The Office of the Australian Information Commissioner (OAIC) has asked that the powers given to the minister responsible under the pending Critical Infrastructure Bill, which would allow them to step in when a cybersecurity incident has occurred, be further defined to take into account the impact on individuals’ privacy.
The Security Legislation Amendment (Critical Infrastructure) Bill 2020 introduces a government assistance regime that provides powers to protect assets during or following a significant cyber attack. This includes the power to authorise information gathering directions, action directions, and intervention requests.
The Bill proposes that where an appropriate ministerial authorisation is in force, the Department of Home Affairs secretary can compel relevant entities to produce any information that may assist with determining whether power should be exercised in relation to the incident and asset in question.
“The secretary may also direct an entity ‘to do, or refrain from doing, a specified act or thing’,” the OAIC highlighted in its submission [PDF] to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) and its review into the Bill.
“This broad power should be balanced with appropriate safeguards, oversight, and accountability to ensure it is proportionate.”
The OAIC recommended that, in deciding whether or not to give the necessary authorisation, the minister responsible should be required to consider the privacy impacts of the exercise of these powers insofar as they apply to “business critical data” or other data that may include personal information.
“In our view, this would help to build both industry and community trust and confidence in the proposed framework,” the OAIC wrote. “This requirement to consider privacy could be included in the matters that the Minister must have regard to when determining whether a direction or request is a proportionate response to a cybersecurity incident, as under ss 35AB (8) and (11).”
The OAIC said there is precedent for this approach in the Telecommunications (Interception and Access) Act 1979.
It also recommended the committee consider an amendment to ensure disclosure of protected information is permitted for the purposes of giving effect to the exercise of the information commissioner’s privacy functions.
“The OAIC wishes to ensure that the restrictions on an entity making a record of, using or disclosing protected information under [parts of the] Act do not limit the ability of the OAIC to exercise its privacy functions, or prevent entities from disclosing information required for compliance with and the administration of the Privacy Act,” it said.
The OAIC has also asked for an amendment to the Australian Information Commissioner Act 2010 to permit information sharing between regulatory agencies. The last recommendation is that the explanatory memorandum makes reference to the commissioner’s guidance function to indicate that it is intended that the OAIC is consulted in relation to any guidance on the personal information-handling obligations that would apply to the scheme.
Need a security key to protect your online accounts? Need one that will work on iPhone, Android, or pretty much any modern laptop or desktop system running Windows, macOS, or Google Chrome? Don’t want to spend more than $30? You need the YubiKey Security Key C NFC, and there’s a lot to like about it:
- Works out of the box
- Supports both the FIDO U2F and FIDO2/WebAuthn authentication protocols
- Compatible with hundreds of popular websites and applications, including Gmail, YouTube, Dropbox, Twitter, Coinbase, Microsoft accounts (such as Office 365, Xbox Live, etc.), and a huge range of password managers
- Built-in NFC support
- Tamper resistant, water resistant, and crush resistant
- Small and highly portable
USB-A users need not feel left out: Yubico sells a USB-A version of the key for $25, with all the other benefits of the Security Key C NFC (including NFC) and just a different connector.
Amazon’s Alexa voice assistant could be exploited to hand over user data due to security vulnerabilities in the service’s subdomains. The smart assistant, which is found in devices such as the Amazon Echo and Echo Dot, with over 200 million shipments worldwide, was vulnerable to attackers seeking user personally identifiable information (PII) and voice recordings.
Check Point Research said on Thursday that the security issues were caused by Amazon Alexa subdomains susceptible to Cross-Origin Resource Sharing (CORS) misconfiguration and cross-site scripting (XSS) attacks.
When Check Point first began examining the Alexa mobile app, the researchers found that it used SSL certificate pinning, which prevents its traffic from being intercepted and inspected. The pinning could be bypassed with the Frida universal SSL unpinning script, after which the app’s requests could be examined.
Inspecting that traffic revealed a misconfigured CORS policy: the Alexa endpoints honoured Ajax requests originating from other Amazon subdomains, so a script running on any such subdomain could make requests to them on the user’s behalf.
That made any Amazon subdomain with a code-injection flaw a launch point. Check Point found cross-site scripting (XSS) on two of them, track.amazon.com and skillsstore.amazon.com, and carried out the attack from there.
According to Check Point, exploiting the chain required only that the victim click a malicious link. A victim sent to one of the vulnerable subdomains by a phishing message, for example, would run the injected code, which could steal their Amazon-related cookies.
With those cookies, an attacker could send an Ajax request to the Amazon skill store, and the response would return a list of all the skills installed on the victim’s Alexa account.
Through the XSS, the researchers were also able to acquire CSRF tokens and therefore perform actions while masquerading as the victim, including removing or installing Alexa skills. Using the CSRF token to remove a skill and then install a new one with the same invocation phrase could “trigger an attacker skill,” the team says.
Should a victim trigger this new skill unwittingly, it may be possible for attackers to access voice history records, as well as abuse skill interactions to harvest personal information.
During tests, Check Point found that phone numbers, home addresses, usernames, and banking data history could theoretically be stolen.
“Amazon does not record your banking login credentials, but your interactions are recorded, and since we have access to the chat history, we can access the victim’s interaction with the bank skill and get their data history,” the team says. “We can also get usernames and phone numbers, depending on the skills installed on the user’s Alexa account.”
However, Alexa does specifically redact banking information in histories and logs.
Check Point also provided proof-of-concept (PoC) code.
Skill abuse is an interesting form of attack and a potential way for cyberattackers to enter our homes — although the time window before malicious skills are spotted and removed may be short.
“It’s important to note that Amazon conducts security reviews as part of skill certification, and continually monitors live skills for potentially malicious behavior,” the researchers say. “Any offending skills that are identified are blocked during certification or quickly deactivated.”
Check Point researchers disclosed their findings privately to Amazon in June, and the security issues have now been patched.
“We conducted this research to highlight how securing these devices is critical to maintaining users’ privacy,” commented Oded Vanunu, Check Point’s Head of Products Vulnerabilities Research. “Thankfully, Amazon responded quickly to our disclosure to close off these vulnerabilities on certain Amazon/Alexa subdomains. We hope manufacturers of similar devices will follow Amazon’s example and check their products for vulnerabilities that could compromise users’ privacy.”
“The security of our devices is a top priority, and we appreciate the work of independent researchers like Check Point who bring potential issues to us,” an Amazon spokesperson told ZDNet. “We fixed this issue soon after it was brought to our attention, and we continue to further strengthen our systems. We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed.”