Dec 26, 2014

Comparison : PPTP vs L2TP/IPSec vs OpenVPN

Background

PPTP: A very basic VPN protocol based on PPP. The PPTP specification does not actually describe encryption or authentication features and relies on the PPP protocol being tunneled to implement security functionality.

L2TP/IPSec: An advanced protocol formally standardized in IETF RFC 3193 and now the recommended replacement for PPTP on Microsoft platforms where secure data encryption is required.

OpenVPN: An advanced open source VPN solution backed by 'OpenVPN Technologies' and which is now the de-facto standard in the open source networking space. Uses the proven SSL/TLS encryption protocol.

Data Encryption

PPTP: The PPP payload is encrypted using Microsoft's Point-to-Point Encryption protocol (MPPE). MPPE implements the RSA RC4 encryption algorithm with a maximum of 128 bit session keys.

L2TP/IPSec: The L2TP payload is encrypted using the standardized IPSec protocol. RFC 4835 specifies either the 3DES or AES encryption algorithm for confidentiality. IVPN uses the AES algorithm with 256 bit keys. (AES-256 is the first publicly accessible and open cipher approved by the NSA for top secret information.)

OpenVPN: OpenVPN uses the OpenSSL library to provide encryption. OpenSSL supports a number of different cryptographic algorithms such as 3DES, AES, RC5 and Blowfish. As with IPSec, IVPN implements the extremely secure AES algorithm with 256 bit keys.

Security weaknesses

PPTP: The Microsoft implementation of PPTP has serious security vulnerabilities. MSCHAP-v2 is vulnerable to dictionary attack and the RC4 algorithm is subject to a bit-flipping attack. Microsoft strongly recommends upgrading to IPSec where confidentiality is a concern.

L2TP/IPSec: IPSec has no major vulnerabilities and is considered extremely secure when used with a secure encryption algorithm such as AES.

OpenVPN: OpenVPN has no major vulnerabilities and is considered extremely secure when used with a secure encryption algorithm such as AES.

Speed

PPTP: With RC4 and 128 bit keys, the encryption overhead is the least of all three protocols, making PPTP the fastest.

L2TP/IPSec: L2TP/IPSec has a slightly higher overhead than its rivals due to double encapsulation. Comparable to OpenVPN under most conditions.

OpenVPN: When used in its default UDP mode on a reliable network, OpenVPN should perform better than L2TP/IPSec.

Ports

PPTP: PPTP uses TCP port 1723 and GRE (Protocol 47). PPTP can be easily blocked by restricting the GRE protocol.

L2TP/IPSec: L2TP/IPSec uses UDP 500 for the initial key exchange, protocol 50 for the IPSec encrypted data (ESP), UDP 1701 for the initial L2TP configuration and UDP 4500 for NAT traversal. L2TP/IPSec is easier to block than OpenVPN due to its reliance on fixed protocols and ports.

OpenVPN: OpenVPN can be easily configured to run on any port using either UDP or TCP. To bypass restrictive firewalls, OpenVPN can be configured to use TCP on port 443.

Setup / Configuration

PPTP: All versions of Windows and most other operating systems (including mobile) have native support for PPTP. PPTP only requires a username, password and server address, making it incredibly simple to set up and configure.

L2TP/IPSec: All versions of Windows since 2000/XP, Mac OSX 10.3+ and most mobile operating systems have native support for L2TP/IPSec.

OpenVPN: OpenVPN is not included in any operating system release and requires the installation of client software. The software installers are very user friendly and installation typically takes less than 5 minutes.

Stability / Compatibility

PPTP: PPTP is not as reliable, nor does it recover as quickly as OpenVPN over unstable network connections. Minor compatibility issues with the GRE protocol and some routers.

L2TP/IPSec: L2TP/IPSec is more complex than OpenVPN and can be more difficult to configure to work reliably between devices behind NAT routers. However, as long as both the server and client support NAT traversal, there should be few issues. In practice L2TP/IPSec has shown itself to be as reliable and stable as OpenVPN for IVPN customers.

OpenVPN: Very stable and fast over wireless, cellular and other unreliable networks where packet loss and congestion are common. OpenVPN has a TCP mode for highly unreliable connections, but this mode sacrifices some speed due to the inefficiency of encapsulating TCP within TCP.

Client compatibility

PPTP:
  • Windows
  • Mac OSX
  • Linux
  • Apple iOS
  • Android
  • DD-WRT

L2TP/IPSec:
  • Windows
  • Mac OSX
  • Linux
  • iOS
  • Android

OpenVPN:
  • Windows
  • Mac OSX
  • Linux
  • Android
  • iOS
  • DD-WRT (with the correct build)

Conclusion

PPTP: Due to the major security flaws, there is no good reason to choose PPTP other than device compatibility. If you have a device on which neither L2TP/IPsec nor OpenVPN is supported then it may be a reasonable choice. If quick setup and easy configuration are a concern then L2TP/IPsec should be considered.

L2TP/IPSec: L2TP/IPSec is an excellent choice but falls slightly short of OpenVPN's high performance and excellent stability. If you are using a mobile device running iOS (iPhone) or Android then it is the fastest to set up and configure, as it is supported natively.

OpenVPN: OpenVPN is the best choice for all platforms. It is extremely fast, secure and reliable. Additionally, the IVPN multihop network is only available when connecting via OpenVPN. The only minor downside is the requirement to install the software client, but on most platforms this only takes a few minutes.
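The "Ports" row above is what a network defender actually has to work with when deciding which of these tunnels can be seen or filtered at a perimeter. The script below is an added example (not from the article or from IVPN) that turns that row into a small flow classifier: the flow records are constructed sample data, and the only port not taken from the comparison is OpenVPN's IANA-registered default, UDP 1194. The TCP 443 rule is deliberately non-committal, because the article's firewall-bypass configuration makes OpenVPN indistinguishable from HTTPS by port alone.

```python
"""Port/protocol-based classification of VPN flows, following the "Ports" row above.

Added example (not part of the original article): the flow records are constructed
sample data, and the rule set only reflects the port and IP-protocol numbers the
comparison lists, plus OpenVPN's IANA-registered default port 1194, which the
article does not mention.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# IP protocol numbers
TCP, UDP, GRE, ESP = 6, 17, 47, 50


@dataclass(frozen=True)
class Flow:
    ip_proto: int
    dst_port: Optional[int]  # None for GRE/ESP, which carry no port


def classify(flow: Flow) -> str:
    """Map one flow to the VPN protocol it is most likely part of."""
    if flow.ip_proto == GRE:
        return "PPTP data (GRE, protocol 47)"
    if flow.ip_proto == TCP and flow.dst_port == 1723:
        return "PPTP control (TCP 1723)"
    if flow.ip_proto == ESP:
        return "L2TP/IPsec data (ESP, protocol 50)"
    if flow.ip_proto == UDP and flow.dst_port in (500, 4500):
        return "L2TP/IPsec key exchange / NAT-T (UDP 500, 4500)"
    if flow.ip_proto == UDP and flow.dst_port == 1701:
        return "L2TP control (UDP 1701)"
    if flow.ip_proto == UDP and flow.dst_port == 1194:
        return "OpenVPN default (UDP 1194)"
    if flow.ip_proto == TCP and flow.dst_port == 443:
        # The article's firewall-bypass configuration: by port alone this is
        # indistinguishable from ordinary HTTPS, so it is only a candidate.
        return "HTTPS or OpenVPN on TCP 443 (not separable by port)"
    return "unclassified"


def summarize(flows: List[Flow]) -> Dict[str, int]:
    """Count flows per classification label."""
    return dict(Counter(classify(f) for f in flows))


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow(TCP, 1723), Flow(GRE, None),
    Flow(UDP, 500), Flow(UDP, 4500), Flow(ESP, None),
    Flow(UDP, 1194), Flow(TCP, 443), Flow(TCP, 443),
    Flow(TCP, 80),
]

if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE_FLOWS).items()):
        print(f"{count:3d}  {label}")
```

Feeding real NetFlow or firewall-log tuples into `classify` gives the same visibility the article describes: PPTP and L2TP/IPsec stand out by fixed protocol numbers and ports, while OpenVPN on TCP 443 needs payload inspection or endpoint context to be told apart from web traffic.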


Iranian anti-censorship software ‘Simurgh’ circulated with malicious backdoor

Simurgh is an Iranian stand-alone proxy software for Microsoft Windows. It has been used mainly by Iranian users to bypass censorship since 2009. The downloadable file is less than 1 MB and can be downloaded within a reasonable amount of time even with a slow internet connection, which makes it convenient for many users in Iran. Simurgh runs without prior installation or administrator privileges on the computer and therefore can be copied and used from a USB flash drive on any shared computer (e.g. in Internet cafes).

Simurgh is available for free download from its official website https://simurghesabz.net. After running the executable file, a user interface opens. When the user clicks “Start”, Simurgh will attempt to establish a secure connection. The web browser will then open a new window to provide users with a test page, confirming their secure connection originating from a different country.



It has recently come to our attention that this software is being recommended and circulated among Syrian Internet users for bypassing censorship in their country. This information led to the discovery and analysis of a back-doored version of this software.

The malicious copy will install the Simurgh software, but will also install an undesirable backdoor on the victim’s computer. This software is distributed as “Simurgh-setup.zip” and is identifiable via the following md5 and sha256 hashes:

5e2a714fdfc2309af843056e8c5ae7d3 Simurgh-setup.zip
9c1a238d87e3bad41708c2e98f753442a224ed9df994e1a34083b2bf336047e5 Simurgh-setup.zip

When you unzip this file you are presented with Simurgh-setup.exe

379480c807812f3521466f7ff5ffa273 Simurgh-setup.exe
e20438a4cf90b67dab613451cc5b3bc35256413461dafdfc35425429d8d478df Simurgh-setup.exe

The installer from the most recent legitimate version of Simurgh looks like this:


Executing the malicious version starts an installation dialogue which looks like this:


In addition to creating a copy of Simurgh in:

C:\Program Files\Simurgh\Simurgh.exe

the malicious GUI installer drops four binaries in C:\windows\system32\drivers:

MSINET.OCX – 73da54b69911bdd08ea8bbbd508f815ef7cfa59c4684d75c1c602252ec88ee31
richtx32.ocx – 318cc48cbcfaba9592956e4298886823cc5f37626c770d6dadbcd224849680c5
shdocvw.dll – fdae6764d190bf265dbc2df352174ccdcc97b1680545e348f1ee1111b0808693
lsass.exe – 9320d247dd94f610f31037df8eda75fe79991f126d2e55d35a9532d09ff79896

The first three files are legitimate Microsoft system files which appear to be dependencies of the fourth, ‘lsass.exe’. This file is VB6 native code and is installed as an implant to allow persistent access to the victim’s computer and to provide data exfiltration capabilities.

As part of the installation the following registry entry is written which ensures the running of the Trojan on logon:

HKLM\software\microsoft\windows nt\currentversion\winlogon\shell explorer.exe C:\WINDOWS\system32\drivers\lsass.exe REG_SZ 0

On startup, ‘lsass.exe’ deletes ‘C:\WINDOWS\Media\Windows XP Start.wav’. This file is the ‘navigation’ sound in Explorer, IE, and other applications based on a common set of controls. Since ‘lsass.exe’ uses several of these controls, this is presumably done to prevent ‘clicking’ sounds during the operation of the implant. However, this will also lead to a lack of navigation sounds in other applications, where they would be expected.

In addition to ensuring persistence, ‘lsass.exe’ enumerates basic details of the system (IP address, hostname, victim username) and provides keylogging functionality. This binary contains three javascript files which are written out as the text files:

C:\WINDOWS\system32\win.txt
C:\WINDOWS\system32\1.txt
C:\WINDOWS\system32\2.txt

These act as basic HTML templates for data mined from the victim’s system (such as keystrokes). Processing of ‘win.txt’ renames it to ‘upl.htm’ which is then sent via HTTP post request to a remote site registered with a Saudi Arabian ISP.

If this Trojan is found to be installed on a computer one must consider all online accounts (E-mail, banking, etc.) to have been compromised and it is advised that all online passwords be changed as soon as possible. While this Trojan is detected by most anti-virus software as malicious, AV software cannot always be guaranteed to clean up an infected system and a full re-install is suggested.

This Trojan has been specifically crafted to target people attempting to evade government censorship. Given the intended purpose of this software, users must be very careful if they have been infected by this Trojan. Additionally, they should be cautious about installing software, especially circumvention software, from untrusted sources. Where possible, software should be downloaded from trusted official websites over HTTPS. If checksums or cryptographic signatures are provided by the software vendor, these should be checked prior to installation.

UPDATED: May 30, 2012

Media coverage
Since our report was published, the Simurgh team has taken several important steps to warn their users about this threat.

The Simurgh team warns their users directly on the website https://simurghesabz.net/ with a prominent message in Arabic, Farsi and English about the malicious versions of the software. They post MD5 checksums of the official binaries and malicious packages, as well as instructions for how to check MD5 checksums against downloaded software. If you use Simurgh you should immediately compare your installer against the checksums posted on the official site.

You can also find these checksums below:

Official binaries
– simurgh120.20100910.exe – 07855ead46bb15718ee73d513bdb9678
– simurgh120beta.20100326.exe – ddecf8ac6c96c148cc7c42183d25baa9

Malicious installer packages
– Simurgh-setup.zip – 5e2a714fdfc2309af843056e8c5ae7d3
– Simurgh-setup.exe – 379480c807812f3521466f7ff5ffa273
– Simurgh-setup.exe – 300b0d061dfb9c9c6d7bdeecc74169f1
– simurgh[homs-sin.ibda3.org].exe – c8c8817af66312cfcfcb1ddf952f9d98
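Two of the checks this post recommends can be scripted: comparing a downloaded installer against the published checksums (the official and malicious hashes listed above and in the original post, including the SHA256 of the dropped ‘lsass.exe’), and confirming that the Winlogon ‘Shell’ value has not been extended with the implant's path as described earlier. The script below is an added example, not code from this post or from the Simurgh project; the hash values are the ones published here, while the sample file bytes and the sample registry value are constructed for demonstration. Reading the real registry value on a Windows host (for instance with `winreg`) is left to the caller so the script runs anywhere.

```python
"""Two checks for the back-doored Simurgh installer described in this post.

Added example, not code from the original post or from the Simurgh project.
The MD5/SHA256 values are the ones published above (official binaries, the
malicious packages and the dropped 'lsass.exe'); the sample file bytes and
the sample Winlogon 'Shell' value used for demonstration are constructed here.
"""
import hashlib
from pathlib import Path
from typing import Tuple

OFFICIAL_MD5 = {
    "07855ead46bb15718ee73d513bdb9678": "simurgh120.20100910.exe",
    "ddecf8ac6c96c148cc7c42183d25baa9": "simurgh120beta.20100326.exe",
}
MALICIOUS_MD5 = {
    "5e2a714fdfc2309af843056e8c5ae7d3": "Simurgh-setup.zip",
    "379480c807812f3521466f7ff5ffa273": "Simurgh-setup.exe",
    "300b0d061dfb9c9c6d7bdeecc74169f1": "Simurgh-setup.exe",
    "c8c8817af66312cfcfcb1ddf952f9d98": "simurgh[homs-sin.ibda3.org].exe",
}
MALICIOUS_SHA256 = {
    "9c1a238d87e3bad41708c2e98f753442a224ed9df994e1a34083b2bf336047e5": "Simurgh-setup.zip",
    "e20438a4cf90b67dab613451cc5b3bc35256413461dafdfc35425429d8d478df": "Simurgh-setup.exe",
    "9320d247dd94f610f31037df8eda75fe79991f126d2e55d35a9532d09ff79896": "lsass.exe (dropped implant)",
}


def digests(data: bytes) -> Tuple[str, str]:
    """Return the (md5, sha256) hex digests of the given bytes."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def verdict(data: bytes) -> str:
    """MALICIOUS if any published bad hash matches, OFFICIAL if an official MD5
    matches, otherwise UNKNOWN. An unknown hash is not a clean bill of health:
    the post only vouches for the two official binaries listed."""
    md5, sha256 = digests(data)
    if sha256 in MALICIOUS_SHA256 or md5 in MALICIOUS_MD5:
        return "MALICIOUS: " + (MALICIOUS_SHA256.get(sha256) or MALICIOUS_MD5[md5])
    if md5 in OFFICIAL_MD5:
        return "OFFICIAL: " + OFFICIAL_MD5[md5]
    return "UNKNOWN"


def verdict_for_file(path: str) -> str:
    """Hash a file on disk and classify it against the published lists."""
    return verdict(Path(path).read_bytes())


def winlogon_shell_is_clean(value: str) -> bool:
    """The Winlogon 'Shell' value should be exactly 'explorer.exe'. The trojan
    appends the path of its dropped lsass.exe to that value, so anything
    beyond the bare explorer.exe is reported as suspicious."""
    return value.strip().lower() == "explorer.exe"


# Constructed sample inputs, not real artefacts from the incident.
SAMPLE_DOWNLOAD = b"not a real installer"
SAMPLE_SHELL_VALUE = r"explorer.exe C:\WINDOWS\system32\drivers\lsass.exe"

if __name__ == "__main__":
    print(verdict(SAMPLE_DOWNLOAD))
    print("Winlogon Shell clean:", winlogon_shell_is_clean(SAMPLE_SHELL_VALUE))
```

The SHA256 list is checked before MD5 because the post publishes both for the main package; where a vendor publishes only MD5, as the Simurgh site does, the check is still worthwhile for spotting a known-bad package, but MD5 alone cannot rule out a different tampered copy.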

As Sophos has pointed out in a recent blog post on Naked Security http://nakedsecurity.sophos.com/2012/05/29/spying-trojan-targets-iranian-web-surfers-dissidents/, the splash page that loads when Simurgh is initialized to show the users’ IP has been configured to warn users who may be compromised.


If you see a warning you should immediately run an antivirus program to remove the software or for greater assurance, reinstall your operating system.

In addition to the steps Simurgh has taken, we have contacted and notified the provider that was hosting the malicious version of Simurgh, and they have now taken down the malicious package.

Psiphon : Local mobile phone users bypass billing as devs try to disable free Internet

MANILA - Psiphon, a free mobile app that’s available on Android, recently started trending on social media after some local users found a way to use it to gain free unlimited Internet access.

The users under local carriers Smart, Globe, and Sun Cellular have been using the mobile app to go online without incurring data charges, and have even managed to bypass the data caps that are supposed to limit those with unlimited mobile data subscriptions.

Psiphon continues to work even now, allowing users to browse the Web without load with the use of their tablets or smartphones.

Using the app couldn’t be simpler. You just download it and install it on your device, and you could be online browsing your favorite web sites free of charge within a few minutes — no technical knowledge required.

But all of this may soon come to an end. As we reported last week, Psiphon issued a statement to local users through one of their web sites, warning of an upcoming software update that will remove the ability to connect to the Internet for free.

Psiphon CEO and VP of Commercial Management Karl Kathuria sent us an e-mail to outline what really happened with Psiphon in this whole kerfuffle.

According to Kathuria, the previous Psiphon software update was intended to improve performance in certain areas, “making it harder to block the software and thus improving the experience for our existing user base.”

But shortly after the update, they noticed that Psiphon became “extremely popular” here in the Philippines.

The reason, according to reports sent to Psiphon and various social media postings, was that the app was being used not to bypass censorship but to bypass the billing paywall of local mobile providers.

So in the interest of making users use the app as intended, Psiphon will be updated soon to disable the free mobile Internet access.

Kathuria said in a statement, “Obviously, we intend to continue to make Psiphon available to everyone. Our next update will not stop Psiphon working in the Philippines, but it will prevent it being used for people to get free Internet connectivity.”

“The purpose of Psiphon is to bypass censorship,” Kathuria continued. “And we need to make sure that’s what it’s being used for.”

via interaksyon

Dec 22, 2014

Installing Windows 7 on VirtualBox Status 0xc0000225?

Today, after downloading an MS Windows 7 Ultimate 64-bit edition, I wanted to test it on a virtual machine. I have VirtualBox installed on my PC, so I gave this a try to see if the .ISO I had downloaded was working and really a 64-bit edition.

I created my new virtual machine and tried installing Windows 7 from my .ISO file but behold a glitch!


It says:
Windows Boot Manager

Windows failed to start. A recent hardware or software change might be the cause. To fix the problem:

1. Insert your windows installation disc and restart your computer.
2. Choose your language setting, and click "Next."
3. Click "Repair your computer."

If you do not have the disc, contact your system administrator or computer manufacturer for assistance.

Status: 0xc0000225

Info: An unexpected error has occurred.

The fix is really simple.

All you have to do is open the settings for your virtual machine:

System > Enable IO APIC


Save your new changes and launch the virtual machine again, everything will now run smoothly and you'll be able to install Windows 7.

Qnap Firmware Reflash / Recovery

Stuck at Booting When HDDs Are Not Plugged In

If you cannot access the NAS after Step 3, please do the following:

  1. Turn off the NAS.
  2. Take out all the hard disk drives.
  3. Restart the NAS.
You will hear a beep after pressing the power button, followed by two beeps two minutes later. If you cannot hear the first beep, please contact your local reseller or distributor for repair or replacement service.

If you cannot hear the two beeps and Qnapfinder cannot find your NAS, the NAS firmware is damaged. To fix this problem, please follow the “Qnap Firmware Recovery / Reflash” document for your device model.

If you cannot solve the problem by yourself, please contact your local reseller or distributor for repair or replacement service.

If Qnapfinder can find the Qnap, follow these steps:

1 – Download the PuTTY software:

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

2 – Plug in all of your HDDs in the right order while the device is still running. Don't restart the Qnap yet. Check that all HDDs are recognized by the Qnap. If any HDD is not recognized or its size shows as “0”, unplug that HDD.

3 – Log in with PuTTY using the Qnap IP address, user name and password (username / password: admin / admin; the port must be 22).

Now enter the commands below. (Select a command on this screen and copy it, then go to PuTTY and press the right mouse button once; this pastes the command automatically.)

# config_util 1 -> (it must say “mirror of root succeed”. If it gives a “mirror of root failed” error, stop at this step and request help from QNAP support.)

# storage_boot_init 1

# df

If /dev/md9 (HDA_ROOT) appears full, please contact the QNAP support team.

# reboot

Now the Qnap should reboot properly. If you can reach the Qnap interface after the restart, check the RAID system and replace the broken HDD with a new one.