01 Mar 2017
What is a Man-in-the-Middle Attack and How Can You Prevent It?
In 2015, a cyber-criminal group in Belgium stole a total of €6 million by hacking through middle-sized and large European companies. The hackers were able to gain access of corporate email accounts and request money from clients using the hacked accounts. According to Europol’s official press release, the modus operandi of the group involved the use of malware and social engineering techniques. Once they found their way in, they carefully monitored communications to detect and take over payment requests. This impressive display of hacking prowess is a prime example of a man-in-the-middle attack. The thing is, your company could easily be any of those affected European companies.
What is a Man-in-the-Middle (MITM) attack?
A MITM attack happens when a communication between two systems is intercepted by an outside entity. This can happen in any form of online communication, such as email, social media, web surfing, etc. Not only are they trying to eavesdrop on your private conversations, they can also target all the information inside your devices.
Taking away all the technicalities, the concept of an MITM attack can be described in a simple scenario. Imagine being brought back to the days of old when snail mail was rife. Jerry writes a letter to Jackie expressing his love for her after years of hiding his feelings. He sends the letter to the post office and it’s picked up by a nosy mailman. He opened it and, just for the hell of it, he decided to rewrite the letter before delivering the mail to Jackie. This results in Jackie hating Jerry for the rest of her life after “Jerry” called her a fat cow. The moral of the story is the mailman is a jerk, and so are hackers.
A more modern example would be a hacker sitting between you (and your browser) and the website you’re visiting to intercept and capture any data you submit to the site, such as login credentials or financial information.
How Does a Man-in-the-Middle Attack Work?
Over the years, hackers found various ways to execute MITM attacks and believe it or not, it has become relatively cheap to buy a hacking tool online, just proving how easy hacking someone can be if you have enough money. Here are some common types of MITM attacks your business will most likely encounter:
Email Hijacking
Similar from the case above, hackers who use this tactic target email accounts of large organizations, especially financial institutions and banks. Once they gain access to important email accounts, they will monitor the transactions to make their eventual attack a lot more convincing. For example, they can wait for a scenario where the customer will be sending money and respond, spoofing the company’s email address, with their own bank details instead of the company’s. This way, the customer thinks they’re sending their payment to the company, but they’re really sending it right to the hacker.
It’s not just large companies that can fall victim to this type of attack. A similar situation happened to London’s Paul Lupton. After selling his home, he emailed his bank account details to his solicitor to collect the over £333,000 proceeds, unaware that hackers had accessed his email and were monitoring communications. Seeing a golden opportunity, the hackers quickly sent another email to the solicitor under Lupton’s name saying to disregard the previous email and send to another (hacker-owned) account instead. The transfer went through to the hacker’s account, but fortunately Lupton quickly realized what happened and was able to recover the majority of funds. Unfortunately, most of these attacks don’t have such happy endings.
Wi-Fi Eavesdropping
Most MITM attacks thrive on Wi-Fi connections. In one approach, hackers will set up a Wi-Fi connection with a legitimate-sounding name. All the hacker has to do is wait for you to connect and he’ll instantly have access to your device. Alternatively, the hacker can create a fake Wi-Fi node disguised as a legitimate Wi-Fi access point to steal the personal information of everyone who connects.
Session Hijacking
Once you log into a website, a connection between your computer and the website is established. Hackers can hijack your session with the website through numerous means. One popular option they use is stealing your browser cookies. In case you don’t know, cookies store small pieces of information that makes web browsing convenient for you. It can be your online activity, login credentials, pre-fill forms, and in some cases, your location. If they got hold of your login cookies, they can easily log into your accounts and assume your identity.
How Can You Protect Your Networks from These Attacks?
MITM attacks can really overwhelm you just by hearing its basic concept, but that doesn’t mean they are impossible to avoid. PKI technology can help protect you from some of the types of attacks we discussed above.
S/MIME
Secure/Multipurpose Internet Mail Extensions, or S/MIME for short, encrypts your emails at rest or in transit, ensuring only intended recipients can read them and leaving no spaces for hackers to slip their way in and alter your messages.
