Schneier on Security

echo • May 7, 2024 12:20 PM

Most VPN to the best of my knowledge at the consumer level is bought on the basis of changing geolocation or lightly concealing traffic type and content from an ISP. It doesn’t need to be bullet proof just good enough to thwart consumer grade providers. Ditto most hum drum business stuff. The problems start creeping in when it involves valuable IP which can shift the future of industries or people dying. It’s not always going to be the usual big ticket military. It can be vulnerable persecuted minorities too.

The attack works by manipulating the DHCP server that allocates IP addresses to devices trying to connect to the local network. A setting known as option 121 allows the DHCP server to override default routing rules that send VPN traffic through a local IP address that initiates the encrypted tunnel. By using option 121 to route VPN traffic through the DHCP server, the attack diverts the data to the DHCP server itself. Researchers from Leviathan Security explained:

Okay, change defaults or block option 121.

Interestingly, Android is the only operating system that fully immunizes VPN apps from the attack because it doesn’t implement option 121. For all other OSes, there are no complete fixes. When apps run on Linux there’s a setting that minimizes the effects, but even then TunnelVision can be used to exploit a side channel that can be used to de-anonymize destination traffic and perform targeted denial-of-service attacks. Network firewalls can also be configured to deny inbound and outbound traffic to and from the physical interface. This remedy is problematic for two reasons: (1) a VPN user connecting to an untrusted network has no ability to control the firewall and (2) it opens the same side channel present with the Linux mitigation.

Okay, block option 121.

Doesn’t effect (verified) trusted networks.

As for Microsoft? Sheesh.

I know people don’t like my position but if you don’t like dead people then fix it. If it’s not fixed I’m going to assume people don’t care. If you don’t care then find a job in another profession.

echo • May 7, 2024 4:13 PM

Instead of talking about it is anyone going to fix it? If the hours put into talking were put into fixing it would be fixed by now.

Or is this one of those things where Microsoft et al get to ship dodgy product then soak $20 billion off the top of the GDP to sell security products? I think I just answered my own question…

echo • May 7, 2024 5:20 PM

re: Q: is anyone going to fix it?

A: No. It is not fixable.

Then how come the attack fails if option 121 is blocked client side i.e. “fully immunizes them from the attack”? It seems pretty fixable to me. Of course if the whole stack is barfed then redo the protocol. Or is this another see you in ten years thing where we get to see it recycled again?

I’m more and more convinced human rights and equality is way better than any technical solution, and making international law mean something. It just heads off so many problems before a technical response it required it’s not funny.

echo • May 8, 2024 6:39 AM

Mullvad is immune to this attack and the previous TunnelCrack
https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision

What was bothers me is lack of documentation for best practice and systems not being guaranteed to be safe and that consumer level people cannot tell simply from staring at a VPN whether it is secure or not. There’s also no accessible conformancy test. This rather proves my point.

Nuking client side support for option 121 would fix that unless there’s any reason why not. Like if it’s not needed and there’s no real world backward compatibility reasons for it why is it still there? If it has to be there can’t be be made an explicit request to turn it on and, yes, I know there are problems with that too but if it is a problem you have bigger worries.

Ordinary people may rightly be concerned about things like banking. For LGBT people living in places like Iran, Uganda, and Russia et al they have to worry about loss of being able to exercise fundamental rights or jail or a death sentence. More broadly blind people regularly have accessibility problems. Again, this comes back to best practice, reference code, and comformancy tests preferably being baked into toolchains. If vendors don’t take human rights seriously from step one you end up with problems later.

echo • May 8, 2024 8:06 PM

This attack does not seem aimed at those using well prepared point-to-point VPN. It is going for those hiding from Google, those doing banking at the hotel, dumb German military, and the people @echo worries about. For all of them VPN may be the problem, not the solution.

I assume everything with a plug on it is compromised. If it’s not one actor poking their sticky beak in it’s another. It can be a case of pick your actor and risk appetite.

GCHQ don’t care about your bank app. Odds on if you’re a UK citizen they have every transaction logged and maybe the sourcecode to the app and some input into the transaction processing systems. If GCHQ/MI6 want foreign bank details it’s known they have in the past by means mysterious been able to get them on demand much to the indignation of bank management. Or they may have got lucky and bigged it up for a laugh. Hard to say, really.

Germany has a multi-generational East-German integration problem which is also driving AFD support. The legacy of Soviet brainwashing looms large. Hans-Georg Maassen, one of their former chiefs was sacked for becoming “radicalised” and a far right supporter.

If the security services want to know what I am on about they either know already or can buy me lunch if they’re that desperate to find out. Like, what do you want to know?

Being a lady of a certain age I don’t need a laptop or internet. If I traveled to any country on my do-not-travel-there list it would be as a tourist doing tourist things and visiting touristy-places. At best I would be a social observer. I’ve found it’s always people on the outside who can really influence along with social movements on the inside.

