[NEWS] Findnot.com VPN Service Address Privacy Breach and Unencrypted Data



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Findnot.com VPN Service Address Privacy Breach and Unencrypted Data
------------------------------------------------------------------------


SUMMARY

Findnot.com provides online anonymity services.

Its VPN service suffers from an unexpected, intermittent IP address
privacy breach: anonymity is lost immediately, unencrypted data is sent
directly out to the Internet, and the service is exposed to DNS lookup
spoofing.

DETAILS

Vulnerable Systems:
* Findnot.com's VPN Service which uses Microsoft PPTP Client

Several vulnerabilities have been reported in Findnot.com's Microsoft PPTP
VPN Service Client, which can cause intermittent immediate loss of
anonymity and privacy while using the service:
* IP Address Privacy Breach: Your REAL IP address is exposed during
Internet activity to remote sites that, seconds earlier, saw an anonymous
IP address.

* Encryption Data Link Broken: Unencrypted data is sent directly out to the
Internet, viewable by users on the local network, the ISP, or a local
snooping Government, all while the user assumes all data is encrypted
between their machine and the VPN server.

* DNS Spoofing: While the VPN is disconnected and attempting reconnection
on an unsecured DNS system in a shared computer setting such as a WiFi
hotspot, hotel or Internet cafe, www.hostname.com may actually be directed
toward a spoofed website, all the while the user assumes they are using
the secure VPN DNS servers.

This vulnerability is caused by the VPN software dropping the machine's
routing of data through the VPN when it encounters a disconnection from
the remote VPN server, and sending the data directly over the Internet to
the sites being accessed.

The vulnerability has been reported by many users of the Findnot.com
system. It is most likely to happen on a congested Findnot.com server, or
because of an internet connection problem somewhere between your machine
and the VPN server.

From the vendor's website:
"...If you are concerned about a connection to one of our servers being
dropped during a transaction like a download and your real ip address then
being revealed relax. In most applications ...[when the]... VPN server
drops, the application times out."

http://web.archive.org/web/20050326031144/http://www.findnot.com/howitworks.html

Yes, they actually tell you to "relax" about your privacy being breached.

A rash and irresponsible statement coming from a so-called provider of
anonymous Internet services. Instead of recommending that the VPN
therefore not be used, the vendor advises the customer to "relax", but
then contradicts itself in a following recommendation:

"...For real bullet proof protection just run the application through the
SSH Proxy..."

http://web.archive.org/web/20050326031144/http://www.findnot.com/howitworks.html

In other words, if you are concerned about your IP address privacy and
your data encryption, don't use the VPN; use the SSH Proxy.

It is concerning to say the least that they are so hypocritical about use
of the VPN despite the clear and present danger to anonymity it presents.
It brings into question other aspects of their setup.

In fact the SSH Proxy has its own Vulnerability covered in the Security
Advisory: Findnot.com DNS Privacy Breach (Advisory Id: FN15398) covering a
vulnerability exposing the websites you visit to snoopers on your wireless
connection, local network, or ISP while using the 'SSH Proxy' service of
Findnot.com.

Validation:
Load etherape and sniff on your local internet connection interface.
Choose a very busy Findnot.com server where a disconnect is likely due to
connection issues with the VPN server, or play with your local internet
connection cable by disconnecting it temporarily to simulate an internet
connection problem. The VPN will disconnect and you will immediately see
your network traffic going directly out on to the net unencrypted, and
connections being made directly to the sites being accessed by your
applications. Your DNS queries will also be happening at your local ISP or
gateway machine revealing what sites you are accessing to the operator of
the DNS server.
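
The same observation can be made from a text capture instead of a graphical sniffer. The following is an added example, not part of the original advisory: it classifies tcpdump-style lines taken on the physical interface, counting PPTP tunnel packets (TCP 1723 control and GRE data to or from the VPN server) against cleartext DNS and other direct traffic. The server address 203.0.113.5 and the capture lines are constructed.

```shell
#!/bin/sh
# Constructed sample in "tcpdump -n" text style: three tunnel packets,
# then the traffic seen on the physical interface after the VPN drops.
sample_capture() {
    cat <<'EOF'
12:00:01.000001 IP 192.0.2.10.40000 > 203.0.113.5.1723: Flags [P.], length 24
12:00:01.100000 IP 192.0.2.10 > 203.0.113.5: GREv1, call 7, seq 41, length 96
12:00:01.200000 IP 203.0.113.5 > 192.0.2.10: GREv1, call 9, seq 40, length 80
12:00:09.000000 IP 192.0.2.10.53211 > 192.0.2.1.53: 4242+ A? www.hostname.com. (34)
12:00:09.050000 IP 192.0.2.1.53 > 192.0.2.10.53211: 4242 1/0/0 A 198.51.100.7 (50)
12:00:09.100000 IP 192.0.2.10.40100 > 198.51.100.7.80: Flags [S], length 0
EOF
}

# classify_capture VPN_SERVER_IP   (capture text on stdin)
# Prints "tunnel=N dns_leak=N other_leak=N".
classify_capture() {
    awk -v vpn="$1" '
    function host(a,   p) {      # address without trailing colon and port
        sub(/:$/, "", a); split(a, p, ".")
        return p[1] "." p[2] "." p[3] "." p[4]
    }
    function port(a,   p, n) {   # fifth dotted part is the port, if any
        sub(/:$/, "", a); n = split(a, p, ".")
        return (n == 5) ? p[5] : ""
    }
    $2 == "IP" {
        s = host($3); d = host($5); sp = port($3); dp = port($5)
        # Expected on the physical link: PPTP control or GRE with the server.
        if ((s == vpn || d == vpn) &&
            ($6 ~ /^GRE/ || sp == "1723" || dp == "1723")) tunnel++
        # Anything else left the machine outside the tunnel.
        else if (sp == "53" || dp == "53") dns++
        else other++
    }
    END { printf "tunnel=%d dns_leak=%d other_leak=%d\n", tunnel, dns, other }'
}

sample_capture | classify_capture 203.0.113.5
```

Any non-zero dns_leak or other_leak count on the physical interface means traffic bypassed the VPN.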

Suggested solution:
When the Findnot.com VPN is used, firewall ALL applications from accessing
the net directly, and only allow them access to the VPN interface when
it is up. Toggle your firewall settings to allow all applications access
to the Internet interface when not using the Findnot.com VPN. Contact your
system administrator for instructions, as this is not a trivial task, and
beyond the scope of most Internet users and this document. Or use a real
solution.

Use an alternative VPN client such as the Open Source OpenVPN system which
does not have these vulnerabilities.
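
One way to implement the firewall approach described above, as an added example that is not part of the original advisory: a default-deny ruleset in which only the PPTP tunnel itself (TCP 1723 and GRE, IP protocol 47) may use the physical interface, so traffic has no path out when the VPN interface disappears. It assumes a Linux host with iptables, a static address on the physical interface (no DHCP rule is included), and the placeholder names eth0, ppp0 and 203.0.113.5.

```shell
#!/bin/sh
# emit_killswitch VPN_SERVER_IP PHYS_IF VPN_IF
# Prints a ruleset for iptables-restore; returns 1 on bad arguments.
emit_killswitch() {
    vpn=$1 phys=$2 tun=$3
    # Require an IPv4 literal: resolving a server name would go through
    # the untrusted local DNS while the tunnel is down.
    printf '%s\n' "$vpn" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for i in "$phys" "$tun"; do
        case $i in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    done
    cat <<EOF
*filter
# Default deny in every direction.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Physical link: PPTP control channel to the VPN server only.
-A OUTPUT -o $phys -d $vpn -p tcp --dport 1723 -j ACCEPT
-A INPUT -i $phys -s $vpn -p tcp --sport 1723 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Physical link: GRE (protocol 47) carrying the tunnelled data.
-A OUTPUT -o $phys -d $vpn -p 47 -j ACCEPT
-A INPUT -i $phys -s $vpn -p 47 -j ACCEPT
# Applications may only talk through the VPN interface; when it is
# down these rules match nothing and the DROP policy applies.
-A OUTPUT -o $tun -j ACCEPT
-A INPUT -i $tun -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for the placeholder values; pipe to iptables-restore
# as root to apply it.
emit_killswitch 203.0.113.5 eth0 ppp0
```

IPv6 is not covered by this ruleset and needs an equivalent ip6tables policy.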


ADDITIONAL INFORMATION

The information has been provided by 123 Privacy Advisories
<123privacy_advisory@xxxxxxxxxxxxx>.


