Jump to content
Search In
  • More options...
Find results that contain...
Find results in...
Chubby_Chubby

Hackers can use VPNs to hijack your PC

Recommended Posts

Posted (edited) · Original PosterOP
Quote

 

Two prominent VPN services could have been hacked through malicious software updated, researchers from news website VPNpro discovered. If you were using one of them, your computer could have been completely hijacked with almost any kind of malware before you realized it. 
The two VPN services, Betternet and PrivateVPN, have since fixed the flaws. But beforehand, you could have infected Betternet and PrivateVPN client software on a Windows PC with fake software updates downloaded in man-in-the-middle attacks, in which the client software would not realize it was getting updates from a malicious source instead of the legitimate software-update server.

 

I think it's great, that some websites do such reseraches and find vulnerabilities and talk about them. I personally didn't find it surprising, as this providers are cheap , almost noname :dunno: , so it was sort of predictable. 
But why PrivateVPN and Betternet didn't make any official statements? I think their users must know 

Found Source : TomsGuide
Original Source: VPNpro

Edited by Chubby_Chubby
i forgot to write my thought
Link to post
Share on other sites

Interesting news on its own, but that TomsGuide title is suggestive at best.

Link to post
Share on other sites
53 minutes ago, Mojo-Jojo said:

Interesting news on its own, but that TomsGuide title is suggestive at best.

i dunno, sounds like a good summary of how it works:

Quote

But beforehand, you could have infected Betternet and PrivateVPN client software on a Windows PC with fake software updates downloaded in man-in-the-middle attacks, in which the client software would not realize it was getting updates from a malicious source instead of the legitimate software-update server.

 

Link to post
Share on other sites
1 hour ago, VegetableStu said:

i dunno, sounds like a good summary of how it works:

 

The title says that VPNs can be used to hack you, without specifying further. This is suggestive in that it suggests there's a problem with the VPN protocol or the implementation. Neither is true, as it's simply a broken update mechanism in the apps.

Link to post
Share on other sites

Good ol' clickbait.  I don't think enough people use these services enough for people to even bother exploit it

Link to post
Share on other sites
27 minutes ago, Mojo-Jojo said:

This is suggestive in that it suggests there's a problem with the VPN protocol or the implementation.

Neither is true, as it's simply a broken update mechanism in the apps.

sure it's not a problem specific to the protocols, but consider people say VPNs in the context of the operators, not (just) the protocol ._.

 

frankly if there was a protocol-related vulnerability, you'd think they have titles like:


Hackers Continue to Exploit Patched Pulse Secure VPN Flaws, CISA Warns
https://securityboulevard.com/2020/04/hackers-continue-to-exploit-patched-pulse-secure-vpn-flaws-cisa-warns/

Link to post
Share on other sites
47 minutes ago, duncannah said:

Good ol' clickbait.  I don't think enough people use these services enough for people to even bother exploit it

With Private VPN having been affected? And sponsoring so many Youtubers?


"We also blind small animals with cosmetics.
We do not sell cosmetics. We just blind animals."

 

"Please don't mistake us for Equifax. Those fuckers are evil"

 

This PSA brought to you by Equifacks.
PMSL

Link to post
Share on other sites

 

4 hours ago, VegetableStu said:

i dunno, sounds like a good summary of how it works:

 

 

2 hours ago, VegetableStu said:

sure it's not a problem specific to the protocols, but consider people say VPNs in the context of the operators, not (just) the protocol ._.

It's still misleading: any program downloading updates can be used the exact same way if they are susceptible of receiving fake updates. The only reason the article is centered on VPNs is that the investigation was carried out by a site specialized in VPNs.

"VPNs can be used to hijack your computer" isn't really more accurate than "programs can be used to hijack your computer"... Frankly, a headline like "Programs that update can be used to hijack your computer" would have been a better description, but it goes against our auto-update religion (update=security is part of our dogma) so we couldn't possibly frame it like that :P

 

 

1 hour ago, Dabombinable said:

With Private VPN having been affected? And sponsoring so many Youtubers?

Pirvate VPN is not Private Internet Access VPN.

Link to post
Share on other sites
59 minutes ago, SpaceGhostC2C said:

"VPNs can be used to hijack your computer" isn't really more accurate than "programs can be used to hijack your computer"... Frankly, a headline like "Programs that update can be used to hijack your computer" would have been a better description, but it goes against our auto-update religion (update=security is part of our dogma) so we couldn't possibly frame it like that :P

fair 635829891970891776.png?v=1

Link to post
Share on other sites
1 hour ago, SpaceGhostC2C said:

 

 

It's still misleading: any program downloading updates can be used the exact same way if they are susceptible of receiving fake updates. The only reason the article is centered on VPNs is that the investigation was carried out by a site specialized in VPNs.

