VPNs are critical pieces of the security infrastructure, but they can be vulnerable, hackable, and weaponized against you. Here are seven things to be aware of before you ignore your VPN.

VPN Threats

VPNs are critical pieces of the enterprise cybersecurity infrastructure. When it comes to protecting data in motion, there’s really no good substitute. And that’s why it can be so devastating to learn that this mandatory tool can carry vulnerabilities.

Before going any further, it’s important to note that nothing here is intended to suggest that your organization ditch its VPNs. Networking with VPNs is vastly more secure than networking without them. With that said, there’s no part of the enterprise IT infrastructure that qualifies as “set it and forget it,” and VPNs are not exceptions to this rule.

The dangers described in this article fall into two broad categories. First are the vulnerabilities that are “designed in,” featuring problems with the logic, installation, or basic features of the VPN’s client or server.

Vulnerabilities in the second group are “classic” vulnerabilities — inadvertent errors in the code running on one side or other of the VPN, an issue with how a protocol is implemented, or something similar.

Vulnerable Key-Handling Routines

One of the characteristics all VPNs share is their reliance on encryption keys — the digital strings that allow data to be encrypted on one end of the transaction and decrypted on the other. While encryption keys aren’t confined to VPNs, the fact that one end of a VPN is often wandering around in public on a laptop computer makes key-handling a critical feature.

In an example shown at Black Hat USA 2019, researchers Orange Tsai and Meh Chang showed that a vulnerability in a Palo Alto Networks SSL VPN was made much more severe because it exposed a hard-coded password for the encryption key.

Most VPNs are “black boxes,” whether they come in the form of appliances in the network stack or services accessed by consumers. That opacity is why a vulnerability like a hard-coded key or keys stored insecurely can be so dangerous — there’s little (beyond keeping up-to-date with patches) that an organization can do to remediate the vulnerability on its own.

Weak Encryption

It’s not hard to find people worried that quantum computing will wreak havoc on the world of encryption. But you don’t have to wait for quantum computing’s powerful brute-force capabilities to be frightened about breakable encryption — you just have to use a VPN employing an older, breakable encryption algorithm.

The VPN market is littered with the remains of encryption algorithms once thought safe but now known to be vulnerable. From DES and 3DES to SHA-1 and RSA (with small keys), algorithms have been shown to have either algorithmic flaws or a susceptibility to brute-force methods. Other products use proprietary encryption methods that promise super-double-plus ninja-grade security, but can offer no rigorous test results to prove their claims.

Security teams should look for VPNs using known-good encryption algorithms such as AES, elliptic-curve Diffie-Hellman (ECDH), SHA-256 (or greater), or RSA with a 1536- or 2048-bit key. It’s important to note that a strong encryption algorithm can be wrecked by a poor implementation — random-number generators are a regular source of woe. As always, teams should keep up with patches and updates for the products in use so that any problems that are found and fixed can be remediated in the field.
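
The guidance above, applied as an inventory check. This is an added example, not code from the article or from any VPN vendor: the dash-separated proposal format, the token spellings and the gateway names are assumptions constructed for illustration. Anything that is neither on the weak list nor on the known-good list (a proprietary cipher, for instance) is reported as "unlisted" rather than trusted.

```python
import re

# Verdicts follow the article's lists; token spellings are assumptions.
WEAK_NAMES = {"des", "3des"}
GOOD_NAMES = {"aes", "ecdh"}
RSA_MIN_BITS = 1536            # smallest RSA key size the article accepts
SEVERITY = {"ok": 0, "unlisted": 1, "weak": 2}

def classify(token):
    """Return (verdict, reason) for one token such as 'aes256' or 'rsa1024'."""
    m = re.fullmatch(r"(\d*[a-z]+)(\d*)", token.strip().lower())
    if not m:
        return "unlisted", "unrecognised token"
    name, size = m.group(1), int(m.group(2) or 0)
    if name in WEAK_NAMES:
        return "weak", "cipher known to be breakable"
    if name == "sha":
        if size == 1:
            return "weak", "SHA-1"
        # "SHA-256 (or greater)": accept the SHA-2 digest sizes from 256 up
        return ("ok", "SHA-2") if size in (256, 384, 512) else ("unlisted", "unknown SHA variant")
    if name == "rsa":
        if size >= RSA_MIN_BITS:
            return "ok", "RSA"
        return "weak", "RSA key under 1536 bits or size not stated"
    if name in GOOD_NAMES:
        return "ok", name.upper()
    return "unlisted", "not on the known-good list; ask for test results"

def audit(proposal):
    """Classify each token of a dash-separated proposal; overall is the worst verdict."""
    findings = [(tok, *classify(tok)) for tok in proposal.split("-") if tok]
    overall = max((f[1] for f in findings), key=SEVERITY.get, default="unlisted")
    return overall, findings

INVENTORY = {  # constructed sample: gateway names and proposals are made up
    "gw-legacy": "3des-sha1-rsa1024",
    "gw-branch": "aes128-sha256-rsa2048",
    "gw-hq": "aes256-sha384-ecdh",
    "gw-vendor": "ninjacrypt-sha256-rsa2048",
}

def report(inventory):
    """Map each gateway to (overall verdict, tokens that are not 'ok')."""
    out = {}
    for gw, proposal in inventory.items():
        overall, findings = audit(proposal)
        out[gw] = (overall, [t for t, verdict, _ in findings if verdict != "ok"])
    return out

if __name__ == "__main__":
    print(report(INVENTORY))
```

A clean result only says the advertised algorithms are acceptable; it says nothing about implementation quality such as random-number generation, which still depends on vendor patches.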
