I am connecting to a VPN that is known to be malicious. Numerous machines on the network, including the VPN server itself, are all compromised. What precautions should I take to protect myself?
Assume you're connecting to an actively hostile network, such as a hotel WLAN during a hacker conference. All your traffic will be monitored and probably intercepted.
Make sure you're up to date on kernel and network patches
Set your firewall to deny-all-inbound
Assume all network connections not subject to a non-repudiation technology like SSL, SSH, or DNS-SEC will be subject to man-in-the-middle, and even some of those will be.
Don't trust the DNS servers you are given; they're much more likely to be compromised.
Beware invisible network proxies (DNS, HTTP, IRC, you name it)
Whatever credentials you use on the VPN server will be captured
Disable any applications that do background polling such as email, IM, and social-network clients before connecting.
The key thing to keep in mind is that the VPN just opens a network connection (or it should) and isn't a conduit for malware code.
When I'm attending tech conferences where they're teaching network analysis, I assume all of the above. It's more white-hat in those cases (usually) but it still is good practice.
If the VPN server itself is hostile, make sure that you can override whatever routing instructions it provides. Several client/server pairs enforce routing ALL traffic via the VPN to help prevent accidental leaks of data over the insecure network, which puts it in a prime position to sniff all of your traffic.
Make sure that your trusted SSL cert list is up-to-date, especially with the Comodo reseller compromise earlier this year. As I understand it, several browsers hardcoded revocations for the certs involved (like mail.google.com) so even if the VPN blocks access to CRLs your browser may reject these certs if you're using the latest version. Otherwise, you might get caught out with a MITM attack spoofing these sites with an apparently valid cert.
Also don't send anything over this VPN in plaintext that you'd want to keep from the attacker, since the attacker is presumably reading everything you send over the VPN. This includes session cookies, plaintext email and website passwords, etc. Check that any automated connections (e.g. POP/IMAP email clients) are disabled before connecting.
Record the fingerprint of a handful of SSL certificates before and after connecting to see if they are altering the SSL connections somehow. If you use ssh and it suddenly warns you that the host key fingerprint has changed, don't continue to connect. Set up a few sites in your hosts file to check whether the results from dig/nslookup over the connection match, to test for DNS poisoning/proxying that redirects you to bad sites.
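The before/after check described in this answer, as an added example (not code from the answer's author): snapshot the TLS leaf-certificate fingerprint and resolver answers for a few hosts before connecting, repeat after, and list every deviation. The hostnames and fingerprints in `BASELINE` and `ON_VPN` are constructed sample data so the comparison runs offline.

```python
import hashlib
import socket
import ssl

def tls_fingerprint(host, port=443, timeout=5):
    """SHA-256 of the DER leaf certificate the server presents.
    Verification is disabled on purpose: we want to record whatever
    certificate we are shown, including an interceptor's."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()

def resolve(host):
    """Addresses the current resolver returns for host, sorted for comparison."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, 443)})

def snapshot(hosts):
    """Take a baseline (run BEFORE connecting) or a check (run AFTER)."""
    return {h: {"fp": tls_fingerprint(h), "ips": resolve(h)} for h in hosts}

def compare(before, after):
    """List every deviation as (host, kind, baseline, observed).
    Certificate changes are always reported; for DNS only addresses absent
    from the baseline are reported, so round-robin subsets do not alarm."""
    findings = []
    for host, base in before.items():
        cur = after.get(host)
        if cur is None:
            findings.append((host, "unreachable", base, None))
            continue
        if cur["fp"] != base["fp"]:
            findings.append((host, "tls_fingerprint", base["fp"], cur["fp"]))
        new_ips = sorted(set(cur["ips"]) - set(base["ips"]))
        if new_ips:
            findings.append((host, "dns", base["ips"], new_ips))
    return findings

# Constructed sample snapshots (not real hosts or fingerprints) so the
# comparison logic can be exercised offline.
BASELINE = {"www.example.test": {"fp": "aa" * 32, "ips": ["192.0.2.10"]}}
ON_VPN = {"www.example.test": {"fp": "bb" * 32, "ips": ["198.51.100.7"]}}

if __name__ == "__main__":
    for host, kind, was, now in compare(BASELINE, ON_VPN):
        print(f"{host}: {kind} changed: {was} -> {now}")
```

For a real run, call `snapshot(hosts)` on a trusted network, store the result (e.g. as JSON), and pass it together with a fresh `snapshot(hosts)` taken over the VPN to `compare`. Sites behind CDNs rotate certificates legitimately, so confirm a reported fingerprint change against the same site from a second, trusted path before drawing conclusions.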