Enterprise VPNs Found Vulnerable: Is Yours One?
What do you do when the measures you put in place to protect yourself online are insecure?
That’s just what customers of Pulse Secure Connect, Cisco AnyConnect, and Palo Alto Networks were asking themselves a few months ago. It seems that a flaw caused authentication and session cookies to be stored insecurely in user log files of enterprise VPN clients. Two of the providers have since released an update to patch the vulnerability, but the question remains:
Could this happen again?
The answer to that seems to be a resounding “Yes,” when you consider a CERT/CC incident report warning that the flaw could still affect products from some 230+ other vendors. Is yours one of them?
What is the Vulnerability?
The vulnerability was discovered by the National Defense ISAC Remote Access Working Group and was made public on April 10, 2019. Few details have been released, but the flaw is that the VPN client improperly stores session and authentication information. Anyone who obtains that information can use it to spoof the user and gain access to their browsing sessions, including online accounts.
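A defender can check their own machines for this class of problem by scanning a VPN client's log directory for values that look like session or authentication secrets, and by checking whether those files are readable by other users. The following is an added example, not code from the original article or from any vendor; the key names in the pattern, the file name `vpnclient.log` and the sample log lines are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Assumed heuristic (not any vendor's real log format): key names that often
# carry session or authentication secrets, followed by a long opaque value.
SECRET_RE = re.compile(
    r"(?i)\b(set-cookie|cookie|session[_-]?id|auth[_-]?token|authcookie)\b"
    r"\s*[:=]\s*(\S{16,})"
)

def scan_log(path):
    """Return (line_number, key, masked_value) for each suspected secret."""
    findings = []
    with open(path, "r", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for m in SECRET_RE.finditer(line):
                # Mask the value so the report does not become a second leak.
                findings.append((lineno, m.group(1).lower(), m.group(2)[:4] + "..."))
    return findings

def readable_by_others(path):
    """POSIX permission check: can group or other users read this file?"""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))

def audit(log_dir):
    """Walk a log directory and report every file that contains suspected secrets."""
    report = {}
    for root, _dirs, files in os.walk(log_dir):
        for name in files:
            path = os.path.join(root, name)
            hits = scan_log(path)
            if hits:
                report[path] = {"hits": hits, "exposed": readable_by_others(path)}
    return report

def demo():
    """Run the audit over a constructed sample log in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "vpnclient.log")  # hypothetical file name
        with open(path, "w") as fh:
            fh.write("2019-04-10 09:00:01 connecting to gateway\n"
                     "2019-04-10 09:00:02 Set-Cookie: SESSIONEXAMPLE0123456789abcdef\n"
                     "2019-04-10 09:00:03 auth_token=CONSTRUCTEDtoken0123456789\n")
        os.chmod(path, 0o644)  # world-readable, the weak setting
        return audit(d)
```

Any hit means the session should be treated as exposed: log out to invalidate it, update the client, and restrict or delete the log file.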
Vulnerabilities Vs Selling Data
Another alarming trend in the digital privacy space is vendors selling client data. Even highly profitable companies have begun to monetize user data a second time by selling it to third-party software companies. One such company is Avast, which had been selling data, including sensitive financial information, to a number of US businesses. A 2019 VPN report by Hosting Canada showed that over 1/3 of commercial VPNs sold client data, as did nearly all free VPNs.
How is it Spread?
By using a pass-the-hash attack or hijacking authentication and/or session cookies, hackers with access to the app storage can commandeer user computers and access sensitive data like account passwords, credit card information, and even their name and address. This can be done remotely from any location. Although the companies known to be affected have patched the flaw, the only sure solution is to prevent users from installing vulnerable apps altogether.
Are VPNs Still Safe?
Despite new advances in enterprise cyber security, nothing is 100 percent impenetrable. However, all but one of the companies known to be affected have released updates to correct the defect. Palo Alto Networks GlobalProtect Agent version 4.1.1 and macOS users with version 4.1.11 and up can find their patch here. Pulse Secure Desktop Client and Network Connect users can go here for their fix. The lone outlier, Cisco AnyConnect, has not yet released any information to help its customers. The flaw affects customers using versions 4.7.x and prior.
What to Look for in a Secure VPN
In many countries, your ISP and government agencies can snoop on your activity unless you have something in place to hide your IP address and location. That’s why many people choose virtual private networks. Not only do they allow access to geo-blocked accounts while you’re traveling, they also enable free and unfettered website and internet access for dissidents and others living under oppressive regimes.
We count on VPNs to protect our privacy and security when we install their apps. Although you’re less likely to run into problems if you choose a proven service provider with a good reputation, nothing is fail-safe. There are a number of questions you should ask before you sign up, such as:
- Do you store any information that could allow identification of users through IP addresses or time stamps? If so, what do you store and for how long?
- Does your company hold any jurisdiction in a 5, 9, or 14 Eyes Alliance nation?
- What type of encryption, authentication, and leak protection do you use?
- Are you obligated to share any of my information or activity with third parties? With whom, and under what conditions?
- What tools do you use to monitor and eliminate abuse of your network?
Added to that list is the question “How do you store authentication and session information?”
When the companies you pay for protection can’t keep you safe, you have to take matters into your own hands. Once you’re satisfied that your VPN service provides all of the security and privacy protection they’ve promised on their end, you can install additional security measures on yours. For a start, you can learn how to check for data leaks after you install a VPN. This should be done periodically to ensure uniform protection throughout your contract.
In addition, you can protect yourself and other devices connected to your network by following these five security best practices:
Secure Your Devices
The first line of defense is to secure any device that’s connected to your network. That means limiting employees’ BYOD permissions, using best practices for password creation, adding two-factor authentication and password apps, and configuring separate networks for business use and guests.
Secure Your Network
In addition to securing your devices from infiltration, the networks they’re connected to should be protected. You can install a VPN directly to most routers, and install a mobile VPN on those devices, especially if you’re going to access public networks while travelling or telecommuting. Make sure that you also have a firewall in place on networks, and keep all firmware up to date.
Harden IoT and Other Smart Devices
Did you know that any IoT device connected to your network offers new ways for hackers to enter your system? Most people don’t think twice about securing their thermostat, electric can opener, or home theater, but any network-connected smart devices should be placed on a separate network from your home or business telecommunications devices and operated through a VPN. Be careful what you say around virtual assistants like Alexa and Siri.
Strong passwords and two-factor authentication can limit who has access to your devices, but that doesn’t help if your device is stolen or you use a public network and forget to log off from your accounts. You should also be wary of using apps that require access to your camera, microphone, and contact list, disable any camera and audio access from gaming systems or smart TVs, and cover the webcam on your laptop when you’re not using it. Yes, you can be watched remotely through these devices.
Scan Removable Media Before Using
Many companies offer samples or leave prototypes, stored on USB sticks, with business owners and sales reps. This is also a clever way for malicious actors to load viruses and other malware or spyware onto unsuspecting users’ computers. Don’t connect any removable media to your laptop or computer without scanning it first, and never use a USB stick that you found somewhere.