VPN flaw could put users at risk - ouch!

[bluescope]

An attack on virtual private networks could see people sent to fraudulent websites

by Chris Stokel-Walker

    VIRTUAL private networks (VPNs), which have seen a rise in use as more people work from home, are vulnerable to an attack that removes user anonymity, researchers have found.
     VPNs work by rerouting your internet traffic through a virtual tunnel that encrypts all data that passes through it and disguises your IP (or internet protocol) address, which is used to identify from where you access the internet. They are often used to access internal networks remotely, such as connecting to workplace servers from home.
     The technology has long been considered secure against external attacks, but now William Tolley at Arizona State University and his colleagues say they have found a flaw with VPN infrastructure.
     The vulnerability works by monitoring one thing that VPNs cannot hide: the existence and size of the packets of data flowing through them.
     “This is more fundamental than a cute trick,” says Tolley, who claims his attack works against all VPNs. “It’s a fundamental networking vulnerability.”
     Each user of a VPN is secretly assigned one of around 65,000 possible ports, the entry and exit points to the tunnel through which their data is processed. The first phase of the attack involves sending data packets of different sizes to lots of ports in an attempt
to trick the VPN. If a packet is sent to a user’s correct port, the VPN will forward it on. Otherwise, the packet will be discarded.
     By monitoring traffic through the VPN tunnel and the size of the data packets that make it through, it is possible to identify a user’s port. Hackers can then send packets where they have modified the source address to appear as though it is from one of the legitimate ends of the connection, which can send users to a fake website or inject malicious data into any websites they visit.
     The researchers presented their work at the Usenix Security Symposium last week. They say they have reported the attack method to a number of VPN providers, but it is likely that not all VPNs in use today will be patched to prevent the vulnerability. “Our advice is to avoid VPNs if you’re trying to keep your information private from government entities,” says Tolley, but he says they could be OK in
other situations. “It depends on the use case.”
The use of VPNs has become more popular as people work from home and require secure access to work files stored on business servers. They are also used by some people to subvert geographical region locks on services such as Netflix, and by those living in countries ruled by repressive regimes to try to avoid surveillance.
     “I really like what the authors have done,” says Gareth Tyson at Queen Mary University of London. “They’ve found a bunch of flaws
and put them together to discover a comprehensive attack.” Yet Tyson points out that the skill level required to carry out a successful attack is more than the average hacker is likely to have. “These attacks can’t be performed by some kid in the basement. It’s something that does require some dedicated effort, and in some cases a pretty powerful adversary.”
     Tyson points out that attackers would require a physical presence in the correct parts of an IT network in order to carry out the level of intrusive packet monitoring required. “In an authoritarian regime where the state controls all the infrastructure, that would be much easier,” he says. 

(from New Scientist, August 21, 2021

[uk666]

Though, no actual breaches were reported, if you're trying to keep your information private from government entities, or something like that, the advice is to avoid VPNs.

[bluescope]

17 hours ago, uk666 said:

Though, no actual breaches were reported, if you're trying to keep your information private from government entities, or something like that, the advice is to avoid VPNs.

Problem is, what's the alternative for the needy user? I suppose the dark web - but how would you safely go 'there' without a VPN?

[uk666]

The so-called dark web, a portion of the hidden internet, is usually associated with a host of illegal activities including the buying and selling of drugs, firearms, stolen financial data and other types of valuable information. The selling point? Total anonymity.

That may sound nefarious, but some experts argue that the dark web is also useful in circumventing internet censorship.

The Tor network began as an anonymous communications channel, and it still serves a valuable purpose in helping people communicate in environments that are hostile to free speech. A lot of people use it in countries where there’s eavesdropping or where internet access is criminalized.

While most people spend their time online on what is known as the surface web — the portion of the World Wide Web that can be accessed with standard browsers and search engines — it has become relatively easy for anyone to access the dark web.

Accessing the dark web requires the use of an anonymizing browser called Tor. The Tor browser routes your web page requests through a series of proxy servers operated by thousands of volunteers around the globe, rendering your IP address unidentifiable and untraceable.

Not everything is illegal in the dark web, it also has a legitimate side. For example, you can join a chess club or BlackBook, a social network described as the “the Facebook of Tor.”

[aquiladacciaio]

Thanks for the info 'uk666'.

Just for my curisosity, is there any guide for dark web and Tor that you recommend?

Thanks ?

aquila