Home Tags Virtual Private Network

Tag: Virtual Private Network

virtual private network also known as a VPN is a private network that extends across a public network or internet. It enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.

VPNs can provide functionality, security and/or network management benefits to the user. But they can also lead to new issues, and some VPN services, especially “free” ones, can actually violate their users’ privacy by logging their usage and making it available without their consent, or make money by selling the user’s bandwidth to other users.

Some VPNs allow employees to securely access a corporate intranet while located outside the office. Some can securely connect geographically separated offices of an organization, creating one cohesive network. Individual Internet users can use some VPNs to secure their wireless transactions, to circumvent geo-restrictions and censorship, and/or to connect to proxy servers for the purpose of protecting personal identity and location. But some Internet sites block access via known VPNs to prevent the circumvention of their geo-restrictions.

A VPN is created by establishing a virtual point-to-point connection through the use of dedicated connections, virtual tunnelling protocols, or traffic encryption. A VPN available from the public Internet can provide some of the benefits of a wide area network (WAN). From a user perspective, the resources available within the private network can be accessed remotely.

Traditional VPNs are characterized by a point-to-point topology, and they do not tend to support or connect broadcast domains, so services such as Microsoft Windows NetBIOS may not be fully supported or work as they would on a local area network (LAN). Designers have developed VPN variants, such as Virtual Private LAN Service (VPLS), and layer-2 tunneling protocols, to overcome this limitation.


Too often, your network traffic is readable by advertisers, attackers, and snoops.

But a virtual private network, or VPN, like FrootVPN ensures that your Web traffic is fully encrypted and that you remain anonymous online. Unlike many other VPN services, FrootVPN is a barebones affair without a local client, and only a few servers available.
But its role in the attack remains unclear Fresh research has shed new light on the devious and unprecedented cyber-attack against Ukraine's power grid in December 2015. A former intelligence analyst has warned that launching similar attacks is within the capabilities of criminals, or perhaps even hacktivist groups, since most of the key components are readily available online. Zach Flom, an intelligence analyst at threat intelligence firm Recorded Future and a former US DoD computer network defense analyst, has published a study on the BlackEnergy malware, noting a spike in activity prior to the Ukraine attack that left more than 200,000 people temporarily without power on December 23. "In 2014, shortly after being picked up by APT [advanced persistent threat] groups and becoming more modular, we see a large spike in references to the malware and its increasing usage in European countries, namely Ukraine," Flom notes. "Whether or not the attack was nation state-sponsored, the source code for most of the components that were used is available for purchase and download on the open Web," Flom writes. "It's no longer far fetched that a similar attack could be conducted by non-nation state-sponsored groups for criminal purposes." BlackEnergy has evolved from a "relatively simple" distributed denial-of-service attack tool of early 2007 to a highly capable blob of malware over the last eight years, according to Flom. The warning of potential future misuse of BlackEnergy comes days after a US government report concluded that the December 2015 power outage in Ukraine – which affected 225,000 customers – was caused by outside attackers. Representatives of the US Department of Homeland Security (DHS), Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and other US government agencies traveled to Ukraine to collaborate and gain more insight into the attack.

The Ukrainian government and the three impacted power utilities (named elsewhere as Prykarpattya, Oblenergo and Kyivoblenergo) collaborated with the investigation, which concluded that the assault involved a great deal of coordination and planning, culminating with an attempt to destroy evidence on field devices using wiper malware. The cyber-attack was reportedly synchronized and coordinated, probably following extensive reconnaissance of the victim networks.

According to company personnel, the cyber-attacks at each company occurred within 30 minutes of each other and impacted multiple central and regional facilities.

During the cyber-attacks, malicious remote operation of the breakers was conducted by multiple external humans using either existing remote administration tools at the operating system level or remote industrial control system (ICS) client software via virtual private network (VPN) connections.

The companies believe that the actors acquired legitimate credentials prior to the cyber-attack to facilitate remote access. All three companies indicated that the actors wiped some systems by executing the KillDisk malware at the conclusion of the cyber-attack.

The KillDisk malware erases selected files on target systems and corrupts the master boot record, rendering systems inoperable. The whole incident has generated a great deal of interest because it's reckoned to represent the first time that hackers have successfully attacked a power grid.

For context, it's worth pointing out that outages caused by squirrels chewing through electricity cables and the like are commonplace.

