Free VPNs are bad for your privacy
VPNs are in high demand as Americans scramble to keep access to TikTok and WeChat amid a looming government ban. There are dozens of free VPNs out there that promise to protect your privacy by keeping you anonymous on the internet and hiding your browsing history.
Don’t believe it. Free VPNs are bad for you.
The internet is a hostile place for the privacy-minded. Internet providers can sell your browsing history, governments can spy on you and tech titans collect huge amounts of data to track you across the web. Many have turned to VPNs, or virtual private networks, thinking that they can protect you from snoopers and spies.
But where VPNs try to solve a problem, they can also expose you to far greater privacy risks.
TechCrunch’s Romain Dillet has an explainer on what a VPN is. In short, VPNs were first designed for employees to virtually connect to their office network from home or while on a business trip. These days, VPNs are more widely used for hiding your online internet traffic, and tricking streaming services into thinking you’re another country when you’re not. That same technique also helps activists and dissidents bypass censorship systems in their own countries.
https://techcrunch.com/2020/09/24/free-vpn-bad-for-privacy/
#VPN #privacy #censorship
VPNs are in high demand as Americans scramble to keep access to TikTok and WeChat amid a looming government ban. There are dozens of free VPNs out there that promise to protect your privacy by keeping you anonymous on the internet and hiding your browsing history.
Don’t believe it. Free VPNs are bad for you.
The internet is a hostile place for the privacy-minded. Internet providers can sell your browsing history, governments can spy on you and tech titans collect huge amounts of data to track you across the web. Many have turned to VPNs, or virtual private networks, thinking that they can protect you from snoopers and spies.
But where VPNs try to solve a problem, they can also expose you to far greater privacy risks.
TechCrunch’s Romain Dillet has an explainer on what a VPN is. In short, VPNs were first designed for employees to virtually connect to their office network from home or while on a business trip. These days, VPNs are more widely used for hiding your online internet traffic, and tricking streaming services into thinking you’re another country when you’re not. That same technique also helps activists and dissidents bypass censorship systems in their own countries.
https://techcrunch.com/2020/09/24/free-vpn-bad-for-privacy/
#VPN #privacy #censorship
Forwarded from BlackBox (Security) Archiv
Caution: Norton VPN only protects with IPv6 disabled.
Norton now also provides VPN in its security product suites - a great feature, shamefully implemented.
Security Suites are not opened very often - so after one year of abstinence I was surprised that a VPN button suddenly appeared. You can freely choose the desired IP region, the performance is good, the connection is established super fast, everything just a click away - thanks Norton! And then the disappointment: Yes, the IPv4 address changes - the IPv6 address remains untouched. And with that the protection is just above zero! The real cheek: Not a word about it from Norton, no hint how to prevent IPv6 leaks. Very weak Symantec.
👀 👉🏼 Translated with DeepL:
https://www.tutonaut.de/vorsicht-norton-vpn-schuetzt-nur-mit-ipv6-deaktivierung/
#norton #vpn #ipv6 #leak #thinkabout
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
📡@NoGoolag
Norton now also provides VPN in its security product suites - a great feature, shamefully implemented.
Security Suites are not opened very often - so after one year of abstinence I was surprised that a VPN button suddenly appeared. You can freely choose the desired IP region, the performance is good, the connection is established super fast, everything just a click away - thanks Norton! And then the disappointment: Yes, the IPv4 address changes - the IPv6 address remains untouched. And with that the protection is just above zero! The real cheek: Not a word about it from Norton, no hint how to prevent IPv6 leaks. Very weak Symantec.
