Worried about the Ashley Madison hack? You should be

ExpressVNPashley madison hacks

ashley madison hacks

The first thing you see when you visit Ashley Madison, the Internet’s go-to adultery site, is a woman perching a finger to her lips. Unfortunately, shoddy security systems weren’t enough to keep Ashley’s confidential information a secret, with hackers successfully stealing more than 33 million users’ emails, credit card info and transaction details.


How It Happened

The hackers, known as the Impact Team, were able to obtain private data from both the site’s users and owners and said they would publish the information unless Madison’s parent company, Avid Life Media (ALM), would shut down its various sites. The hackers claimed ALM was intentionally deceiving its customers by not only creating fake profiles but also refusing to delete its existing ones.

ALM did not comply.

The hackers responded by releasing more than 10GB worth of data in July, and then 20GB over two separate occasions in August. While the first batch of information contains users’ private information, the latest batches focus more on ALM and its employees.

Bone-Chilling Revelations

The new information isn’t good. Now that journalists have had enough time to comb through the latest data dumps, startling revelations are coming to light, including the fact that the majority of Ashley Madison’s female users were fake.

“How the few actual women on Ashley Madison must have felt” by Reddit user Dracula_in_Auschwitz

Even worse, it’s now painfully obvious ALM was not onlyaware of their security weaknesses, they did absolutely nothing to fix it.

If big-name corporations aren’t taking the proper steps to secure your private information, who will?

Why You Should Be Worried

Even if you aren’t personally connected to the Ashley Madison hack, you could still be involved. That’s because a handful of the accounts registered were done under other people’s names and emails. And on a totally different but still totally terrifying note, data aggregation firms are currently slurping up the leaked data and are actually using it to sell to other companies.

The Ashley Madison hack is a great reminder why I use my father in laws name for all my web signups

— howardlindzon (@howardlindzon) July 20, 2015

A Lesson in Internet Security

While credit card info, names, photos and email addresses of the users were leaked, their passwords, thankfully, were hashed.

Unfortunately, a number of these passwords are so weak that practically anyone can break them. Just ask security expertDean Pierce, who reportedly cracked more than 4,000 Ashley Madison passwords in just a matter of days. The two most common passwords? “123456” and “password.”

We’ll let that sit for a minute…

All jokes aside, the Ashley Madison hack is scary–not only because it shows just how vulnerable so-called “high-security” domains are but also because it uncovers a fundamental flaw: people still don’t know how to create strong passwords.

“Nobody Was Watching”

In a recentMotherboard interview, the hackers openly bragged about how easy it was to penetrate the site. According to them, “Nobody was watching. No security.”

In the same interview they also mentioned having collected 300GB worth of employee emails and other sensitive documents, meaning this may only be the beginning of the financial and legal problems for ALM.

Avoid Getting F*cked

So what can we learn from all this? Two things. First, make sure you’reusing secure passwords, and second, any site—no matter how big—may be vulnerable, so it’s important you take the right preventative measures by beefing up your own personal security.

The next time you think about using your dog’s name for your password, think again.

Could the Ashley Madison scandal finally be the wake-up call for companies everywhere to improve their IT security? Leave a comment and let us know what you think.


Hackers can remotely control your car – #WTFWednesday


You think you’re in control of your car.

You’re driving down the highway at 75mph, singing along to your favorite song, when weird things start to happen.

First, the radio station changes to something you weren’t expecting. Next, your car horn blares and your headlights flash on and off like crazy.

Finally, the power cuts out. You’re left stranded on the side of the road. Your vehicle won’t start, and you have absolutely no idea what’s going on.

That’s when you realize you have no control over your car at all But these strange goings on aren’t anything supernatural. They’re the work of hackers, and they’ve taken control of your car.

It might all sound as unlikely as a ghost story. But it’s real—real enough for Chrysler to patch its Jeep line against hacking attacks.

Have driver safety and privacy taken a bizarre turn? We’re afraid so.

