Information Security News mailing list archives
Flaws in widely used corporate VPNs put company secrets at risk
From: InfoSec News <alerts () infosecnews org>
Date: Wed, 24 Jul 2019 08:03:30 +0000 (UTC)
https://techcrunch.com/2019/07/23/corporate-vpn-flaws-risk/ By Zack Whittaker TechCrunch July 23, 2019Researchers have found several security flaws in popular corporate VPNs which they say can be used to silently break into company networks and steal business secrets.
Devcore researchers Orange Tsai and Meh Chang, who shared their findings with TechCrunch ahead of their upcoming Black Hat talk, said the flaws found in the three corporate VPN providers — Palo Alto Networks, Pulse Secure and Fortinet — are “easy” to remotely exploit.
These VPNs — or virtual private networks — aren’t your traditional consumer VPN apps designed to mask where you are and hide your identity, but are used by staff who work remotely to access resources on a company’s network. Typically employees must enter their corporate username and password, and often a two-factor code. By connecting over an HTTPS (SSL) connection, these providers create a secure tunnel between the user’s computer and the corporate network.
But Tsai and Chang say the bugs they found allow anyone to covertly burrow into a company’s network without needing a working username or password.
[...]
-- Subscribe to InfoSec News https://www.infosecnews.org/subscribe-to-infosec-news/ https://twitter.com/infosecnews_
Current thread:
- Flaws in widely used corporate VPNs put company secrets at risk InfoSec News (Jul 24)