"VPNs can be used to hijack your computer" isn't really more accurate than "programs can be used to hijack your computer"... Frankly, a headline like "Programs that update can be used to hijack your computer" would have been a better description, but it goes against our auto-update religion (update=security is part of our dogma) so we couldn't possibly frame it like that :P

 

 

Pirvate VPN is not Private Internet Access VPN.

So how does one go about updating securely? Updates patch discovered holes, though they frequently do other things as well which seems to be causing large problems


Life is like a bowl of chocolates: there are all these little crinkly paper cups everywhere.

Link to post
Share on other sites
3 hours ago, Bombastinator said:

So how does one go about updating securely?

🤷‍♂️ Anything you can do user-side will only make you as safe as your software provider, as you are placing some trust in them. If they screw up at any point, you'll be exposed to the consequences.

 

It must be said that the original article shows that most providers tested had clients for which at least one of many barriers would prevent this form of attack, and if I understood it correctly, it's not some new vulnerability, but rather a few VPN clients being exposed to an already known attack strategy. That's also why I said the emphasis probably shouldn't be so much on VPNs as in unsafe update practices. 

 

I do think we'll do well to remember than "updating" and "upgrading" is just installing software. You may have a previous version installed, you may be installing something almost identical to what you have, but it's still installing software. When you put it that way, why should it be held to a standard any lower than installing from scratch? The rationale is that once you vetted what you install, then you can trust the software to take over as everything "within" that program can be left to its own device. Examples like these show that sadly that's wishful thinking.

 

 

 

I think the broader problem is that we kind of need to believe it's fine due to the software industry moving to the "eternal work in progress" model, which imlies insanely frequent updates and highlighted a tension between two arguments. Namely: 1) every update is necessary for security reasons, 2) silent, background auto-updates are essential to "a seamless user experience", because having 300 hundred resident programs each prompting you to update, taking you to a (https) website to download the update, installing, clicking "yes" to 3 or 4 Windows questions and UAC dialogue boxes ("btw, I noticed your Adobe flash players isn't up to date..." :P) is furstrating and make people ask why an update again, can I switch this off, please don't notify me at all, etc.

 

 

 

3 hours ago, Bombastinator said:

Updates patch discovered holes, though they frequently do other things as well which seems to be causing large problems

Sometimes they do. It's hard to believe every software company has that many people writing patches that often, not to mention finding that many holes all the time to begin with. They need to present updates as a security must (which it sometimes is) not only to make sure people apply the patches that are actually critical, but also the more frequent "bug fixes" which must roll out on a constant basis due to the broken state in which first versions are released. Yes, we hear all the time that "no software is bug free" ("it's impossible to do right" is the first excuse of incompetence :P), but there is a difference between "not perfect, but state-of-the-art" and what many firms are shipping (a.ka. "the first two lines of code that didn't BSOD on us" :D). The reality is that not everyone has good developers, but more importantly, it doesn't matter how good your developers are if you a) crunch and overwork them to meet an unrealistic deadline for a goal, and b) you set the goal too low to begin with because you want to "put something out quickly" to exploit some business opportunity you found or just impress that venture capital.

 

 

 

Digressed much, have I? :P Anyway, TL,DR: shifts in software business models increased the importance of frequent updates not just for security, but for functioning at all, and that increased in update flows called for "more convenient updates", convenience being traded-off with security in a different dimension.

 

So how do you get good, secure software, and timely patches for new vulnerabilities? The same way you get a car that won't kill you or a PSU that won't met your PC1: identify good (not fast, not hyped, not "first", good) software makers first... But then you realize how many software providers you currently have (how many you don't even know you have) and... easier said than done. Can you realistically have a solid appraisal of a VPN's software prowess? And your office suite? and your temp monitor? And your browser's plugin? And...

 

 

1By chance, I came up with two examples were regulation is involved... 🤔

Link to post
Share on other sites
7 hours ago, SpaceGhostC2C said:

 

 

It's still misleading: any program downloading updates can be used the exact same way if they are susceptible of receiving fake updates. The only reason the article is centered on VPNs is that the investigation was carried out by a site specialized in VPNs.