👀 👉🏼 Translated with DeepL:
https://www.tutonaut.de/vorsicht-norton-vpn-schuetzt-nur-mit-ipv6-deaktivierung/
#norton #vpn #ipv6 #leak #thinkabout
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
📡@NoGoolag
Forwarded from Privacy Matters 🛡️
Media is too big
VIEW IN TELEGRAM
How to use Tor on your phone
📹 Watch it via:
YouTube || Invidious
🌐 Get TOR for:
• Android via: Website || F-Droid || Play Store
• iOS via: Apple Store
📡 @howtobeprivateonline
#TOR #Privacy #Guide #Browser #VPN
In this anonymity tutorial, you'll learn how to use Tor on your phone - both Tor Browser and Orbot on Android, and Onion Browser on iOS.📹 Watch it via:
YouTube || Invidious
🌐 Get TOR for:
• Android via: Website || F-Droid || Play Store
• iOS via: Apple Store
📡 @howtobeprivateonline
#TOR #Privacy #Guide #Browser #VPN
Forwarded from BlackBox (Security) Archiv
Apple apps on Big Sur bypass firewalls and VPNs — this is terrible
Don't worry though, Apple really, really, really cares about your privacy
For all of Apple’s talk of being privacy-first, often its marketing speak doesn’t match up with what it’s actually doing. And the latest example? Well, it’s Apple apps on Big Sur bypassing firewalls and VPNs.
I don’t need to tell you just how worrying this is.
👀 👉🏼 https://thenextweb.com/plugged/2020/11/16/apple-apps-on-big-sur-bypass-firewalls-vpns-analysis-macos/
#apple #apps #privacy #bypass #firewall #vpn #thinkabout
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
📡@NoGoolag
Don't worry though, Apple really, really, really cares about your privacy
For all of Apple’s talk of being privacy-first, often its marketing speak doesn’t match up with what it’s actually doing. And the latest example? Well, it’s Apple apps on Big Sur bypassing firewalls and VPNs.
I don’t need to tell you just how worrying this is.
👀 👉🏼 https://thenextweb.com/plugged/2020/11/16/apple-apps-on-big-sur-bypass-firewalls-vpns-analysis-macos/
#apple #apps #privacy #bypass #firewall #vpn #thinkabout
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
📡@NoGoolag
TNW
Apple apps on Big Sur bypass firewalls and VPNs — this is terrible
Security researchers have found that Apple apps on Big Sur bypass firewalls and VPNs — this is a huge security and privacy issue.
Forwarded from BlackBox (Security) Archiv
Cybercriminals’ favourite VPN taken down in global action
Law enforcement wiretapped the very service used by criminals to evade interception
The virtual private network (VPN) Safe-Inet used by the world’s foremost cybercriminals has been taken down yesterday in a coordinated law enforcement action led by the German Reutlingen Police Headquarters together with Europol and law enforcement agencies from around the world.
The Safe-Inet service was shut down and its infrastructure seized in Germany, the Netherlands, Switzerland, France and the United States. The servers were taken down, and a splash page prepared by Europol was put up online after the domain seizures. This coordinated takedown was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).
http://telegra.ph/Cybercriminals-favourite-VPN-taken-down-in-global-action-12-22
via www.europol.europa.eu
#europol #cybercriminals #vpn #takedown #EMPACT
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@NoGoolag
📡@BlackBox
Law enforcement wiretapped the very service used by criminals to evade interception
The virtual private network (VPN) Safe-Inet used by the world’s foremost cybercriminals has been taken down yesterday in a coordinated law enforcement action led by the German Reutlingen Police Headquarters together with Europol and law enforcement agencies from around the world.
The Safe-Inet service was shut down and its infrastructure seized in Germany, the Netherlands, Switzerland, France and the United States. The servers were taken down, and a splash page prepared by Europol was put up online after the domain seizures. This coordinated takedown was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).
http://telegra.ph/Cybercriminals-favourite-VPN-taken-down-in-global-action-12-22
via www.europol.europa.eu
#europol #cybercriminals #vpn #takedown #EMPACT
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@NoGoolag
📡@BlackBox
Telegraph
Cybercriminals’ favourite VPN taken down in global action
Law enforcement wiretapped the very service used by criminals to evade interception The virtual private network (VPN) Safe-Inet used by the world’s foremost cybercriminals has been taken down yesterday in a coordinated law enforcement action led by the German…
Mozilla VPN
Available in 6 countries now. More regions coming soon.