A growing number of experts have come to regard the Ukraine energy utility attacks as the most significant malware-based hack attack since Stuxnet hobbled Iranian nuclear centrifuges back in 2010. BlackEnergy malware was discovered on the affected companies' computer networks, however it is important to note that ICS-CERT investigators reckon the precise role of the potent cyber-pathogen in the attack remains as yet unclear. Each company also reported that they had been infected with BlackEnergy malware, however we do not know whether the malware played a role in the cyber-attacks.

The malware was reportedly delivered via spear phishing emails with malicious Microsoft Office attachments.
It is suspected that BlackEnergy may have been used as an initial access vector to acquire legitimate credentials; however, this information is still being evaluated.
It is important to underscore that any remote-access Trojan could have been used, and none of BlackEnergy's specific capabilities were reportedly leveraged. A mining company and a large railway operator in Ukraine were also hit by BlackEnergy, so the run of attacks was far from limited to the power distribution sector.

The possible motivations of the hackers range from an attempt to disable Ukraine economically to a test of the power of their malware against real life targets. Russia is the obvious prime suspect in this malfeasance, and this is supported by plenty of circumstantial evidence, although nothing incontrovertible and certainly no smoking gun. Security researchers at the SANS Institute have put together a reaction to the ICS-CERT report ahead of their own forthcoming study, which will focus on how to defend against similar attacks on industrial control systems in future. Industrial control system security expert Robert M Lee argues that ICS-CERT unnecessarily hedged its bets in calling BlackEnergy a central vector of the attack. "ICS-CERT is very shy in stating that BlackEnergy3 was involved in the incident," Lee writes. "I understand their hesitation, but the use of BlackEnergy3 to harvest credentials in the impacted organizations was very clear from publicly available sources.

The malware, however, was not responsible for the outage.
It just enabled the attackers, as the SANS team and others in the community have said all along," he added. ® Sponsored: Why every enterprise needs an Internet Performance Management (IPM) Strategy
Chocolate Factory rolls out geolocation filter on search results If you use Google in Europe, your search results will be censored under the Continent's right-to-be-forgotten policy – even if you try to use one of the ad giant's non-European sites. Until now if you used Google.com rather than, say, Google.de, you could still find results that have been removed at someone's request: the links would be censored on google.de but available on google.com From next week, though, if you connect to Google.com from an IP address with a European geolocation, you'll get the censored result. Under the right-to-be-forgotten policy, people can ask for results to pulled from the search engine on all queries made in the EU. Previously, the filters had only been applied to the local Google domains for each EU country. Users would now need to find other means, such as an overseas VPN to get around the filtered search results. Since the European Court of Justice ruled in 2014 that citizens had the right to order their names be expunged from embarrassing Google search results, the Chocolate Factory has been working with the EU courts to honor the requests. "We're changing our approach as a result of specific discussions that we've had with EU data protection regulators in recent months," wrote Google global privacy council Peter Fleischer. "We believe that this additional layer of delisting enables us to provide the enhanced protections that European regulators ask us for, while also upholding the rights of people in other countries to access lawfully published information." Fleischer acknowledged that Google has had "occasional disagreements" with the EU in how to enforce the directive, but said the Chocolate Factory will continue to comply with requests to pull information in Europe, even if many of those requests would still leave the results readily available for viewing on other search engines and anyone who would run a search query outside of the EU. ® Sponsored: Speed up incident response with actionable forensic analytics
Jerome Segura, a senior security researcher with Malwarebytes, was recently stumped by a cyber attack he was studying.
It seemed to keep vanishing. Segura often studies malvertising, which involves seeding ad networks with harmful online advertisements that then appear on websites, potentially delivering malware to a person's computer. It's a particularly insidious type of attack, since a person merely has to view an advertisement to become infected if their computer has a software vulnerability.  "We knew there was something different that malvertisers were doing," said Segura in a phone interview Thursday. The problem was they couldn't replicate the attack by viewing the malicious ad.
It's almost as if the attackers knew they were being watched. Cyber attackers often profile machines -- known as fingerprinting -- in order to attack ones that are being used by security researchers. Machines on certain IP addresses or VPN networks or those running virtual machines won't be attacked. Segura couldn't get another look at the attack until he went home and used his home computer rather than the ones in Malwarebytes' lab. The suspicious advertisement contained a one-by-one pixel GIF image.

That's not usual, as pixels are used for tracking purposes, but this one actually contained JavaScript. The JavaScript exploits an information leakage vulnerability (CVE-2013-7331) in older unpatched versions of Internet Explorer, Segura said.

