Concluding Thoughts – Week 15

As I am privately hosting this blog, I’ll at least maintain it for the next semester to permit any referencing of it. After next semester, I will decide whether to maintain this blog for the foreseeable future or whether I’ll try and archive and set the host offline.

For those of you interested in the technicalities of this blog, the following items were used in its construction:

  1. FreeBSD
  2. FreeBSD jail
  3. nginx
    • As a reverse proxy at my firewall, and
    • As a jail-hosted daemon
  4. WordPress
  5. PHP packages
  6. MySQL/MariaDB
  7. NoIP DyDNS
  8. Certbot HTTPS Certificate and internal SSL certificate fun
  9. VLANs and other networking know-how

I hope you have a Happy Holiday season, and I wish you the best of luck toward your future aspirations.

If you have any job hook-ups, please email me if you think that I’d be a great fit; I am on the market for a job or internship. I am taking my F5 Certified Administrator exam this Monday, December 11th for the 3rd time (as a renewal candidate). You can also connect with me on LinkedIn at: https://www.linkedin.com/in/matthewmarkfort

VPNs Still Don’t Work – Week 2

Original posting by Feisty Duck: Feisty Duck: VPNs Still Don’t Work, which based their Newsletter from TunnelCrack.

The Feisty Duck reiterates TunnelCrack’s conclusions so I’ll try to articulate the two vulnerabilities/attack vectors identified by TunnelCrack. The first attack dubbed “LocalNet Attack” is where the malicious actor clones a WiFi hotspot, which are commonly available in public spaces, like the WiFi at StarBucks. The user, thinking that this is owned and operated by the establishment, foolishly connects to it, where the hacker assigns an IP address from their private pool. The malicious actor can then exploit the vulnerability because VPNs are notorious for permitting LAN address communication. When the user tries to connect with a site, the malicious actor injects or monitors web traffic between its unsuspecting user and a legitimate site.

The second attack, dubbed “ServerIP Attack,” is a little more complex, but the principle is the same; “while establishing the VPN connection, the victim will add a routing rule so that all traffic to the VPN server, in this case the spoofed IP address 1.2.3.4, is sent outside the VPN tunnel.” And because VPNs don’t re-encrypt traffic between the user and its VPN server, the user connects to an unsafe point, which leaks information.

The TunnelCrack team did testing for a broad set of VPN clients and platforms, and they discovered that Apple users are most susceptible, whereas other platforms and VPN clients did better; Android, after version 12, is least affected.

The reason why Feisty Duck posted about these attacks is because they’re a good source for SSL/TLS configuration. Feisty Duck concludes that when a “combination of TLS, valid certificates, and HTTP Strict Transport Security” are implemented, users are far better protected from these exploits. It’s easy to spoof DNS and masquerade as a legitimate server until TLS is properly vetted since most 3rd Parties, like Verisign and GoDaddy, protect their private keys like Crown Jewels.

I did notice that from the TunnelCrack post that VPNs are also susceptible since, like in OpenVPN, the host configuration keyword is often accompanied by a DNS hostname, which can easily be spoofed.

One thing that I didn’t see in these blog posts/newletters was mention of DNSSEC, but I guess, DNS — when it performs a forward lookup — may not be running the gauntlet to validate that the DNS reply is using properly configured DNSSEC; it’s probably less likely.

Continue reading VPNs Still Don’t Work – Week 2