"VPNs can be used to hijack your computer" isn't really more accurate than "programs can be used to hijack your computer"... Frankly, a headline like "Programs that update can be used to hijack your computer" would have been a better description, but it goes against our auto-update religion (update=security is part of our dogma) so we couldn't possibly frame it like that :P

 

 

Pirvate VPN is not Private Internet Access VPN.

The problem for the average user is that they are not expecting any hokus update popups specific to their VPN client to come because they are using a VPN.   As one of the articles points out the exploit specifically uses the VPN client to download the malware.   Now I know other software can be hacked to do this,  In fact all software can be, that is why there is no such things a true security,  however this does not change the fact it is a problem with the VPN client software/service.


QuicK and DirtY. Read the CoC it's like a guide on how not to be moron.  Also I don't have an issue with the VS series.

Sometimes I miss contractions like n't on the end of words like wouldn't, couldn't and shouldn't.    Please don't be a dick,  make allowances when reading my posts.

Link to post
Share on other sites
Posted (edited)
22 hours ago, SpaceGhostC2C said:

"VPNs can be used to hijack your computer" isn't really more accurate than "programs can be used to hijack your computer"... Frankly, a headline like "Programs that update can be used to hijack your computer" would have been a better description, but it goes against our auto-update religion (update=security is part of our dogma) so we couldn't possibly frame it like that :P

 

Yeah, the title is quite misleading. Like you said, any application can be used that way, and it happened before.

 

Some hackers are uploading their code to repository posing as popular libraries, in hopes inattentive devs will use the infected code ;

https://www.infosecurity-magazine.com/infosec/developers-software-supply-chain/

 

 

But this isn't on the user's fault (like users complaining about company having weak security when in fact, users are reusing passwords on multiple account, or using weak passwords), this is rather on the developers. There needs to be a culture of security, but some fall into complacency and don't adapt.

 

We have a client that handles VERY sensitive information that we're finally almost finished on migrating, these guys still had Windows Server 2003 and internal applications that used outdated protocols with know vulnerabilities and end-user softwares that had to run as admin (on said servers). Security is a big issue, and even in 2020, some people in the industry still don't get it.

Edited by wkdpaul

If you need help with your forum account, please use the Forum Support form !

 

VPN server guide

Introduction to Mechanical Keyboard

Spoiler

My Gaming Rig - Motherboard: MSI Z370-A PRO CPU: i7-8700 RAM: 32GB DDR4 2400(4x8GB) GPU: Gigabyte GTX 1060 3GB OS SSD: 240GB Avexir E100 Storage: 2x 1TB Seagate PSU: Seasonic G650 OS: Windows 10 Pro 64bits Monitor: Acer 21in G205H + Lenovo 21in

 

Link to post
Share on other sites
8 hours ago, wkdpaul said:

 

Yeah, the title is quite misleading. Like you said, any application can be used that way, and it happened before.

 

Some hackers are uploading their code to repository posing as popular libraries, in hopes inattentive devs will use the infected code ;

https://www.infosecurity-magazine.com/infosec/developers-software-supply-chain/

 

 

But this isn't on the user's fault (like users complaining about company having weak security when in fact, users are reusing passwords on multiple account, or using weak passwords), this is rather on the developers. There needs to be a culture of security, but some fall into complacency and don't adapt.

 

We have a client that handles VERY sensitive information that we're finally almost finished on migrating, these guys still had Windows Server 2003 and internal applications that used outdated protocols with know vulnerabilities and end-user softwares that had to run as admin (on said servers). Security is a big issue, and even in 2020, some people in the industry still don't get it.

Unless I have read something wrong, the problem might start the same way many other exploits do, but it is executed by getting the VPN client to connect to a malicious update server and not it's own secure update server.  That is a problem with the VPN software, not a general issue that applies to all software. It might require the user to click ok on a popup, but it does it through the VPN's own software.


QuicK and DirtY. Read the CoC it's like a guide on how not to be moron.  Also I don't have an issue with the VS series.

Sometimes I miss contractions like n't on the end of words like wouldn't, couldn't and shouldn't.    Please don't be a dick,  make allowances when reading my posts.

Link to post
Share on other sites
Posted · Original PosterOP
On 5/9/2020 at 11:33 AM, matt_daemond said:

TomsGuide is like the Yahoo Answers of tech

but it's still a reliable source? i mean, i read them a lot 🤔

Link to post
Share on other sites
27 minutes ago, Chubby_Chubby said:

but it's still a reliable source? i mean, i read them a lot 🤔

Yahoo answers is famous for being unreliable.   I don’t think they’re that bad myself.


Life is like a bowl of chocolates: there are all these little crinkly paper cups everywhere.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


×