Thursday, May 3, 2012

User-in-the-Middle

Just a quick description for what we think may (or may not) become an important attack technique in the future:

User-in-the-Middle (UITM) - A technique where attacker hides behind a legitimate user of an online service in order to avoid being traced once his/her malicious activities are detected. Applicable where user registration - providing access to said online service and its vulnerabilities - requires exposure of user's real identity, e.g., in online banking.

In contrast to the well known Man-in-the-Middle (MITM) technique and its web application derivative, Browser-in-the-Middle, where the attacker intercepts communication between a user and an online service in an attempt to steal user's physical or digital property while hiding the attack from the user, a user-in-the-middle attack is an attack against the server (not the user), but utilizing user's computer as well as his identity to perform the attack. This allows the attacker to effectively hide behind the user and make it appear as if the user was actually the source of malicious activity. Even if forensic investigation subsequently discovers that it was not the user who performed the malicious activities, the traces on his computer would be insufficient for tracking down a smart attacker. Furthermore, a cautious attacker would erase user's computer after use, deleting all remaining traces of his activities.

@mkolsek
@acrossecurity