Security News This Week: Your VPN Probably Isn’t Private

Posted on Posted in Hacker News

SO MANY HACKS, so few days in the week to write alarming stories about every one. Here’s our roundup of what you have may missed this week.

First, some news: a shocking revelation that the GCHQ, England’s spy organization, has been spying on Amnesty International. This is ironic, considering the UK government is party to the Wassenaar Agreement, which explicitly forbids regimes from spying on human rights groups.

The MIT media lab, along with two bitcoin entrepreneurs, revealed a prototype for Enigma, a system designed to encrypt data that can be shared with untrusted computers to run computations without being decrypted.

Researcher Ben Caudill will unveil a hardware proxy at DefCon designed to move you up to two and a half miles away from your IP address using a radio connection.

In movie news, a mysterious teaser trailer has finally been released for Snowden, the Oliver Stone-directed flick about the whistleblower and former NSA contractor.

And you may have noticed a slight anomaly: Tuesday’s leap second caused some sporadic outages across the Internet just after midnight.

But that’s not all. As always, to read the full story linked in each post, click on the headlines. And be safe out there!

Five More Months of Mass Surveillance Under Defunct NSA Program

The more things change, the more they stay the same, right? The Freedom Act may have signaled an end to the Patriot Act’s bulk collection of American phone records, but not so fast: its demise will be postponed for a bit. A FISA court approved the government’s request to renew the illegal dragnet surveillance program for what is to be a six-month transition period. The only irony is that the program already shut down amidst congressional feedback, so restating it after its lapse seems rather silly…but here we are. The eventual good news is that records will need to be requested from phone companies on an as-needed basis, and with permission from the FISA Court, once this “transition period” is over. Senator Wyden, one of NSA’s biggest critics, said it best: “This illegal dragnet surveillance violated Americans’ rights for fourteen years without making our country any safer. It is disappointing that the administration is seeking to resurrect this unnecessary and invasive program after it has already been shut down.”

Many Popular VPNs Aren’t Actually Private

Shocker: Commercial virtual private networks often claim to offer privacy and anonymity, but a group of researchers from Sapienza University and Queen Mary University have tested 14 of the most popular ones and found that 10 leak data, and all but one are vulnerable to DNS hijacking that leads to leaked IPv6 data. If you’ve been using a VPN for anonymity, protection from monitoring and tracking, or censorship circumvention, now’s the time to switch to Tor, the researchers concluded.

New Details About The NSA’s XKEYSCORE Program Revealed

The Intercept published 48 classified documents it got from Edward Snowden about the powerful mass surveillance tool XKEYSCORE dating as late as 2013.

What do they say? It looks like the incredibly broad surveillance tool can collect email messages, chat transcripts web searches, sites visited, photos, phone calls, social media traffic, logged keystrokes, username and password pairs, file uploads to online services, and even Skype sessions. Querying the information is as easy as running a search on Google, allowing NSA to search for activities based on a person’s location, nationality, and sites they visit by simply entering a phone number, a name, or an email address. Using a VPN or a public Wi-Fi network can’t protect users from this threat: cookies track your behavior through multiple sites. Although there are some rules that would not allow analysts to run certain queries, the oversight is extremely limited, the Intercept explains.

Washington Post Begins Encrypting Its Website

Eat your heart out, New York Times: looks like WaPo beat you to the punch. In a move that’ll make it harder for government agencies and other third parties to track site visitors’ reading habits or alter content, the Post began turning on HTTPS encryption by default on parts of its website last Tuesday. Its home page, national security page, and technology news site are already using HTTPS, and the paper has announced that it’ll be rolling it out for the rest of the site over the coming months.

French Malware Named After Your Favorite Cartoon Character

Fred Flintstone’s pet dinosaur has been in a lot of spin-offs, but this is a first: a powerful piece of malware named Dino, which searches and steals data from target’s computers, has been found in the wild. Joan Calvet, the ESET researcher who found the malware, believes that it was created by French spies to target Iran, and that it’s been deployed on only a small number of people. The code is similar to Babar and Casper, two other espionage tools in the so-called Animal Farm, leading Calvet to believe it was written by the same authors.

Quelle: WIRED

Facebooktwittergoogle_plus