Tester claims 90% of VPNs open to hackers


Tester claims 90% of VPNs open to hackers

Antony Savvas
Security testing company NTA Monitor has claimed that 90% of virtual private networks are open to hackers.

Over a three-year period of testing VPNs at large companies, NTA Monitor said 90% of remote access VPN systems have exploitable vulnerabilities, even though many companies, including financial institutions, have in-house security teams.

Flaws include "user name enumeration vulnerabilities" that allow user names to be guessed through a dictionary attack because they respond differently to valid and invalid user names.

Roy Hills, NTA Monitor technical director, said, "One of the basic requirements of a user name/password authentication is that an incorrect log-in attempt should not leak information as to whether the user name or password is incorrect. However, many VPN implementations ignore this rule."

The fact that VPN user names are often based on people's names or e-mail addresses makes it relatively easy for an attacker to use a dictionary attack to recover a number of valid user names in a short period of time, said Hills.

Passwords can also be made harder to crack by deploying a mixture of characters and numbers. Hills said a six-character password can be cracked in about 16 minutes using standard "brute force" cracking software. However, a six-character password combining letters and numbers could take two days to crack.

Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

COMMENTS powered by Disqus  //  Commenting policy