The novel coronavirus pandemic has changed our lives in so many ways, and it will be many months before things even begin to get back to normal. In hot zones in particular, most stores and other nonessential businesses will have to remain closed potentially through the end of the summer. The painful truth is that many of them will never reopen. In fact, even restaurants that have been allowed to remain open for takeout and delivery orders may end up closing down permanently because business for many of them has been so slow. We should all do our best to support local businesses whenever were able to, of course.

As for personal impact, many of us are working from home or taking online classes from home for the first time. If thats the case, its important to remember that when it comes to the COVID-19 outbreak, not everyone is in this together. Most people band together and look for ways to help each other, even if that just means having a video chat once in a while with someone who might be lonely. But some people are trying to use the pandemic as an opportunity to take advantage of others. Thats especially true of nefarious hackers, which means you need to protect yourself.

Amazon is running a terrific deal for one day only on Friday that slashes the price of Webroot Internet Security Plus with Antivirus Protection Software to just $49.99. Thats a 2-year subscription, mind you, and it covers you for up to three devices. That means you can protect every computer in your home for the next two years, and itll only cost you $50! Its a fantastic deal, but its only available until the end of the day.

Here are the key details from Amazons product description:

Follow @BGRDeals on Twitter to keep up with the latest and greatest deals we find around the web. Prices subject to change without notice and any coupons mentioned above may be available in limited supply. BGR may receive a commission on orders placed through this article, and the retailer may receive certain auditable data for accounting purposes.

Image Source: Gorodenkoff/Shutterstock

See the article here:
Get 2 years of Webroot internet security and antivirus for $50 at Amazon - BGR

As much of the world works from home, an explosion of video conference calls has provided a playground not just for Zoombombers, phishermen and cybercriminals, but also for spies. Everyone from top business executives to government officials and scientists are using conferencing apps to stay in touch during the new coronavirus lockdowns and U.S. counterintelligence agencies have observed the espionage services of Russia, Iran, and North Korea attempting to spy on Americans video chats, three U.S. intelligence officials tell TIME.

But the cyberspies that have moved fastest and most aggressively during the pandemic, the intelligence officials say, have been Chinas. More than anyone else, the Chinese are interested in what American companies are doing, said one of the three. And that, in turn, has some U.S. counterintelligence officials worrying about one video conference platform in particular: Zoom. While the Chinese, Russians, and others are targeting virtually every tool Americans and others are using now that theyre forced to work from home, Zoom is an attractive target, especially for China, the intelligence officials and internet security researchers say.

An Apr. 3 report by The Citizen Lab, a research organization at the University of Toronto, found a number of shortcomings in Zooms security, including some that made it particularly vulnerable to China. It found that Zooms encryption scheme has significant weaknesses, including routing some encryption keys through Chinese servers, and that its ownership structure and reliance on Chinese labor could make Zoom responsive to pressure from Chinese authorities.

The U.S. intelligence officials stress there is no evidence that Zoom is cooperating with China or has been compromised by it, only that Zooms security measures leave gaps, some of which may make the application less secure than others. All three intelligence officials, who requested anonymity because they are not authorized to discuss ongoing operations with the media, said spies are using multiple applications to search government, corporate, and academic conversations for financial, personal, product development, research, and intellectual property information and leads. Federal experts have warned both government and private officials not to use video conference applications to discuss or exchange sensitive information. In a memo on Thursday, the Senate Sergeant-at-Arms told Senators not to use Zoom, according to one person who received the memo.

Keep up to date on the growing threat to global health by signing up for our daily coronavirus newsletter.

Zoom has responded to the particular criticism of its security with multiple public efforts to address the concerns. After initially claiming that its platform provides end-to-end encryption for all its conversations, Zoom later said some encryption was in fact absent from some online messaging tools. While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it, wrote Oded Gal, the chief product officer for Zoom Video, in an April 1 blog post.