The vulnerability can be used to parse a computer's file system and figure out if it's running certain AV programs. If a computer checked out, its user was redirected by the advertisement to a server running the Angler exploit kit, Segura said. It is not unusual for cyber attackers to do some quick reconnaissance on potential victims.

But Segura said this time around, the attackers are also taking other steps that make it very difficult for ad networks and security researchers to detect bad behavior. The malicious ad, including the one-by-one pixel, was also delivered over SSL/TLS, which makes it harder to detect potentially malicious behavior, Segura said. The malicious ad was carried by Google's DoubleClick and dozens of other ad networks.
It appears the attackers had set up fake domains and even LinkedIn profiles months before to appear they were legitimate before supplying their malicious advertisement to the online advertising companies. "It shows you how deceptive they can be and how many fake advertisers are out there," he said. Segura said he has been in touch with DoubleClick and other online advertising companies, but the malvertising ad is still running in some places. The automated nature of online advertising and the labyrinth of relationships between companies has made filtering malicious ads difficult, he said. "What criminals have figured out is it's easier to infiltrate a third partner that works with Google but doesn't necessarily have the same security screening and tight guidelines," Segura said. Malwarebytes posted a writeup of its research on its blog.
As usual, winter's been bleak. You're ready to go ... anywhere else.
Somewhere warmer, brighter, more fun.  And someone else is there waiting and ready to steal your information -- and your money -- in the process.  Travel scams are ripe and ripening as the days grow longer, in some high and very low tech ways.  "The really staggering message that came through in 2015 was that it was the year attackers spent a lot less time and energy on really sophisticated technology intrusions and instead spent the year exploiting us," says Kevin Epstein, vice president of the Threat Operations Center at Proofpoint.  Criminals don't just want to grab your information when you're planning either. Your trip itself makes you a target, too.  Pre-trip hacking Travel is a focus of scamming for two reasons.  The first is money -- lots of it. "Booking the trip turns out to be a great way to give away a lot of money," says Epstein. "You voluntarily provide lots of personal information." Not only do most sites require you to put in your credit card information to book a trip, but many also have you create a login and password to use the site.  If a criminal can make you believe that you're putting that kind of information into the right place, they can take over your money and your digital life. Or, if they can send you something that looks legit, and you download what they ask, they get into your computer and everything that's stored therein.  The second reason is that travel companies have lagged behind when it comes to the security of their sites. When other online sectors strengthened their walls, scammers went the path of least resistance, which lately has been travel.  Banks, says Charlie Abrahams, senior vice president at MarkMonitor, used to be the subject of such cloning, by have "taken steps to deal with it," adding that MarkMonitor has recently seen an uptick in travel companies requesting the same kinds of service they have been providing for banks.  "We deal with sites that illegally pretend to be a site for the purposes of capturing credential information," says Abrahams.
Some of these sites can be found by searching for deals, and some by clicking on emails that purport to be from a legitimate travel entity.  Fraudsters are also moving into the app space with travel as a target, though attacks there aren't big -- yet.

Abrahams says that MarkMonitor has been spending more time scanning online app stores "because there are a lot of apps there that are completely fake," he says.
Sometimes these apps will glom onto famous name brands in the hopes of just getting people to download the apps; they may also be looking to get your information too.
Sticking to big name brands and downloading only from well known app stores like iTunes or Google Play is the best way to keep those out of your life, and off your data.  The same is true for where you go online to book your travel, says Epstein. "If you pick the wrong site, you've just handed over everything to someone."  Sticking to known companies there too, whether that's with hotels or airlines or cruise companies themselves or well-known online travel agents, is your best bet.

Deals that look too good to be true probably are. Read the find print too, and make sure that if your booking is cancelled -- especially by the booker -- that the entire amount isn't considered a non-refundable deposit.  Epstein also suggests calling the hotel to make sure they have the booking in case something went awry.  While on the road The scams don't stop there, of course.

Traveling presents more ways that criminals can get into your life, especially if your guard's down because you're on the beach, drinking margaritas, or both.  "Free Wi-Fi is the most dangerous cyber vector" for travelers says Epstein.

Even if your hotel offers it for free, don't use it.
If you can't create your own Wi-FI network by tethering, Epstein says stick to your phone.
If you must use your laptop, make sure you use full tunnel encrypted VPN.

That way, what you're sending or receiving is protected.  Securing your laptop and phone might sound basic, but Epstein says it's something that travelers can forget about -- especially the laptop.  "If you don't know where something is, even if you get it back, it may not be what you thought it was," he says.

