Full Disclosure mailing list archives

[123Privacy] Findnot.com IP Address Privacy Breach and Unencrypted Data Vulnerability
From: "123 Privacy Advisories" <123privacy_advisory () mailvault com>
Date: Thu, 20 Apr 2006 03:58:59 +0200 (CEST)

-----BEGIN PGP SIGNED MESSAGE-----

Findnot.com IP Address Privacy Breach and Unencrypted Data
Vulnerability

Advisory ID:    FN15294

Release Date:   2006-04-18

Last Update:    2006-04-18

Severity:       Critical

IMPACT:

Unexpected Intermittent IP Address Privacy Breach, Immediate Loss of
Anonymity and Unencrypted data sent directly out to the Internet.
Exposure to DNS lookup spoofing.

Where:  From local network, and from remote servers.

Solution Status:        Unpatched

Software:       Findnot.com's VPN Service which uses Microsoft PPTP Client

Related Advisories:     FN15398

DESCRIPTION:

Several vulnerabilities have been reported in Findnot.com's Microsoft
PPTP VPN Service Client, which can cause intermittent immediate loss of
anonymity and privacy while using the service:

* IP Address Privacy Breach: Exposing your REAL IP address during
Internet activity to remote sites that only seconds earlier saw an
anonymous IP address.

* Encryption Data Link Broken: Sending unencrypted data directly out to
the Internet, viewable by users on the local network, the ISP, or a
local snooping Government; all while the user assumes all data is
encrypted between their machine and the VPN server.

* DNS Spoofing: While disconnected and the VPN is attempting
reconnection, on an unsecured DNS system in a shared computer setting
such as a WiFi Hotspot, hotel or internet cafe, www.hostname.com may
actually be directed toward a spoofed website, all the while the user
assumes they are using the secure VPN DNS servers.

This vulnerability is caused by a problem with the VPN software
dropping the machine's routing of data through the VPN and sending it
directly over the Internet to sites being accessed when the VPN
encounters a disconnection with the remote VPN server.

The vulnerability has been reported by many users of the Findnot.com
system. It is most likely to happen on a congested Findnot.com server,
or because of an internet connection problem somewhere between your
machine and the VPN server.

FINDNOT.COM'S SOLUTION:

From the vendor's website:

"...If you are concerned about a connection to one of our servers being
dropped during a transaction like a download and your real ip address
then being revealed relax. In most applications ...[when the]... VPN
server drops, the application times out."
   
http://web.archive.org/web/20050326031144/http://www.findnot.com/howitworks.html

Yes, they actually tell you to "relax" about your privacy being
breached.

A rash and irresponsible statement coming from a so-called provider of
anonymous Internet services. The vendor, instead of recommending that
the VPN therefore not be used, advises the customer to "relax" but then
contradicts itself in a following recommendation that:

"...For real bullet proof protection just run the application through
the SSH Proxy..."
   
http://web.archive.org/web/20050326031144/http://www.findnot.com/howitworks.html

In other words, if you are concerned about your IP address privacy and
your data encryption, don't use the VPN; use the SSH Proxy.

It is concerning to say the least that they are so hypocritical about
use of the VPN despite the clear and present danger to anonymity it
presents. It brings into question other aspects of their setup.

In fact the SSH Proxy has its own Vulnerability covered in the Security
Advisory: Findnot.com DNS Privacy Breach (Advisory Id: FN15398) covering
a vulnerability exposing the websites you visit to snoopers on your
wireless connection, local network, or ISP while using the 'SSH Proxy'
service of Findnot.com.

VALIDATION:

Load etherape and sniff on your local internet connection interface.
Choose a very busy Findnot.com server where a disconnect is likely due
to connection issues with the VPN server, or play with your local
internet connection cable by disconnecting it temporarily to simulate an
internet connection problem. The VPN will disconnect and you will
immediately see your network traffic going directly out on to the net
unencrypted, and connections being made directly to the sites being
accessed by your applications. Your DNS queries will also be happening
at your local ISP or gateway machine revealing what sites you are
accessing to the operator of the DNS server.

SUGGESTED SOLUTION:

When the Findnot.com VPN is used, firewall ALL applications from
accessing the net directly, and only allow them access to the VPN interface
when it is up. Toggle your firewall settings to allow all applications
access to the internet interface when not using the Findnot.com VPN.
Contact your system administrator for instructions, as this is not a
trivial task, and beyond the scope of most Internet users and this
document.

Or use a real solution.

Use an alternative VPN client such as the Open Source OpenVPN system
which does not have these vulnerabilities.

Endnote:        Please note that for readability we have adopted a 'Secunia
Advisories' like format but that this is not a Secunia advisory.

-----BEGIN PGP SIGNATURE-----
Version: MailVault 2.2 from MailVault Corporation http://www.mailvault.com

iQA/AwUAREbqkJmYJws4aHIREQLjPQCdF9umlbefbIhKSc0AigRybcf2o9kAmgKc
Gl7O1N4A+uJ4XWDeP25B7NzC
=ghrQ
-----END PGP SIGNATURE-----


PGP Public Key for "123 Privacy Advisories" <123privacy_advisory () mailvault com>:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
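
The check described under VALIDATION, and the allow-only-the-tunnel policy under SUGGESTED SOLUTION, as an added example that is not part of the original advisory: it classifies outbound flows seen on the physical interface and flags anything that is not PPTP traffic (TCP 1723 control channel or GRE, IP protocol 47) to the VPN server. The addresses, the `Flow` record and the function names are constructed for illustration; real input would come from a capture on the local interface.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

GRE, TCP, UDP = 47, 6, 17        # IP protocol numbers
PPTP_CONTROL_PORT = 1723         # PPTP control channel (TCP)

@dataclass(frozen=True)
class Flow:
    proto: int       # IP protocol number
    dst: str         # destination IP address
    dport: int = 0   # destination port (GRE has none, so 0)

def classify(flow, vpn_server, lan):
    """Return 'tunnel', 'dns-leak', 'local' or 'leak' for one outbound flow."""
    dst = ip_address(flow.dst)
    if dst == ip_address(vpn_server):
        if flow.proto == GRE:
            return "tunnel"      # encapsulated PPP data
        if flow.proto == TCP and flow.dport == PPTP_CONTROL_PORT:
            return "tunnel"      # PPTP call control
    # DNS on the physical interface goes to the ISP or gateway resolver,
    # which is the lookup exposure the advisory describes. Checked before
    # the LAN test because the resolver is often the LAN gateway itself.
    if flow.proto in (TCP, UDP) and flow.dport == 53:
        return "dns-leak"
    if dst in ip_network(lan) or dst.is_multicast or dst.is_link_local:
        return "local"           # LAN chatter, not sent to remote sites
    return "leak"                # cleartext straight to the Internet

def find_leaks(flows, vpn_server, lan):
    """Return (flow, verdict) pairs for every flow that bypasses the tunnel."""
    verdicts = ((f, classify(f, vpn_server, lan)) for f in flows)
    return [(f, v) for f, v in verdicts if v in ("leak", "dns-leak")]

# Constructed sample: documentation-range addresses, not real hosts.
VPN_SERVER = "203.0.113.10"
LAN = "192.168.1.0/24"
SAMPLE_FLOWS = [
    Flow(TCP, "203.0.113.10", 1723),   # PPTP control
    Flow(GRE, "203.0.113.10"),         # PPTP data
    Flow(UDP, "224.0.0.251", 5353),    # multicast on the LAN
    Flow(UDP, "192.168.1.1", 53),      # DNS to the local gateway
    Flow(TCP, "198.51.100.25", 80),    # web request outside the tunnel
]

if __name__ == "__main__":
    for flow, verdict in find_leaks(SAMPLE_FLOWS, VPN_SERVER, LAN):
        print(verdict, flow)
```

The same allow-list (GRE and TCP 1723 to the VPN server only, on the physical interface) is what a host firewall rule set would need to enforce to implement the suggested solution.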
