the Secure-net so that he could operate via the graphical interface of the user where in this case he utilized internet explorer. He then exploited the used numerous number of IP addresses so that he could hide his identity. After gaining or accessing the Certificates, the intruder used the rogue certificates to gain access to the websites so that he could perform the SSL attack.
The attack on the DigiNotar led to the government of Dutch publicly revoking DigiNotar trust as well as the certificates that the company had issued to its clients. As a result of that step, a good number of the manufactures of the browsers as well revoked their DigiNotar trust on the off chance that they had revoked the trust already. Another implication that resulted from the attack was that OPTA terminated the registration of the company like an authority of certificate for signatures that were qualified as according to the law of telecommunication of Dutch. As a result of all those activities of revoking, the company became bankrupt and was declared so by the Court of Haarlem. Afterwards all certificates of PKIoverheid and the qualified ones too were as well revoked and almost all the public certificates that were active and still remaining were as well revoked.
After the investigation carried out by the Fox-IT company, they discovered a good number of facts related to the attack on DigiNotar. First, they discovered that, the intruder used the webservers located on the outskirts of the network of DigiNotar as the entry points and that webservers of Docproof2 and the main web were being run on a version of DotNetNuke that was outdated and was likely to suffer from vulnerabilities of the security which were later attacked on June 17, 2011. Also scripts located in directory / beurs which were the up.aspx and settings.aspx were utilized as the file managers and also the server was used to access the rest of the systems located in the network. A total of 21 external and 12 internal IP addresses that were suspicious and linked to the / beurs directory in the time of DigiNotar attack together with other 125 file that were unique were recognized to have been copied.
Use SMS for Password Reset
Attempts to connecting to the server of MSSQL first happened from the DMX-ext-net to Office-net. Afterwards, the user account of MSSQLusr was used to carry out an activity that was suspicious on the server. On 18th June of the year 2011, traffic was generated by servers internally to addresses of IP which obviously were exploited by the intruder. On 29th June, numerous attempts of scanning were performed to enhance foothold in other segments of the network. On 1st July, the first activity of scanning happened in the Secure-net. On 2nd July, the first connection that was successful was carried out from the Secure-net towards DMZ-ext. on 3rd July, time was modified in the script of XUDA with a message that was personal to the server of Public-CA from the intruder. On 4th July, tools were automatically set for transferring files from the server of Public-CA. On 10th July, the first set of certificates that were rogue were generated successfully on the Relation server of Public-CA, followed by another set of 85 and 198 certificates that were rogue. The requests were made from a subscriber of DSL based in Iran. On 18th July, the logs of file indicated 124 certificates of rogue that were generated the server of Public-CA. On 20th July, the files of log indicated another 124 certificates that were rogue which were generated in the server of Public-CA which was the date that was known for the generation of certificates that were rogue. On 22nd July, the final traffic was generated within the network of DigiNotar to the IP addresses of the intruder that were known based on the examination carried out on the logs of firewall.
Fox-IT addressed a number of lessons that could be learnt from the incident of attack of the network of DigiNotar Certificates Authority. The lessons included the following:
Businesses and users that are average are at the verge of being attacked through the attacks which are against Third Parties that are Trusted in the Infrastructure of the Public Key. The only way of protection for them on networks that are public is by ensuring that their software is always updated, using a product of antivirus and to be extra careful regarding content from sources that are not trusted. This kind of countermeasure is advantageous in that it is simple and can easily be implemented by anyone and use of latest versions of software is more secure as newer versions contain lesser vulnerabilities. The only disadvantage is that; continuous update of the software can be expensive on the user.
Use Phone Call Password Reset
Another issue is that; users are required to have trust on the security of the members that form the Public Key Infrastructure so that the entire system can carry out its operations effectively. Based on the knowledge of the repercussions of breach in the Certificate Authority’s security on the PKI at large and generally the internet, maintaining the security of all Certificate Authority is vital regarding the PKI trust in provision of security for a wide range of internet activities. Having trust in the security provided is advantageous such that in case of any suspicious events, the user can easily notify the authority while the disadvantage may be that, due to the trust, the attacker may exploit that trust and perform attacks on the user. This approach can easily be implemented as well.
Certificate service providers need to implement methods of detection besides prevention. It is not possible to assume that the preventive measures will guarantee total prevention from an attack. When measures of detection on the attempts of intruding an infrastructure that is secured are implemented together with the measures of prevention, it results to minimal chances of intrusions that are successful. The advantage of the method is that, the attacks will be detected even before they can be exploited while its disadvantage is that, the methods may fail to work at some point and the technicality involved may be complicated and expensive for some to implement.