That's because someone could put malware on it. "It's a path into your company.
It's a front door."  If you can, he says, leave the corporate laptop at home.
If you must bring it with you, have it locked away in a place where only you know the password.  Besides, it's a vacation. Who wants to bring their laptop with them on that? Now you have a security reason not to work with you. This story, "How to avoid common travel and vacation scams" was originally published by CIO.
That middle part is under a lot of potential fire.Riseup.net Ramon Lobato is senior research fellow at Swinburne University of Technology in Australia. His book Geoblocking and Global Video Culture, coedited with James Meese, has recently been published by Institute of Network Cultures (free PDF).

Thanks to Hadi Sohrabi, Jinying Li, and other contributors to the book for their insights on VPN regulation. As info security expert Bruce Schneier and his Berkman Centre for Internet and Society colleagues pointed out in a report last week, there are now about 865 encryption-related products available globally.

From free and paid VPNs to voice encryption tools, this market stretches far beyond the borders of the United States.

Today, the encryption economy includes no fewer than 55 different countries across Europe, Latin America, the Asia-Pacific, and the Caribbean. The sprawling ecology of software development creates an obvious problem for governments and security agencies seeking to monitor or contain privacy software.

Free software and other distributed projects typically exist “on multiple servers, in multiple countries, simultaneously,” and companies selling anonymization software can relocate across borders with relative ease. To those paying attention, none of this is news. Many observers also agree that legislative regulation of encryption would be a risky venture.

But as a general rule, perhaps we shouldn't be too quick to assume that the Internet will always and inevitably find a way around the lumbering nation-state. In the context of the current discussion, it’s worth bearing in mind that governments have many other options at their disposal when it comes to controlling the use of privacy software. While these options are rarely fully effective as a containment measure, they can have some effect when it comes to deterring new users from taking up particular technologies. Let’s take the case of VPNs as an example. Once a business networking tool, the VPN has in recent years morphed into a subscription-based personal service for online security, anonymity, and remote server access, becoming one of the most user-friendly faces of privacy software.

Governments around the world are now scrambling to keep up with the rapid take-up of VPN services and their diverse applications for consumers, citizens, and criminals alike. As part of an international research project, a team of digital media researchers and I have been tracking and comparing international trends in VPN use, culture, and regulation. Over the last year, we have been studying how VPNs (and other privacy software) are being used for entertainment, politics, and communication in different countries.

The results have been eye-opening. One of the emerging themes is that different governments take different approaches to regulating VPNs.
In countries with strong Internet censorship, a common strategy is a combination of legislative bans and network-level blocks.
In China, home to the world’s most sophisticated Internet censorship system, numerous VPN websites have been taken offline under the guise of a crackdown on unlicensed telecoms services.
VPN traffic has been disrupted via deep-packet inspection and port blocking, too. Similar ban-and-block systems are in place in several Gulf states, including Bahrain, Oman, and Saudi Arabia, and in Pakistan. Reports suggest that Russia has been considering such a move. Elsewhere, technical blocks are being combined with more malicious measures.

Freedom House reports that Syrian authorities “have developed fake Skype encryption tools and a fake VPN application, both containing harmful Trojans.” And a new twist on the tale was recently seen in Iran, where the state has tried entering the VPN marketplace itself.

According to advocacy group Small Media, Iranian authorities experimented in 2013 with setting up their own “official” VPNs.

These VPNs were known to be government-linked but worked perfectly well for checking Facebook or YouTube, so long as users were not put off by government surveillance. Then of course we have the whole issue of private regulation in the form of platform-level VPN blocking.
Video services such as Netflix, Hulu, and BBC iPlayer—with variable levels of efficacy and enthusiasm—have all been using third-party commercial software to block access from IP addresses suspected of being used by VPNs. What does all this mean for the future of privacy software products like VPNs? The signs are mixed.

Tech liberationists are probably right to insist that the distributed nature of cryptography and encryption mean that tech communities will usually find a way around top-down regulation.

And service-providers have many options in the ongoing game of whack-a-mole, such as switching jurisdictions, changing server ranges, and inventing new workarounds. At the same time, we should be careful not to assume that VPNs, voice scramblers, e-mail encryption, or any other technology products are entirely beyond the bounds of regulation at the point of use as well as production. Security agencies are far from powerless in this game, especially when the main aim is to discourage uptake across the board rather than stamp out use among techies. In other words, the nation-state still has a few tricks up its sleeve.