Computers On Wheels

Of course, the auto industry has been going down this road for a while now. Over the last couple of decades, cars have been transforming into computers on wheels. And what are computers, if not hackable?

At first there were trip calculators and diagnostic systems. Now the latest cars from marques like Ford and Infiniti have built-in Wi-Fi, Bluetooth, and telematics systems.

Security researchers Charlie Miller and Chris Valasek have already set about exposing the vulnerabilities. “The most hackable cars had the most features and were all on the same network and could all talk to each other,” they say.

Miller and Valasek’s Research Findings

2014 Infiniti Q50

The 2014 Infiniti Q50 was highly vulnerable to hacking, because its telematics, Bluetooth, and radio functions are on the same network as the engine and brakes. This makes it easier for a hacker to take control of the vehicle itself.

2014 Jeep Cherokee

In the 2014 Jeep Cherokee, “the radio can always talk to the brakes.” This allowed them to remotely kill a Jeep driving at 70 mph in a live test for Wired magazine.

2010 Ford Escape & 2010 Toyota Prius

The 2010 Ford Escape and 2010 Toyota Prius were hacked by Miller and Valasek in 2013. The pair were able to take control of both vehicles via acceleration, braking, steering, and more.

And these are just some of the weaknesses researchers know about.

Abysmal Security

The problem is serious enough that the US Government to taking action. In July, Senator Edward J. Markey filed a bill demanding new standards for car security.

“Cars are a major part of the Internet of Things,” said the senator. “We’ve moved from an era of combustion engines to computerized engines, but we haven’t put into place the proper protections against hackers and data trackers.”

Car security is “maybe 20 years behind” computer OS security, according to former DARPA and Google researcher Peiter Zatko. “It’s abysmal… there’s no security in cars, and the systems are wide open.”

From A Thousand Miles Away

Not so long ago, all you had to do to secure your vehicle was lock the doors.

But with automotive cybersecurity lagging 20 years behind, intruders now have a new way to get inside your car.

By hacking General Motors’ OnStar telematics system, researchers from the University of Washington were able to remotely control GM vehicles from a thousand miles away back in 2011.

More new exploits are coming, and things will probably get a lot worse before the car industry catches up its cybersecurity game.

So if you think you’re in control of your car, think again. Thanks to the auto industry’s cybersecurity failings, a hacker could get in at any time.

This is #WTFWednesday, our in-depth look at the cyber-security and data privacy stories you need to know about. Have a friend who you suspect might be the target of car hackers? Share this story with them!


ExpressVNP’s #WTFWednesday brings you weird, shocking, and creepy stories about data privacy—pulled straight from the news. Think your privacy is yours? Think again. You will feel uncomfortable. You will be outraged. You will think, “WTF?!”


Like this post? Hate it? Read more horror stories about the invasion of your privacy in our #WTFWednesday archive.


AT&T happy to help NSA spy on millions

ExpressVNPat&t helps nsa

When Edward Snowden told the world the NSA had friends in the American telecom industry, he didn’t name names. Nor did the documents he released mention any specific companies. But thanks to a recent investigation by ProPublica and the New York Times, the identity of the NSA’s most valuable partner in the business has been revealed: it’s AT&T.

“Extreme willingness to help”

The investigation reveals AT&T not only complied with NSA data requests, they were “highly collaborative”  and showed “extreme willingness to help” with the spy agency’s mass surveillance on American communications. The documents reveal this partnership to be one of the the oldest in the NSA’s history, beginning in 1985 shortly after AT&T became its own company.

The news is no doubt shocking to many of AT&T’s millions of customers. But to those who remember a certain report from 2006, these recent revelations are simply a confirmation of a long-held suspicion.

That report, published in 2006 by Salon and Wired, comes from former AT&T technician Mark Klein, who attempted to blow the whistle on a series of “secret rooms” installed by the NSA in AT&T facilities. The report claimed these rooms contained equipment that tapped into high-speed fiber-optic circuits through which “every individual message on the Internet” passed, feeding its contents straight to the NSA.