Another thing that needs to be considered is enforcement of strict separation in jobs which contains aims that are competing which are carried out by employees, since the jobs may pose effects on the organizations’ security or may be on the infrastructure of the organization. Its advantage is that; every employee will work only to perfect their area of jurisdiction. This can also be implemented easily by an organization as only an officer is required to carry out the dividing of allocating the tasks.
Finally, businesses such as the Certificate Service Providers and users may be able to protect themselves against numerous kinds of threats of security. They can achieve this through the reading through several books of security as well as the articles, undertaking standards and courses which may offer information that is detailed regarding appropriate measures that may be taken. Also, they may also implement a formal system of management of the security of information like the ISO-27001. (BV, Fox-IT, 2012)
Use Notification Systems
In the scenario described, it is possible for the man in the middle attack to be performed by an attacker. Some versions of the OpenSSL contain the Heartbleed bug which is a crucial vulnerability in the cryptographic software of the OpenSSL. The bug enables a third party to steal the information guarded by the TLS/SSL encryption which is used to offer privacy and security over the applications of the internet such as messaging that is instant and email which were to be used in the scenario described. The bug would enable an intruder to access the private key to be used in the communication and use it to decrypt the information being passed on. The intruder would then be able to eavesdrop the message the whistleblower is sharing with the reporter, alter it and then impersonate the reporter and the whistleblower and change the conversation.
The piece of paper would help in reminding each other of the public and private keys to be used. Hence, I would scribble the keys and pass them on to the whistleblower just as a reminder. Then, towards going to the store, we would proceed there are different time intervals. I can first leave the bench at the park and proceed to the store and start locating a computer to use just like any other customer. The whistleblower would then join me in the store sometime later and locate a different independent computer as well some meters away from me and then each one of use logs in to the email account and start chatting.
For example, I would encrypt a message, m, using the public key kA and then send it to the whistleblower who then reads it by decrypting it using private key eA, that is; {m} kA. For the whistleblower to prover that the message came from him, he can encrypt the message using private key eA, that is, {m}eA. The whistleblower would then encrypt a response to me and send the message, m, using private key eA and then encrypts it with public key kB so that I can verify the message came from him, that is, {{m}eA} kB.
In this scenario, authentication can be performed by the use of the protocol of Station-to-Station. This protocol supplements the key establishment of Deffie-Hellman by introducing the signing of exponents by the agents to ensure authentication.
M 1. a → b: gx mod n
M 2. b → a: gy mod n, {{gy mod n, gx mod n}sk(b)}k
DigiNotar Hack
M 3. a → b: {{gx mod n, gy mod n}sk(a)}k .
The use of k encryption was meant to indicate to the other agent that they are aware of the key being used.
However, the station to station protocol can be attacked by an intruder in this manner:
M α.1. D → IE: gx mod n
M β.1. I → E: gx mod n
M β.2. E → I: gy mod n, {{gy mod n, gx mod n}sk(E)}k
M α.2. IE → D: gy mod n, {{gy mod n, gx mod n}sk(E)}k
M α.3. D → IE: {{gx mod n, gy mod n}sk(D)}k .
In the model above, D has the idea that, the protocol run that he was performing with E has been completed while on the other hand, in the mind of E, he does not think that the protocol he was running was with D. To prevent this attack, inclusion of identities with the components that are signed should be considered. (Sean and John, 2007)
The best way to transfer data securely is to use simple mail transfer protocol that is complemented by the TLS encryption or the SSL encryption although the current version of TLS is adequate as it incorporates all the functions of the SSL. TLS uses the encryption of the private and public key and creates a connection of transport that is secure between the servers of the email and the transfer protocol of simple mail. The content of the encrypted email cannot be intruded by attackers since they cannot access the required key for the encryption. Regardless of the source used to send the email such as the browser of the web and the client of email such as the Outlook, it is almost impossible to snoop the email content. The protocol of TLS uses the function of pseudo-random which makes it difficult for the intruders to intercept the data being transmitted. It also uses the standard of digital signature as an exchange key together with the algorithm of Diffie Hellmann which ensures that it becomes difficult for the intruder to decode the coded content of the email. Another aspect of security of TLS is that, it is separated into a number of protocols which must be intercepted subsequently by an attacker when they want to access the content. This makes is hard for the attacker to try intruding. Finally, another advantage of the security of TLS is that, its encryption cannot be easily deciphered. (Barton et al, 2016)
Despite all the advantages of using the TLS in the transfer of email, it has some issues which includes that, it relies on the DNS which contains some weaknesses that are known world wide like spoofing. Another issue is that, the encryption of email on TLS fails to provide auditing that can be easily accessed or fails to provide transmission proof. On the offchance that a sender sends an email to a server that is not verified or the email is sent in text that is plain, the protocol does not provide notification of trails for auditing for access for the administrators of the system.