Additionally, S/MIME lets you digitally sign your email with a Digital Certificate unique to every person. This ties your virtual identity to your email and gives your recipients the assurance that the email they received actually came from you (as opposed to a hacker who access your mail server). You can see how this could have been helpful in the Europol example discussed earlier. While the hackers had access to the companies’ mail servers, in order to digitally sign the messages, they would have also needed access to employee private keys, which are generally securely stored elsewhere. Standardizing on digitally signing messages and educating recipients to only trust messages from your company that have been signed can help differentiate legitimate emails from those that have been spoofed.
Authentication Certificates
Hackers will never go away, but one thing you can do is make it virtually impossible to penetrate your systems (e.g. Wi-Fi networks, email systems, internal networks) by implementing Certificate-Based Authentication for all employee machines and devices. This means only endpoints with properly configured certificates can access your systems and networks. Certificates are user-friendly (there is no additional hardware to manage or much user training needed) and deployments can be automated to make things simple for IT and make them hackers split their hair, as the cool kids would say.
What Is HTTP Interception?
HTTP is the most common internet protocol. Most of the things we do online are implemented on HTTP, from the usual web browsing to instant messaging. Unfortunately, HTTP communications are unprotected and relatively easy to intercept, making them a prime target for MITM attacks. As mentioned earlier, hackers can sit between end users and the website they’re connected to and eavesdrop on their communications, including any information they submit to the website, without them having any idea.
How Do You Prevent HTTP Interception?
SSL/TLS Certificates
If your website still uses the more vulnerable HTTP protocol, it’s time to upgrade to the safer HTTPS protocol through SSL/TLS Certificates. A TLS Certificate will activate the HTTPS protocol, which is the safer version of HTTP. This allows an encrypted, secure connection between your server and your clients’ computers, keeping all information from prying hackers.
TLS Certificates can also bind together your domain name and your organizational identity if you get an Organization Validated (OV) or Extended Validation (EV) level certificate. EV Certificates bring your identity information front and center by displaying your organization name right in the URL bar. This can boost trust among your visitors that your site is legitimately operated by your company and not an imposter site.
System and Server Configurations
Don’t sit on your laurels just yet. Once TLS is up and running, you need to do some configuring. Make sure your website doesn’t have any mixed content or any page element loading over an HTTP protocol (e.g. photos, scripts, widgets) to avoid leaving a backdoor for aspiring hackers. It’s also good practice to make sure any links you are pulling in from other sites are via HTTPS. Make sure your login forms are HTTPS-protected to avoid credential hijacking. Mozilla is already doing a great job preventing users from filling up forms under HTTP protocols by “unsecure connection” warning prompts and a slashed padlock icon. Make sure all hyperlinks contained in your website all use the HTTPS protocol.
It’s also important to make sure you have your server configured correctly (e.g. using the current best practices for protocols, algorithms, etc.). For example, you should make sure you have SSL2, SSL3, and TLS1 protocols disabled; only TLS 1.1 and 1.2 should be enabled. There are many other configuration items to consider and recommended best practices are continually changing as new vulnerabilities are discovered. GlobalSign’s SSL Server Test is an easy-to-use and thorough tool for making sure your server is properly configured.
HSTS over HTTPS
As discussed above, hackers have found ways to get around TLS. For example, even if you request an HTTPS connection (e.g. you type in https://www.example.com), they can change the request to HTTP so you go to http://www.example.com, preventing the encrypted connection. Implementing HTTP Strict Transport Security or HSTS can help prevent this type of attack. This web server directive forces any web browser or app to connect to HTTPS and block any content that uses HTTP as its protocol. HSTS will also prevent hackers from extracting information from your browser cookies, effectively defending your website from session hijackers.
Do you have further questions about man-in-the-middle attacks? Send us your questions and suggestions at the comments box below. You can also click here to learn how man-in-the-middle attacks affect the Internet of Things.
Visit our website to check out more solutions for your business’ security needs.
