Microsoft warns of ‘man-in-the-middle’ VPN password hack

Microsoft yesterday warned Windows users of possible “man-in-the-middle” attacks able to steal passwords for some wireless   networks and VPNs, or virtual private networks.

It won’t issue a security update for the problem, however.

The security advisory was Microsoft’s reaction to a disclosure several weeks ago by security researcher Moxie Marlinspike at the Defcon conference.

In a blog post written shortly after his Defcon talk, Marlinspike explained his interest in MS-CHAP v2 (Microsoft Challenge Handshake Authentication   Protocol version 2). “Even as an aging protocol with some prevalent criticism, it’s still used quite pervasively,” Marlinspike   said. “It shows up most notably in PPTP VPNs, and is also used quite heavily in WPA2 Enterprise environments.”

At the same time, Marlinspike published “Chapcrack,” a tool that parses data for passwords encrypted with MS-CHAP v2, then   decodes them using the CloudCracker password cracking service.

Microsoft acknowledged the threat. “An attacker who successfully exploited these cryptographic weaknesses could obtain user   credentials,” the Monday advisory stated. “Those credentials could then be re-used to authenticate the attacker to network   resources, and the attacker could take any action that the user could take on that network resource.”  (Read More)

This entry was posted in IT Compliance, News, Security Awareness. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *