Subject: [NEWS] Findnot.com VPN Service Address Privacy Breach and Unencrypted Data
Date: 2 May 2006 13:57:45 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com

  Findnot.com VPN Service Address Privacy Breach and Unencrypted Data
------------------------------------------------------------------------


SUMMARY

Findnot.com provides online anonymous services.

An unexpected, intermittent IP address privacy breach causes immediate loss 
of anonymity, sends unencrypted data directly out to the Internet, and 
exposes the service to DNS lookup spoofing.

DETAILS

Vulnerable Systems:
 * Findnot.com's VPN Service which uses Microsoft PPTP Client

Several vulnerabilities have been reported in Findnot.com's Microsoft PPTP 
VPN Service Client, which can cause intermittent, immediate loss of 
anonymity and privacy while using the service:
* IP Address Privacy Breach: your REAL IP address is exposed during Internet 
activity to remote sites that, seconds earlier, saw only the anonymous VPN 
IP address.

* Encryption Data Link Broken: data is sent unencrypted directly out to the 
Internet, where it is viewable by users on the local network, the ISP, or a 
snooping local government, all while the user assumes all data is encrypted 
between their machine and the VPN server.

* DNS Spoofing: while the VPN is disconnected and attempting to reconnect, 
DNS queries go to the local, possibly unsecured DNS system of a shared 
setting such as a WiFi hotspot, hotel or internet cafe, so www.hostname.com 
may actually be resolved to a spoofed website while the user assumes they 
are using the secure VPN DNS servers.

This vulnerability is caused by the VPN software dropping the machine's 
routing of data through the VPN when it encounters a disconnection from the 
remote VPN server, and instead sending the data directly over the Internet 
to the sites being accessed.

The vulnerability has been reported by many users of the Findnot.com 
system. It is most likely to happen on a congested Findnot.com server, or 
because of an internet connection problem somewhere between your machine 
and the VPN server.

From the vendor's website:
"...If you are concerned about a connection to one of our servers being 
dropped during a transaction like a download and your real ip address then 
being revealed relax. In most applications ...[when the]... VPN server 
drops, the application times out."

<http://web.archive.org/web/20050326031144/http://www.findnot.com/howitworks.html>

Yes, they actually tell you to "relax" about your privacy being breached.

This is a rash and irresponsible statement from a so-called provider of 
anonymous Internet services. Instead of recommending that the VPN therefore 
not be used, the vendor advises the customer to "relax", but then 
contradicts itself in a following recommendation:

"...For real bullet proof protection just run the application through the 
SSH Proxy..."

<http://web.archive.org/web/20050326031144/http://www.findnot.com/howitworks.html>

In other words, if you are concerned about your IP address privacy and your 
data encryption, don't use the VPN; use the SSH Proxy.

It is concerning, to say the least, that they are so hypocritical about use 
of the VPN despite the clear and present danger to anonymity it presents. 
It brings into question other aspects of their setup.

In fact the SSH Proxy has its own vulnerability, covered in the security 
advisory "Findnot.com DNS Privacy Breach" (Advisory Id: FN15398), which 
exposes the websites you visit to snoopers on your wireless connection, 
local network, or ISP while using the 'SSH Proxy' service of Findnot.com.

Validation:
Load etherape and sniff on your local internet connection interface. 
Choose a very busy Findnot.com server where a disconnect is likely due to 
connection issues with the VPN server, or temporarily unplug your local 
internet connection cable to simulate an internet connection problem. The 
VPN will disconnect and you will immediately see your network traffic going 
directly out onto the net unencrypted, with connections being made directly 
to the sites being accessed by your applications. Your DNS queries will 
also be answered by your local ISP or gateway machine, revealing what sites 
you are accessing to the operator of that DNS server.

Suggested solution:
When the Findnot.com VPN is used, firewall ALL applications from direct 
access to the net, and only allow them access to the VPN interface while it 
is up. Toggle your firewall settings back to allow all applications access 
to the internet interface when not using the Findnot.com VPN. Contact your 
system administrator for instructions, as this is not a trivial task, and 
beyond the scope of most Internet users and this document. Or use a real 
solution.

Use an alternative VPN client such as the Open Source OpenVPN system which 
does not have these vulnerabilities.
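The firewalling approach recommended above, as an added example that is not from the advisory or the vendor: a VPN "kill switch" for a Linux host using iptables (the advisory's client is the Microsoft PPTP client on Windows; the Windows firewall can express the same policy). The interface names eth0/ppp0 and the VPN server address 203.0.113.10 are assumed placeholders; PPTP itself uses TCP/1723 for its control channel plus GRE for the tunnel.

```shell
#!/bin/sh
# Added example (not from the advisory): iptables kill switch for a PPTP VPN.
# Assumed, constructed values: physical uplink eth0, PPTP tunnel interface
# ppp0, VPN server 203.0.113.10 (documentation address, placeholder).

# Print the OUTPUT-chain rules for "VPN in use": only the PPTP control channel
# (TCP/1723) and the GRE tunnel to the VPN server may leave via the uplink;
# every other packet, DNS included, must leave via the tunnel interface or is
# logged and dropped. If the tunnel goes down, nothing falls back to the uplink,
# which is exactly the leak described in the advisory. The resolver you use
# must therefore be reachable through the tunnel.
gen_killswitch_rules() {
    wan_if=$1; vpn_if=$2; vpn_srv=$3
    cat <<EOF
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o $wan_if -d $vpn_srv -p tcp --dport 1723 -j ACCEPT
iptables -A OUTPUT -o $wan_if -d $vpn_srv -p gre -j ACCEPT
iptables -A OUTPUT -o $vpn_if -j ACCEPT
iptables -A OUTPUT -o $wan_if -j LOG --log-prefix "VPN-LEAK-BLOCKED: "
iptables -A OUTPUT -j DROP
EOF
}

# Print the rules for "VPN not in use": restore normal direct access.
gen_open_rules() {
    cat <<EOF
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
EOF
}

# Apply a rule set (needs root). Default is a dry run that only prints it.
apply_rules() {
    if [ "${APPLY:-0}" = 1 ]; then sh; else cat; fi
}

case "${1:-}" in
    up)   gen_killswitch_rules "${WAN_IF:-eth0}" "${VPN_IF:-ppp0}" \
              "${VPN_SRV:-203.0.113.10}" | apply_rules ;;
    down) gen_open_rules | apply_rules ;;
esac
```

Run `./killswitch.sh up` to preview the rules and `APPLY=1 ./killswitch.sh up` (as root) to install them; the kernel log then shows any application that tried to bypass the tunnel with the "VPN-LEAK-BLOCKED:" prefix.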


ADDITIONAL INFORMATION

The information has been provided by 123 Privacy Advisories 
<mailto:123privacy_advisory@mailvault.com>.