Share this Post
Write for Us
Apply NowSubscribe to our Blog
GlobalSign Privacy Policy Version 3.1
Updated June 5, 2018
GlobalSign respects your right to privacy. This privacy policy has been developed to inform you about the privacy practices followed by GlobalSign in connection with its websites, products and services. This privacy policy does not apply to GlobalSign services offered by or through our partners, resellers or other third parties, or other third party services or websites, and we encourage you to read the privacy policies of those parties.
This privacy policy will inform you about what data is collected, how we use such data, where data is processed, how you may opt out of your data being used, the security provisions around storing your data and how to correct, update or delete your data.
1. Data Controller
The data controller for personal data collected within the EU is GMO GlobalSign, Ltd., having its registered offices at Springfield House, Sandling Road, Maidstone, Kent, ME14 2LP, United Kingdom. All questions or requests regarding the processing of data may be addressed to: dpo@globalsign.com.
2. Collection of Personal Information
We collect information from you when you (i) place an order for a GlobalSign digital certificate product or other product or service, (ii) scan your servers for digital certificates using our Certificate Inventory Tool (CIT), (iii) apply for access to our managed service platforms, (iv) subscribe to our newsletter, (v) use our online chat service, (vi) download a white paper, (vii) register for a webinar, (viii) respond to a survey, (ix) fill out a form for pre/post sales assistance, (x) open a support ticket, or (xi) your use of social media.
GlobalSign is a Certification Authority and trusted third party. To fulfill requests for digital certificates or other products or services, you may be asked to enter your name, email address, physical address, phone number, credit card information and/or organizational details or other personal information.
- - Contact information such as your name, email address, physical address, and phone number.
- - Relationship information that helps us do business with you, such as the types of products and services that may interest you, contact and product preferences, languages, marketing preferences and demographic data.
- - Transactional information about how you interact with us, including purchases, inquiries, customer account information, billing and credit card information, organizational details, transaction and correspondence history, and information about how you use and interact with our website.
We may develop and acquire additional information about you using third-party (public and private) data sources such as third party databases and government agencies, as well as your browsing and purchasing history in order to process orders for certificates and to improve our services.
GlobalSign treats personal information as confidential, except for the information included in an issued digital certificate. Such information may be verified using third party commercial and government resources, and as such, is deemed to be public information.
3. Purpose of Processing
Your personal data will be used for the purposes specified below:
3.1 To process applications for GlobalSign products and services
Your information is used to provide our products and services and order processing as well as to conduct business transactions such as billing.
3.2 To improve customer service
Your information helps us to more effectively respond to your pre/post sales requests and provide technical support.
3.3 To send renewal notices
The email address you provide for order processing may be used to send you renewal notices for your expiring digital certificate.
3.4 To send service updates
In addition, subject to your consent where required, we may send you new service updates, security updates, related product or service information, and status updates on maintenance windows or service availability.
3.5 To tell you about our products and services
Subject to your consent where required, we may send you periodic company newsletters, information about our products and services that may be of interest to you based on your use of other GlobalSign products and services, your attendance at GlobalSign sponsored marketing events such as webinars, your requests for information about similar products and services, or your sharing of data with social media sites such as LinkedIn or Facebook.
4. Legal Basis for Processing Personal Data
We will process your data for the purpose of performance of our contract with you or the legitimate interest of GlobalSign, which are our usual business activities. In other cases, we will request your consent for the processing of the personal data you may submit.
Your refusal to provide personal data to us for certain products and services may hinder us from fulfilling your order for those products or services. Also, if you deny or withdraw your consent to use personal data or opt out of receiving information about GlobalSign products and services this may result in you not being made aware of renewal notices, periodic company newsletters, new service updates, security updates, related product or service information, and status updates on maintenance windows or service availability. See Section 10 below for how to withdraw your consent.
5. Use of Cookies and web beacons
The GlobalSign Certificate Center (GCC) uses cookies to enable the fulfillment of services. Cookies may be used when you log into the GCC, purchase products or use certain GCC functions.
In addition, like most online businesses, GlobalSign uses cookies and web beacons on our websites and through marketing related emails to gather and analyze some personal data such as the visitor's IP address, browser type, ISP, referring page, operating system, date/time and basic geographical information.
