VPN client group passwords online

[Gary Flynn <flynngn () JMU EDU>]

FYI,

I ran across this google hack that looks for Cisco VPN
client configuration files. I found many and most of
them were at universities. All have group names. Most
have encrypted group passwords that I understand can
be recovered once loaded with the help of a tool. I saw
one file with a cleartext group password.

Granted, there are probably other authentication
mechanisms above and beyond the group key but knowledge
of a shared group key enables man-in-the-middle attacks.

Google search:
!Host=*.* intext:enc_UserPassword=* ext:pcf

VPN auth vulnerabilities
http://www.jmu.edu/computing/security/vpnauth.shtml


--
Gary Flynn
Security Engineer
James Madison University