StackCommerce
The world is opening up again to travel, but while you’re researching all the best travel tech you’ll need to take with you, don’t forget to grab a VPN subscription before you go. Not only will you want to stay safe on public WiFi in all those neat cafes, but you may want to pass the time in airports watching some of your favorite content from back home and it could be restricted in your location. A good VPN is key to your security and a big help with entertainment, so take a look at some of the bargains on offer at the moment.

FastestVPN: Lifetime subscription (10 devices)Get the utmost privacy and protection on up to 10 devices with military-grade encryption, NAT firewall, strict no-logging policy, and a kill switch. With 200 high-speed servers and unlimited bandwidth, you can access unrestricted content, and USA Netflix is supported.For a limited time only, get FastestVPN: Lifetime Subscription (10 Devices) for $17.49 (reg. $1200) with code ANNUAL30.Ivacy VPN: Lifetime subscriptionEnjoy powerful 256-bit encryption, completely anonymous P2P file-sharing and unrestricted access to bufferless HD video all at blazing fast speeds with over 1,000 servers in more than 100 worldwide locations. Also defeat port blocking and ISP speed throttling, log in onto up to five devices simultaneously.For a limited time only, get Ivacy VPN: Lifetime Subscription for $27.99 (reg. $1194) with code ANNUAL30.SurfShark VPN: Two-year subscriptionThis is the only VPN that allows you to connect an unlimited number of devices simultaneously, as well as use unlimited data and unlimited bandwidth. You also get ultimate protection and privacy with military-grade encryption, IPv6 leak protection, zero-knowledge DNS and a kill switch. Over 1,200 torrent-friendly servers let you bypass geo-restrictions to enjoy unrestricted content.For a limited time only, get SurfShark VPN: 2-Yr Subscription for $39.89 (reg. $290) with code ANNUAL30.BulletVPN: Lifetime subscription

Enjoy an enhanced browsing, content viewing, and gaming experience thanks to the premium grade carrier lines that provide the fastest possible speed on hundreds of highly encrypted servers. Unblock the top video sites such as Netflix, Amazon Prime Video, Hulu, BBC iPlayer and more.For a limited time only, get BulletVPN: Lifetime Subscription for $27.29 (reg. $540) with code ANNUAL30.Disconnect VPN Premium: Lifetime subscriptionKeep your data safe while increasing the speed of your internet connection. Block tracking and mask your location to access geo-restricted content. This is the New York Times anti-tracking tool of choice.Get Disconnect VPN Premium: Lifetime Subscription for $13.99 (reg. $300) with code ANNUAL30.SlickVPN: Lifetime subscriptionWith more than 125 gateways located in over 45 countries, SlickVPN uses connections with bank-grade 256-bit encryption to mask your traffic from everyone and provide HYDRA protection to keep you safe no matter where you are. Yet, you will still enjoy unthrottled speed while accessing your favorite content without geo-restrictions.For a limited time only, get SlickVPN: Lifetime Subscription for $13.99 (reg. $1200) with code ANNUAL30.KeepSolid VPN Unlimited: Lifetime subscriptionGet ultimate privacy and protection with military-grade AES 256-bit encryption and a zero log policy, with 24/7 customer support and no limits on speed or bandwidth. Enjoy the convenience of over 400 servers in more than 80 locations across the globe, as well as features such as Favorite Servers, Trusted Networks and more.For a limited time only, get KeepSolid VPN Unlimited: Lifetime Subscription for $27.99 (reg. $199) with code ANNUAL30.VPN.asia: 10-year subscriptionUsing high-strength 256-bit encryption, VPN.asia protects your data and hides your location while running in the background so it won’t slow down your internet connection. Best of all, it can easily be used on a wide variety of devices, including Amazon Firestick, Android TV and much more.For a limited time only, get VPN.asia: 10-Year Subscription for $55.99 (reg $290) with code ANNUAL30.NordVPN: Two-year subscription + $10 store creditThis is the service that was rated a perfect 5 out of 5 stars by PCMag, CNET and TrustPilot. It offers bulletproof security with double encryption (double data SSL-based 2048-bit encryption), a strict zero-logs policy and automatic kill switch. And you can still enjoy unrestricted instant high-speed access to your favorite content.For a limited time only, get NordVPN 2-Yr Subscription + $10 Store Credit for $62.30 (reg. $286) with code ANNUAL30.Private Internet Access VPN: Two-year subscription + $15 store creditGet access to more than 10,000 servers in over 70 countries and enjoy unlimited bandwidth at lightning-fast speeds on up to 10 devices simultaneously. Your privacy is secured by the no-logging policy and powerful encryption provided by the impressive Blowfish CBC algorithm protects your data.For a limited time only, get Private Internet Access VPN 2-Yr Subscription + $15 Store Credit for $48.97 (reg. $268) with code ANNUAL30.

