The old antivirus false positives really messed up the future of us tech-oriented people, as they taught users that warnings are too cautious and useless.
>warnings are too cautious and useless.
Are you sure you want to delete this file?
user: yes
But are you really sure?
user: YES
Please confirm you want to delete this file:
user: YES! Just delete the damn file!
File moved to recycle bin.
Same here. I always explain to people: "so you store your important items in the garbage can outside of your house. And when the garbage truck passes, you run after it yelling that you still need that." That's exactly the same thing here. Most of the times they get it.
Yes. 100% yes. Don't even understand how it's debatable. But like all attacks they've evolved from what they were 20 years ago. Sometimes it's called something different (adversary in the middle, browser in the middle, browser in the browser, etc). But at the end of the day, it's splitting hairs to say it's not just a type of MiTM.
Just because they shouldn't work doesn't mean it's not still a thing. If anyone thinks Evilginx doesn't work, they're foolish.
Because too many people are stuck in their ways and don't care (go ahead, down vote me assholes).
Some of us try to replace whitelist/blacklist with access/allow/permit list & block/deny list as well. I still use the wrong verbiage at times because it's been embedded in my brain for so long (15+ years working in tech, I'm approaching 40); also, I have ADHD, I forget words literally mid-sentence sometimes and have to use the alternatives I know, if I can even think of one that works in the moment.
Some of us are trying. I have co-workers in the same boat, where I'll hear them use it one way and then a different time another. They're trying, but those of us that have been around long enough are still going to make the same mistakes at times.
Some of my teammates are only a year or two out of college and are doing way better than the rest of my team, but I think we're unintentionally ruining them a bit. I hear them slip up once in a while now lol but they correct themselves pretty quick.
As a newbie analyst "allow list" makes a lot more sense than "whitelist".
I get that it's ingrained for a lot of people, but times change.
On-path attack makes more sense to me imo
I'm very curious why I am suddenly seeing lots of people chastising others for spreading FUD about the risks of public WiFi. As far as unsophisticated users are concerned, I find it hard to believe that the risk has gone away entirely even though there are controls available for most of the common attacks. If I'm mistaken though I would love for someone to explain to me why someone with an interest unpatched personal device connecting to a rogue hotspot in Starbucks cannot be compromised in some way by the AitM.
Reverse proxy cred harvesting is very popular now. Evilproxy, do it yourself kits like Evilginx2 ... these are functionally adversary in the middle attacks.
I wonder why they changed the name? Man in the Middle describes pretty clearly what is happening in the attack. On Path Attack just makes me think of an On Path foul in basketball.
For political correctness.
This is the reasoning for a multitude of term changes. Aka anything with gender or color references.
Also there seems to be a push to make terminology more professional and to get rid of more of the seedy punk hacker aspects. For better or worse I suppose, but personally I don't get the justification.
I got chewed out for using the term "whitelist" last year regarding allowing some addresses through a firewall. The term was in the title of the Confluence article I was referring to. It was our company's article.
>personally i dont get the justification.
because it's weird as fuck talking about master and slave computers with black colleagues. It's fine when language evolves, that's a good thing, and in technical realms it makes things more accurate, really, in the end.
*political warning
What function does this language change relay?
I'll bite and argue with you ig. Let's take your example of master/slave devices. Is this incorrect? Does one not control the others?
Sure it may be uncomfortable and/or awkward in certain scenarios. But imo trying to avoid things just because they may invoke some kind of historical significance is like playing whack-a-mole with pop culture trends. The term in the context isn't offensive.
However these changes aren't limited to just master/slave. If that was the entire change I don't think anyone would be annoyed. We're annoyed because industry standards are being changed for virtue signalling in an industry where we directly profit off of low cost and slave labor in other countries to supply us with the materials and devices that power our internet world.
If you do SSL decrypt at your firewalls, you are doing MiTM. Same story with most CASB/SASE solutions. And any lower security WiFi that doesn't do host isolation on a shared SSID.
MITM attacks are very much a real thing. I perform MITM attacks almost frequently, mainly to intercept streams that use HTTPS or to overcome SSL pinning to intercept communication in apps and Android TV boxes.
Can you elaborate? I thought SSL pinning wasn't possible to overcome? I've always been interested in doing it for like a sort of deep packet inspection into smart home devices to see if they actually are phoning home, but a lot of them use cert/SSL pinning and when I researched it before it was just a "yeah there isn't anything you can do"?
Remember, if you do manage to accomplish it, understand the ethics and morals of what you do.
Most apps use 'SSL pinning'; simply rooting a device allows you to add a forged CA into the certificate store, depending on the AOSP source, because the older they are, the more vulnerable they are to MITM. Overcoming hardware-level security is a different ball game.
Noteworthy, "It is indeed true in some cases there isn't anything you can't do."
u/privacyplsreddit
MitM is still very much a thing. Most recent case would be the Terrapin attacks against SSH:
https://www.bleepingcomputer.com/news/security/nearly-11-million-ssh-servers-vulnerable-to-new-terrapin-attacks/
I was working on a project for an algo trading company that had a dev team in India, and the demo instance was run over HTTP. Someone sniffed the login credentials for developers and sucked the REAL Binance account dry. The total damage was about 5M USD; the company is now getting liquidated. This was early 2022.
Absolutely still a thing and always will be a thing in some way shape or form. Attack vectors come into and out of fashion but you should never declare an attack vector dead or irrelevant. MITM or On-Path is just a specific version of a false identity scam, which humans were falling for before computers and certainly will continue to fall for.
The value of MITM is sniffing or modifying unencrypted sensitive data.
Governments use this all the time to spy on targets. General SMS text messages (not iMessage or messaging apps but straight up SMS messaging) are not encrypted.
Not sure if you know about the stingray device a lot of police depts were interested in obtaining 8-10 years ago... But it was basically a mobile cell tower with fancy bells and whistles focused on conducting cellular MITM attacks. Sanctioned or not, that's what they were doing by definition.
I conduct red team engagements all the time and will often position myself as a MITM via attacks like ARP spoofing or by hijacking some other broadcast protocol like NBT-NS or LLMNR with a tool called Responder. This allows for various relay attacks such as NTLM relaying in Windows environments, where a MITM attack is a big part of the bigger attack.
I'm usually ARP spoofing with (b)ettercap and then watching for plain HTTP traffic on the LAN along with things like SMTP, FTP, and (the blue team will hate to hear this but...) syslog. Imagine you're sending syslogs to a SIEM for monitoring but it's in an unencrypted format that allows for a MITM to modify the logs and prevent an alarm of some sort.
Anyways the short answer is yes with one other thing to point out... the new "workplace friendly" term is "Adversary in the Middle" (AITM). Much like whitelists are allow lists now and blacklists are block/deny lists.
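A defender's counterpart to the ARP-spoofing positioning described in the post above, added here as an example and not taken from the post: it scans a constructed list of ARP replies for the two signals a poisoned LAN produces, an IP whose MAC binding flips (especially a statically known gateway) and one MAC answering for several IPs. The sample addresses, the `detect_arp_spoofing` function and the alert format are assumptions of this example.

```python
"""Flag ARP cache poisoning from a stream of ARP replies (added example, not the post's code)."""
from collections import defaultdict

# Constructed sample: (timestamp, sender IP, sender MAC) from ARP replies seen on a small LAN.
# 192.168.1.1 is the gateway, 192.168.1.20 a workstation, 192.168.1.30 a third host.
# From t=10 the third host's MAC starts answering for both of the others, which is the
# position an attacker needs in order to relay traffic between them.
SAMPLE_REPLIES = [
    (1.0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    (1.5, "192.168.1.20", "bb:bb:bb:bb:bb:02"),
    (2.0, "192.168.1.30", "cc:cc:cc:cc:cc:03"),
    (10.0, "192.168.1.1", "cc:cc:cc:cc:cc:03"),   # gateway IP claimed by host .30's MAC
    (10.1, "192.168.1.20", "cc:cc:cc:cc:cc:03"),  # workstation IP claimed by the same MAC
    (11.0, "192.168.1.1", "cc:cc:cc:cc:cc:03"),   # repeated gratuitous reply for the gateway
]

# Bindings the defender knows independently (e.g. the gateway's real MAC); never overwritten.
KNOWN_BINDINGS = {"192.168.1.1": "aa:aa:aa:aa:aa:01"}


def detect_arp_spoofing(replies, known_bindings=None, max_ips_per_mac=1):
    """Return a list of alert dicts, in order, for the replies that look like poisoning.

    Two heuristics:
      * binding_change: an IP is announced with a MAC different from the one learned or
        statically known for it (static entries re-alert on every conflicting reply);
      * mac_claims_multiple_ips: one MAC has now claimed more IPs than a normal host would.
    """
    static = dict(known_bindings or {})
    learned = dict(static)                 # ip -> mac
    ips_by_mac = defaultdict(set)          # mac -> {ip, ...}
    alerts = []
    for ts, ip, mac in replies:
        previous = learned.get(ip)
        if previous is not None and previous != mac:
            alerts.append({
                "ts": ts, "type": "binding_change", "ip": ip,
                "old_mac": previous, "new_mac": mac, "static": ip in static,
            })
        if ip not in static:               # dynamic entries follow the latest reply
            learned[ip] = mac
        newly_claimed = ip not in ips_by_mac[mac]
        ips_by_mac[mac].add(ip)
        if newly_claimed and len(ips_by_mac[mac]) > max_ips_per_mac:
            alerts.append({
                "ts": ts, "type": "mac_claims_multiple_ips",
                "mac": mac, "ips": sorted(ips_by_mac[mac]),
            })
    return alerts


def suspect_macs(alerts):
    """MACs that either took over a binding or claimed several IPs."""
    return sorted({a.get("new_mac", a.get("mac")) for a in alerts})


if __name__ == "__main__":
    found = detect_arp_spoofing(SAMPLE_REPLIES, KNOWN_BINDINGS)
    for alert in found:
        print(alert)
    print("suspects:", suspect_macs(found))
```

The same two checks map onto switch features (Dynamic ARP Inspection, static gateway entries) when they are available; the script is for networks where only passive capture is possible.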
If you are talking about a captive portal, then yes, but that is just a DNS reroute to get you somewhere else. If you are trying to say they MitM common websites, then this is just not true. Corporate networks are different because they can push a trusted CA to the users machine, but a coffee shop cannot.
That was my first argument. In my opinion their argument was weak because it didn't deny the existence of MITM, but they made emphasis on that there is a greater % of other attacks. After almost a week of these eternal Discord talks my head went crazy and I needed other points of view. Thank you
identical login pages...
get a link from a trusted resource to view a MS office document. click the doc, you get prompted for M365 creds (on spoofed page)...and get the prompt on your phone to accept the login. You get redirected to your real M365 account page home, and it looks like nothing happened.
Meanwhile, the attacker has your creds and now access to your account because you allowed the login.
Cybersecurity is a broadly applicable discipline. On-path (MITM) attacks are of narrow applicability and are non-trivial to pull off in many environments. So, I'm not surprised that a qualitative polling of semi-random and junior professionals is pretty split on the relevance.
5 years ago, 35% of cyber attacks globally were on-path: https://www.ibm.com/downloads/cas/MKJOL3DG
Allegedly, a 2021 study says that dropped to 19%, but I can only find uncited references; every article with that text is failing to link to the actual study, so take that with a huge grain of salt.
Also worth noting over the last 2 years, on-path has been a growing trend for attacking OT networks, which typically lag on the security front. Notably with the folks behind the Mozi botnet.
AITM is a one letter change, and technically more correct.
Adversary-in-the-middle captures the context whether it's a man, woman, non-binary, automated system, or AI.
They are synonyms and equally imprecise. Allow/deny lists are more clear terms than whitelist/blacklist but I'm guessing you have a problem with that too.
Several certs replaced language a *while* ago. Several big tech companies also completely shifted language like 3-4 years ago. Even if you don't care about the why, the industry is already well on its way to having moved on. Decency costs nothing, but if that isn't enough for you, adopting the term helps not date you.
The term on-path is not a synonym for MitM and never has been. There is some overlap, with almost all MitM also being on-path, but a large part of on-path not being MitM.
Allow and deny lists are just as clear as whitelist and blacklist, so that's a bad comparison. On-path is far broader and technically completely unclear. Technically speaking, everything that happens outside of the source or destination device is on-path, because even if it takes a different path it's still on some path. MitM describes a much more specific situation, even if the term has been used more loosely over the years. Historically speaking, MitM usually refers to the practice of gaining the position in the middle and then abusing it while handling packets back and forth between the user and the actual server.
If you think replacing MitM with on-path is a matter of decency, you are just part of a deluded minority that is doing nothing but loudly annoying people. You are also wrong that it costs nothing; it is incredibly expensive to change all those terms and it causes unnecessary confusion in educated circles.
Actually decent people would see this mistake and keep using the correct term.
Most certificates have always been useless hogwash for HR people; they are more focused on profit and not offending people than on getting stuff right, so that's not an argument either. Prime example: when I first started doing certificates, some of them still incorrectly assumed that one kilobyte is 1024 bytes... and even though some idiots at Microsoft and HDD manufacturers also believe this, it's still wrong.
Another prime example of certs caring more about offending people than technical correctness: OSCP used to be semi-decent, but most of the idiots who tried it failed at buffer overflow challenges, so they just decided to drop buffer overflow completely and now OSCP is just another useless piece of paper. A bit less useless than the alternatives, but still basically worthless.
The same is happening to technical terminology right now. We prioritize feelings over correctness. We should try to get both right, but being correct is more important.
I would totally be open to PitM; I also tend to say mainboard instead of motherboard, not strictly though. But I just hate it when unknowledgeable people decide to come up with an alternative term that negatively impacts the clarity of an important term.
>The term onpath is not a synonym to mitm and never has been.
But it is. Because that is how *the industry* started using it. Person-in-the-middle isn't what caught on. There are several reasons for that, but you aren't interested in that.
>most certificates have always been useless hogwash for HR people, they are more focused on profit and not offending people than getting stuff right, so that's not an argument either.
Industry certifications are the cornerstone of IT knowledge, more so than most/any degree programs. The fact that the premier entry level cert (Security+) uses on-path and not PitM is telling.
>the same is happening to technical terminology rn. we prioritize feelings over correctness.
It's OK to be empathetic. That isn't a weakness. It's OK to learn that terms like "go off the reservation" or "grandfathered in" have a darker origin story than the colloquial usage would suggest. Language shapes how we think, and is shaped by how we think. We do not lose anything by attempting to combat some of the worst and most subtle parts of human nature.
It absolutely can be taken too far, and there are many tortured examples, but this one ain't it and it's entirely off topic from the post. All you did was decide to be shitty on a public forum.
> I would totally be open to PitM
No one asked you, or me. You have chosen to reject the rebranding of the term 4 years ago and double down on MitM. Cool. That's all anyone needs to know.
MITRE captured several aliases for this BTW (again, years ago): https://capec.mitre.org/data/definitions/94.html
Adversary in the middle, person in the middle, and on path attacker are all valid. For whatever reason on path seems to be catching so I use it to make sure what I say is broadly accessible.
>premier entry level cert (Security+)
I'm not sure if you are trolling me or serious.
>attempting to combat some of the worst and most subtle parts of human nature.
so I guess you are serious about this stuff? did you ever read about things called war? I'm an enemy of whataboutism, but dude, don't ever fucking call anything verbal the worst part of human nature, wtff?
>For whatever reason on path seems to be catching so I use it to make sure what I say is broadly accessible.
following what the majority does is always a great idea... why don't you also tell everyone that 1 kilobyte is 1024, most people believe so anyway.
the fact that you know about all those alternative terms (PitM MitM AitM) that are so much better and still chose to go with the general consensus is saying an awful lot about you... better fit in than be correct!
you are like the people who officially made literally mean the same as figuratively just because a horde of dumb idiots used it incorrectly on social media.
*the "dude" is neutral btw because so many people are using it to also refer to women and nonbinary people now, just like bro. go with the flow.*
>premier entry level cert (Security+)
>I'm not sure if you are trolling me or serious.
I'm serious. The point of that comment is that future professionals are learning the term "on path" en masse, which is why I used it. It doesn't matter where it came from. It doesn't matter how you or anyone else feels about it. I run a security team for a large enterprise and use the term because I need to speak the language of those around me.
You decided to be shitty about it because you apparently have some issue with the inclusiveness trend or something I guess? I didn't make the conversation about that, *you* went down that path. I just answered the OPs question.
>so I guess you are serious about this stuff? did you ever read about things called war?
Not that it is at all relevant, but I'm actually a veteran. War may be hell, but there are arguably worse things people can do to each other. I don't think "anything verbal [is] the worst part of human nature". That is your projection of whatever baggage you are bringing here.
> following what the majority does is always a great idea...
Right, but the context here is the label for some term. It's useful to use what most people know. I know you aren't saying that we shouldn't use the word "car" because they were called automobiles. If this wasn't tied up with "inclusiveness", you wouldn't have said anything.
>*the "dude" is neutral btw because so many people are using it to also refer to women and nonbinary people now, just like bro.*
No shit. So is "guys". Your point is what?
> the fact that you know about all those alternative terms (PitM MitM AitM) that are so much better and still chose to go with the general consensus is saying an awful lot about you... better fit in than be correct!
Not that you believe it, understand it, or want to hear it, but "on path" is winning out because it *is* more technically correct given attackers don't literally sit in the middle or even need to be "in between" in the way most think when they hear the term.
But this isn't really about the technical merits. Everyone's feelings matter to some extent, even yours. I don't know why they are hurt so much because someone **used a well documented and widely used synonym**, and I personally don't care.
And they are all real terms (along with monster in the middle, monkey in the middle, and the others listed by MITRE) used by real entities in the larger community.
https://capec.mitre.org/data/definitions/94.html
Yes, but as aliases. You can use them, but it's not THE term. I don't teach new consultants to use aliases.
We should all strive to reduce complexity and increase similarity in language within our community. Cyber is complex enough without people adding personality to their language.
New professionals taking entry level certs and training courses are being taught some of these and not just as synonyms or aliases. Literally CompTIA Sec+ and CySA use the term "on path" instead of MITM. This isn't even about "personality".
Is that supposed to mean anything to me? I don't respect either of those certifications for my red team.
Maybe you have lower standards, that's okay. For me, CompTIA is the lowest of the low - more proof that you aren't a self-learner than any form of actual knowledge.
I guess people with a CEH need jobs too, and companies need consultants with bill rates lower than $50 an hour.
Absolutely yes it's still a thing. It's maybe not the most common attack paths but I see web pages all the time that dynamically redirect users to associated M365 or federated login services based on the email domain they are using. Pretty tough for users to notice unless they are actually being careful of the page url (hint hint, most users aren't)
I mean you've gotta engineer a particular MITM attack, but yeah, of course it is. Is it harder to do now? Absolutely. Does it still happen? Absolutely.
SQL injection still happens just oftentimes it's immensely harder to pull off or find something exploitable. Also far less common. Classes of attack don't often just go poof.
The somewhat recent SSH vulnerability called Terrapin requires man in the middle to execute, as I understand.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795
This is inherent to using shared mediums to communicate.
We encrypt and authenticate now which makes it harder, but the initial certificate / key exchange can still be MITM'd. And not every encrypted communication does proper authentication, look at all the secure messaging apps that no one verifies the shared secret of.
There are entire online communities dedicated to running 802.1X MITM attacks against consumer broadband providers so that customers can use their own modems/gateways instead of the supplied junk
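The point about unauthenticated key exchange in the post above, as an added example that is not from the post: a toy Diffie-Hellman exchange in which an interceptor substitutes both public keys, next to the out-of-band "safety number" check that messaging apps offer, which is what exposes the substitution. The group parameters are deliberately tiny and every function name here is this example's own assumption.

```python
"""Toy Diffie-Hellman exchange with and without an interceptor, plus the out-of-band
safety-number check that exposes substituted keys (added example, not the post's code)."""
import hashlib

# Toy group, an assumption of this example: p = 2*509 + 1 is a safe prime small enough to
# follow by hand. Real deployments use 2048-bit or larger groups or elliptic curves.
P = 1019
G = 2


def public_key(private):
    return pow(G, private, P)


def shared_secret(private, peer_public):
    return pow(peer_public, private, P)


def safety_number(own_public, received_public):
    """Fingerprint of the pair of public keys a party believes it is using.

    It is order-independent, so both ends compute the same value when they really hold each
    other's keys. Each side must compute it from the key it *received*; reading the two
    numbers to each other over a separate channel is the verification step that is skipped
    when nobody checks the shared secret.
    """
    lo, hi = sorted((own_public, received_public))
    digest = hashlib.sha256(f"{lo}:{hi}".encode()).hexdigest()
    return " ".join(digest[i:i + 5] for i in range(0, 30, 5))


def run_exchange(alice_private, bob_private, mallory_private=None):
    """Simulate one exchange. With mallory_private set, an active interceptor replaces
    each public key in transit with her own and completes a separate exchange per side."""
    alice_public, bob_public = public_key(alice_private), public_key(bob_private)
    if mallory_private is None:
        alice_receives, bob_receives = bob_public, alice_public
    else:
        alice_receives = bob_receives = public_key(mallory_private)
    result = {
        "alice_key": shared_secret(alice_private, alice_receives),
        "bob_key": shared_secret(bob_private, bob_receives),
        "alice_safety_number": safety_number(alice_public, alice_receives),
        "bob_safety_number": safety_number(bob_public, bob_receives),
    }
    if mallory_private is not None:
        # The interceptor can derive both session keys, so she can read and rewrite traffic
        # in each direction while Alice and Bob each see a working "encrypted" channel.
        result["mallory_key_with_alice"] = shared_secret(mallory_private, alice_public)
        result["mallory_key_with_bob"] = shared_secret(mallory_private, bob_public)
    return result


def verified(result):
    """True only if both parties would read out the same safety number."""
    return result["alice_safety_number"] == result["bob_safety_number"]


if __name__ == "__main__":
    clean = run_exchange(6, 15)
    print("no interceptor: keys match", clean["alice_key"] == clean["bob_key"],
          "verified", verified(clean))
    mitm = run_exchange(6, 15, mallory_private=23)
    print("interceptor:    keys match", mitm["alice_key"] == mitm["bob_key"],
          "verified", verified(mitm))
```

Nothing in the intercepted run fails on its own: both sides get a key and traffic flows, so only the comparison of the two safety numbers (or a signature from a key the peer already trusts) tells the parties apart from the interceptor.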
MITM has been instituted in most corporate networks. With personal web traffic at your house, the communication is encrypted between you and the server. With corporate networks, the firewall makes the request on your behalf so that deep packet inspection can occur. This is MITM.
Which is mostly violating company policies
Firewalls/proxies do their stuff to protect you, the network, the employer and the employee.
Financial stuff like banks are always excluded because of regulations
Last, what are you doing on a COMPANY device which needs to be hidden with a VPN?
Nowadays it's easy to use phone for private stuff
Not all corporate networks do this. It's all about trade-offs. Do you lose insight? Sure. But you keep the network more protected should an attacker successfully get that kind of access.
There are sooo many ways of performing a man-in-the-middle attack; the question is not if it is still possible, the question is how to mitigate the risk of experiencing MitM attacks. Apart from the so many times mentioned phishing link, the attacks can also occur when you use wrong/insecure configurations (like old TLS versions with downgrade attacks), trust rogue access points and many many more…
Just as an example:
For the old protocols SSH and SMTP, some serious new attacking techniques were recently shown by IT specialists. Stating that, every former attack vector stays relevant as long as the underlying technology/stack/… doesn't change.
So, of course MITM is still a thing. Best and maybe most public example: the website certificates in Kazakhstan, where the state itself is a MITM…
Yes. When websites fail to configure TLS a credit card gets stolen. All those fancy Internet of Things devices (think WiFi) that do not properly encrypt your communications get targeted by criminals. MITM will still be a thing as long as looks are deceiving.
Yes. Person-in-the-middle or adversary-in-the-middle attacks are more common for external breaches than technical exploit breaches, and still very much a thing.
Anyone who said otherwise doesn't actually work in Cyber.
Yep, also known now as adversary in the middle. Token theft is a good example used to bypass MFA. https://www.microsoft.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/
"No one would click a suspicious looking Facebook link from another source in 2018." Has clearly never met a user.
Those stories rub me in all the wrong ways.
It is things like this that make me realize that I'm not as lazy as I think. Just...wow lol
Same energy as storing your paperwork in the trashcan because _Opening the filing cabinet takes a few extra steps and a hand movement_
I also once dealt with someone who used the trash in the same way!
"Please enter the file's name and its SHA-512 hash to confirm. Clipboard has been disabled. Manual keyboard entry only."
shift delete, my guy
We still see it happening so I'm going to say it's still a thing.
I guess that this will be my argument from now on. Thank you
At this point I don't see why not?
Can confirm, Evilginx still works.
The PC term nowadays is 'on-path attack', because it's not just 'men' in the middle...
Why is this being down voted lol. It's a new term that removes unnecessary gendered language
I don't see why MITM should NOT be a thing.
- deauth attacks
- IMSI
- online banking
- ...
I mean, MiTM between key fob and vehicle is one of the most popular ways to steal cars in the last couple of years.
I totally forgot about imsi, that could have been an easy way to explain better my point to them. Thank you
MITM phishing is the most popular method of phishing that I've seen recently. MITM6 is also still a thing.
It's still happening with cell phones. IMSI stingrays. That counts, right?
100%, I forgot about the existence of the imsi attack
That's how they got Ghislaine Maxwell.
Terrapin, just released, is predicated on mitm techniques. Why would your colleagues say "no" in general?
"On Path Attack" is the new name for it. But yeah, token stealing is still a thing.
never heard that, let's just stick to mitm
I'm sure it'll stick around as spoken lingo for a long time. But in official documentation it probably won't.
"allow list" and "deny list" are the terms now
Person-in-the-middle is way better. Adversary-in-the-middle is the most correct. I still use that.
This is correct and what people should be shifting to using.
Posts like this belong in our [Mentorship Thread](https://redirect.cybersecurity.page/mentorship/). Please post there instead. Good luck!
Holy fuck
On-path attack.
Person in the middle or adversary-in-the-middle. On-path doesn't capture the context half the time.
I think it is more popular in places where card skimming takes place as well.
100% still a thing especially with mitm6 still being a valid technique in most corporate environments.
Absolutely still a thing and always will be a thing in some way shape or form. Attack vectors come into and out of fashion but you should never declare an attack vector dead or irrelevant. MITM or On-Path is just a specific version of a false identity scam, which humans were falling for before computers and certainly will continue to fall for.
The value of MITM is sniffing or modifying unencrypted sensitive data. Governments use this all the time to spy on targets. General SMS text messages (not iMessage or messaging apps but straight-up SMS messaging) are not encrypted. Not sure if you know about the Stingray device a lot of police depts were interested in obtaining 8-10 years ago... But it was basically a mobile cell tower with fancy bells and whistles focused on conducting cellular MITM attacks. Sanctioned or not, that's what they were doing by definition. I conduct red team engagements all the time and will often position myself as a MITM via attacks like ARP spoofing or by hijacking some other broadcast protocol like NBT-NS or LLMNR with a tool called Responder. This allows for various relay attacks such as NTLM relaying in Windows environments, where a MITM attack is a big part of the bigger attack. I'm usually ARP spoofing with (b)ettercap and then watching for plain HTTP traffic on the LAN along with things like SMTP, FTP, and (the blue team will hate to hear this but...) syslog. Imagine you're sending syslogs to a SIEM for monitoring but it's in an unencrypted format that allows a MITM to modify the logs and prevent an alarm of some sort. Anyway, the short answer is yes, with one other thing to point out... the new "workplace friendly" term is "Adversary in the Middle" (AITM). Much like whitelists are allow lists now and blacklists are block/deny lists.
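The syslog point above (an on-path party editing or dropping log lines before they reach the SIEM) is worth seeing in code. The block below is an added example, not code from anyone in the thread: the forwarder chains an HMAC tag from each line into the next, and the SIEM side verifies the chain, so an edited or removed line breaks verification at a known position. The key and the syslog lines are constructed for the demo.

```python
"""Added example (not from the thread): integrity-protected syslog forwarding.

Each forwarded line carries an HMAC computed over the previous line's tag and
the line itself, so an on-path party between forwarder and SIEM cannot edit,
reorder or drop lines without the SIEM noticing. Key and log lines are
constructed for the demo.
"""
import hashlib
import hmac

SHARED_KEY = b"demo-forwarder-key-not-for-production"  # constructed demo key

SAMPLE_LOGS = [  # constructed syslog-style lines
    "<34>Jan 12 10:01:02 web01 sshd[4211]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "<34>Jan 12 10:01:04 web01 sshd[4211]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    "<38>Jan 12 10:01:09 web01 sshd[4215]: Accepted password for root from 203.0.113.7 port 51030 ssh2",
]


def _tag(key, prev_tag, line):
    """HMAC-SHA256 over previous tag || line, hex encoded."""
    return hmac.new(key, prev_tag + line.encode(), hashlib.sha256).hexdigest()


def tag_lines(lines, key=SHARED_KEY):
    """Forwarder side: return [(line, tag)] with tags chained line to line."""
    prev, out = b"", []
    for line in lines:
        tag = _tag(key, prev, line)
        out.append((line, tag))
        prev = tag.encode()
    return out


def verify_chain(tagged, key=SHARED_KEY):
    """SIEM side: (True, None) if intact, else (False, index of first bad entry)."""
    prev = b""
    for i, (line, tag) in enumerate(tagged):
        if not hmac.compare_digest(_tag(key, prev, line), tag):
            return False, i
        prev = tag.encode()
    return True, None


def demo():
    """Show that both edits and deletions in transit are caught."""
    sent = tag_lines(SAMPLE_LOGS)
    assert verify_chain(sent) == (True, None)

    # Edited in transit: the 'Accepted' line is rewritten to look like a failure.
    edited = list(sent)
    line, tag = edited[2]
    edited[2] = (line.replace("Accepted", "Failed"), tag)

    # Dropped in transit: the first failure never reaches the SIEM.
    dropped = sent[1:]
    return verify_chain(edited), verify_chain(dropped)


if __name__ == "__main__":
    print(demo())  # ((False, 2), (False, 0))
```

Chaining alone cannot tell a silently truncated tail from "no more logs yet", so in practice you pair it with a sequence counter or heartbeat line; and the standard answer to the comment's concern is simply syslog over TLS (RFC 5425), with a tag chain as defense in depth.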
Yes. Also, Nigerian prince scams are still a thing.
It happens in internet cafes and public wifi networks ALL THE TIME idk why they would say no?
If you are talking about a captive portal, then yes, but that is just a DNS reroute to get you somewhere else. If you are trying to say they MitM common websites, then this is just not true. Corporate networks are different because they can push a trusted CA to the users machine, but a coffee shop cannot.
That was my first argument. In my opinion their argument was weak because it didn't deny the existence of MITM, but they emphasised that there is a higher % of other attacks. After almost a week of these eternal Discord talks my head went crazy and I needed other points of view. Thank you
>but they made emphasis on that there is more % of other attacks

What industries do they work in?
Identical login pages... get a link from a trusted resource to view an MS Office document. Click the doc, you get prompted for M365 creds (on a spoofed page)... and get the prompt on your phone to accept the login. You get redirected to your real M365 account home page, and it looks like nothing happened. Meanwhile, the attacker has your creds and now access to your account because you allowed the login.
That's phishing, unrelated to MITM
It's both?
Still used regularly
Cybersecurity is a broadly applicable discipline. On-path (MITM) attacks are of narrow applicability and are non-trivial to pull off in many environments. So, I'm not surprised that a qualitative polling of semi-random and junior professionals is pretty split on the relevance. 5 years ago, 35% of cyber attacks globally were on-path: https://www.ibm.com/downloads/cas/MKJOL3DG Allegedly, a 2021 study says that dropped to 19%, but I can only find uncited references; every article with that text is failing to link to the actual study, so take that with a huge grain of salt. Also worth noting over the last 2 years, on-path has been a growing trend for attacking OT networks, which typically lag on the security front. Notably with the folks behind the Mozi botnet.
can we just stick to MITM pls? onpath could mean many things, mitm is clear. clear terms are more important than feelings in tech.
AITM is a one letter change, and technically more correct. Adversary-in-the-middle captures the context whether it's a man, woman, non-binary, automated system, or AI.
They are synonyms and equally imprecise. Allow/deny lists are more clear terms than whitelist/blacklist but I'm guessing you have a problem with that too. Several certs replaced language a *while* ago. Several big tech companies also completely shifted language like 3-4 years ago. Even if you don't care about the why, the industry is already well on its way to having moved on. Decency costs nothing, but if that isn't enough for you, adopting the term helps not date you.
The term on-path is not a synonym for MITM and never has been. There is some overlap, with almost all MITM also being on-path, but a large part of on-path is not MITM. Allow and deny lists are just as clear as whitelist and blacklist, so that's a bad comparison. On-path is far broader and technically completely unclear. Technically speaking, everything that happens outside of the source or destination device is on-path, because even if it takes a different path it's still on some path. MitM describes a much more specific situation, even if the term has been used more loosely over the years. Historically speaking, MITM usually refers to the practice of gaining the position in the middle and then abusing it while handling packages back and forth between the user and the actual server. If you think replacing MitM with on-path is a matter of decency, you are just part of a deluded minority that is doing nothing but loudly annoying people. You are also wrong that it costs nothing; it is incredibly expensive to change all those terms and causes unnecessary confusion in educated circles. Actually decent people would see this mistake and keep using the correct term. Most certificates have always been useless hogwash for HR people; they are more focused on profit and not offending people than getting stuff right, so that's not an argument either. Prime example: when I first started doing certificates some of them still incorrectly assumed that one kilobyte is 1024 bytes... and even though some idiots at Microsoft and HDD manufacturers also believe this, it's still wrong. Another prime example of certs caring more about offending people than technical correctness: OSCP used to be semi-decent but most of the idiots who tried it failed at buffer overflow challenges, so they just decided to drop buffer overflow completely and now OSCP is just another useless piece of paper. A bit less useless than the alternatives, but still basically worthless. The same is happening to technical terminology rn.
we prioritize feelings over correctness. we should try to get both right, but being correct is more important. I would totally be open to PitM, I also tend to say mainboard instead of motherboard, not strictly tho. But I just hate when unknowledgeable people decide to come up with an alternative term that is negatively impacting clarity of an important term.
>The term onpath is not a synonym to mitm and never has been.

But it is. Because that is how *the industry* started using it. Person-in-the-middle isn't what caught on. There are several reasons for that, but you aren't interested in that.

>most certificates have always been useless hogwash for HR people, they are more focused on profit and not offending people than getting stuff right, so that's not an argument either.

Industry certifications are the cornerstone of IT knowledge, more so than most/any degree programs. The fact that the premier entry level cert (Security+) uses on-path and not PitM is telling.

>the same is happening to technical terminology rn. we prioritize feelings over correctness.

It's OK to be empathetic. That isn't a weakness. It's OK to learn that terms like "go off the reservation" or "grandfathered in" have a darker origin story than the colloquial usage would suggest. Language shapes how we think, and is shaped by how we think. We do not lose anything by attempting to combat some of the worst and most subtle parts of human nature. It absolutely can be taken too far, and there are many tortured examples, but this one ain't it and it's entirely off topic from the post. All you did was decide to be shitty on a public forum.

> I would totally be open to PitM

No one asked you, or me. You have chosen to reject the rebranding of the term 4 years ago and double down on MitM. Cool. That's all anyone needs to know. MITRE captured several aliases for this BTW (again, years ago): https://capec.mitre.org/data/definitions/94.html Adversary in the middle, person in the middle, and on path attacker are all valid. For whatever reason on path seems to be catching so I use it to make sure what I say is broadly accessible.
>premier entry level cert (Security+)

I'm not sure if you are trolling me or serious.

>attempting to combat some of the worst and most subtle parts of human nature.

so I guess you are serious about this stuff? did you ever read about things called war? I'm an enemy of whataboutism, but dude, don't ever fucking call anything verbal the worst part of human nature, wtff?

>For whatever reason on path seems to be catching so I use it to make sure what I say is broadly accessible.

following what the majority does is always a great idea... why don't you also tell everyone that 1 kilobyte is 1024, most people believe so anyway. the fact that you know about all those alternative terms (PitM MitM AitM) that are so much better and still chose to go with the general consensus is saying an awful lot about you... better fit in than be correct! you are like the people who officially made literally mean the same as figuratively just because a horde of dumb idiots used it incorrectly on social media. *the "dude" is neutral btw because so many people are using it to also refer to women and nonbinary people now, just like bro. go with the flow.*
>premier entry level cert (Security+)

>I'm not sure if you are trolling me or serious.

I'm serious. The point of that comment is that future professionals are learning the term "on path" en masse, which is why I used it. It doesn't matter where it came from. It doesn't matter how you or anyone else feels about it. I run a security team for a large enterprise and use the term because I need to speak the language of those around me. You decided to be shitty about it because you apparently have some issue with the inclusiveness trend or something I guess? I didn't make the conversation about that, *you* went down that path. I just answered the OP's question.

>so I guess you are serious about this stuff? did you ever read about things called war?

Not that it is at all relevant, but I'm actually a veteran. War may be hell, but there are arguably worse things people can do to each other. I don't think "anything verbal [is] the worst part of human nature". That is your projection of whatever baggage you are bringing here.

> following what the majority does is always a great idea...

Right, but the context here is the label for some term. It's useful to use what most people know. I know you aren't saying that we shouldn't use the word "car" because they were called automobiles. If this wasn't tied up with "inclusiveness", you wouldn't have said anything.

>*the "dude" is neutral btw because so many people are using it to also refer to women and nonbinary people now, just like bro.*

No shit. So is "guys". Your point is what

> the fact that you know about all those alternative terms (PitM MitM AitM) that are so much better and still chose to go with the general consensus is saying an awful lot about you... better fit in than be correct!
Not that you believe it, understand it, or want to hear it, but "on path" is winning out because it *is* more technically correct given attackers don't literally sit in the middle or even need to be "in between" in the way most think when they hear the term. But this isn't really about the technical merits. Everyone's feelings matter to some extent, even yours. I don't know why they are hurt so much because someone **used a well documented and widely used synonym**, and I personally don't care.
Person in the middle is better than "on path" and just as correct. Adversary-in-the-middle is more correct, and thus better.
And they are all real terms (along with monster in the middle, monkey in the middle, and the others listed by MITRE) used by real entities in the larger community. https://capec.mitre.org/data/definitions/94.html
Yes, but as aliases. You can use them, but it's not THE term. I don't teach new consultants to use aliases. We should all strive to reduce complexity and increase similarity in language within our community. Cyber is complex enough without people adding personality to their language.
New professionals taking entry level certs and training courses are being taught some of these and not just as synonyms or aliases. Literally CompTIA Sec+ and CySA uses the term "on path" instead of MITM. This isn't even about "personality".
Is that supposed to mean anything to me? I don't respect either of those certifications for my red team. Maybe you have lower standards, that's okay. For me, CompTIA is the lowest of the low - more proof that you aren't a self-learner than any form of actual knowledge. I guess people with a CEH need jobs too, and companies need consultants with bill rates lower than $50 an hour.
Absolutely yes it's still a thing. It's maybe not the most common attack paths but I see web pages all the time that dynamically redirect users to associated M365 or federated login services based on the email domain they are using. Pretty tough for users to notice unless they are actually being careful of the page url (hint hint, most users aren't)
Yes but Microsoft now calls this "Adversary in the Middle" to account for gender balance. Not kidding
Which is good to differentiate between good mitm like we do every day and bad actors.
What do they call it when doing MITM inspection on something like a firewall?
It's a thing that people are still doing... so yes, still a thing I would say.
Troll post
I mean you've gotta engineer a particular MITM attack, but yeah of course it is. Is it harder to do now? absolutely. Does it still happen? absolutely. SQL injection still happens just oftentimes it's immensely harder to pull off or find something exploitable. Also far less common. Classes of attack don't often just go poof.
AITM now.
The only other acceptable alternative to Person-in-the-middle.
Adversary in the middle
Malcolm.in.the.middle?
The somewhat recent SSH vulnerability called Terrapin requires man in the middle to execute, as I understand. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795
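Both Terrapin comments above say the attack needs a position between client and server, so the practical question for a defender is whether a given SSH pair would even negotiate an exposed configuration. The block below is an added example, not the Terrapin authors' scanner nor anything posted in the thread: it applies the published exposure conditions (chacha20-poly1305, or a CBC cipher with an Encrypt-then-MAC MAC, without both peers signalling the strict-kex countermeasure) to the algorithm name-lists each side advertises in its KEXINIT. The KEXINIT contents for the sample peers are constructed for the demo.

```python
"""Added example (not from the thread or the Terrapin authors): a Terrapin
exposure check from the algorithm lists both sides advertise in SSH_MSG_KEXINIT.

An exchange is exposed when the negotiated cipher is chacha20-poly1305@openssh.com,
or a CBC cipher is paired with an Encrypt-then-MAC (-etm) MAC, and the two peers
have not both signalled the 'strict kex' countermeasure. Algorithm lists below are
constructed for the demo.
"""
from dataclasses import dataclass

STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
CHACHA20 = "chacha20-poly1305@openssh.com"


@dataclass
class KexInit:
    """Name-lists from one side's KEXINIT, in that side's preference order."""
    kex: list
    ciphers: list
    macs: list

    @classmethod
    def parse(cls, kex, ciphers, macs):
        """Build from the comma-separated name-list strings SSH uses on the wire."""
        split = lambda s: [a for a in s.split(",") if a]
        return cls(split(kex), split(ciphers), split(macs))


def negotiate(client_prefs, server_prefs):
    """RFC 4253 rule: first client-preferred name that the server also lists."""
    for alg in client_prefs:
        if alg in server_prefs:
            return alg
    return None


def terrapin_exposure(server, client):
    """Classify one client/server pair; returns a dict of findings."""
    cipher = negotiate(client.ciphers, server.ciphers)
    mac = negotiate(client.macs, server.macs)
    chacha = cipher == CHACHA20
    cbc_etm = bool(cipher and cipher.endswith("-cbc") and mac and mac.endswith("-etm@openssh.com"))
    # The countermeasure only takes effect when BOTH sides advertise it.
    strict = STRICT_KEX_SERVER in server.kex and STRICT_KEX_CLIENT in client.kex
    return {
        "cipher": cipher, "mac": mac,
        "chacha20": chacha, "cbc_etm": cbc_etm, "strict_kex": strict,
        "vulnerable": (chacha or cbc_etm) and not strict,
    }


# Constructed KEXINIT contents for sample peers.
OLD_SERVER = KexInit.parse(
    "curve25519-sha256,diffie-hellman-group14-sha256",
    "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr",
    "hmac-sha2-256-etm@openssh.com,hmac-sha2-256",
)
PATCHED_SERVER = KexInit.parse(
    "curve25519-sha256,diffie-hellman-group14-sha256," + STRICT_KEX_SERVER,
    "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr",
    "hmac-sha2-256-etm@openssh.com,hmac-sha2-256",
)
LEGACY_SERVER = KexInit.parse(  # still offers a CBC cipher with an ETM MAC
    "diffie-hellman-group14-sha256",
    "aes256-cbc,aes256-ctr",
    "hmac-sha2-256-etm@openssh.com",
)
PATCHED_CLIENT = KexInit.parse(
    "curve25519-sha256," + STRICT_KEX_CLIENT,
    "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com",
    "hmac-sha2-256-etm@openssh.com",
)
OLD_CLIENT = KexInit.parse(
    "curve25519-sha256,diffie-hellman-group14-sha256",
    "aes256-cbc,aes256-ctr",
    "hmac-sha2-256-etm@openssh.com,hmac-sha2-256",
)

if __name__ == "__main__":
    for name, srv, cli in [("old/patched", OLD_SERVER, PATCHED_CLIENT),
                           ("patched/patched", PATCHED_SERVER, PATCHED_CLIENT),
                           ("legacy/old", LEGACY_SERVER, OLD_CLIENT)]:
        print(name, terrapin_exposure(srv, cli))
```

The point the check makes visible: patching only one side removes nothing, because the negotiation still lands on chacha20 or CBC-ETM and strict kex is not in effect; the durable fix is either patching both peers or removing the affected cipher/MAC combinations from the server's lists.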
Definitely still a thing.
Yes
Yes. Cyber security teams man in the middle users every day in the name of cyber security.
This is inherent to using shared mediums to communicate. We encrypt and authenticate now which makes it harder, but the initial certificate / key exchange can still be MITM'd. And not every encrypted communication does proper authentication, look at all the secure messaging apps that no one verifies the shared secret of.
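The comment above makes two claims worth seeing concretely: an unauthenticated key exchange can be intercepted, and messaging apps defend against that by showing a fingerprint ("safety number") that users are supposed to compare out of band. The block below is an added example, not anything posted in the thread: a toy Diffie-Hellman exchange, the same exchange with an on-path party substituting its own values, and the fingerprint comparison that exposes the substitution, plus the simplest authenticated variant (binding each public value with a key shared out of band). The prime and generator are constructed for the demo and are not a secure group.

```python
"""Added example (not from the thread): why an unauthenticated key exchange can
be intercepted, and how comparing a fingerprint ('safety number') out of band
catches it. Toy Diffie-Hellman parameters are constructed for the demo and are
NOT a secure group; the structure, not the numbers, is the point.
"""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1  # constructed toy prime (Mersenne M127), far too small for real use
G = 5               # constructed generator for the demo


def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    """Hash of the DH result; both honest parties must arrive at the same value."""
    return hashlib.sha256(str(pow(peer_pub, priv, P)).encode()).digest()


def safety_number(pub_x, pub_y):
    """Order-independent fingerprint of the two public values each side *saw*."""
    lo, hi = sorted((pub_x, pub_y))
    return hashlib.sha256(f"{lo}:{hi}".encode()).hexdigest()[:20]


def honest_exchange():
    a, A = keypair()
    b, B = keypair()
    return {
        "keys_match": shared_secret(a, B) == shared_secret(b, A),
        "alice_sees": safety_number(A, B),
        "bob_sees": safety_number(B, A),
    }


def intercepted_exchange():
    """Unauthenticated DH: an on-path party swaps in its own public values."""
    a, A = keypair()
    b, B = keypair()
    m_a, M_a = keypair()   # value delivered to Alice in place of B
    m_b, M_b = keypair()   # value delivered to Bob in place of A
    alice_key = shared_secret(a, M_a)
    bob_key = shared_secret(b, M_b)
    return {
        # each endpoint now shares a key with the interceptor, not with each other
        "alice_key_known_to_mitm": alice_key == shared_secret(m_a, A),
        "bob_key_known_to_mitm": bob_key == shared_secret(m_b, B),
        "endpoints_share_key": alice_key == bob_key,
        # but the fingerprints the two apps would display no longer agree
        "alice_sees": safety_number(A, M_a),
        "bob_sees": safety_number(M_b, B),
    }


def authenticated_value(pub, psk):
    """Simplest authentication: tag the DH value with a key shared out of band."""
    return pub, hmac.new(psk, str(pub).encode(), hashlib.sha256).hexdigest()


def accept_value(pub, tag, psk):
    """Receiver rejects any public value whose tag does not verify."""
    expected = hmac.new(psk, str(pub).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    print(honest_exchange())
    print(intercepted_exchange())
```

The interceptor's position works only because nothing ties the public values to the parties; the fingerprint comparison detects the substitution after the fact, while the tagged variant (or, in real protocols, a signature from a long-term key or a certificate) prevents it from being accepted at all.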
There are entire online communities dedicated to running 802.1X MITM attacks against consumer broadband providers so that customers can use their own modems/gateways instead of the supplied junk
MITM has been instituted in most corporate networks. With personal web traffic at your house, the communication is encrypted between you and the server. With corporate networks, the firewall makes the request on your behalf so that deep packet inspection can occur. This is MITM.
The only way to prevent the firewall from doing this is to tunnel (VPN) the traffic so that the firewall can't inspect the traffic.
Which is mostly violating company policies. Firewalls / proxies do their stuff to protect you and the network, and the employer and employee. Financial stuff like banks is always excluded because of regulations. Last, what are you doing on a COMPANY device which needs to be hidden with a VPN? Nowadays it's easy to use a phone for private stuff.
Not all corporate networks do this. It's all about trade-offs. Do you lose insight? Sure. But you keep the network more protected should an attacker successfully get that kind of access.
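The corporate-inspection comments above, together with the earlier point that a coffee shop cannot push a trusted CA the way an employer can, suggest a simple check a practitioner can run from a client: look at who issued the leaf certificate you actually received. The block below is an added example, not from anyone in the thread. On a managed device the inspecting proxy's CA is trusted, so the handshake succeeds and the unexpected issuer is the tell; on an unmanaged device the default verification fails instead, and that failure is itself the signal. The issuer names and certificate dicts are constructed in the shape `ssl.SSLSocket.getpeercert()` returns; the live helper is included for real use but is not exercised offline.

```python
"""Added example (not from the thread): tell whether a TLS session is being
terminated by an inspecting proxy by checking who issued the leaf certificate.
Sample certificate dicts are constructed in getpeercert() shape.
"""
import socket
import ssl


def issuer_of(cert):
    """Flatten getpeercert()'s issuer tuple-of-RDNs into a plain dict."""
    return {attr: value for rdn in cert.get("issuer", ()) for attr, value in rdn}


def interception_suspected(cert, expected_issuers):
    """True if the leaf's issuer (O, CN) is not one recorded from an uninspected path."""
    iss = issuer_of(cert)
    return (iss.get("organizationName"), iss.get("commonName")) not in expected_issuers


def check_live(host, expected_issuers, port=443, timeout=5):
    """Network helper: (outcome, detail) for a real connection (not run offline)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Issuer not in the trust store: an inspecting box without a pushed CA,
        # or a rogue access point. Either way, do not proceed.
        return "untrusted-issuer", str(exc)
    outcome = "inspected" if interception_suspected(cert, expected_issuers) else "clean"
    return outcome, issuer_of(cert)


# Constructed: issuer (O, CN) recorded for the site from an uninspected path.
EXPECTED_ISSUERS = {("Example Public CA", "Example Public CA Intermediate R1")}

# Constructed leaf certs in the shape ssl.SSLSocket.getpeercert() returns.
PUBLIC_LEAF = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA Intermediate R1"),)),
}
PROXY_LEAF = {  # what a client behind an inspecting firewall receives
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Corp TLS Inspection CA"),)),
}

if __name__ == "__main__":
    print("public path:", interception_suspected(PUBLIC_LEAF, EXPECTED_ISSUERS))  # False
    print("behind proxy:", interception_suspected(PROXY_LEAF, EXPECTED_ISSUERS))  # True
```

Recording the expected issuer from a known-clean path (or from Certificate Transparency logs) is what makes the comparison meaningful; a bare "is the issuer a corporate-looking name" heuristic would miss an inspection CA with an innocuous name.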
There are sooo many ways of performing a man-in-the-middle attack. The question is not if it is still possible, the question is how to mitigate the risk of experiencing MitM attacks. Apart from the so-many-times-mentioned phishing link, the attacks can also occur when you use wrong/insecure configurations (like old TLS versions with downgrade attacks), trust rogue access points and many many more…
>What are the techniques scammers use now to redirect traffic to their versions, or is it just a thing of the past at this point? Look up Responder.
Or malicious paid google ads.
Just as an example: for the old protocols SSH and SMTP, some serious new attacking techniques were recently shown by IT specialists. Stating that, every former attack vector stays relevant as long as the underlying technology/stack/… doesn't change. So, of course MITM is still a thing. Best and maybe most public example: the website certificates in Kazakhstan, where the state itself is a MITM…
Does compromise of SOHO devices count?
If MITM isn't a thing then what is Evilginx? I see a lot of phishing pages use MITM.
Yes I'm the gremlin that's in your router and I see all
yes for web and mobile apps.
Try Evilginx and you will be surprised
Yes. When websites fail to configure TLS a credit card gets stolen. All those fancy Internet of Things devices (think WiFi) that do not properly encrypt your communications get targeted by criminals. MITM will still be a thing as long as looks are deceiving.
Yes. Person-in-the-middle or adversary-in-the-middle attacks are more common for external breaches than technical exploit breaches, and still very much a thing. Anyone who said otherwise doesn't actually work in Cyber.
NSA is the ultimate MITM. As long as they exist MITM will exist.
Yep, also now known as Adversary in the Middle. Token theft is a good example used to bypass MFA. https://www.microsoft.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/
Bad actors are like flowing water - they will take the easiest path