Verizon’s ‘perma-cookie’: Just another example of how ISPs invade, threaten our privacy

ExpressVNP

**Update: Verizon forced ‘supercookies’ on all of their customers until March 2015, when several senators raised privacy concerns over the practice. One year later, in March 2016, Verizon agreed to a three-year consent decree and was forced to pay a $1.35 million fine after the Federal Communications Commission found the company violated the privacy of its users.**

For two years, Verizon Wireless has been secretly altering people’s traffic by injecting a Unique Identifier Header, or UIDH, into all HTTP (web) requests. This UIDH allows advertisers to see Verizon customers’ identities as they browse unencrypted websites.

The story, which was reported in Wired and Ad Age, has security experts up in arms.

How the UIDH permacookie works

The UIDH is a unique combination of letters, numbers, and characters that identifies each Verizon Wireless customer. Let’s say you’re using your computer, smartphone, or any other device on an ISP that tracks you. As you browse the web, your device sends requests over the network to different servers on the web. Your ISP then inserts the UIDH, a unique tracking code, into each of your requests.

Since you’re the ISP’s customer, and since they run the network infrastructure, they know exactly which person made which network request, so they can match your tracking code to you. Not only does this give your ISP a lot of information about what sites you’re looking at, but it also makes it possible for other websites to track what you do online, too. Yikes.

For more, you can check out the infographic by Jonathan Mayer, a computer scientist and lawyer at Stanford who cobbled together the diagram based on information gleaned from Verizon’s patents and marketing materials.

As Mayer points out, “Whatever the merits of Verizon’s new business model, the technical design has two substantial shortcomings. First, the X-UIDH header functions as a temporary supercookie. Any website can easily track a user, regardless of cookie blocking and other privacy protections. No relationship with Verizon is required.”

Secondly, “while Verizon offers privacy settings, they don’t prevent sending the X-UIDH header. All they do, seemingly, is prevent Verizon from selling information about a user.” Yikes.

This was confirmed by Verizon spokesperson Debra Lewis, who told Wired that there’s no way for users to turn off UIDHs – but that they could opt out of Verizon’s Relevant Mobile Advertising program.

To find out if your ISP is giving you a UIDH, go to http://lessonslearned.org/sniff, created by Kenn White. Note that mobile Chrome and Flipboard can mask tracking beacons, so try using a different browser if you normally use those. Also, make sure you’re using cellular data (2G/3G/LTE etc.) because the UIDH only gets added on cellular data, and not on Wi-Fi.
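The kind of check such a test page relies on can be sketched as follows. This is an added example, not Kenn White's code: the function names, the `EchoHandler` class, the port and the sample requests are assumptions made for illustration; only the `X-UIDH` header name comes from the article.

```python
"""Added example: spot headers a network middlebox injected into a plain-HTTP request."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer


def parse_headers(raw: bytes) -> dict:
    """Parse the header block of a raw HTTP/1.x request into {lowercase name: [values]}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def injected_headers(sent: bytes, received: bytes) -> dict:
    """Return headers (or header values) that arrived but were never sent by the client."""
    before, after = parse_headers(sent), parse_headers(received)
    added = {}
    for name, values in after.items():
        extra = [v for v in values if v not in before.get(name, [])]
        if extra:
            added[name] = extra
    return added


def carries_uidh(received: bytes) -> bool:
    """True when the request as received carries the X-UIDH header named in the article."""
    return "x-uidh" in parse_headers(received)


class EchoHandler(BaseHTTPRequestHandler):
    """Replies with the headers exactly as they arrived, so the client can compare."""

    def do_GET(self):
        body = json.dumps(self.headers.items(), indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


# Constructed sample: what a client sent, and the same request as it reached the server
# after a middlebox added a tracking header. The token value is a placeholder.
SENT = (
    b"GET / HTTP/1.1\r\n"
    b"Host: echo.example\r\n"
    b"User-Agent: test-client\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)
RECEIVED = SENT[:-2] + b"X-UIDH: CONSTRUCTED-TOKEN-0000\r\n\r\n"

if __name__ == "__main__":
    print("injected:", injected_headers(SENT, RECEIVED))
    # Serve the echo endpoint on a host you control (port 8080 is an arbitrary choice).
    HTTPServer(("0.0.0.0", 8080), EchoHandler).serve_forever()
```

Request the echo endpoint over plain HTTP from the cellular connection and compare the reply with what the client sent; over HTTPS the carrier cannot add the header, so the comparison should come back empty.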

White also believes that AT&T and Sprint are using the same sort of identifier beacons on their customers as well, so if you’re not a Verizon Wireless user, you should still be vigilant.

As Electronic Frontier Foundation technologist Jacob Hoffman-Andrews told Wired, “ISPs are trusted connectors of users and they shouldn’t be modifying our traffic on its way to the Internet.”

With confirmation that Verizon is uniquely identifying and tracking its users, who knows what other ISPs are doing?

My ISP is interfering with my Internet traffic… what do I do?

Here are some things that don’t work, as tested and reported by Cody Dunne, a Research Scientist at the IBM Watson team:

  • private browsing sessions
  • “do-not-track” features

Dunne found that neither private browsing nor do-not-track prevented UIDH interference.

So, how to prevent the UIDH tracking?

Always use HTTPS by using something like HTTPS Everywhere. However, this isn’t realistic as many websites don’t support HTTPS.

How about switching to other ISPs (Internet Service Providers)? While some people have floated the idea of switching wireless providers altogether, the truth is that there’s no guarantee that your ISP isn’t tracking you or spying on you. Therefore, switching to a different ISP might actually mean giving a different ISP the opportunity to track you.

Bottom line: using a VPN is the best way to prevent your ISP from gathering or sharing data about you.

A VPN stops your ISP from tracking, spying on, or interfering with your Internet use by:

  1. encrypting your traffic, so that outsiders cannot see what’s inside;
  2. securing your traffic, so outsiders can’t modify your traffic; and
  3. anonymizing your traffic, so that outsiders cannot see who you’re communicating with (check out our post about metadata for more).

Check out our infographic below for a visualization about how it works.

[Infographic: stop ISP spying]

If you’re not already using a VPN, then the idea that your ISP could potentially be spying on you (or allowing others to spy on you) should give you ample reason to use one today.

ExpressVNP offers easy-to-use VPN apps for Windows, Mac, Android, iOS, Routers, and Linux. If you believe in your right to privacy, then you need a VPN.

Unsuspecting Android users could find malware wrapped in image files

Researchers have discovered a new technique which could allow malicious apps to be delivered to unsuspecting Android users via image files.

Fortinet malware researcher Axelle Apvrille and Corkami reverse engineer Ange Albertini devised a proof-of-concept (POC) attack and demonstrated it at last week’s Black Hat Europe conference in Amsterdam.

Using a custom tool developed by Albertini, dubbed AngeCryption, the pair were able to encrypt a payload Android application package (APK) and make it look like an image file (they used a PNG but other image file formats work just as well).

They then created a second APK which carried the ‘booby-trapped’ image. This second APK was not only wrapped around and hid the first, it also had the ability to decrypt and then install it.

In a *** accompanying the Black Hat talk the researchers wrote that “it is possible to encrypt any input into a chosen JPG or PNG image … the code is able to transform this unsuspicious image into another APK, carrying the malicious payload.” The *** goes on to say that “Static analysis, such as dis-assembly, of the wrapping APK does not reveal anything particular about that bytecode (apart if we undo the encryption packing).”

By tricking the Android app wrapping system in this way the duo were able to create a package that would likely evade detection and get past Google Play’s Bouncer, as well as security apps.

Apvrille and Albertini’s testing revealed that the Android system did present a permission request when the legitimate wrapper file attempted to install the malicious APK, but even that could be prevented by using DexClassLoader.

The pair also revealed how the attack could be implemented – the app in question can only be loaded if some data can be appended after the End of Central Directory (EOCD) zip marker – to achieve this they simply added another EOCD after the additional data.

The attack was found to work with the latest version of the Android operating system (4.2.2) but the pair’s responsible disclosure means the Android Security Team have been aware of the issue since 27 May, enabling them to create a fix which was made available on 6 June. Google’s solution prevents data being appended after EOCD but there is some doubt over whether it checks after the first instance. Thus the Android Security Team are continuing to look into the issue and further fixes may follow.

That said, the Android ecosystem is often not the quickest when it comes to disseminating security updates, and many users are either slow in installing them or choose not to do so, meaning many may be vulnerable to this type of attack for a while to come.

In the meantime, the researchers warn that there is no real way to detect what the payload APK does short of actually decrypting the image file. Their advice to security engineers is to keep a watchful eye on any apps that decrypt resources or assets, remembering that their POC could be obfuscated by an attacker.

They also suggest running applications within a sandbox until they can be checked for malicious or unexpected behaviour which will become evident when run even though the actual payload can be hidden.

Also, they recommend adding stronger constraints to APKs to prevent images from decrypting to a valid APK.
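The constraint discussed above (nothing after the EOCD, and only one EOCD) can be checked statically on a package before it is trusted. This is an added example, not the researchers' or Google's code; the function names and the constructed sample archives are assumptions made for illustration.

```python
"""Added example: flag ZIP/APK files with data after the EOCD or more than one EOCD."""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
# Fixed 22-byte part of the End of Central Directory record:
# signature, disk numbers (2), entry counts (2), CD size, CD offset, comment length.
EOCD = struct.Struct("<4sHHHHIIH")


def find_eocd_records(data: bytes) -> list:
    """Locate every EOCD signature and decode the record that follows it."""
    records = []
    pos = data.find(EOCD_SIG)
    while pos != -1:
        if pos + EOCD.size <= len(data):
            fields = EOCD.unpack_from(data, pos)
            cd_size, cd_off, comment_len = fields[5], fields[6], fields[7]
            records.append({
                "offset": pos,
                "end": pos + EOCD.size + comment_len,
                # In a well-formed archive the central directory ends where the EOCD starts.
                "cd_consistent": cd_off + cd_size == pos,
            })
        pos = data.find(EOCD_SIG, pos + 1)
    return records


def audit_zip_tail(data: bytes) -> dict:
    """Summarise what follows the first and the last EOCD record.

    The four signature bytes can occur by chance inside compressed data, so a
    finding is a reason for manual review, not proof of tampering.
    """
    records = find_eocd_records(data)
    if not records:
        return {"eocd_count": 0, "after_first": None, "after_last": None,
                "inconsistent_records": 0, "suspicious": True}
    after_first = len(data) - records[0]["end"]
    after_last = len(data) - records[-1]["end"]
    inconsistent = sum(1 for r in records if not r["cd_consistent"])
    return {
        "eocd_count": len(records),
        "after_first": after_first,   # bytes following the first EOCD record
        "after_last": after_last,     # bytes following the last EOCD record
        "inconsistent_records": inconsistent,
        "suspicious": len(records) != 1 or after_last != 0 or inconsistent > 0,
    }


def _constructed_archive() -> bytes:
    """Build a tiny, harmless stored-only archive to exercise the audit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("classes.dex", b"constructed placeholder, not real bytecode")
    return buf.getvalue()


# Constructed samples: a clean archive, one with trailing bytes, and one where the
# trailing bytes are followed by a second EOCD record, as the article describes.
EXTRA = b"constructed trailing bytes"
CLEAN = _constructed_archive()
TRAILING = CLEAN + EXTRA
DOUBLE = CLEAN + EXTRA + CLEAN[-EOCD.size:]

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("trailing", TRAILING), ("double", DOUBLE)):
        print(label, audit_zip_tail(sample))
```

A check that only looks after the last EOCD passes the third sample, which is the gap the article describes in the first fix; comparing against the first EOCD and counting records closes it.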

If you are interested in learning more about AngeCrypt you can find the Python script here and the slides used by Apvrille and Albertini are available here.

Old ATMs susceptible to malware attacks, ATM scams on the rise

Back in the summer of 2010 the late Barnaby Jack gave a presentation at the Black Hat security conference in which he demonstrated the ‘jackpotting’ of two ATMs. During his presentation, Jack was able to get both machines to dispense cash by exploiting them both physically and remotely.

In the physical attack he used a flash drive pre-loaded with malware to gain administrator access to the ATM, giving himself control over its cash dispensing mechanism.

Now, more than a year after Jack’s untimely death, it seems that the security industry has still not caught up with the hackers who are increasingly able to exploit ATMs around the world without the need for expert knowledge or even the latest malware.

Following reports of ATM hacking in Malaysia, in which gangs stole around $1 million, investigative reporter Brian Krebs took a closer look into the issue and discovered that the problem lies with the use of old infrastructure.

According to Krebs, the recent spike in malware attacks on ATMs is due to the age of the machines rather than the use of new high-tech skimming devices or a specific targeting of the now-defunct Windows XP operating system that many still use.

Owen Wild, global marketing director security compliance solutions at ATM manufacturer NCR, whose machines were fingered in the Malaysian attacks, told Krebs that the problem is industry wide, saying that “It’s occurring on ATMs from every manufacturer, multiple model lines and is not something endemic to NCR ATMs.” Wild did admit, however, that the Persona series of NCR ATMs attacked in Malaysia were old, having been superseded by a newer model seven years ago.

Wild revealed that around half of the NCR install base are still using the older Personas. This presents a problem to any operator who hasn’t dumped a pile of cash on Microsoft’s table in return for continuing security updates as compliance with PCI DSS (Payment Card Industry Data Security Standards) mandates the use of an operating system that is fully supported with continuing security updates.

Wild did add, however, that stand-alone machines were the bigger risk (because of the typically easier physical access for CD-ROM and USB boots), whereas the use of Windows XP was not a major factor as operating systems were either being bypassed or manipulated with the software.

Wild went on to detail two types of attack. The first, he said, is ‘black box’ attacks in which an electronic device is used to bypass the infrastructure in the processing of the ATM and send an unauthorized cash dispense code to the ATM.

The second type of attack, which Wild says is on the increase, is the introduction of malware into older ATMs which have fewer protective mechanisms in place, having been designed at a time when such threats and risks were nowhere near as large as they are now.

Commenting on the availability of ATM manuals online, Wild said “You don’t have to be an ATM expert or have inside knowledge to generate or code malware for ATMs. Which is what makes the deployment of preventative measures so important.”

In terms of mitigating attacks against ATMs, our advice would be to:

  • Review the physical security of the machine, including placement, camera surveillance, the use of non-standard locks and the implementation of ATM security alarms
  • Regularly check the machine to ensure no third-party devices have been added to it
  • Provide security awareness training for staff to ensure they are on the lookout for socially engineered cons from criminals who may pose as engineers or inspectors
  • Train staff to respond to, and investigate, alarms and suspicious activity
  • Limit the amount of cash within the ATM to the amount expected to be dispensed on any given day

Malware infects MS Office: Like you needed another reason to hate PowerPoint

“Death by PowerPoint” — it’s a common refrain from office workers inundated by one lifeless slideshow after another, desperately wishing a nap in the board room wouldn’t be noticed. But now there’s new reason to hate Microsoft’s big-name productivity tool: malware.

This is Not the File You’re Looking For

According to Lifehacker, Microsoft has released a security advisory about malicious Office files. Executing these files grants attackers the same permissions as whoever opens them, meaning they could potentially gain access to an entire network. What’s more, the vulnerability spans every release of Windows except for Server 2003. Microsoft’s Security TechCenter says that the malicious payload is part of an Object Linking and Embedding (OLE) component, meaning files must be opened to cause any harm. “In an email attack scenario, an attack could exploit the vulnerability by sending a specifically crafted file to the user,” notes the TechCenter statement. “In a Web-based scenario, an attacker would have to host a website that contains a specially crafted Microsoft Office file.”

Right now, this zero-day attack relies on PowerPoint files, but since all Office-based extensions support OLE, it’s possible a Word document or Excel spreadsheet could also be infected. Worst case? An attacker uses code like Trojan.Taidoor or Backdoor.Darkmoon to install new programs, delete data or create new admin accounts.

Save Yourselves!

Microsoft says that to protect yourself from this kind of Office malware, you should start by turning on User Account Control (UAC) so you’ll at least get a warning — and have to give approval — before any kind of OLE code is executed. You can also lower the access rights of both your own account and those of other users, and make sure to open any Office files in Protected View.

It goes without saying (but here it is anyway) that you should avoid downloading or opening any unfamiliar Office files, especially since antivirus programs won’t target these trusted file types. In addition, most of these Office-based attacks rely on spear-phishing — if attackers can use social media and browsing data to track your actions online, they can more easily craft emails you’re likely to open rather than delete out of hand. Try a VPN to protect your actions online and make sure no one is poking their nose into your business.

Sand In Your Eyes

There’s more bad news for Microsoft: Windows IT admins aren’t safe from a Shellshock-type attack, previously thought to be a Linux and Unix-only problem. Researchers at a Belgian security company recently found a way to replicate a command-line injection vulnerability in Windows shell scripts, which could allow malicious actors full access to vulnerable computers. It’s worth noting that this flaw isn’t present in official Windows scripting, but third-party Windows scripts pose real risk. This vulnerability extends even into new Windows 10 previews, according to Seculert CTO Aviv Raff; so long as users audit any outside scripts for access permissions the threat level should remain low — good to hear since Microsoft probably won’t patch this hole.

And guess what? This isn’t the first problem Microsoft has encountered with PowerPoint files. At the beginning of October, NATO and several European telecom companies were attacked by a group called the “Sandworm Team”. Using the CVE-2014-4114 vulnerability, these attackers leveraged OLE components to execute malicious code on target machines — just like the current zero-day issue. The difference? In Sandworm’s case, Office files with corrupted OLEs linked to other, external files, requiring an active Internet connection for the hackers to complete their attack. The new version, CVE-2014-6352, doesn’t require this kind of outside action, meaning Network Intrusion Prevention Systems (NIPS) won’t spot the problem.

Although Microsoft issued a fix for Sandworm on October 14th, there’s no official patch for the new PowerPoint problem — and it hasn’t spread far enough to get a catchy name like Heartbleed or Shellshock. Still, the exploit should be on your radar, since Office files are so common and used by a host of different programs — some of which aren’t Microsoft approved or tested.

If you didn’t hate PowerPoint before, feel free to jump on the bandwagon, since a corrupted .PPT file could now mark the death of your computer.

Sick and tired: Ebola malware making the rounds

What are your chances of contracting Ebola, the awful haemorrhagic fever spreading through West Africa? Despite recent media coverage the answer is extremely low since the virus isn’t airborne. As a recent Vox article points out, you’re far more likely to be a victim of “tip-over”, which is what happens when heavy furniture or appliances fall down and kill you — 30 people per year in the United States die from this “threat”.

Public perception, meanwhile, holds fast that Ebola is coming, and coming soon. So it’s no surprise that a group of hackers has been leveraging Ebola panic to spread new malware — that’s right, humanity is just as bad as you always imagined. Here’s what to watch out for.

WHO?

According to The Verge, scammers are using several legitimate-looking sources in an effort to make you open malware-laden emails. The most worrisome supposedly come courtesy of the World Health Organization (WHO) and claim to be “safety tips” for combating the spread of Ebola. These emails likely contain a variant of the DarkComet Remote Access Trojan (RAT), which gives attackers access to your files, webcam, passwords and just about anything else on your computer. What’s more, it can hide from most antivirus programs.

Other emails are coming from “the Mexican government”. Apparently, Mexican officials are so concerned about the Ebola patients in nearby Texas that they’re spamming American users with emails about how to “cure” the disease. These ones come with detailed instructions on how to enable the Macro function of Microsoft Word, which is then used to download a malware attachment. Not content with just hacking your computer, these attackers are making you do some of the work.

Also interesting is how perfectly many of the email subject lines capture current Ebola fears. For example:

  • What you really need to know about the deadly Ebola outbreak
  • SHOCKING Health Alert: Secret Cure for Ebola?
  • CDC Alert: 1.4 Million EBOLA Victims by January?
  • First GMO Foods, now Ebola. What Obama doesn’t want you to know

Luckily, security firm Trustwave says this malware campaign is fairly low-volume, but that doesn’t change facts: users are sick and tired of being scammed.

Perpetually Terrible

And guess what? This isn’t the first time attackers have used tragedy and disease to steal passwords and other personal data. In March, scammers leveraged public interest in the disappearance of Malaysia Airlines flight MH370, creating fake Facebook posts that claimed the plane had been recovered in Bermuda. When users clicked on a video purporting to show the dramatic rescue they were redirected to first “like” the hackers’ page and then download a video viewer which was — you guessed it — malware.

In 2009, attackers created an email campaign centered around the H1N1 outbreak. Users received notification that they’d been chosen for a government vaccine program and were then directed to a legitimate-looking CDC website where they gladly entered all sorts of personal information. And in 2005, Bird Flu panic led to a malware attack using Word documents that supposedly contained critical information about the epidemic. When opened, the document installed the Ranky-FY Trojan, which enabled malicious actors to control any infected computers.

Lock it Down

With scammers always on the lookout for the next big panic, how do you stay safe? First off, do yourself a favor and start running a secure VPN whenever you connect. Sure, it won’t protect you from clicking on something ridiculous but it severely handicaps attackers looking to spy on what you do online and then create a behavior-based phishing attack. Maybe you live in Texas; maybe you are concerned about Ebola and want to know more, but don’t give that away to malicious attackers: lock down your connection and encrypt your data.

Also, don’t open anything that contains the words “SHOCKING”, “ALERT” or for good measure “OBAMA” in the subject line. If you’re curious about what’s contained in the email do a quick search — you’ll either turn up useful information or get warned off because it’s a scam.

Want to stay safe? Secure your connection, don’t take scammer bait — and maybe stay away from large, precariously-balanced televisions.

Smart meters, dumb security? Hacking the Internet of Things

According to the UK’s Department of Energy and Climate Change, almost 100,000 smart meters were installed in homes through the second quarter of 2014 — in Spain, millions of these energy monitoring devices are on tap to be installed by 2018. As noted by a recent BBC article, however, leveraging the Internet of Things (IoT) isn’t without risk: despite their “smarts”, meters and other types of home automation technology can easily be hacked.

Home Sweet Home?

Independent researchers Javier Vidal and Alberto Illera took apart a smart meter to see if it could be compromised. They discovered encryption keys buried in the device’s firmware that were used to communicate with “nodes” further up the power distribution system. With the keys and a meter’s unique ID number in hand, Vidal and Illera found they could send false messages to the power company, either under or over-reporting the amount of energy used. They also warned that it might be possible for criminals to spoof user IDs and avoid paying altogether, or even cut off power to specific homes. The pair took their findings to the manufacturer, who is now working to solve the problem.

But as Kaspersky Lab analyst David Jacoby discovered, smart meters aren’t the only connected machines at risk in your home. In August, Jacoby attempted to hack devices in his house and found that “two popular network-attached storage (NAS) devices contained more than 14 vulnerabilities that could enable remote system command execution under the highest administrative privileges.” In addition, passwords for the devices were both weak and unencrypted, providing an easy way for attackers to install malicious tools or perform attacks on his home network. Jacoby’s DSL router and smart TV were also vulnerable: the router had hidden functions named “web cameras” and “access control,” while the television didn’t use authentication or encryption when downloading content such as thumbnails or widgets, making it susceptible to man-in-the-middle (MitM) attacks.

On the Road Again

If connected devices in your home are under siege, you can always escape by jumping in the car and driving off into the sunset, right? Unfortunately not. The Economist notes that “modern cars are essentially a collection of computers on wheels,” and researchers have already shown that it’s possible to hack these systems and take control. This includes minor annoyances such as changing the radio station or adjusting the temperature to more dangerous activities like wrenching the wheel to one side or cutting power to the engine. Luckily, most of these attacks require direct access to the car itself, but the speed of IoT adoption is starting to outpace even this kind of physical security.

And yes, it gets worse. Security expert Jay Radcliffe found it was possible to hack his wireless insulin pump and change the amount of insulin administered, effectively making him a target for a kind of wireless murder. Billy Rios of security firm Qualys says “there are just super *** flaws in some medical devices.”

Back to the Stone Age?

It’s not all doom and gloom — companies tend to be receptive when researchers discover flaws and many obvious issues with wearable and connected home IoT devices have already been remedied. But what can end users do to limit risk?

One option is to pass on IoT altogether, but with governments rushing to wirelessly connect critical infrastructure and monitor domestic power usage, this will get progressively more difficult. Part of the solution comes from social pressure: users must demand that the devices they use come with built-in security that never skips encryption or offers administrative backdoors. For enhanced control, take charge of your own connection — at home and on your mobile devices, opt for a fully encrypted, anonymous connection that effectively hardens your home against attackers. They’re looking for an easy way in through “dumb” meters or not-so-smart televisions; make it difficult and they’ll go somewhere else.

The Internet of Things offers real benefits for homes, vehicles and even medical devices but when personal data meets wireless connections, things can get complicated. Keep it *** — stay protected.

YouTube malware: Sweet Orange swallows YouTube

Watch YouTube much? Statistics say you do — according to the video sharing site’s official statistics page, over 1 billion unique users visit and more than six billion hours of video are watched every month. The site is also seeing increased monetization with more than a million registered advertisers, many of which use TrueView in-stream ads. As noted by QZ, the market for ads on YouTube has nowhere to go but up: analysts at Jefferies say it could bring in $7 billion worth of revenue for Google in 2015 and easily top $30 in the next few years. With YouTube now responsible for 40 percent of all online video consumption, there’s a massive amount of headroom.

And there’s a problem. Recently, the site was targeted by ads infected with the “Sweet Orange” exploit kit, and has now sent over 113,000 users in the United States to malware-infected webpages. Here’s what you need to know.

Juicy Target

As noted by security firm Trend Micro, which first discovered this exploit, the vast majority of users affected are from the United States: 95.84 percent, to be exact. And while this kind of “malvertising” is a common way of convincing users to click on legitimate-looking links, it’s the first time YouTube has been targeted to such a degree. In fact, attackers were able to coordinate their efforts with the release of big-traffic videos, for example “a music video updated by a high-profile record label” that saw over 11 million views. The sheer volume of users targeted and the precision with which such attacks were carried out is cause enough for concern — but how did malicious actors manage to get their foot in the door?

Foreign Oranges?

The natural assumption here is that the Sweet Orange gang is hiding out in another country, but analysis of the malware’s redirect patterns says otherwise. It starts with modified DNS information, specifically that of a Polish government site. The site itself wasn’t compromised — instead, attackers added their own server-specific subdomains to alter the original DNS. Users who clicked on malicious ads were first taken to a redirect server in the Netherlands, then a second server in the same region and finally back to a server in the United States.

In this case, Sweet Orange relied on two Internet Explorer vulnerabilities: CVE-2013-2551 and CVE-2014-0322, which ultimately led users to pages infected with the KOVTER family of malware, often used in ransomware attacks. A security patch released by Microsoft in 2013 eliminates the relevant vulnerabilities, but Sweet Orange can also target Java and Flash.

Google’s Answer

In an email to Business Insider, Google said “our teams have taken the appropriate actions to resolve this issue,” and noted that “the security of our users is a top priority.” According to a January 2014 blog post by the search giant, they’re always on the hunt for “bad ads” and removed more than 350 million in 2013 — up from 220 million the previous year.

But even accounting for Google’s diligence, these numbers are worrying. Sure, the company is catching more bad ads, but it’s not all thanks to better security practices or threat assessments — as YouTube viewership rises, so too does the interest of malicious attackers. And the best way in? Legitimate-looking ads.

Avoiding the “Bad Ads”

You could stop watching YouTube.

Take a deep breath — while this would solve part of the problem, it’s not really necessary. Instead, start with a secure VPN to prevent ads from determining your location or obtaining any data that might make you more likely to spare a click. Next, update your browser and read any warnings it displays about “suspicious” content. If you’re getting notified, chances are you should stay away. The biggest change to make, though? Don’t click on ads. Just don’t. Enjoy the video, but use the can’t-skip advertising time the same way you do when watching TV: get up, get a snack or check your email, and let the malvertising fall on deaf ears.

Soggy cardboard? Dropbox says it wasn’t hacked

Snowden called it, apparently. In a recent interview, the NSA whistleblower warned cloud storage users to avoid Dropbox because the service doesn’t use encryption. Now, links to hundreds of Dropbox usernames and passwords have appeared on a Reddit thread, with a call to donate Bitcoins if interested parties want to see more.

But the company says their servers are safe, instead pointing the finger at third-party services and reused passwords. So what’s the bottom line — is Dropbox nothing more than soggy cardboard, or a convenient target for leak scams?

Easy Access

“Here is another batch of Hacked Dropbox accounts from the massive hack of 7,000,000 accounts” says a Pastebin message in one of the leak threads. “More to come,” it promises, “keep showing your support.” According to The Next Web, Reddit users allegedly confirmed the hacked credentials were legitimate, but had no way to tell if Dropbox was to blame.

It’s not difficult to see possible hack architecture here: as noted by Edward Snowden, the cloud service is light on encryption. Although they’ve beefed up their service to include encryption for files on their servers and in transit, they don’t offer any kind of protection for files on user computers. More importantly, Dropbox has both user data and passwords on-hand; other services like SpiderOak say they keep no readable version of this information on their machines. This means a Dropbox leak could have happened at either the user end or if hackers gained access to company servers — Dropbox maintains this never occurred.

Pointing the Finger

When news of the leak went public, Dropbox reset all user passwords. Then, they released a statement to Techly, saying “Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts.” These “other services” remain a mystery, however, since Dropbox has no idea where the credentials came from. The service does say that most of the passwords posted were already expired, and a follow-up post on the company’s blog shifts some of the blame to users, saying “we strongly encourage users not to reuse passwords across services.”

So what’s the final verdict? Was Dropbox really hacked? As it stands, the answer appears to be “no” — and even if it were true, no one seems interested in paying for more leaks, since donations to the hacker’s Bitcoin address are stalled at around five cents.

But here’s the thing: real or fake, from Dropbox or some other site, this leak speaks to a common concern. Is your data ever really safe?

Not Exactly Rare

Dropbox isn’t alone in the cloud breach gang. Who can forget the recent iCloud celebrity picture thefts or “The Snappening”, which saw thousands of illicit Snapchat photos and videos posted online? Some critics have taken to calling out users for trusting cloud services in any form, and certainly the Snowdens of the world agree: keeping all of your data offline is the safest possible option.

It’s also a tall order. We’ve become accustomed to on-demand file sharing, instant access to photos, videos and all manner of communication. Asking the average user to stop using cloud services is like asking them to put down the smartphone and have a full-length dinner conversation; it could happen, but it wouldn’t be fun for anyone. And sure, services like SpiderOak offer better protection than your “typical” cloud storage provider, but given the sheer amount of data users are willing to share, save and transmit online, hackers can always find a way through.

Unless you’re anonymous. Sure, use cloud storage and shop online, but instead of doing it under your own IP address use our secure VPN service to cloak your actions from prying eyes. Think of it like a “tunnel” between your computer and the Internet at large, protected by 256-bit encryption. In effect, you’re invisible: hackers see only our IP address and no one can snoop on your Dropbox passwords or hot Snapchats, even if you’re using a public WiFi hotspot.

Did Dropbox get hacked? Maybe. Is it vulnerable? Absolutely. Don’t trust soggy cardboard; get your data a steel cage.


New documentary shining light on Snowden: Citizenfour

ExpressVNP

In May of 2013, few people in the United States — let alone worldwide — knew anything about Edward Snowden.

The mild-mannered IT security contractor and former CIA employee had the usual circle of family and friends but wasn’t exactly a newsmaker, until in June he leaked a host of classified NSA documents detailing government surveillance programs. He’s become an international symbol of the struggle for personal data privacy and control, called a villain by some and a revolutionary by others. According to the man himself, however, “I’m neither traitor nor hero. I’m an American.”

Now, a new documentary, “Citizenfour” by Laura Poitras, looks to run headlong into the firestorm created by Snowden and the NSA to show a different version of the man painted as a technology turncoat.

Citizenfour

Poitras was among the few present in Hong Kong last year when Snowden first revealed details of NSA surveillance programs. He initially reached out to journalist Glenn Greenwald, but broke off communications when Greenwald refused to encrypt his messages. Snowden then contacted Poitras after seeing her documentary about another NSA whistleblower, William Binney. Signing his emails as only “Citizenfour”, Snowden arranged a meeting with Poitras, Greenwald and Guardian journalist Ewen MacAskill in Hong Kong.

The three were understandably skeptical about Snowden’s claim, since none had any idea who he was and his claims sounded like outlandish, paranoid pulp novels. As noted by Forbes, the man was so consumed with finally giving full access to everything he knew that he neglected to give any information about himself. MacAskill says he’s never heard of Snowden, prompting the bookish young man to rattle off his resume. Again, MacAskill interrupts and says the man hasn’t even given his real name, and soon enough all three come to realize the implications of Snowden’s disclosure.

Ultimately, the film is an effort to give Snowden context, to let the man himself speak about what he’s leaked and what it means for Americans and the world at large. While the NSA wants to brand him traitor and claims he’s a Russian spy, Greenwald says “this is the first time people can see who Snowden really is. They can decide what they think about him.”

The Real Threat

So what exactly did Snowden reveal that was so damning to the NSA? It starts with information about PRISM, which gives the American government access to citizens’ Google, Microsoft and Yahoo accounts, and moves into revelations about GCHQ, the NSA’s British partner; under project Tempora, the agency intercepted private data from the fibre optic cables that form the backbone of the Internet at large, data which was allegedly shared with the NSA. In addition, Snowden disclosed that telecoms company Verizon was bound by a secret court order to hand over the phone records of millions of Americans every day. And while the US government has done its best to profile him as a traitor and defector, recent polls show 55 percent of Americans agree with Snowden’s decision to release details on PRISM and similar programs.

Dire Warnings

What of the man himself? According to Wired, he’s now living in Moscow with his girlfriend, where his temporary visa has been extended another three years. His original destination was Latin America, he says, but the US cancelled his passport while he was in Russia. And while he’s not exactly a public figure in Moscow, he does take time for the occasional “remote interview” with publications like the New Yorker. His message? Citizens need to protect their own privacy. “Get rid of Dropbox,” he says, because it doesn’t support encryption, and stop using Facebook and Google. He argues that the oft-heard refrain of “I have nothing to hide” is akin to giving up your right to privacy: the government must justify its violation of your rights, rather than forcing you to defend them.

It’s a familiar song from a (now) recognizable face: users are legitimately concerned about their privacy online and how vulnerable they may be to secret government programs, malicious attackers or even corporations. One solution is a secure VPN. Browse wherever, whenever and with the peace of mind that the only IP address hackers or governments will ever see is ours: you keep your right to anonymity, we give you the speed and worldwide access you want.

Love him or hate him, Snowden has a point: Never surrender your right to privacy.
