Tag: Vpn

  • Notes From a Hacker: Yes, You Have to Use Your VPN – and Here’s Why

    Right now, across the globe, there are millions of exasperated IT helpdesk workers on the phone with an equal number of frustrated colleagues who are working from home, some for the very first time. I don’t have exact numbers, but I’m willing to bet that the most common issue they’re discussing is problems logging onto a company’s virtual private network (VPN). From my own experience, at least some of those end users (maybe you included) are asking, “Do we really have to do this?” 

    The answer is, yes, you do. And, because your IT team is likely overwhelmed right now, I’ll step in and share just a few reasons why a VPN helps keep your company safe from people like me.

    The most common threat someone faces on unsecured WiFi networks is a man-in-the-middle (MitM) attack, where a hacker inserts himself into the data stream between two endpoints. You’ve probably been cautioned about public WiFi – coffee shops, airports, etc. – for that very reason. Trust me, it will work on your home network as well.

    A successful MitM attack allows a bad guy to intercept or modify data in transit, including credentials or financial information. In fact, most wireless attacks are perpetrated with the goal of acquiring MitM access to user data. A VPN connection encrypts your data and makes it much harder for a hacker to steal.

    MitM is similar to another threat known as the “Evil Twin” attack. This is sometimes referred to as a rogue access point, and it exploits how wireless endpoints behave. When a phone, laptop, or tablet joins a wireless network, it will remember that connection. From that point forward, the endpoint will send out beacons looking for that network.

    Unfortunately for you, it’s easier than you think to trick your devices. We can use tools such as Mana or the WiFi Pineapple to respond to those requests and create a fake access point. Your device will associate with it as though it were the legitimate network. From there we have a MitM and can intercept or modify data in flight, or even create fake captive portals to capture credentials.

    Other tools help attackers go after wireless networks directly by sending de-authentication packets, which cause devices to disconnect. When they attempt to reconnect to the network, they must re-authenticate. This process involves a four-way handshake in which a hashed form of the Pre-shared Key (PSK) is exchanged. A hacker can capture this handshake and attempt to crack it offline using tools such as Hashcat. If the hash is cracked, the PSK is revealed in cleartext.

    The most widely used toolset is the Aircrack-ng suite, which includes Airmon-ng for capturing wireless traffic, Aireplay for injecting wireless packets, and Aircrack for cracking the PSK. Other tools such as WiFite offer a menu-driven interface that automates a wide variety of attacks.

    You may be thinking these tools are rare and hard to find, but that’s not the case. Both hardware and software are readily available and relatively cheap. They’re also very simple to set up and operate. 

    My point is that it can be relatively easy for a hacker to compromise your home WiFi. By contrast, your IT security team has a number of safeguards in place to protect you and the company’s network from the tools and tactics I described above. Extending that protection to those working remotely is the reason you have to use your VPN.

    Does that mean you can’t be hacked? Certainly not. But it does make my job a lot harder and it probably will cause me to move on – to another employee, another method of attack, or best case, another company.

    Preferably one that doesn’t use a VPN for remote workers.


  • Remote Security Series: Protect Your Network Health Like Your Own

    Most of us understand by now (hopefully) that this COVID-19 emergency is not the time to take chances with our health and safety. The benefits of being disease free far outweigh the costs of some social distancing and extra diligence about hygiene. However, I’m worried that many companies don’t seem to make the connection between what they’re doing to protect their employees and what they should be doing to protect their data.

    That’s dangerous because hackers are heartless. In their world, COVID-19 doesn’t bring suffering and death; to them, it’s all about opportunity and wealth. Like a virus, they’re attacking the most vulnerable and leaving untold damage in their wake.

    Unfortunately, we’ve seen and heard about companies across America that are making hackers’ jobs easier. For example, the additional strain of accommodating remote workers has caused many IT departments to open ports and grant access that they would never allow normally.

    RDP, VPN, oh my!

    One common problem is companies opening remote desktop protocol (RDP) access, which can be easily exploited. Others have VPN configuration errors that slow network traffic, frustrate users, and put pressure on IT staff to relax security measures in order to improve productivity. And some are not monitoring network traffic, which can open the door to brute force attacks. Raxis is seeing this firsthand in many of the external and remote internal penetration tests we are currently conducting for our customers.

    Add to this the challenge of team members accessing the network with their home devices. Each one brings with it a high degree of risk that most office-based IT teams aren’t accustomed to managing at scale.

    The bad guys know all this, of course. That’s why we’ve seen a surge of attacks, many based on the COVID-19 emergency itself. Scammers know we’re scared, tired, and worried for ourselves and our loved ones. We’re more likely to click on a malicious link or reveal sensitive information – and less likely to have appropriate safeguards in place when we do.

    Where to start

    So, what’s the solution? Our previous posts in this series have talked about ways to make networks more resilient from a technological perspective. But this is also a time when IT pros have a responsibility to safeguard their companies’ infrastructure and protect their employees. It’s up to you to make sure that productivity doesn’t come at the expense of security, even if that isn’t what your C-suite leaders or colleagues want to hear right now.

    The good news is that you don’t have to go it alone. Raxis experts can help you discover and document any unintended security consequences that come from your team working remotely. We can provide a fresh, hacker’s-eye evaluation of your perimeter defenses along with continual assessments to make sure they remain effective. We also offer many remote solutions that go hand in hand with the new workplace guidelines for many of our customers.

    Just as the coronavirus has made us more careful about our physical health, the resulting work-from-home experience should make us much more conscious of our cybersecurity posture. Give us a call and let’s talk about how Raxis can help you emerge from this crisis more secure and more confident about working remotely.

    Contact Raxis for more information.

    Want to learn more? Take a look at the first part of our Remote Security Series.

  • Remote Security Series: Urgent Questions You’ll Face About VPN and Remote Access

     As the coronavirus has pushed almost all of the workforce remote, IT teams have been very busy making networks accessible in ways they weren’t previously. Most organizations plan for a consistent number of users remotely accessing the network. I doubt any planned for a nearly global work-from-home (WFH) event like COVID-19. 

    As a result, I’ve worked with a few companies to help implement some very last-minute WFH solutions. I came away with a better understanding that there are some critical questions companies need to be asking (and answering) right now. 

    Do you have enough VPN licenses? Imagine being told on a Friday afternoon that everyone will be working from home for the foreseeable future. One company’s VPN was licensed for 100 users but had over 250 working remotely. Their immediate answer was to open up remote desktop ports for each user’s office computer. Bad idea, especially considering a few passwords were very insecure, including “Winter2020!” and “Corona2020$.” 

    Do you have enough bandwidth? Like VPN licenses, most companies have plenty of bandwidth to handle office data and the normal load of remote users with no issues. But with everyone working from home and many streaming media, this can cause a lot of strain on your network and lead to performance issues and outages.  

    Is split tunneling appropriate for your company? In many cases, split tunneling is a great way to address the bandwidth issue. However, you lose some protection, because only certain applications and network traffic now go back through the encrypted VPN. This can lead to data being mishandled, so make sure you have safeguards in place to prevent that. Also, it’s a good idea to block streaming services through the VPN tunnel or on an endpoint protection product.

    Are your users trained to use the VPN? With the rush to get users set up, users who worked in the office every day are now trying to do the same type of work from home. This may be painfully slow if they are accustomed to 1000 Mbps in the office and get only 50 Mbps at home. Their fix will be to download files locally, work on them, and then upload them back when done (we hope). That raises a couple of other important questions…

    Do they delete sensitive data from their computers when they are done?  Do they even know they should do this? If there’s even a speck of doubt, I strongly recommend putting data loss prevention (DLP) tools on the endpoints to ensure data isn’t leaving the network unsecured.

    Do you have a ‘shadow IT’ problem you didn’t know about? Here’s an interesting issue I ran into recently: A company realized there were employees who had been working remotely for years, but who didn’t know how to use the VPN to access files they need on a daily basis. I decided they either have integrity challenges, or they have unauthorized side channels they may not know about. Let’s set aside the ethics issue and assume you suspect the latter. Now would be a good time to start monitoring traffic going out to popular file sharing services. In an incident response situation, these services create more areas to audit, and your price tag and scope just increased a lot. Imagine thinking you have 10 servers and 400 workstations to check and then adding every Dropbox, Box.net, Sync and OneDrive account and folder. 

    Is your VPN network being monitored or logged? How many concurrent connections are allowed per user? This is important if a user is compromised and you allow unlimited connections per user. A malicious person can be connected to your network and it may go unnoticed. That’s why you should enforce MFA on your remote access solution.

    Are user endpoints encrypted and patched? Your end users are now working on networks with potential default passwords and weak wireless security, which you probably can’t control. It is very important then that you harden as much as you possibly can control.  Once your WFH solutions are in place, make sure you remember to audit their security. Don’t let a rush to get users working remotely lead to costly misconfigurations and data breaches — just because they click a malicious COVID-19 update or decide to watch cat videos.

    Does your business continuity plan reflect the new reality? Remote access to critical data should be a part of your business continuity plan. Being surprised by a hard limit of users on your VPN appliance can lead to a rush to provide accessibility, which in turn can lead to bad security decisions. Testing this plan will also show you areas that need to be addressed or that would be much easier to handle if you had known ahead of time. Also, ensure you have an updated remote access and VPN policy in place. Your end users will not always make smart security decisions, so ensure that they have a document to reference.

     The coronavirus emergency is putting all of us to the test, but especially the IT teams who shoulder the responsibility for keeping a remote workforce secure and productive. Make sure you have good answers to these questions and, if you need help, remember we are here for you.

     Raxis is always happy to discuss your unique circumstances and to offer options specific for your needs as well as your budget.

    Contact Raxis for more information.

     Want to learn more? Take a look at the next part of our Remote Security Series.

  • Celebrate National Cybersecurity Awareness Month Through Security

    Each October the NICCS (National Initiative For Cybersecurity Careers And Studies) leads National Cybersecurity Awareness Month (NCSAM). This year the focus is on personal accountability and taking proactive steps both at home and at work. Raxis is joining in the fun by offering tips that we all can try at home and in the workplace (or school), no matter our age or what we do.

    Computer & Smart Phone Basics

    These tips are the same ones you’ve been hearing for years, but it’s always good to have a reminder.

    Apply updates to your devices. The IT department at your office is likely handling this there, but it doesn’t hurt to check and be sure your operating systems and software are running current, patched versions. This is also important for your personal devices. Watch for notifications that it’s time to update your operating system and keep software that you buy up to date. Almost all software has a place (Updates, Preferences, Settings) where you can check to see if you are on the current version. Most vendors watch for security news and provide patches and updates as soon as they fix issues. And don’t forget smart devices, such as phones, tablets and household products like cameras and lighting systems. Such devices can be easy to overlook, and hackers often focus on them because they know that.

    Set passwords/passcodes on your computers and smart devices. Your kids may “hack” your phones by entering the passcode that you’ve told them and posting amusing Instagram photos, but, when you misplace your phone while out, you will appreciate setting that passcode so that a stranger doesn’t have access to your private information including sending texts, reading your emails, or erasing your phone for their own use. The same applies to computers. Step away for a few moments, and you don’t know if someone has stopped by to look at your private downloads or browser history.

    Use strong passwords. While on the topic of passwords, please don’t use 12345 or Password1. It’s often tempting to set easy passwords or the same password for every login to save time and make passwords easier to remember. Hackers count on that. Some websites allow hackers to guess many passwords until they find the right one, and, once they have it, they may try it to log in to your other accounts or even sell the password to other people. Raxis gives tips on setting passwords that are easy to remember but hard for others to guess here: The Weakest Link in the Password Hash.

    WiFi Networks

    Nowadays all sorts of places from coffee shops to hotels have free WiFi guest networks. It’s convenient to join these, and you can do that safely if you follow a few rules. While connected to these networks, there is a chance that a hacker could be watching your internet traffic, including passwords as you log in to sites and private information that you enter in websites or upload to the cloud. If you’re logging in to check a score or find the closest pizza parlor, there’s probably nothing for a hacker to steal. But if you plan to stay on the WiFi network for a while or do anything that may be private, Raxis advises that you use a VPN tool such as Private Internet Access (PIA) while connected to the guest WiFi network. Tools such as PIA have apps for your phones and tablets as well as software for your computer, and they often charge a low monthly or annual fee so that you can use the service at any time. Once you connect to the guest WiFi network, start PIA, and it will encrypt your internet traffic so that an attacker attempting to watch your secure data only sees gibberish.

    Setting up a home WiFi network. When setting up your WiFi network at home, either through tools from your local cable, phone or satellite service, or with your own wireless router, be sure to set a strong password (see above) on the administrative webpage where you set up the WiFi network. Though these sites appear to be personal for your home, the signal often travels outside and to neighbors’ houses. If you leave the site with no password or an easily guessable password, someone nearby could change your settings. Raxis also advises that you set a password to join your home wireless network. Though you’ll likely share this with friends and family, it makes it harder for someone nearby to join without you knowing.

    Use WPA2. Your router setup likely has several options for the wireless security protocol and sometimes defaults to a weak protocol. The WEP and WPA protocols are about 20 years old, and exploits are easily available on the internet. Several varieties of WPA2 are available on most routers, and any of these should work well for a home network.

    Social Engineering & Phishing

    Many hackers and thieves look for a simpler way to get the information and access they want.

    Email, fax and phone (calls & texts) phishing campaigns have become very realistic and are often difficult to distinguish from legitimate messages. Hackers can steal your information by talking you into telling them, tricking you into entering your private information, such as credentials, on their malicious webpage, or even automatically stealing credentials or infecting your computer when you open a link that they send you. At Raxis we advise our customers to stop and think before acting. Many companies, such as banks and stores, provide contact numbers and forms that you can call to confirm the information.

    It may seem brazen, but the easiest way to get access to businesses, apartment buildings, or other shared spaces, is to act like you belong and see if someone lets you in. Once inside, it’s often rare for people to confront others about whether they belong there. Raxis recommends not holding locked doors for people you don’t know as well as keeping confidential information and keys hidden in case someone does gain access. If someone appears suspicious to you, you don’t have to confront them. Let a security guard, receptionist, or someone in authority know.

    The most important thing to remember is, to quote the Department of Homeland Security, “If you see something, say something.” This is the case whether at work or at home. Check with your manager or IT department or check with your neighborhood watch or HOA. If you are not sure about an email from your bank, contact them about it; if it’s a scam, they may want to inform other customers. If you see someone acting suspiciously, report it or ask around.

    Raxis provides more information in the following series of blog posts:

    Stay Safe & Secure Out There!

    As the holiday season gets closer, remember that focusing on cybersecurity is not just for the month of October. When we focus on security in our daily lives, we can work together to make things more difficult for hackers and thieves. Let’s all do our part.

  • IKE VPNs Supporting Aggressive Mode

    In Raxis penetration tests, we often discover IKE VPNs that allow Aggressive Mode handshakes, even though this vulnerability was identified more than 16 years ago in 2002. In this post we’ll look at why Aggressive Mode continues to be a vulnerability, how it can be exploited, and how network administrators can mitigate this risk to protect their networks and remediate this finding on their penetration tests.

    What is an IKE VPN?

    Before we get into the security details, here are a few definitions:

    • Virtual Private Network (VPN) is a network used to securely connect remote users to a private, internal network.
    • Internet Protocol Security (IPSec) is a standard protocol used for VPN security.
    • Security Association (SA) is a security policy between entities to define communication. This relationship between the entities is represented by a key.
    • Internet Key Exchange (IKE) is an automatic process that negotiates an agreed IPSec Security Association between a remote user and a VPN.

    The IKE protocol ensures security for SA communication without the pre-configuration that would otherwise be required. This protocol is used by a majority of VPNs, including those manufactured by Cisco, Microsoft, Palo Alto, SonicWALL, WatchGuard, and Juniper. The IKE negotiation usually runs on UDP port 500 and can be detected by vulnerability scans. There are two versions of the IKE protocol:

    • IKEv2 was introduced in 2005 and can only be used with route-based VPNs.
    • IKEv1 was introduced in 1998 and continues to be used in situations where IKEv2 would not be feasible.

    Pre-Shared Keys (PSK)

    Many IKE VPNs use a pre-shared key (PSK) for authentication. The same PSK must be configured on every IPSec peer. The peers authenticate by computing and sending a keyed hash of data that includes the PSK. When the receiving peer (the VPN) is able to create the same hash independently using the PSK it has, confirming that the initiator (the client) has the same PSK, it authenticates the initiating peer.

    While PSKs are easy to configure, every peer must have the same PSK, weakening security.

    VPNs often offer other options that increase security but also increase the difficulty of client configuration.

    • RSA signatures are more secure because they use a Certificate Authority (CA) to generate a unique digital certificate. These certificates are used much like PSKs, but the peers’ RSA signatures are unique.
    • RSA encryption uses public and private keys on all peers so that each side of the transaction can deny the exchange if the encryption does not match.

    Cisco goes into details on these options in their VPN and VPN Technologies article.

    Aggressive Mode vs. Main Mode

    In this post, we are discussing the first phase of IKEv1 transmissions. IKEv1 has two phases:

    1. Establish a secure communications channel. This is initiated by the client, and the VPN responds to the method the client requested based on the methods its configuration allows.
    2. Use the previously established channel to encrypt and transport data. All communication at this point is expected to be secure based on the authentication that occurred in the first phase. This phase is referred to as Quick Mode.

    There are two methods of key exchange available for use in the first IKEv1 phase:

    1. Main Mode uses a six-way handshake where parameters are exchanged in multiple rounds with encrypted authentication information.
    2. Aggressive Mode uses a three-way handshake where the VPN sends the hashed PSK to the client in a single unencrypted message. This is the method usually used for remote access VPNs or in situations where both peers have dynamic external IP addresses.

    The vulnerability we discuss in this article applies to weaknesses in Aggressive Mode. While Aggressive Mode is faster than Main Mode, it is less secure because it reveals the authentication hash, which is derived from the PSK, in the clear. Aggressive Mode is used more often because Main Mode has the added complexity of requiring clients connecting to the VPN to have static IP addresses or to have certificates installed.

    Exploiting Aggressive Mode

    Raxis considers Aggressive Mode a moderate risk finding, as it would take a great deal of effort to exploit the vulnerability to the point of gaining internal network access. However, exploitation has been proven possible in published examples. The NIST listing for CVE-2002-1623 describes the vulnerability in detail. A useful tool when testing for IKE Aggressive Mode vulnerabilities is ike-scan, a command-line tool developed by Roy Hills for discovering, fingerprinting, and testing IPSec VPN systems. When setting up an IKE VPN, ike-scan is a great tool to use to verify that everything is configured as expected. When Aggressive Mode is supported by the VPN, the tool can be used to obtain the PSK hash, often without a valid group name (ID), which can in turn be passed to a hash cracking tool. If you use Kali Linux, ike-scan is included in the build. We can use the following command to download the PSK hash from an IKE VPN that allows Aggressive Mode:

    ike-scan -A [IKE-IP-Address] --id=AnyID -PTestkey
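    Since the post recommends ike-scan for verifying that a gateway is configured as expected, the following audit helper is an added example (not part of the Raxis post and not part of ike-scan itself). It parses the per-host lines ike-scan prints and flags any gateway that answered the Aggressive Mode probe, along with the authentication and hash algorithms the gateway proposed. The sample output is constructed for this example, and the assumed line layout (an IP address, a tab, then "Aggressive Mode Handshake returned ... SA=(...)") should be checked against the version of ike-scan you run.

```python
"""Audit helper: flag IKE gateways that accept Aggressive Mode from ike-scan output.

Added example, not part of the Raxis post or of ike-scan. The sample output
below is constructed; the per-host line format is an assumption about how
ike-scan prints its results.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: what `ike-scan -A <target> --id=AnyID -PTestkey` might print
# for one gateway that accepts Aggressive Mode and one that rejects the proposal.
SAMPLE_OUTPUT = """\
Starting ike-scan 1.9.5 with 2 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.0.2.10\tAggressive Mode Handshake returned HDR=(CKY-R=0123456789abcdef) SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) KeyExchange(128 bytes) Nonce(20 bytes) ID(Type=ID_IPV4_ADDR, Value=192.0.2.10) Hash(16 bytes)
192.0.2.20\tNotify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=fedcba9876543210)

Ending ike-scan 1.9.5: 2 hosts scanned in 0.120 seconds (16.67 hosts/sec).  1 returned handshake; 1 returned notify
"""

# Per-host result lines start with the responding IP followed by a tab.
HOST_LINE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\t(?P<body>.*)$")
# The SA=(...) block carries the transform the gateway accepted.
SA_BLOCK = re.compile(r"SA=\((?P<attrs>[^)]*)\)")


@dataclass
class IkeFinding:
    host: str
    mode: str                                  # "aggressive", "main" or "none"
    sa: dict = field(default_factory=dict)     # e.g. {"Auth": "PSK", "Hash": "MD5"}
    issues: list = field(default_factory=list)


def parse_ike_scan(output: str) -> list[IkeFinding]:
    """Turn ike-scan text output into one IkeFinding per responding host."""
    findings = []
    for line in output.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # banner, blank and summary lines carry no per-host data
        ip, body = m.group("ip"), m.group("body")
        if body.startswith("Aggressive Mode Handshake returned"):
            mode = "aggressive"
        elif body.startswith("Main Mode Handshake returned"):
            mode = "main"
        else:
            mode = "none"  # a notify such as NO-PROPOSAL-CHOSEN, not a handshake
        sa = {}
        sa_match = SA_BLOCK.search(body)
        if sa_match:
            for token in sa_match.group("attrs").split():
                key, _, value = token.partition("=")
                sa[key] = value
        finding = IkeFinding(ip, mode, sa)
        if mode == "aggressive":
            finding.issues.append(
                "Aggressive Mode handshake accepted: the PSK hash is sent unencrypted "
                "and can be cracked offline")
            if sa.get("Auth") == "PSK":
                finding.issues.append(
                    "PSK authentication in use; certificates would allow Main Mode or IKEv2 to be required")
            if sa.get("Hash") == "MD5":
                finding.issues.append("MD5 negotiated as the handshake hash")
        findings.append(finding)
    return findings


def hosts_accepting_aggressive(output: str) -> list[str]:
    """Convenience view: the addresses that should show up as a finding."""
    return [f.host for f in parse_ike_scan(output) if f.mode == "aggressive"]


if __name__ == "__main__":
    for f in parse_ike_scan(SAMPLE_OUTPUT):
        print(f.host, f.mode, f.sa.get("Auth"), f.sa.get("Hash"))
        for issue in f.issues:
            print("  -", issue)
```

    Feed it the saved output of a scan against your own gateways (for example with ike-scan's -A option, as above) and treat every host listed by hosts_accepting_aggressive as the same moderate-risk finding this post describes; an empty list after remediation is the evidence to attach to a retest.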

    The screenshot in the original post shows this command successfully retrieving a PSK hash. The tool also comes with psk-crack, which offers various options for cracking the discovered PSK hash. Because Aggressive Mode allows us to download the PSK hash, we can attempt to crack it offline for extended periods without alerting the VPN owner. Hashcat also provides options for cracking IKE PSKs. This is an example Hashcat command for cracking an IKE PSK hash that uses MD5:

    ./hc.bin -m 5300 md5-vpn.psk -a 3 ?a?a?a?a?a?a -u 1024 -n 800

    Another useful tool is IKEForce, which is a tool created specifically for enumerating group names and conducting XAUTH brute-force attacks. IKEForce includes specific features for attacking IKE VPNs that are configured with added protections. 

    What VPN Administrators Can Do to Protect Themselves

    As Aggressive Mode is an exploitable vulnerability, IKE VPNs that support Aggressive Mode will continue to appear as findings on penetration tests, and they continue to be a threat that could be exploited by a determined attacker. We recommend that VPN administrators take one or more of the following actions to protect their networks. When documented, these actions should also satisfy any remediation burden associated with a prior penetration test or other security assessment.

    1. Disable Aggressive Mode and only allow Main Mode when possible. Consider using certificates to authenticate clients that have dynamic IP addresses so that Main Mode can be used instead of Aggressive Mode.
    2. Use a very complex, unique PSK, and change it on a regular basis. A strong PSK, like a strong password, protects the VPN by making the captured hash impractical to crack.
    3. Change default or easily guessable group names (IDs) to complex group names that are not easily guessed. The more complex the group name, the harder it is for an attacker to gain access to the VPN.
    4. Keep your VPN fully updated and follow vendor security recommendations. Ensuring software is up to date is one of the best ways to stay on top of vulnerability management.
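    To make the first two recommendations concrete, here is an added example (not from the Raxis post and not part of strongSwan) that lints strongSwan-style ipsec.conf "conn" sections for the settings the list above targets. The two conn blocks are constructed for this example: "legacy-remote-access" shows the weak configuration (IKEv1 with Aggressive Mode and a shared secret) and "remote-access-hardened" the corrected one (IKEv2 only, certificate authentication). The option names (keyexchange, aggressive, authby, ike, leftcert, rightca) follow strongSwan's ipsec.conf syntax as I know it; confirm them against the ipsec.conf(5) manual page of your installed version.

```python
"""Configuration check for IKE Aggressive Mode and related weak settings.

Added example, not part of the Raxis post or of strongSwan. Parses
strongSwan-style ipsec.conf text and reports the settings an administrator
should change. The sample configuration is constructed for this example.
"""

# Constructed sample: one weak conn and its hardened counterpart side by side.
SAMPLE_IPSEC_CONF = """\
config setup
    uniqueids=yes

conn legacy-remote-access
    keyexchange=ikev1
    aggressive=yes
    authby=secret
    ike=3des-md5-modp1024
    leftid=@vpn.example.com
    rightid=%any
    auto=add

conn remote-access-hardened
    keyexchange=ikev2
    authby=pubkey
    ike=aes256-sha256-modp2048
    leftcert=gatewayCert.pem
    leftid=@vpn.example.com
    rightca=%same
    auto=add
"""


def parse_conns(text: str) -> dict[str, dict[str, str]]:
    """Return {conn name: {option: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                  # section header, e.g. "conn foo"
            kind, _, name = line.strip().partition(" ")
            current = conns.setdefault(name, {}) if kind == "conn" else None
            continue
        if current is not None and "=" in line:    # indented option line
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns


def lint_conn(opts: dict[str, str]) -> list[str]:
    """Issues for one conn; an empty list means the section passes this check."""
    issues = []
    # strongSwan's default keyexchange is 'ike', which still accepts IKEv1 as responder.
    kx = opts.get("keyexchange", "ike")
    if kx in ("ikev1", "ike") and opts.get("aggressive", "no") == "yes":
        issues.append("aggressive=yes: IKEv1 Aggressive Mode sends the PSK hash in the clear")
    if kx != "ikev2":
        issues.append(f"keyexchange={kx}: IKEv1 still accepted; set keyexchange=ikev2 where clients allow it")
    if opts.get("authby") == "secret":
        issues.append("authby=secret: shared-secret authentication; prefer certificates (authby=pubkey)")
    weak = [alg for alg in ("md5", "3des", "modp1024") if alg in opts.get("ike", "").lower()]
    if weak:
        issues.append("ike proposal uses " + ", ".join(weak))
    return issues


def lint_config(text: str) -> dict[str, list[str]]:
    """Lint every conn in an ipsec.conf document."""
    return {name: lint_conn(opts) for name, opts in parse_conns(text).items()}


if __name__ == "__main__":
    for name, issues in lint_config(SAMPLE_IPSEC_CONF).items():
        print(f"conn {name}: {'OK' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

    Running it on the sample reports four issues for the legacy conn and none for the hardened one. The hardened conn is the shape the first recommendation describes: with certificates in place the gateway no longer needs Aggressive Mode to accommodate clients on dynamic addresses, so IKEv2 (or Main Mode, if IKEv1 must stay) can be required outright.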

    Also see our post on creating a secure password for more information on creating a strong PSK.