The stakes of this debate will only increase in the coming years as anonymization and privacy technologies enter further into the mainstream of tech culture.
Google warrant fingers culprit A rogue IT manager has been sentenced to 30 months in prison after he changed jobs and decided to take revenge on his former employer. From 2007 to March 2012, Nikhil Nilesh Shah, 33, worked at mobile apps developer Smart Online in North Carolina, US.

After moving on to another job, Shah accessed his old company's servers three months later and deleted large amounts of information, including some of the firm's intellectual property. The FBI began investigating the case and soon fingered Shah as a prime suspect.

After they got a warrant to search his Gmail inbox, the team found incriminating evidence – specifically that Shah had emailed to himself details of the company's servers, plus its Cisco ASA VPN and PIX firewall configurations. In addition, the FBI subpoenaed Facebook and AT&T for their records on Shah.

The Facebook warrant yielded nothing useful, but the AT&T data allowed the Feds to triangulate and pinpoint his location at the time Smart Online was hacked. Even more damning were chat logs from his Google account, which revealed Shah talking about how he could infiltrate Smart Online's servers and boasting that he had hacked his old employer. He was arrested in New Jersey on January 8, 2014. Shah immediately asked for his lawyer and eventually worked out a plea deal with the FBI. He pled guilty to causing the transmission of computer code, damaging computers, and causing loss of at least $5,000 in value. He was sentenced to 30 months in prison on Tuesday this week, and must pay the firm $324,462 in compensation. ® Sponsored: Building secure multi-factor authentication
Cisco Adaptive Security Appliance(ASA)Internet Key Exchange versions 1 and 2(IKEv1 and IKEv2)contains a buffer overflow vulnerability that may be leveraged to gain remote code execution.
The malware once known as AlienSpy is back in action after original domains shut down.
Updated OpenStack Networking packages that resolve various issues are nowavailable for Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) forRHEL 7. Red Hat Enterprise Linux OpenStack Platform provides the facilities forbuilding a private or public infrastructure-as-a-service (IaaS) cloudrunning on commonly available physical hardware. This advisory includespackages for:* OpenStack Networking serviceOpenStack Networking (neutron) is a virtual network service for OpenStack.Just as OpenStack Compute (nova) provides an API to dynamically request andconfigure virtual servers, OpenStack Networking provides an API todynamically request and configure virtual networks. These networks connect'interfaces' from other OpenStack services (e.g. virtual NICs from ComputeVMs). The OpenStack Networking API supports extensions to provide advancednetwork capabilities (e.g. QoS, ACLs, network monitoring, etc.) Before applying this update, ensure all previously released errata relevantto your system have been applied.Red Hat Enterprise Linux OpenStack Platform 6 runs on Red Hat EnterpriseLinux 7.2.The Red Hat Enterprise Linux OpenStack Platform 6 Release Notes contain thefollowing:* An explanation of the way in which the provided components interact toform a working cloud computing environment.* Technology Previews, Recommended Practices, and Known Issues.* The channels required for Red Hat Enterprise Linux OpenStack Platform 6,including which channels need to be enabled and disabled.The Release Notes are available at:https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/6/html/Release_Notes/index.htmlThis update is available through the Red Hat Network. Details on how to usethe Red Hat Network to apply this update are available athttps://access.redhat.com/site/articles/11258Red Hat OpenStack 6.0 for RHEL 7 SRPMS: openstack-neutron-2014.2.3-33.el7ost.src.rpm     MD5: 1af76335ef49842ecea5c651b03aa4c0SHA-256: 014b1db87edaa90e2f7fbd215ade0c198c39f52e3274781b4de2e9c99c10965f python-UcsSdk-     MD5: 842d6110b03731891d1e4a8ffee1d633SHA-256: 924e216e78a955e255ae9aefda4dd23d6f0619b40cf9dc6e580ffb27417b7131 python-neutronclient-2.3.9-2.el7ost.src.rpm     MD5: c62ee49da041ca1619bf59fd7c86c019SHA-256: aa4adf2762b6984a0dd561fa941ab56ad37b4c2fa5deb35c118a08f422c9150a   x86_64: openstack-neutron-2014.2.3-33.el7ost.noarch.rpm     MD5: 37c93bf6a0fbd35d05f784b12873e6efSHA-256: b3f3c052182e29cce515546df0c4131ab5871ce115f3e469dda6a914b71eedfc openstack-neutron-bigswitch-2014.2.3-33.el7ost.noarch.rpm     MD5: eb78d5c05b03cd817ac0c657c064c1baSHA-256: 03bf25d9e985c26d32f592e11e842107ec51d8db7e55810a7dcbd2abd5b7f585 openstack-neutron-brocade-2014.2.3-33.el7ost.noarch.rpm     MD5: 192580a2e292214bb6cb316ca6c0c982SHA-256: d00e1e3269cae62d9c99bcaa11f9c83f7d3439c9bed6b13c18c5f914078d3581 openstack-neutron-cisco-2014.2.3-33.el7ost.noarch.rpm     MD5: 3b3973f9864efece0587f4d1f606c95dSHA-256: 7ace6a9ea7fad7a9022bef12f303a1a26b284ac0771c7de3c61fe1b6f25c1c68 openstack-neutron-common-2014.2.3-33.el7ost.noarch.rpm     MD5: f80af81f0df7e8cd27701b16e9f0fbd6SHA-256: 14deaf0ae0fc263672033ea582e4bdcf8c7bb1b35b126b2a96ba8b19904c4361 openstack-neutron-embrane-2014.2.3-33.el7ost.noarch.rpm     MD5: 0a9ef11ab119b17d030287200786ce52SHA-256: a49caeca54bb0b8c6e3e6eb76653b750b4c590c7a0a8bd1b77b89f78f6eef187 openstack-neutron-hyperv-2014.2.3-33.el7ost.noarch.rpm     MD5: 684825e4168bceea4ba8f51831c8c949SHA-256: 7a3d1506a08c42a1d4b377165f9e51060538ccb2eb9be0cb42a57deebe5fea2d openstack-neutron-ibm-2014.2.3-33.el7ost.noarch.rpm     MD5: e69096f3b77fc2ae3616683ec0d3c4e3SHA-256: 8e5034a3d8c65137bb941d666bba34887a06ec2472b07a06b223011aa9bb24e7 openstack-neutron-linuxbridge-2014.2.3-33.el7ost.noarch.rpm     MD5: 44dd6220a9d238dadd2a24cb17467ee8SHA-256: b4e40cd5509031337f7fba75b4634daa60cd4f4dfaddd839fd6e0aaaf9a9ef1d openstack-neutron-mellanox-2014.2.3-33.el7ost.noarch.rpm     MD5: fa4f1c2703c52ca2cf72f7bb26945142SHA-256: 55b676f1a2ef1cd396e0c64f6d05a510ffab42813a05461103a783097b2bd532 openstack-neutron-metaplugin-2014.2.3-33.el7ost.noarch.rpm     MD5: b679c24c36ecd194ef26f4e17f44ed87SHA-256: dc7e615cd782a394375c627f6de5727a85dbde7db833c5105acc3c8455e1b341 openstack-neutron-metering-agent-2014.2.3-33.el7ost.noarch.rpm     MD5: 8e29443c4389e07a65b1ca8f38fbed34SHA-256: 3ba4722b8e8740b20a6bd5a7ca13d0de4c3d58ecb9db1cbcf51710b5451fb209 openstack-neutron-midonet-2014.2.3-33.el7ost.noarch.rpm     MD5: e7f4d3f1d0fbcea1ddafe2d4e833502fSHA-256: 2c9cce5c76d1c5d6cd71b5b221ffa105099919079366f52f1da61f782138c288 openstack-neutron-ml2-2014.2.3-33.el7ost.noarch.rpm     MD5: 956cee42f568cd9eeceb7339c4bef1e1SHA-256: 4a5c4b34192e7e30ed8dba71308e74be85d633830ca0d22a1f8e45537bb73f1a openstack-neutron-nec-2014.2.3-33.el7ost.noarch.rpm     MD5: ac54e97a2b9322f744aba9c14b4b3da2SHA-256: 88899d713ce571143645f83a8269fcc5320d6cf92ad4464d1f6fe664f07f2d1d openstack-neutron-nuage-2014.2.3-33.el7ost.noarch.rpm     MD5: 281f9c2dceebf00041678b8ecab8e125SHA-256: 76a2e5e6ae466ed532db674301bc025ea92776051dd9cb6debf01ced8adb1d24 openstack-neutron-ofagent-2014.2.3-33.el7ost.noarch.rpm     MD5: 87e741300aaf1969fca40e1e4fd6a200SHA-256: c6b2c2a0a0d796f69173cff025695f3e43baae3ed34a8e567cfdfcdee9a5f070 openstack-neutron-oneconvergence-nvsd-2014.2.3-33.el7ost.noarch.rpm     MD5: d672f7ae8ac1b795a6c8d0c665b09a08SHA-256: 5d7d0b2e5ac541426c24a638075ea7eab372a5d048a556acbf79de8353664f07 openstack-neutron-opencontrail-2014.2.3-33.el7ost.noarch.rpm     MD5: d356022b5ce12c1b0805d2965f17a9cdSHA-256: 2117a2106acd45eca428a31260b5c838ac380b1b59d8bd8fc84af16fc9accc00 openstack-neutron-openvswitch-2014.2.3-33.el7ost.noarch.rpm     MD5: 54c4d218f4ac5f257a328222b68b3dbdSHA-256: df2b27da70117701b3ece3ec2bbfa3a049b72ed84fc67841302ac6d2808363d1 openstack-neutron-plumgrid-2014.2.3-33.el7ost.noarch.rpm     MD5: 39040c7f2246b62f7576ba2e4acdb88fSHA-256: e8eacae778627eac55ba8fedf5913d8ae633bcb9ec6eea6384223c4c65feb347 openstack-neutron-ryu-2014.2.3-33.el7ost.noarch.rpm     MD5: 943911bbafc46e110dec982bc0ae1bcdSHA-256: bb1acb2483005d8f75b7a8ac2959231debcc1761abd53770898e7cfcc36bd603 openstack-neutron-sriov-nic-agent-2014.2.3-33.el7ost.noarch.rpm     MD5: 8efe05ee8018ebd122941753b0bdc731SHA-256: 8d747bc8ef196ff7a0d321cc11387d07a958395c83dfffd950130816d5701f55 openstack-neutron-vmware-2014.2.3-33.el7ost.noarch.rpm     MD5: fec1eecb7d8892b7dfaa67752c2f1c25SHA-256: d70f9a00d4128c174f855fe18606c778851cb8edef4a1933512bc47600930447 openstack-neutron-vpn-agent-2014.2.3-33.el7ost.noarch.rpm     MD5: 