Don’t Fuck It Up 3: The Ins and Outs of VPNs

This part analyzes whether using VPN services prevents traffic interception, and whether it gets a user onto some kind of potential-suspects list.

Features of VPNs

So, here’s the first tool, VPNs (see left-hand image). You are going to use an insecure network – are you safe? There are two questions when it comes to tools: “Should I use it?” and “How should I use it?” What do you get from a VPN? You get some traffic encryption, but only between you and the VPN itself, not necessarily from the VPN to the remote location. You may get a little bit of location obfuscation from the remote server; they may not know exactly where you are. Maybe you get some request concealment from the ISP, between you and the VPN, but not afterwards. So it really depends on where the listener is located. It’s a single-hop proxy, so anyone who is watching both ends, like a state agency, can do traffic correlation very easily. It also shifts the trust model over to the VPN provider. That’s a provider you probably have a financial relationship with; that could be traceable, depending on how you are paying for it. So think about those things.

VPN providers really vary in what they promise. Many of them say they don’t keep logs. You should know the logging policy, but it doesn’t tell you the whole story, especially if they are located in the United States, because they can start logging any time they want to, for example when they receive a national security letter, which they are barred by law from telling you they’ve received. So, just because they don’t log now doesn’t mean they won’t in the future if you become interesting.

Check what's leaking

VPN clients vary in how well they hook you up. They can leak information depending on the client – I’ve seen this myself. So if you plan on hiding behind a VPN, then you’d better see what the client lets you expose. Connect to the VPN, run Wireshark (see right-hand image) or another packet sniffer on another computer, and see what’s coming out of the computer that you are going to use for operations. Is everything going through the VPN or not? If this small amount of effort is too much for you, then Internet scofflaw is probably not the job for you. You should work for the government instead.

Need to reconnect

Here’s a simple test for the lazy. Open up an SSH connection and then fire up your VPN and see if it drops. If it stays open, then stuff is still being leaked; existing connections are allowed to go through, and all kinds of things could be phoning out with your real IP. A lot of VPN clients are also shitty for mobile use. Every time you put your computer to sleep or move around, the tunnel goes down and you have to reconnect (see left-hand image). When that happens, every frickin’ app on your computer phones home and tries immediately to reconnect before the VPN reconnects, and exposes your IP. Mail clients, browsers with open tabs that just try to reload them, browsers running all kinds of JavaScript in the background that is communicating – all your shit is exposed. If this applies to you, make sure all this stuff is shut down before you close the VPN.

So, even if it’s as simple as doing a ‘killall -STOP’, thinking about everything that could possibly phone home and stopping it before you close the VPN is a good habit to get into. Of course, habits are fragile, you’ll eventually fuck it up, so try to automate that process. Another thing on that subject – randomize your MAC address. It’s already been exposed that the Canadian government is probably illegally tracking people using airport WiFi by their MAC addresses, so they could see where people were moving around in various airports. So I like to randomize my MAC address as often as is not too inconvenient.
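As an added example (not part of the talk or this write-up), here is one way to automate the check and the stop-everything habit above on Linux: parse `ss -tnpH` output, flag established connections whose local address is not the tunnel's, and optionally freeze the owning processes with SIGSTOP before the tunnel is dropped. The tunnel address 10.8.0.2 and the sample `ss` lines are assumed and constructed, not taken from a real host.

```python
"""Added example (not from the talk): find sockets that bypass the VPN tunnel.
Parses Linux `ss -tnpH` output; established connections whose local address is
not the tunnel's were opened before the VPN came up or reconnected while it was
down. With --stop the owning processes get SIGSTOP (a targeted `killall -STOP`)."""
import os
import re
import signal
import subprocess
import sys

# Constructed sample of `ss -tnpH` output (not captured from a real host).
# Assumed tunnel address 10.8.0.2; the 192.168.1.20 sockets bypass the tunnel.
SAMPLE = """\
ESTAB 0 0 10.8.0.2:44120 203.0.113.10:443 users:(("firefox",pid=2210,fd=88))
ESTAB 0 0 192.168.1.20:50012 198.51.100.7:22 users:(("ssh",pid=1984,fd=3))
ESTAB 0 0 192.168.1.20:50020 198.51.100.9:993 users:(("thunderbird",pid=2301,fd=41))
ESTAB 0 0 127.0.0.1:38822 127.0.0.1:631 users:(("cupsd",pid=811,fd=12))
"""
_USERS = re.compile(r'\("([^"]+)",pid=(\d+)')  # users:(("name",pid=N,fd=M))

def parse_ss(output):
    """Yield (state, local_ip, peer, process, pid) from `ss -tnpH` lines."""
    for line in output.splitlines():
        parts = line.split()  # State Recv-Q Send-Q Local:Port Peer:Port [users]
        if len(parts) < 5:
            continue
        m = _USERS.search(line)
        proc, pid = (m.group(1), int(m.group(2))) if m else ("?", 0)
        yield parts[0], parts[3].rsplit(":", 1)[0], parts[4], proc, pid

def find_leaks(output, tunnel_ip):
    """Return established connections whose local side is not the tunnel."""
    return [c for c in parse_ss(output)
            if c[0] == "ESTAB" and c[1] != tunnel_ip
            and not c[1].startswith("127.") and c[1] != "[::1]"]

def main(argv):
    if len(argv) < 2:
        sys.exit("usage: vpn_leakcheck.py TUNNEL_IP [--stop]")
    out = subprocess.run(["ss", "-tnpH"], capture_output=True, text=True, check=True).stdout
    leaks = find_leaks(out, argv[1])
    for _, local, peer, proc, pid in leaks:
        print(f"{proc}[{pid}] {local} -> {peer}")
        if "--stop" in argv and pid:
            os.kill(pid, signal.SIGSTOP)  # SIGCONT them once the tunnel is back
    return len(leaks)

if __name__ == "__main__":
    sys.exit(1 if main(sys.argv) else 0)
```

Against the constructed sample, the `ssh` and `thunderbird` sockets are reported because their local side is the LAN address rather than the tunnel; the loopback `cupsd` socket is ignored since it never leaves the machine.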

XKeyscore vs. VPN

So, should you use a VPN? What kind of a list does it get you on? VPNs have their uses and their flaws. If you are going up against the big guys and they are on both sides of the VPN, traffic correlation is trivial. Simply using a VPN also makes you look interesting. This is from the XKeyscore manual from 2008 (see right-hand image). You’ve also got to remember that XKeyscore is not a real-time traffic processor; it’s a database miner, a set of filters for stored data. People often say to me: “You should be on a list.” Well, I use a VPN, especially when I travel, so I’m definitely on some sort of list.

More tools to compromise VPN traffic

This is from Pacific SIGDEV in March 2011 (see left-hand image). It also mentions ingesting and storing VPN data, once again looking at identifying VPN use and then finding ways to get into those networks. It mentions a program called Birdwatcher; we know nothing more about this, but clearly it’s some sort of data mining program that perhaps could be put to use collecting VPN key exchanges for later cryptanalysis.

Hackers mentioned

By the way, this is also from Pacific SIGDEV (see right-hand image). I’m really pleased to see that in this presentation we got a category of our own right next to terrorists, criminal groups and foreign intelligence agencies, so we’re in the big time.

‘Legal weaseling’

Here’s another NSA slide (see left-hand image). Blackpearl is a survey database built from the taps on the undersea fiber-optic cables, presumably providing a high-level picture of things such as communications having a foreign endpoint, because technically they are only allowed to look at things with a foreign endpoint. This is the sort of legal weaseling. So, once again, using VPNs is something that can attract attention. This was reported as a tool specifically for targeting private networks, but that doesn’t seem to be the case. So, using a VPN puts you on a radar. Is that a reason not to use it? I don’t think so, because you might as well make things more difficult for them. But perhaps in certain cases you should be aware of it when you do your tradecraft analysis.

MITM attack on VPN traffic

Here’s another one about intercepting and decrypting VPN traffic (see right-hand image). These are the Hammerstein slides, referring to doing a man-in-the-middle attack on VPN traffic via compromised network routers with implants inserted. So these refer to selected decrypted content. The good news is that going to all this trouble probably means that it’s not all vulnerable. But at least some of it, no doubt, refers to crypto attacks on PPTP VPNs, a known compromise since about 2012 – Moxie Marlinspike and David Hulton’s DEF CON 20 presentation and release of CloudCracker for PPTP.

So, a VPN is probably still worthwhile, but you’ve got to make sure it’s up to date. And don’t just rely on that one thing. One thing you can do if you’re truly paranoid is hop VPNs every few minutes. Some providers even offer this service within a single provider. Again, you’re depending on one provider, and you’re now generating really interesting traffic for the NSA. But against some listeners you’ve got some decorrelation noise in there – good for research like searches in port scans. But just don’t fuck it up by believing that this one-hop proxy is going to be a magic all-in-one solution. And remember that it leaves a financial trail, and that can connect to your real identity unless you’re paying anonymously.