More stories

  • IPVanish review: A VPN with a wealth of options

    IPVanish sells itself short. This VPN service offers a lot more capability than it promotes on its home page. If you visit the IPVanish website, you’ll see all the usual stuff that you’d expect from a VPN provider. There’s the claim that it’s “the world’s best VPN”; information about the advantages of secure browsing; a list of testimonials from media outlets and customers; pricing; and a list of apps. In other words, the same stuff you’re going to see when you visit the websites of most other VPN providers.

    What IPVanish doesn’t tell you is that it’s rich with options and information. While its app certainly makes it easy to just click-and-go, if you want to make an informed server choice, choose protocols, protections, and options, IPVanish gives you that capability.

    The thing is, you only discover this wealth of options and browsing controls once you’ve created an account and downloaded and installed the app. For users new to VPNs, it makes sense to hide the power behind a bunch of tabs. But IPVanish might attract more informed users (and influencers who recommend software to others) by providing a tab on its website about the options and power it provides to users who dig a little deeper.

    IP Addresses: 40,000+
    Servers: 1,900+
    Locations: 75+
    Simultaneous connections: unlimited (terms of service apply)
    Kill switch: yes
    Logging: no
    Price: $10.99 per month, or $44.99 per year
    Best deal: $44.99 for one full year (renewals thereafter at $89.99/year)
    Trial: 30-day money-back guarantee
    Supported platforms: iOS, Android, MacOS, Windows, Linux, routers, Amazon Fire devices, any Android-based media device

    Server selection options

    I like how IPVanish provides the opportunity for VPN geeks to dig deeper into its connection settings. At the basic level, there’s a Quick Connect option that allows you to just push a Connect button and be up and running. But if you want to explore more deeply, you can hit the Server List tab. I like the Map tab the best, because it shows both the cities where servers are located and the number of servers in each city. The list view allows you to search for a location, and then sort by a variety of criteria. Filter combines both country specification and required latency. I chose

  • iProVPN deal: Get lifetime protection for only $40

    It looks like remote or hybrid models will be the new normal well into the future for both work and education. But while most people think their home network is utterly secure, that really isn’t always the case. Not to mention, a great many people will often be tempted to work in a variety of locations, which means using public WiFi networks that are notoriously vulnerable to hackers. Why take chances with your privacy and the security of your data when a lifetime of powerful protection from iProVPN is so affordable?

    iProVPN includes several features to provide bulletproof protection to your privacy and your sensitive personal information. There is military-grade AES 256-bit Encryption to scramble your data so third parties can’t get anywhere near it. You also have a kill switch to immediately cut your connection to the internet if there is any disruption to your VPN server connections.

    But iProVPN also makes your experience a top priority, so your VPN service does not slow down your connection speeds. It also utilizes split tunneling, so that only selected traffic will actually pass through the VPN servers, allowing you to continue enjoying native content.

    While it will be a huge relief not to have to worry any longer about your identity, data, and online activities being exposed, iProVPN gives you the freedom to watch whatever you want no matter where you are, as well. You can instantly switch between more than 250 servers in over 20 countries, so you will easily bypass any geo-restrictions you might encounter on up to 10 devices simultaneously. Also, since iProVPN allows completely unlimited bandwidth, you can enjoy speedy downloading and high-quality streaming without having to worry about buffering or hitting any data caps.

    iProVPN has been featured on Engadget, MSN, Forbes, TNW, and more. And the service has garnered an extremely impressive average rating of 4.8 out of 5 stars on Trustpilot.

    Don’t miss this chance to get a lifetime of ultimate protection for your privacy and your most confidential personal data, as well as have access to high-quality content worldwide. Get iProVPN: Lifetime Subscription today while it’s currently available for only $39.99.


  • Critical IoT security camera vulnerability allows attackers to remotely watch live video – and gain access to networks

    Security vulnerabilities in millions of Internet of Things (IoT) devices, including connected security cameras, smart baby monitors and other digital video recording equipment, could allow cyber attackers to compromise devices remotely, allowing them to watch and listen to live feeds, as well as compromise credentials to prepare the ground for further attacks.

    The vulnerabilities in IoT devices that use the ThroughTek Kalay network have been disclosed by cybersecurity company Mandiant in coordination with the Cybersecurity and Infrastructure Security Agency (CISA) and ThroughTek.


    It’s tracked as CVE-2021-28372 and carries a Common Vulnerability Scoring System (CVSS) score of 9.6 — classifying it as a critical vulnerability. Upgrading to the latest version of the Kalay protocol (3.1.10) is highly recommended to protect devices and networks from attacks.

    While Mandiant hasn’t been able to compile a comprehensive list of all the affected devices, ThroughTek’s own figures suggest that 83 million connected devices are connected through the Kalay network.

    Previous research by Nozomi Networks also found vulnerabilities in ThroughTek, but the new vulnerabilities disclosed by Mandiant are separate and allow attackers to execute remote code on devices.

    Researchers were able to combine disassembling ThroughTek libraries via official apps from both the Google Play Store and Apple App Store with developing a fully functional implementation of ThroughTek’s Kalay protocol. This allowed key actions to be taken, including device discovery, device registration, remote client connections, authentication, and the processing of audio and video (AV) data.

    By writing an interface for creating and manipulating Kalay requests and responses, researchers could identify logic and flow vulnerabilities in the Kalay protocol — most notably, the ability to identify and register devices in a way that allows attackers to compromise them.

    Attackers achieve this by obtaining a Kalay-enabled client device’s uniquely assigned identifier, which can be discovered via web APIs such as mobile applications. Once they’ve obtained the UID of a device, they can register it, which causes Kalay servers to overwrite the existing device, directing attempts to connect to the device into the path of the attacker.

    By doing this, attackers can obtain the username and password needed to access the device, which they can then use to access it remotely — complete with the ability to monitor audio and video data in real time.

    “Once an attacker obtained UIDs, they could redirect client connections to themselves and obtain authentication materials to the device. From there, an attacker could watch device video, listen to device audio, and potentially compromise the device further depending on device functionality,” Erik Barzdukas, manager of proactive services at Mandiant Consulting, told ZDNet.

    Not only is this a massive privacy violation for the users, particularly if the cameras and monitors are installed inside their own homes, but compromised devices in enterprise settings could allow attackers to snoop on sensitive discussions and meetings, potentially providing them with additional means of compromising networks.

    There’s also the potential for devices to be recruited into a botnet and used to conduct DDoS attacks.

    “This vulnerability could potentially allow for remote code execution on the victim device, which may be used maliciously in a variety of its own ways, like potentially creating a botnet out of the vulnerable devices or further attacking devices on the same network as the victim device,” said Barzdukas.

    Exploiting CVE-2021-28372 is complex and would require time and effort from an attacker. But that doesn’t make it impossible, and the vulnerability is still considered critical by CISA.

    Mandiant is working with vendors who use the Kalay protocol to help protect devices from the vulnerability, and recommends that no matter the manufacturer, IoT users should regularly apply patches and updates to devices to ensure they’re protected against known vulnerabilities.

    “Regardless of whether you own one of the impacted devices, Mandiant strongly recommends consumers and businesses with smart devices keep their devices and applications up to date,” said Barzdukas.

    “Consumers and businesses need to set aside time — at least once a month — to check if their smart devices have any updates to install,” he added.

    “As an IoT solution provider, we are continuously upgrading sufficient software and cloud service to provide higher security mechanisms to apply in devices, connections, and client app. Although we cannot limit what API/function that developers will use in our SDK, ThroughTek will strengthen our educational training and make sure our customers use it correctly to avoid a further security breach,” a ThroughTek spokesperson told ZDNet.

    “Also, we have been working with CISA to mitigate this vulnerability,” they added.

    Mandiant’s security disclosure thanks ThroughTek — and CISA — “both for their cooperation and support with releasing this advisory and commitment to securing IoT devices globally”.

  • OCR Labs granted accreditation as first private 'trusted' government ID operator

    Australian-based OCR Labs has become the first accredited non-government operator that provides digital identity services to the private sector under the federal government’s Trusted Digital Identity Framework (TDIF).

    By becoming an accredited provider, OCR Labs now ensures its private sector customers, such as those in banking, finance, and telecommunications that are using its identity services can “trust that their identity information can be verified, and is protected”, Minister for Employment, Workforce, Skills, Small and Family Business Stuart Robert said.

    “We want Australians to have confidence that their information is private and secure, regardless of who holds it. It has become increasingly important in this digital age to be able to establish trust, particularly online,” he said.

    OCR Labs applied for accreditation in February and was required to undergo a series of evaluations to ensure it met the TDIF standards, rules, and guidelines that set out best practices for digital identity services.

    OCR Labs satisfied 262 TDIF requirements, including protective security, privacy assurance, risk management, usability, and accessibility, and demonstrated it met the applicable requirements of the fourth iteration of the TDIF, which was published in May 2020. The company will be required to continually demonstrate it meets the TDIF obligations by undertaking annual assessments. OCR Labs intends to further enhance its TDIF accreditation to Identity Proofing Level 2 Plus before the end of 2021.

    “Digital Identity underpins the government’s Digital Economy Strategy that will allow Australian businesses like OCR Labs, and in particular small business, to capitalise on the opportunities that digital technologies are creating, enabling them to grow and create jobs as part of Australia’s economic recovery,” Robert said.

    The federal government’s myGovID was the first to be granted a TDIF accreditation, followed by Australia Post’s Digital ID. Eftpos said it has also applied for its ConnectID to become TDIF accredited.

    Elsewhere, the federal government announced it has transitioned to the Australian Immunisation Register (AIR) to source all information related to the nation’s COVID-19 vaccine rollout.

    Previously, data was a mix between self-reported information about the number of doses administered by each jurisdiction, and the aged care and disability sector, and AIR for primary care. The transition to AIR will now include information about doses administered by the Australian Defence Force, Department of Foreign Affairs and Trade, and Australian Institute of Sport (AIS), which vaccinated the Australian Olympic Team as part of primary care, as well as the total number of doses for each jurisdiction from all channels and data derived from AIR, plus metrics on people with at least one dose and people who are fully vaccinated.

    The Department of Health touted the move as one that would provide access to more “comprehensive and consistent data”.

    “Transitioning to AIR reporting ensures data is consistent and aligned across all reporting,” it said.

    “Jurisdictions have access to AIR so all governments in Australia have the same information base. The update of vaccination information into AIR is generally within 24 hours of the vaccination taking place.”

    Collating COVID-19 vaccination data comes off the back of Australia’s Data and Digital ministers agreeing on Friday to a national data sharing work program, following the signing of the Intergovernmental Agreement on Data Sharing by all Australian governments at the National Cabinet in early July. The agreement to work on a data-sharing work program was first raised during a meeting between the ministers back in April.

    According to the communique from the latest meeting, the ministers have agreed to take action to address national priority data sharing areas. These initial areas will include natural hazards and emergency management, waste management, and road safety, with plans that future priority data sharing areas will include family, domestic, and sexual violence, closing the gap, and veterans’ health.

    Further, the ministers agreed to reform the federal and state and territory data sharing system under the work program by developing an Australia Data Network, standardising operating procedures for data sharing activities, improving data discoverability through machine-readable metadata for data sharing priorities, and adopting a share-once use-often model for aggregate de-identified administrative data.

    “The intergovernmental agreement on data sharing recognises data is a shared national asset and aims to maximise the value of data to deliver outstanding policies and services for citizens. The agreement commits all jurisdictions to share data as a default position, where it can be done securely, safely, lawfully, and ethically,” the communique said.

    The communique also detailed that the ministers discussed opportunities to explore possibilities of how digital birth certificates could be used for “future interoperability to support citizens’ engagement with governments”.

    In April, the New South Wales government announced it was working on the development of a national digital birth certificate. The NSW government said it is looking into how to incorporate it with the federal government’s myGov.

  • Brazilian National Treasury hit with ransomware attack

    The Brazilian government has released a note stating the National Treasury has been hit with a ransomware attack on Friday (13). According to a statement from the Ministry of Economy, initial measures to contain the impact of the cyberattack were immediately taken. The first assessments so far have found there was no damage to the structuring systems of the National Treasury, such as the platforms relating to public debt administration.

    The effects of the ransomware attack are being analyzed by security specialists from the National Treasury and the Digital Government Secretariat (DGS). The Federal Police has also been notified. The Ministry noted new information on the incident “will be disclosed in a timely manner and with due transparency”.

    A further statement released jointly with the Brazilian Stock Exchange today (16) noted that the attack did not affect “in any way” the operations of Tesouro Direto – a program that enables the purchase of Brazilian government bonds by individuals.

    The incident at the National Treasury follows a major cyberattack that emerged in November 2020, against the Brazilian Superior Electoral Court. The attack brought the Court’s systems to a standstill for over two weeks. At the time, the event was considered to be the most comprehensive attack ever orchestrated against a Brazilian public sector institution, in terms of its complexity and the extent of the damage caused.

    In July, the Brazilian government announced the creation of a cyberattack response network aimed at promoting faster response to cyber threats and vulnerabilities through coordination between federal government bodies.

    The DGS, which operates under the Special Secretariat for Management and Digital Government of the Ministry of Economy, will have a strategic role in the formation of the network. The DGS is the central body of SISP, a system utilized for planning, coordinating, organizing, operating, controlling and supervising the federal government’s information technology resources across more than 200 bodies. In the private sector, major ransomware attacks that emerged in 2021 in Brazil involved large companies such as healthcare firm Fleury and aerospace conglomerate Embraer.

  • Colonial Pipeline sends breach letters to more than 5,000 after ransomware group accessed SSNs, more

    Colonial Pipeline is sending out breach notification letters to 5,810 current and former employees whose personal information was accessed by the DarkSide ransomware group during an attack in May. The company admitted in an August 13 letter that on May 6, the ransomware group “acquired certain records” stored in their systems. 


    “The affected records contained certain personal information, such as name, contact information, date of birth, government-issued ID (such as Social Security, military ID, tax ID and driver’s license numbers) and health-related information (including health insurance information). Not all of this information was affected for each impacted individual,” the letter said. Bloomberg reported in May that before locking down the pipeline’s business systems, the group stole almost 100 GBs of data. Colonial Pipeline said it was offering victims of the hack two free years of “identity restoration” and credit monitoring services from Experian. They urged those affected to check their credit reports for any unauthorized activity. The letter was first reported by Bleeping Computer and a company official confirmed to CNN Business that personal information was lost during the ransomware attack. The attack on Colonial Pipeline, which left significant parts of the East Coast without gas for several days, kicked off a swift change in the government’s response to ransomware incidents. Since the attack, multiple new regulations have been released for critical industries in general as well as the oil and gas industry specifically. 

    Colonial ended up paying a ransom of $4.4 million to the DarkSide group due to the urgency of the gas crisis, but US law enforcement managed to get a portion of it back. Due to increased law enforcement interest globally, the people behind DarkSide shuttered their operation and some members reformed under a new name: BlackMatter. The Record spoke with the operators behind BlackMatter, who specifically cited the Colonial Pipeline attack as “a key factor for the closure of REvil and DarkSide,” adding that the group has now “forbidden that type of targeting and we see no sense in attacking them.”

  • Identity platform Clear Secure sees revenue fall in Q2

    Clear Secure, the tech company that operates the Clear identity platform used at airports and other venues, published its second quarter financial results on Monday, its first quarterly report as a publicly-traded company. Revenue declined year-over-year, though total bookings grew 102 percent year-over-year thanks to a strong rebound in traveling during the second quarter. Shares fell in after-hours trading.
    The company reported basic and diluted net loss per share of 3 cents. However, that does not reflect a full quarter of results since Clear Secure’s initial public offering occurred on June 30. Revenue for the quarter was $55.2 million, down 8 percent year-over-year. Analysts had been expecting a net loss of 31 cents per share on revenue of $54.21 million.

    “We entered the year bullish on travel and the recovery has been faster and stronger than we expected,” CEO Caryn Seidman-Becker and CFO Kenneth Cornick, co-founders of the company, wrote in a shareholder letter. “Aligned with the convenience economy, travelers are craving CLEAR’s touchless, frictionless, predictable travel journey. We are gaining share in existing airports, opening new airports and launching new products.”

    The rebound in travel led to strong Total Bookings growth. However, the strength in Total Bookings was not reflected in revenues, since revenues lag behind Total Bookings — Clear Secure bills members upfront and recognizes that revenue over the life of a membership, usually 12 months. Meanwhile, Clear Secure’s non-aviation platform, particularly Health Pass, gained significant momentum in the quarter with new partners and existing and new members.

    “In just over a year since its launch, Health Pass has scaled and become a trusted product. Our partners are looking for an easy, secure, and privacy-centric solution for testing and vaccination attestation,” Seidman-Becker and CFO Kenneth Cornick wrote. “Health Pass gives consumers access to and control of their health data.”

    Clear Secure partnered with the state of Hawaii in the quarter to bring Health Pass to travelers to meet entry requirements without quarantine. Health Pass integrates with hundreds of providers and partners like Walmart, Atlantic Health, California and New York State.

    Clear Secure’s Total Cumulative Enrollments grew 26 percent year-over-year to 6.3 million, reaching 7 million on August 15. The growth was driven by both CLEAR Plus enrollments and platform enrollments. Incremental enrollments in the quarter were 760,000, more than double the first quarter of 2021. The company experienced overall strength in new member growth, though many of its markets remained below 2019 levels.

    Second quarter Total Cumulative Platform Uses grew 19 percent year-over-year to 65.5 million, driven by airport verifications as well as Health Pass uses. For Q3 2021, Clear Secure expects revenue of $65.5 million to $66 million. Analysts are expecting revenue of $65.32 million.


  • Linux glibc security fix created a nastier Linux bug

    The GNU C Library (glibc) is essential to Linux. So, when something goes wrong with it, it’s a big deal. When a fix was made in early June for a relatively minor problem, CVE-2021-33574, which could result in application crashes, this was a good thing. Unfortunately, it turned out the fix introduced a new and nastier problem, CVE-2021-38604. It’s always something!

    The first problem wasn’t that bad. As Siddhesh Poyarekar, a Red Hat principal software engineer, wrote, “In order to mount a minimal attack using this flaw, an attacker needs many pre-requisites to be able to even crash a program using this mq_notify bug.” Still, it needed patching and so it was fixed. Alas, the fix contained an even nastier bug.

    While checking the patch, Nikita Popov, a member of the CloudLinux TuxCare Team, found the problem. It turns out that it is possible to cause a situation where a segmentation fault could be triggered within the library. This can lead to any application using the library crashing. This, of course, would cause a Denial-of-Service (DoS) issue. This problem, unlike the earlier one, would be much easier to trigger. Whoops.

    Red Hat gives the problem a Common Vulnerability Scoring System (CVSS) score of 7.5, which is “high.” An attack using it would be easy to build and requires no privileges to be made. In short, it’s bad news. Popov himself thinks “every Linux application including interpreters of other languages (python, PHP) is linked with glibc. It’s the second important thing after the kernel itself, so the impact is quite high.”

    Popov found the problem while doing “his usual routine of porting CVE-2021-33574 fix to our supported distros.” He found that null pointers could be passed in certain situations. Technically, the problem lay in the ‘mq_’ function family. These provide POSIX compliant message queue application programming interface (API) functionality. Typically these are used for inter-process communications (IPC) processes.

    Popov found “two situations where the Linux Kernel would use the message NOTIFY_REMOVED while passing copied thread attributes along the way in the data.attr field. Unfortunately, a host application is able to pass a NULL value there if it wants glibc to spawn a thread with default attributes. In this case, glibc would dereference a NULL pointer in pthread_attr_destroy, leading to a crash of the entire process.”

    The C programmers among you are already closing their eyes and shaking their heads ruefully. One of the common rules of C programming is to never, ever dereference a null pointer. The question isn’t “Will it crash the program?” It’s “How badly will it crash the program?”

    The good news is both the vulnerability and code fix have been submitted to the glibc development team. It has already been incorporated into upstream glibc.

    In addition, a new test has been submitted to glibc’s automated test suite to pick up this situation and prevent it from happening in the future. The bottom line is sometimes changes in unrelated code paths can lead to behaviors changing elsewhere without the programmer realizing what’s going on. This test will catch this situation.

    The Linux distributors are still working out the best way to deploy the fix. In the meantime, if you want to be extra careful — and I think you should be — you should upgrade to the newest stable version of glibc 2.34 or higher.
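
The NULL-attribute case Popov describes, as a simplified C model added here (it is not glibc's code and not from the article). `notify_data`, `notify_register` and `notify_release` are hypothetical names, and copying only the detach state is an assumption standing in for a full attribute copy; the point is the NULL check on the cleanup path before `pthread_attr_destroy` is called.

```c
/* Added example: simplified model of the data.attr handling described above.
   Not glibc source; the struct and function names are hypothetical. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

struct notify_data {
    pthread_attr_t *attr;  /* NULL = caller asked for default thread attributes */
};

/* Registration: keep a private heap copy of the caller's attributes, or NULL
   when none were supplied. Only the detach state is copied (assumption: a
   stand-in for copying every attribute). Returns 0 on success, -1 on error. */
int notify_register(struct notify_data *d, const pthread_attr_t *caller_attr)
{
    int state;

    d->attr = NULL;
    if (caller_attr == NULL)
        return 0;

    pthread_attr_t *copy = malloc(sizeof *copy);
    if (copy == NULL)
        return -1;
    if (pthread_attr_init(copy) != 0) {
        free(copy);
        return -1;
    }
    if (pthread_attr_getdetachstate(caller_attr, &state) != 0 ||
        pthread_attr_setdetachstate(copy, state) != 0) {
        pthread_attr_destroy(copy);
        free(copy);
        return -1;
    }
    d->attr = copy;
    return 0;
}

/* Removal path: the copy exists only if the caller supplied attributes, so
   check for NULL first. Calling pthread_attr_destroy(d->attr) unconditionally
   here is the NULL dereference the article describes.
   Returns 1 if a copy was destroyed and freed, 0 if there was nothing to do. */
int notify_release(struct notify_data *d)
{
    if (d->attr == NULL)
        return 0;
    pthread_attr_destroy(d->attr);
    free(d->attr);
    d->attr = NULL;
    return 1;
}

int main(void)
{
    struct notify_data d;
    pthread_attr_t attr;

    /* Default attributes: nothing was copied, nothing to release. */
    notify_register(&d, NULL);
    printf("default attributes: released=%d\n", notify_release(&d));

    /* Caller-supplied attributes: a copy is made and later released. */
    pthread_attr_init(&attr);
    pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED);
    notify_register(&d, &attr);
    printf("custom attributes:  released=%d\n", notify_release(&d));
    pthread_attr_destroy(&attr);
    return 0;
}
```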