It is generally believed that data transfers are safest over a VPN connection. However, here is a bad news. They too are vulnerable and can be hacked and used to cause you harm. Earlier this week, vulnerabilities in VPN servers were exploited by Nation-state attackers. Hence, although they make network communication more secure, VPNs too demand their due share of attention from time to time.
Use VPNs that reportedly utilize known-good encryption algorithms such as AES, elliptic-curve Diffie-Hellman (ECDH), SHA-256 (or greater), or RSA with a 1536- or 2048-bit key. Also make sure that a strong encryption algorithm is not wrecked by a poor implementation.
All VPNs rely on encryption keys for doing their security job. Therefore key-handling is a critical phenomenon. For example, in a demonstration at Black Hat USA 2019, researchers Orange Tsai and Meh Chang showed that a vulnerability in a Palo Alto Networks SSL VPN exposed a hard-coded password for the encryption key. This undoubtedly makes the vulnerability much more worse. Vulnerabilities that lead to storing of hard-coded encryption keys insecurely are very dangerous and severe. Unfortunately organizations can do little more than timely patching the vulnerabilities.
Even if your VPN uses an impenetrable encryption, another major criminal gateway can be authentication. When a vulnerability in the VPN allows a threat actor to access critical assets behind the VPN, without demanding a user authentication, resources will end up in the hands of criminals.
For instance, In April Pulse Secure announced a set of vulnerabilities in its Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS) products. Some of these allowed an attacker to use a specific URI as part of an HTTPS request to gain access to arbitrary files on the destination network. The vulnerability has already been patched, but users who are oblivious to the existence of this vulnerability and have not applied patches are likely to welcome bad news. Moreover, the flaw does not draw attention to itself. The users have to seek the updates proactively to apply timely patches.
Majority of VPNs use five protocols. Depending on the strength of a protocol, the strength of a VPN can be evaluated.
While experts consider these three protocols damaged, there are few choices left.
Even if an organization keeps track of all available patches and uses the best encryption and protocols, there may be other VPNs being used by their employees that aren’t secure. They may be using VPNs from remote work locations which are apparently free, but are meant to track their online moves. The VPN providers in collaboration with advertising networks often offer these free products to track users online. While advertisements may be bearable, VPN mentor reports that free VPNs are also being used to deploy malware. They may also feed on your bandwidth or overall data per month. Hence, it is best to use VPNs that are secure and are purchased by the organization itself.
VPNs apart from tunneling encrypted network communication serve other functions too. VPN should mask the end user’s IP address to make tracking more difficult, and should limit possibility of long-duration campaigns. In addition, a VPN may also offer blacklist URL protection (warning against malicious websites).
A VPN provided by the organization ensures that communication between the employee and the enterprise network takes places in an encrypted tunnel. From there on, the organization’s security infrastructure will take over. Third-party VPNs if being used, must be made sure to be as secure as the one provided by the company.
One of the basic tools of safe remote computing, the HTTPS, is being used by criminals as a gateway to cover up their malicious activities. Although this protocol safely carries legitimate traffic, a specially crafted HTTPS request can be used to bypass authentication as a key step in allowing data to be taken from the network. As free certificate authorities rise, the green lock is no more a definite security indicator.
It is crucial to monitor and patch vulnerabilities in the tools that you are using, in order to maintain a healthy and secure usage of VPN. Moreover, monitoring traffic from new sources is also essential to avoid security risks.