-----BEGIN PGP SIGNED MESSAGE-----

Findnot.com IP Address Privacy Breach and Unencrypted Data Vulnerability

Advisory ID: FN15294
Release Date: 2006-04-18
Last Update: 2006-04-18
Severity: Critical

IMPACT: Unexpected intermittent IP address privacy breach, immediate loss of anonymity, and unencrypted data sent directly out to the Internet. Exposure to DNS lookup spoofing.

Where: From the local network, and from remote servers.
Solution Status: Unpatched
Software: Findnot.com's VPN Service, which uses the Microsoft PPTP Client
Related Advisories: FN15398

DESCRIPTION:
Several vulnerabilities have been reported in Findnot.com's Microsoft PPTP VPN Service Client, which can cause intermittent, immediate loss of anonymity and privacy while using the service:

* IP Address Privacy Breach: Exposes your REAL IP address during Internet activity to remote sites that seconds earlier saw an anonymous IP address.

* Encryption Data Link Broken: Sends unencrypted data directly out to the Internet, viewable by users on the local network, the ISP, or a local snooping government, all while the user assumes all data is encrypted between their machine and the VPN server.

* DNS Spoofing: While disconnected and while the VPN is attempting reconnection, on an unsecured DNS system in a shared computer setting such as a WiFi hotspot, hotel or internet cafe, www.hostname.com may actually be directed toward a spoofed website, all the while the user assumes they are using the secure VPN DNS servers.

This vulnerability is caused by a problem with the VPN software: when the VPN encounters a disconnection from the remote VPN server, the software drops the machine's routing of data through the VPN and sends the data directly over the Internet to the sites being accessed.

The vulnerability has been reported by many users of the Findnot.com system. It is most likely to happen on a congested Findnot.com server, or because of an internet connection problem somewhere between your machine and the VPN server.

FINDNOT.COM'S SOLUTION:
From the vendor's website:

"...If you are concerned about a connection to one of our servers being dropped during a transaction like a download and your real ip address then being revealed relax. In most applications ...[when the]... VPN server drops, the application times out."
http://web.archive.org/web/20050326031144/http://www.findnot.com/howitworks.html

Yes, they actually tell you to "relax" about your privacy being breached. A rash and irresponsible statement coming from a so-called provider of anonymous Internet services. Instead of recommending that the VPN therefore not be used, the vendor advises the customer to "relax", but then contradicts itself in a following recommendation:

"...For real bullet proof protection just run the application through the SSH Proxy..."
http://web.archive.org/web/20050326031144/http://www.findnot.com/howitworks.html

In other words, if you are concerned about your IP address privacy and your data encryption, don't use the VPN; use the SSH Proxy. It is concerning, to say the least, that they are so hypocritical about use of the VPN despite the clear and present danger to anonymity it presents. It brings into question other aspects of their setup.

In fact the SSH Proxy has its own vulnerability, covered in the Security Advisory "Findnot.com DNS Privacy Breach" (Advisory ID: FN15398), which exposes the websites you visit to snoopers on your wireless connection, local network, or ISP while using the 'SSH Proxy' service of Findnot.com.

VALIDATION:
Load etherape and sniff on your local internet connection interface. Choose a very busy Findnot.com server where a disconnect is likely due to connection issues with the VPN server, or temporarily disconnect your local internet connection cable to simulate an internet connection problem.

The VPN will disconnect and you will immediately see your network traffic going directly out onto the net unencrypted, with connections being made directly to the sites being accessed by your applications. Your DNS queries will also be answered by your local ISP or gateway machine, revealing which sites you are accessing to the operator of the DNS server.

SUGGESTED SOLUTION:
When the Findnot.com VPN is used, firewall ALL applications from accessing the net directly, and only allow them access to the VPN interface when it is up. Toggle your firewall settings to allow all applications access to the internet interface when not using the Findnot.com VPN. Contact your system administrator for instructions, as this is not a trivial task and is beyond the scope of most Internet users and of this document.

Or use a real solution. Use an alternative VPN client such as the Open Source OpenVPN system, which does not have these vulnerabilities.

Endnote: Please note that for readability we have adopted a 'Secunia Advisories'-like format, but this is not a Secunia advisory.

-----BEGIN PGP SIGNATURE-----
Version: MailVault 2.2 from MailVault Corporation http://www.mailvault.com

iQA/AwUAREbqkJmYJws4aHIREQLjPQCdF9umlbefbIhKSc0AigRybcf2o9kAmgKc
Gl7O1N4A+uJ4XWDeP25B7NzC
=ghrQ
-----END PGP SIGNATURE-----

PGP Public Key for "123 Privacy Advisories" <123privacy_advisory@mailvault.com>
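
The check described under VALIDATION can be run over a saved capture instead of watched live. This is an added example, not part of the signed advisory; it assumes `tcpdump -n` text output from the physical interface, and the function names, addresses and sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the advisory. Flags packets that left the physical
# interface outside the PPTP tunnel, from `tcpdump -n -i <iface>` text output.

# Constructed sample capture: tunnel up, then dropped at 12:00:09.
sample_capture() {
    cat <<'EOF'
12:00:01.100000 IP 192.168.1.10.40122 > 203.0.113.10.1723: Flags [P.], length 16: pptp
12:00:01.200000 IP 192.168.1.10 > 203.0.113.10: GREv1, call 4096, seq 12, length 88
12:00:01.250000 IP 203.0.113.10 > 192.168.1.10: GREv1, call 512, seq 9, length 70
12:00:09.300000 IP 192.168.1.10.53211 > 192.168.1.1.53: 4242+ A? www.hostname.com. (34)
12:00:09.400000 IP 192.168.1.10.40130 > 198.51.100.7.80: Flags [S], seq 1, length 0
EOF
}

# find_leaks LOCAL_IP VPN_SERVER_IP   (reads capture text on stdin)
# Prints "KIND DST PORT" for every outbound packet that is neither PPTP
# control (TCP 1723) nor GRE addressed to the VPN server.
find_leaks() {
    awk -v me="$1" -v server="$2" '
    $2 == "IP" && $4 == ">" {
        split($3, s, ".")
        src = s[1] "." s[2] "." s[3] "." s[4]
        if (src != me) next                 # only outbound packets matter
        d = $5
        sub(/:$/, "", d)                    # strip the trailing colon
        n = split(d, p, ".")
        dst = p[1] "." p[2] "." p[3] "." p[4]
        port = "-"                          # GRE and ICMP carry no port
        if (n == 5) port = p[5]
        if (dst == server && (port == "1723" || $6 ~ /^GREv/)) next
        kind = "DIRECT"
        if (port == "53") kind = "DNS"      # lookup sent to the local resolver
        print kind, dst, port
    }'
}

sample_capture | find_leaks 192.168.1.10 203.0.113.10
```

On the constructed capture this reports the DNS query to the local gateway and the direct web connection, the two leaks the advisory describes.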
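
One way to implement the firewalling described under SUGGESTED SOLUTION, as an added example that is not part of the signed advisory. It assumes a Linux client with iptables and a pppd-style tunnel interface; the function names, interface names and server address are placeholders, not values from Findnot.com.

```sh
#!/bin/sh
# Added example, not from the advisory: fail-closed egress rules for a PPTP
# client. Assumes Linux with iptables; interface names and the server address
# are placeholders supplied by the caller.

# killswitch_rules PHYS_IF TUNNEL_IF VPN_SERVER_IP
# Prints the rule set, one command per line. The server must be an IPv4
# literal: resolving a hostname would rely on the untrusted local DNS.
killswitch_rules() {
    phys=$1; tun=$2; server=$3
    case $server in
        ''|*[!0-9.]*) echo "VPN server must be an IPv4 literal" >&2; return 1 ;;
    esac
    # Default-drop all output (IPv4 and IPv6), then allow only: loopback,
    # DHCP lease renewal, PPTP control (TCP 1723) and GRE (protocol 47) to
    # the VPN server, and anything routed into the tunnel interface.
    cat <<EOF
iptables -F OUTPUT
iptables -P OUTPUT DROP
ip6tables -F OUTPUT
ip6tables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o $phys -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A OUTPUT -o $phys -d $server -p tcp --dport 1723 -j ACCEPT
iptables -A OUTPUT -o $phys -d $server -p 47 -j ACCEPT
iptables -A OUTPUT -o $tun -j ACCEPT
EOF
}

# Dry run by default (prints the commands); APPLY=1 as root loads them.
apply_killswitch() {
    rules=$(killswitch_rules "$@") || return 1
    printf '%s\n' "$rules" | while read -r rule; do
        if [ "${APPLY:-0}" = 1 ]; then $rule; else echo "$rule"; fi
    done
}

# Usage: sh killswitch.sh eth0 ppp0 203.0.113.10
if [ $# -eq 3 ]; then apply_killswitch "$@"; fi
```

With these rules loaded, a dropped tunnel leaves applications with no permitted route, so traffic stops instead of falling back to the physical interface. Restoring the default policy (`iptables -P OUTPUT ACCEPT` and a flush) is the "toggle" for when the VPN is not in use.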