Agreed. This MITM isn't a focus but more accurately spun from a discussion that 
was started here all because I was asked to disable Extended Protection for 
Windows authentication in IIS7 to allow non-IE browsers to connect, to which I 
got "if the protection is there by Microsoft, it's for a reason". Really.

They are slow to think outside their old ways here... a couple of months ago I had 
to dispel the old thinking of "indiscriminately turning off unused things" 
relative to IPv6 by pointing them to some articles...

From: [email protected] [mailto:[email protected]] On 
Behalf Of Andrew S. Baker
Sent: Thursday, August 01, 2013 10:16 AM
To: ntsysadm
Subject: Re: [NTSysADM] man-in-the-middle attack

>>What is the most common way to initiate a MITM attack? Phishing e-mail with a 
>>link?

That would depend entirely on the technologies involved.  You could wait in the 
right place, you could phish to get in the right place, you could spoof or 
poison DNS to send the users to the "right" place...

You really need to focus your risk mitigation on specific, credible threats 
that you wish to address, and then determine if it is worth it for any 
particular mitigation approach.  Otherwise, not only might you miss low-hanging 
fruit that is less sexy but more damaging in the aggregate, you might end up 
spending $100K to prevent a loss of $50K.

ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the 
SMB market...

On Thu, Aug 1, 2013 at 10:43 AM, David Lum 
<[email protected]> wrote:
Oh hey, maybe I should get caught up in the thread before replying...


* Remote user goes to ADFS to leverage SSO to get to 3rd party for 
travel expenses, etc. which includes entering credit card data

* Focus on MITM because the discussion became centered around TLS 1.2 
after I requested to turn off Extended Protection in IIS7 
(http://support.microsoft.com/kb/973917/en-us) which is only supported by IE

* See bullet 1

What is the most common way to initiate a MITM attack? Phishing e-mail with a 
link?

Dave

From: [email protected] 
[mailto:[email protected]] 
On Behalf Of Andrew S. Baker
Sent: Thursday, August 01, 2013 6:43 AM
To: ntsysadm
Subject: Re: [NTSysADM] man-in-the-middle attack

I think you missed Ken's point, Micheal.

For any given scenario, the likelihood of it happening has to be considered AS 
WELL AS (not independently of) the consequences if it happens.

His last paragraph is instructive here:

Using your method results in too much attention being paid to extreme events, 
and inadequate supervision of more mundane, even boring, events that result in 
small losses. Except lots of small losses can be just as crippling to a 
business.


As to the original question of "In short, what are the odds of a MITM attack 
actually happening between my remote employee and our ADFS server?"

I would respond that there is insufficient information in the thread thus far 
to actually answer that question.

David's question begs a few questions from me:
-- How are the ADFS servers being used as relates to these remote devices?
-- Why the focus on man-in-the-middle attacks?  (Is this the only perceived 
risk of remote and mobile systems?)
-- What apps will the users be accessing after authentication?

Regards,



ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the 
SMB market...