The VORACLE OpenVPN Attack: What You Need to Know
Many of us know that using a VPN (Virtual Private Network) adds an extra layer of security to our Wi-Fi networks. But VORACLE, a recently discovered vulnerability that was announced at a security conference by security researcher Ahamad Nafeez, is making some people reconsider this this steadfast safety tip. Let’s look under the hood at this vulnerability to understand what was impacted and why, and what we should do in the future when it comes to safely connecting to Wi-Fi.
Under the Hood of a VPN
A VPN is a connection between a secure server and your mobile device or computer. Through the VPN your activity and information on the internet is encrypted, making it difficult for anyone else to see your private information. Many of us use a VPN for work when we travel, some of us use them to watch videos online, and more and more of us use them as a best practice to help keep our information safe any time we want to use a Wi-Fi connection that we’re not sure about.
About the VORACLE VPN Vulnerability
At a high level, VORACLE leverages a vulnerability found in the open-source OpenVPN protocol. OpenVPN is an open-source protocol used by the majority of VPN providers, meaning many VPN products are affected.
The VORACLE attack can recover HTTP traffic sent via encrypted VPN connections under certain conditions, the first being that the VPN app in use enables compression via the OpenVPN protocol. A hacker must be on the same network and able to lure you to an HTTP (not HTTPS) site with malicious code through phishing or a similar other tactic. The attack can happen on all web browsers but Google Chrome, due to the way in which HTTP requests are made.
Luckily the McAfee Safe Connect VPN was not built on the vulnerable OpenVPN code. That said, I want to take this opportunity to remind you of something we talk about a lot in the security industry: relying on only one layer of security is simply not enough today. Here are some tips and best practices to stay safe.
- Set up multi-factor authentication whenever possible. This tip is especially important for valuable accounts like email or social media, which might be connected to financial information. With multi-factor authentication in place, you’ll be better protected by combining your usual login information with another layer of protection, such as a one-time-password sent to your phone, bio metrics (say, a thumb print), or a security token that you’ll need to confirm before getting access to your account.
- Use secure websites (HTTPS) whenever possible. The ‘S’ at the end of HTTPS stands for ‘Secure’. It means all communications between your browser and the website are encrypted. Most websites are moving toward this standard practice, so if you notice yourself landing on a website with just HTTP, stay alert.
- Avoid making financial transactions until you’re on a network you trust. Sharing personal data like your credit card information can lead to unnecessary vulnerabilities. The best bet is to wait until you’re on your home network with additional layers of security such as McAfee’s Secure Home Platform already in place.
- Consider using your mobile network and being your own hotspot. If your mobile or IoT data plan includes a hot spot, consider using that over Wi-Fi to avoid some of the challenges that come with it in the first place.
- Do continue to use a personal VPN when you’re on the go and using Wi-Fi– just be sure to do so while having an additional layer of security in place so that if a similar vulnerability is discovered, you’ll already have a backup.
More antivirus and malware news?
- Microsoft Windows OLE CVE-2019-0885 Remote Code Execution Vulnerability
- 17 essential tools to protect your online identity, privacy
- Chinese man pleads guilty in $100M stolen software ring
- Answering the "So What" Question on Cyber Threat Intelligence
- Apple lawyer says meeting FBI demand would help hackers ‘wreak havoc’
- As FBI Warns Election Sites Got Hacked, All Eyes Are on Russia
- Businesses are building shopper profiles based on sniffing phones’ WiFi
- Crying ‘Wolf!’ seems to work for security
- A Closer Look at the Exploit Kit in CVE-2015-0313 Attack
- 5 tips to help CIOs overcome patching problems