Security testing company NTA Monitor claim that 90% of virtual private networks are open to hackers as a result...
of elementary flaws.
Over a three year period of testing VPNs at mainly large companies, NTA Monitor said 90% of remote access VPN systems have exploitable vulnerabilities, even though many companies, including financial institutions, have their own in-house security teams.
Major flaws include "username enumeration vulnerabilities" that allow valid usernames to be guessed through a dictionary attack because they respond differently to valid and invalid usernames.
Roy Hills, NTA Monitor technical director, said, "One of the basic requirements of a username/password authentication scheme is that an incorrect login attempt should not be leaked information as to whether the username or password is incorrect. However, many VPN implementations ignore this rule."
The fact that VPN usernames are often based on people's names or e-mail addresses makes it relatively easy for an attacker to use a dictionary attack to recover a number of valid usernames in a short period of time, said Hills.
Passwords can also be made harder to crack by encouraging users to deploy a mixture of characters and numbers. Hills said an A-Z six character password can be cracked by a hacker in around 16 minutes using standard "brute force" cracking software.
However, a six character password combining letters and numbers could take a hacker two days to crack.