Even though virtual private network (VPN) technology has been around for well over a decade, many high-profile VPN breaches are still occurring today. How is it that the VPNs of companies like Comodo, Gucci and Citigroup were compromised? We evaluate the most prominent cases of 2011 and explain what enterprises can do to beef up VPN security.
Top VPN breaches of 2011
- Gucci: A former Gucci network engineer created a fake employee account to access and control the company’s computer system, cutting off access to documents and emails on Gucci’s servers. This cost Gucci more than $200,000 in lost productivity and restoration efforts.
- DigiNotar: Hackers tricked the digital certificate authority’s system into issuing more than 500 fraudulent digital certificates for top Internet companies like Google, Mozilla and Skype. The hack happened in early June, but DigiNotar didn’t uncover the breach until mid-July. The company filed for bankruptcy in September.
- Comodo: Hackers issued fraudulent SSL certificates to seven Web domains, including Google, Yahoo and Skype.
- Citigroup: Hackers gained access to over 360,000 accounts, viewing customer contact information and transaction history and exposing the website’s security flaws.*
Two of these four VPN breaches -- DigiNotar and Comodo -- resulted from SSL VPN security holes. SSL VPNs use Internet browsers as clients -- unlike IPsec VPNs, which have dedicated clients -- and each browser has its own security flaws, explained Rainer Enders, CTO of Americas at NCP engineering. This means that SSL VPNs have inherently weak clients. A hacker can exploit these browser vulnerabilities to spoof a certificate authority (CA) certificate, which the SSL VPN handshake relies on to verify the identity of the endpoints.
"These security breaches called into question the integrity of the SSL certification process, which is somewhat problematic because of all these certificate authority entities that are not well-controlled and organized," Enders said.
In addition to using fraudulent digital certificates, hackers also took advantage of DigiNotar's lack of strong passwords, weak antivirus protection and outdated software.
Rather than spoof a certificate, the Citigroup hackers exploited an insufficient-authorization flaw in the bank’s IPsec VPN. They penetrated Citigroup's defenses by first logging on to the site reserved for its credit card customers. Once inside, they jumped between the accounts of different Citi customers by substituting other account numbers into a string of text in the browser’s address bar. Automated code repeated this exercise tens of thousands of times, allowing them to capture private data.
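The Citigroup flaw described above is a missing object-level authorization check: the server released whatever account the number in the address bar pointed at. The following is an added example, not code from the article or from any of the companies named, showing the vulnerable lookup beside a hardened one that ties the record to the authenticated session, plus a small detector that flags the scripted enumeration pattern (one session requesting many distinct account numbers) in access logs. The account store, session names and log lines are all constructed for the example.

```python
"""Insufficient authorization on an account lookup, the hardened form,
and detection of account-number enumeration. Everything here (accounts,
users, log format) is constructed for illustration."""
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed data store: account number -> owner and details
ACCOUNTS = {
    "4001": {"owner": "alice", "balance": 1200.0},
    "4002": {"owner": "bob", "balance": 55.0},
    "4003": {"owner": "carol", "balance": 9800.0},
}


def account_id_from_url(url):
    """Pull the account number out of a URL such as /account?acct=4001."""
    return parse_qs(urlparse(url).query).get("acct", [None])[0]


def lookup_vulnerable(session_user, url):
    """Insecure: trusts the account number in the address bar outright,
    so any authenticated user can read any account by editing the URL."""
    acct = account_id_from_url(url)
    return ACCOUNTS.get(acct)


def lookup_hardened(session_user, url):
    """Hardened: the identifier in the URL is only a hint; the record is
    released only if the authenticated session owns it. Not-found and
    not-owned return the same value so the response does not reveal
    which account numbers exist."""
    acct = account_id_from_url(url)
    record = ACCOUNTS.get(acct)
    if record is None or record["owner"] != session_user:
        return None
    return record


def flag_enumeration(log_lines, threshold=3):
    """Detection: a single session requesting many distinct account numbers
    is the signature of the automated enumeration in the article.
    Returns {session: distinct_account_count} for sessions at or over
    the threshold."""
    per_session = defaultdict(set)
    for line in log_lines:
        session, url = line.split()  # constructed format: "<session> <url>"
        acct = account_id_from_url(url)
        if acct:
            per_session[session].add(acct)
    return {s: len(a) for s, a in per_session.items() if len(a) >= threshold}


# Constructed access log: one normal session, one enumerating session
SAMPLE_LOG = [
    "sess-alice /account?acct=4001",
    "sess-alice /account?acct=4001",
    "sess-eve /account?acct=4001",
    "sess-eve /account?acct=4002",
    "sess-eve /account?acct=4003",
    "sess-eve /account?acct=4004",
]

if __name__ == "__main__":
    # bob's session asks for alice's account
    print(lookup_vulnerable("bob", "/account?acct=4001"))  # leaks alice's record
    print(lookup_hardened("bob", "/account?acct=4001"))    # None
    print(flag_enumeration(SAMPLE_LOG))                    # {'sess-eve': 4}
```

The hardened lookup deliberately returns the same result for "no such account" and "not your account"; distinguishing them would turn the endpoint into an oracle for valid account numbers, which is exactly what an enumeration script wants. The detector is a per-session distinct-count; in production the same logic would run over the web server's access log keyed on session cookie or authenticated user.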
The Gucci network attack, however, was not an exploitation of an inherent VPN security flaw. Instead, this was a case of a poorly deployed VPN, Enders said.
Preventing a VPN breach
"There's no silver bullet" for preventing a VPN breach, Enders said. Every type of VPN could be breached via insider knowledge or social engineering, where hackers email or call an employee and trick them into sharing their credentials.
"[However,] an ID management system would address the problem of a single network engineer taking over complete control of the network. In many cases we have seen, network engineers are fired and then still have full control over the network. … If the Gucci network deployed a managed IPsec VPN that tied into an identity management system, which would take care of user provisioning … this could have been avoided," he said.
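The check Enders describes, tying network access to an identity management system so that a fired engineer's account is disabled and a fake employee account never passes provisioning, comes down to reconciling the VPN account list against the HR roster. The following is an added example, not code from the article, NCP or Gucci: it flags enabled accounts whose employee has a termination date in the past (the fired-engineer case) and enabled accounts with no HR record at all (the fake-employee case), then disables them. The roster, account export and dates are constructed for the example.

```python
"""Reconcile VPN accounts against the HR roster: the core check an identity
management system automates. Roster and account data are constructed."""
from datetime import date

# Constructed HR roster: employee id -> name and termination date (None if active)
HR_ROSTER = {
    "e100": {"name": "A. Engineer", "terminated": date(2011, 3, 15)},
    "e101": {"name": "B. Admin", "terminated": None},
    "e102": {"name": "C. Analyst", "terminated": None},
}

# Constructed VPN account export: username -> linked employee id and state
VPN_ACCOUNTS = {
    "aeng":     {"employee_id": "e100", "enabled": True, "admin": True},
    "badmin":   {"employee_id": "e101", "enabled": True, "admin": True},
    "canalyst": {"employee_id": "e102", "enabled": True, "admin": False},
    "jsmith":   {"employee_id": "e999", "enabled": True, "admin": True},  # no HR record
}


def reconcile(roster, accounts, today):
    """Return a sorted list of (username, reason) for enabled accounts that
    should not exist: owner terminated on or before today, or owner unknown
    to HR."""
    findings = []
    for user, acct in accounts.items():
        if not acct["enabled"]:
            continue  # already disabled; nothing to flag
        emp = roster.get(acct["employee_id"])
        if emp is None:
            findings.append((user, "no_hr_record"))
        elif emp["terminated"] is not None and emp["terminated"] <= today:
            findings.append((user, "terminated_still_enabled"))
    return sorted(findings)


def disable_flagged(accounts, findings):
    """Provisioning action: disable every flagged account. Returns a new
    account map; accounts that were already disabled stay disabled."""
    flagged = {user for user, _ in findings}
    return {
        user: {**acct, "enabled": acct["enabled"] and user not in flagged}
        for user, acct in accounts.items()
    }


if __name__ == "__main__":
    today = date(2011, 4, 1)
    findings = reconcile(HR_ROSTER, VPN_ACCOUNTS, today)
    for user, reason in findings:
        flag = " (admin)" if VPN_ACCOUNTS[user]["admin"] else ""
        print(f"{user}: {reason}{flag}")
    cleaned = disable_flagged(VPN_ACCOUNTS, findings)
    print("remaining findings:", reconcile(HR_ROSTER, cleaned, today))
```

Run daily against the real exports, the interesting output is the admin-privileged findings: an orphaned account with full network control is the scenario Enders describes, and an account with no HR record at all is how a fake employee shows up.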
In the end, the strongest assurance against today's VPN breaches is a strategy that combines strong technology with sound security policy and proper education of end users. Judging by the holes uncovered in recent breaches, IPsec VPNs have proved safer than their SSL VPN counterparts.
"Deploying IPsec with a managed client, a managed client firewall and an integrated managed VPN system that ties into your identity management system, really offers the maximum protection. This would achieve a really good security overall," Enders concluded.
*Editor's note: RSA was removed from this list when it was confirmed that stolen SecurID information was not the result of a VPN breach, but the result of a sophisticated APT (advanced persistent threat) attack.