How, why and whether to enter the new VPN war zone – The Stack

A Virtual Private Network (VPN) is not an easy concept to understand or, once understood, to explain. The name is far from self-explanatory, and renaming it to something more approximate to what it is most popularly used for these days – such as ‘Online Country Changer’ – does not respect, for instance, the legitimate ways that businesses use VPNs - often to connect to locations only ten feet away.

In attempting to describe what a country-spanning VPN does, I recently resorted to the metaphor of having one’s windows replaced so that they provide a view of a different country than the one in which they’re actually situated. It’s not a bad metaphor, but I could tell from the response that I was still describing something ‘indistinguishable from magic’; something, perhaps, only available to 300-pound basement-dwelling darknet geeks who deal with the internet exclusively from a Linux command line.

Consider instead that the cable connecting your computer to the internet is probably about six feet long, more or less - even if you’re using Wi-Fi, since your router has to run a wire into the wall.

Now imagine (assuming you are in the UK) that the cable is 3000 miles long and doesn’t start connecting to the internet until it reaches, say, New York.

VPNs send all your network traffic through an encrypted tunnel (‘usually’ encrypted, since some of the older protocols can run without it) which terminates at a server physically located in the target country, and that is where all your browsing will appear to come from.

While the VPN is up, your ISP sees only a single encrypted stream between your machine and the VPN server: it cannot read which sites you visit or what you send, provided nothing leaks around the tunnel. The usual leaks are DNS queries that still go to the ISP’s own resolver and IPv6 traffic that a poorly configured client leaves on the normal interface, so checking for both is the first thing to do after connecting. The ISP can still usually tell that it is a VPN connection, despite the encryption: it sees the destination IP address, which may well be known to belong to a VPN provider, and the port and protocol in use (OpenVPN on UDP 1194, IPsec’s IKE on UDP 500 and 4500, PPTP’s TCP 1723 plus GRE, for example), and the traffic pattern itself can be fingerprinted. But that is all the ISP can know about a VPN user’s activity.

Business use of VPNs

In business use of Virtual Private Networks, the distances traversed can be a great deal less than intercontinental – as little as the next office along. A company’s Human Resources department holds information so sensitive that its network segment is often walled off from the rest of the company’s intranet to shield it from general network attacks and potential data breaches. Since authorised users outside that segment will still occasionally need access, a remote-access VPN gives them an authenticated, encrypted path in without opening the segment up to everyone else on the intranet.

Site-to-Site VPN Connections are also used to create common company or corporate intranets even when the disparate departments are in different geographical locations.

VPN security protocols and Multihop routing

VPNs have various – and variously criticised – methods of security, starting at ‘none’. One of the oldest is the Point-to-Point Tunnelling Protocol (PPTP), pushed by Microsoft and its partners in the Windows 95 era. PPTP itself provides no confidentiality: it sets up a TCP control connection (port 1723) and carries PPP frames inside GRE packets, and neither TCP nor GRE encrypts anything. Encryption, where it is switched on, comes from Microsoft Point-to-Point Encryption (MPPE), whose keys are derived from MS-CHAPv2 authentication, and both have known weaknesses: a captured MS-CHAPv2 handshake can be cracked offline, after which the session can be decrypted. Despite its age and flaws, the protocol’s ubiquity – a consequence of who created and distributed it – keeps it in the business market.

Better VPN security is provided by Transport Layer Security (TLS), the successor to the now-deprecated Secure Sockets Layer (SSL), on which OpenVPN and the various ‘SSL VPN’ products are built. The TLS handshake at the start of the connection uses X.509 certificates to authenticate the server (and, in most VPN deployments, the client as well) and negotiates the session keys; that trust holds for the life of the session. Whether the client actually checks the server’s certificate against a trusted CA, rather than accepting whatever it is offered, is what separates a real TLS VPN from decoration.

IP security (IPsec) is a suite rather than a single protocol: IKE negotiates the keys and ESP encrypts and authenticates the packets, and it can run on its own in tunnel mode (IKEv2, as in most modern mobile-OS and site-to-site VPNs). As with PPTP, Microsoft’s support – notably its integration with Active Directory – secures its place, and it is most often met in the form of L2TP/IPsec, where the Layer 2 Tunnelling Protocol provides the tunnel and user authentication (L2TP itself encrypts nothing) and IPsec in transport mode supplies the confidentiality.

VPNs which offer ‘multihop’ routing add a further layer of anonymity by passing your traffic through a second VPN server, so the exit IP address that the sites you visit see is not the one your ISP saw you connect to. This does not mean the sites you connect to won’t know you are using a VPN, since every IP address the provider uses may well have been catalogued as such already; but it does mean your own ISP can provide no clue at all where you went after you disappeared into the ‘last-known’ IP address it saw. It’s the digital equivalent of ‘losing a tail’ at the lights.

The cost of chaining one VPN connection into another in this way is latency, something Tor users (see below) must also contend with, since the Onion Router network passes their traffic through a circuit of three relays (each with its own IP address) in order to obscure its origin.

Can you trust your VPN provider?

Since a significant portion of potential customers want anonymity online, for whatever reason, VPN providers frequently claim to offer ‘logless’ browsing. With several qualifications, this isn’t completely possible: a provider that runs its own DNS resolvers sees every name you look up, and one that enforces ‘data caps’ must at least keep per-account usage counters, which are a form of logging even if no per-connection record is ever written.

Anyone who has ever delved into web-centric servers and OSes such as CentOS knows the enormous extent to which logs are generated by default for practically all network actions; even if one restricts the output or later deletes it, the very least a VPN provider has to do is to know that you are using the service, because it has to assign you to an IP address. Since that IP address communicates with other services that likely have zero commitment to log-deletion, it is not possible to guarantee ‘anonymous browsing’ at all times, even where the VPN provider is honouring their commitment to a ‘zero knowledge’ service.

It has been noted that various VPN providers’ promises are frequently at odds, to a greater or lesser extent, with their terms and conditions, offering ‘anonymous surfing’ whilst explicitly stating in the SLA that they will respond to instances, for example, of copyright infringement by cancelling the user’s account – which effectively makes the provider an ISP once-removed.

In 2011 popular UK-based web proxy HideMyAss cooperated with a court order demanding information on a suspected member of the LulzSec hacking team, and was in possession of perfectly adequate records to secure an arrest for the target.

This year TorrentFreak published a list of 53 VPN providers that responded to the site’s questions about what information they log and keep, and it is interesting to note how many of these have ‘internal procedures’ for complaints against the service which would seem to defy the companies’ avowal of amnesia.

Installing a VPN, and falling foul of ‘migrated’ online identity

I use a VPN myself, provided by a company called Private Internet Access (there’s no endorsement intended, though I am not generally unhappy with the service provided – it is simply the only VPN to date that I have ever personally arranged for myself). Costing £25 a year, the installation is provided, to Mac users at least, via a mountable DMG file which installs the software and later provides a drop-down menu by which one can select a ‘country of apparent residence’.

One’s earliest days in VPN-land are fraught with anomalies. Some of them are quite alarming, such as accidentally attempting to log in to your online banking ‘from America’ when your bank knows that you withdrew £20 from a cash machine in London only two hours ago. That kind of thing, be warned, can get your cards frozen.

Automated web services will feed you content based on your apparent IP address, which obviously is going to be associated with the country you chose to browse from. Weather reports suddenly become wildly inaccurate, whilst ads amusingly begin to target a resident of your ‘adopted’ locality, and you find yourself being offered fewer bargain umbrellas and more sun-screen. Depending on your VPN provider, certain protocols may behave erratically or become unavailable; in my case I cannot use FTP whilst connected via VPN, though it is easy enough to turn the VPN off for the duration of an FTP task.

Additionally you’ll find that a whole host of your favourite sites run geographical franchises worldwide in order to leverage geo-based advertising. Hence you’ll often be redirected to a version of a favourite site that is associated with the country you chose for your VPN. Depending on which one that was, the site may not necessarily be in English any longer. On a positive note, this is an easy way to see the more robust and content-rich American versions of sites which attempt to shunt UK viewers into an ad-specific ghetto version. But we’ll return to ‘geoblocking’ shortly.

A cheap and quick way to dip one’s toe in the waters of VPN is to try out the various web-browser plugins that enable proxy surfing on a per-browser basis, such as Hola Better Internet for Google Chrome. Bear in mind that a browser proxy covers only that browser’s traffic, not the rest of the machine, and that Hola in particular is peer-to-peer: other Hola users’ traffic exits through your connection. More advanced proxy users can configure their Firefox experience with FoxyProxy, in either the standard or the less intimidating basic version. More cutting-edge Firefox users can also try out the fledgling Free Proxy List add-on, which lets users switch between the constantly emerging free proxies available at Proxy List.

Committing to VPN

Those enamoured of VPN life can commit to it very deeply if they want. At the simplest level one can configure a VPN to run on start-up, and to disconnect the computer from the internet whenever the VPN connection itself is shut down. Negatively this gives you nowhere to go if the VPN service itself should succumb to technical difficulties temporarily, and may cause some confusion as to whether the VPN or your ISP’s connectivity is at fault in the event of an outage.
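The ‘disconnect everything when the tunnel drops’ arrangement described above can be checked and enforced from the command line. What follows is an added example of mine, not code from the article or from any VPN provider: it parses a constructed copy of the Linux `ip route show` table to confirm that the default route really does go through the tunnel interface, and emits an nftables ruleset that drops anything not bound for the tunnel, the LAN or the VPN server itself, so that a dropped tunnel fails closed instead of falling back to the ISP. The interface name tun0, the server address 203.0.113.10, UDP port 1194 and the LAN range 192.168.1.0/24 are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample of `ip route show` output on a Linux client after an
# OpenVPN session with "redirect-gateway def1" has come up: the two /1 routes
# via tun0 are more specific than the original default route and so win.
# Assumed addresses: VPN server 203.0.113.10 (RFC 5737 documentation range),
# tunnel network 10.8.0.0/24, LAN 192.168.1.0/24.
SAMPLE_ROUTES_VPN_UP = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
203.0.113.10 via 192.168.1.1 dev eth0
"""

# The same machine after the tunnel has dropped: only the ISP default route.
SAMPLE_ROUTES_VPN_DOWN = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
"""

_ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?: via (?P<gw>\S+))? dev (?P<dev>\S+)")


def parse_routes(text):
    """Parse `ip route show` lines into (network, device) pairs."""
    routes = []
    for line in text.splitlines():
        m = _ROUTE_RE.match(line)
        if not m:
            continue
        dst = m.group("dst")
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst,
                                   strict=False)
        routes.append((net, m.group("dev")))
    return routes


def egress_device(routes, address):
    """Longest-prefix match: the interface that would carry a packet to address."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def vpn_covers_default(route_text, tun="tun0", probe="198.51.100.1"):
    """True when an arbitrary public address (a documentation-range probe here)
    would leave through the tunnel interface rather than the physical NIC."""
    return egress_device(parse_routes(route_text), probe) == tun


def kill_switch_ruleset(vpn_ip, vpn_port, tun="tun0", lan="192.168.1.0/24",
                        proto="udp"):
    """Return an nftables ruleset that fails closed: outbound traffic is only
    allowed to loopback, the LAN, the VPN server's own endpoint and the tunnel
    interface. With the tunnel down, everything else (including DNS to the ISP
    resolver, the classic leak, and IPv6 outside the tunnel) is dropped rather
    than sent in the clear. Load with `nft -f`, remove with
    `nft delete table inet killswitch`."""
    return "\n".join([
        "table inet killswitch {",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        '    oifname "lo" accept',
        f"    ip daddr {lan} accept",
        f"    ip daddr {vpn_ip} {proto} dport {vpn_port} accept",
        f'    oifname "{tun}" accept',
        "  }",
        "}",
    ])


if __name__ == "__main__":
    for label, table in (("up", SAMPLE_ROUTES_VPN_UP),
                         ("down", SAMPLE_ROUTES_VPN_DOWN)):
        print(f"tunnel {label}: default route via VPN = {vpn_covers_default(table)}")
    print(kill_switch_ruleset("203.0.113.10", 1194))
```

Because the output chain’s policy is drop, name resolution has to go through the tunnel too; if a lookup hangs with the rules loaded, that is the leak being stopped, not a bug. The route check is also the quickest way to settle the ‘is it the VPN or the ISP?’ question the paragraph raises: if the tunnel routes have gone, it is the VPN.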

That notwithstanding, you can go even further and configure your router to connect via a VPN by default. This is a marginal practice, but gives the advantage of supplying the security of a Virtual Private Network to any network-enabled device – such as smartphones, consoles or IoT devices – which accesses the internet via Wi-Fi.

DD-WRT provides a Linux-based open source router firmware framework through which you can truly take charge of a consumer-level router, configuring it to connect to your VPN provider by default. This involves flashing the factory firmware on a device that is not necessarily inexpensive, and needs to be approached with a sensible level of research and preparation. Broadcom-based routers can also be similarly mastered with Tomato’s slightly scary firmware replacement.

Committing to VPN connectivity to this degree is likely to be undertaken more for reasons of online security than geographical flexibility, since most users will need to be identified as resident in their own country in order to use banking services and local services which employ geoblocking (such as BBC’s iPlayer, for UK residents), among others. That said, there’s no technical reason not to launch a second, country-specific VPN connection on top of a same-country VPN tunnel for those occasions where you want to browse from a specific geo-locale for a while. However, latency is likely to be something of an issue in these circumstances - perhaps a chronic one if using Tor on top of all this.

VPNs in the news

VPN uptake at a consumer level is becoming a ‘war zone’ because issues about its use are commingled with The State’s current determination that a secure internet not prevent legitimate state authorities from gaining access to information about individuals who may be the subject of its investigations.

In March the tension between China and the West over post-Snowden surveillance revelations, prompted by a series of NSA-related scandals, led China to demand back-door access in any western technology imported either as a product or a service, a move that would make VPN usage in China problematic, or at best insecure. Since these severe measures are not yet in place, China is trying numerous other tactics to ‘uncloak’ VPN users, including JSON-based JavaScript exploits and blocking or degrading VPN throughput.

In Australia the Copyright Amendment (Online Infringement) Bill 2015 is thought by many privacy advocates to be an opportunity for the government to criminalise VPNs, despite rumours of an amendment that may exclude Virtual Private Networks from the scope of the act. But Australia is currently in the vanguard of pro-security legislation which does affect VPN services, and instructed Australian ISPs in April to stop offering VPN services, on the basis that they were being used to circumvent geo-blocking (of which, more below). The last few holdouts against this proscription have just crumbled.

Though some advise running Tor over a VPN as an additional safeguard, several of the countries where confidentiality is most critical either block, attempt to block, or monitor (or attempt to monitor) encrypted protocol tunnelling – Iran, periodically, among them.

Russia is taking an increasingly aggressive stance against VPN usage, at least as it applies to the general public, and has even actively blocked a website that provided information about VPN blockades in Russia, and also provided advice on installing VPNs. Though privacy advocates wonder if Russia will really be able to block ‘unauthorised’ VPNs, the Russian administration has committed itself to trying.

VPNs in the firing line over geoblocking and regional licensing

Since the entire world economy is currently predicated on the different traction between national currencies, and since global businesses have to accommodate their prices to the consumer potential of individual economies, it isn’t surprising that VPNs, with their ability to level this playing field and at least partially circumvent regional restrictions, are becoming increasingly controversial as they apparently emerge from the edge into the mainstream. In 2013 Electronic Frontier Foundation member and privacy advocate Nick Pearson wrote in the Washington Post that his online privacy platform IVPN had seen a 56% upsurge in VPN sales in the wake of the Edward Snowden revelations.

Interestingly Google searches for ‘VPN’ were actually in decline for a long time before Snowden, and the opaque nature of the subject has not affected the search results trend for the term as much as some have estimated.

However this provides no information in itself about VPN uptake, whilst a similar look at the term ‘download Tor’ indicates a decided upward swing for the ‘secure’ browser, built on onion routing originally developed at the US Naval Research Laboratory to protect US government communications. Tor is not a VPN, though it serves many of the same ends for its users – and it is not quite as secure as many once imagined.

Imagined or not, VPN usage as related to the circumvention of geo-restrictions has come into unusual focus in the last two years.

A fresh Wikileaks dump of the emails harvested by hackers in late 2014 has recently revealed that Sony Pictures lobbied online streaming provider Netflix to tighten up its famously relaxed stance on the numerous (subscribed and paying) users who employ VPNs to access Netflix territories outside their own. Sony Pictures’ president of Distribution Keith Le Goy wrote in one of the highlighted mails: “We have asked Netflix to take steps to more closely monitor circumvention websites, and to restrict methods of payment to more clearly weed out subscribers signing up for the service illegally. This is in effect another form of piracy -- one semi-sanctioned by Netflix, since they are getting paid by subscribers in territories where Netflix does not have the rights to sell our content.”

Since the U.S. version of Netflix has considerably more content than any of its continental annexes around the world, and since many of its customers are presumably only paying for the service because they can ‘work around’ regional restrictions in this way, the prospect of Netflix banning VPN geo-dodgers would be a major company decision affecting profitability.

VPN usage to address ‘net neutrality’ speed-bumps

One interesting use for a VPN is to circumvent protocol-based traffic-throttling by your ISP, particularly if you’re using Verizon to watch video streaming services such as Netflix in the United States. Since the protocols, ports and destinations you’re using are hidden from your ISP whilst the VPN is up, it can’t single out Netflix or Hulu for throttling, because it doesn’t know for sure that you’re using them; what it can still do is throttle the whole VPN connection, as the Chinese example above shows. Likewise BitTorrent traffic can’t be identified, blocked or logged by the ISP. In the case of Hulu, however, that won’t be the last of your hurdles, since it takes a far more aggressive attitude to off-country VPN stowaways than Netflix currently does.


The role of proxies and protocols in malware investigations – We Live Security (blog)

A lot of people associate online anonymity with Tor, but it is a much broader subject than that, and it does not relate only to privacy while browsing. In this post we will look at some of the key concepts to keep in mind when analysing malware, because when we talk about anonymity we need to understand the role played by proxy servers and by the protocols used to communicate through them.

It’s important to be aware of these concepts, because when someone is trying to establish an anonymous connection these are the fundamental tools employed.

What is a proxy and what types of proxies exist?

A proxy is simply a server that acts as an intermediary in a communication. Depending on the type of proxy, the information sent by the user may be identifiable to the destination – and it may be recorded somewhere along the way.

They can be used for a variety of purposes: managing bandwidth, applying restrictions on a network (for example on downloading applications or from websites), or blocking access to certain sites, just to name a few.

Basically, a proxy sits between the client and the destination. The types most frequently encountered, ranked by how much they reveal to the destination, are:

Transparent proxy: forwards requests without altering them beyond, at most, asking the client for authentication. All requests reach the destination from the proxy’s IP address, but the proxy adds a header (conventionally X-Forwarded-For, sometimes Via as well) carrying the original IP address from which the query came, i.e. the user’s address. The destination therefore knows both that a proxy is in use and who is behind it.

Anonymous proxy: does not reveal the user’s IP address to the destination server. It may still send an X-Forwarded-For or Via header, but the address shown is the proxy’s own rather than the client’s, so the destination can tell that a proxy is in use without learning who is using it.

Highly anonymous (‘elite’) proxy: designed to give the user complete privacy; it neither reveals the client’s IP address nor adds any header that marks the request as proxied, so the traffic looks like an ordinary direct connection from the proxy’s address. This is the most sought-after type, because of the level of anonymity it offers.
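The three types can be told apart from the request headers alone, provided the test page is one you control so that you know the client’s true address. The following is an added example of mine, not code from the post: it classifies a request the way a proxy-checking page does, using constructed headers for each proxy type and documentation-range addresses (198.51.100.7 for the client, 203.0.113.5 for the proxy) that are assumptions for the example.

```python
import re

# Constructed sample: the same GET as the destination server receives it
# through three kinds of proxy. The client's real address and the proxy's
# address are documentation-range values chosen for this example.
CLIENT_IP = "198.51.100.7"
PROXY_IP = "203.0.113.5"

SEEN_VIA_TRANSPARENT = {
    "Host": "example.org",
    "User-Agent": "Mozilla/5.0",
    "X-Forwarded-For": "198.51.100.7",   # the client's own address, leaked
    "Via": "1.1 squid (squid/3.5)",
}
SEEN_VIA_ANONYMOUS = {
    "Host": "example.org",
    "User-Agent": "Mozilla/5.0",
    "X-Forwarded-For": "203.0.113.5",    # the proxy names itself, not the client
    "Via": "1.1 proxy",
}
SEEN_VIA_ELITE = {
    "Host": "example.org",
    "User-Agent": "Mozilla/5.0",
}

# Headers a well-behaved proxy uses to pass on the originating address.
FORWARDING_HEADERS = ("x-forwarded-for", "forwarded", "x-real-ip",
                      "client-ip", "x-client-ip", "true-client-ip")
# Headers that reveal the presence of a proxy without naming the client.
PROXY_MARKER_HEADERS = ("via", "proxy-connection", "x-proxy-id")

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def addresses_in(value):
    """All IPv4 literals in a header value; handles comma-separated
    X-Forwarded-For chains and RFC 7239 'for=...' tokens alike."""
    return set(_IPV4.findall(value))


def classify_proxy(headers, remote_addr, client_ip):
    """Classify what the destination learns about the client.

    headers     -- the request headers as the destination server saw them
    remote_addr -- the TCP peer the request arrived from
    client_ip   -- the client's true public address, known because the test
                   page belongs to the tester
    Returns 'direct', 'transparent', 'anonymous' or 'elite'.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if remote_addr == client_ip:
        return "direct"            # no proxy in the path at all
    if any(client_ip in addresses_in(h.get(n, "")) for n in FORWARDING_HEADERS):
        return "transparent"       # proxy is honest about who is behind it
    if any(n in h for n in FORWARDING_HEADERS + PROXY_MARKER_HEADERS):
        return "anonymous"         # proxy hides the client but not itself
    return "elite"                 # indistinguishable from a direct client


if __name__ == "__main__":
    for name, seen in (("transparent", SEEN_VIA_TRANSPARENT),
                       ("anonymous", SEEN_VIA_ANONYMOUS),
                       ("elite", SEEN_VIA_ELITE)):
        print(name, "->", classify_proxy(seen, PROXY_IP, CLIENT_IP))
```

An ‘elite’ verdict only says the headers are clean: the proxy’s own address may still sit on public proxy lists, and whoever runs the proxy still sees everything that passes through it, which is the point the rest of this post makes about choosing one for an investigation.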

Now that we are clear about the differences between these types of proxies, we need to look at what type of activity is going to be carried out, in order to know which proxy type is best suited to the needs of the investigation.

Protocols used in the anonymization process

Protocols are the sets of rules that let two parties (client and service) exchange information. The ones most often seen with proxies are HTTP, SOCKS4 and SOCKS5, described in turn below:

HTTP: HTTP proxies (so called because they speak HTTP to the client) receive a request and fetch the named resource on the client’s behalf. They are generally used for unencrypted web traffic, although they can tunnel TLS connections with the CONNECT method and can fetch FTP URLs.

SOCKS4: designed to relay arbitrary traffic between client and server through an intermediary (the proxy server). SOCKS4 supports only TCP, carries a user ID field but no real authentication, and expects the client to supply the destination as an IP address, so the client must resolve the hostname itself. The SOCKS4a extension lets the client pass the hostname instead, so that name resolution happens at the proxy.

SOCKS5: the latest version, which adds UDP alongside TCP, IPv6 and domain-name destinations, and negotiated authentication between client and proxy (username/password being the common method).

How does anonymity help with investigations?

It’s important to know what type of information you are sending when you are connecting and interacting with a piece of equipment directly.

Let’s suppose you are carrying out a security audit with the relevant authorities, in order to dismantle a network of cybercriminals—you will need to run a lot of processes that interact with the equipment they are using to carry out their attacks. This way, with anonymity, the investigator would disguise their identity (i.e. IP address) constantly, without exposing their real identity.

If your actions were discovered by the cybercriminals, they might find out that you were trying to make connections from a network belonging to a branch of the authorities, due to the availability of records and public information, including that held by registration organizations.

It’s also useful if the investigator has instructed a tool to automatically download samples of malicious code from websites. If you wish not to leave any type of record anywhere (whether for reasons of confidentiality, for personal reasons, or the requirements of the situation), having tools with this ability will be of great use to you as an investigator.

Let’s consider the example of investigating a botnet: after identifying the address where the botmaster’s control panel is located, if you try to access it to check whether it is active, there are two potential outcomes:

If you interact directly, the attacker may see the connection in their logs and suspect that something other than a bot is trying to reach the server. Once they notice that the activity is coming from a particular IP address, they may block it and so deny access to their control panel; the investigator then gets a negative response and cannot continue.

If you go through a proxy the outcome could be much the same, except that you keep the ability to change your network identity (the investigator’s IP address), which is the whole point of the foregoing. In this case, make sure to use a highly anonymous proxy so as not to leave any kind of trail: if the attacker blocks the IP address they see, they are in reality blocking the proxy’s address. Furthermore, you are protecting your own digital identity, and so preventing any retaliatory attack against it.

The main thing is to keep in mind the differences between HTTP, SOCKS4 and SOCKS5. In many investigations, including security audits and malware analyses, it is best to leave nothing to chance. Therefore, consider what type of activity you are going to carry out, what level of anonymity you will need, and what type of connection you are going to use (SOCKS5 is recommended for better security, and if you let the proxy resolve hostnames it also keeps your DNS lookups from revealing what you are investigating).
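To make the protocol differences above concrete, here is an added example of mine (not code from the post) that builds the client side of a SOCKS4a and a SOCKS5 CONNECT exchange and parses the proxy’s replies, following the SOCKS4/4a specification and RFC 1928. The reply bytes fed to the parsers are constructed to show the wire format, and the final helper, which opens a live connection, assumes a reachable SOCKS5 proxy. The thing worth seeing in the bytes is how both SOCKS4a and SOCKS5 let the client hand the proxy a hostname rather than an address, so that resolution happens at the proxy and no lookup for the botmaster’s domain leaves the investigator’s network.

```python
import socket
import struct

# SOCKS5 reply codes, RFC 1928 section 6.
SOCKS5_REPLY_CODES = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused",
    0x06: "TTL expired", 0x07: "command not supported",
    0x08: "address type not supported",
}


def socks4a_connect(host, port, userid=b""):
    """SOCKS4a CONNECT request: VN=4, CD=1, DSTPORT, a placeholder DSTIP of
    0.0.0.1 (the 4a signal that a hostname follows), NUL-terminated USERID,
    NUL-terminated hostname. The proxy resolves the name, not the client."""
    return (struct.pack("!BBH4s", 4, 1, port, b"\x00\x00\x00\x01")
            + userid + b"\x00" + host.encode("idna") + b"\x00")


def parse_socks4_reply(data):
    """SOCKS4 reply: VN is 0, CD 90 means granted (91-93 are rejections)."""
    vn, cd, _port, _ip = struct.unpack("!BBH4s", data[:8])
    if vn != 0:
        raise ValueError("not a SOCKS4 reply")
    return cd == 90


def socks5_greeting(username_password=False):
    """First client message: version 5 and the authentication methods offered
    (0x00 = none, 0x02 = username/password as in RFC 1929)."""
    methods = b"\x00\x02" if username_password else b"\x00"
    return b"\x05" + bytes([len(methods)]) + methods


def socks5_connect(host, port):
    """SOCKS5 CONNECT request. A hostname is sent as ATYP=3 (length-prefixed
    domain name) so that, as with SOCKS4a, resolution happens on the proxy;
    IPv4 and IPv6 literals use ATYP=1 and ATYP=4."""
    try:
        addr = b"\x01" + socket.inet_aton(host)
    except OSError:
        try:
            addr = b"\x04" + socket.inet_pton(socket.AF_INET6, host)
        except OSError:
            name = host.encode("idna")
            addr = b"\x03" + bytes([len(name)]) + name
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)


def parse_socks5_reply(data):
    """Parse VER REP RSV ATYP BND.ADDR BND.PORT.
    Returns (granted, reason, bound_address, bound_port)."""
    if len(data) < 4 or data[0] != 5:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == 1:
        addr, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == 4:
        addr, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    elif atyp == 3:
        n = data[4]
        addr, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unknown address type %d" % atyp)
    (port,) = struct.unpack("!H", rest[:2])
    return rep == 0, SOCKS5_REPLY_CODES.get(rep, "unknown"), addr, port


def connect_through_socks5(proxy_host, proxy_port, host, port, timeout=10):
    """Open a TCP connection to host:port through a SOCKS5 proxy (no
    authentication) and return the connected socket. Needs a live proxy;
    the pure byte builders/parsers above are what the tests exercise."""
    s = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    s.sendall(socks5_greeting())
    if s.recv(2) != b"\x05\x00":
        s.close()
        raise ConnectionError("proxy refused 'no authentication'")
    s.sendall(socks5_connect(host, port))
    granted, reason, _addr, _port = parse_socks5_reply(s.recv(262))
    if not granted:
        s.close()
        raise ConnectionError("SOCKS5 CONNECT failed: " + reason)
    return s
```

Handing the hostname to the proxy is exactly the remote-resolution behaviour that tools such as ProxyChains expose as an option; without it, the investigator’s own resolver reveals which domain is being examined even when the connection itself goes through the proxy.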

Conclusion

Beyond the concept of anonymity, there are various other issues to keep in mind depending on the requirements of the situation. While Tor is a free network for browsing based on privacy, there are other tools such as Privoxy and ProxyChains, to name just two, which also help in maintaining privacy while using tools.

In the day-to-day running of an investigation, you have to constantly evaluate what type of activity you need to carry out, and whether or not it requires anonymity. If it does require anonymity, you need to analyze what level, and, of course, the higher the security of the connection, the better the conditions will be.

As investigators, it’s essential to understand how things work and not to limit yourself to one particular tool. This enables you to develop your own customized tools, and will help you in analyzing malware.


Author Ignacio Pérez, ESET

How ‘free’ geo-dodging and proxy services are selling you out – Sydney Morning Herald

Of the proxy services tested, 79 per cent force users into unencrypted browsing, 16 per cent inject ads.


Netflix, Hulu and a host of other content streaming services block non-US users from viewing their content. As a result, many people residing outside of the United States seek to circumvent such restrictions by using services that advertise "free" and "open" web proxies capable of routing browser traffic through US-based computers and networks. Perhaps unsurprisingly, new research suggests that most of these "free" offerings are anything but, and actively seek to weaken browser security and privacy.

The data comes from Austrian researcher and teacher Christian Haschek, who published a simple script to check 443 open web proxies (no, that number was not accidental). His script tries to see if a given proxy allows encrypted browser traffic (https://), and whether the proxy tries to modify site content or inject any content into the user's browser session, such as ads or malicious scripts.

Haschek found that 79 per cent of the proxies he tested forced users to load pages in unencrypted (http://) mode, meaning the owners of those proxies could see all of the traffic in plain text.

"It could be because they want you to use http so they can analyse your traffic and steal your logins," Haschek said. "If I'm a good guy setting up a server so that people can use it to be secure and anonymous, I'm going to allow people to use https. But what is my motive if I tell users http only?"

Haschek's research also revealed that slightly more than 16 per cent of the proxy servers were actively modifying static HTML pages to inject ads.

Virtual private networks (VPNs) allow users to tunnel their encrypted traffic to different countries, but increasingly online content providers are blocking popular VPN services as well. Tor offers users the ability to encrypt and tunnel traffic for free, but in my experience the service isn't reliably fast enough to stream video.

Haschek suggests that users who wish to take advantage of open proxies pick ones that allow https traffic. He's created and posted online a free tool that allows anyone to test whether a given proxy permits encrypted web traffic, as well as whether the proxy truly hides the user's real internet address. This blog post explains more about his research methodology and script.
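The two checks Haschek’s script is described as making can be reproduced offline. The following is an added example of mine, not his script and not code from the article: it takes the same static test page fetched directly and fetched through a proxy (both constructed here), reports any resource the proxied copy loads that the original does not, and flags the proxy as forcing plaintext when an https:// request came back over http://. The page and resource URLs are assumptions for the example.

```python
from html.parser import HTMLParser

# Constructed sample: the same static test page fetched directly and through
# an open proxy. The proxied copy has had an advertising script and a tracking
# pixel spliced in, and the https:// request was answered over http://.
DIRECT_HTML = """<html><head><title>probe</title>
<script src="/static/app.js"></script></head>
<body><p>proxy test page</p></body></html>"""

PROXIED_HTML = """<html><head><title>probe</title>
<script src="/static/app.js"></script>
<script src="http://ads.example.net/inject.js"></script></head>
<body><p>proxy test page</p>
<img src="http://track.example.net/px.gif" width="1" height="1"></body></html>"""


class _SourceCollector(HTMLParser):
    """Collect the external resources (script, iframe, img, link) a page loads."""
    TAGS = ("script", "iframe", "img", "link")

    def __init__(self):
        super().__init__()
        self.sources = set()

    def handle_starttag(self, tag, attrs):
        if tag in self.TAGS:
            for name, value in attrs:
                if name in ("src", "href") and value:
                    self.sources.add(value)


def external_sources(html):
    """Set of resource URLs referenced by the page."""
    p = _SourceCollector()
    p.feed(html)
    return p.sources


def injected_sources(direct_html, proxied_html):
    """Resources the proxied copy loads that the direct copy does not:
    the signature of a proxy rewriting pages on the way through."""
    return sorted(external_sources(proxied_html) - external_sources(direct_html))


def https_downgraded(requested_url, final_url):
    """The proxy forced plaintext if an https:// request ended up on http://."""
    return requested_url.startswith("https://") and not final_url.startswith("https://")


def assess_proxy(requested_url, final_url, direct_html, proxied_html):
    """Return the list of problems found; an empty list means the proxy passed
    both checks on this page."""
    problems = []
    if https_downgraded(requested_url, final_url):
        problems.append("forces http")
    extra = injected_sources(direct_html, proxied_html)
    if extra:
        problems.append("injects: " + ", ".join(extra))
    return problems


if __name__ == "__main__":
    print(assess_proxy("https://probe.example/", "http://probe.example/",
                       DIRECT_HTML, PROXIED_HTML))
```

Compare a static page you control; a page that serves different ads on every load will produce spurious ‘injections’. Either failure is disqualifying for a proxy you intend to log in through, and a proxy that only passes http:// traffic has, by definition, already read every login sent through it.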

Security-conscious users who wish to take advantage of open proxies also should consider doing so using a Live CD or virtual machine setup that makes it easy to reset the system to a clean installation after each use. I rely on the free VirtualBox platform to run multiple virtual machines, a handful of which I use to do much of my regular browsing, tweeting, emailing and other things that can lead sometimes to malicious links, scripts, etc.

This tutorial offers a fairly easy-to-follow primer on how to run a Live CD installation of a Linux distribution of your choosing on top of VirtualBox.

KrebsOnSecurity


“Free” Proxies Aren't Necessarily Free — Krebs on Security (the original of the piece reprinted above)


Google offers faster Web access on Android phones – Techworld Australia


Google will deliver lighter versions of Web pages in search results for Android phones users with slow connections in India and Brazil.

The feature, which will be rolled out in India in two weeks, has been field tested in Indonesia, where it was found that the pages, converted on the fly, load four times faster and use 80 percent less data than before, Hiroto Tokusei, a Google product manager wrote Thursday in a blog post.

A Google spokesman said the company did not have a name for the new feature, which is primarily targeted at emerging markets. He said it was too early to comment on the company's plans to offer the service on phones other than those running the Android operating system.

Rather than linking to a page directly from search results, Google links to its own servers, where it generates what it calls a transcoded version of the page on the fly. The process involves compressing graphics and removing some JavaScript functions.

The technique is likely to be similar to that used by specialized mobile browsers such as Opera Mini, which route mobile browsing sessions through a proxy server where pages are compressed.

Users can view a page in its unmodified form by choosing an option at the top of the page, Tokusei said.

The technology targets the over 200 million Indians accessing the Internet from a smartphone, sometimes with slow and costly Internet connections.

Users will see the converted pages if Google detects that they are on a slow network connection in a country where the conversion, also called transcoding, is enabled.

Google has limited advertisements to three per page and disabled Google Analytics scripts to make the pages lighter. In a support page for website providers, Google said it was working on ways to enable analytics without compromising low bandwidth responses.

Some pages cannot currently be transcoded, and these include pages from websites that require cookies, use significant amounts of data like video sites, or are technically difficult to transcode, according to Google. The pages will be labeled as non-transcoded in search results.

To reach users in emerging markets, a number of Internet companies are looking at ways to deliver Internet services over low bandwidth connections. Facebook said recently it had started rolling out in Asia its Facebook Lite, a low-data version of Facebook for Android for slow networks. Facebook Lite will also be available soon in parts of Latin America, Africa and Europe.

John Ribeiro covers outsourcing and general technology breaking news from India for The IDG News Service. Follow John on Twitter at @Johnribeiro. John's e-mail address is john_ribeiro@idg.com

Kaspersky compromise points to nation-state actors – CSO Online

Kaspersky Labs disclosed a network compromise on Wednesday, which leveraged a new class of malware unlike anything the company has seen before. Given the similarities with previous versions, Kaspersky is confident the malware is a revamped version of Duqu, first seen in 2011.

In a post on Forbes.com, Eugene Kaspersky said that those responsible for the attack on his company were being silly. "This was a case of industrial espionage, plain and simple. Nevertheless, the more I think about it, the less it makes sense," Kaspersky wrote.

The malware, Duqu 2.0, "is a generation ahead of anything we’d seen earlier – it uses a number of tricks that make it really difficult to detect and neutralize," Kaspersky added in a company blog post on the topic.

Duqu 2.0 was detected by Kaspersky with a tool designed to discover advanced malware, but the product is far from complete. However, the company was fortunate that it worked well enough in its alpha state to notice something amiss.

But that doesn't mean that the team behind Duqu didn't do all they could to remain hidden.

“This highly sophisticated attack used up to three zero-day exploits, which is very impressive – the costs must have been very high," said Costin Raiu, Director of Kaspersky Lab’s Global Research & Analysis Team in a statement.

"To stay hidden, the malware resides only in kernel memory, so anti-malware solutions might have problems detecting it. It also doesn’t directly connect to a command-and-control server to receive instructions. Instead, the attackers infect network gateways and firewalls by installing malicious drivers that proxy all traffic from the internal network to the attackers’ command and control servers.”

It isn't clear how the attackers were able to infiltrate the network, but the running theory proposed by Kaspersky is that an employee in a small APAC office was targeted by a phishing campaign. This theory is supported by the fact that when the attack's origin was discovered, the attackers deleted the staffer's email and browsing history. The company is currently processing backup logs and other data to confirm the attack's source.

While the attackers on Kaspersky's network were looking for corporate secrets and code, they were also using Duqu 2.0 to target several high-profile foreign dignitaries and politicians at the venues where the Iranian nuclear talks were taking place (P5+1) and the 70th anniversary event of the liberation of Auschwitz-Birkenau.

"Attacking us was hardly the smart move: they’ve now lost a very expensive technologically-advanced framework they’d been developing for years. Besides, they tried to spy on our technologies… which are accessible under licensing agreements," Kaspersky's blog post added.

"As mentioned, our investigation is still underway; it will require a few more weeks to get the whole picture in all its detail. However, we’ve already verified that the source code of our products is intact. We can confirm that our malware databases have not been affected, and that the attackers had no access to our customers’ data."

Kaspersky has released a detailed report on the Duqu 2.0 malware, as well as IOC data. The full details are available here.

These Ex-Israeli Surveillance Agents Hijack Your Browser To Profit From Ads – Forbes

At the start of last month, Google and Stanford University researchers released a report on a largely legal yet dubious practice in the advertising industry. It’s called ad injection.

The process effectively intercepts users’ traffic to inject content, namely, those irritating adverts and popups that seem to come from nowhere. Media rightly jumped on the report, highlighting the companies named as the top ad injectors. What went unnoticed, until now, is that most of the searchable organisations involved in this potentially dangerous business are based in Israel. They also happen to have links to the nation’s military and its top signals intelligence agency, the Israeli equivalent of the NSA or GCHQ: Unit 8200, which works out of the Israel Defense Forces (IDF).

Ad injection is an old business that started taking off at the turn of the Millennium. It forms part of the convoluted world of personal data trading and marketing. The software used to inject ads arrives not quite as malware, but via what are known as “potentially unwanted programs”, often bundled into application downloads or offered as directly-downloaded browser extensions. The Stanford and Google researchers, who collected data on the industry during the summer of last year, flagged 50,870 Chrome extensions as unwanted ad injectors, 38 per cent of which they decided were malware harmful to the security of users’ data.

Once on a user’s browser, the injector will effectively hijack a browser session and insert adverts on the page when a partnered website is visited. In most cases, the software has complete control over what appears on the user’s screen, to the extent it might hijack mouse clicks or force other interactions on the site. The user simply has to trust the software won’t do anything malicious.

Injectors also increase the chances of infection from malicious ads, which launch exploits on people’s computers when the browser parses their content, as the ad chain isn’t particularly well monitored, partly because of the huge number of companies involved. If a criminal hacker can find a weak link in that chain, they can have their ads injected into people’s web sessions, hence repeated cases of so-called “malvertising”.

A vulnerable ad injector could be exploited by hackers to kill security protections in the browser, notes Udi Yavo, CTO at Israeli security company enSilo, and they can relay plenty of information back to the software author, including usernames and passwords.

Yavo believes ad injectors “run the fine line between ads and malware”. “I would even make the claim that the behavior of the two is nearly identical. The difference between the two is simply the author’s intention. While the first is considered a form of revenue-generation through the media, the second is pure cybercrime,” he tells FORBES.

The number of those affected by ad injection is astonishing – more than five per cent of unique daily IP addresses accessing Google, representing tens of millions of users, according to the research report. And people hate it. Of more than 100,000 Chrome user complaints in July 2014, nearly 20 per cent were about ad injection. It’s the real scourge of the web, according to its actual users.

The providers make a lot of money too. When the Yontoo browser plugin modified 4.5 million users’ private Facebook sessions to include ads, it reportedly earned the creator $8 million. That particular piece of intrusive kit was run by serial entrepreneur Arie Trouw, who built Sambreel Holdings, yet another maligned ad injection specialist.

But his entities have far less coverage than a handful of Israeli businesses full of former intelligence officials. It appears their offensive cyber and big data skills honed during their years at Unit 8200 have made them particularly adept at the practice.

Superfish

So, who are they? I recently reported on one of those firms, Superfish, and its links to the surveillance industrial complex. After it was spotted sitting on Lenovo PCs intercepting traffic throughout late 2014, breaking web encryption along the way and essentially destroying any trust users could have had in their online sessions, it emerged that not only was its founder Adi Pinhas formerly of 8200, he was also employed by Verint, which was linked to NSA surveillance. The company that actually created the encryption-breaking tech behind Superfish, Komodia, was also connected to Israeli intelligence services via its owner Barak Weichselbaum.

Superfish was dominating the ad injection game before the Lenovo affair caused it much strife. Google and Stanford found the firm injected ads into more than 16,000 websites and was making tens of millions in revenue a year doing so. By the researchers’ extrapolations, Superfish appeared in 3.92 per cent of Google views. It has been irritating Apple Mac, Microsoft Internet Explorer and Mozilla Firefox users as far back as 2010. Many complaints about its Window Shopper tool can be found in cursory Google searches.

The Superfish tech, designed to show “visual ads” (essentially image-led adverts), installs a “little man-in-the-middle proxy” on the user’s computer and configures the browser to go through it so it can inject content into pages, explains Lee Brotherston, researcher at Leviathan Security. Sometimes this injection includes a piece of front-end web code called an iframe that points the browser to the Superfish web server to insert content dynamically. According to Google’s study, the tool also reports every site a user visits, their language and country back to Superfish’s server.

The company did not respond to requests for comment on its practices. It is imminently going out of business, according to a post on its website.

Jolly Wallet

Despite Superfish’s dominance there are many others. Ranked by the researchers as the second most popular ad injecting program with 2.4 per cent of Google views, Jolly Wallet doesn’t actually install software on the user’s hard drive and wasn’t classed by the study as an ad injector per se. It does, however, typically come packaged in a browser extension with permissions to read and alter all web content, its aim being to present cashback offers across different sites. It also often runs alongside other injection libraries.

As with Superfish, web denizens have complained about the tool being installed on their computers without their apparent knowledge, pointing to another issue with ad injectors: they often appear on systems from unknown sources.

Jolly Wallet was created by Radyoos, which was co-founded in 2011 by Roy Zisapel, who is also CEO of security provider Radware. He doesn’t advertise his connections to Unit 8200, though in an article from 2011 Zisapel notes he was part of the division. Zisapel seems to be using his experience in both offensive and defensive cyber to profit in two huge markets. He declined to be interviewed for this article.

Jolly Wallet in action on the Walmart website

VisAdd

According to one spyware removal advice site, Jolly Wallet can deliver ads from another Israeli firm, VisAdd, though it was not possible to confirm the connection. VisAdd is a strange, ostensibly shady entity. It has a static website that reveals almost nothing about what services the firm offers. WHOIS searches reveal nothing. It’s only through looking at the VisAdd privacy policy in Google caches of the site that it’s possible to tell the firm was born in Israel.

But the firm was growing when Google looked at it last year, from 0.5 per cent of page views at the start of the research to 1.4 per cent at the time of writing earlier this year. The script scans for specific keywords including “add to basket”, “free shipping” and “product review” in multiple languages, and when they are detected, payloads are dropped onto the user’s browser. It would also hoover up information on user clicks and surfing behavior. Anyone who wants to remove the tool via the VisAdd site can try, though the service provided does nothing whatsoever.

There’s no evidence the firm is connected to Israeli government surveillance, but given its location, it’d be no surprise if it was controlled by Unit 8200 alumni.

The website of Israeli ad injection provider VisAdd provides almost no information about the company. Nor does its removal tool actually work.

No Problem PPC

No Problem PPC is ranked as the seventh most popular ad injector, with 0.44 per cent of Google pageviews. The company’s main service allows website owners to connect visitors with contractors and small businesses they might be looking for. If the user is interested they can offer up information and call listed companies provided by the widget. Useful, no?

But the company’s tool has been seen bundled with other apps as a browser extension, Brotherston says. And, as with the others listed here, there are a number of removal walkthroughs for No Problem PPC. Company founder Daniel Shaked, an IDF reservist for nearly 12 years, notes over email that the firm offers up its JavaScript to free software providers, and this has been used to deliver all kinds of ads, including “deceptive” ones, though this has “nothing to do with us”. Shaked says No Problem doesn’t push out ads, it only connects web users with professionals, first online then over the phone, and it makes money where it facilitates that final call.

iRobinHood

Ranked 11th on Google’s most popular ad injectors is DonationTools, run by a company called iRobinHood. Its package both modifies what appears on the page and adds a toolbar to the browser, says Brotherston, who carried out a brief analysis on DonationTools. The version he tested also tried to change the default search engine.

As the name would suggest, iRobinHood attempts to encourage web users to donate to charity. “Every search or purchase made online automatically generates commissions to third parties. iRobinHood redirects these revenues to registered non-profit organisations,” its website says.

In a brief telephone conversation with FORBES, founder Moti Golden said he could not comment on its ad injection practices, indicating his organisation was going through financial difficulties, whilst he had suffered a family bereavement. The organisation counts a number of ex-IDF members amongst its developers, according to LinkedIn profiles, including a former digital forensics expert and a computer crimes investigator.

Are its practices forgivable given its aims? A Google search shows many are concerned about what the program can do, with some labelling it adware and advising users to steer well clear as its pop-ups link to non-charitable offers. Giving is good but such forceful tactics have clearly put off some.

Crossrider

A vast number of companies are affiliated with ad injectors, either packaging their tools or funnelling ads down to them. One of the biggest is Crossrider, the majority stake of which is held by billionaire Teddy Sagi, a serial entrepreneur and ex-con who was jailed for insider trading in the 1990s. His biggest money maker to date is gambling software developer Playtech. Co-founder and CEO Koby Menachemi was part of Unit 8200, where he was a developer for three years.

Teddy Sagi, whose net worth is around $3.5 billion, is the majority stakeholder in Crossrider, which works with a large number of ad injectors.

According to the Google report, Crossrider was doing plenty of work with Superfish whilst it was still swimming, amongst many others, using various kinds of ad injection techniques. It allows app developers to build those injection capabilities into their software, using the Crossrider platform, but it seems bad actors have used this for their own means. US antivirus giant Symantec ranks one service based on Crossrider’s software, Crossid, as adware with a “high” risk impact. It warns Crossid can inject content and collect information about the user, such as IP address, operating system and browser information.

Is Google wrong?

Crossrider’s VP for mobile Ran Goldi says his company is keen to clean up the ad injection industry to ensure that real criminal malware doesn’t land on people’s PCs. He admits too many bad actors find a way onto the ad chain to insert their malicious code onto the web, hence the firm’s participation in the Microsoft Clean Software Alliance.

But he doesn’t believe the market is an inherently evil one, far from it. When Superfish intercepted people’s traffic from their Lenovo PCs, it was simply trying to provide a useful service, “to give better offers to people in terms of buying and shopping”. He and Idan Aharoni, a security-focused entrepreneur and former department head at RSA’s anti-fraud team in Tel-Aviv, believe Google has its own interests at heart when criticising ad injection, given its primary source of revenue comes from ads.

“Naturally Google has something to lose from these ad injections, so obviously they are going to paint it as ‘dangerous’. Malvertising, the real danger, can happen in Google Adwords just as it is possible to appear in any other ad network,” says Aharoni.

Scared of the ex-spies who sell you?

As for the ad injection industry’s connection to Unit 8200, Goldi believes the skills used in signals intelligence are the same as those required in targeted ads. “It’s pretty much the same thing – catching the bad guy from the intelligence point of view and targeting a good guy to give them the right [content],” he says.

Given Israel “dominates advertising, period”, adds Goldi, it should be no surprise the injection game is full of former intelligence officials. 8200 is also the biggest unit in the IDF and military service is compulsory in Israel. Many leave to go into various tech markets, not just security.

But Brotherston says the involvement of ex-8200 personnel in the “very dangerous” injection business is “troubling”. “When Snowden released a cache of documents on what signals intelligence was doing within Five Eyes, people were outraged at what their governments were doing with this information. Now consider that Unit 8200 probably has very similar mandates, but is part of another country’s government. If they have access, via ex-members, then a signals intelligence unit potentially has direct access to view the contents of what someone is browsing and modify the content,” he added.

Nicholas Weaver, computer security researcher at the International Computer Science Institute in Berkeley, doesn’t believe the Unit 8200 connection to ad injection is of great concern and wouldn’t be abused for malicious purposes. But he has different concerns around Unit 8200. He’s worried injectors may be transmitting user data from across the world to Israeli servers over unencrypted HTTP connections. “What worries me is whether any of these systems might cause users to fetch data from Israeli servers over HTTP. These companies may consider themselves benign, but the Israel government is notorious for hacking and industrial espionage, and the Israeli government can use any such traffic to hack individual targets,” Weaver adds.

“Traffic visible to an adversary is not just an information leak, but a vector they can use to attack.”

Even publishing information on ad injection can land users in legal trouble. Another Israeli firm, Flash Networks, appears to be injecting ad content over Airtel 3G at the network layer – a method described by Weaver as “objectionable”. According to a report from India, a local activist called Thejesh GN has been sent a cease and desist letter from the firm’s local lawyers, asking him to remove content from GitHub that showed how the injection worked. Again, some of the Flash Networks team, including its VP of research and development, spent their formative years in Unit 8200.

Exposing former spies, it seems, can prove troublesome.

Is Airtel Secretly Injecting Scripts Into User’s Web Browser? If So, It’s … – Trak.in (blog)

You wouldn’t believe it, even if you are not a loyal Airtel user. We were not expecting such behaviour from Airtel either, but the truth is the truth. Airtel is now being accused of secretly injecting JavaScript and iframes into users’ web browsers, altering the browsing experience.

We are not sure if Airtel is doing it deliberately or it is due to some technical glitch. It might also happen if the user who reported this anomaly was using some kind of proxy while using Airtel 3G and the scripts were inserted as some kind of web optimization. But according to Thejesh GN, an InfoActivist and programmer, Airtel is inserting JavaScript into user browsing sessions. Check out these screenshots shared by him.

Airtel script injected 1

This injection of scripts without user consent is a highly unethical thing.

According to a GitHub thread, Airtel is also forcibly inserting an iframe into the browser.

Here is the tweet by Thej:

As reported on the GitHub thread, the inserted iframe tries to insert a toolbar into the browsing session.

iframe embedded

It is worth noting that the host address of both the iframe and the JavaScript (223.224.131.144) belongs to Bharti Airtel, Bangalore. As per the GitHub thread, that URL leads to the following webpage of Flash Networks, but it gave us a 404 when we tried to open it.
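Both the Superfish case above (an iframe pointing the browser at the Superfish server) and the Airtel case here come down to the same observable: a page arrives carrying a script or iframe from a host the site itself never referenced. The following is an added example, not code from Trak.in, Thejesh GN’s GitHub thread, Flash Networks or Superfish, showing how a site owner or user can check a saved copy of a page for such embeds and diff it against a copy fetched over a trusted path. The sample pages are constructed; only the address 223.224.131.144 comes from the article, and the URL paths on it are placeholders.

```python
"""Detect third-party <script>/<iframe> elements injected into an HTML page.

Added example (not code from Trak.in, Thejesh GN's GitHub thread, Flash
Networks or Superfish). It works on saved HTML, so it runs offline; the
sample pages below are constructed, and the injected URL paths are
placeholders (only the address 223.224.131.144 comes from the article).
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the page as the site owner expects to serve it.
PAGE_URL = "http://shop.example/product/42"
ALLOWED_HOSTS = ("cdn.example",)  # third parties the site knowingly uses
BASELINE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example/lib.js"></script>
</head><body><p>Product page</p></body></html>"""

# Constructed sample: the same page as received over the suspect network,
# with a script and a hidden iframe appended by an intermediary.
OBSERVED_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example/lib.js"></script>
</head><body><p>Product page</p>
<script src="http://223.224.131.144/placeholder-path/inject.js"></script>
<iframe src="http://223.224.131.144/placeholder-path/toolbar" style="display:none"></iframe>
</body></html>"""


class _EmbedCollector(HTMLParser):
    """Collect the src of every <script> and <iframe>, in document order."""

    def __init__(self):
        super().__init__()
        self.embeds = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.embeds.append((tag, src))


def find_foreign_embeds(html, page_url, allowed_hosts=()):
    """Return (tag, src, host) for every script/iframe loaded from a host that
    is neither the page's own origin nor listed in allowed_hosts.

    Relative URLs are same-origin and skipped. data: and javascript: URLs are
    reported with the scheme in place of a host: they cannot be allow-listed
    by hostname and are a common way to smuggle content into a page."""
    allowed = {urlsplit(page_url).hostname, *allowed_hosts}
    collector = _EmbedCollector()
    collector.feed(html)
    foreign = []
    for tag, src in collector.embeds:
        parts = urlsplit(src)
        if parts.scheme in ("data", "javascript"):
            foreign.append((tag, src, parts.scheme + ":"))
        elif parts.hostname is not None and parts.hostname not in allowed:
            foreign.append((tag, src, parts.hostname))
    return foreign


def diff_embeds(baseline_html, observed_html, page_url, allowed_hosts=()):
    """Embeds present in the copy seen over the suspect network but absent
    from a copy fetched over a trusted path (HTTPS, or a different network)."""
    baseline = set(find_foreign_embeds(baseline_html, page_url, allowed_hosts))
    return [e for e in find_foreign_embeds(observed_html, page_url, allowed_hosts)
            if e not in baseline]


if __name__ == "__main__":
    for tag, src, host in diff_embeds(BASELINE_HTML, OBSERVED_HTML,
                                      PAGE_URL, ALLOWED_HOSTS):
        print(f"injected <{tag}> from {host}: {src}")
```

Two caveats a practitioner should keep in mind. The check only sees elements with a `src`; an intermediary that writes inline script into the body is caught by the diff but not by the allow-list alone. And the mitigation differs by case: serving the site over HTTPS stops a network operator from altering the response body at all, while a Superfish-style local proxy with its own root certificate installed on the machine sits inside the TLS connection and is not stopped by HTTPS. Site owners can additionally send a Content-Security-Policy header restricting `script-src` and `frame-src`, which makes the browser itself refuse embeds from hosts like the one above.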

IP information

We were certainly not expecting an ISP like Airtel to come to this for collecting user data from the browser. Getting user data is like hitting a gold mine these days. Internet companies, ad companies, and intelligence agencies are willing to pay any price for getting such personal info.

If it is proved that Airtel is doing this purposely, then it could soon end up in a court of law.

PS: Airtel has already been condemned nation-wide for violating net neutrality via its Airtel Zero platform, and it certainly won’t be in the best interest of the company to do such a malicious thing.

We have contacted Airtel for a word about this and we’ll update the post as soon as they give some clarification.

[Updated]

It looks like even Vodafone has been accused of doing the same. One of our readers, Dayson Pais, pointed out to us on Facebook that Vodafone does this when the user is connected through a USB dongle. He also showed us a screenshot of the same. Here it is.

Vodafone script insertion

The encircled script is inserted when users browse through their USB dongle. Vodafone has been accused of doing so around the globe; you can check this, this, this and this.

If Vodafone and Airtel are doing it, chances are that other telecom operators may be doing the same. If you come across something like this with your mobile operator, do let us know.

ChrisPC Free Anonymous Proxy 6.10 – TechCentral.ie

Setting up an anonymous proxy is generally a very effective way to maintain your browsing privacy, but it can also be a complicated process. Unless, that is, you get some help from ChrisPC Free Anonymous Proxy, which makes it as easy as clicking a button.

Just about everything happens from a single dialog, and the main option you might want to consider there is choosing your preferred proxy country. There are 50 possibilities, from Argentina to the USA, or you can simply accept the default “Random Country” setting and see what happens.

Once you’ve sorted that out, though, all that’s left to do is click “Connect to proxy”. ChrisPC Free Anonymous Proxy will then find a proxy server for you, modify your settings to use it, and you’ll immediately be ready to surf with your new identity and IP address. (Although it may be wise to restart your browser, just to avoid potential problems.)

This all worked just fine for us; we were given a French IP address and could then browse as normal. Browsing speeds were a little slow, but you can always try connecting to another server. And the program also allows you to selectively activate the proxy for, say, just Opera, so you could use that only when necessary, and turn to another browser when performance was important.

ChrisPC Free Anonymous Proxy won’t (for the most part) allow you to watch TV from sites such as Hulu, the BBC and so on. The developers have produced an Expat addon which they claim will do the trick, though – it’s yours for $14.99.

Please note, ChrisPC Free Anonymous Proxy attempts to install additional free software during its setup process. There’s lots of it, and you need to do different things to avoid installing each one (click Decline here, Skip there, clear some checkboxes maybe) so read each step carefully before clicking “Next” or “Finish”.

Version 6.10:

– Improved and optimized connection speed for Germany, UK, USA proxies.
– Updated ads blocker and privacy scripts.
– Improved support for Windows 10.
– Other minor fixes and improvements.