We currently offer Mozilla VPN in the US, the UK, Canada, New Zealand, Singapore and Malaysia.
The Mozilla VPN clients are compatible with Windows 10 (64-bit only), Mac (10.15 and up), Android (version 6 and up), iOS (13.0 and up), and Linux (Ubuntu-only).
https://vpn.mozilla.org/
#mozilla #VPN
Available in 6 countries now. More regions coming soon.
We currently offer Mozilla VPN in the US, the UK, Canada, New Zealand, Singapore and Malaysia.
The Mozilla VPN clients are compatible with Windows 10 (64-bit only), Mac (10.15 and up), Android (version 6 and up), iOS (13.0 and up), and Linux (Ubuntu-only).
https://vpn.mozilla.org/
#mozilla #VPN
Mozilla
Get Mozilla VPN — Mozilla (US)
Use Mozilla VPN for full-device protection for all apps. With servers in 33+ countries, you can connect to anywhere, from anywhere.
Forwarded from BlackBox (Security) Archiv
pentest-report_mullvad_2021_v1.pdf
242.2 KB
Pentest-Report Mullvad VPN & Servers 11.-12.2020
“Mullvad VPN AB is owned by parent company Amagicom AB. The name Amagicom isderived from the Sumerian word ama-gi – the oldest word for “freedom“ or, literally,“back to mother” in the context of slavery – and the abbreviation for communication.Amagicom stands for “free communication”.”
This document is dedicated to a presentation of a security-centered project carried outby Cure53 for Mullvad. More specifically, the report describes the results of a thoroughand comprehensive penetration test and source code audit against the Mullvad VPNservers, infrastructure and related web applications and other exposed services. Theproject was completed in late 2020
https://cure53.de/pentest-report_mullvad_2021_v1.pdf
#pentest #mullvad #vpn #report #pdf
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
📡@NoGoolag
“Mullvad VPN AB is owned by parent company Amagicom AB. The name Amagicom isderived from the Sumerian word ama-gi – the oldest word for “freedom“ or, literally,“back to mother” in the context of slavery – and the abbreviation for communication.Amagicom stands for “free communication”.”
This document is dedicated to a presentation of a security-centered project carried outby Cure53 for Mullvad. More specifically, the report describes the results of a thoroughand comprehensive penetration test and source code audit against the Mullvad VPNservers, infrastructure and related web applications and other exposed services. Theproject was completed in late 2020
https://cure53.de/pentest-report_mullvad_2021_v1.pdf
#pentest #mullvad #vpn #report #pdf
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
📡@NoGoolag
Forwarded from BlackBox (Security) Archiv
Powerhouse VPN products can be abused for large-scale DDoS attacks
Around 1,500 Powerhouse VPN servers are exposed online and ready to be abused by DDoS groups.
Botnet operators are abusing VPN servers from VPN provider Powerhouse Management as a way to bounce and amplify junk traffic part of DDoS attacks.
This new DDoS vector has been discovered and documented by a security researcher who goes online as Phenomite, who shared his findings with ZDNet last week.
The researcher said the root cause of this new DDoS vector is a yet-to-be-identified service that runs on UDP port 20811 on Powerhouse VPN servers.
Phenomite says that attackers can ping this port with a one-byte request, and the service will often respond with packets that are up to 40 times the size of the original packet.
Since these packets are UDP-based, they can also be modified to contain an incorrect return IP address. This means that an attacker can send a single-byte UDP packet to a Powerhouse VPN server, which then amplifies it and sends it to the IP address of a victim of a DDoS attack —in what security researchers call a reflected/amplified DDoS attack.
https://www.zdnet.com/article/powerhouse-vpn-products-can-be-abused-for-large-scale-ddos-attacks/
#powerhouse #vpn #abuse #ddos #attacks
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag
Around 1,500 Powerhouse VPN servers are exposed online and ready to be abused by DDoS groups.
Botnet operators are abusing VPN servers from VPN provider Powerhouse Management as a way to bounce and amplify junk traffic part of DDoS attacks.