Sometimes all you have left is your own happiness. It’s a thing.

echo • May 9, 2024 7:42 AM

<

blockquote>“GCHQ don’t care about your bank app. Odds on if you’re a UK citizen they have every transaction logged … ”

I assume that any state actor can get what they want from or about me, but I doubt that they want to waste time on a nobody like me (unless it’s a case of mistaken identity). No, protecting my financial transactions in suspect coffee shops is more about the organised scoundrels who would be very happy to fillet my bank account and spend freely using my data.

Oh for sure.

While everything is always a none zero risk it’s unlikely the local hippies or feminist collective are scalping your data. A second bank account can act as a buffer. Alternatively don’t use online banking. For anything serious all contracts and payments are to be account holder present with a signature in wet ink. If anything goes wrong it’s on their insurance not yours.

Being a lady of a certain age I remember a world before the internet when things like travelers cheques and bullion and a visit to the bank existed. I still prefer visiting the bank when I have an excuse. I felt my favourite banker was destined for the top and, sadly for me, the top felt so too and they gave him his own bank. We used to enjoy our conversations and I squeezed a confession out of him he enjoyed the skive which was quite the laugh at the time. His pet name for me was “Trouble”. Who me? He was always very careful and listened closely and looked after me. I appreciate that. I just wish the bank hadn’t moved MY banker but he deserved his success and I’m happy for him. He was one of the good ones.

Security indicators come in many forms. If it feels wrong it probably is.

echo • May 9, 2024 12:48 PM

Osint (Open Source Intelligence) is quite powerful. When you read Brian Kreb’s blog, or Belingcat, you can get an idea what is possible with just ingenuity and an internet connection.

I never read them myself. There is (some) overlap but otherwise different tribes with different goals and different tools and different methods and different skills. It’s no surprise technocentric hierarchical people in a traditionally male dominated industry can miss this. It does irk me a bit.

The OSI is less than 0.1%. There’s much more going on and that’s what interests me. I nearly but didn’t post some reports from people on the ground. Anyone here will almost certainly likely miss them or discount them. They provided me with a datapoint because I know what to look for.

It’s like the exploit mentioned in the topic. It puzzles me why it hasn’t been fixed or standard mitigations and warnings are not industry standard. I’m puzzled more when people obsess it and nothing changes while I’m more interested in the organisation and people and sense of a place where it may be located. Likewise with the demonstrations it’s not politicians or police and their ridiculous paramilitary equipment and vehicles providing security. The security is a society which prioritises the human rights and a sense of society and values.

I’m not stopping people reading Krebs or Bellingcat or obsessing tech. I’m just puzzled with their end game.

echo • May 9, 2024 5:37 PM

Right on. This is wrongly headlined as an attack on VPNs generally. It’s an attack on the VPNs used by people who either don’t know how to use a VPN, or don’t want to pay for a proper one.

That whiffs of blaming end users for problems caused by the industry. Punch up not down.

echo • May 9, 2024 8:19 PM

@lurker

It’s a free market. People are free to choose junk so-called VPNs. Somehow that becomes a “security” problem? Isn’t it a social problem if endusers aren’t sufficiently educated to know how to get the best product for their purpose? I regard it as a social problem that so-called “leaders of industry” are free to foist vulnerable products on the public. Magic wands are not allowed.

Where you place something on the technical, human rights, social, and economic security model can get a bit wild. Depending what it is can make it hit the grid in multiple places to multiple degrees.

I prefer regulated markets, standards, best practice, reference code, conformancy tests, adequate provider due diligence, consumer protection, and so on. You don’t need to be some mega certified with a ten year learning path job title and a need for a PhD for this. Some things sure but they’re often turnkey. All the IQ was baked in before you went anywhere near it. Of course some jurisdictions can have flaky standards so…

VPN’s are what they are but they can be a patch on a laundry list of problems. The basic internet was designed that way because of another set of problems. So the question “What are you buying?” can get a bit deep.

With regard to all this I think it’s important to be client led. There are limits obviously as well as balance of expertise and expectations. Sometimes a client can know 100x what you know and it’s your job to deploy your expertise in “getting **** done” to facilitate those goals within acceptable quality/ethical etcetera parameters. Mind you some clients know naff all so there is that too.

As you push your service/product you’re going to expand your market to varying degrees of expert and inexpert people with different needs. Some stuff is foolproof. Other stuff not so. Some situations are this and other situations are that. I just think it’s beholden on the provider to be aware of this. It’s all routine until it’s not and it’s that “not” bit where you start earning your money. Then there’s all the soft skills like customer service and support and so on. Each one can hit the security matrix.

So back to your assertion it’s a social problem? Um, sure there’s a lot of weight on that one and you can use it as your sole starting point. It has a lot going for it. At the same time it still operates within and is part of the security matrix. Failure of the social can lead to the collapse of the rest.

Magic wand? No but some practical considerations which when accumulated can make a lot of problems go away, or fixing them before they get worse, or sometimes solve problems you didn’t know you had.