For a long time, only third-party software existed to connect two networks over an encrypted connection (called Virtual Private Networking, or VPN). Microsoft then built a version of this technology into Windows Server, and its use became widespread.
This functionality is incorporated into many office networks to give remote users access to the office while at home or on the road. Security researchers at the Black Hat computer security conference recently presented findings that Microsoft's built-in VPN authentication is old and outdated and should be retired, for the sake of the people who rely on it believing they are secure. CloudCracker published a blog post detailing, step by step, how the authentication process works and how it can be compromised. They also released tools on the internet that allow anyone to crack captured VPN authentication data in under 20 hours. This affects us and our clients quite a bit. We've already begun working out plans to rethink who needs VPN access, and how we deploy it.
Microsoft issued a security advisory about 3 weeks later with recommendations on how to mitigate the impact. This is sour news, as the recommended changes make client configuration on Windows machines rather difficult and nearly impossible on other client systems like Mac or Linux; that includes VPN over iPhone or iPad.
Luckily, this is still in its early stages. This is a very targeted attack, and an attacker still needs to capture the authentication data while it is in transit, which is not an easy task. The path of a VPN connection over a wired network, like your home or a hotel, can generally be verified. Wireless access is the major problem: if you aren't certain which network you're connecting to, your traffic can be sniffed and monitored. Boiled down: don't use VPN over an open Wi-Fi hotspot, even a neighbor's open wireless network; you can never be sure what you're connecting to. In time we will convert our clients to a new security policy for virtual private networking that allows as much of the flexibility that people have come to expect while remaining secure.