We use cookies and web beacons to compile aggregate data about site traffic and site interaction so that we can gauge the effectiveness of our communications and offer better site experiences and tools in the future. We may contract with third-party service providers to assist us in better understanding our site visitors. These service providers are not permitted to use the information collected on our behalf except to help us conduct and improve our business.
First time visitors may choose to not have any activity monitoring cookies set in their browser. We use an opt-out identification cookie to tag these users as having made this decision. Those cookies that pertain to site performance, experience improvement and marketing are programmed not to execute when an opt-out cookie is present in a visitor's browser. Opt-out cookies persist until a visitor clears their browser cookies, or until their expiration one year after the set date. A visitor is required to opt out again after one year in order to disable any activity monitoring cookies.
More details of GlobalSign's use of cookies can be found on our website at https://www.globalsign.com/en/repository/cookie-policy/
6. Use of application logs for diagnostics or to gather statistical information
Our servers automatically record information ("Application Log Data") created by your use of our services. Application Log Data may include information such as your IP address, browser type, operating system, the referring web page, pages visited, location, your mobile carrier, device and application IDs, search terms, and cookie information. We use this information to diagnose and improve our services. Except as stated in section 8 (Data Retention), we will either delete the Application Log Data or remove any account identifiers, such as your username, full IP address, or email address, after 12 months.
7. Sharing of Information and Transfers of Data
We do not sell or trade your personal information to outside parties.
Within GlobalSign: GlobalSign is a global organization with business processes and technical systems in various countries. As such, we may share information about you within our group company and transfer it to countries in the world where we do business in connection with the uses identified in section 3 above and in accordance with this Privacy Policy. In cases where your personal data is transferred to countries that do not provide an adequate level of protection according to the European Commission ('adequacy decision'), we ensure your data is protected by entering into agreements containing standard contractual clauses approved by the European Commission with each of our group companies. A copy of these agreements may be obtained by contacting us as outlined in section 15 below.
Third Parties: We may also transfer your personal data to trusted third parties and our partners in order to serve purposes that are specified in section 3 above. GlobalSign uses a third party to process credit card payments and provides credit card numbers and identifying financial data directly to the third party credit card processor.
In circumstances where data is shared with such third parties, they are required to comply with confidentiality terms included in our data processing agreements. This prohibits such third parties from selling, trading, using, marketing or otherwise distributing GlobalSign customer data.
As Required by Law: We may also release your information when we believe release is appropriate to comply with the law or protect our rights, property, or safety.
It is our policy to notify customers of requests for their data from law enforcement unless we are prohibited from doing so by statute or court order. Law enforcement officials who believe that notification would jeopardize an investigation should obtain an appropriate court order or other process that specifically precludes member notification, such as an order issued pursuant to 18 U.S.C. §2705(b).
Mergers & Acquisitions: We may also disclose your personal information to third parties who may take over the operation of our site or who may purchase any or all of our assets, including your personal information. We will contact you using the details you provide if there is any change in the person controlling your information.
8. International Transfers
The third parties, subsidiaries and affiliates to which your personal information can be disclosed may be located throughout the world. Therefore, information may be sent to countries having different privacy protection standards than your country of residence. In such cases, we take measures to ensure that your personal information receives an adequate level of protection, which includes the EU Standard Contractual Clauses to protect your personal information.
9. Data retention
The personal information we collect is retained for no longer than necessary to fulfil the stated purposes in section 2 above or for a period specifically required by law or regulation that GlobalSign is obligated to follow.
To meet public CA audit requirements as detailed in the GlobalSign Certification Practice Statement, personal data used to fulfill verification of certain types of digital certificate applications will be retained for a minimum of 10 years depending on the class of product or service and may be retained in either a physical or electronic format. Please refer to the GlobalSign Certification Practice Statement for full details.
After the retention period is over, GlobalSign securely disposes or anonymizes your personal information in order to prevent loss, theft, misuse, or unauthorized access.