ZDNet Recommends More

Peloton has refuted claims made in an “urgent” US safety advisory warning of the risk to children caused by the Tread+. 

The Peloton Tread+, a treadmill that includes Internet and Bluetooth connectivity, a built-in soundbar, and display, is a product offered by Peloton designed to link to real-time exercise classes for users over 16 years of age. On April 17, the US Consumer Product Safety Commission (CPSC) released a video showing two children playing on a Tread+, one of which became temporarily trapped.  The CPSC then published a public health and safety notice to US consumers, urging users with children to “stop using the product immediately.” According to the US agency, the Peloton Tread+ has been linked to 39 incidents involving children and pets, with potential risks including abrasions and fractures. The death of a child has been recorded.  The commission has launched an investigation into the fatality, which was disclosed by Peloton in March. At the time, in a letter to users, Peloton CEO and co-founder John Foley said the company designs and builds products “with safety in mind,” but urged users to “keep children and pets away from Peloton exercise equipment at all times.” Separately, a three-year-old boy suffered head and neck injuries after becoming trapped under a Tread+, leading to what the CPSC calls “significant brain injury.”

“Peloton was shocked and devastated to learn in March that a child died while using the Tread+,” Peloton said. “Within a day of learning this news, Peloton notified CPSC. While preparing its report to CPSC, Peloton learned through a doctor’s report to CPSC’s public database that a child had experienced a brain injury. Peloton spoke to the family who reported that and the child is expected to fully recover.” “In light of multiple reports of children becoming entrapped, pinned, and pulled under the rear roller of the product, CPSC urges consumers with children at home to stop using the product immediately,” the agency warned.  According to the CPSC, one safety incident may have occurred when a parent was using the treadmill, and it may be that “the hazard cannot be avoided simply by locking the device when not in use.”  The US agency recommends that consumers should keep their Tread+ in a locked room and other objects, such as exercise balls, should be kept well away. In response to the alert, Peloton issued its own statement branding the advisory as “misleading” and “inaccurate.” “There is no reason to stop using the Tread+, as long as all warnings and safety instructions are followed,” the company said. “Children under 16 should never use the Tread+, and members should keep children, pets, and objects away from the Tread+ at all times.”   Peloton has also asked users to detach the Safety Key when the treadmill is not in use, as this would prevent the Tread+ from being inadvertently turned on, “precisely to avoid the kind of incident that [the CPSC’s] video depicts.” Furthermore, Peloton claims that the company was willing to make a joint statement with CPSC concerning the safety worries, but the agency “unfairly characterized Peloton’s efforts to collaborate and to correct inaccuracies in CPSC’s press release as an attempt to delay.” In a follow-up note, Peloton’s CEO said there was no obstruction to the investigation, with the exception of the agency’s demands for personal data from customers that requested this information was withheld. “Peloton is disappointed that, despite its offers of collaboration, and despite the fact that the Tread+ complies with all applicable safety standards, CPSC was unwilling to engage in any meaningful discussions with Peloton before issuing its inaccurate and misleading press release,” Peloton added.  Foley says the company has “no intention” of recalling or stopping sales of the Tread+.  Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Facebook has published new findings that unveil two Palestinian organisations have been running cyberespionage campaigns against government officials, student groups, and security forces.The two groups both used fake and compromised social media accounts posing primarily as young women, and also as Fatah or Hamas supporters, various military groups, journalists, and activists to build trust with people in order to trick them into installing malicious software.According to Facebook, one group dubbed as Arid Viper has been linked to the cyber arm of Hamas. Meanwhile, the other is linked to the Palestinian Preventive Security Service (PSS), one of the security arms of Palestine, where the current president is a member of the Fatah party. Fatah and Hamas have been engaged in a civil war since 2006.Publishing a threat report [PDF] of Arid Viper’s activity, Facebook said the threat actor used fully functional custom iOS surveillanceware that was capable of stealing sensitive user data from iPhones without requiring the devices to be jailbroken. The surveillanceware, labelled as Phenakite, was trojanised inside fully functional chat applications that used the open-source RealtimeChat code for legitimate reasons. This malware could also direct victims to phishing pages for Facebook and iCloud in order to steal credentials for those services. As this process used legitimate developer certificates, iOS devices did not need to be jailbroken to be surveilled. While Phenakite did not require a jailbreak for installation, once on a device, it needed to adhere to the usual operating system security controls that prevent access to sensitive information from unauthorised applications. To circumvent that, Phenakite came bundled with the publicly available Osiris jailbreak and the Sock Port exploit, which meant that Phenakite was capable of using Osiris to jailbreak all 64-bit devices on iOS 11.2 to 11.3.1 or the Sock Port exploit to extend this to devices running iOS 10.0 to 12.2 If the Osiris jailbreak was successful, Phenakite could then retrieve photos from the camera roll, take images with the device camera, retrieve contacts, silently record audio, access documents and text messages, and upload WhatsApp data.

