Hello. This is Susan Bradley for CSO Online.

Today I'm going to talk about virtual private networks, or specifically VPN software. It all started when the other day the Internal Revenue Service, the United States tax enforcement organization, released Publication 4557, talking about steps that tax preparation firms needed to take in order to maintain data security for taxpayers' information. And one of the items in the guidance that they gave kind of struck me as a bit odd. It had to do with discussing what to do with public Wi-Fi. And they recommended that you only access business or similar sensitive documents if you used a VPN. It said a VPN provides a secure encrypted tunnel to transmit data between a remote user through the Internet and the company network. And then they said search for "best VPNs" to find a legitimate vendor; major technology sites often provide lists of top services. And I saw that and went, wow, you know, the number of times that I've Googled "best VPN software" I've hit so many malicious websites it's not funny.

So, is VPN more secure? Let's think about that. So first off, when you go looking around for VPN software, VPN phone applications in particular aren't so secure. In fact a Wired article at least two years ago found that 283 mobile VPN applications on the Google Play store were found to be malicious or to have significant privacy and security limitations. So don't get pulled in by the lure of free software either. As research has shown, when you don't pay for something you're often the product. Once again, various different Android VPN permission-based apps were reviewed and many of them had issues with privacy and security. Two years later and now we see research that 90 percent of popular free VPN apps on the Apple and Google Play stores have serious user privacy flaws. Things are not better.

But what about applications in corporate VPN software? Recently attackers have been targeting VPN platforms, and they are being used in active attacks; specific attackers are targeting the telecommunications, software and defense industries. VPN software is their new target. Once they steal the passwords into the VPN software, they then use more typical attack tools to get inside the network and do lateral movement; for example, they use Mimikatz, PwDump and WDigest credential harvesting to gain more access into the network. Attackers are also going after Office 365 mailboxes by using tools such as the Ruler penetration testing tool and abusing the Exchange Web Services API.

Back in July a presentation was done at Black Hat talking about ways to get into networks using VPN vulnerabilities, in particular using a pre-auth remote code execution exploit on the leading SSL VPNs. Specifically, if you're using Pulse Connect Secure, look for CVE-2019-11510 and also Pulse Connect Secure CVE-2019-11539. If you're using Fortinet, you need to make sure you're patched for CVE-2018-13379, CVE-2018-13382 and also CVE-2018-13383. Most of these are post-authorization heap overflows; they allow an attacker to gain a shell running on the router itself. Last but not least, you want to make sure you patch for CVE-2019-1579 if you're running Palo Alto VPNs.

If you've been attacked, you want to make sure you look at the log files on the virtual private network device and also look for evidence of compromised accounts and active use. Look for connections that don't make sense, that are done during odd times, and other unusual events in your log files. When choosing VPN solutions, make sure you understand, and give yourself ways so that you can patch and maintain, the remote access. You can also consider adding multi-factor authentication when using VPN solutions. For example, Duo is one vendor that allows VPNs to have two-factor authentication. You want to make sure that you provide guidance and education to users on how to use the two-factor authentication process.

Bottom line, don't just automatically assume that VPN applications make you more secure. They can introduce more risk, not less. So think about that. VPN isn't inherently secure; treat it accordingly. Make sure you can update it, make sure you can patch it, and look for its abilities to add two-factor to it.

Until next time, this is Susan Bradley. Don't forget to sign up for Techtalk from IDG and look for us on the YouTube channel. Until next time. This is Susan Bradley. Thank you again. Bye bye.
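The log review the talk recommends (off-hours sessions and accounts logging in from addresses that don't make sense), as an added example that is not part of the original talk: the syslog-style line format, the business-hours window and the sample log lines are all constructed assumptions, not any vendor's real VPN log format.

```python
"""Flag suspicious VPN logins: off-hours sessions and one account seen from many source IPs."""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log lines; the key=value layout is an assumed format, not a real vendor's.
SAMPLE_LOG = """\
2019-09-10T08:02:11 vpn01 login user=alice src=203.0.113.10 result=success
2019-09-10T08:15:42 vpn01 login user=bob src=198.51.100.7 result=success
2019-09-10T23:47:03 vpn01 login user=alice src=192.0.2.55 result=success
2019-09-11T02:13:59 vpn01 login user=alice src=192.0.2.56 result=success
2019-09-11T09:30:00 vpn01 login user=carol src=203.0.113.20 result=failure
2019-09-11T03:05:27 vpn01 login user=bob src=198.51.100.7 result=success
"""

# Assumed local business window; anything outside it is treated as an "odd time".
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)


def parse_line(line):
    """Split one log line into a dict: timestamp, host, event plus key=value fields."""
    ts, host, event, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, **fields}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def off_hours_logins(events):
    """Successful logins whose time of day falls outside the business window."""
    return [e for e in events
            if e["event"] == "login" and e["result"] == "success"
            and not (BUSINESS_START <= e["ts"].time() < BUSINESS_END)]


def multi_source_accounts(events, max_ips=1):
    """Accounts with successful logins from more than max_ips distinct source addresses."""
    ips = defaultdict(set)
    for e in events:
        if e["event"] == "login" and e["result"] == "success":
            ips[e["user"]].add(e["src"])
    return {u: sorted(s) for u, s in ips.items() if len(s) > max_ips}


def review(text=SAMPLE_LOG):
    """Run both checks and return the findings for triage."""
    events = parse_log(text)
    return {"off_hours": [(e["user"], e["ts"].isoformat()) for e in off_hours_logins(events)],
            "multi_source": multi_source_accounts(events)}


if __name__ == "__main__":
    for check, findings in review().items():
        print(check, findings)
```

Failed logins are ignored by both checks on purpose; a follow-up would count failures per account to spot password guessing against the VPN.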