Wednesday

Provider in the middle attacks



From the vincentarnold.com blog:

An internal British Telecom report on a secret trial of an ISP eavesdropping and advertising technology found that the system crashed some unsuspecting users’ browsers, and a small percentage of the 18,000 broadband customers under surveillance believed they’d been infected with adware.

The January 2007 report (.pdf) — published Thursday by the whistle-blowing site Wikileaks — demonstrates the hazards broadband customers face when an ISP tampers with raw internet traffic for its own profit. The leak comes just weeks after U.S. broadband provider Charter Communications told users it would be testing a technology similar to what’s described in the BT document.

Dan Kaminsky, at the latest ToorCon conference, already warned us about this kind of provider-in-the-middle attack:

Dan Kaminsky, director of penetration testing for IOActive, at ToorCon in Seattle this weekend demonstrated what he calls a “Provider-in-the-Middle Attack” or PITMA, an attack that steals cookies and injects content into legitimate Web pages via an ad server -- in the demo, an Earthlink ad server -- that contained a cross-site scripting flaw. He showed the attack to illustrate how these ad servers, which redirect a user that types in an incorrect URL, can be abused by the bad guys to compromise the Associated Press, Facebook, MySpace, and other Websites.

Kaminsky said in an interview prior to his demo at ToorCon that the ad servers, which are run by the advertisers on behalf of the ISPs, impersonate some trademarked domains via DNS. But ISPs aren’t intentionally putting legitimate sites at such risk, and the problem is more a side effect of this ad server model. "They are trying to monetize the vast number of eyeballs that go through them but don’t stop along the way... I don’t think the [security problem] is intentional. No one set out to make the Web less secure," Kaminsky says. (Source: DarkReading.com)
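The redirect-on-mistyped-URL behaviour described above shows up at the DNS layer: a resolver that synthesises an answer for a name that does not exist instead of returning NXDOMAIN. The check below is an added example written for this post (not code from Kaminsky, DarkReading or the BT trial); the probe zones and the sample answers are constructed, and the live lookup goes through whatever resolver the host is configured to use.

```python
"""Check whether a resolver synthesises answers for names that do not exist
(the ISP "search assist" / ad-server redirect behaviour described above)."""
import secrets
import socket

# Zones under which random labels should not exist. Constructed list; use
# zones you know carry no wildcard record, or the check will misfire.
PROBE_ZONES = ["example.com", "example.net", "example.org"]


def random_probe_name(zone: str) -> str:
    """Build a hostname that should not exist: 16 random hex chars under zone."""
    return f"{secrets.token_hex(8)}.{zone}"


def resolve_live(name: str):
    """Live lookup through the system resolver. Returns a sorted list of IPv4
    addresses, or None when the resolver reports the name as nonexistent."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})


def classify_probes(answers):
    """answers maps probe name -> list of addresses, or None for NXDOMAIN.
    Returns (verdict, addresses):
      clean        every probe got NXDOMAIN, as it should
      hijacked     every probe, across unrelated zones, resolved to the same
                   address set: the resolver is inventing answers
      inconsistent mixed results; check by hand (a real wildcard zone, or a
                   resolver that only rewrites some queries)"""
    resolved = {name: tuple(addrs) for name, addrs in answers.items() if addrs}
    if not resolved:
        return "clean", []
    if len(resolved) == len(answers) and len(set(resolved.values())) == 1:
        return "hijacked", list(next(iter(resolved.values())))
    return "inconsistent", sorted(set().union(*resolved.values()))


def check_resolver(zones=PROBE_ZONES, resolver=resolve_live):
    """Run one random probe per zone through `resolver` and classify."""
    names = [random_probe_name(zone) for zone in zones]
    return classify_probes({name: resolver(name) for name in names})


# Constructed sample answers, the shape a hijacking resolver would return:
SAMPLE_HIJACKED = {
    "a1b2c3d4e5f60718.example.com": ["203.0.113.10"],
    "0f1e2d3c4b5a6978.example.net": ["203.0.113.10"],
    "1122334455667788.example.org": ["203.0.113.10"],
}

if __name__ == "__main__":
    print(check_resolver())  # live check against the system resolver
```

A "hijacked" verdict means the address returned is the place to look for the injected page, and the corresponding mitigation is to point clients at a resolver that honours NXDOMAIN (or to run your own).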
