The World Wide Web has grown immensely in the last few decades and it still continues to expand exponentially. As with many new pieces of technology, new content and services that help us with day-to-day tasks are accompanied by an abundance of malware, spyware and other harmful agents. These are built and managed by people trying to take advantage of other participants and infrastructure to do harm, with different goals in mind. Well, some of them really just do it for the fun of it.
Many of these attacks are possible due to improper and insufficient security measures undertaken by the average user, accompanied by a lack of understanding of how the Internet works. I agree it can seem a bit abstract at first, but hey, we all like new challenges, right? Let’s see what happens when I, an average user, want to undertake a simple task of checking the daily news, whilst enjoying my morning coffee.
When I turn on my laptop, it, among other things, connects to the office WiFi router. A WiFi router is basically an electronic device that routes the traffic/data in our local area network (LAN). When a device wants to send a message to another device, be that to a device within or outside our local area network, the router is the one to decide where the packet should go. There are a few more key concepts we need to cover to get a basic grasp of how the traffic is routed:
DNS resolution, an
ARP table and a
ARP (stands for Address Resolution Protocol) is a protocol used to map an IP address to a physical machine address (MAC). Every device (or rather its network adapter) has its own unique MAC address. For a router to deliver data to a specific device in its subnet it has to know the device’s MAC address. That’s where ARP tables come in handy – they hold information on which MAC address a given IP address resolves to.
Lots of people believe we programmers think and talk in bits and numbers. With the exception of our own Saša, that’s mostly not true. It’s in our nature as humans to forget and/or mush up larger sequences of numbers. The same is true when it comes to IP addresses; that’s why we prefer using domain names, which are much easier to remember. These human-readable names are resolved to IP addresses by means of domain name resolution, which is usually done by dedicated DNS servers.
When I start my browser and type in www.infincube.com, the request is sent to the router’s MAC address. After the router receives the request, it has to check whether the address is a local one (part of its subnet). If so, it only has to resolve the URL and map the IP address to the target computer’s MAC address and route it to the target computer in the subnet. On the other hand, if it has no idea who we’re trying to talk to, it sends the request to our ISP (Internet Service Provider) and hopes some router out there knows where to route our request to. Before reaching its destination, our request is routed a few more times. At some point the request reaches our target, which in turn responds with a response displayed by our browser. It’s impossible to imagine just how many packets are flying around the World Wide Web at any given time and how all of this actually works. It turns out it involves a lot of trial and error.
There’s a significant number of people trying to intercept the traffic going back and forth at any time. Some of the attacks focus on specific targets and some of them are just blindly trying their luck. Either way, we have to try our best to stay secure. Let’s go through a small subset of these attacks.
This is by far the easiest and most successful way of gaining access to someone’s privacy and data. It focuses on the attacker’s ability to convince the victim, be that in person, via phone or other channels, to disclose information such as credit card numbers and even passwords. Ironically, our trusting personalities are our worst weak spots.
Earlier we’ve gone through the basics of how devices within a local network communicate with each other. We’ve identified that the ARP protocol is one of the key factors required for a successful address resolution. Now, how could someone take advantage of that?
Consider one of your coworkers having their birthday next week and the other coworkers put you in charge of finding a suitable gift. You know he/she’s constantly browsing the Internet for a new Bluetooth speaker, but you have no idea which one they prefer. It would be much simpler if you could just see all their web traffic, right? Right. One way of intercepting all their traffic is by literally putting yourself in the middle of their computer and the office router (hence the Man In The Middle attack) and sniffing the traffic using a tool such as Wireshark.
This could be achieved by spoofing the router’s ARP table, convincing the router that you’re actually the coworker’s computer and convincing the coworker’s computer you’re actually the router. All you need is for both of you to be connected to the same router and your coworker’s IP address. Whenever the router asks the subnet for your coworker’s address, you step in and say: “That’s me!!”, and similarly, when your coworker’s computer asks for the router’s address you say: “Hey, that’s me, I’m the router!”. Yelling that out loud doesn’t actually help, it’s a bit more complicated, but you get the idea. The whole process results in traffic being routed through your computer, without your coworker even suspecting a thing.
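The coworker's side of this leaves a visible trace: the router's IP address suddenly resolves to a different MAC address, and that MAC is shared with another machine on the subnet. The following Python sketch is an added example (not part of the original article) that looks for both symptoms in two snapshots of a Linux `/proc/net/arp` table; the IP addresses, MAC addresses and function names are constructed for illustration.

```python
"""Added example: spot ARP-spoofing symptoms in Linux /proc/net/arp snapshots."""
from collections import defaultdict

# Constructed sample data (not captured traffic): the coworker's ARP table
# before and during the interception; 192.168.1.1 is assumed to be the router.
BEFORE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         3c:84:6a:11:22:33     *        wlan0
192.168.1.42     0x1         0x2         a4:5e:60:aa:bb:cc     *        wlan0
"""
DURING = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         a4:5e:60:aa:bb:cc     *        wlan0
192.168.1.42     0x1         0x2         a4:5e:60:aa:bb:cc     *        wlan0
192.168.1.77     0x1         0x0         00:00:00:00:00:00     *        wlan0
"""

def parse_arp(text):
    """Return {ip: mac} for resolved entries, skipping the header row."""
    table = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed or truncated row
        ip, flags, mac = fields[0], int(fields[2], 16), fields[3].lower()
        if flags & 0x2 and mac != "00:00:00:00:00:00":  # 0x2 = completed entry
            table[ip] = mac
    return table

def find_anomalies(previous, current, gateway):
    """Compare two {ip: mac} tables and list spoofing symptoms."""
    findings = []
    for ip, mac in current.items():
        old = previous.get(ip)
        if old and old != mac:  # an address now answers with a different MAC
            kind = "gateway-mac-changed" if ip == gateway else "mac-changed"
            findings.append((kind, ip, old, mac))
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:  # one network adapter claiming several IP addresses
            findings.append(("shared-mac", tuple(sorted(ips)), mac))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(parse_arp(BEFORE), parse_arp(DURING), "192.168.1.1"):
        print(finding)
```

Both symptoms also have harmless causes, such as a replaced router or a host that legitimately holds several IP addresses, so a finding is a reason to investigate rather than proof of interception.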
A big step towards security is using websites that use HTTPS. Websites with URLs starting with HTTPS use the SSL protocol to encrypt the data being sent between the client and the server, ensuring a considerable level of security. It’s not a bad idea to check that the website is who it says it is and that its certificate is issued by a trusted agency.
Also, it stands to reason that you should avoid using unknown public WiFi hotspots – you never know who’s watching.
Security and integrity of our online personas are incredibly important. The physical world feels more real and so it’s hard to imagine we’re as vulnerable on the Internet as we are in “real life”. The best way to go about defending our identities and data is to educate ourselves. We’ll be writing about more threats you face on the Internet, so be sure to check back soon.