The subsequent investigation by The Citizen Lab found other weaknesses. During a test of a Zoom meeting with two users, one in the United States and one in Canada, the Citizen Labs researchers found that the key for conference encryption and decryption was sent to one of the participants from a Zoom server apparently located in Beijing. A scan located a total of five servers in China and 68 in the United States that apparently run the same Zoom server software as the Beijing server, their report says.

Zooms headquarters are in San Jose, California and it is listed on the NASDAQ. The companys main applications have been developed in part by three companies in China that all are named Ruanshi Software, the Citizen Lab study found. Two are owned by Zoom, and one is owned by a company called American Cloud Video Software Technology Co., Ltd. Zooms most recent SEC filing says the company employs at least 700 research and development employees in China, and job postings for Ruanshi Software in Suzhou, China include positions for C++ coders, Android and iOS app developers, and testing engineers, the Citizen Lab reported.

Zoom says it is not alone in having workers and servers in China, and says it has resolved the issue of encryption keys being routed through a server there. Zoom is not unique among its U.S. based teleconferencing peers in having a data center and employees in China; Zoom is perhaps just more transparent about it, the company said in a statement to TIME. Ruanshi is the Chinese name that Zoom uses to name our subsidiaries in China, the company said, and Our engineers are employed through these three subsidiaries and we are fully transparent about itall of this is disclosed in our filings. The company added that it has a number of documented controls and protections in place to protect data and prevent unauthorized access, including from Zoom employees. These controls are strictly enforced across the Company, regardless of jurisdiction.

In the wake of the Citizen Lab report, Zoom has taken other steps to reassure users about its commitment to security. On April 8, Alex Stamos, former chief security officer at Facebook and Yahoo, posted a note on Medium saying Zoom CEO Eric Yuan had called and asked if I would be interested in helping Zoom build up its security, privacy and safety capabilities as an outside consultant, and I readily agreed.

Sens. Amy Klobuchar of Minnesota and Michael Bennet of Colorado and Reps. Frank Pallone of New Jersey, the Chairman of the House Energy and Commerce Committee, and Jan Schakowsky of Illinois have called for the Federal Trade Commission to investigate whether Zoom has taken the measures necessary to protect its users. Multiple state attorneys general already have begun looking into the company, Politico reported. And despite Zooms reassurances, some intelligence experts remain concerned about its vulnerabilities. Zooms links to China, regardless of what its CEO promises, create a persistent threat, former director of the National Security Agency and the Central Intelligence Agency Michael Hayden, tells TIME.

Please send tips, leads, and stories from the frontlines to virus@time.com.

Thank you! For your security, we've sent a confirmation email to the address you entered. Click the link to confirm your subscription and begin receiving our newsletters. If you don't get the confirmation within 10 minutes, please check your spam folder.

Contact us at editors@time.com.

See the original post here:
Foreign Spies Are Targeting Americans on Zoom and Other Video Chat Platforms, U.S. Intel Officials Say - TIME

Google has removed an Android VPN program from the Google Play store after researchers notified it of a critical vulnerability. The app, SuperVPN, has been downloaded over 100 million times.

Virtual private networks (VPNs) let users create encrypted connections to online servers that then serve as their gateway to the Internet. They enable users to tunnel safely to the internet when using untrusted local connections such as those in public places like coffee shops. In theory, they should stop intruders from sniffing your traffic on insecure networks. SuperVPN is one of dozens of programs that supposedly serve this function for Android devices.

VPNpro, a company that reviews and advises on VPN products, warned in February of a vulnerability in the product that could cause a man in the middle (MITM) attack, enabling an intruder to insert themselves between the user and the VPN service. It said at the time:

What this VPN app has done is to leave its users, people seeking extra privacy and security, to actually have less privacy and security than if theyd used no VPN at all.

The program was sending encrypted data, but it hard coded the decryption key, the review site said. Decrypting the data revealed information about SuperVPNs server, certificates, and authentication credentials. VPNpro was able to replace that data with its own.

That means the attacker can force SuperVPN to connect to a fake server, enabling them to see all of the users data including passwords, private text, and voice messages, VPNpro said.