No one’s data is safe

“Every individual message on the Internet” may sound like a gross exaggeration, but it’s probably closer to the truth than you think. Klein also claimed AT&T’s corporate relationships with other providers routinely filter their traffic through the same circuits that the NSA taps in their secret rooms, meaning just because you’re not an AT&T subscriber doesn’t mean your emails haven’t passed through their hands.

Klein has been largely forgotten in the almost 10 years since his first public statement. But this new analysis of the NSA documents has more or less completely vindicated him.

Old evidence, new analysis

So why did it take several years for Snowden’s documents to reveal AT&T as the NSA’s prime ally? The leaked documents never mention AT&T by name, instead using the code name “Fairview” to describe their partner organization.

The authors of the investigation also published a walkthrough of their path through the “breadcrumbs” on the trail of evidence that led them to establish AT&T as the true partner. These breadcrumbs include:

  • ? The date August 5, 2011. An NSA newsletter claimed data collection resumed on this date following an outage caused by an earthquake. According to the Japanese station servicing that area, only one cable was put back into service on that date, and according to the FCC that cable is operated by AT&T.
  • ? Proprietary acronyms. Descriptions of Fairview programs in NSA documents use the terms “SNRC” and CBB”, which ex-AT&T employees confirmed is jargon specific to AT&T.
  • ? U.N. contracts. Internal documents revealed the NSA tapped fiber-optic data from the U.N. headquarters with the help of Fairview. Separate records indicate AT&T operated the U.N.’s fiber-optic network at the time.

AT&T’s response

In response to the findings, Reuters quoted a representative from AT&T:

We do not voluntarily provide information to any investigating authorities other than if a person’s life is in danger and time is of the essence. For example, in a kidnapping situation we could provide help tracking down called numbers to assist law enforcement.

“Not voluntarily” is hard to reconcile with “extreme willingness to help”. Clearly someone isn’t telling the truth, or maybe the representative is actually just clueless. One has to wonder how many AT&T employees are even aware of the secret partnership. In any case, it is certainly within AT&T’s best interests to downplay the relevance of this story.

Are we even surprised?

It’s hard to shock the public anymore when it comes to the extent of the NSA’s reach. The real news story here isn’t that your emails are being tapped, or that AT&T is the culprit. It’s that at least a few AT&T employees did it with smiles on their faces.

From a practical standpoint, you should assume that any message you send over the Internet can be intercepted by corporate or government spies, regardless of whether you’re an AT&T customer. That’s why encryption is important. You can’t stop your data from being collected, but you can make it very difficult to read.


Featured image: iko / Dollar Photo Club


Windows 10 has weak default privacy settings

ExpressVNPwindows 10 lacks privacy

Windows 10 is here. Generations of Microsoft users have learned to be wary of major upgrades, but this one has a tidal wave of buzz behind it. Users are hungry for insights to help them decide whether to upgrade now or wait for improvements. And depending on who you listen to, Windows 10 is either the best operating system Microsoft has ever designed, or a total privacy nightmare. So which is it? The answer is… yes.

If it seems too good to be true…

Most reviews of Windows 10 are positive. The popular Start menu is back after a notorious absence from Windows 8. Gone are the frustrating separate tile interfaces for desktops and tablets. Xbox integration makes it easy to connect a controller and play straight from your laptop, even over Wi-Fi. Aside from some complaints about the new Edge browser and scattered crash reports, Microsoft’s new operating system is by most accounts a successful realization of their decades-long dream of a clean, enjoyable experience consistent across all devices. The best part? It’s FREE!

Free, but at a cost

The motivation for Windows 10’s unbeatable price tag becomes obvious once you discover its tendency to send personal data back to Microsoft even when it has no apparent reason to do so. This would be troublesome enough were it just part of the OS’s default privacy settings, but some users report that even with all apps that might ostensibly need to communicate with Microsoft switched off or disabled, Windows 10 still does send Microsoft your data as soon as you hit the Start button.