This new DDoS vector has been discovered and documented by a security researcher who goes online as Phenomite, who shared his findings with ZDNet last week.
The researcher said the root cause of this new DDoS vector is a yet-to-be-identified service that runs on UDP port 20811 on Powerhouse VPN servers.
Phenomite says that attackers can ping this port with a one-byte request, and the service will often respond with packets that are up to 40 times the size of the original packet.
Since these packets are UDP-based, they can also be modified to contain an incorrect return IP address. This means that an attacker can send a single-byte UDP packet to a Powerhouse VPN server, which then amplifies it and sends it to the IP address of a victim of a DDoS attack —in what security researchers call a reflected/amplified DDoS attack.
https://www.zdnet.com/article/powerhouse-vpn-products-can-be-abused-for-large-scale-ddos-attacks/
#powerhouse #vpn #abuse #ddos #attacks
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag
ZDNet
Powerhouse VPN products can be abused for large-scale DDoS attacks
Around 1,500 Powerhouse VPN servers are exposed online and ready to be abused by DDoS groups.
Former malware distributor Kape Technologies now owns ExpressVPN, CyberGhost, Private Internet Access, Zenmate, and a collection of VPN “review” websites
https://restoreprivacy.com/kape-technologies-owns-expressvpn-cyberghost-pia-zenmate-vpn-review-sites/
https://alternativeto.net/news/2021/9/kape-technologies-buys-expressvpn-for-936-million/
#vpn
https://restoreprivacy.com/kape-technologies-owns-expressvpn-cyberghost-pia-zenmate-vpn-review-sites/
https://alternativeto.net/news/2021/9/kape-technologies-buys-expressvpn-for-936-million/
#vpn
RestorePrivacy
Kape Technologies (Formerly Crossrider) Now Owns ExpressVPN, CyberGhost, Private Internet Access, Zenmate, and a Collection of…
Kape Technologies (formerly Crossrider) has now acquired four different VPN services and a collection of VPN “review” websites that rank Kape’s VPN holdings at the top of their recommendations. This report examines the history of Kape Technologies and its…
VPN Provider Agrees to Block Torrent Traffic and The Pirate Bay on U.S. Servers
VPN Unlimited has settled a copyright lawsuit filed by several movie companies. The VPN provider stood accused of failing to take action against subscribers who were pirating films. As part of the settlement, the company agreed to block BitTorrent traffic and prominent pirate sites including 'Pirate Bay,' 'YTS', and 'RARBG' on U.S. servers.
https://torrentfreak.com/vpn-provider-agrees-to-block-torrent-traffic-and-the-pirate-bay-on-u-s-servers-220117/
#vpn #torrent
VPN Unlimited has settled a copyright lawsuit filed by several movie companies. The VPN provider stood accused of failing to take action against subscribers who were pirating films. As part of the settlement, the company agreed to block BitTorrent traffic and prominent pirate sites including 'Pirate Bay,' 'YTS', and 'RARBG' on U.S. servers.
https://torrentfreak.com/vpn-provider-agrees-to-block-torrent-traffic-and-the-pirate-bay-on-u-s-servers-220117/
#vpn #torrent
Torrentfreak
VPN Provider Agrees to Block Torrent Traffic and The Pirate Bay on U.S. Servers * TorrentFreak
To resolve a piracy lawsuit, VPN Unlimited has agreed to block torrent traffic and pirate sites including 'Pirate Bay,' 'YTS', and 'RARBG.'
The at least until recently CIO of big #VPN #ExpressVPN is one of the three former U.S. intelligence operatives who agreed today not to fight charges they illegally helped UAE hack people. Kind of makes you think.
Sep 14, 2021
https://twitter.com/josephmenn/status/1437885720169836544
Sep 14, 2021
https://twitter.com/josephmenn/status/1437885720169836544
Twitter
The at least until recently CIO of big VPN ExpressVPN is one of the three former U.S. intelligence operatives who agreed today not to fight charges they illegally helped UAE hack people. Kind of makes you think.