VPNpros researcher Jan Youngren discovered the vulnerability in October 2019, adding that its developer, SuperSoftTech, likely based in Beijing, didnt respond to its notification. Instead, it notified the Google Play Security Reward Program (GPSRP), operated for Google by HackerOne. That team couldnt get a response from SuperSoftTech either, so it removed the program from the Google Play store on 7 April, 2020.

This isnt the first time that SuperVPN has cropped up in vulnerability research. It also got a mention in a 2016 paper that researched security risks in Android VPNs. That research, presented at the Association for Computing Machinerys 2016 Internet Measurement Conference (IMC), found that 13 antivirus programs detected malware activity in the software. It took third place in a ranking of Android VPNs most often flagged with malware-like activity by antivirus programs.

SuperVPN wasnt the only Android VPN to raise VPNpros concerns. It identified nine others in its February blog post that it said had critical vulnerabilities leaving their users vulnerable to to MITM attacks. A quick check shows that several of them are still available for download on the Play Store.

Read more from the original source:
Google removes Android VPN with critical vulnerability from Play Store - Naked Security

Researchers at German pentesting company Enable Security just published an intriguing blog post about a security problem they found in the popular online collaboration tool Slack.

The short version is that they uncovered a way to poke around inside the private parts of Slacks network, so they disclosed it, Slack fixed it and paid them a $3,500 bounty

and then, as sometimes happens when the rest-of-life gets in the way, it was another two years before they got the green light to publish their findings.

In some ways, the bug bounty progress report makes more fascinating reading than the blog post itself, because it shows how the responsible disclosure process allows for affable and open technical discourse between the bug finders and the bug fixers, without giving needless hints to crooks along the way.

But well focus on the blog post here because it includes some really simple but very effective advice that anyone running real-time collaboration services (a hot topic right now!) can take on board.

Whether youre interested in live text chat, audio or video, this report could help you improve your own security, and that of your users.

One problem that so-called end-to-end or peer-to-peer software has on most internet-connected networks is that very few computers these days have network identifiers what are known as IP numbers assigned uniquely to them.

Heres why.

The modern internet numbering system known as IPv6 (there is no IPv5 numbering system because the suffix -5 had already been used for other things) gives each device on the internet a 128-bit number.

Even using just 64 bits worth of that so-called address space, you can count all the way from zero to 264-1, which is enough to number more nearly 20 million million million devices uniquely.

But the older IPv4 system is still used by the vast majority of devices out there, and it has just 32 bits, which gives you an absolute maximum device count of just over 4000 million (4 billion).

As large as that sounds, there are already billions of mobile phones around the world, plus billions more laptops, routers, cloud servers, smart kettles, street signs, lampposts

so you can see why 32-bit network numbers are a real problem these days, and have been for years.

(In practice, there arent even 232 values available because about half-a-billion IPv4 numbers are set aside for purposes other than identifying individual devices.)

Most networks these days make do with one IP number thats shared between all the computers on the local network (LAN), which make do with so-called private IP numbers that are reserved for internal use only.

These private IP numbers dont get past the router, so they dont need registration or any central authority to control them, but they dont identify your computer globally in any useful or usable way.

If youve ever wondered why your computer may show up with an IP number such as 192.168.1.12 at home, and something very similar, such as 192.168.1.13 at the coffee shop you (used to) frequent, its because those numbers are private only, and as long as theyre allocated on separate LANs they wont get in each others way.

As an aside, if youve ever had the misfortune to have all the computers on your network blocklisted at the same time because just one of them did something naughty, such as sending spam

thats because all traffic out of your network has the very same IP number once it joins the public internet, so your individual computers cant be blocked independently they stand or fall together.

Your router therefore acts as a sort of traffic proxy that figures out which incoming network packets are replies to what outgoing network requests, and redirects them accordingly.

Thats called NAT, short for Network Address Translation, and its a decent enough solution if all you want to do is establish connections from your private network to servers on the public internet, as you did when you browsed to this web server to start reading this article.