40ca4a7051fb53026bb27a2f640f2bd4SHA-256: ba7e5e378fb0590c9f91afc9393b13563994042b158557ea45ef09812075babc python-UcsSdk-     MD5: 03903a68d36c8ed0e7cf8e8dbd67fb75SHA-256: 44be32e38735ba57f24d7f8dfabf0942461865a5e2069a65f6ea54457f3d8133 python-neutron-2014.2.3-33.el7ost.noarch.rpm     MD5: 5761a1239b7c02fa01ff618d63a3075eSHA-256: ddd6f33a1601911b2016d0588c37a34e21cfb768075a88c4f07ae12cd45b3ee3 python-neutronclient-2.3.9-2.el7ost.noarch.rpm     MD5: da2ffee34671239ea1095a578e6c3373SHA-256: 0418dac7c84c2651225b44c2c10eae1733f7f0040279fa7ce0ce0011cb658819   (The unlinked packages above are only available from the Red Hat Network) 1250137 - ipset functional tests assume system capability1266975 - ipset - Hash is full, cannot add more elements1277859 - Backport UCS Manager code to OSP 61278786 - python-neutronclient should pass additional arguments to client.construct_http_client into keystoneclient1291687 - Backport: L3 agent: explicit call to resync on init may lead to double syncing1292589 - neutron-l3-agent cannot correctly create routers on RHEL 7.21297908 - Add python-UcsSdk to RHEL OSP 61297946 - DBDeadLock Error deleting floating IP1298598 - AssertionError: Calling waitall() from within one of the GreenPool's greenthreads will never terminate These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
PayPal cuts off UnoTelly, which touts geo-blocking circumvention to customers.
Insecure commercial and internal mobile app coding practices leave the door wide open to cyber attackers, a security researcher has discovered. A lot emphasis is placed on the millions of mobile malware samples being detected, but insecure apps could represent an even greater threat, according to an analysis of the top 1,000 apps. “A scan of just over 600 of the top apps so far shows a very obvious and alarming trend,” said James Lyne, global head of security research at Sophos. “Programming practices are pretty bad despite there being ready-made security functionality available to consumers, but this is just not being used,” he told Computer Weekly. Although the study includes relatively few in-house mobile apps, Lyne said that so far, most are lining up with the worst of the commercial applications. The study compares the maturity of app development in the mobile and traditional desktop worlds, focusing on the use of encryption, data transmission, authentication and data storage. “It is really no surprise that these two worlds are not in alignment, but it is quite shocking how many applications, including large brands, are failing to make use of the security features available on mobile devices,” said Lyne. Despite the existence of easy-to- use application program interfaces (APIs) that will perform proper validation of the transport [layer], most app developers continue to use older, less secure methods of exchanging data.   The study shows that an alarming majority of apps are failing to do things such as certificate pinning or public key pinning to prevent man-in-the-middle attacks. “Many developers seem to be using recycled code for making connections that they have simply copied from somewhere that will accept any certificate, enabling attackers to steal data easily on open Wi-Fi connections unless a VPN [virtual private network] connection is being used, but relatively few people do,” said Lyne. Local storage of data Another area of common failings is local storage of data. Although most of the latest iOS and Android devices will do volume-based encryption by default and provide very good functionality to store “secrets” that have extra encryption applied and are unlocked only if the app is authenticated, Lyne said this functionality is used very poorly and inconsistently by most mobile apps. “Only around 3% of apps stick to an astonishing amount of best practice, like the Twitter app which has two-factor authentication, but then there is this cliff where all of the best standards and practices are not applied and all the data is put into the same unimportant bucket to be stored on the device,” he said. The result is a very weak app ecosystem, where app A can see data from app B and there is a “flat” data model on the device, similar to that which was on PCs up until a few years ago. The study also focuses on the use of credentials and authentication, and has found this to be another area of poor practice in about 90% of the apps analysed. Credentials are often sent “over the wire” using just hashing, often with outdated mechanisms such as MD5 and SHA-1, without salting instead of using standards such as OAuth and SAML.   “The majority of the authentication we have seen uses models that are abysmally poor,” said Lyne. “Loads of MD5 passwords unhashed are being sent, which requires the user to have an incredibly strong password to avoid it being cracked. Authentication poorly deployed “Authentication, which should be a very solved problem in 2016 with all the wonderful program libraries available and all the functionality built into mobiles, is very poorly deployed,” he added. In many cases, simply adding a single argument to the code would turn on the built-in functionality that would fix the problem, said Lyne. In some of the latest Android releases, he said, Google has done some “amazing work” to implement security features in the operating system. “We are seeing some really good generic exploit prevention in Android, but on top of that you have this layer of apps that are failing to do the security basics and check for basic flaws,” he added.   Lyne blames the huge focus on rapid app development over “quality solution engineering” and “almost no investment” in checking mobile apps for poor programming practices. “Any rudimentary penetration testing or quality assurance processes as part of a software development lifecycle would catch stuff like this,” said Lyne. The risk to the enterprise is that this failure to do rudimentary security controls can be picked up by attackers using any source code scanner, he said. “At the same time, businesses are putting pretty much the same sensitive company data on mobiles as they have put on PCs in the past, and tend to trust mobiles more than PCs,” he said. “But this study shows that the mobile industry does not have the same checks and balances or the same maturity.” This means the fear that mobiles will become an easy route for attackers into the enterprise is likely to be realised as the lines between PCs and mobiles continue to blur. “The lack of security basics in mobile apps and processes for checking flaws is a really bad combination now, but in one or two years’ time, when there is even more data on mobiles and they have an even greater position of trust, we are likely to end up with a really nasty mess,” said Lyne. Attackers are aware of this situation and could already be exploiting the fact that most mobile apps are “leaving the door wide open”, but it is hard to quantify that, he said. And even if it is not being exploited yet, Lyne said: “We are building an ecosystem with massive trust on one side and a provable lack of integrity on the other, which is a terrible combination that could really burn us.” We are building an ecosystem with massive trust on one side and a provable lack of integrity on the other, which is a terrible combination that could really burn us James Lyne, Sophos He believes there is an urgent need for fundamental change, but says regulation is unlikely to deliver the necessary results. “It is very difficult to create a regulatory framework that has sufficient specificity to drive the desired technical behaviours,” said Lyne. However, he said some legal action could be taken in light of the fact that some failures are so great and tantamount to releasing a car to market without testing the brakes once, that they could be classified as “negligence” and challenged legally. But even if regulators or others challenge the status quo on grounds of negligence, Lyne said it is unlikely to drive any significant change. “What is really required would be a change in consumer or end-user values to believe that mobile application security is important, but that is unlikely given the trust people have in mobiles and the fact that most are completely unaware of the flaws,” he said. “The only thing likely to break the back of it is a really, really bad or nasty series of incidents that force companies to make changes due to bad press and consumers becoming more wary and demanding in terms of security. But in the meantime, who knows how much data siphoning is occurring.”