Common VPN Security Flaws

Publication Date: 25th January 2005
Author: Roy Hills

Key Findings:

  1. 90% of remote access VPN systems have exploitable vulnerabilities
  2. New security flaws - Username Enumeration Vulnerabilities
  3. Lack of best security practice

Over a three-year period of testing VPNs, NTA Monitor has discovered that 90% of remote access VPN systems have exploitable vulnerabilities. The tests were mainly carried out for large organisations, including financial institutions that had their own in-house security teams. The common belief is that VPN systems are invulnerable, when in fact they are frequently the weak link in an otherwise secure system.

Username Enumeration Vulnerabilities

Many remote access VPNs have vulnerabilities that allow valid usernames to be guessed through a dictionary attack, because they respond differently to valid and invalid usernames. One of the basic requirements of a username/password authentication scheme is that an incorrect login attempt should not leak information as to whether the username or password was incorrect, because the attacker can then deduce if the username is valid or not. However, many VPN implementations ignore this rule.

The fact that VPN usernames are often based on people's names or email addresses makes it relatively easy for an attacker to use a dictionary attack to recover a number of valid usernames in a short period of time.

During VPN security testing, NTA Monitor has found many usernames in this way. It is believed this VPN guessing issue is a new discovery, and several vendors have been notified. However, the vendors have not always implemented fixes after notification, so many systems are still vulnerable.

Offline password cracking

Once a valid username is obtained, IKE Aggressive Mode makes it possible to obtain a hash from the VPN server and use this to mount an offline attack to crack the associated password. Because this attack is offline, it does not show in the VPN server log or cause account lockout. It is also extremely fast: typically several hundred thousand guesses per second.
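The two issues described above (different responses for valid and invalid usernames, and a server-supplied hash whose only secret input is the pre-shared key) modelled in Python, as an added example that is not NTA Monitor's code nor ike-scan. SKEYID and HASH_R follow RFC 2409 sections 5.4 and 5.1 with HMAC-SHA1 as the prf; the cookies, nonces, Diffie-Hellman values, SA payload body, PSK table and responder ID are constructed placeholders; responder() and responses_distinguishable() are my own simulation of a vulnerable responder beside a hardened one.

```python
import hmac
import hashlib
import secrets

# Constructed values. In a real exchange every one of these travels in the clear
# in the first two Aggressive Mode messages; only the PSK is secret.
CKY_I = bytes.fromhex("0123456789abcdef")        # initiator cookie
CKY_R = bytes.fromhex("fedcba9876543210")        # responder cookie
NI = bytes.fromhex("11" * 16)                    # initiator nonce Ni_b
NR = bytes.fromhex("22" * 16)                    # responder nonce Nr_b
GXI = bytes.fromhex("33" * 32)                   # g^xi (toy length)
GXR = bytes.fromhex("44" * 32)                   # g^xr (toy length)
SAI_B = bytes.fromhex("0000000100000001")        # SAi_b, initiator SA body (toy)
ID_R = b"vpn.example.test"                       # IDir_b, responder identity

# Constructed ID -> PSK table standing in for the server's user/group database.
PSK_DB = {b"alice": b"correct horse battery staple"}
# Hardened path: a random key used to answer unknown IDs so the reply has the same shape.
UNKNOWN_PSK = secrets.token_bytes(32)


def skeyid_psk(psk: bytes) -> bytes:
    """RFC 2409 5.4: with pre-shared keys, SKEYID = prf(PSK, Ni_b | Nr_b)."""
    return hmac.new(psk, NI + NR, hashlib.sha1).digest()


def hash_r(psk: bytes, id_ir: bytes) -> bytes:
    """RFC 2409 5.1: HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    msg = GXR + GXI + CKY_R + CKY_I + SAI_B + id_ir
    return hmac.new(skeyid_psk(psk), msg, hashlib.sha1).digest()


def responder(id_ii: bytes, hardened: bool):
    """Simulated reply to Aggressive Mode message 1 carrying the initiator ID IDii.

    Returns (payload summary, HASH_R) or None for 'no reply'. The vulnerable
    responder stays silent for unknown IDs, which is exactly the oracle the
    dictionary attack needs; the hardened one answers identically either way.
    """
    psk = PSK_DB.get(id_ii)
    if psk is None:
        if not hardened:
            return None
        psk = UNKNOWN_PSK
    return ("SA,KE,Nr,IDir,HASH_R", hash_r(psk, ID_R))


def responses_distinguishable(hardened: bool, known_id: bytes, unknown_id: bytes) -> bool:
    """The check a tester applies: does the kind of reply differ between a valid and an invalid ID?"""
    a = responder(known_id, hardened)
    b = responder(unknown_id, hardened)
    if (a is None) != (b is None):
        return True
    return a is not None and a[0] != b[0]


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "vulnerable",
              "leaks username validity:" ,
              responses_distinguishable(mode, b"alice", b"nobody"))
```

The hardened responder only closes the username oracle; the HASH_R it returns for a real ID is still computable by anyone holding the wire data and a candidate PSK, which is why the hash can be attacked offline at CPU speed and why the PSK strength (or certificate authentication, or Main Mode) decides how much that leak costs. Response timing must also be kept constant for the fix to hold, which this model does not show.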

VPNs are an attractive target to hackers

VPNs carry sensitive information over an insecure network, and remote access VPNs often allow full access to the internal network, while VPN traffic is usually invisible to IDS monitoring. With increasing security in other areas, e.g. more organisations installing firewalls, moving Internet servers onto the DMZ and automatically patching servers, the VPN becomes a more tempting target.

Security practices

The majority of VPN vendors still allow their implementations to leak information about valid usernames and do not lock out accounts after a number of failed attempts. This does not happen on operating system login and should not occur on VPN implementations.
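The two practices the paragraph asks for, account lockout after repeated failures and not leaking which usernames exist, are only useful if the VPN's authentication log is actually watched. Here, as an added example that is not NTA Monitor's code and not any vendor's log format, is a small Python guard that locks an account after a fixed number of consecutive failures and flags a source that fails against many distinct user IDs within a short window (the signature of the dictionary attack described above). The log lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log lines in a generic format (not a real vendor syslog format):
# timestamp, source address, user ID presented in phase 1, and the outcome.
SAMPLE_LOG = """\
2005-01-25T09:00:00 src=203.0.113.5 id=alice result=fail
2005-01-25T09:00:02 src=203.0.113.5 id=alice result=fail
2005-01-25T09:00:04 src=203.0.113.5 id=alice result=fail
2005-01-25T09:00:06 src=203.0.113.5 id=alice result=fail
2005-01-25T09:00:08 src=203.0.113.5 id=alice result=fail
2005-01-25T09:00:10 src=203.0.113.5 id=alice result=ok
2005-01-25T09:05:00 src=198.51.100.7 id=asmith result=fail
2005-01-25T09:05:01 src=198.51.100.7 id=bjones result=fail
2005-01-25T09:05:02 src=198.51.100.7 id=cbrown result=fail
2005-01-25T09:05:03 src=198.51.100.7 id=dwhite result=fail
2005-01-25T09:05:04 src=198.51.100.7 id=egreen result=fail
2005-01-25T09:05:05 src=198.51.100.7 id=fblack result=fail
2005-01-25T09:20:00 src=192.0.2.9 id=bob result=fail
2005-01-25T09:20:30 src=192.0.2.9 id=bob result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) id=(?P<id>\S+) result=(?P<result>ok|fail)$"
)


class AuthGuard:
    """Per-account lockout plus per-source username-enumeration detection.

    lockout_threshold: consecutive failures before an account is locked.
    enum_threshold: distinct IDs failing from one source within `window` seconds.
    """

    def __init__(self, lockout_threshold=5, enum_threshold=5, window=60):
        self.lockout_threshold = lockout_threshold
        self.enum_threshold = enum_threshold
        self.window = window
        self.failures = defaultdict(int)   # uid -> consecutive failures
        self.locked = set()                # uids currently locked out
        self.recent = defaultdict(deque)   # src -> deque of (ts, uid) failures in window
        self.flagged_sources = set()       # sources already reported for enumeration
        self.alerts = []

    def observe(self, ts, src, uid, result):
        """Feed one authentication event; return True if the attempt is allowed."""
        if uid in self.locked:
            self.alerts.append(f"denied: {uid} is locked (attempt from {src})")
            return False
        if result == "ok":
            self.failures[uid] = 0         # a success resets the consecutive counter
            return True
        self.failures[uid] += 1
        if self.failures[uid] >= self.lockout_threshold:
            self.locked.add(uid)
            self.alerts.append(f"lockout: {uid} after {self.failures[uid]} failures")
        # Sliding window of failures per source; many distinct IDs means guessing.
        q = self.recent[src]
        q.append((ts, uid))
        while q and (ts - q[0][0]).total_seconds() > self.window:
            q.popleft()
        distinct = {u for _, u in q}
        if len(distinct) >= self.enum_threshold and src not in self.flagged_sources:
            self.flagged_sources.add(src)
            self.alerts.append(
                f"enumeration: {src} failed {len(distinct)} distinct IDs in {self.window}s"
            )
        return True


def analyse(log_text, **kwargs):
    """Run the guard over a log in the constructed format and return it for inspection."""
    guard = AuthGuard(**kwargs)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # ignore lines that are not auth events
        guard.observe(datetime.fromisoformat(m["ts"]), m["src"], m["id"], m["result"])
    return guard


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG).alerts:
        print(alert)
```

Two design points worth noting. A lockout on its own hands anyone who knows a username a way to deny that user service, so the per-source window matters as much as the per-account counter. And the enumeration detector only works if the VPN logs the presented ID for failed Phase 1 attempts; a gateway that silently drops unknown IDs leaves nothing to count, which is one more reason the response to unknown and known usernames should be the same and logged the same way.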

VPN testing

NTA Monitor recommends that VPNs should be tested regularly to ensure they are secure. Tools such as NTA Monitor's updated ike-scan can help to test a VPN, but the tool is quite complex and needs to be fully understood in order to be used effectively.

This is a summary; the full paper is available from NTA Monitor.