LiquidVPN Ordered to Pay Filmmakers $14m in Copyright Damages
A group of filmmakers has won over $14 million in damages from VPN provider LiquidVPN. The default judgment finds the company guilty of copyright infringement and DMCA violations, in part by promoting the Popcorn Time app. The order also awards $250,000 in trademark damages in favor of 42 Ventures, which owns the Popcorn Time trademark.
https://torrentfreak.com/liquidvpn-ordered-to-pay-filmmakers-14m-in-copyright-damages-220330/
#vpn #liquidvpn
A group of filmmakers has won over $14 million in damages from VPN provider LiquidVPN. The default judgment finds the company guilty of copyright infringement and DMCA violations, in part by promoting the Popcorn Time app. The order also awards $250,000 in trademark damages in favor of 42 Ventures, which owns the Popcorn Time trademark.
https://torrentfreak.com/liquidvpn-ordered-to-pay-filmmakers-14m-in-copyright-damages-220330/
#vpn #liquidvpn
Torrentfreak
LiquidVPN Ordered to Pay Filmmakers $14m in Copyright Damages * TorrentFreak
With a default judgment, a group of filmmakers has won over $14 million in damages from VPN provider LiquidVPN.
India Orders VPN Companies to Collect and Hand Over User Data
A new government order will force virtual private networks to store user data for five years or longer.
In India, virtual private network companies will be required to collect extensive customer data -- and maintain it for five years or more -- under a new national directive from the country's Computer Emergency Response Team, known as CERT-in. It's a policy that will likely make life more difficult for both VPN companies and VPN users there.
The body, under the country's Ministry of Electronics and IT, announced Thursday that VPNs in the country will have to keep customer names, validated physical and IP addresses, usage patterns and other forms of personally identifiable information. As first reported by Entracker, those who don't comply could potentially face up to a year in prison under the governing law cited in the new directive.
The directive isn't limited to VPN providers. Data centers and cloud service providers are both listed under the same provision. The companies will have to keep customer information even after the customer has canceled their subscription or account. And, in all case, CERT-in will require the companies to report on their users' "unauthorized access to social media accounts."
https://www.cnet.com/news/privacy/india-orders-vpn-companies-to-collect-and-hand-over-user-data
#india #vpn #userdata #privacy
A new government order will force virtual private networks to store user data for five years or longer.
In India, virtual private network companies will be required to collect extensive customer data -- and maintain it for five years or more -- under a new national directive from the country's Computer Emergency Response Team, known as CERT-in. It's a policy that will likely make life more difficult for both VPN companies and VPN users there.
The body, under the country's Ministry of Electronics and IT, announced Thursday that VPNs in the country will have to keep customer names, validated physical and IP addresses, usage patterns and other forms of personally identifiable information. As first reported by Entracker, those who don't comply could potentially face up to a year in prison under the governing law cited in the new directive.
The directive isn't limited to VPN providers. Data centers and cloud service providers are both listed under the same provision. The companies will have to keep customer information even after the customer has canceled their subscription or account. And, in all case, CERT-in will require the companies to report on their users' "unauthorized access to social media accounts."
https://www.cnet.com/news/privacy/india-orders-vpn-companies-to-collect-and-hand-over-user-data
#india #vpn #userdata #privacy
CNET
India Orders VPN Companies to Collect and Hand Over User Data
A new government order will force virtual private networks to store user data for five years or longer.
https://gadgets360.com/internet/news/expressvpn-vpn-servers-india-removed-cert-in-government-order-3031361
#VPN #India #gov #expressVPN
#VPN #India #gov #expressVPN
Gadgets 360
ExpressVPN Rejects Government's Demands, Removes VPN Servers in India
ExpressVPN said the government's order was "incompatible with the purpose of VPNs."
Android leaks connectivity check traffic
An ongoing security audit of our app identified that Android leaks certain traffic, which VPN services cannot prevent. The audit report will go public soon. This post aims to dive into the finding, called MUL22-03.
