The Man-in-the-Middle Trap

Well before the Internet, Guglielmo Marconi’s company (of radio fame) became the first recorded victim of an electronic Man-in-the-Middle (MITM) Attack.
It happened during a public demonstration of the then cutting-edge invention of radio transmission. A “bad actor” secretly listened to the transmission being sent from Cornwall (on the west coast of England) to the Royal Institute in London and, without the Royal Institute detecting it, transmitted a stronger signal to London carrying a revised message that appeared to come from Cornwall.
Today’s Internet attacks can work in much the same way: an attacker inserts themselves in the middle of a connection or data transfer so that all traffic is routed through them. End-to-end encryption is used to mitigate this. Even then, unless everything is encrypted, including the initial connection setup, transmissions may not be safe; we saw this recently with a number of pre-authentication attacks affecting previously highly trusted protocols such as SSH.

Many protocols continue to be developed and improved to prevent MITM attacks: TLS, SSH and the Atsign atProtocol, which not only keeps data private but also, if implemented properly, provides non-repudiation of data transmission, using authentication to bind the sender to the data and protect its integrity. In other words, you can prove with cryptographic confidence that data came from a particular person or thing.
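The Marconi relay and the non-repudiation point above, as an added example in Go that is not from the original article and is not Atsign's atProtocol: the sender signs the pair (identity, message) with an Ed25519 key, and a receiver that already holds the sender's public key from an earlier out-of-band exchange rejects a retransmission with revised text, as well as anything signed under another key. The `Envelope` format, the sender name "cornwall" and the message text are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Envelope is a constructed message format for this example: the claimed
// sender, the text, and an Ed25519 signature covering both fields.
type Envelope struct {
	Sender, Message string
	Sig             []byte
}

// signedBytes binds identity to text so neither can be swapped on its own.
func signedBytes(sender, message string) []byte { return []byte(sender + "\x00" + message) }

// Seal signs the message under the sender's private key.
func Seal(sender string, priv ed25519.PrivateKey, message string) Envelope {
	return Envelope{sender, message, ed25519.Sign(priv, signedBytes(sender, message))}
}

// Verify checks an envelope against the public key the receiver already holds for
// the claimed sender (learned out of band, not over the channel an intermediary controls).
func Verify(known map[string]ed25519.PublicKey, env Envelope) error {
	pub, ok := known[env.Sender]
	if !ok {
		return fmt.Errorf("no trusted key for claimed sender %q", env.Sender)
	}
	if !ed25519.Verify(pub, signedBytes(env.Sender, env.Message), env.Sig) {
		return fmt.Errorf("signature invalid: altered in transit or not from %q", env.Sender)
	}
	return nil
}

// RelayRewrite models the Marconi incident: a stronger retransmission carrying
// revised text under the original sender's name, with the original signature.
func RelayRewrite(env Envelope, revised string) Envelope {
	env.Message = revised
	return env
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	known := map[string]ed25519.PublicKey{"cornwall": pub} // London's trusted keys
	env := Seal("cornwall", priv, "demo starts at noon")
	fmt.Println("genuine:", Verify(known, env)) // <nil>
	fmt.Println("relayed and revised:", Verify(known, RelayRewrite(env, "demo cancelled")))
}
```

A real protocol would also cover a nonce or timestamp in the signed bytes so that a genuine message cannot simply be recorded and replayed later.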
We have seen huge leaps of progress on the Internet. Yet it seems that corporations are intent on undoing this work by installing MITM software and hardware to inspect their employees’ behavior.
Currently, very large brands in the remote access and cloud spaces actively use MITM techniques to offer services and insights into employees’ behavior. Doing so deliberately creates a MITM position, and with it a new attack surface. That attack surface can also be used to manipulate employee access data, which can go very wrong for both the company and its employees.
You only need to look at the recent TV series Mr Bates vs The Post Office to understand just how wrong this can go. In that case, the Post Office stuck to its belief that its accounting system was infallible, which led to the financial ruin and wrongful imprisonment of its employees. The same misplaced faith has been seen with fingerprint and DNA evidence.
Balancing the need for employee monitoring against privacy, non-repudiation, and legal considerations is crucial. Techniques such as inserting CA certificates, bastions, and proxies offer monitoring capabilities, but they open new attack surfaces and create the potential for manipulation of the access data.
Atsign’s approach, which provides end-to-end security together with cryptographic proofs, allows corporate policies to be implemented more safely.
Learn more about how Atsign can protect you—and your data—from MITM attacks—set up a demo today.