The Android malware deployed by Arid Viper, meanwhile, required victims to install apps from third-party sources on their devices. The group used hundreds of attacker-controlled sites, along with the aforementioned fake social media accounts, to create the impression that the apps were legitimate in order to convince victims into installing them. The trojanised chat applications in both Android and iOS were primarily pretending to be dating apps. Examples of the trojanised chat applications.
Image: Facebook
In all instances, the successful installation of these tools did not require any exploits, which the report said suggests that Arid Viper operators heavily relied on social engineering to distribute their malware. Of particular concern to Facebook was that Arid Viper’s use of custom surveillanceware demonstrated that this capability was becoming increasingly attainable by adversaries even if they are not as technologically sophisticated. “As the technological sophistication of Arid Viper can be considered to be low to medium, this expansion in capability should signal to defenders that other low-tier adversaries may already possess, or can quickly develop, similar tooling,” Facebook said. Meanwhile, PSS used similar tactics of utilising social engineering to coerce their targets into installing Android and Microsoft malware, Facebook said. PSS malware, once installed onto devices, collected information such as device metadata, call logs, location, contacts, and text messages. In rare cases, it also contained keylogger functionality.Rather than targeting pro-Fatah individuals, the PSS used its malware to targets various groups, including people opposing the Fatah-led government, journalists, human rights activists, and military groups including the Syrian opposition and Iraqi military.According to Facebook, these findings are the first public reporting of this particular cyberespionage activity conducted by PSS.   Following the investigation into the conduct of Arid Viper and PSS, Facebook has released a set of indicators addressing such activity. The indicators include 10 Android malware hashes, two iOS malware hashes, eight desktop malware hashes, and 179 domains.Facebook has also notified targeted individuals and industry partners, which led to Arid Viper’s developer certificates being revoked and various accounts and websites being blocked or removed. Last month, Facebook said it disrupted a network of hackers tied to China that were attempting to distribute malware via malicious links shared under fake personas. The malware allegedly targeted around 500 users.Related Coverage More

A new Android trojan has been identified by security researchers, who said on Monday that once it is successfully installed in the victim’s device, those behind it can obtain a live stream of the device screen and also interact with it via its Accessibility Services.

The malware, dubbed “Teabot” by security researchers with Cleafy, has been used to hijack users’ credentials and SMS messages to facilitate fraudulent activities against banks in Spain, Germany, Italy, Belgium, and the Netherlands.Cleafy’s Threat Intelligence and Incident Response team first discovered the banking trojan in January and found that it enabled fraud against more than 60 banks across Europe. By March 29, Cleafy analysts found the trojan being used against Italian banks and by May, banks in Belgium and Netherlands were also dealing with it. Research shows that Teabot is still under development but initially only focused on Spanish banks before moving on to banks in Germany and Italy. The malware now is currently supporting 6 different languages, including Spanish, English, Italian, German, French, and Dutch. The app was initially named TeaTV before repeatedly switching titles to “VLC MediaPlayer,” “Mobdro,” “DHL,” “UPS,” and “bpost.” “When the malicious app has been downloaded on the device, it tries to be installed as an “Android Service,” which is an application component that can perform long-running operations in the background. This feature is abused by TeaBot to silently hide from the user, once installed, preventing also detection and ensuring its persistence,” the Cleafy report said. Once the TeaBot is installed, it will request Android permissions to observe your actions, retrieve window content, and perform arbitrary gestures. ‍When the permissions are granted, the app will remove its icon from the device, according to Cleafy study.

Saumitra Das, CTO of cybersecurity firm Blue Hexagon said Teabot represents a shift in mobile malware from just being a sideline issue to being a mainstream problem just as malware on traditional endpoints. “Threat actors realize the true potential of mobile devices and the threat they can pose to the end-user,” Das said.  “It is important to remember that even though the apps are not on Google Play, the phishing/social engineering tactics used by the actors behind Teabot/Flubot are as good as any threat family on the PC side; that within a short time frame, they can manage to get a huge infection base. These threats should not be underestimated.” More

Special Feature Enterprises are seeing more mobile and Internet of things attacks amid broad threat surfaces and security lapses, according to a Verizon report. Verizon’s Mobile Security report for 2020, which is based on 1,100 cybersecurity and business professionals, lays out some the landscape. To wit: 43% of companies have said they have sacrificed security. […] More