Blog of the website «TechCrunch»

Main article: VPN


Facebook’s use of Onavo spyware faces questions in EU antitrust probe — report

18:24 | 6 February

Facebook’s use of the Onavo spyware VPN app it acquired in 2013 — and used to inform its 2014 purchase of the then rival WhatsApp messaging platform — is on the radar of Europe’s antitrust regulator, per a report in the Wall Street Journal.

The newspaper reports that the Commission has requested a large volume of internal documents as part of a preliminary investigation into Facebook’s data practices which was announced in December.

The WSJ cites people familiar with the matter who told it the regulator’s enquiry is focused on allegations Facebook sought to identify and crush potential rivals and thereby stifle competition by leveraging its access to user data.

Facebook announced it was shutting down Onavo a year ago, in the face of rising controversy over its use of the VPN tool as a data-gathering business intelligence dragnet that is both hostile to user privacy and raises major questions about anti-competitive practices.

As recently as 2018 Facebook was still actively pushing Onavo at users of its main social networking app — marketing it under a ‘Protect’ banner intended to convince users that the tool would help them protect their information.

In fact the VPN allowed Facebook to monitor their activity across third party apps — enabling the tech giant to spot emerging trends across the larger mobile ecosystem. (So, as we’ve said before, ‘Protect Facebook’s business’ would have been a more accurate label for the tool.)

By the end of 2018 further details about how Facebook had used Onavo as a key intelligence lever in major acquisitions emerged when a UK parliamentary committee obtained a cache of internal documents related to a US court case brought by a third-party developer, which had filed suit alleging unfair treatment on Facebook’s app platform.

UK parliamentarians concluded that Facebook used Onavo to conduct global surveys of the usage of mobile apps by customers, apparently without their knowledge — using the intel to assess not just how many people had downloaded apps but how often they used them, which in turn helped the tech giant to decide which companies to acquire and which to treat as a threat.

The parliamentary committee went on to call for competition and data protection authorities to investigate Facebook’s business practices.

So it’s not surprising that Europe’s competition commission should also be digging into how Facebook used Onavo. The Commission has also been reviewing changes Facebook made to its developer APIs which affected what information it made available, per the WSJ’s sources.

Internal documents published by the UK parliament also highlighted developer access issues — such as Facebook’s practice of whitelisting certain favored developers’ access to user data, raising questions about user consent to the sharing of their data — as well as fairness vis-a-vis non-whitelisted developers.

According to the newspaper’s report the regulator has requested a wide array of internal Facebook documents as part of its preliminary investigation, including emails, chat logs and presentations. It says Facebook’s lawyers have pushed back — seeking to narrow the discovery process by arguing that the request for info is so broad it would produce millions of documents and could reveal Facebook employees’ personal data.

Some of the WSJ’s sources also told it the Commission has withdrawn the original order and intends to issue a narrower request.

We’ve reached out to Facebook and the competition regulator for comment.

Back in 2017 the European Commission fined Facebook $122M for providing incorrect or misleading information at the time of the WhatsApp acquisition. Facebook had given the regulator assurances that user accounts could not be linked across the two services, which cleared the way for it to be allowed to acquire WhatsApp, only for the company to U-turn in 2016 by saying it would be linking user data.

In addition to investigating Facebook’s data practices over potential antitrust concerns, the EU’s competition regulator is also looking into Google’s data practices — announcing a preliminary probe in December.


As ransomware gets craftier, companies must start thinking creatively

18:00 | 8 January

Some say ransomware is in decline. Others say it’s getting craftier.

File-encrypting malware, known as ransomware, infects vulnerable computers and scrambles their files, then offers to restore access to the data once the victim pays a ransom. Ransomware remains one of the most popular types of malware and is said to be a multi-billion dollar, albeit illegal, industry.

But as companies gain awareness and shore up their cybersecurity defenses, the cat and mouse game continues between ransomware-launching threat actors and their victims, which can range from small businesses to local governments.

“Ransomware is a lucrative business model for the adversary because they get paid directly by the victim,” Steve Grobman, chief technology officer at McAfee, told TechCrunch.

In the past few months, security experts have seen a reduction in the “spray and pay” attacks against a large number of businesses and an increase of more focused efforts against larger corporate targets. Now ransomware-focused threat actors are using creative means to break into systems and deploy ransomware for the threat actor’s payday.

Just this week, foreign currency exchange Travelex was forced to suspend services at its stores after it confirmed a malware infection on December 31. A week later, the company is still largely offline. Travelex said little beyond a prepared statement, but it was reported that the company was hit by the notorious Sodinokibi (also known as REvil) ransomware.


Mozilla launches the next phase of its Firefox Private Network VPN beta

17:00 | 3 December

Mozilla today announced that its Firefox Private Network (FPN), which lets you encrypt your Firefox connections, is now in an extended beta after a few months of relatively limited testing in the Firefox Test Pilot program. This beta, however, is only available to users in the U.S. and the free service is restricted to 12 hours of encrypted surfing on Firefox’s desktop version for the time being. You’ll also need a Firefox account to use the extension.

What’s maybe even more interesting, though, is that Mozilla is also working on a more fully-featured device-level VPN service that will encrypt all of your Internet surfing and app usage across your Windows 10 devices (with other platforms coming, too). This new service is now accepting invitations.

The introductory price will be $4.99 per month, making this the first service that Mozilla is directly charging users for. Those prices will likely change, though, as Mozilla learns what users are willing to pay and as it evolves the service. Given that running a VPN is costly, it definitely makes sense that the organization can’t offer it for free.

Also new today is an update to Firefox Preview, the group’s next-gen mobile browser based on its own GeckoView engine, as well as picture-in-picture support for all video sites in Firefox desktop. Firefox Preview is the publicly available test version of a new iteration of Firefox for Android. The highlight here is that Firefox Preview will now get enhanced tracking protection, similar to its desktop brethren, in addition to other new features like a new search widget for the Android home screen and a revamped Send tab for sending tabs or collections of tabs to other devices.


NordVPN confirms it was hacked

17:15 | 21 October

NordVPN, a virtual private network provider that promises to “protect your privacy online,” has confirmed it was hacked.

The admission comes following rumors that the company had been breached. It first emerged that NordVPN had an expired private key exposed, potentially allowing anyone to spin out their own servers imitating NordVPN.

VPN providers are increasingly popular because they ostensibly hide your browsing traffic from your internet provider and from the sites you visit. That’s why journalists and activists often use these services, particularly when they’re working in hostile states. These providers channel all of your internet traffic through one encrypted pipe, making it more difficult for anyone on the internet to see which sites you are visiting or which apps you are using. But often that means displacing your browsing history from your internet provider to your VPN provider. That’s left many providers open to scrutiny, as often it’s not clear whether each provider is logging every site a user visits.

For its part, NordVPN has claimed a “zero logs” policy. “We don’t track, collect, or share your private data,” the company says.

But the breach is likely to cause alarm that hackers may have been in a position to access some user data.

NordVPN told TechCrunch that one of its datacenters was accessed in March 2018. “One of the datacenters in Finland we are renting our servers from was accessed with no authorization,” said NordVPN spokesperson Laura Tyrell.

The attacker gained access to the server, which had been active for about a month, by exploiting an insecure remote management system left in place by the datacenter provider; NordVPN said it had not known that such a system existed.

NordVPN did not name the datacenter provider.

“The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either,” said the spokesperson. “On the same note, the only possible way to abuse the website traffic was by performing a personalized and complicated man-in-the-middle attack to intercept a single connection that tried to access NordVPN.”

According to the spokesperson, the expired private key could not have been used to decrypt the VPN traffic on any other server.

NordVPN said it found out about the breach a “few months ago,” but the spokesperson said the breach was not disclosed until today because the company wanted to be “100% sure that each component within our infrastructure is secure.”

A senior security researcher we spoke to who reviewed the statement and other published evidence, but asked not to be named as they work for a company that requires authorization to speak to the press, called these findings “troubling.”

“While this is unconfirmed and we await further forensic evidence, this is an indication of a full remote compromise of this provider’s systems,” the security researcher said. “That should be deeply concerning to anyone who uses or promotes these particular services.”

NordVPN said “no other server on our network has been affected.”

But the security researcher warned that NordVPN was ignoring the larger issue of the attacker’s possible access across the network. “Your car was just stolen and taken on a joy ride and you’re quibbling about which buttons were pushed on the radio?” the researcher said.

The company confirmed it had installed intrusion detection systems, a widely used technology for spotting breaches early, but “no-one could know about an undisclosed remote management system left by the [datacenter] provider,” said the spokesperson.

It’s also believed several other VPN providers may have been breached around the same time. Similar records seen by TechCrunch suggest that TorGuard and VikingVPN may also have been compromised, but spokespeople did not return a request for comment.



Flaw in Cyberoam firewalls exposed corporate networks to hackers

21:27 | 10 October

Sophos said it is fixing a vulnerability in its Cyberoam firewall appliances, which a security researcher says can allow an attacker to gain access to a company’s internal network without needing a password.

The vulnerability allows an attacker to remotely gain “root” permissions on a vulnerable device, giving them the highest level of access, by sending malicious commands across the internet. The attack takes advantage of the web-based operating system that sits on top of the Cyberoam firewall.

Once a vulnerable device is accessed, an attacker can jump onto a company’s network, according to the researcher who shared their findings exclusively with TechCrunch.

Cyberoam devices are typically used in large enterprises, sitting on the edge of a network and acting as a gateway to allow employees in while keeping hackers out. These devices filter out bad traffic, and prevent denial-of-service attacks and other network-based attacks. They also include virtual private networking (VPN), allowing remote employees to log on to their company’s network when they are not in the office.

It’s a similar vulnerability to recently disclosed flaws in corporate VPN providers, notably Palo Alto Networks, Pulse Secure and Fortinet, which allowed attackers to gain access to a corporate network without needing a user’s password. Many large tech companies, including Twitter and Uber, were affected by the vulnerable technology, prompting Homeland Security to issue an advisory to warn of the risks.

Sophos, which bought Cyberoam in 2014, issued a short advisory this week, noting that the company rolled out fixes on September 30.

The researcher, who asked to remain anonymous, said an attacker would only need the IP address of a vulnerable device. Finding vulnerable devices was easy, they said, using search engines like Shodan, which lists around 96,000 devices accessible from the internet. Other search engines put the figure far higher.

A Sophos spokesperson disputed the number of devices affected, but would not provide a clearer figure.

“Sophos issued an automatic hotfix to all supported versions in September, and we know that 99% of devices have already been automatically patched,” said the spokesperson. “There are a small amount of devices that have not as of yet been patched because the customer has turned off auto-update and/or are not internet-facing devices.”

Customers still affected can update their devices manually, the spokesperson said. Sophos said the fix will be included in the next update of its CyberoamOS operating system, but the spokesperson did not say when that software would be released.

The researcher said they expect to release the proof-of-concept code in the coming months.


Mozilla launches a VPN, brings back the Firefox Test Pilot program

19:22 | 10 September

Mozilla today announced that it is bringing back the Firefox Test Pilot program to allow users to try out new features before they are ready for mainstream usage. While the name is familiar, though, the overall goals of the new program are a bit different from the last iteration and the focus is less on crazy experiments and more on beta testing products that are almost ready for public consumption.

The first new project in the Test Pilot program is the beta of the Firefox Private Network VPN service, which is now available in the U.S. for Firefox desktop users.

The Firefox Test Pilot program has gone through its share of iterations. First launched three years ago, it quickly became the incubation ground for a number of new features. In January of this year, though, the organization decided to shut it down.

Why bring it back now? Clearly, Mozilla was getting valuable feedback from the Test Pilot users, who were surely among the most dedicated Firefox fans.

The organization says that it wanted to take time to evolve the program and this new version is indeed somewhat different. “The difference with the newly relaunched Test Pilot program is that these products and services may be outside the Firefox browser, and we will be far more polished, and just one step shy of general public release,” the team explains.

The new Test Pilot program then is less about giving users the opportunity to test some of the Firefox team’s more eccentric ideas and more like a traditional public beta test program.


The new VPN project, the team writes, is a good example of this approach. It’s a Test Pilot project because the team wants to fine-tune it a bit more before its public release.

The Firefox Private Network isn’t so much about trying to circumvent geo-restrictions and instead mostly focuses on giving users access to a private network when they are on public WiFi and helping them hide their locations from website and ad trackers (and indeed, a lot of the new Test Pilot projects will focus on privacy). That’s probably why Mozilla doesn’t refer to it as a VPN either, though that’s obviously what it is.

“One of the key learnings from recent events is that there is growing demand for privacy features,” Mozilla’s Marissa Wood writes today. “The Firefox Private Network is an extension which provides a secure, encrypted path to the web to protect your connection and your personal information anywhere and everywhere you use your Firefox browser.”

Mozilla is partnering with Cloudflare for this launch and Cloudflare is providing the proxy server for it. It’s available as a Firefox extension, but only in the U.S. and only for Firefox desktop users. For now, it’s available for free, though there have been some hints that Mozilla will at some point start charging for the service. Since it’s not a full VPN service, it remains to be seen how much the organization will be able to charge for it. Last year, Mozilla partnered with ProtonVPN and offered that service for $10 per month.

It’s worth noting that Opera, too, includes a free built-in VPN service, which includes the ability to set your location to either the Americas, Europe or Asia.

If you want to give the new service a try, you only need a Firefox account and sign up here.


13 ways to screw over your internet provider

21:24 | 2 September

Internet providers are real bastards: they have captive audiences whom they squeeze for every last penny while they fight against regulation like net neutrality and donate immense amounts of money to keep on lawmakers’ good sides. So why not turn the tables? Here are 13 ways to make sure your ISP has a hard time taking advantage of you (and may even put it on the defensive).

Disclosure: Verizon, an internet provider guilty of all these infractions, owns TechCrunch, and I don’t care.

1. Buy a modem and router instead of renting

The practice of renting a device to users rather than selling it or providing it as part of the service is one of the telecommunications industry’s oldest and worst. People pay hundreds or even thousands of dollars over years for equipment worth $40 or $50. ISPs do this with various items, but the most common item is probably the modem.

This is the gadget that connects to the cable coming out of your wall, and then connects in turn to (or may also function as) your wireless and wired router. ISPs often provide this equipment at the time of install, and then charge you $5 to $10 per month forever. What they don’t tell you is you can probably buy the exact same item for somewhere between $30 and $100.

The exact model you need will depend on your service, but it will be listed somewhere, and they should tell you what they’d provide if you ask. Look online, buy a new or lightly used one, and it will have paid for itself before the year is out. Not only that, but you can do stuff like upgrade or change the software on it all you want, because it’s yours. Bonus: The ISP is limited in what it can do to the router (like letting other people connect — yes, it’s a thing).

2. Avoid service calls, or if you can’t, insist they’re free

I had an issue with my Comcast internet a while back that took them several visits from a service tech to resolve. It wasn’t an issue on my end, which was why I was surprised to find they’d charged me $30 or so every time the person came.

If your ISP wants to send someone out, ask whether it’s free, and if it isn’t, tell them to make it free or ask if you can do it yourself (sometimes it’s for really simple stuff like swapping a cable). If they charge you for a visit, call them and ask them to take it off your bill. Say you weren’t informed and you’ll inform the Better Business Bureau about it, or take your business elsewhere, or something. They’ll fold.

When someone does come…

3. Get deals from the installer

If you do end up having someone come out, talk to them to see whether there are any off the record deals they can offer you. I don’t mean anything shady like splitting cables with the neighbor, just offers they know about that aren’t publicized because they’re too good to advertise.

A lot of these service techs are semi-independent contractors paid by the call, and their pay has nothing to do with which service you have or choose. They have no reason to upsell you and every reason to make you happy and get a good review. Sometimes that means giving you the special desperation rates ISPs withhold until you say you’re going to leave.

And as long as you’re asking…

4. Complain, complain, complain

This sounds bad, but it’s just a consequence of how these companies work: The squeaky wheels get the grease. There’s plenty of grease to go around, so get squeaking.

Usually this means calling up and doing one of several things. You can complain that service has been bad — outages and such — and ask that they compensate you for that. You can say that a competing ISP started offering service at your location and it costs $20 less, so can they match that. Or you can say your friend just got a promotional rate and you’d like to take advantage of it… otherwise you’ll leave to that phantom competitor. (After all, we know there’s often little or no real competition.)

What ISPs, and, more importantly, what their customer service representatives care about is keeping you on as a customer. They can always raise rates or upsell you later, but having you as a subscriber is the important thing.

Note that some reps are more game than others. Some will give you the runaround, while others will bend over backwards to help you out. Feel free to call a few times and do a bit of window shopping. (By the way, if you get someone nice, give them a good review if you get the chance, usually right after the call or chat. It helps them out a lot.) Obviously you can’t call every week with new demands, so wait until you think you can actually save some money.

Which reminds me…

5. Choose your service level wisely

ISPs offer a ton of choices, and make it confusing on purpose so you end up picking an expensive one just to be sure you have what you need. The truth is most people can probably do pretty much everything they need on the lowest tier they offer.

A 1080p Netflix stream will work fine on a 25 Mbps connection, which is what I have. I also work entirely online, stream high-def videos at a dozen sites all day, play games, download movies and do lots of other stuff, sometimes all at the same time. I think I pay $45 a month. But rates like mine might not be advertised prominently or at all. I only found out when I literally asked what the cheapest possible option was.

That said, if you have three kids who like to watch videos simultaneously, or you have a 4K streaming setup that you use a lot, you’ll want to bump that up a bit. But you’d be surprised how seldom the speed limit actually comes into play.

To be clear, it’s still important that higher tiers are available, and that internet providers upgrade their infrastructure, because competition and reliability need to go up and prices need to come down. The full promise of broadband should be accessible to everyone for a reasonable fee, and that’s still not the case.

6. Stream everything because broadcast TV is a joke

Cord-cutting is fun. Broadcast TV is annoying, and getting around ads and air times using a DVR is very 2005. Most shows are available on streaming services of some kind or another, and while those services are multiplying, you could probably join all of them for well under what you’re paying for the 150 cable channels you never watch.

Unless you really need to watch certain games or news shows as they’re broadcast, you can get by streaming everything. This has the side effect of starving networks of viewers and accelerating the demise of these 20th-century relics. Good ones will survive as producers and distributors of quality programming, and you can support them individually on their own merits. It’s a weird transitional time for TV, but we need to drop-kick them into the future so they’ll stop charging us for a media structure established 50 years ago.

Something isn’t available on a streaming service? 100 percent chance it’s because of some dumb exclusivity deal or licensing SNAFU. Go pirate it for now, then happily pay for it as soon as it’s made available. This method is simple for you and instructive for media companies. (They always see piracy rates drop when they make things easy to find and purchase.)

This also lets you avoid certain fees ISPs love tacking onto your bill. I had a “broadcast TV fee” on my bill despite not having any kind of broadcast service, and I managed to get it taken off and retroactively paid back.

On that note…

7. Watch your bill like a hawk

Telecoms just love putting things on your bill with no warning. It’s amazing how much a bill can swell from the quoted amount once they’ve added all the little fees, taxes and service charges. What are they, anyway? Why not call and ask?

You might find out, as I did, that your ISP had “mistakenly” been charging you for something — like equipment — that you never had nor asked for. Amazing how these lucrative little fees tend to fall through the cracks!

Small charges often increase and new ones get added as well, so download your bill when you get it and keep it somewhere (or just keep the paper copies). These are really handy to have when you’re on the phone with a rep. “Why wasn’t I informed my bill would increase this month by $50?” “Why is this fee more now than it was in July?” “Why do I pay a broadcast fee if I don’t pay for TV?” These are the types of questions that get you discounts.

Staying on top of these fees also means you’ll be more aware when there are things like mass refunds or class action lawsuits about them. Usually these have to be opted into — your ISP isn’t going to call you, apologize and send a check.

As long as you’re looking closely at your bill…

8. Go to your account and opt out of everything

When you sign up for broadband service, you’re going to get opted into a whole heap of things. They don’t tell you about these, like the ads they can inject, the way they’re selling this or that data or that your router might be used as a public Wi-Fi hotspot.

You’ll only find this out if you go to your account page at your ISP’s website and look at everything. Beyond the usual settings like your address and choice of whether to receive a paper bill, you’ll probably find a few categories like “privacy” and “communications preferences.”

Click through all of these and look for any options to opt out of stuff. You may find that your ISP has reserved the right to let partners email you, use your data in ways you wouldn’t expect and so on. It only takes a few minutes to get out of all this, and it deprives the ISP of a source of income while also providing a data point that subscribers don’t like these practices.

9. Share your passwords

Your friend’s internet provider gets him streaming services A, B and C, while yours gives you X, Y and Z. Again, this is not about creators struggling to get their content online, but rather all about big media and internet corporations striking deals that make them money and harm consumers.

Share your (unique, not reused!) passwords widely and with a clean conscience. No company objects when you invite your friends over to watch “Fleabag” at your house. This just saves everyone a drive!

10. Encrypt everything and block trackers

One of the internet companies’ many dirty little deals is collecting and selling information on their customers’ watching and browsing habits. Encrypting your internet traffic puts the kibosh on this creepy practice — as well as being good security.

There isn’t much you have to do here, since over the last few years encryption has become the rule rather than the exception, even at sites where you don’t log in or buy anything. If you want to be sure, install a browser plug-in like HTTPS Everywhere, which switches you to a secure connection wherever one is available. You can tell a connection is secure because the URL starts with “https://” instead of “http://”, and most browsers show a lock icon or a warning as well.

You should also use an ad blocker, not necessarily to block ads that keep outlets like TechCrunch alive (please), but to block trackers seeded across the web by companies that use sophisticated techniques to record everything you do. ISPs are among these and/or do business with them, so everything you can do to hinder them is a little mud in their eye.

Incidentally there are lots of ways you can protect your privacy from those who would invade it — we’ve got a pretty thorough guide here.

11. Use a different DNS


On a similar note, most ISPs set you up by default with their own DNS resolver (“Domain Name System”), which is the service your browser queries to convert a hostname (like “techcrunch.com”) into its numerical IP address.

There are lots of these to choose from, and they all work, but if you use your ISP’s, it makes it much easier for them to track your internet activity. They also can block certain websites by refusing to provide the IP for content they don’t like.

TechCrunch doesn’t officially endorse one, but lots of companies offer free, fast DNS that’s easy to switch to. Here’s a good list; there are big ones (Google, Cloudflare), “open” ones (OpenDNS, OpenNIC) and others with some niche features. All you need to do is enter the two resolver addresses (a primary and a secondary) into your network configuration, following the instructions they provide. You can change it back at any time.
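The two points made in items 10 and 11, that HTTPS hides what you read but not which host you talk to, and that whoever runs your resolver sees every name you look up, are easiest to see on the wire. The following is an added example and not TechCrunch’s code: it builds a hand-constructed DNS query and reply and a minimal TLS ClientHello, then parses them the way a passive observer on the path (your ISP, or the resolver operator) would. The hostname, the 192.0.2.10 address and the TLS field values are constructed assumptions, not captured traffic.

```python
# Added example (not TechCrunch's code): what a passive on-path observer such
# as an ISP can still read when traffic is HTTPS. Every packet here is
# constructed by hand; the names, addresses and TLS fields are assumptions.
import struct

def build_dns_query(name, txid=0x1234):
    """Encode a plain-UDP DNS query for an A record (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def build_dns_response(query, ip, ttl=300):
    """Constructed resolver reply: echo the question, add one A record whose owner
    name is a compression pointer (0xC00C) back to the question name."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + query[12:] + answer

def read_name(msg, off):
    """Decode a DNS name at `off`, following compression pointers; return
    (name, offset just past the name in the original byte stream)."""
    labels, end, jumped = [], off, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # two-byte pointer into an earlier name
            end = end if jumped else off + 2
            jumped, off = True, struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), end if jumped else off
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln

def parse_dns(msg):
    """Return the question names and A-record answers from a DNS message."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
        questions.append(name)
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata)))
    return {"id": txid, "questions": questions, "answers": answers}

def build_client_hello(host):
    """Construct a minimal TLS ClientHello record carrying an SNI extension."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni  # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32             # client_version, fixed "random"
            + b"\x00"                             # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite
            + b"\x01\x00"                         # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the server_name from a TLS ClientHello record, else None; only the
    fields needed to reach the extension list are decoded."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None  # not a handshake record, or not a ClientHello
    hs = record[5:]
    off = 4 + 2 + 32                                    # header, version, random
    off += 1 + hs[off]                                  # session id
    off += 2 + struct.unpack("!H", hs[off:off + 2])[0]  # cipher suites
    off += 1 + hs[off]                                  # compression methods
    if off + 2 > len(hs):
        return None  # no extensions at all
    end = off + 2 + struct.unpack("!H", hs[off:off + 2])[0]
    off += 2
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[off:off + 4])
        off += 4
        if etype == 0:  # server_name: list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack("!H", hs[off + 3:off + 5])[0]
            return hs[off + 5:off + 5 + name_len].decode("ascii")
        off += elen
    return None

def observer_view(packets):
    """Hostnames a passive observer learns from ("dns"|"tls", payload) pairs."""
    seen = []
    for kind, payload in packets:
        if kind == "dns":
            seen.extend(parse_dns(payload)["questions"])
        elif kind == "tls" and extract_sni(payload) is not None:
            seen.append(extract_sni(payload))
    return seen
```

Feed `observer_view` a DNS query from `build_dns_query` and a ClientHello from `build_client_hello` for the same host and it reports the hostname twice: once from the cleartext DNS question and once from the SNI extension. That is the practical caveat to the two items above. Changing your resolver moves the DNS half of that view from the ISP to whoever runs the new resolver rather than removing it, and the ISP carrying the TLS connection still sees the hostname in the ClientHello unless Encrypted Client Hello is in use; what HTTPS does hide is the path, the page content and the cookies.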

Setting up a VPN is another option for very privacy-conscious individuals, but it can be complicated. And speaking of complicated…

12. Run a home server

This is a bit advanced, but it’s definitely something ISPs hate. Setting up your home computer or a dedicated device to host a website, script or service seems like a natural use of an always-on internet connection, but just about everyone in the world would rather you sign up for their service, hosted on their hardware and their connection.

Well, you don’t have to! You can do it on your own. Of course, you’ll have to learn how to install and run a server (probably Unix-based), handle registry stuff, install various packages and keep everything up to date so you don’t get owned by some worm or bot… but you’ll have defied the will of the ISP. That’s the important thing.

13. Talk to your local government

ISPs hate all the things above, but what they hate the most by far is regulation. And you, as a valued citizen of your state and municipality, are in a position to demand it. Senators, representatives, governors, mayors, city councils and everyone else actually love to hear from their constituency, not because they desire conversation but because they can use it to justify policy.

During the net neutrality fight, a constant refrain I heard from government officials was how much they’d heard from voters about the issue and how unanimous it was (in support, naturally). A call or email from you won’t sway national politics, but a few thousand calls or emails from people in your city just might sway a local law or election. These things add up, and they do matter. State net neutrality policies are now the subject of national attention, and local privacy laws like those in Illinois are the bane of many a shady company.

Tell your local government about your experience with ISPs — outages, fees, sneaky practices or even good stuff — and they’ll file it away for when that data is needed, such as renegotiating the contracts national companies sign with those governments in order to operate in their territories.

Internet providers only do what they do because they are permitted to, and even then they often step outside the bounds of what’s acceptable — which is why rules like net neutrality are needed. But first people have to speak out.


What you missed in cybersecurity this week

21:00 | 1 September

There’s not a week that goes by where cybersecurity doesn’t dominate the headlines. This week was no different. Struggling to keep up? We’ve collected some of the biggest cybersecurity stories from the week to keep you in the know and up to speed.

Malicious websites were used to secretly hack into iPhones for years, says Google

TechCrunch: This was the biggest iPhone security story of the year. Google researchers found a number of websites that were stealthily hacking into thousands of iPhones every week. The operation was carried out by China to target Uyghur Muslims, according to sources, and also targeted Android and Windows users. Google said it was an “indiscriminate” attack through the use of previously undisclosed so-called “zero-day” vulnerabilities.

Hackers could steal a Tesla Model S by cloning its key fob — again

Wired: For the second time in two years, researchers found a serious flaw in the key fobs used to unlock Tesla’s Model S cars, successfully cracking the fob’s encryption. It turns out the encryption key had been doubled in size since the first time it was cracked; using twice the resources, the researchers cracked the key again. The good news is that a software update can fix the issue.

Microsoft’s lead EU data watchdog is looking into fresh Windows 10 privacy concerns

TechCrunch: Microsoft could be back in hot water with the Europeans after the Dutch data protection authority asked its Irish counterpart, which oversees the software giant, to investigate Windows 10 for allegedly breaking EU data protection rules. A chief complaint is that Windows 10 collects too much telemetry from its users. Microsoft made some changes after the issue was first raised in 2017, but the Irish regulator is looking at whether these changes go far enough — and whether users are adequately informed. Microsoft could be fined up to 4% of its global annual revenue if found to have flouted the law. Based on 2018’s figures, Microsoft could see fines as high as $4.4 billion.

U.S. cyberattack hurt Iran’s ability to target oil tankers, officials say

The New York Times: A secret cyberattack against Iran, carried out in June but only reported this week, significantly degraded Tehran’s ability to track and target oil tankers in the region. It’s one of several offensive operations against a foreign target by the U.S. government in recent months. Iran’s military seized a British tanker in July in retaliation over a U.S. operation that downed an Iranian drone. According to a senior official, the strike “diminished Iran’s ability to conduct covert attacks” against tankers, but sparked concern that Iran may be able to quickly get back on its feet by fixing the vulnerability the Americans used to shut down Iran’s operation in the first place.

Apple is turning Siri audio clip review off by default and bringing it in house

TechCrunch: After Apple was caught paying contractors to review Siri queries without user permission, the technology giant said this week it will turn off human review of Siri audio by default and bring any opt-in review in-house. That means users will actively have to allow Apple staff to “grade” audio snippets recorded through Siri. Apple began audio grading to improve the Siri voice assistant. Amazon, Facebook, Google, and Microsoft have all been caught out using contractors to review user-generated audio.

Hackers are actively trying to steal passwords from two widely used VPNs

Ars Technica: Hackers are targeting and exploiting vulnerabilities in two popular corporate virtual private network (VPN) services. Fortigate and Pulse Secure let remote employees tunnel into their corporate networks from outside the firewall. But these VPN services contain flaws which, if exploited, could let a skilled attacker tunnel into a corporate network without needing an employee’s username or password. That means they can get access to all of the internal resources on that network — potentially leading to a major data breach. News of the attacks came a month after the vulnerabilities in widely used corporate VPNs were first revealed. Thousands of vulnerable endpoints exist — months after the bugs were fixed.

Grand jury indicts alleged Capital One hacker over cryptojacking claims

TechCrunch: And finally, just when you thought the Capital One breach couldn’t get any worse, it does. A federal grand jury said the accused hacker, Paige Thompson, should be indicted on new charges. The alleged hacker is said to have created a tool to detect cloud instances hosted by Amazon Web Services with misconfigured web firewalls. Using that tool, she is accused of breaking into those cloud instances and installing cryptocurrency mining software. This is known as “cryptojacking,” and relies on hijacking someone else’s computing resources to mine cryptocurrency.


What security pros need to know from Black Hat & Def Con 2019

17:56 | 15 August

Black Hat and Def Con came and went as quickly as they ever do. The week-long pair of back-to-back conferences, referred to as “hacker summer camp,” draws the security crowd from across the world to Las Vegas, where startups tout their technologies and hackers and researchers reveal their findings.

This year we saw ordinary-looking charging cables that can hack your computer, we found out that cloud backups are easily exposed, that robocall blocking apps aren’t as privacy-focused as you might think, and that your corporate VPN and office printer are targets for hackers (and if they fail there, they’ll just ship a hardware exploit to your mailroom). Even students can easily hack their own school systems.

The obvious takeaways might be to never plug anything into your computer and that all your data is already ‘pwned’.

But what does that all mean to the average security professional, let alone the CISO at the top of the corporate chain? Between the villages and the many speaker tracks — not to mention the darting between hotels — it’s tough to know exactly what we should take away from the shows.

We spoke to four security experts who were there and asked them what their primary takeaways were for security decision-makers.

Internet of Things is a risk factor


Hundreds of exposed Amazon cloud backups found leaking sensitive data

21:00 | 9 August

How safe are your secrets? If you used Amazon’s Elastic Block Storage, you might want to check your settings.

New research just presented at the Def Con security conference reveals how companies, startups, and governments are inadvertently leaking their own files from the cloud.

You may have heard of exposed S3 buckets — those Amazon-hosted storage servers packed with customer data that are often misconfigured and inadvertently set to “public” for anyone to access. But you may not have heard about exposed EBS volumes, which pose as much risk, if not more.

These elastic block storage (EBS) volumes are the “keys to the kingdom,” said Ben Morris, a senior security analyst at cybersecurity firm Bishop Fox, in a call with TechCrunch ahead of his Def Con talk. EBS volumes store all the data for cloud applications. “They have the secret keys to your applications and they have database access to your customers’ information,” he said.

“When you get rid of the hard disk for your computer, you know, you usually shred it or wipe it completely,” he said. “But these public EBS volumes are just left for anyone to take and start poking at.”

He said that all too often cloud admins don’t choose the correct configuration settings, leaving EBS volumes inadvertently public and unencrypted. “That means anyone on the internet can download your hard disk and boot it up, attach it to a machine they control, and then start rifling through the disk to look for any kind of secrets,” he said.
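The two settings Morris describes, a volume left public and left unencrypted, are things a cloud admin can audit in their own account. The following is an added example, not Bishop Fox’s or TechCrunch’s code; it assumes the exposure happens through the snapshot-sharing permission (`createVolumePermission`, the mechanism AWS provides for making EBS data available to other accounts), and the live variant assumes boto3 with working credentials. The audit logic itself runs offline on the constructed sample data.

```python
# Added example (not Bishop Fox's or TechCrunch's code). Assumes exposure happens
# via the snapshot 'createVolumePermission' attribute, AWS's sharing mechanism.

def audit_snapshots(snapshots: list, permissions: dict) -> list:
    """One finding per snapshot that is public, unencrypted, or both.
    snapshots: ec2.describe_snapshots()['Snapshots']; permissions: SnapshotId ->
    the 'CreateVolumePermissions' list from describe_snapshot_attribute()."""
    findings = []
    for snap in snapshots:
        sid = snap["SnapshotId"]
        # Group 'all' means shared with every AWS account, i.e. public.
        is_public = any(p.get("Group") == "all" for p in permissions.get(sid, []))
        encrypted = bool(snap.get("Encrypted", False))
        if is_public or not encrypted:
            findings.append({
                "SnapshotId": sid, "public": is_public, "encrypted": encrypted,
                # Public + unencrypted is the article's case: anyone can create a
                # volume from it, attach it and read the disk in the clear.
                "severity": "critical" if is_public and not encrypted else "high",
            })
    return findings


def fetch_and_audit(region_name: str) -> list:
    """Live variant: pulls this account's own snapshots via boto3 (needs credentials)."""
    import boto3  # imported here so the offline audit needs no AWS SDK installed
    ec2 = boto3.client("ec2", region_name=region_name)
    pages = ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"])
    snapshots = [s for page in pages for s in page["Snapshots"]]
    permissions = {
        s["SnapshotId"]: ec2.describe_snapshot_attribute(
            SnapshotId=s["SnapshotId"], Attribute="createVolumePermission"
        )["CreateVolumePermissions"]
        for s in snapshots
    }
    return audit_snapshots(snapshots, permissions)


# Constructed sample data standing in for the two API responses.
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-0aaa", "Encrypted": False},
    {"SnapshotId": "snap-0bbb", "Encrypted": True},
    {"SnapshotId": "snap-0ccc", "Encrypted": True},
]
SAMPLE_PERMISSIONS = {
    "snap-0aaa": [{"Group": "all"}],            # public and unencrypted
    "snap-0bbb": [{"UserId": "111122223333"}],  # shared with one account only
    "snap-0ccc": [{"Group": "all"}],            # public but encrypted
}
```

Running `fetch_and_audit("us-east-1")` against a real account reports every snapshot that would be a hit for a scanner like the one described here; a snapshot that is public but encrypted still appears, because the permission itself is the thing to fix.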


One of Morris’ Def Con slides noting the types of compromised data found using his research, often known as the “Wall of Sheep.” (Image: Ben Morris/Bishop Fox; supplied)

Morris built a tool using Amazon’s own volume search feature to query and scrape publicly exposed EBS volumes, then attach each one, make a copy and list the contents of the volume on his system.

“If you expose the disk for even just a couple of minutes, our system will pick it up and make a copy of it,” he said.

It took him two months to build up a database of exposed volumes and just a few hundred dollars spent on Amazon cloud resources. Once he validates each volume, he deletes the data.

Morris found dozens of volumes exposed publicly in one region alone, he said, including application keys, critical user or administrative credentials, source code, and more. Among them was data from several major companies, including healthcare providers and tech companies.

He also found VPN configurations, which he said could allow him to tunnel into a corporate network. Morris said he did not use any credentials or sensitive data as it would be unlawful.

Among the most damaging things he found, Morris said he found a volume for one government contractor, which he did not name, but provided data storage services to federal agencies. “On their website, they brag about holding this data,” he said, referring to collected intelligence from messages sent to and from the so-called Islamic State terror group to data on border crossings.

“Those are the kind of things I would definitely not want some to be exposed to the public Internet,” he said.

He estimates the figure could be as many as 1,250 exposures across all Amazon cloud regions.

Morris plans to release his proof-of-concept code in the coming weeks.

“I’m giving companies a couple of weeks to go through their own disks and make sure that they don’t have any accidental exposures,” he said.