For some, that’s a small price to pay for the speed and responsiveness that only Microsoft’s central servers can provide. After all, users have come to expect their software to adapt to their own personal behavior, which is impossible to do without Microsoft recording that behavior and sending it “back to the lab”. But for others, the costs of Microsoft’s privacy policy are too great to bear, especially when it comes to how the corporate giant uses the data:

We share your personal data with your consent or as necessary to complete any transaction or provide any service you have requested or authorized. We also share data with Microsoft-controlled affiliates and subsidiaries; with vendors working on our behalf; when required by law or to respond to legal process; to protect our customers; to protect lives; to maintain the security of our services; and to protect the rights or property of Microsoft.

Consent of the cloud-networked

Unfortunately for privacy-conscious users, “with your consent” would be more accurately described as “unless you tell us not to” because most of the data-collecting features are enabled by default.

Concerned users should avoid Microsoft’s recommendation to select the “Express” option during setup — which, among other things, allows third parties to send you ads based on the data Microsoft collects — and instead use Slate’s guide to configuring Windows 10 for maximum privacy.

All this data collection may not seem like anything new to jaded Internet users, but it’s something of a change of pace for Microsoft, a company previously famous for downplaying cloud services and focusing on self-contained software. With Windows 10, Microsoft has officially joined Apple and Google in the age of cloud-based computing. Gone are the days when you had to open a web browser to “sign on” to the Internet. Microsoft’s new generation of users are signing onto the Internet — wonders and dangers alike — from the moment they open their computer.

If you’re concerned about what information Windows 10 is collecting, good VPN software can help protect your privacy.


Featured image: esebene / Dollar Photo Club


He ate a tablet to avoid police arrest – #WTFWednesday

ExpressVNPman eats ipad

Usually when you swallow a tablet, it’s for medicinal purposes. You feel better afterwards.

But for one man in St. Petersburg, Russia, eating a tablet meant chowing down on something more of the computer variety. And pretty soon afterwards, he was as dead as a PepperPad.

With the police at his door, the man faced a deadly decision. He could allow the police to arrest him. Or he could take action. Unfortunately, the action he chose was a little severe: he ate his tablet—screen, circuit boards and all. (Note: Sputnik News cheekily reports: “It is unknown whether the deadly device was Android or Apple.”)

How on Earth did it come to this?

Police Report

It all started at around 5pm one quiet Sunday in June, reports the Moscow Times. Neighbors heard the man throwing large objects out the window of his apartment in Parnas, in the north of St. Petersburg, including his own furniture.

Russian police were soon on the scene.

“A 41-year-old unemployed man was found in the apartment, who resisted arrest when apprehended by police, after which he continued to conduct himself inappropriately,” said a police statement.

After the police arrived, the man—who hasn’t yet been named—started to eat the device.

It’s not clear from the report what caused the man most damage—eating the tablet, or the police’s interventions. The report continues:

The officer at the scene stopped the action (eating the tablet), in the course of which he received bodily injury… The officer immediately called for the emergency services. The man lost consciousness and died before the arrival of the medics.

How Far Would You Go?

An investigation is now underway into what really happened.

Maybe he was mentally ill. Maybe he just really didn’t want to be arrested. Or—speculating here—maybe he was a private citizen who didn’t want the police to access whatever was on his tablet—so passionate that he was willing to die to protect his own privacy.

It isn’t a course of action we at ExpressVNP would ever recommend, and our thoughts go out to his friends and family.

But if this man did indeed eat his tablet to protect his digital privacy, then that gives us some food for thought. How far would we go to protect our own privacy?

You’ve been reading #WTFWednesday, our weekly close-up on bizarre stories related to your digital privacy. If you know someone who’d find this story tasty, why not share it?


ExpressVNP’s #WTFWednesday brings you weird, shocking, and creepy stories about data privacy—pulled straight from the news. Think your privacy is yours? Think again. You will feel uncomfortable. You will be outraged. You will think, “WTF?!”


Like this post? Hate it? Read more horror stories about the invasion of your privacy in our #WTFWednesday archive.


Friends don’t let friends browse the web unsecurely




Love ExpressVNP?