Generally speaking, however, a NATting router can only deal reliably with incoming traffic after a computer on the LAN has initiated an outbound connection otherwise it has no idea which network flows (as they are called) belong to which device.

For peer-to-peer chats, whether theyre one-to-one calls or group calls, you have a problem each participant can dial out to the call by connecting outwards to any or all of the others, but no one can accept the call because incoming network traffic relies on an already-open connection to a public server first.

Stalemate!

One solution to this problem is known as TURN, which is a rather forced acronym meaning Traversal Using Relays around NAT. (Relays Using NAT Traversal would be clearer to write in full, but wouldnt be a good acronym.)

The idea is that a server on the public internet acts as an answering machine that accepts calls from other computers, even if they are behind NAT routers, and applies suitable identification and authentication as needed.

For any call that users are trying to connect to, the TURN server ends up on the receiving end of outbound connections from everyone on the call, so it can act as a relay or broker that shuffles one callers outbound data into the right recipients inbound data channel and vice versa, thus simulating an end-to-end connection between two or more computers that would otherwise be kept apart by their NAT routers.

This isnt an ideal solution, especially if the TURN server is in New York and the callers are both in San Diego, say, because the packets are crossing a continent only to come straight back again, and it also means that everyones call latency gets affected by the load on the TURN server.

But by making TURN into a lightweight data packet shuffling service, its nevertheless proved to be a very useful system that works for all sorts of traffic, not just for audio, or video, or whatever.

Because TURN servers can broker traffic between arbitrary services on arbitrary computers, you dont need to add TURN code to every type of server you run, meaning that you can dedicate TURN servers entirely to their job of packet brokering.

This means you can therefore configure and tune TURN your servers for optimum throughput, without worrying if those tweaks would reduce performance for other service types on your network such as web, database and streaming servers.

But this general-purpose nature of TURN means that you need some way for a TURN server to allow the original caller to specify where they want to go to reach the other end of their TURN call.

And the primary functions of TURN is to broker traffic past NAT routers, which means that TURN needs to be able to make sense of IP traffic that a router itself would ignore because the destination computers have internal-only IP numbers that make no sense on the public internet.

You can probably guess where this is going.

There are almost certainly several network ports open on your laptop right now, many of them listening on localhost, which is a special series of IP numbers from 127.0.0.0 to 127.255.255.255 that are reserved for your computer to access itself only from itself.

Localhost addresses (127.0.0.1 is usually used) are so special that many operating systems dont even send local network packets through the networking subsystem.

To improve the speed, security and reliability of local-to-local connections they often just shuffle the data directly in memory between the sending program and the receiver.

Likewise, your router probably has an administration web server running on an IP number such as 192.168.1.254 or 192.168.0.1 to keep it safely cut off from the outside world but accessible to computers inside your network.

But if you have a TURN server, it is already inside your network, so if you accidentally permit an incoming caller to specify an internal-only IP number as its target, you may end up brokering packets between an outsider and some internal service that would otherwise be invisible to outsiders.

Peeking into internal Slack resources via Slacks TURN servers in this way is what our intrepid researchers were able to do, two years ago.

By placing fake calls with recipients that were inside Slacks own network, using a mixture of localhost and private IP numbers, they were able to boldly go where no caller was supposed to.

They made an informative video (its slow going but surprisingly easy to follow) of what happened:

If you are a Slack user, there is nothing to do.

Slack already did it for you, which is why this report is public only now.

But if you run your own TURN servers, the researchers suggest checking that you have configured your server to ignore connection brokering requests to any internal-only IP numbers.

This protects you from access control mistakes down the line, because there is no down the line.

For the server described in their paper (called coturn), the configuration they recommend is as follows:

If youre a networking person you will probably recognise those ranges anyway they cover multicast, LAN-only IP numbers, localhost-only IP numbers, autoconfiguration IP numbers, reserved-for-documentation IP numbers and more.

Remember: the earlier you block bad traffic, the less harm it can possibly do!

More:
Slack in the security spotlight lessons for collaboration servers - Naked Security