Thought you were safe with VPN? Think again!

Dror Liwer Blog

If you’ve been kicking back, confident that your wireless network is secure because you have the most robust VPN in place, this is your wake-up call.

It has become increasingly clear that VPNs are not as safe or efficient as everyone once thought. It is easier than ever for hackers to hijack VPN ports and exploit the gap between VPN startup and connection in order to plant malware. Furthermore, many VPN servers keep server logs, which means that hackers who get hold of those logs can see everything you do and can do anything they want with the information. While VPNs have been a staple ‘secure’ framework for working away from the office for governments and enterprises, and even for individuals trying to watch Netflix, changes in VPN protocols and the phenomenon of Shadow IT are causing a change in thinking.

Here’s why VPNs are no longer secure

1. Port Forwarding Easy as Pie
About a year ago, in November of 2015, Perfect Privacy put out an alert showing that five of the nine largest VPN providers had flaws in their port forwarding services. Among the affected protocols were IPSec, OpenVPN, PPTP and others. The major flaw was that any cybercriminal who had an account with one of the problematic VPN providers could activate port forwarding and uncover the real IP of anyone else on the same server. This is accomplished by simply luring an unsuspecting user into clicking a phishing link. Once the user clicks on the link, they are redirected to a port under the control of the cybercriminal and their IP is uncovered. The scheme is so easy to pull off that Darren Martyn, who was under indictment for hacking with LulzSec back in 2012, outlined on his blog eight easy steps for taking advantage of port forwarding for those with limited technical knowledge and a minimal budget. One might think that someone once under investigation would refrain from cyber incitement, but whatever works for him.


2. The Firewall has Fallen
In late 2015, Larry Seltzer, a veteran technology consultant with over a decade of experience, went to a Starbucks to test what actually happens in the seconds between launching a VPN and actually connecting over open Wi-Fi. The test involved running Wireshark to capture thousands of packets on an open network before the VPN connected. He found that even though much of the information was indeed encrypted, the encryption was not foolproof. Your system configuration details are still visible and can be used by attackers as hints to reveal your identity. Furthermore, HTTPS traffic sent before the tunnel is up is susceptible to SSLstrip attacks. Seltzer also mentioned that even the best VPN connections can fail on open Wi-Fi unless the vendors specifically configure their clients not to fall back to the open network. While experts like Shaun Murphy, founder of PrivateGiant, and Sean Sullivan, security advisor at F-Secure, claim that the problem can be solved by simply installing a firewall rule, also known as IP binding, the proposed solution is not so simple. Different operating systems respond differently to such firewalls. For instance, if you are still using Windows 8.1 you might not be able to IP bind at all.
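The "IP binding" firewall that Murphy and Sullivan recommend is, on Linux, a kill-switch ruleset: nothing may leave the physical interface except the VPN handshake itself, so the gap between launching the client and the tunnel coming up leaks nothing. The script below is an added example, not from the original post or from any vendor; it assumes `tun0` is the tunnel device, `eth0` the uplink, and the VPN endpoint is given as an IP address (the constructed value 203.0.113.10 is a documentation address), because name resolution is blocked until the tunnel exists.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset that binds all traffic to the
# VPN. Default policy is DROP on every chain; the only exceptions are loopback,
# replies to connections we opened, the VPN handshake on the uplink, and
# anything that goes out through the tunnel device.
# Assumptions (constructed): tun0 = tunnel device, eth0 = uplink,
# VPN endpoint passed as IP/port/proto (e.g. 203.0.113.10 1194 udp).

killswitch_rules() {
  vpn_server="$1"; vpn_port="$2"; vpn_proto="$3"
  uplink="${4:-eth0}"; tun="${5:-tun0}"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections this host opened (covers the VPN handshake reply)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the only thing allowed out on the real NIC: the VPN handshake itself
-A OUTPUT -o $uplink -p $vpn_proto -d $vpn_server --dport $vpn_port -j ACCEPT
# everything else must travel inside the tunnel
-A OUTPUT -o $tun -j ACCEPT
# log what the kill switch blocks so pre-tunnel leaks show up in syslog
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "VPN-KILLSWITCH-DROP: "
COMMIT
EOF
}

# Apply (needs root):  killswitch_rules 203.0.113.10 1194 udp | iptables-restore
```

Note that with this policy in place DHCP renewals on the uplink are also blocked, so add an explicit rule for them if your lease is short.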


3. No Logging is Subjective?
Many VPN providers claim that they do not keep logs, which would mean that you are untraceable. There is no way to know whether your VPN is keeping logs or not, and the entire system is based on trust between server and client. There are some companies, like one London-based provider, that do a very good job of keeping information private. In December 2016, the FBI began to investigate a bombing hoax against a number of schools and airports. All internet activity of the primary defendant came back to the London-based company. When subpoenaed, the company was only able to provide a cluster of IP addresses from the US East Coast, which was not specific enough. There are, however, a variety of meanings behind the “no logging” claims of various companies. Some companies do not log at all, others keep usage logs, while others keep only connection logs. In the latter case, it is still possible (although difficult) to use that information to track down a user via an end-to-end timing attack. The main point is that it’s impossible to know what is really going on behind the scenes.


4. Shadow IT – A little Knowledge is a Dangerous Thing
Every company has procedures to protect data, but increasingly employees take it upon themselves to decide what is deemed safe, AKA Shadow IT. Gartner estimates that companies will spend over one third of their 2016 IT expenditures trying to manage this vigilante style of IT. This cost is expected to rise, and understandably so: applications and productivity tools for everything are so readily available. Few of us can make it through the day without accessing Google Drive, GitHub, Office 365, Salesforce, Dropbox and many more. Employees use these mediums to quickly store, share and work on sensitive materials.


What makes Shadow IT so risky?
As soon as an employee accesses or stores anything on a public cloud platform, the data moves outside of the company’s network protection. Users access the cloud services directly, bypassing the protection layers of the enterprise infrastructure, which increases the risk of a breach while they are connected. See the following illustration for a better overview.

Once your information goes to the cloud, conventional perimeter defenses are rendered ineffective. However, newer technology can form a defense in the cloud itself by analyzing raw network data, detecting and neutralizing attack vectors and other threats.