Regulators Warn of Man-in-the-Middle Attack Risks
US-CERT: Some End-to-End Security Products Vulnerable
Federal regulators are warning healthcare sector entities that some products used as part of their end-to-end security could make the organizations vulnerable to man-in-the-middle attacks.
In its April cyber-awareness newsletter, the Department of Health and Human Services' Office for Civil Rights warns about the threat of man-in-the-middle attacks and the related risks of using some Hypertext Transfer Protocol Secure, or HTTPS, interception products.
Man-in-the-middle, or MITM, attacks occur "when a third party intercepts and potentially alters communications between two different parties, unbeknownst to the two parties," OCR explains. These attacks can be used to inject malicious code, intercept sensitive information such as protected health information, expose sensitive information, and modify trusted information, OCR notes.
Man-in-the-middle attacks are worrisome for healthcare entities because they can be particularly difficult to detect, says Rebecca Herold, president of Simbus, a privacy and security cloud services firm, and CEO of The Privacy Professor, a consultancy.
"What cyber crooks love about man-in-the-middle attacks is that they can often be accomplished leaving no trail, and when the target victim does not have adequate security monitoring in place, often without being caught," she says. "It could be a big problem for the healthcare sector given the high value of patient data, and the amount of other data that could be obtained using such an attack.
"So hospitals, and any other type of organization, could have been a victim of such an attack, but without any trail left behind for the breach, they would not be able to know if they were a victim."
Keith Fricke, principal consultant at tw-Security, says man-in-the-middle attacks "pose the same risks for healthcare entities as they do in any other industry - compromising the communication chain can lead to stolen credentials or direct access to sensitive information. In the case of the healthcare industry, a MITM attack could lead to unauthorized access to PHI either directly through capturing PHI or indirectly by compromising user accounts that have access to PHI."
Fricke notes that MITM attacks often originate on a client-side computer that is infected with malware designed to hijack web browser sessions and, in some cases, log keystrokes.
In terms of HTTPS inspection products posing a potential vulnerability to man-in-the-middle attacks, Fricke suggests organizations contact their endpoint protection solution vendors and "ask for details on how well insulated workstations are from MITM attacks originating on a user's computer." He also suggests that organizations ask their vendors "to confirm how their implementation of SSL inspection maintains integrity of the security protocols."
Herold notes that HTTPS interception tools can "lose the ability to effectively verify that the web server communicating with the health care network is secure and legitimate. This opens up the possibility for such man-in-the-middle attacks."
HTTPS Interception Product Risks
OCR warns that some organizations' use of HTTPS interception products, also known as "HTTPS inspection" products, as part of their end-to-end connection security can put those entities at risk of man-in-the-middle attacks.
"Poor implementation of many of these products may actually reduce end-to-end security and introduce new vulnerabilities," OCR writes, referring to a March 16 alert on that topic issued by the U.S. Computer Emergency Readiness Team.
"Many organizations have implemented end-to-end connection security on their internet transactions using HTTPS. Additionally, some organizations use 'HTTPS interception products' to detect malware over an HTTPS connection," OCR says.
HTTPS interception products, also known as "HTTPS inspection," work by intercepting the HTTPS network traffic and decrypting it, reviewing it, then re-encrypting it, OCR notes. "To do so, HTTPS interception products must install trusted certificates on client devices to perform the HTTPS inspection without presenting warnings." In practice the product's own CA certificate is added to the client's trust store and the product then issues a certificate for each site on the fly, so the browser sees a chain ending at the product's CA rather than at the site's real one.
However, this process may leave organizations using HTTPS interception products vulnerable, because the client can no longer verify the web server's certificate, see which protocols and ciphers the interception product negotiates with the web server, or, most importantly, independently validate the security of the end-to-end connection.
"In other words, the organizations that use these interception products are able to validate only the connection between themselves and the interception product, not between themselves and the server," OCR writes. "This is problematic, because many HTTPS interception products do not properly verify the certificate chain before re-encrypting and forwarding information to the organizations, which leaves the connection vulnerable to a malicious MITM attack."
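Whether the product on the path actually verifies upstream chains can be measured from a workstation rather than taken on faith: connect, with normal verification on, to hosts that deliberately serve a bad certificate. A direct connection must fail; if it succeeds, something in the path accepted the bad upstream certificate and re-signed it. The probe below is an added example written for this page, not code from OCR, US-CERT or any inspection vendor. It assumes the inspection product's CA sits in the trust store Python loads (the OS store on Windows, OpenSSL's default paths elsewhere), that the badssl.com test hosts still serve the defect their name describes, and that www.example.com is reachable as a control; the assessment step is kept separate so it runs without network access.

```python
"""Probe whether an HTTPS inspection product validates upstream certificates."""
from __future__ import annotations

import socket
import ssl
from dataclasses import dataclass

# Assumption: these public test endpoints exist and keep presenting the
# defect named in their hostname. Substitute your own test hosts if not.
BAD_CERT_HOSTS = {
    "expired.badssl.com": "expired certificate",
    "wrong.host.badssl.com": "hostname mismatch",
    "self-signed.badssl.com": "self-signed certificate",
    "untrusted-root.badssl.com": "untrusted root CA",
}
# Assumption: a control host with a valid certificate, used to learn who is
# issuing the leaf certificates the client actually sees.
CONTROL_HOST = "www.example.com"

LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


@dataclass
class Probe:
    host: str
    handshake_ok: bool
    issuer: str = ""    # issuer CN of the leaf certificate the client was shown
    version: str = ""   # protocol negotiated on the client-to-proxy leg
    cipher: str = ""
    error: str = ""


def probe(host: str, timeout: float = 5.0) -> Probe:
    """Handshake with full chain and hostname verification against the
    system trust store and record what the client can observe."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                # issuer is a tuple of RDNs; each RDN is a tuple of (name, value) pairs
                issuer = dict(rdn[0] for rdn in cert.get("issuer", ())).get("commonName", "")
                return Probe(host, True, issuer, tls.version() or "", tls.cipher()[0])
    except (ssl.SSLError, OSError) as exc:
        return Probe(host, False, error=str(exc))


def assess(results: list[Probe], control: Probe | None = None) -> dict:
    """Turn raw probes into a verdict. Pure function, so it is testable offline."""
    accepted = [p.host for p in results if p.handshake_ok]
    findings = []
    for p in results:
        if p.handshake_ok:
            findings.append(f"{p.host}: accepted although the origin serves a "
                            f"{BAD_CERT_HOSTS.get(p.host, 'bad certificate')} "
                            f"(leaf issuer '{p.issuer}')")
    for p in results + ([control] if control else []):
        if p.handshake_ok and p.version in LEGACY_PROTOCOLS:
            findings.append(f"{p.host}: legacy {p.version} negotiated on the client leg")
    # If every accepted bad-certificate host and the control host carry the
    # same issuer, one party in the path is minting certificates for everything.
    issuers = {p.issuer for p in results if p.handshake_ok}
    resigning_ca = None
    if control and control.handshake_ok and issuers == {control.issuer}:
        resigning_ca = control.issuer
    return {
        "verdict": "FAIL" if accepted else "PASS",
        "accepted": accepted,
        "findings": findings,
        "resigning_ca": resigning_ca,
    }


if __name__ == "__main__":
    report = assess([probe(h) for h in BAD_CERT_HOSTS], probe(CONTROL_HOST))
    print(report["verdict"])
    for line in report["findings"]:
        print(" -", line)
    if report["resigning_ca"]:
        print("all observed leaves were issued by:", report["resigning_ca"])
```

A PASS only shows that the product rejected these particular defects; run it against any other failure mode you care about (revoked certificates, weak signature algorithms) by adding hosts that exhibit it. A FAIL is the condition OCR describes: the client-to-proxy leg verified fine, while the proxy accepted an upstream certificate the client would never have trusted.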
Securing end-to-end communications plays an important role in protecting the privacy of HTTPS traffic and preventing some forms of man-in-the-middle attacks. US-CERT, in its March alert, recommends reviewing various mitigation steps in order to reduce vulnerability to MITM attacks.
Some of those steps recommended by US-CERT include:
- Updating Transport Layer Security and Secure Sockets Layer. Specifically, upgrading to TLS 1.1 or higher and ensuring that TLS 1.0 and SSL 1, 2 and 3.x are disabled unless required. "The continued use of TLS 1.0 and SSL 1, 2, 3.x is leading to increased cases affected by MITM attacks and session hijacks," US-CERT notes. Since that alert, TLS 1.1 has been deprecated as well (RFC 8996), so TLS 1.2 or later should be the floor today.
- Utilizing certificate pinning. "Certificate pinning is a method of associating an X.509 certificate and its public key to a specific CA or root," US-CERT writes. "Typically, certificates are validated by checking a verifiable chain of trust back to a trusted root certificate. Certificate pinning bypasses this validation process and allows the user to trust 'this certificate only' or 'trust only certificates signed by this certificate.'"
- Implementing DNS-based Authentication of Named Entities, or DANE, a protocol that allows the X.509 certificates commonly used for TLS to be bound to DNS names. "DANE is bound to DNS, which uses Domain Name System Security Extensions," US-CERT writes. "The DANE working group in the Internet Engineering Task Force developed a new type of DNS record that allows a domain itself to sign statements about which entities are authorized to represent it."
- Using Network notary servers, which aim to improve the security of communications between computers and websites by enabling browsers to verify website authenticity without relying on certificate authorities, or CAs. "CAs are often considered a security risk because they can be compromised," US-CERT writes. "As a result, browsers can treat fraudulent sites as trustworthy and are left vulnerable to MITM attacks."
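Pinning and DANE come down to the same mechanical step: take the certificate the server presented, derive a fingerprint (normally of its SubjectPublicKeyInfo), and compare it with a value obtained out of band, from the application's pin set in one case and from a DNSSEC-signed TLSA record in the other. The example below is added here and is not code from US-CERT or from the page's sources. Using only the standard library, it walks the DER encoding of an X.509 certificate to extract the SPKI, checks it against a pin set with a backup pin, and evaluates a TLSA record in the presentation form that `dig` prints. The certificates it operates on are constructed test data with a dummy key and a zero signature; the DNSSEC-validated TLSA lookup itself is outside the example.

```python
"""SPKI pinning and TLSA (DANE) matching on raw DER certificates, stdlib only."""
from __future__ import annotations

import base64
import hashlib
import hmac
from dataclasses import dataclass


def _tlv(buf: bytes, pos: int) -> tuple[int, int, int]:
    """Decode one DER TLV header at pos -> (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER subjectPublicKeyInfo of a certificate, header included.
    Layout: Certificate { TBSCertificate { [0] version?, serialNumber,
    signature, issuer, validity, subject, subjectPublicKeyInfo, ... }, ... }"""
    tag, pos, _ = _tlv(cert_der, 0)         # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _tlv(cert_der, pos)       # TBSCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("bad TBSCertificate")
    if cert_der[pos] == 0xA0:               # optional EXPLICIT [0] version
        _, _, pos = _tlv(cert_der, pos)
    for _ in range(5):                      # serial, sigAlg, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    tag, _, end = _tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("bad subjectPublicKeyInfo")
    return cert_der[pos:end]


def spki_pin(cert_der: bytes) -> str:
    """Pin in the HPKP / Android network-security-config form: base64(sha256(SPKI))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def pin_ok(cert_der: bytes, pins: set[str]) -> bool:
    """True if the leaf's SPKI pin is in the set. Always carry a backup pin for a
    key held offline, or a key rotation locks clients out of your own service."""
    return spki_pin(cert_der) in pins


@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int  # 0 full certificate, 1 subjectPublicKeyInfo
    mtype: int     # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes


def parse_tlsa(presentation: str) -> TLSA:
    """Parse the zone-file form, e.g. '3 1 1 <hex>', as printed by dig TLSA."""
    u, s, m, *hexparts = presentation.split()
    return TLSA(int(u), int(s), int(m), bytes.fromhex("".join(hexparts)))


def association_data(cert_der: bytes, rr: TLSA) -> bytes:
    """Compute what the record's data field must equal for this certificate."""
    subject = cert_der if rr.selector == 0 else extract_spki(cert_der)
    if rr.mtype == 0:
        return subject
    if rr.mtype == 1:
        return hashlib.sha256(subject).digest()
    if rr.mtype == 2:
        return hashlib.sha512(subject).digest()
    raise ValueError(f"unknown matching type {rr.mtype}")


def tlsa_matches(chain: list[bytes], rr: TLSA) -> bool:
    """chain[0] is the end-entity certificate as presented by the server.
    Usages 1 and 3 constrain the end entity; usages 0 and 2 constrain a CA in
    the presented chain. Usages 0 and 1 additionally require ordinary PKIX
    validation, which is outside this function."""
    candidates = chain[:1] if rr.usage in (1, 3) else chain[1:]
    return any(hmac.compare_digest(association_data(c, rr), rr.data) for c in candidates)


def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def make_test_cert(pubkey_bits: bytes) -> bytes:
    """CONSTRUCTED test data: DER with the layout of an X.509 v3 certificate but
    a dummy key, empty names and a zero signature. Only the structure matters
    here; a real certificate from getpeercert(binary_form=True) parses the same."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + pubkey_bits))
    validity = _der(0x30, _der(0x17, b"240101000000Z") * 2)
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + alg + _der(0x30, b"") + validity + _der(0x30, b"") + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))
```

On a workstation behind an inspection product the pin check fails for every pinned site, because the leaf key the client sees belongs to the product, not the origin; that is exactly how pinned applications notice interception, and why such products have to exempt them. A DANE check run from the same workstation fails in the same way unless the TLSA lookup is itself intercepted, which is why the record must be DNSSEC-validated rather than trusted as received.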
Other Steps to Take
In addition to the mitigation steps outlined by US-CERT in OCR's warning, Herold suggests that to prevent falling victim to man-in-the-middle attacks, organizations apply "comprehensive layers of security and vigilant security monitoring and updates."
That includes performing a security risk assessment for the network. "Establish the scope to include HTTPS interception tools, and wherever TLS and SSL are used," she says.
"Have a qualified third party, or an experienced IT internal auditor, review/audit the implementation of HTTPS, TLS and SSL tools and associated systems/applications that the organization uses. Such an audit should be on the annual audit plan anyway, but now that there is increased awareness of this issue, doing such an audit should be moved to the top of an organization's priority list."
Organizations also need to be proactive in accomplishing those measures. "The CISO, CIO and others responsible for the network, applications and network security should work together to plan how to effectively do these updates, implementations, and removal of inadequate tools to minimize the impact on network users and patients," she says. "Don't just go changing settings; planning is necessary for successful security improvement. Without such you run the risk of not only network interruptions, but also of creating more holes and vulnerabilities than you are trying to fix as a result of not being comprehensive in addressing all vulnerabilities."