Virtual Private Problems: A Broken Dream presented at BlackHatWindows 2001

by Loki

Summary: With continued advancements in cryptographic technology such as Diffie-Hellman key exchange, Triple DES (3DES) encryption, MD5, HMAC, IKE, and IPSec, we have been introduced to a technology that has created a false sense of complete security for end users of VPNs. In an industry where each vendor defines a VPN differently, we are faced with no real standards, no real complete interoperability, and growing security problems as the products become more and more complex. IPSec creates an open standard for VPNs. However, interoperability remains an issue. Compliance with standards is not enough.
With the technology in its extreme infancy, this presentation will drill deep into the insecurities of Virtual Private Network appliances and demonstrate several exploits that circumvent VPNs. Cryptography has never been the issue; the weakest link is the misconfiguration and improper deployment of the security product.
According to Forrester Research, Corporate America will go from spending $205,000,000 in 1997 to more than $11.9 billion in 2001. This dramatic increase in investment in what is a relatively new product has brought, and will continue to bring, serious security problems. Should such neoteric and untested technology be relied on so heavily? Through the demonstration of our recently released VPNet exploit and other situations that have arisen from this technology, we hope to prove that such a technology should not be so heavily relied on in its current nonviable stage of development.
As founder of Fate Research Labs, Loki has released several Virtual Private Network advisories, from RapidStream to even VPNet. Loki later became the CEO of Netstream, where he is now manager of the Penetration Testing division for the largest phone conglomeration in the world.
Their Presentation! (PowerPoint 1,769k)