In an eavesdropping attack, attackers snoop on network communications, overhearing information that they might not be authorized to see. In this video, learn about the various types of eavesdropping attacks that malicious individuals might use to jeopardize the confidentiality of information.
- [Instructor] In some cases, an attacker can gain physical or logical access to the network, and eavesdrop on communications between two systems. These attacks can be especially dangerous because they allow the attacker to potentially decrypt encrypted communications and view confidential information without the sender's knowledge or consent. All eavesdropping attacks require some compromise of the communications path between a client and a server. This might include tapping into a network device or cable, or conducting a DNS or ARP poisoning attack to trick a system into sending traffic directly to an attacker instead of the intended recipient.
Let's look at two attacks based upon eavesdropping: Man in the Middle Attacks and Replay Attacks. Here's how most people imagine web communication takes place. The user, running a web browser, initiates a connection to a server, located somewhere off in a data center. The reality is that those communications travel over many network connections along the way. Any one of the devices in the middle represents a possible point where an eavesdropper might listen in on the communication.
Encryption, such as that used with HTTPS, prevents any of those intermediate devices from viewing or altering the communication. Since simple eavesdropping is easily defeated by encryption, attackers can use the Man in the Middle Attack to step up the game a bit. In this attack, the attacker tricks the sending system during the initial communication. This might be done by reconfiguring a network device, or using DNS or ARP poisoning. Instead of establishing communications with a legitimate server, the user then connects directly to the attacker.
The attacker, in turn, connects to the legitimate server. The user authenticates to the fake server set up by the attacker, and the attacker acts as a relay, the man in the middle, and can view all of the communications that take place between the client and the server. The attacker receives the requests from the user, passes them onto the server, and receives the real responses, reads them, and then replays them to the original user, who has no idea that there is a man in the middle intercepting those communications.
The Man in the Browser Attack is a variation on the Man in the Middle Attack, where the attacker compromises the user's web browser or a browser plugin to gain access to web communications. If attackers have the ability to capture network traffic, they can also conduct a Replay Attack. A Replay Attack uses previously captured data, such as an encrypted authentication token, to create a separate connection to the server that is authenticated, but does not involve the real end user.
If the attacker can resend the authentication sequence, without the remote system noticing that it is being replayed, the attacker can then use those credentials for his or her own purposes. In a Replay Attack, the attacker typically cannot see the actual credentials, but only has the encoded version of them available. Fortunately, Replay Attacks are easily defeated by using a simple session token, or through the use of timestamps. Each session established with a remote system should use a new token that is chosen randomly and has a limited lifespan suitable to the length of time the authenticated session should last.
Then, when the attacker tries to replay that token, it's already expired and not valid. Timestamps work in a similar way, and rely upon both systems having their system time set properly to ensure that the packets they were sending were sent during a similar time window. Replay Attacks can succeed during that short time window, but attacks at a later time will be rejected. Once an attacker gains access to the network underlying a connection, it becomes very difficult to protect those communications.
Encryption, secure network configuration, and strong authentication mechanisms are all good ways to protect your applications and users from falling victim to eavesdropping attacks.
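The replay defenses the instructor describes, as an added Python example that is not part of the course: a store that issues random session tokens with a limited lifespan, so a captured token replayed after expiry is rejected, and a verifier for timestamped messages that only accepts a message whose timestamp falls within a tolerance window of the receiver's clock. The example goes one step beyond the transcript by also tracking a per-message nonce, which closes the "short time window" in which a timestamp-only check still accepts a replay. The class names, the 30-second window, the 15-minute token lifetime, and the shared HMAC key are assumptions made for the example; the sample messages are constructed.

```python
"""Replay-attack defenses: short-lived random session tokens, and timestamped
messages checked against a time window plus a seen-nonce list.
Added example, not code from the course; names and constants are assumed."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple


class SessionTokenStore:
    """Issues a fresh random token per session, valid only for a limited lifetime."""

    def __init__(self, lifetime_seconds: float = 900.0):
        self.lifetime = lifetime_seconds
        self._tokens: Dict[str, float] = {}  # token -> expiry time (epoch seconds)

    def issue(self, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 random bits: not guessable, never reused
        self._tokens[token] = now + self.lifetime
        return token

    def validate(self, token: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        expiry = self._tokens.get(token)
        if expiry is None:
            return False  # unknown or forged token
        if now >= expiry:
            del self._tokens[token]  # expired: a replayed copy is no longer valid
            return False
        return True

    def revoke(self, token: str) -> None:
        self._tokens.pop(token, None)  # logout ends the token's usefulness early


class TimestampedMessageVerifier:
    """Accepts a message only if its MAC is valid, its timestamp is within the
    receiver's tolerance window, and its nonce has not been seen in that window."""

    def __init__(self, shared_key: bytes, window_seconds: float = 30.0):
        self.key = shared_key
        self.window = window_seconds
        self._seen: Dict[str, float] = {}  # nonce -> timestamp, pruned once outside the window

    @staticmethod
    def _mac(key: bytes, payload: bytes, timestamp: float, nonce: str) -> str:
        # Bind payload, timestamp and nonce together so none can be altered separately.
        data = b"|".join([payload, f"{timestamp:.3f}".encode(), nonce.encode()])
        return hmac.new(key, data, hashlib.sha256).hexdigest()

    def sign(self, payload: bytes, now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)
        return {"payload": payload, "ts": now, "nonce": nonce,
                "mac": self._mac(self.key, payload, now, nonce)}

    def verify(self, msg: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        expected = self._mac(self.key, msg["payload"], msg["ts"], msg["nonce"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return False, "bad mac"  # tampered or forged
        if abs(now - msg["ts"]) > self.window:
            return False, "outside time window"  # late replay, or badly skewed clocks
        # Drop nonces that are too old to be accepted anyway, so the list stays bounded.
        self._seen = {n: t for n, t in self._seen.items() if abs(now - t) <= self.window}
        if msg["nonce"] in self._seen:
            return False, "replayed nonce"  # same message seen inside the window
        self._seen[msg["nonce"]] = msg["ts"]
        return True, "ok"


if __name__ == "__main__":
    store = SessionTokenStore(lifetime_seconds=60)
    token = store.issue(now=1000.0)
    print("token valid at +30s:", store.validate(token, now=1030.0))
    print("token valid at +61s:", store.validate(token, now=1061.0))

    verifier = TimestampedMessageVerifier(b"constructed-shared-key", window_seconds=30)
    captured = verifier.sign(b"transfer 100", now=5000.0)  # constructed message
    print("first delivery:", verifier.verify(captured, now=5010.0))
    print("replay inside window:", verifier.verify(captured, now=5011.0))
    print("replay after window:", verifier.verify(verifier.sign(b"x", now=5000.0), now=5100.0))
```

The `now` parameters exist so the checks can be exercised with fixed clocks; in production they default to the system clock, which is exactly why the transcript notes that both sides must keep their time set properly.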
The CompTIA Security+ exam is an excellent entry point for a career in information security. The latest version, SY0-501, expands coverage of cloud security, virtualization, and mobile security. This course prepares exam candidates for the critical Threats, Attacks, and Vulnerabilities domain of the exam. By learning about malware, networking and application security exploitations, and social engineering, you'll be prepared to answer questions from the exam—and strengthen your own organization's systems and defenses. Author Mike Chapple, an IT leader with over 15 years of experience, also covers the processes for discovering and mitigating threats and attacks, and conducting penetration testing and scanning for vulnerabilities. Visit certmike.com to join one of his free study groups.