While it's month-old news, I'm just now realizing that we never surfaced in Between the Lines an important report that was written in December by ZDNet blogger George Ou. Ou unearthed a critical security weakness, one that no organization should turn a blind eye to, in one of the most commonly deployed methods for establishing virtual private networks: PPTP. The digital establishment was apparently so distracted by the holidays that the only news outlet to pick up the news was Wi-Fi Networking News.
Sensing that Microsoft's PPTP protocol was as vulnerable to dictionary attacks as Cisco's LEAP protocol, Ou asked Joshua Wright, who cracked LEAP, to see if the same techniques used to compromise LEAP could also be used on PPTP. Dictionary attacks thrive on the bad habits of users whose passwords are everyday words or names that can be found in a hacker's "dictionary." Such words make up the majority of passwords that are in use today. At Ou's request, Wright was successful in cracking into PPTP-protected resources that relied on the MSCHAPv2 authentication protocol (which most PPTP VPNs use). While wireless networks are most at risk, the attack is also possible in wired scenarios. When PPTP's susceptibility to dictionary attacks was brought to Microsoft's attention, Microsoft treated the report as non-critical and instead offered several recommendations that Ou found to be quite unreasonable. Instead, Ou recommends, it's time to ditch those PPTP-based VPNs in favor of ones based on the much more secure L2TP/IPsec protocol.