
Hackers can use VPNs to hijack your PC

Chubby_Chubby
Quote

 

Two prominent VPN services could have been hacked through malicious software updates, researchers from news website VPNpro discovered. If you were using one of them, your computer could have been completely hijacked with almost any kind of malware before you realized it.
The two VPN services, Betternet and PrivateVPN, have since fixed the flaws. But beforehand, you could have infected Betternet and PrivateVPN client software on a Windows PC with fake software updates downloaded in man-in-the-middle attacks, in which the client software would not realize it was getting updates from a malicious source instead of the legitimate software-update server.

 

I think it's great that some websites do such research and find vulnerabilities and talk about them. I personally didn't find it surprising, as these providers are cheap, almost no-name :dunno:, so it was sort of predictable.
But why didn't PrivateVPN and Betternet make any official statements? I think their users must know.

Found Source : TomsGuide
Original Source: VPNpro

Edited by Chubby_Chubby
I forgot to write my thought

Interesting news on its own, but that TomsGuide title is suggestive at best.


1 hour ago, VegetableStu said:

I dunno, sounds like a good summary of how it works:

The title says that VPNs can be used to hack you, without specifying further. This is suggestive in that it suggests there's a problem with the VPN protocol or the implementation. Neither is true, as it's simply a broken update mechanism in the apps.


Good ol' clickbait. I don't think enough people use these services for people to even bother exploiting it

🙂


47 minutes ago, duncannah said:

Good ol' clickbait. I don't think enough people use these services for people to even bother exploiting it

With Private VPN having been affected? And sponsoring so many YouTubers?

"We also blind small animals with cosmetics.
We do not sell cosmetics. We just blind animals."

 

"Please don't mistake us for Equifax. Those fuckers are evil"

 

This PSA brought to you by Equifacks.
PMSL


 

4 hours ago, VegetableStu said:

I dunno, sounds like a good summary of how it works:

2 hours ago, VegetableStu said:

sure it's not a problem specific to the protocols, but consider people say VPNs in the context of the operators, not (just) the protocol ._.

It's still misleading: any program downloading updates can be used the exact same way if it is susceptible to receiving fake updates. The only reason the article is centered on VPNs is that the investigation was carried out by a site specialized in VPNs.

"VPNs can be used to hijack your computer" isn't really more accurate than "programs can be used to hijack your computer"... Frankly, a headline like "Programs that update can be used to hijack your computer" would have been a better description, but it goes against our auto-update religion (update=security is part of our dogma) so we couldn't possibly frame it like that :P

1 hour ago, Dabombinable said:

With Private VPN having been affected? And sponsoring so many Youtubers?

Private VPN is not Private Internet Access VPN.


1 hour ago, SpaceGhostC2C said:

It's still misleading: any program downloading updates can be used the exact same way if it is susceptible to receiving fake updates. The only reason the article is centered on VPNs is that the investigation was carried out by a site specialized in VPNs.

"VPNs can be used to hijack your computer" isn't really more accurate than "programs can be used to hijack your computer"... Frankly, a headline like "Programs that update can be used to hijack your computer" would have been a better description, but it goes against our auto-update religion (update=security is part of our dogma) so we couldn't possibly frame it like that :P

Private VPN is not Private Internet Access VPN.

So how does one go about updating securely? Updates patch discovered holes, though they frequently do other things as well, which seems to be causing large problems.

Not a pro, not even very good.  I’m just old and have time currently.  Assuming I know a lot about computers can be a mistake.

 

Life is like a bowl of chocolates: there are all these little crinkly paper cups everywhere.


3 hours ago, Bombastinator said:

So how does one go about updating securely?

🤷‍♂️ Anything you can do user-side will only make you as safe as your software provider, as you are placing some trust in them. If they screw up at any point, you'll be exposed to the consequences.

 

It must be said that the original article shows that most providers tested had clients for which at least one of many barriers would prevent this form of attack, and if I understood it correctly, it's not some new vulnerability, but rather a few VPN clients being exposed to an already known attack strategy. That's also why I said the emphasis probably shouldn't be so much on VPNs as on unsafe update practices.

 

I do think we'll do well to remember that "updating" and "upgrading" are just installing software. You may have a previous version installed, you may be installing something almost identical to what you have, but it's still installing software. When you put it that way, why should it be held to a standard any lower than installing from scratch? The rationale is that once you've vetted what you install, then you can trust the software to take over, as everything "within" that program can be left to its own devices. Examples like these show that sadly that's wishful thinking.

I think the broader problem is that we kind of need to believe it's fine due to the software industry moving to the "eternal work in progress" model, which implies insanely frequent updates and highlights a tension between two arguments. Namely: 1) every update is necessary for security reasons, 2) silent, background auto-updates are essential to "a seamless user experience", because having 300 hundred resident programs each prompting you to update, taking you to a (https) website to download the update, installing, clicking "yes" to 3 or 4 Windows questions and UAC dialogue boxes ("btw, I noticed your Adobe Flash Player isn't up to date..." :P) is frustrating and makes people ask why an update again, can I switch this off, please don't notify me at all, etc.

3 hours ago, Bombastinator said:

Updates patch discovered holes, though they frequently do other things as well, which seems to be causing large problems.

Sometimes they do. It's hard to believe every software company has that many people writing patches that often, not to mention finding that many holes all the time to begin with. They need to present updates as a security must (which it sometimes is) not only to make sure people apply the patches that are actually critical, but also the more frequent "bug fixes" which must roll out on a constant basis due to the broken state in which first versions are released. Yes, we hear all the time that "no software is bug free" ("it's impossible to do right" is the first excuse of incompetence :P), but there is a difference between "not perfect, but state-of-the-art" and what many firms are shipping (a.k.a. "the first two lines of code that didn't BSOD on us" :D). The reality is that not everyone has good developers, but more importantly, it doesn't matter how good your developers are if you a) crunch and overwork them to meet an unrealistic deadline for a goal, and b) set the goal too low to begin with because you want to "put something out quickly" to exploit some business opportunity you found or just impress that venture capital.

Digressed much, have I? :P Anyway, TL;DR: shifts in software business models increased the importance of frequent updates not just for security, but for functioning at all, and that increase in update flows called for "more convenient updates", convenience being traded off with security in a different dimension.

 

So how do you get good, secure software, and timely patches for new vulnerabilities? The same way you get a car that won't kill you or a PSU that won't melt your PC¹: identify good (not fast, not hyped, not "first", good) software makers first... But then you realize how many software providers you currently have (how many you don't even know you have) and... easier said than done. Can you realistically have a solid appraisal of a VPN's software prowess? And your office suite? And your temp monitor? And your browser's plugin? And...

¹By chance, I came up with two examples where regulation is involved... 🤔
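The check the quoted article says the two clients lacked (not noticing that updates came from somewhere other than the legitimate update server), and the point above that updating is just installing software and deserves the same vetting, as an added example that is not from this thread, TomsGuide, VPNpro or either vendor. The client runs an update only after a manifest verifies under a publisher key pinned in the client, refuses builds that are not newer than the one installed, and checks that the installer bytes match the digest in the signed manifest. The key seed, build numbers and installer bytes are constructed for the demo; a shipped client would embed only the public key, and the private key would stay on the publisher's signing host.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the small document the publisher signs for each release.
// The client trusts installer bytes only after they match a signed manifest.
type Manifest struct {
	Version int    // build number; must strictly increase across releases
	SHA256  string // hex digest of the installer payload
}

// Bytes gives the canonical encoding that both signer and verifier hash.
func (m Manifest) Bytes() []byte {
	return []byte(fmt.Sprintf("version=%d\nsha256=%s\n", m.Version, m.SHA256))
}

// Constructed demo seed (hypothetical). A shipped client embeds only the
// public key; the private key never leaves the publisher's signing host.
var demoSeed = bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
var publisherPriv = ed25519.NewKeyFromSeed(demoSeed)
var pinnedPublisherPub = publisherPriv.Public().(ed25519.PublicKey)

var (
	ErrBadSignature   = errors.New("manifest not signed by pinned publisher key")
	ErrDowngrade      = errors.New("manifest version not newer than installed version")
	ErrDigestMismatch = errors.New("payload digest does not match signed manifest")
)

// PublishUpdate is the publisher side: hash the installer, sign the manifest.
func PublishUpdate(priv ed25519.PrivateKey, version int, payload []byte) (Manifest, []byte) {
	sum := sha256.Sum256(payload)
	m := Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])}
	return m, ed25519.Sign(priv, m.Bytes())
}

// VerifyUpdate is what the client runs before executing anything it fetched.
// A man-in-the-middle can replace manifest, signature and payload, but cannot
// produce a signature that verifies under the pinned key. Order of checks:
// signature (is this from the publisher at all?), then version (anti-rollback),
// then payload digest (is the installer the one the manifest describes?).
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, payload []byte, installedVersion int) error {
	if !ed25519.Verify(pub, m.Bytes(), sig) {
		return ErrBadSignature
	}
	if m.Version <= installedVersion {
		return ErrDowngrade
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	installed := 1
	genuine := []byte("constructed installer bytes, build 2")
	m, sig := PublishUpdate(publisherPriv, 2, genuine)

	fmt.Println("genuine update:", VerifyUpdate(pinnedPublisherPub, m, sig, genuine, installed))

	// Interceptor swaps the installer but relays the intercepted manifest and signature.
	fmt.Println("swapped payload:", VerifyUpdate(pinnedPublisherPub, m, sig, []byte("not the real installer"), installed))

	// Interceptor serves a manifest signed with a key of its own (constructed seed).
	other := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x13}, ed25519.SeedSize))
	fm, fsig := PublishUpdate(other, 3, []byte("not the real installer"))
	fmt.Println("manifest under wrong key:", VerifyUpdate(pinnedPublisherPub, fm, fsig, []byte("not the real installer"), installed))

	// Replay of an old, genuinely signed release against a client already on build 2.
	fmt.Println("rollback:", VerifyUpdate(pinnedPublisherPub, m, sig, genuine, 2))
}
```

The digest check alone would not help here: an interceptor that can replace the installer can also replace an unsigned hash file served next to it. What makes the check hold is that the key used to verify the manifest is baked into the client rather than fetched from the update server, and that the version check runs only after the signature has been accepted, so an old genuine release cannot be replayed to reintroduce a patched hole.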


7 hours ago, SpaceGhostC2C said:

It's still misleading: any program downloading updates can be used the exact same way if it is susceptible to receiving fake updates. The only reason the article is centered on VPNs is that the investigation was carried out by a site specialized in VPNs.

"VPNs can be used to hijack your computer" isn't really more accurate than "programs can be used to hijack your computer"... Frankly, a headline like "Programs that update can be used to hijack your computer" would have been a better description, but it goes against our auto-update religion (update=security is part of our dogma) so we couldn't possibly frame it like that :P

Private VPN is not Private Internet Access VPN.

The problem for the average user is that they are not expecting any hokus update popups specific to their VPN client to come because they are using a VPN. As one of the articles points out, the exploit specifically uses the VPN client to download the malware. Now I know other software can be hacked to do this; in fact all software can be, that is why there is no such thing as true security. However, this does not change the fact that it is a problem with the VPN client software/service.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


22 hours ago, SpaceGhostC2C said:

"VPNs can be used to hijack your computer" isn't really more accurate than "programs can be used to hijack your computer"... Frankly, a headline like "Programs that update can be used to hijack your computer" would have been a better description, but it goes against our auto-update religion (update=security is part of our dogma) so we couldn't possibly frame it like that :P

 

Yeah, the title is quite misleading. Like you said, any application can be used that way, and it happened before.

Some hackers are uploading their code to repositories posing as popular libraries, in hopes inattentive devs will use the infected code:

https://www.infosecurity-magazine.com/infosec/developers-software-supply-chain/

But this isn't the user's fault (like users complaining about a company having weak security when in fact, users are reusing passwords on multiple accounts, or using weak passwords); this is rather on the developers. There needs to be a culture of security, but some fall into complacency and don't adapt.

We have a client that handles VERY sensitive information that we're finally almost finished migrating; these guys still had Windows Server 2003 and internal applications that used outdated protocols with known vulnerabilities and end-user software that had to run as admin (on said servers). Security is a big issue, and even in 2020, some people in the industry still don't get it.

Edited by wkdpaul

If you need help with your forum account, please use the Forum Support form!


8 hours ago, wkdpaul said:

Yeah, the title is quite misleading. Like you said, any application can be used that way, and it happened before.

Some hackers are uploading their code to repositories posing as popular libraries, in hopes inattentive devs will use the infected code:

https://www.infosecurity-magazine.com/infosec/developers-software-supply-chain/

But this isn't the user's fault (like users complaining about a company having weak security when in fact, users are reusing passwords on multiple accounts, or using weak passwords); this is rather on the developers. There needs to be a culture of security, but some fall into complacency and don't adapt.

We have a client that handles VERY sensitive information that we're finally almost finished migrating; these guys still had Windows Server 2003 and internal applications that used outdated protocols with known vulnerabilities and end-user software that had to run as admin (on said servers). Security is a big issue, and even in 2020, some people in the industry still don't get it.

Unless I have read something wrong, the problem might start the same way many other exploits do, but it is executed by getting the VPN client to connect to a malicious update server and not its own secure update server. That is a problem with the VPN software, not a general issue that applies to all software. It might require the user to click OK on a popup, but it does it through the VPN's own software.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


On 5/7/2020 at 4:27 AM, Mojo-Jojo said:

Interesting news on its own, but that TomsGuide title is suggestive at best.

TomsGuide is like the Yahoo Answers of tech


On 5/9/2020 at 11:33 AM, matt_daemond said:

TomsGuide is like the Yahoo Answers of tech

But it's still a reliable source? I mean, I read them a lot 🤔


27 minutes ago, Chubby_Chubby said:

But it's still a reliable source? I mean, I read them a lot 🤔

Yahoo Answers is famous for being unreliable. I don't think they're that bad myself.

Not a pro, not even very good.  I’m just old and have time currently.  Assuming I know a lot about computers can be a mistake.

 

Life is like a bowl of chocolates: there are all these little crinkly paper cups everywhere.