We researched the reported leak, and concluded that Android sends connectivity checks outside the VPN tunnel. It does this every time the device connects to a WiFi network, even when the Block connections without VPN setting is enabled.
We understand why the Android system wants to send this traffic by default. If for instance there is a captive portal on the network, the connection will be unusable until the user has logged in to it. So most users will want the captive portal check to happen and allow them to display and use the portal. However, this can be a privacy concern for some users with certain threat models. As there seems to be no way* to stop Android from leaking this traffic, we have reported it on the Android issue tracker.
https://mullvad.net/en/blog/2022/10/10/android-leaks-connectivity-check-traffic
#Android #VPN #mullvad
An ongoing security audit of our app identified that Android leaks certain traffic, which VPN services cannot prevent. The audit report will go public soon. This post aims to dive into the finding, called MUL22-03.
We researched the reported leak, and concluded that Android sends connectivity checks outside the VPN tunnel. It does this every time the device connects to a WiFi network, even when the Block connections without VPN setting is enabled.
We understand why the Android system wants to send this traffic by default. If for instance there is a captive portal on the network, the connection will be unusable until the user has logged in to it. So most users will want the captive portal check to happen and allow them to display and use the portal. However, this can be a privacy concern for some users with certain threat models. As there seems to be no way* to stop Android from leaking this traffic, we have reported it on the Android issue tracker.
https://mullvad.net/en/blog/2022/10/10/android-leaks-connectivity-check-traffic
#Android #VPN #mullvad
Mullvad VPN
Android leaks connectivity check traffic | Mullvad VPN
An ongoing security audit of our app identified that Android leaks certain traffic, which VPN services cannot prevent. The audit report will go public soon. This post aims to dive into the finding, called MUL22-03.
MAPPING OF EGRESS POINTS USED BY VPN PROVIDERS
Introduction
This is a follow up on my previous article about
“Are VPN providers more trustworthy than your local ISP?“.
In this article I was mapping different VPN provider’s internet egress points.
The mapping candidates
The countries I’m mapping against are the same as in my previous article.
Sweden
Netherlands
Germany
Switzerland
United Kindom
When selecting VPN providers, I have this time used a wider collection of providers, compared to my last article.
Including this time:
F-Secure Freedome
AirVPN
ExpressVPN
NordVPN
Private Internet Access (PIA)
PureVPN
IPVanish
OVPN
Kaspersky Secure Connect (Hotshield)
AzireVPN
PrivateVPN
MullvadVPN
Kaspersky is not maintaining it’s own VPN service. It’s using the service from HotShield
https://www.skadligkod.se/vpn/mapping-of-egress-points-used-by-vpn-providers
#vpn #archive #as9009 #m247
Introduction
This is a follow up on my previous article about
“Are VPN providers more trustworthy than your local ISP?“.
In this article I was mapping different VPN provider’s internet egress points.
The mapping candidates
The countries I’m mapping against are the same as in my previous article.
Sweden
Netherlands
Germany
Switzerland
United Kindom
When selecting VPN providers, I have this time used a wider collection of providers, compared to my last article.
Including this time:
F-Secure Freedome
AirVPN
ExpressVPN
NordVPN
Private Internet Access (PIA)
PureVPN
IPVanish
OVPN
Kaspersky Secure Connect (Hotshield)
AzireVPN
PrivateVPN
MullvadVPN
Kaspersky is not maintaining it’s own VPN service. It’s using the service from HotShield
https://www.skadligkod.se/vpn/mapping-of-egress-points-used-by-vpn-providers
#vpn #archive #as9009 #m247
Free Android VPN Security Flaws: 100 Apps Tested
I tested the 100 most popular free VPNs in the Google Play store and found significant security and privacy flaws affecting Android apps that have been installed over 2.5 billion times worldwide.
#Android #VPN #Infosec
I tested the 100 most popular free VPNs in the Google Play store and found significant security and privacy flaws affecting Android apps that have been installed over 2.5 billion times worldwide.
#Android #VPN #Infosec