Sharing is caring! Refer a friend and you both get 30 FREE days!
Help your friend, BFF, or frenemy stay secure and private online today.

So how does it work? EASY!


Step 1: Sign up for ExpressVNP

(if you have not yet already)

Signing up is super fast and easy! All plans are covered by our no-hassle, no-questions, 100% 30-Day Money-Back Guarantee.



Step 2: Refer your friends

We’ll give you a unique referral link to share with your friends. There are no limits to how many referrals you can make!


Step 3: They sign up for ExpressVNP

Once your friend signs up, you’ll get notified and we’ll reward you both with 30 free subscription days!



Step 4: You each get 30 days for free!

Once your friend signs up, you’ll get notified and we’ll reward you both with 30 free subscription days!



So basically…



What are you waiting for? A friend in need is a friend without ExpressVNP.



Reddit? Russia says forget it

ExpressVNPrussian reddit ban

If you’re looking for no-holds-barred Internet discussion, Reddit is a good place to start. Along with threads discussing virtually every subject known to man—both SFW and NSFW—the site also hosts “ask me anything” (AMA) discussions, allowing redditors to engage in lively discussion with celebrities, technology experts, and revolutionaries alike.

In Russia, however, it seems that Reddit user “rsocfan” went a little far, because the country’s media oversight and censorship agency, Roskomnadzor, has blocked a number of pages for his how-to discussions about growing Psilocybe mushrooms.

Rules and Regulations

Russia isn’t exactly known for accepting non-conformist Internet opinions. As noted by the BBC, for example, any bloggers in Russia with more than 3,000 followers must register with the government and follow the same rules as mass media outlets. The Washington Post describes this situation faced by bloggers “in theoretical violation of the law at all times”; popular Russian bloggers live in fear that they could potentially face punishment if authorities decide to crack down on them. And in recent months, Roskomnadzor has been busy issuing stern warnings to sites like Facebook, Google, and Twitter if they don’t comply with Russian data-handling laws.

Now Reddit is in the crosshairs thanks to a post made two years ago about growing illegal drugs. In a recent Reddit thread—”TIFU by getting Reddit banned in Russia” in the TIFU (Today I F—ed Up) subreddit—original poster rsocfan explains how he got Reddit banned in Russia. He had made the post about mushrooms to see how Roskomnadzor would respond, since the agency technically has the authority to block any website without court approval.

And while Roskomnadzor was slow to move, the media oversight agency eventually caught up, read the post, and demanded that Reddit admins block the offending content for Russian users.

When Roskomnadzor received no immediate response from Reddit, the agency banned large sections of the site. Many Russians were unable to access Reddit all together, because approximately one third of the country’s ISPscan’t properly filter content blocks based on the HTTPS protocol.

This prompted a response from the Reddit site administrators, who did not want their Russian users to lose access to their site. A day after the blacklist began, it was lifted when the site admins contacted Roskomnadzor and agreed to their terms. The offending post is now blocked for users in Russia.

Original poster rsocfan loves the irony of the whole incident. The offending thread hadn’t attracted much interest when he first posted it, but this entire censorship incident thrust it into the spotlight. In effect, Roskomnadzor drew attention to the very thing it was trying to hide!

Curating Content

Over the past few years, Roskomnadzor has been slowly chipping away at citizen Internet freedoms by mandating blogger registrations, along with *** site owners responsible for anything posted in the comments sections of their websites by other users. Some organizations have closed their forums all together, while others have hired moderators to sniff out any “extremist” content.

The agency has also taken several bloggers to court—Alexey Navalny had his blog blocked and was handed a suspended sentence for calling a “protest rally”, triggering a response from the Attorney General’s Office that ordered Roskomnadzor to ban his blog and start legal proceedings.

But the Russian government isn’t the only large organization curating Reddit content. As noted by a recent article in The Verge, the site itself is also taking a harder line with forums deemed offensive or inappropriate. In July, Reddit announced that specific communities which existed “solely to annoy” would no longer be searchable and would not generate any revenue for the company.

