PPT VPN vulnerability found, exploited

From: David White 
------------------------------------------------------
> Just thought I would pass this on to you guys... Saw a tweet on this story:
>
> http://gadgets.ndtv.com/internet/news/rent-a-hacker-to-unscramble-coded-web-traffic-for-200-248744

===============================================================
From: Dave Brockman
------------------------------------------------------
I thought we all got the memo that PPTP is insecure[1]... circa 1998[2]...

Regards,

dtb

[1] - https://en.wikipedia.org/wiki/Point-to-Point

===============================================================
From: Mike Harrison
------------------------------------------------------
Yeah, you would have to add an encryption layer on top of it. It wasn't even considered secure, ever, that I remember, just a useful way to encapsulate a route.

I'm getting really really tired of addressing BASIC network security with IT directors at places.. They'll spend a lot of money on barbed wire and guards.. and none on IT.

===============================================================
From: Bret McHone
------------------------------------------------------
Guards and wires are visual and easy for everyone to understand. Technology is hard for most to understand how it actually works, and even harder on how to secure it and the pitfalls of various configurations. Consider it job security, or at a minimum follow the "CYA" method when dealing with those managing systems they don't understand.

-B

On Jul 29, 2012 5:27 PM, "Mike Harrison" wrote:

===============================================================
From: Dave Brockman
------------------------------------------------------
> I thought we all got the memo that PPTP is insecure[1]... circa 1998[2]...

Not sure what it was originally, just a way to authenticate a GRE tunnel? They kept bolting on weak ciphers. IPSec FTW.

uh-huh. Too many people forgot that security is *every* user's responsibility, and there is no magic silver bullet product that makes all the bad things re-route themselves elsewhere....

The way I see it, if you're too stupid to NOT click on the link in the airline reservation confirmation email for the flight YOU DIDN'T RESERVE, you are a liability in front of the keyboard. First offense should be a termination worthy offense. There's enough awful BS for you to stumble upon without introducing the stupidity variable.

Regards,

dtb

-- 
"Some things in life can never be fully appreciated nor understood unless experienced firsthand. Some things in networking can never be fully understood by someone who neither builds commercial networking equipment nor runs an operational network." RFC 1925

===============================================================
From: Ed King
------------------------------------------------------
----- Original Message ----
From: Dave Brockman

> The way I see it, if you're too stupid to NOT click on the link in the airline reservation confirmation email for the flight YOU DIDN'T RESERVE, you are a liability in front of the keyboard. First offense should be a termination worthy offense.

terminate...

1) the employee for being stupid?
2) the human resources person for not taking action after multiple documented complaints about employee ("oh, but he's such a nice guy")?
3) the admin for not filtering crap from employee's inbox?
4) the ceo for being too cheap to approve purchase of said filter?
5) me, for being too sexy for this job?

===============================================================
From: Bret McHone
------------------------------------------------------
There's a lot of blame to pass around, but you can NEVER be too sexy. :D

-B

===============================================================
From: Dave Brockman
------------------------------------------------------
So sorry that I didn't clarify that for you. I don't do stupid.

Multiple? I said FIRST OFFENSE. If it flows beyond that, then there is more than one failure.

Technology cannot solve stupid. Again, there is no magic bullet that magically protects you from all the badness. Show me a SPAM filter that filters out 100% of SPAM, and I'll show you a horrific FP rate and missing emails.

See above...

Don't click the link Ed!

Regards,

dtb

===============================================================
From: Ed King
------------------------------------------------------
Non sequitur. Biological units are inherently inferior. This is an inconsistency.

----- Original Message ----
From: Dave Brockman
To: CHUGALUG
Sent: Mon, July 30, 2012 9:11:42 AM
Subject: Re: [Chugalug] PPT VPN vulnerability found, exploited