Multz

"Your connection is not secure" - am I vulnerable to a MITM attack?

5 posts in this topic

*cross-posting from BleepingComputer forums. I didn't get any replies there for 5 days, I hope someone here may be willing to help.*

I'd be grateful for some advice on my situation. 
 
I'm using Mac OSX 10.8.5 (I know I need to upgrade as soon as I possibly can, currently travelling).
 
I started seeing a "connection not secure" browser error dialogue when trying to open Facebook, Instagram and Skype. But I opened my bank's portal with no problem.

Same behaviour in FF, Chrome and Safari. Sometimes it would redirect and display an OpenDNS error page instead. I couldn't pick a pattern for why. Google search started prompting me to verify that I'm human.


The problem disappeared when I found and removed OpenDNS addresses from my DNS settings. But prior to that I had taken a bunch of steps (listed below). Subsequently I've removed Spigot adware from my system. 

Now I'm not sure if I'm vulnerable to a MITM attack. Or is the problem resolved?

In particular, I'm not sure how the OpenDNS addresses got added to my DNS settings. Could it be the Spigot adware? Or should I be looking for something else?

Steps I've taken:

  • Checked that pages that produced the "not secure" error load with my phone and a different computer on the same Wi-Fi network - they do. So not a router issue
  • Timezone, date and time are synced with Apple servers
  • Updated Java
  • Disabled all browser plugins
  • Firefox (the browser I use every day) - cleared cache and offline files
  • Scan with ClamXav (2016 version, updated definitions, no infection found)
  • Scan with KnockKnock (current version, no infection found)
  • At this point I found OpenDNS addresses and removed them.
  • Scan with Avast 12.5, found and removed
    • searchme@mybrowserbar.com.xpi
    • Spigot-O "YahooEngine.xml"
    • Several Spigot files already sitting in Malwarebytes "removals" folder
  • Checked for Avast CA untrusted certificate in Keychain - not present (but Avast is using MITM, switching in its own trusted certificate)
  • Downgraded Malwarebytes to 1.2.4 (1.2.5 requires OSX 10.9 or later, apparently), found and removed "adware.Spigot"

I'd appreciate some help on this! 

Many thanks

It sounds like this is a known problem when OpenDNS blocks sites that use HSTS, thus the reason that the problem went away when you removed OpenDNS from your network settings.

As for why OpenDNS might have been blocking those sites, since you say you're traveling, most likely someone else set OpenDNS to block those sites for the IP address you're currently using.

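
The mechanism behind that answer, as an added example (not code from the thread): a filtering resolver answers a blocked name with its block-page address, the block page's certificate is not valid for the name the browser asked for, and for a site the browser already knows uses HSTS that name mismatch is a hard error with no "add exception" button, which is the unoverridable "not secure" dialogue described above. The HSTS store entries, the block-page names and the bank hostname are constructed for the example.

```python
from typing import Dict, List

# Constructed HSTS store: host -> includeSubDomains flag. These entries are
# assumed for the example; the real sites' policies are not quoted in the thread.
HSTS_STORE: Dict[str, bool] = {"facebook.com": True, "instagram.com": True}

def hostname_matches(host: str, san: str) -> bool:
    """Browser-style certificate name check: exact match, or a wildcard that
    covers exactly one leftmost label (*.example.com matches www.example.com,
    but neither example.com nor a.b.example.com)."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if san == host:
        return True
    if san.startswith("*.") and "*" not in san[1:]:
        return host.count(".") == san.count(".") and host.endswith(san[1:])
    return False

def hsts_applies(host: str, store: Dict[str, bool]) -> bool:
    """True if host itself, or a parent with includeSubDomains, has an HSTS policy."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        if parent in store and (i == 0 or store[parent]):
            return True
    return False

def browser_decision(host: str, cert_sans: List[str], store: Dict[str, bool]) -> str:
    """Outcome when the server the resolver pointed us at presents cert_sans for host."""
    if any(hostname_matches(host, san) for san in cert_sans):
        return "ok"
    # Name mismatch. For an HSTS host the browser must terminate with no user
    # recourse (RFC 6797 section 8.4); for any other host the warning is overridable.
    return "hard-fail" if hsts_applies(host, store) else "warn-overridable"

def classify_scenarios() -> Dict[str, str]:
    """Constructed scenario: a filtering resolver answers two names with its block
    page, whose certificate is only valid for the block page's own names."""
    block_page_sans = ["block.filter.invalid", "*.filter.invalid"]  # constructed
    return {
        # HSTS site sent to the block page: the "connection is not secure" dead end
        "www.facebook.com": browser_decision("www.facebook.com", block_page_sans, HSTS_STORE),
        # non-HSTS site sent to the block page: a warning the user could click through
        "news.example": browser_decision("news.example", block_page_sans, HSTS_STORE),
        # site the resolver left alone: real certificate, loads normally (the bank case)
        "www.bank.example": browser_decision("www.bank.example", ["*.bank.example"], HSTS_STORE),
    }
```

Clearing the foreign resolver restores the real answers, and only a certificate that is actually valid for the requested name (not a resolver change) would let a real interception pass this check silently.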
Hi, thanks for your thoughts! This seems unlikely to me though, because I had been using this Wi-Fi network for a month already before the unusual behaviour appeared. No problems loading the same sites prior to that. Anything else it could be?

On many networks, the IP address can change periodically. That could easily explain the issue. If the problem went away when you removed the OpenDNS addresses from your network settings, and hasn't been back since, I wouldn't worry about it. In that case, it's not a man-in-the-middle attack.