10. Opting out; withdrawing consent
If at any time you would like to unsubscribe from receiving future emails, we include unsubscribe instructions at the bottom of each email.
Renewal notices may be cancelled on a per digital certificate basis by logging into your GlobalSign Certificate Center (GCC) account and disabling renewal notices.
Email preferences for CIT related/collected information can be updated and changed within CIT.
If GlobalSign is processing your personal data based on your consent, you may withdraw your consent at any time via the GlobalSign Preference Centre at https://downloads.globalsign.com/acton/media/2674/preference-center-login or by contacting us at one of the addresses shown in section 15 below.
11. Your Rights
You are responsible for providing GlobalSign with true, accurate, current and complete personal information. Also, you are responsible to maintain and promptly update the information to keep it true, accurate, current and complete.
You have the right to access and modify your personal data stored on GlobalSign systems. You can exercise your rights by contacting us in writing. We will require you to provide identification in order to verify the authenticity as the data subject. We will make reasonable efforts to respond to and process your request as required by law.
To the extent of applicable law, you may have the right to request erasure of your personal information, restriction of processing as it applies to you, object to processing and the right to data portability. You may also have the right to lodge a complaint with a supervisory authority.
If you provide any information that is untrue, inaccurate, not current or incomplete, or if we have reasonable grounds to suspect that such information is untrue, inaccurate, not current or incomplete, we have the right to suspend or terminate your account and refuse any and all current or future services.
12. How we protect your information
We implement a variety of security measures to maintain the safety of your personal information when you place an order or enter, submit, or access your personal information. All supplied sensitive/credit information is transmitted via Secure Socket Layer (SSL).
After a transaction, your transaction-related information will be kept on file to meet audit requirements and facilitate renewals. We do not retain any credit card details.
13. Relevant laws
GlobalSign commits itself to protect the personal information submitted by applicants and subscribers for its public certification services. GlobalSign declares to fully respect all rights established and laid out in European Union and Member States' laws and regulations:
- - European Directive 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and as replaced by Regulation EU 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the EU General Data Protection Regulation); and
- - Provisions of the GlobalSign CPS.
14. Changes to our Privacy Policy
If we make material changes to our privacy policy, we will inform customers by emailing a notice of the availability of a new version with a link to the new version.
15. Contact Us
If you have any inquires, or questions regarding our privacy policy, please contact us at:
- We use the data you submit only for purposes identified in section 3 of this privacy policy.
- You have the right to review your personal data that GlobalSign holds and check it for accuracy.
- You have the right to correct data in the case that errors may be found in our records.
- You have the right to request that any of your personal data be erased. i.e. right to be forgotten.
- You have the right to obtain and reuse use your personal data for your own purposes
- You have the right to request that GlobalSign restrict the processing of your personal data under certain circumstances.
- You have the right to object to our processing of your personal data.
14. Changes to our Privacy Policy
If we make material changes to our privacy policy, we will inform customers by emailing a notice of the availability of a new version with a link to the new version.
15. Contact Us
If you have any inquires, or questions regarding our privacy policy, please contact us at:
https://support.globalsign.com/
https://www.globalsign.com/en/company/contact/support/
https://jp.globalsign.com/support/
or
Deputy Data Protection Officer
GMO GlobalSign, Ltd.
Springfield House Sandling Road
Maidstone, Kent ME 14 2LP
United Kingdom
dpo@globalsign.com
16. Our Office Locations
GMO GlobalSign K.K., Tokyo, Japan
GMO GlobalSign Ltd., Maidstone, Kent, UK
GMO GlobalSign N/V, Leuven, Belgium
GMO GlobalSign, Inc., Portsmouth, NH, USA
GMO GlobalSign Russia LLC , Moskva, Russia
GMO GlobalSign Pte. Ltd, Anson, Singapore
GMO GlobalSign Certificate Services Pvt. Ltd., Delhi, India
GlobalSign China Co., Ltd., Shanghai, China
GMO GlobalSign Inc., Manila, Philippines
GMO GlobalSign FZ-LLC, Dubai, UAE
