Security testing company NTA Monitor claims that 90% of
virtual private networks are open to hackers as a result of
elementary flaws.
Over a three-year period of testing VPNs at mainly large
companies, NTA Monitor said 90% of remote access VPN systems have
exploitable vulnerabilities, even though many companies, including
financial institutions, have their own in-house security teams.
Major flaws include "username enumeration vulnerabilities" that
allow valid usernames to be guessed through a dictionary attack
because the VPN systems respond differently to valid and invalid
usernames.
Roy Hills, NTA Monitor technical director, said, "One of the
basic requirements of a username/password authentication scheme is
that an incorrect login attempt should not leak information as
to whether the username or password is incorrect. However, many VPN
implementations ignore this rule."
The fact that VPN usernames are often based on people's names or
e-mail addresses makes it relatively easy for an attacker to use a
dictionary attack to recover a number of valid usernames in a short
period of time, said Hills.
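
The rule Hills describes, shown as an added example that is not code from NTA Monitor or from any VPN product: a generic username/password check in Python, with the leaky form beside one that returns the same reply and does the same hashing work whether or not the username exists. The function names, the `jsmith` account and the credential store are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    # Deliberately slow hash; the iteration count is an assumption.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def make_store(creds):
    """Build a username -> (salt, hash) table from constructed sample data."""
    store = {}
    for user, pw in creds.items():
        salt = os.urandom(16)
        store[user] = (salt, _hash(pw, salt))
    return store

# Dummy record so unknown usernames cost the same hashing work as known ones.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder-not-a-real-password", _DUMMY_SALT)

def login_leaky(store, user, password):
    """Weak form: the reply (and the skipped hash) reveal if the user exists."""
    if user not in store:
        return "unknown user"
    salt, stored = store[user]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "wrong password"
    return "ok"

def login_uniform(store, user, password):
    """Hardened form: one failure reply, same work on both paths."""
    salt, stored = store.get(user, (_DUMMY_SALT, _DUMMY_HASH))
    match = hmac.compare_digest(_hash(password, salt), stored)
    if user in store and match:
        return "ok"
    return "authentication failed"

def leaks_username(login, store, valid_user, invalid_user):
    """Defender's check: do failed logins differ by username validity?"""
    bad = "constructed-wrong-password"
    return login(store, valid_user, bad) != login(store, invalid_user, bad)

STORE = make_store({"jsmith": "constructed-sample-pw"})  # constructed data
```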
Passwords can also be made harder to crack by encouraging users
to deploy a mixture of characters and numbers. Hills said an A-Z
six-character password can be cracked by a hacker in around 16
minutes using standard "brute force" cracking software.
However, a six-character password combining letters and numbers
could take a hacker two days to crack.