[164770] in North American Network Operators' Group
Revealed: NSA program collects 'nearly everything a user does on
daemon@ATHENA.MIT.EDU (Marsh Ray)
Wed Jul 31 19:38:30 2013
From: Marsh Ray <maray@microsoft.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Wed, 31 Jul 2013 21:14:30 +0000
Chris Boyd cboyd at gizmopartners.com Wed Jul 31 15:50:09 UTC 2013
>
> I would guess that it's because many VPN services still support PPTP which can be attacked as outlined here:
> http://www.schneier.com/paper-pptpv2.html
>
> --Chris
That link doesn't even mention the worst vulnerability in PPTP/MS-CHAPv2. Strangely, it's only in the PDF version http://www.schneier.com/paper-pptpv2.pdf at the bottom of page 6:
> Note also that the MS-CHAP response generation algorithm is also a weak
> link, even when passwords contain adequate entropy. It is clear that the NT
> hash can be recovered with just two DES exhaustive keysearches (about 2^56
> trial DES decryptions on average)
In other words, PPTP/MS-CHAPv2 is equivalent to encrypting your password with *single DES* and sending it over the untrusted network. It doesn't matter how strong your plaintext password is. Not only can the passive eavesdropper decrypt your VPN-tunneled data, he can obtain the NT hash which is a password-equivalent credential allowing him to impersonate the user to log into any other network services.
Moxie Marlinspike and David Hulton described the exploit for it at Defcon 20 last summer:
Defeating PPTP VPNs and WPA2 Enterprise with MS-CHAPv2
http://www.youtube.com/watch?v=vWXP3DvH8OQ
Moxie's Cloudcracker online service will decrypt your PPTP packet captures using an FPGA cluster from Pico Computing. Last I heard, the price was a flat fee of $200, although it sometimes goes on sale.
http://www.h-online.com/security/features/A-death-blow-for-PPTP-1716768.html http://h-online.com/-1716768
So it's not just the NSA, it's any passive observer with a budget of $200 for a one-off or ~$10K for their own hardware capability.
PPTP is old and busted, don't let your friends use it! If you've ever used it, change your password. IMHO, if there's any other protocol more deserving of the "internet kill switch" I don't know what it is.
- Marsh
(sorry for not threading properly, I just subscribed to reply)
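
Added example (not part of Marsh Ray's message): the structure behind the quoted "two DES exhaustive keysearches" figure, following the ChallengeResponse construction in RFC 2759. The function names and the sample NT hash are constructed for illustration; no DES is performed, only the key layout and the resulting work factor are shown.

```python
# MS-CHAPv2 ChallengeResponse (RFC 2759): the 16-byte NT hash is zero-padded
# to 21 bytes and cut into three 7-byte DES keys. Each key encrypts the same
# 8-byte challenge, so each key can be searched independently of the others.

NT_HASH_LEN = 16
KEY_OFFSETS = (0, 7, 14)

def split_nt_hash(nt_hash: bytes) -> list:
    """Return the three 7-byte DES key inputs derived from an NT hash."""
    if len(nt_hash) != NT_HASH_LEN:
        raise ValueError("NT hash must be 16 bytes")
    padded = nt_hash + b"\x00" * 5          # 21 bytes total
    return [padded[off:off + 7] for off in KEY_OFFSETS]

def expand_des_key(key7: bytes) -> bytes:
    """Spread 56 key bits over 8 bytes (7 bits each) and set odd parity."""
    if len(key7) != 7:
        raise ValueError("DES key input must be 7 bytes")
    bits = int.from_bytes(key7, "big")
    out = bytearray()
    for i in range(8):
        byte = ((bits >> (49 - 7 * i)) & 0x7F) << 1
        if bin(byte).count("1") % 2 == 0:   # low bit makes the parity odd
            byte |= 1
        out.append(byte)
    return bytes(out)

def secret_bytes_per_key() -> list:
    """How many bytes of each DES key actually come from the NT hash."""
    return [min(7, NT_HASH_LEN - off) for off in KEY_OFFSETS]

def average_trials() -> int:
    """Expected DES trials to recover all three keys, searched separately."""
    return sum(2 ** (8 * n - 1) for n in secret_bytes_per_key())

if __name__ == "__main__":
    # Constructed sample value, not a real credential.
    sample = bytes.fromhex("00112233445566778899aabbccddeeff")
    for k in split_nt_hash(sample):
        print(k.hex(), "->", expand_des_key(k).hex())
    print("secret bytes per key:", secret_bytes_per_key())
    print("average trials: 2^56 + 2^15 =", average_trials())
    print("versus guessing the 128-bit hash directly: 2^127 on average")
```

The third key holds only two bytes of the hash, so the cost is dominated by the two full 56-bit searches, which is why the strength of the password itself does not change the work required.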