A flaw in a popular VPN technology could allow hackers to obtain a text version of encrypted communications with only "moderate effort," a tech security body has warned.

Britain's national emergency response team, the National Infrastructure Security Coordination Centre, issued a warning this week about the safety of virtual private networks that use IPsec encryption and tunneling to connect remote workers to corporate networks.

The flaw, which the NISCC rates as "high" risk, makes it possible for an attacker to intercept IP packets traveling between two IPsec devices. They could then modify the encapsulation security payload--a subprotocol that encrypts the data being transported. This could ultimately expose this data to an unauthorized third party.

On its Web site, NISCC stated: "By making careful modifications to selected portions of the payload of the outer packet, an attacker can effect controlled changes to the header of the inner (encrypted) packet…If these messages can be intercepted by an attacker, then plaintext data is revealed."

The NISCC includes a number of solutions to this issue in its advisory.

Source: News.com
The same article is currently running on /. ...this is really old news (shame on Slashdot). This advisory is pure hype, since it's been well known for ages now, and only affects very poorly implemented VPNs. I don't know of any VPN hardware or software which implements encryption without authentication by default, and many setups won't even allow such a configuration to take place.

-AT
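The distinction drawn in the advisory quote and in the reply above (encryption without authentication lets changes made on the wire reach the inner header), as an added example that is not from the NISCC advisory, the article, or either poster. It assumes CBC-mode encryption; the SHA-256-based Feistel cipher is a toy stand-in for a real block cipher, and the keys, IV and `DST=` header string are constructed sample values.

```python
import hashlib, hmac

BLOCK, HALF = 16, 8  # toy cipher block size in bytes

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Round function of a toy Feistel cipher (assumption: stand-in for a real block cipher).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]

def _enc_block(key, blk):
    l, r = blk[:HALF], blk[HALF:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def _dec_block(key, blk):
    l, r = blk[:HALF], blk[HALF:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = [iv], iv  # the IV travels in front of the ciphertext
    for i in range(0, len(pt), BLOCK):
        prev = _enc_block(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, data):
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return b"".join(_xor(_dec_block(key, c), p) for p, c in zip(blocks, blocks[1:]))

def receive_with_auth(enc_key, mac_key, packet):
    body, tag = packet[:-32], packet[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        return None  # integrity check failed: drop before decrypting
    return cbc_decrypt(enc_key, body)

def demo():
    enc_key, mac_key, iv = b"K" * 16, b"M" * 16, bytes(16)  # constructed values
    inner = b"DST=10.0.0.5;".ljust(32, b".")  # constructed inner header + data
    packet = cbc_encrypt(enc_key, iv, inner)
    tag = hmac.new(mac_key, packet, hashlib.sha256).digest()
    tampered = bytearray(packet)
    tampered[11] ^= ord("5") ^ ord("9")  # one byte changed in transit, no key needed
    tampered = bytes(tampered)
    return (cbc_decrypt(enc_key, tampered),                      # encrypt-only receiver
            receive_with_auth(enc_key, mac_key, tampered + tag),  # authenticated receiver
            receive_with_auth(enc_key, mac_key, packet + tag))    # untouched packet
```

The encrypt-only receiver decrypts the altered packet to a well-formed header with a different address and has no way to notice; the receiver that checks an HMAC over the ciphertext first discards it.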