Tech News

If you use a VPN (virtual private network) connection, you might not be as anonymous or secure as you thought, as reports have surfaced of a security flaw that allows a users real IP address to be pinpointed. This news comes courtesy of a VPN provider by the name of Perfect Privacy, although there are certainly caveats when it comes to tracing a real IP using the vulnerability. The flaw is described as "port fail" and it affects virtual private network providers that offer port forwarding – if they have no protection implemented against this issue, of course.

Expect to hear a whole lot more about Li-Fi - a wireless technology that transmits high-speed data using visible light communication (VLC) - in the coming months. With scientists achieving speeds of 224 gigabits per second in the lab using Li-Fi earlier this year, the potential for this technology to change everything about the way we use the Internet is huge. And now, scientists have taken Li-Fi out of the lab for the first time, trialling it in offices and industrial environments in Tallinn, Estonia, reporting that they can achieve data transmission at 1 GB per second - that is 100 times faster than current average Wi-Fi speeds. We are doing a few pilot projects within different industries where we can utilise the VLC (visible light communication) technology, Deepak Solanki, CEO of Estonian tech company, Velmenni, told IBTimes UK. Currently we have designed a smart lighting solution for an industrial environment where the data communication is done through light. We are also doing a pilot project with a private client where we are setting up a Li-Fi network to access the Internet in their office space.

As quickly as researchers discover ways to remove and block Remote Access Trojans (RAT) used for spying on mobile devices and computers, hackers are creating new spyware strains from previously discovered malware – and they are developing more advanced capabilities from the original malware. Most recently, Egyptian hackers used the njRAT spyware exploit kit to create KilerRat, a new remote access tool (RAT) that targets the Windows operating system and allows the attacker to take over control of Windows computers. The attackers can remotely delete, edit, and rename files or folders; view the webcam of infected computers; monitor key logging on infected computers; and collect stored passwords in the computers browsers. The malware can also use the infected computers as a proxy for network traffic, enabling DDOS attacks, and convert .exe files to jpg, score, mp3, wav, txt mp4 or flv files. As a result, it is more difficult to identify computers that have been infected with the malware. In a blog post, AlienVault researcher Peter Ewane wrote that many antivirus tools "had a difficult time" detecting the malware at the time of the release.

Frequent security updates and a patch-as-you-go approach to software flaws have led a number of security experts to question whether the problem needs a fresh approach. Microsoft, Adobe and Oracle unveiled over 200 updates in October alone, many marked critical, backing up the notion that security patches are now an inevitable reality for the industry. Fraser Kyne, principal systems engineer at security firm Bromium, told V3 that the current approach is "akin to putting a sticking plaster over a gaping wound". "Patching itself is fundamentally flawed. It is always reactive, you can only patch for known issues, it is expensive and it is time consuming. Many organisations even find themselves in the position where they cant patch as it would break their line of business apps," he said, noting how entrenched the problem has become. "There are some unsolvable factors at play here: developers are fallible, users are gullible, and attackers are resourceful. More code simply means more vulnerabilities, and the rewards for exploiting these vulnerabilities are clear." The commercial problem As with every industry, commercial interests often collide with innovation. Richard Cassidy, EMEA technical director at Alert Logic, warned that this is a major problem facing the industry today. "Vendors are locked into the innovation battle, with consumer demands for better, faster and more capable applications, seeing code releases at an astonishing rate," he told V3. This pace of innovation has an "inevitable" outcome: software vulnerabilities. "Historically, developers will work to best practice coding from a security perspective, but all too often project deadlines and production demands will mean that the focus needed in the area of security often suffers," he said. Cassidy believes that patch management needs to evolve past its current "antiquated" state and that organisations must start thinking about other options. "In addition to an updated, agile patch management process, organisations need to implement better tools to identify when their own infrastructure is being subject to an undiscovered vulnerability so that they can respond immediately and ultimately reduce the window of opportunity provided to attackers," he told V3. Yet as fast as a business can respond it is well-known that the exploitation of security vulnerabilities is now a lucrative business for cyber criminals, meaning there is a huge community of vulnerability-sharing taking place. Bharat Mistry, cyber security consultant at Trend Micro, told V3 this has become so big because the value of these exploits can be huge. "One of the reasons why we are seeing so many patches is that there is a big underground community that trades in vulnerabilities and exploits, especially the new zero-days such as the recent Adobe flash vulnerabilities," he said. "For the discovering party it is seen as potentially easy money with relatively low cost of entry. And when you do find a new zero-day it can be sold for a significant amount of money. This has attracted significant numbers of people to look into this marketplace." These marketplaces, often underground and held on websites on the so-called dark web, act as a sort of eBay for hackers to buy and sell sophisticated zero-day vulnerabilities, malware and even denial-of-service tools. It is not just the odd hacker doing this either. A breach at Italian surveillance firm Hacking Team led to the discovery of major security vulnerabilities in software such as Flash and Windows that the company used to make its tools work.

The backdoor was being loaded via a hidden XSS attack Ciscos Web-based VPN service has been dealt a heavy blow by security researchers at Volexity which found at least two methods through which hackers installed backdoors on the service, stealing corporate accounts passwords as employees were logging into their accounts. The backdoors were loaded through different snippets of JavaScript code loaded on Ciscos ASA WebVPN service, performing a simple XSS attack on the logon.html page, right where corporate users were entering their username and password combos. Attackers are exploiting the CVE-2014-3393 vulnerability to load these JavaScript snippets, and then they were modifying the login page so they could record what users typed in the login fields. This bug was fixed in February 2015, but as we all know, not all companies like to update their services / equipment, so the hackers have exploited it long since after.

AVG has updated its privacy policys language, and in the amended document, the security firm admits that it can "make money from [its] free offerings with non-personal data." These "non-personal" info include your devices brand, language and apps in use, among other things. The company is adamant that it does not sell anything with identifying information, and the data that it does collect is anonymized and stored without anything that can link it back to you. According to the updated policy, AVG can collect data you yourself provide -- plus, it can use cookies to track your searches and your activities on websites, apps and other products. It can then use those details to "build anonymous data profiles" or create statistical information, which it can then sell. A spokesperson from the company said that AVG updated the language to be more transparent and make sure people know that it can make money off its free products using their information. The new rules will take effect on October 15th, 2015 and by continuing to use AVG after that, you already agree to the collection -- unless you take the steps to opt out. The spokesperson said that "users who do not want [the security firm] to use non-personal data in this way will be able to turn it off."