Now, CEO Steve Huffman says they’re banning the most offensive of these forums and quarantining others that “generally make Reddit worse for everyone else.”

So what’s the difference here? If Reddit, like Russia, gets to decide what users can access, aren’t they exercising some powers of censorship, too? Huffman’s take on the subject sheds some light: “banning is like capital punishment. We take banning very seriously, which is why it takes so long for us to do it.”

Contrast this with Roskomnadzor, which looks to ban users and posts for even small infractions and without the need for outside approval. It’s quite apparent that Reddit acts when necessary—for the greater good—while many government agencies act seem to act at random.

Bottom line? If you’re in Russia and live on Reddit, get a VPN or other proxy gateway since it’s a safe bet Roskomnadzor won’t be signing up for an AMA any time soon.


 Featured image: (1) ravennka / Dollar Photo Club, (2) Psilocybe.tampanensis.one by Workman is licensed under CC BY-SA 3.0 (images have been combined and modified)


Mac users vulnerable to adware and worse while Apple procrastinates on bug fix

ExpressVNPmac adware is rotten

Malware might still only be a minor threat to Mac users, but adware continues to grow like a plague. The latest exploit comes in the form of a Trojan horse posing as a download utility.

The virus attacks a recently-discovered vulnerability specific to systems running OS X Yosemite. It modifies a file called sudoers, giving all users—including guests—the privilege to write files and install new programs without requiring a password. Once that’s done, it installs adware and junkware, opening the door to pop-up ads and other pests. It’s not exactly threatening, but it is irritating.

Luckily, adware seems to be the extent of the danger so far, and this is the first known exploit. Hypothetically, more malicious hackers could use the lack of password protection to install much more harmful malware, according to Malwarebytes’ Thomas Reed.

Apple has patched the vulnerability in the beta versions of Yosemite and its upcoming major release, El Capitan, but the update isn’t yet available for non-beta users. Until then, the best way to avoid it is to be cautious of what you download.

Does this look infected?

Once the virus has root permissions on the host computer, it runs the VSInstaller app, which in turn installs the VSearch adware. Typically, this adware turns certain words into hyperlinks or displays pop-up ads. If you think you might be infected, find instructions for removing it here.

The virus will also install a variant of an adware called Geneio and junkware dubbed MacKeeper, which you can find removal solutions for here and here, respectively.

Lastly, the virus directs the user to download the Download Shuttle app—a download accelerator and manager—on the App Store.


The flaw in Yosemite was first disclosed to the public by German researcher Stefan Esser last month. Esser has received some scorn for allegedly blogging about the vulnerability before alerting Apple.

The exploit reflects poorly on Apple, who created the zero-day bug when adding new error-logging features to Yosemite. Worse yet, Apple failed to act after being alerted to the vulnerability by another researcher who goes by the Twitter handle @beist prior to Esser’s release.

A bit depressing when you see someone releases bugs you also found but you keep quite as you reported it to vendor, you wanna be good. #fail

— beist (@beist) July 22, 2015

Now that the first known exploit is already spreading, Apple is left with little excuse as to why its users aren’t protected.

Esser created a software tool to protect against the exploit, but seeing as he was the person who drew adware scammers’ attention to the bug in the first place, not everyone trusts him. You can find his fix here, but be wary that it isn’t sanctioned by Apple.

Adware epidemic

Adware is becoming more and more prevalent on Macs because it often goes undetected by antivirus programs. In the 2014 Security Bulletin from Kaspersky Labs, nearly half of the top 20 most common threats designed for OS X were adware programs.

“As a rule,” the report reads, “these malicious programs arrive on users’ computers alongside legitimate programs if they are downloaded from a software store rather than from the official website of the developer.”

Once installed, adware adds advertising links in web browsers’ bookmarks, causes pop-up ads, and changes the default search engine, among other behaviors. Even if an antivirus program spots and deletes the original adware installer files, the infection will likely have already spread.

Try ExpressVNP for Mac for better Internet security and privacy.


Featured image: Vidady / Dollar Photo Club