Edward Maillet <maillet@doc.cs.usm.maine.edu> said:
EM> Hey All, Wouldn't it be more accurate to say that Man in the Middle
EM> attacks are really Man at the End attacks?
EM> I've been reading the IP-Watch Web Page about hijacking TCP
EM> connections and active packet sniffing. The "threat to the whole
EM> Internet" seems a bit exaggerated for the average Joe.
EM> (http://www.EnGarde.com/software/ipwatcher) TCP connections flying
EM> over Internet today from say A.com to B.com aren't likely to be
EM> crossing over a network controlled by evil.com. What is the REAL
EM> potential of someone being able to nail an A.com to B.com connection
EM> without being inside A.com or B.com? Most companies connect to the
EM> 'net using a commercial Internet provider. Let's say MCI. I know for a
EM> fact MCI routes data internally along its DS3 back bone as much as
EM> it can so if you and I both use MCI we never leave MCI land. What is
EM> the real potential of someone tapping, hacking or sniffing one of
EM> MCI's links? Sure the possibility exists but so does the possibility
EM> I put a bomb in your car while you were reading this. The real
EM> potential threat seems to be from the inside of B.com or A.com where
EM> direct access to the network is MUCH more easy to obtain. Or even
EM> worse is evil.com directly attacking A.com or B.com like the Tsutomu
EM> Shimomura attack last year. Is the real potential threat the Man at
EM> the End rather than the Man that may be in the Middle? Particularly
EM> my end. My company seems to not view it this way so internal
EM> security is much looser than our outbound connections.
EM> As a side thought, anyone got any numbers of how many hacks come
EM> from inside versus outside?
I can't give any specific percentages, but, yes, more security
problems occur from disgruntled/larcenous current and former employees
than from outside sources, whether you are talking about computer cracks
or bank losses. But unless every single one of your systems talks
directly to MCIinternet, you are vulnerable to MitM attacks within your
organization. Then you have MitM attacks within MCIinternet by their
employees (note: I'm not saying that MCIinternet is hiring more
dishonest employees than anyone else. I'm just saying that they're
probably not hiring _less_ than anyone else, either). Then, unless
every single one of the systems at the other organization is connected
to MCIinternet, you have MitM attacks there. The real danger with the
internal MitM attacks is that they are probably more likely to go
unnoticed for prolonged periods, because the perpetrator is 'supposed'
to be there, just like a bank manager siphoning off a small fraction of
deposits periodically is going to be more likely to go unnoticed than
someone walking into the lobby with a ski mask and an Uzi. But that bank
manager (if he's good enough of an accountant to cook the books well
enough to get past auditors) is likely to be able to do much more
damage.
Sten
--
#include <disclaimer.h> /* Sten Drescher */
To get my PGP public key, send me email with your public key and
Subject: PGP key exchange
Key fingerprint = 90 5F 1D FD A6 7C 84 5E A9 D3 90 16 B2 44 C4 F3