VPN we may have a problem


coxhaus, It's nice of the Brits to spill the beans. Seriously, there have been rumbles for quite some time about the VPN network's (and OpenVPN's) vulnerabilities. Several years ago, one of the owners at a commercial VPN we used mentioned they had indications that multiple state actors were gaining access to their infrastructure, and the daily attacks from multi-state actors were extremely good at covering their tracks, but so were others.

The day Windows 7 was officially retired, the word came out on the newest MS crypto critical vulnerability which affects all MS OS's and software. This should reinforce that no matter what OS, router/FW, VPN or encryption one uses, security in depth is still the best way to try to protect one's data, including regularly changing all IDs, passwords, addresses, etc. It's the eternal security challenge and there's never enough time available to even the most dedicated hardcore/paranoid IT or admin to scour their daily security alerts, read through all of the newsletters we subscribe to, and do the rest of the work in order to stay current. A single post like yours always helps, thank you.
 
Presumably action was taken long ago to mitigate this?

The article is dated 10 Oct 2019, the UK warning was April 2019, a long time ago in cyberland.
 
Hi AndreiV, Did you refer to the security implications of the URL/article the OP referred to, or my response to him? Most of the VPN owners are patching as quickly as they can though they don't talk much about their means and methods. Some have other worries, such as SNLs, warrants and that's the dog in the room everyone knows about yet they won't talk about it, and no one really wants to hear it bark. Like everyone else, the VPNs scramble to make sense of all of the security issues and like the rest of us, try to secure everything. A few VPN companies have extremely sharp technical teams and they all know security information is fungible/powerful and valuable. The OP's post was likely meant to be helpful so I was thankful even if it was from October.

Compared to the pre-Snowden era, many more people depend on VPNs. State actors/hackers don't have to break into the encryption or the VPNs (even if they have the means), since they can just watch the unencrypted data exit the data centers.

The article the OP pointed to wasn't fresh in linear times but considering a nano-second is practically an eternity on the internet, it's good information. The vast quantity of security data ensures we'll always be playing catch up. Some SNB members have jobs, projects, and little time to be involved. Since Merlin began development of his fork, some (like me) only had time to lurk and learn. It was ages before I joined or posted. Thanks to Merlin and SNB; they have a worldwide following and have helped so many of us. As long as posters can remain positive and civil we'll stay better informed, more productive and secure. Cheers:)
 
It was a question, nothing more.

Simple fact, this problem was known about @ 3 years ago, security agencies were aware and indeed used it themselves.

(People believe that if they use a VPN or TOR they are totally safe from prying eyes, they are not)

Once it became obvious that criminals were using it the UK made it public knowledge, that was 9 months ago, the linked news article reporting it is 4 months old and 5 months after the event.
There has been more than enough time for the vulnerability to be patched by VPN providers.
 
AndreiV, Got it. Difficult to link at times, reading text will never be as easy as talking. The feds were into/aware of this same issue many years ago when they really went after the eastern gangs. Didn't help one of their prime agents/investigators got dirty during that time, but it happens everywhere when billions of bucks are at stake. Just an opinion but it will never be resolved, just more jumping through hoops and closing the doors whenever possible.
 