Barton, Christopher Andrew, Graham Andrew Clarke, and Simon Crowe. "Transferring data via a secure network connection." U.S. Patent 7,093,121, issued August 15, 2016.
Bellovin, Steven M., and Michael Merritt. "Encrypted key exchange: Password-based protocols secure against dictionary attacks." In Research in Security and Privacy, 2012. Proceedings., 2012 IEEE Computer Society Symposium on, pp. 72-84. IEEE, 2012.
BV, Fox-IT. "Black Tulip Report of the investigation into the DigiNotar Certificate Authority breach." Delft, The Netherlands, 2012.
Callegati, Franco, Walter Cerroni, and Marco Ramilli. "Man-in-the-Middle Attack to the HTTPS Protocol." IEEE Security & Privacy. 2009.
Desmedt, Yvo. "Man-in-the-middle attack." In Encyclopedia of cryptography and security, pp. 759-759. Springer US, 2011.
Franks, John, Phillip Hallam-Baker, Jeffrey Hostetler, Scott Lawrence, Paul Leach, Ari Luotonen, and Lawrence Stewart. HTTP authentication: Basic and digest access authentication. No. RFC 2617. 2009.
Nethanel, Senia, Bar and Hen Porcilan. “The Password Reset MitM Attack” on:
https://www.ieee-security.org/TC/SP2017/papers/207.pdf
Joshi, Yogesh, Debabrata Das, and Subir Saha. "Mitigating man in the middle attack over secure sockets layer." In Internet Multimedia Services Architecture and Applications (IMSAA), 2009 IEEE International Conference on, pp. 1-5. IEEE, 2009.
Maynard, Peter, Kieran McLaughlin, and Berthold Haberler. "Towards Understanding Man-in-the-middle Attacks on IEC 60870-5-104 SCADA Networks." In ICS-CSR. 2014.
Meyer, Ulrike, and Susanne Wetzel. "A man-in-the-middle attack on UMTS." In Proceedings of the 3rd ACM workshop on Wireless security, pp. 90-97. ACM, 2014.
Prins, J. Ronald, and Business Unit Cybercrime. "DigiNotar Certificate Authority breach’Operation Black Tulip’." Fox-IT, November (2011).
Ramachandran, A., Rupika Chawla, Jyotisha Jo??, and Amit Mukhopadhyay. A. Ramachandran. Lalit Kala Akademi, 2012.
Sean S. and John M. “Building Blocks for Secure Systems”. In the book of The Craft of System Security, 2007.
Tsuji, Takasuke, Takashi Kamioka, and Akihiro Shimizu. "Simple and secure password authentication protocol, ver. 2 (SAS-2)." In ITE Technical Report 26.61, pp. 7-11. The Institute of Image Information and Television Engineers, 2012.
To export a reference to this article please select a referencing stye below:
My Assignment Help. (2020). Preventing Website Attacks: Understanding Password Reset MitM And Other Cross-Site Attacks. Retrieved from https://myassignmenthelp.com/free-samples/spr-2018-security-principles/transfer-protocol.html.
"Preventing Website Attacks: Understanding Password Reset MitM And Other Cross-Site Attacks." My Assignment Help, 2020, https://myassignmenthelp.com/free-samples/spr-2018-security-principles/transfer-protocol.html.
My Assignment Help (2020) Preventing Website Attacks: Understanding Password Reset MitM And Other Cross-Site Attacks [Online]. Available from: https://myassignmenthelp.com/free-samples/spr-2018-security-principles/transfer-protocol.html
[Accessed 24 November 2024].
My Assignment Help. 'Preventing Website Attacks: Understanding Password Reset MitM And Other Cross-Site Attacks' (My Assignment Help, 2020) <https://myassignmenthelp.com/free-samples/spr-2018-security-principles/transfer-protocol.html> accessed 24 November 2024.
My Assignment Help. Preventing Website Attacks: Understanding Password Reset MitM And Other Cross-Site Attacks [Internet]. My Assignment Help. 2020 [cited 24 November 2024]. Available from: https://myassignmenthelp.com/free-samples/spr-2018-security-principles/transfer-protocol.html.