Privacy Vulnerability Exposes VPN Users' Real IP Addresses (thestack.com)
An anonymous reader writes: A major security flaw which reveals VPN users' real IP addresses has been discovered by Perfect Privacy (PP). The researchers suggest that the problem affects all VPN protocols, including IPSec, PPTP and OpenVPN. The technique involves a port-forwarding tactic whereby a hacker using the same VPN as its victim can forward traffic through a certain port, which exposes the unsuspecting user's IP address. This issue persists even if the victim has disabled port forwarding. PP discovered that five out of nine prominent VPN providers that offer port forwarding were vulnerable to the attack.
Re: They embed Linux and you get that (Score:1)
PPTP is from Microsoft, champ. -PCP
Re: Damn people are getting dumb (Score:5, Insightful)
This is a mistake, then. If you want to torrent and avoid copyright holders, you need to use a SEED BOX somewhere overseas where they don't keep records. And then VPN from your home or whatever into that seed box. The box runs your torrents for you. The only traffic your IP sees is the encrypted transfers of completed files between you and the seed box. NOT VPN'd torrents.
This is of course not foolproof but it adds a nice layer between your own IP and the infringing activity. It also helps if you are on a bandwidth capped account as your connection doesn't have to support all the torrent traffic. And for cost, a seed box with VPN is not a lot more than a VPN alone. So it's not a big deal.
Well, a lot of people use vpns to hide their torrenting, and IP addresses are how copyright trolls find you and send you letters, so it kinda is an issue if you're paying for a VPN to hide your torrenting, and thus not get caught
Re: Damn people are getting dumb (Score:4, Insightful)
This is a mistake, then. If you want to torrent and avoid copyright holders, you need to use a SEED BOX somewhere overseas where they don't keep records.
Or how about a more novel idea: Instead of paying to avoid copyright, either actually pay for the movies you watch or don't watch them. Seriously, I use a VPN and I use bittorrent for legitimate purposes, and you are ruining my ability to use my tools responsibly.
Just like the idiots that shine laser pointers at landing airplanes so now I cannot use a laser pointer to responsibly teach my daughters astronomy, you are abusing and ruining a tool for nothing of value. If you are so addicted to movies that you cannot even afford to pay for your habit, then you need counseling.
Re: Damn people are getting dumb (Score:5, Insightful)
What about the many, many movies that never actually get released where I live (likely 20% or more never get released here, as a way of "protecting" the domestic movie producing market here)? Oh, I get it, you want me to wait until they are released on DVD and have me import them, right? Too bad about region encoding, apparently I am a "thief" for wanting to buy & watch DVDs in a different region.
I am happy to pay for content, but don't make it impossible to do so and I'll stop circumventing. Hell, the money I pay for a VPN could go to the content provider instead.
Re: Damn people are getting dumb (Score:4, Funny)
Or how about a more novel idea: Instead of paying to avoid copyright, either actually pay for the movies you watch or don't watch them.
I tried that. No one would take my money. And 6 months later when they did want to take my money they wanted to take twice as much as normal because... well I assume they had the added cost of dubbing the original so people said "aluminium" instead of "aluminum" and had to put the missing 'u' back into various words in the subtitles. Maybe they even edited the footage so the toilets flushed in the opposite way, that would justify the cost.
Re: (Score:2)
I tried that. No one would take my money.
When regional exclusion comes into account, I for all means support copyright infringement. My comments were addressed to those who circumvent copyright when moral (not necessarily legal) means are available to them, in order to save money.
If the producers and distributors of the media do not see you as a potential customer and refuse to offer their product in your area, then you are doing no moral harm by acquiring the media by alternative distribution channels.
Re: (Score:2)
While you're on the topic of morals, what's your view on the producers endlessly locking up content in copyright, forever milking the customer for every cent they can bear while passing on almost none of the profits to the people who created that work, all the while taking people to court for ludicrously over-inflated payouts?
Even if I would be pirating due to financial reasons I would justify it to myself as "doing no moral harm" quite comfortably.
Re: (Score:2)
While you're on the topic of morals, what's your view on the producers endlessly locking up content in copyright, forever milking the customer for every cent they can bear while passing on almost none of the profits to the people who created that work, all the while taking people to court for ludicrously over-inflated payouts?
Even if I would be pirating due to financial reasons I would justify it to myself as "doing no moral harm" quite comfortably.
That is not the doing of the producers, rather it is the doing of the politicians. Now ask yourself what did the politicians give to the people when they took away works that should be in the public domain?
I'm all for rebelling against unjust laws, but the truth is that I'll support copyright infringement for an informative work, but not for an entertainment work. One could argue that the entertainment works become culture, to that I answer: when you pirate you are actively basing your culture on non-free
Re: (Score:2)
Must be pretty powerful if it can illuminate the moon.
Re: (Score:1)
Self-righteous preaching is also incredibly patronizing.
Stats consistently show that not only do most pirates pay for content but tend to pay more than average. The primary reason why content gets "stolen" (MPAA/RIAA corporate propaganda) is due to the following:
1. Most of the stuff people download they wouldn't have paid for.
2. Convenience. You can instantly get whatever you want without running through hoops of DRM and delays due to royalties.
3. A work was originally copyright protected to encourage conten
Re: (Score:1)
Bold sections and everything...
You know that no one actually cares if you use a laser pointer responsibly, right? It's a null issue. Same for your legitimate use of BitTorrent... no one is stopping you or making it harder. P2P is not illegal and there are so many trackers out there that even if it were the powers that be would never be able to stop them all. Even if they did THAT someone would just come up with something different enough to avoid the wording of law but similar enough so that you can still u
Re: (Score:2)
Instead of paying to avoid copyright, either actually pay for the movies you watch
I can't tell you how many times I've sat there throwing money at my television and nobody would take it. If the copyright holder won't let me buy it, then I feel no guilt about torrenting it.
Re: (Score:2)
I can't tell you how many times I've sat there throwing money at my television and nobody would take it. If the copyright holder won't let me buy it, then I feel no guilt about torrenting it.
I agree with you 100%. I was addressing those who do have proper channels to acquire media.
Re: (Score:2)
Or you could take the low-hanging fruit principle. Are studios likely to go after people who obfuscate their presence or likely to just record IP addresses and John Doe them to their nearest ISP?
I think VPN torrenters or those using SOCKS proxies will be relatively safe until everyone starts doing it.
Re: (Score:1)
Yes it's probably your friend or neighbor, nobody cares about your IP address anymore.
And doxers
Clever but not earthshaking. (Score:5, Interesting)
Bigger problems (Score:5, Insightful)
The only requirement is that the attacker has port forwarding enabled on the same VPN network as its target. A phishing link or laced image file, for example, is then sent to the victim which leads the traffic to a port under the hacker’s control.
So... using a social engineering attack can expose the victim's IP address. Am I missing something? 'Cause to me this falls under the category of "Well no shit, Sherlock!" If you can convince a user to run a malicious payload, then having an IP address exposed is the least of the victim's problems.
Re: (Score:1)
If someone obtains a VPN connection and routes all of their traffic over that connection, it's reasonable for them to assume that their real IP address won't "leak." Masking one's origin is often the entire purpose of a VPN, at least from a consumer standpoint. Even if the user opens malware or clicks a specially crafted link, there should still be an expectation that any resulting traffic won't reveal the user's true IP. Some of the commercial VPN services are obviously doing it properly, as the exploit do
Re: (Score:1)
So:
"A major security flaw which reveals VPN users' real IP addresses has been discovered by Perfect Privacy (PP). The researchers suggest that the problem affects all VPN protocols, including IPSec, PPTP and OpenVPN"
Is a misleading scare-tactic opening, and "Privacy Vulnerability Exposes VPN Users' Real IP Addresses" is a scare-tactic title, when it should really be "poorly implemented VPNs can leak users' real IP".
Re: (Score:2)
Is it having all servers in one nation under one brands internal control?
Servers in a lot of nations but under total control of the brand?
Some internal network with a way in and a totally different server network out?
An external wired router passing the totality of all OS, app network traffic to a VPN should not be leaking any ISP ip.
Re: (Score:2)
"Masking one's origin is often the entire purpose of a VPN, at least from a consumer standpoint."
Uhhh... nope, why should that be the case?
The purpose of a Virtual Private Network is to, well, virtually make a Private Network, as if it was Local (LAN is another interesting acronym here) over other non-local networks.
And then, the article states " The technique involves a port-forwarding tactic whereby a hacker using the same VPN as its victim can forward traffic through a certain port, which exposes the u
Re: (Score:3)
The term VPN has been co-opted by providers that provide VPN and routing services. People pay for this service so that they can mask their true location -- for example, to use video services not available in their country.
Individual users are not using the VPN to connect to each other, but instead to connect to the VPN endpoint, from where their encapsulated packets are routed to the destination website (and obviously, the replies are routed back the same way)
Re: (Score:3)
"The term VPN has been co-opted by providers that provide VPN and routing services. People pay for this service so that they can mask their true location -- for example, to use video services not available in their country."
Oh, I see now! People got fooled into buying a VPN service when they wanted an anonymizer service.
"Individual users are not using the VPN to connect to each other, but instead to connect to the VPN endpoint, from where their encapsulated packets are routed to the destination website"
An
Re: (Score:2)
VPNs and anonymous proxies are both used for avoiding geo-blocking. Saying someone should only use the latter is somewhat silly, considering anonymous proxies are even more leaky than a well-configured VPN.
Re: (Score:3)
>> "Masking one's origin is often the entire purpose of a VPN, at least from a consumer standpoint."
> Uhhh... nope, why should that be the case?
To avoid a subpoena for the records of the connecting IP address, or to fool geo-IP based content restrictions from blocking people outside the UK from watching BBC programs, or to evade the "Great Firewall" of China, or to avoid tracking a command control center for a botnet, or to avoid detection of the "amazing offer" as coming from Nigeria, or simply to
Re: (Score:2)
"To avoid a subpoena for the records of the connecting IP address, or to fool geo-IP based content restrictions"
No. That's, maybe, what a consumer would want, not what a VPN offers.
VPN offers seamless connectivity between two non-topologically contiguous data networks, not anonymity.
Re: (Score:2)
They don't want anonymity! They want to bypass geo-blocking. That is a perfect use for a VPN.
Re: (Score:2)
"They want to bypass geo-blocking. That is a perfect use for a VPN."
No, it isn't, or else, this full Slashdot article wouldn't exist.
Re: (Score:2)
"VPN means "encrypted proxy". Nothing more, nothing less, at least in this context."
Yeah, well... and RAID means backup. But then, surprise, surprise!
Re: (Score:2)
"In other words, masking one's origin to make it appear you're part of a different network..."
Sorry no, but no. Masking oneself to look like coming from a different network is, who would imagine, "masquerading". VPN is tunneling so you don't see the multiple hops between your network and the one on the other side of the tunnel so, in fact, it helps more than hinders the other side to know your real IP address.
Re: (Score:2)
You really should read up about VPNs as you seem woefully misinformed about how they work and what they are used for. Seriously. It was funny before, but now it's kind of embarrassing.
that's what a proxy is for, not a VPN (Score:2)
If that's your goal, you should be using a SOCKS proxy. VPNs are designed for an entirely different purpose.
So while there is some truth to your statement, some people do that, their actions make about as much sense as:
Inserting a screw is often the entire purpose of a hammer, at least from a clueless standpoint.
You CAN hammer a screw in, and many people have done it. I have, once. Sometimes it works. But it would be stupid to say that a hammer is broken because it's not very good for inserting screws.
Re: (Score:2)
As far as I can tell from the first page of Google for "incoming connections socks proxy", SOCKS doesn't really allow for incoming connections. However, I see many VPN providers support port forwarding.
I've been wanting to set up an FTP server at home for a while but I don't want to pay the extra cash for a static IP.
How would you go about it?
Vpn?
Web hosted ftp?
Or something else?
Re: (Score:2)
The reason I mention static IP is that's the only thing my ISP offers that will bypass their NAT. While a permanent static IPv4 address would be handy it would also cost about the same as 10 years of VPN service.
I would hope that I will be able to get real broadband within 10 years. But AT&T has been saying they would for the last 15 years or so.
what's this goal? vps or dyndns and sftp/scp (Score:2)
> How would you go about it?
> Vpn?
> Web hosted ftp?
> Or something else?
What's the purpose, the goal? A $5 VPS might be a solution, Google Drive might be. For being just like running an FTP server at home, dyndns solves the dynamic IP problem, sftp simplifies port forwarding and makes it more secure, but doesn't 100% solve the NAT issue. Some sort of VPN, possibly via an ssh port forward, to an external service may be needed if you must accept remote connections conveniently. I suppose the act
Re: (Score:2)
The root of the problem is I have one of those iPads with only 16GB of memory. So I can only fit a small amount of my library (after apps and whatever else, only about 2GB left for media). If I had gotten one of those 128GB iPads or an expandable Android tablet I wouldn't have much of an issue.
So my goal is to be able, in the fewest steps possible, to transfer files to the OPlayer app on the iPad as needed. The app only supports HTTP, Samba, FTP, Dropbox and WD wifi storage.
The HTTP support is flaky.
That's interesting (Score:2)
That's an interesting situation. I can certainly see a VPN with a port forward as being a reasonable solution, especially if you need a lot of storage. I'm assuming your ISP doesn't -also- offer IPv6 as well as the NAT IPv4.
SSH port forwarding is a fast, easy way to set up a VPN with port forwarding in one command. Even if you don't use it for this purpose, it's a good tool to have in your toolbox. It requires that you have a shell account on an internet-facing box, which might be a $5/month web hosting account.
Re: (Score:2)
If you're running a dragnet rather than spear-fishing, you just need to put the link out there somewhere
Then everyone in the world will hit that with their public IP. How can you tell the difference between the public IP of your targets and the 1,000,000,000 other IPs?
Re: (Score:2)
Duh, attacker is a script.
Re: (Score:2)
If you can convince a user to run a malicious payload, then having an IP address exposed is the least of the victim's problems.
It's not as hard as you'd think. All you have to do is convince a user to make a connection to the VPN provider's IP at a specific port.
In a common VPN use case where the VPN user doesn't want his IP known to the world, torrenting, it's pretty easy to convince a torrent client to connect to a specific IP/port: just join the swarm on that specific IP/port and wait for your target's torrent client to connect to you! It doesn't matter how savvy the computer operator is when the torrent client is a dumb piece o
Untold requirement? (Score:2)
TFA says that it is possible to trigger a request to the VPN gateway itself, by embedding a link to its address (example: `<img src="http://1.2.3.4:12345/x.jpg">`), and that request will show the real IP.
But in order to get the real IP? the attacker must be able to eavesdrop the traffic between the victim and the VPN gateway, right?
Is that a secret? (Score:5, Insightful)
I don't know that VPNs are supposed to hide the end IP addresses. They make a tunnel through the Internet so you can 'pretend' to be on the same local network as the remote host. (That's the Virtual part.) They also encrypt that traffic so the Internet doesn't get to listen to what you say. (That's the Private part.)
Nowhere in VPN do I see that it's an 'anonymizing proxy' or something else that's supposed to obfuscate either of the end-points. Sure, a lot of people started using VPNs for that purpose, but claiming there's a vulnerability or flaw in IPSec or OpenVPN because it's not 'anonymizing' seems like you've missed the mark a bit.
Re: (Score:2)
The IP found on the net should always stop back at the VPN provider. That's the idea of the router for a system like OpenVPN. Your entire OS, all apps, web use can only connect via the VPN, no leaking an ISP IP out. The idea that anyone looking back from the VPN IP can see the user's ISP is not the best news.
Re: (Score:2)
"The "anonymizing" part is that the VPN becomes your IP for that session. "
That's a side effect at most.
"Your entire OS, all apps, web use can only connect via the VPN, no leaking an ISP IP out"
Sorry, but seemingly you don't understand what you are talking about. Once established, your Virtual Private Network is a network just like any other: you can route it, bridge it, masquerade it... In fact, that's the very goal of a VPN: making two topologically disconnected networks look like connected through
Re: (Score:2)
This is more about the services offered to show a VPN providers IP vs an ISP rather than a traditional "two distant offices" secure networking.
Re: (Score:2)
" This is more about the services offered to show a VPN providers IP vs an ISP rather than a traditional "two distant offices" secure networking."
So what? The expectation is exactly the same: what happens on a node working as ending point for a VPN with regards other networks that node has access to is up to the node, not the VPN.
So if a VPN ends in my computer I'll give for granted all other networks on my computer are visible to the other end unless I'm taking positive steps for that not being the case.
Security services vs VPN? (Score:3)
http://www.theguardian.com/wor... [theguardian.com]
".. decode the encrypted traffic certified by three major (unnamed) internet companies and 30 types of Virtual Private Network (VPN) – used by businesses to provide secure remote access"
or under the new UK net laws "Snooper's Charter: Why aren't VPNs and Tor mentioned in the Investigatory Powers Bill?" (November 5, 2015)
http://www.ibtimes.co.uk/snoop... [ibtimes.co.uk]
".. but surprisingly, nowhere in the proposal does it mention the use of Virtual Private Networks (VPN)."
What can be done? Some creative way for an internal double VPN?
This could also show that VPN use is vulnerable at a city, state, private sector or federal level/budget rather than just a shorter list of advanced nations with a domestic collect it all capability.
Re: (Score:2)
A good wired modern router with OpenVPN support will often offer a fast, newer dual core cpu that can support the needed encryption.
That should cover any leaking from within the users OS, apps, software, malware.
This is absolutely nothing (Score:2)
Re: (Score:1)
This isn't about exposing internal IP addresses.
The idea is that the victim's routing table allows access to the VPN's server, in order to route your encrypted traffic there.
The attacker sets up port forwarding on the VPN, and gets you to connect to that forwarded port somehow.
Because your traffic to the VPN isn't tunneled through the VPN, your real IP address is used to connect to the VPN server on that port, which then gets forwarded to the attacker, and then they can see your real IP address.
Correct, there is always a host route to the VPN provider, which must bypass the tunnel. So the solution is to block all outgoing ports to the VPN server, except 1194 or whatever VPN port is used, and possibly DNS (however I'd rather use my own DNS server, which connects through a different VPN to 8.8.8.8).
Also, by cascading two VPN tunnels this attack is easily foiled.
How it actually works (Score:2)
First of all this assumes the VPN incoming and outgoing IP is the same. This would be expected if you're using your home router as your VPN as you have only one IP but I don't think it should be for larger commercial providers, especially if you're using them to "hide you".
Then it assumes the attacker can open ports on that IP (as a feature offered by the provider). If you connect to that IP:port you'll be doing it over your normal non-encrypted interface because of the way the routing table is configured o
Not what VPNs are for (Score:2)
The point of a VPN is not to keep your local IP address secret. The point is to establish a secure connection between your computer, and a remote private network. I would argue that if a VPN kept your local IP address a secret, this would itself be a security vulnerability, from the perspective of the owner of the private network!
SpearPhishing only? (Score:2)
Basically if the attacker is able to host a service (via port forwarding) on the IP of the same VPN endpoint that the target is going out through, then when the target visits that service (via phishing email, malicious website linked images, etc.) the VPN service will allow the attacker to see the origin of the request.
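The routing-table mechanism described in the two comments above (a /32 host route to the VPN server that must bypass the tunnel, so a connection to a forwarded port on that same address leaves with the real ISP source) and the suggested mitigation (drop all traffic to the VPN server's address except the VPN port itself) modelled in a small simulation. This is an added example, not code from the article or from any commenter; the addresses are constructed TEST-NET/RFC 1918 values and the egress address is assumed to equal the server's ingress address, the precondition noted in the "How it actually works" comment.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example addresses (not from the article).
VPN_SERVER = ipaddress.ip_address("203.0.113.10")  # provider's gateway, ingress == egress (assumed)
VPN_PORT = 1194                                     # OpenVPN default port, as named in the thread
REAL_IP = ipaddress.ip_address("198.51.100.77")    # client's ISP-assigned address
TUNNEL_IP = ipaddress.ip_address("10.8.0.2")       # client's address inside the tunnel


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    src: ipaddress.IPv4Address


# A typical client routing table once the tunnel is up: a host route to the
# VPN server via the physical interface (needed to carry the tunnel itself)
# and a default route that sends everything else through tun0.
ROUTES = [
    Route(ipaddress.ip_network(f"{VPN_SERVER}/32"), "eth0", REAL_IP),
    Route(ipaddress.ip_network("0.0.0.0/0"), "tun0", TUNNEL_IP),
]


def route_lookup(dst: ipaddress.IPv4Address, routes=ROUTES) -> Route:
    """Longest-prefix match, as the kernel does it."""
    matches = [r for r in routes if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen)


def firewall_allows(dst: ipaddress.IPv4Address, port: int, hardened: bool) -> bool:
    """The mitigation from the thread: only the VPN port may reach the VPN server's
    address directly. Unhardened clients allow any port."""
    if not hardened:
        return True
    return dst != VPN_SERVER or port == VPN_PORT


def peer_sees(dst: str, port: int, hardened: bool = False):
    """Return the source address a service at dst:port observes, or None if the
    client's firewall drops the connection. Traffic via tun0 is NATed by the
    provider, so the peer sees the provider's egress address, not TUNNEL_IP."""
    dst_ip = ipaddress.ip_address(dst)
    if not firewall_allows(dst_ip, port, hardened):
        return None
    route = route_lookup(dst_ip)
    return route.src if route.iface == "eth0" else VPN_SERVER


if __name__ == "__main__":
    # A listener on a port the provider forwarded on its own address sees the
    # real ISP address; the same request is dropped once the firewall is hardened.
    print("forwarded port, default client:", peer_sees(str(VPN_SERVER), 12345))
    print("forwarded port, hardened client:", peer_sees(str(VPN_SERVER), 12345, True))
    print("ordinary website, hardened client:", peer_sees("192.0.2.80", 443, True))
```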