Hola VPN used to perform DDoS attacks, violate user privacy

Hola is a VPN provider that purports to offer its users freedom from censorship, a way to access geoblocked content, and anonymous browsing. The service claims that more than 47 million people are part of its peer-to-peer network. But according to a group of researchers (calling themselves Adios), it is dangerously insecure: the client software has flaws that allow remote code execution, and features of the client enabled tracking of users. On top of that, and critically, Hola sells access to its peer-to-peer network with little oversight, so the network can be used maliciously. The nature and scale of the problems have the researchers saying users should bid adieu to the software.

Since the initial reports, Hola has made some changes. One method of remote code execution was removed—though the Adios team says that others remain—and the tracking flaw has also been fixed. But the deeper problems remain, and they're fundamental to the way that Hola is built.

The company doesn't hide the fact that the Hola network is peer-to-peer. Users of the service form a large network, and Hola traffic is routed through this network, using the connections of other Hola users. This is great for Hola; it means that the company doesn't need to operate points of presence in different countries in order to make traffic appear to originate in those countries. But it is very risky for end users: every Hola user is also an exit point, so traffic that other people (or whoever buys access to the network) send through your connection leaves from your IP address, and it is your address that shows up at the receiving end.


New remote exploit leaves most Macs vulnerable to permanent backdooring

Macs older than a year are vulnerable to exploits that remotely overwrite the firmware that boots up the machine, a feat that allows attackers to control vulnerable devices from the very first instruction.

The attack, according to a blog post published Friday by well-known OS X security researcher Pedro Vilaca, affects Macs shipped before the middle of 2014 that are allowed to go into sleep mode: on those machines the write-protection on the boot firmware's flash is not re-applied after the machine wakes from sleep. Vilaca found a way to reflash that firmware (the EFI boot ROM, commonly called the BIOS) using functionality reachable from userland, the part of an operating system where installed applications and drivers are executed. By chaining this with vulnerabilities such as those regularly found in Safari and other Web browsers, attackers can install malicious firmware that survives hard drive reformatting and reinstallation of the operating system.

The attack is more serious than the Thunderstrike proof-of-concept exploit that came to light late last year. Both give an attacker the same persistent, low-level control of a Mac, but the new attack does not require even the brief physical access that Thunderstrike did, so an attacker halfway around the world could exploit it remotely.


Facebook users can now add OpenPGP keys for improved e-mail security

Facebook has announced that its users can add an OpenPGP public key to their profile. This lets Facebook encrypt the notification e-mails it sends to that user, and lets other people use the published key to send the user encrypted messages. Facebook is "gradually rolling out" this experimental feature, which will be available from the account's Contact and Basic Info page.

Facebook says it has chosen GNU Privacy Guard (GnuPG, or GPG) for its implementation. Back in February, the company stepped in with a $50,000 donation when the GPG project was struggling to raise the funds to secure its future. As for the details of the implementation, Facebook's notifications will be encrypted using the RSA or ElGamal algorithms, and the company is "investigating the addition of support for GPG's newer elliptic curve algorithms in the near future." Facebook is also looking at ways of offering public key management on mobile devices, which is not currently supported.

When encrypted notifications are enabled on an account, Facebook will also sign its outbound messages with its own private key, so that the user can verify that e-mail claiming to come from Facebook is genuine, one of the chief benefits of the new feature. Encryption keeps the contents private; the signature is what lets a user confirm that a password reset message really came from Facebook rather than from someone masquerading as the company, provided the user's mail client or gpg actually checks it.
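As an added example (this is not Facebook's or GnuPG's code, and not from the original article), here is the validation a service that accepts user-pasted OpenPGP public keys has to perform before it can encrypt notifications to them: strip the ASCII armor, verify the CRC24 checksum line, read the primary key packet, derive the v4 fingerprint and key ID, and flag key algorithms the service cannot encrypt to. The two sample keys are constructed with filler key material and are not real keys; the decision to accept only RSA and ElGamal keys (mirroring what the article says Facebook supports today, with elliptic curve support still "being investigated"), the 2015-06-01 creation timestamp, and the function names are all assumptions of this example.

```python
import base64
import hashlib
import struct

# Public-key algorithm IDs (RFC 4880 s.9.1; 18/19 from RFC 6637; 22 = EdDSA).
ALGOS = {1: "RSA", 2: "RSA (encrypt-only)", 3: "RSA (sign-only)", 16: "ElGamal",
         17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
# Assumption of this example: the service encrypts only to RSA and ElGamal keys
# (what the article says Facebook supports today); ECC keys are parsed but flagged.
ENCRYPT_CAPABLE = {1, 2, 16}

def crc24(data: bytes) -> int:
    """CRC-24 used for the armor checksum line (RFC 4880 s.6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text: str) -> bytes:
    """Strip ASCII armor, verify the CRC24 line, return the binary packet data."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if (lines[0] != "-----BEGIN PGP PUBLIC KEY BLOCK-----"
            or lines[-1] != "-----END PGP PUBLIC KEY BLOCK-----"):
        raise ValueError("not an OpenPGP public key block")
    body = lines[1:-1]
    if "" in body:                      # armor headers ("Version: ...") end at a blank line
        body = body[body.index("") + 1:]
    if not body or not body[-1].startswith("="):
        raise ValueError("missing CRC24 line")
    data = base64.b64decode("".join(body[:-1]))
    if crc24(data) != int.from_bytes(base64.b64decode(body[-1][1:]), "big"):
        raise ValueError("CRC24 mismatch: the pasted key is corrupted or truncated")
    return data

def read_packet(data: bytes):
    """Return (tag, body) of the first packet. Only old-format headers (s.4.2.1), which
    is what gpg emits for key packets, are handled; new-format headers are rejected."""
    ctb = data[0]
    if (ctb & 0xC0) != 0x80:
        raise ValueError("expected an old-format packet header")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
    if ltype == 3:
        raise ValueError("indeterminate length not supported here")
    size = (1, 2, 4)[ltype]             # length field is 1, 2 or 4 bytes
    length = int.from_bytes(data[1:1 + size], "big")
    return tag, data[1 + size:1 + size + length]

def parse_public_key(body: bytes) -> dict:
    """Decode a v4 public-key packet body (s.5.5.2); fingerprint per s.12.2."""
    version, created, algo = body[0], struct.unpack(">I", body[1:5])[0], body[5]
    if version != 4:
        raise ValueError(f"unsupported key packet version {version}")
    off = 6
    if algo in (18, 19, 22):            # ECC keys carry a curve OID before the first MPI
        off += 1 + body[6]
    bits = struct.unpack(">H", body[off:off + 2])[0]   # first MPI's bit count = key size
    # v4 fingerprint: SHA-1 over 0x99, two-byte body length, body; key ID = low 64 bits.
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
    return {"version": version, "created": created, "algo_id": algo,
            "algorithm": ALGOS.get(algo, f"unknown({algo})"), "bits": bits,
            "fingerprint": fpr, "keyid": fpr[-16:], "can_encrypt_to": algo in ENCRYPT_CAPABLE}

def inspect_key(armored: str) -> dict:
    """Inspect the primary key packet of a pasted key block (later packets are ignored here)."""
    tag, body = read_packet(dearmor(armored))
    if tag != 6:
        raise ValueError(f"expected a public-key packet (tag 6), got tag {tag}")
    return parse_public_key(body)

def accept_key(armored: str) -> bool:
    """The profile-form decision: accept only keys that parse and can be encrypted to."""
    try:
        return inspect_key(armored)["can_encrypt_to"]
    except ValueError:
        return False

# --- constructed sample keys: filler key material, not usable for real crypto ---
def build_armored_key(algo: int, created: int, mpis, curve_oid: bytes = b"") -> str:
    """Build and armor a v4 public-key packet with an old-format header byte (0x99)."""
    body = b"\x04" + struct.pack(">I", created) + bytes([algo])
    if curve_oid:
        body += bytes([len(curve_oid)]) + curve_oid
    for m in mpis:                      # MPI = 2-byte bit count + big-endian value
        body += struct.pack(">H", int.from_bytes(m, "big").bit_length()) + m
    packet = b"\x99" + struct.pack(">H", len(body)) + body
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", ""]
                     + [b64[i:i + 64] for i in range(0, len(b64), 64)]
                     + ["=" + crc, "-----END PGP PUBLIC KEY BLOCK-----"])

CREATED = 1433116800                    # 2015-06-01T00:00:00Z, chosen for the samples
RSA_SAMPLE = build_armored_key(1, CREATED, [b"\xC0" + b"\x5A" * 255, b"\x01\x00\x01"])  # 2048-bit n, e=65537
EDDSA_SAMPLE = build_armored_key(22, CREATED, [b"\x40" + b"\x11" * 32],
                                 curve_oid=b"\x2B\x06\x01\x04\x01\xDA\x47\x0F\x01")  # Ed25519 OID
```

`inspect_key(RSA_SAMPLE)` reports a 2048-bit RSA key with its fingerprint and key ID and `can_encrypt_to` true; `accept_key(EDDSA_SAMPLE)` is false because the constructed key is EdDSA, and changing a single base64 character in `RSA_SAMPLE` makes `accept_key` reject it on the CRC24 check before anything is parsed. A production parser would go on to read the user ID, self-signature and subkey packets and verify the self-signature, because a primary key is often sign-only with encryption delegated to a subkey; this example stops at the primary key packet.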
