> Hey All,
> Wouldn't it be more accurate to say that Man in the Middle attacks are really
> Man at the End attacks?
> I've been reading the IP-Watch Web Page about hijacking TCP connections and
> active packet sniffing. The "threat to the whole Internet" seems a bit
> exaggerated for the average Joe.
I would disagree.
> TCP connections flying over Internet today from say A.com to B.com aren't
> likely to be crossing over a network controlled by evil.com. What is the
> REAL potential of someone being able to nail a A.com to B.com connection
> without being inside A.com or B.com? Most companies connect to the 'net
> using a commercial Intner provider. Let's say MCI. I know for a fact MCI
> routes data internally along its DS3 back bone as much as it can so if
> you and I both use MCI we never leave MCI land. What is the real potential
> of someone tapping, hacking or sniffing one of MCI's links? Sure the
> possibility exists but so does the possibility I put a bomb in your car
> while you were reading this.
There can definitely be risk. First, not every person or company
connects to the Internet with a dedicated line. Many people and
companies dial up into a terminal server or some other kind of remote
access device. Put a network sniffer on the terminal server segment
and the man in the middle scenario is definitely there. I believe that
this situation happened to BARRnet (please correct me if I am wrong).
There also situations where an organization's mail connectivity to the
Internet is via UUCP. Penetrate the UUCP/Internet gateway host, and
then you have a man in the middle scenario again. Also, an Internet
Provider may have network monitor host on the backbone segment of their
POP. A packet sniffer there could see a lot of things.
Second, how can you always trust the phone company carrying the traffic?
There are some governments with monopoly PTTs that are known to spy on
foreign commercial organizations in order to gain advantage for their
Third, sometimes what looks like a.com or b.com really isn't. This
scenario happens when an organization is not diligent about deleting
accounts of people that leave. I have seen situations where someone
thought that they were sending mail only to internal people, but the mail
message went out on the Internet because someone left a .forward in an
account that should have been deleted. I remember someone sending a
note about highly confidential and proprietary technology to an internal
mailing list, and then getting a message from someone at a University
saying, "That's cool. Can you send me more info?"
> The real potential threat seems to be from the inside of B.com or A.com where
> direct access to the network is MUCH more easy to abtain. Or even worse is
> evil.com directly attacking A.com or B.com like the Tsutomu Shimomura attack
> last year.
> Is the real potential threat the Man at the End rather than the Man that
> maybe in the Middle? Particularly my end.
I would say that both Middle and End are real threats.
> My company seems to not view it this way so internal security is much
> looser than our outbound connections.
As secure network perimeters in organizations become more and more
porrous, this will have to change. I believe that we will see a future
with multiple perimeters and firewalls within a single organization.
> As a side thought, anyone got any numbers of how many hacks come from inside
> versus outside?
It's probably pretty substantial. Inside hacks definitely do happen.
> Flame Away!
> ----- Ed Maillet
> maillet @