By Bruce Schneier
July 9, 2008
Last week's dramatic rescue of 15 hostages held by the guerrilla
organization FARC was the result of months of intricate deception on the
part of the Colombian government. At the center was a classic
In a man-in-the-middle attack, the attacker inserts himself between two
communicating parties. Both believe they're talking to each other, and
the attacker can delete or modify the communications at will. The Wall
Street Journal reported how this gambit played out in Colombia. The plan
had a chance of working because, for months, in an operation one army
officer likened to a "broken telephone," military intelligence had been
able to convince Ms. Betancourt's captor, Gerardo Aguilar, a guerrilla
known as "Cesar," that he was communicating with his top bosses in the
guerrillas' seven-man secretariat. Army intelligence convinced top
guerrilla leaders that they were talking to Cesar. In reality, both were
talking to army intelligence.
This ploy worked because Cesar and his guerrilla bosses didn't know
each other well. They didn't recognize each others' voices, and
didn't have a friendship or shared history that could have tipped
them off about the ruse. Man-in-the-middle is defeated by context,
and the FARC guerillas didn't have any.
And that's why man-in-the-middle, abbreviated MITM in the computer
security community, is such a problem online: Internet communication is
often stripped of any context. There's no way to recognize someone's
face. There's no way to recognize someone's voice. When you receive an
e-mail purporting to come from a person or organization, you have no
idea who actually sent it. When you visit a website, you have no idea if
you're really visiting that website. We all like to pretend that we know
who we're communicating with -- and for the most part, of course, there
isn't any attacker inserting himself into our communications -- but in
reality, we don't. And there are lots of hacker tools that exploit this
unjustified trust, and implement MITM attacks.
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com