I would not class a phishing attempt as a MitM attack; it’s just social 
engineering (or leveraging user ignorance) to obtain information. No one is 
getting in the middle at all; it’s just subterfuge. There are no technological 
solutions to behavior problems.
MitM is someone who has managed to interject his presence into a private 
conversation and eavesdrop on it (insert appropriate technical terms as needed 
to make the general definition more specific). It’s not a simple thing to do 
and that right there elevates the threat level. One does not go through the 
gyrations and work necessary for a successful MitM attack only to plant pop-up 
ads.

From: David Lum 
Sent: Thursday, August 01, 2013 9:43 AM
To: [email protected] 
Subject: RE: [NTSysADM] man-in-the-middle attack

Oh hey, maybe I should get caught up in the thread before replying…

 

· Remote user goes to ADFS to leverage SSO to get to 3rd party for travel
  expenses, etc. which includes entering credit card data

· Focus on MITM because the discussion became centered around TLS 1.2 after I
  requested to turn off Extended Protection in IIS7
  (http://support.microsoft.com/kb/973917/en-us) which is only supported by IE

· See bullet 1

 

What is the most common way to initiate a MITM attack? Phishing e-mail with a 
link?

 

Dave

 

From: [email protected] [mailto:[email protected]] On 
Behalf Of Andrew S. Baker
Sent: Thursday, August 01, 2013 6:43 AM
To: ntsysadm
Subject: Re: [NTSysADM] man-in-the-middle attack

 

I think you missed Ken's point, Micheal.

 

For any given scenario, the likelihood of it happening has to be considered AS 
WELL AS (not independently of) the consequences if it happens.

 

His last paragraph is instructive here:

 

    Using your method results in too much attention being paid to extreme 
events, and inadequate supervision of more mundane, even boring, events that 
result in small losses. Except lots of small losses can be just as crippling to 
a business.

 

 

As to the original question of "In short, what are the odds of a MITM attack 
actually happening between my remote employee and our ADFS server?"

 

I would respond that there is insufficient information in the thread thus far 
to actually answer that question.

 

David's question begs a few questions from me:

-- How are the ADFS servers being used as relates to these remote devices?

-- Why the focus on man-in-the-middle attacks?  (Is this the only perceived 
risk of remote and mobile systems?)

-- What apps will the users be accessing after authentication?

 

Regards,

 

      ASB
      http://XeeMe.com/AndrewBaker
      Providing Virtual CIO Services (IT Operations & Information Security) for 
the SMB market…
     

 
