VPN | Mark Cathey's Tech Site

Information security firm High-Tech Bridge has conducted a study of SSL VPNs (Virtual Private Networks) and discovered that nine out of ten such servers don’t provide the security they should be offering, mainly because they are using insecure or outdated encryption.

An SSL VPN is different from a classic IPSec VPN because it can be used inside a standard Web browser without needing to install specific software on the client-side.

SSL VPNs are installed on servers, and clients connect to the VPN via their browsers alone. This connection between the user’s browser and the VPN server is encrypted with the SSL or TLS protocol.

Three-quarters of all SSL VPNs use untrusted certificates

Researchers from High-Tech Bridge say they analyzed 10,436 randomly selected SSL VPN servers and they found that most of them are extremely insecure.

They claim that 77% of all SSL VPNs use SSLv3 or SSLv2 to encrypt traffic. Both of these two versions of the SSL protocol are considered insecure today. These protocols are so insecure that international and national security standards, such as the PCI DSS and NIST SP 800-52 guidelines, have even gone as far as to prohibit their usage.

Regardless of their SSL version, 76% of all SSL VPN servers also used untrusted SSL certificates. These are SSL certificates that the server has not confirmed, and that attackers can mimic and thus launch MitM (Man-in-the-Middle) attacks on unsuspecting users.

High-Tech Bridge experts say that most of these untrusted certificates are because many SSL VPNs come with default pre-installed certificates that are rarely updated.

Some VPNs still use MD5 to sign certificates

Additionally, researchers also note that 74% of certificates are signed with SHA-1 signatures, and 5% with MD5 hashes, both considered outdated.

41% of all SSL VPNs also used insecure 1024 key lengths for their RSA certificates, even if, for the past years, any RSA key length below 2048 was considered to be highly insecure.

Even worse, one in ten SSL VPNs is still vulnerable to the two-year-old Heartbleed vulnerability, despite patches being available.

Out of all the tested SSL VPNs, researchers say that only 3% followed PCI DSS requirements. None managed to comply with NIST (National Institute of Standards and Technology) guidelines.

High-Tech Bridge is also providing a free tool that can tell users if their SSL VPN or HTTPS website is actually doing a good job of protecting them.

For the original story follow this link to Softpedia for more information.

A flowchart of the infection process used by a malicious Tor exit node.

Attacks tied to gang that previously infected governments with highly advanced malware.

Three weeks ago, a security researcher uncovered a Tor exit node that added malware to uncompressed Windows executables passing through it. Officials with the privacy service promptly shut down the Russia-based node, but according to new research, the group behind the node had likely been infecting files for more than a year by that time, causing careless users to install a backdoor that gave attackers full control of their systems.

What’s more, according to a blog post published Friday by researchers from antivirus provider F-Secure, the rogue exit node was tied to the “MiniDuke” gang, which previously infected government agencies and organizations in 23 countries with highly advanced malware that uses low-level code to stay hidden. MiniDuke was intriguing because it bore the hallmark of viruses first encountered in the mid-1990s, when shadowy groups such as 29A engineered innovative pieces of malware for fun and then documented them in an E-zine of the same name. Written in assembly language, most MiniDuke files were tiny. Their use of multiple levels of encryption and clever coding tricks made the malware hard to detect and difficult to reverse engineer. The code also contained references to Dante Alighieri’s Divine Comedy and alluded to 666, the “mark of the beast” discussed in the biblical Book of Revelation.

“OnionDuke,” as the malware spread through the latest attacks is known, is a completely different malware family, but some of the command and control (C&C) channels it uses to funnel commands and stolen data to and from infected machines were registered by the same persona that obtained MiniDuke C&Cs. The main component of the malware monitored several attacker-operated servers to await instructions to install other pieces of malware. Other components siphoned login credentials and system information from infected machines.

Besides spreading through the Tor node, the malware also spread through other, undetermined channels. The F-Secure post stated:

During our research, we have also uncovered strong evidence suggesting that OnionDuke has been used in targeted attacks against European government agencies, although we have so far been unable to identify the infection vector(s). Interestingly, this would suggest two very different targeting strategies. On one hand is the “shooting a fly with a cannon” mass-infection strategy through modified binaries and, on the other, the more surgical targeting traditionally associated with APT [advanced persistent threat] operations.

The malicious Tor node infected uncompressed executable files passing through unencrypted traffic. It worked by inserting the original executable into a “wrapper” that added a second executable. Tor users downloading executables from an HTTPS-protected server or using a virtual private network were immune to the tampering; those who were careful to install only apps that were digitally signed by the developer would likely also be safe, although that assurance is by no means guaranteed. It’s not uncommon for attackers to compromise legitimate signing keys and use them to sign malicious packages.

Tor officials have long counseled people to employ a VPN use encryption when using the privacy service, and OnionDuke provides a strong cautionary tale when users fail to heed that advice.

This post was updated to remove incorrect statements concerning the use of virtual private networks.

For the complete story follow the source link below.

Source: Ars Technica