Security Explorations, a Polish security research firm, has found more than twenty vulnerabilities in the Google App Engine Java environment. According to the firm, the flaws allow native code execution and a full escape from the Java security sandbox, and there may be further issues that have not yet been verified.
In a letter to the Full Disclosure mailing list, Adam Gowdiak, CEO of Security Explorations, said that there are probably more flaws in the environment which the company still intends to verify.
Google App Engine (GAE) is a Google-hosted platform on which businesses build and run applications written in Java, PHP, Go, Python and other languages; software development kits are available and supported for each of them. Each SDK bundles the libraries and APIs implemented for App Engine, a local development server that reproduces App Engine services on the developer's own machine, and tools for deploying to the cloud. In production the application runs inside what is supposed to be a secure sandbox.
The vulnerabilities would allow an attacker to bypass the whitelist of Java Runtime Environment (JRE) classes that GAE applications are permitted to use, break out of the Java Virtual Machine security sandbox and issue system calls the sandbox is meant to forbid. Gowdiak said the team had working proof-of-concept code for 17 of the at least 22 flaws, and that these gave a complete escape from the security sandbox.
By design, Google's Java security sandbox is meant to stop hosted applications from communicating with, or otherwise interfering with, one another. An application running in this environment can store and query data in the App Engine datastore, but it is not allowed to write to the file system or to make system calls.
Gowdiak said the team was able to read binaries and class files, including those of the JRE sandbox itself. The researchers also learned a good deal about the internals of the GAE Java sandbox by extracting information from its debugging tools and protocol buffer definitions.
He added that many more flaws were awaiting verification and that the count might well pass 30. Security Explorations had to halt its investigation, however, because Google suspended its GAE account: the more aggressive phase of the research, in which the team issued various system calls to learn more about the sandbox, triggered the suspension. Gowdiak wrote that this was undoubtedly the team's own operational-security failure and asked Google to reinstate the account so the research could continue.
Since Google says it appreciates and takes seriously all vulnerability reports for its products, Gowdiak hoped the company would let the team finish its investigation of the GAE Java sandbox. Security Explorations would then verify the remaining vulnerabilities and possible exploits and report its findings to Google and to the security community.
The flaws stem from classic Java security mistakes. With them, the researchers escaped the GAE Java security sandbox and achieved native code execution in the environment, meaning they could run code outside the Java sandbox and begin probing the operating-system sandbox layer beneath it.
It is very important to be aware of security issues in any application, and especially in the ones you rely on for a VPN. We were very impressed with the custom Windows client NordVPN offers: it seemed very well developed, very easy to use and has many useful features.
CactusVPN's price list consists of 5 plans, depending on which service and locations you want. Four are VPN plans and one is a Smart DNS plan for those who only want to reach geo-restricted websites in the US, UK and Poland rather than protect their traffic. The VPN plans are split by the location of the servers you can use: US, UK or Liberty (Netherlands and Romania). The fourth VPN package lets you connect to any server in the CactusVPN network and use Smart DNS as well, for $16 a year more ($54.99 instead of $38.99).
Torrents are allowed on the Netherlands servers only; using P2P on other servers may get your account suspended.
CactusVPN allows up to 3 devices to be connected at the same time, but those devices cannot all connect to the same server.
The server and country count is probably the biggest drawback of the CactusVPN service. Each basic VPN plan only gives you a handful of servers in one location, so you cannot reach content that is only accessible from countries other than the one your VPN server sits in.
The number of servers in each package is acceptable: the US package lets you connect to 4 servers and the UK package offers one more. The Liberty package offers 5 servers in the Netherlands plus 1 in Romania. Anyone who buys the VPN + Smart DNS package can therefore connect to any of the 15 servers in the network.
Traffic is protected with 256-bit AES for the OpenVPN, SSTP and SoftEther protocols, behind TLS with 2048-bit certificate keys (AES has no 2048-bit key size; the 2048-bit figure is the asymmetric key in the certificate, not the data cipher), or with 128-bit MPPE for PPTP. With L2TP/IPsec you can choose between AES-128 and AES-256. OpenVPN, SSTP and SoftEther appear to be well secured and you should always prefer them, with L2TP/IPsec as a fallback. PPTP should be avoided: its MS-CHAPv2 authentication is known to be crackable, which also exposes the MPPE keys derived from it.
There are numerous payment options: PayPal, credit or debit card, WebMoney, CashU and others. We were disappointed, though, by the lack of Bitcoin payments. We believe every VPN provider should offer an anonymous way to pay, and Bitcoin is regarded as the best option for that.
If you have questions about the service, you can read the FAQ or open a ticket to ask directly. There is no live chat support, which is slightly regrettable but not a real problem. Both the FAQ and the support team give you the information you need about CactusVPN and can help resolve issues with the service.
The Windows client is very simple and lets you switch easily between servers and protocols, though we strongly recommend using OpenVPN whenever possible. We also liked the kill-switch feature, which closes a chosen application if the connection to the VPN server drops so that your real IP address is not exposed.
No activity logs are kept; connection logs are kept for 3 days for troubleshooting only. From a user's perspective this policy is rather good, since nothing is retained for more than a couple of days, which limits what could be handed over to a government.
We were very happy with the speed results, which were similar to those on our ISP connection without the VPN. We did notice a slight increase in latency even though the VPN server was located nearby.
CactusVPN is a promising provider that offers a high-quality service and may well grow in the future. However, the small number of server locations and the lack of a Bitcoin payment option keep it from being counted among the best VPN providers such as NordVPN.
Dropbox's consumer product has long drawn on an extensive ecosystem of third-party products to give users more value. The same approach has, unfortunately, been missing from another Dropbox product launched earlier this year, Dropbox for Business. That is about to change with the announcement of a new API for Dropbox for Business. (Strictly speaking it was a publication that broke an embargo rather than an announcement, but so be it.) The new API will bring much-needed features to Dropbox's enterprise offering.
Thanks to the new Dropbox for Business API, the core Dropbox for Business product will be able to connect to a wide range of third-party enterprise tools. Examples include, but are not limited to:
This is a big step for Dropbox towards addressing large enterprises' concerns about its ability to protect their sensitive data. With this move, Dropbox lets vendors that enterprises already trust layer their products on top of the core Dropbox for Business offering. Many enterprises already rely on those vendors' security solutions, so having them protect Dropbox should, at least in principle, smooth Dropbox's sales process. Opening the API also lets third parties deliver broader enterprise functionality, so Dropbox can plausibly tick more boxes on enterprise requirements lists than ever before.
Third-party applications aside, Dropbox for Business customers will also be able to build their own applications on the API if they have workflows or needs that cannot be met otherwise. Partners reported to be integrating with Dropbox for Business at launch include IBM WebSphere Cast Iron, Microsoft Azure AD, Dell Data Protection, nCrypted Cloud, Domo, Centrify, Okta, Splunk, CloudLock, Sookasa, Mover.io, SkySync, CirroSecure, Meldium and Ping Identity.
Dropbox for Business pricing will most likely stay where it is, at $15 per user per month, which is the same as Box's enterprise pricing (before bulk discounts), so this move gives Dropbox another shot in its battle against Box. After all, Box has had an API-based ecosystem for quite some time.
It is hard not to read this announcement as another Dropbox move against Box, and in some sense that is exactly what it is. But it also opens up a world of possibilities. Many agree that Dropbox has the best user experience and interface of any file synchronisation and sharing product, and this step adds enterprise-level command and control without diminishing that.
Keeping your data on one of these cloud services is a good idea, but a VPN with high security standards is also recommended to protect your data in transit. We recommend NordVPN, which is known for its strong security features and strong encryption that will protect you and your personal information from virtually anyone.
ibVPN is a VPN provider owned by a Romanian company, Amplusnet. It offers a variety of features for a small price. ibVPN's service is not limited to VPN, but we will focus here on its VPN features and quality.
ibVPN offers a wide variety of plans. Its most popular plan, Total VPN, costs $69.95 a year. Another package, Ultimate VPN, costs $82.95 for an annual subscription; it differs from Total VPN only in offering 17 more servers (the country count is the same) and a second simultaneous connection. There are two more plans: one dedicated to P2P traffic and a DNS package intended for streaming and bypassing geo-restrictions. The last one is not a VPN and does not encrypt your traffic.
In our opinion the extra servers in Ultimate VPN do not give it any significant advantage over the most popular plan. We do, however, consider the main plan seriously lacking, since only one connection is allowed per account, which is too few. An additional plan with more simultaneous connections therefore matters a great deal, although the price rises dramatically: from $69.95 (1 connection) to $169.95 (3 connections).
There is also a free trial for anyone who wants to test the VPN before committing to a purchase. It lasts only 6 hours, however, which makes it hard to form a reliable impression of the overall quality of the service.
Depending on the package, you can choose from up to 80 servers in 34 countries (Ultimate VPN). That should be enough to bypass most restrictions you run into online and to provide the security needed to stay anonymous. If you are less interested in server variety than in using torrents and pick the package dedicated to that, you get a choice of 9 servers in 6 countries.
ibVPN supports the PPTP, L2TP, OpenVPN and SSTP protocols, so it can be used on any device with VPN support. SSTP, however, is only available on Windows Vista and later, and only works with the servers in the US, UK and Turkey. 256-bit encryption is used with every protocol except PPTP, which only offers 128-bit encryption. OpenVPN uses a 1024-bit key for authentication, which is on the short side: 2048 bits is the usual minimum recommended for certificate keys today.
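Both this review and the CactusVPN one above judge the providers partly on cipher and protocol choices (AES-256 for OpenVPN, the HMAC in use, key lengths, and the weak PPTP fallback). The script below is an added example, not code from CactusVPN, ibVPN or the OpenVPN project: it parses an OpenVPN client profile and flags the weak settings a practitioner would look for before trusting a provider's .ovpn file. The two profiles embedded in it are constructed, with a made-up hostname; the directive names are real OpenVPN 2.x options, while the severities and the allowed-cipher list are this example's own policy.

```python
"""Flag weak settings in an OpenVPN client profile (.ovpn).
Added example for this page, not code from CactusVPN, ibVPN or the OpenVPN
project. Directive names are real OpenVPN 2.x options; the severities and the
allowed-cipher list are this example's own policy."""

STRONG_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "AES-256-CBC", "CHACHA20-POLY1305"}
WEAK_AUTH = {"MD5", "SHA1", "NONE"}


def parse_ovpn(text):
    """Map each directive to a list of its argument lists; skip comments and
    inline <ca>/<cert>/<key> blocks, whose contents are not directives."""
    opts, in_block = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif not in_block:
            name, *args = line.split()
            opts.setdefault(name, []).append(args)
    return opts


def audit_ovpn(text):
    """Return (severity, message) findings; an empty list means no check fired."""
    opts = parse_ovpn(text)
    findings = []

    def first(name):
        return opts[name][0] if name in opts else None

    cipher = first("cipher")
    if cipher is None:
        findings.append(("high", "no 'cipher' directive; older OpenVPN releases default to BF-CBC (64-bit blocks, SWEET32)"))
    elif cipher[0].upper() not in STRONG_CIPHERS:
        findings.append(("high", "weak cipher " + cipher[0]))

    auth = first("auth")
    if auth is None or auth[0].upper() in WEAK_AUTH:
        findings.append(("medium", "HMAC is SHA1 (the default) or weaker; use 'auth SHA256' or an AEAD cipher"))

    tls_min = first("tls-version-min")
    if tls_min is None or float(tls_min[0]) < 1.2:
        findings.append(("medium", "no 'tls-version-min 1.2'; TLS 1.0/1.1 handshakes are accepted"))

    # 'comp-lzo no', bare 'compress' and 'compress stub[-v2]' enable framing only, not compression
    lzo, comp = first("comp-lzo"), first("compress")
    if (lzo is not None and lzo[:1] != ["no"]) or (comp is not None and comp[:1] not in ([], ["stub"], ["stub-v2"])):
        findings.append(("medium", "compression enabled; VPN traffic becomes exposed to VORACLE-style attacks"))

    if first("remote-cert-tls") != ["server"]:
        findings.append(("high", "no 'remote-cert-tls server'; any client certificate from the CA can impersonate the server"))

    if "tls-auth" not in opts and "tls-crypt" not in opts:
        findings.append(("low", "no tls-auth/tls-crypt; control channel accepts unauthenticated packets before TLS completes"))

    return findings


# Constructed sample profiles (made-up hostname); not from any real provider.
WEAK_PROFILE = """
client
dev tun
proto udp
remote vpn.example.net 1194
cipher BF-CBC
auth SHA1
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
</ca>
"""

HARDENED_PROFILE = """
client
dev tun
proto udp
remote vpn.example.net 1194
remote-cert-tls server
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
tls-crypt ta.key
<ca>
(certificate body omitted)
</ca>
"""

if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_ovpn(profile) or "no findings")
```

Run audit_ovpn() on any profile a provider hands you. An empty result means none of these checks fired, not that the profile is sound: the certificate key length the reviews mention (1024 versus 2048 bits) lives inside the inline <ca> block and is not inspected here.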
You should find your preferred payment option without much hassle, since ibVPN offers quite a few, including PayPal, credit card, Perfect Money, Paymentwall, Bitcoin and more. We value the Bitcoin option in particular, since it offers the most anonymity of all and fits the purpose of a VPN.
Besides the FAQ and the ibVPN knowledge base, you can contact support by opening a ticket, writing an e-mail or using live chat, which is available 24/7. We found the responses quick and insightful. You can also arrange a remote-assistance session with a support team member, which can be a great help at times.
The ibVPN software is very simple and at the same time has all the main features a good VPN client needs. You can easily switch between servers and protocols and see server load and basic account information. It also has important safeguards such as a kill switch, which keeps your IP address from being exposed if the VPN connection unexpectedly drops.
Given the lengths governments go to in order to obtain information about us, a no-logs policy is crucial for any VPN provider. ibVPN cannot claim one: it records connection length, date, time and the VPN server you connected to. Fortunately the data is kept for only 7 days and should not normally be used against you, but it could be, and you should be aware of that.
During the free trial we were pleasantly surprised that speeds were very close to our normal bandwidth without the VPN. Using the service regularly after the trial, however, we frequently had problems with very poor speeds and were barely able to browse the web.
ibVPN leaves a great first impression. As you keep using it, though, you start running into speed problems and the single simultaneous connection allowed by the main package. That is why we consider NordVPN and other providers that allow more than one simultaneous connection on their main package, and deliver more reliable speeds, a better choice when looking for a VPN provider.
WhatsApp has announced that it is going to encrypt the text messages of all of its 600 million users. This is a big step towards real privacy, chiefly because the encryption will be on by default; it is also expected to draw criticism from police and intelligence agencies worldwide.
The application's creators describe the newly announced feature as the “biggest end-to-end encryption deployment ever.” With encryption running between the two chatting users, the makers expect to keep messages safe from eavesdroppers.
End-to-end encryption on the Facebook-owned WhatsApp still has limits. So far it works only on Android, it only covers text messages (not pictures or group messages), and it remains potentially vulnerable to man-in-the-middle attacks because there is no way to verify the identity of the person you are messaging.
Open Whisper Systems, the group behind TextSecure, the software that provides the encryption, noted in a blog post that it is working on the issues above but otherwise seems quite happy with the deployment so far.
WhatsApp is estimated to have 600 million monthly active users, who between them send billions of messages every day.
TextSecure, the open-source software, lets two devices agree on encryption and decryption keys in such a way that neither an eavesdropper nor even the TextSecure servers can recover them. Provided WhatsApp uses the same system and it has not been compromised for the feds, the application cannot decrypt users' messages in transit, and TextSecure also encrypts its data at rest. TextSecure uses HMAC-SHA256, AES-256 and Curve25519 to protect chat messages on the wire.
The software also provides perfect forward secrecy: a fresh AES key is used for each message, so even if an attacker recovers the key for a single text, past messages cannot be decrypted with it, and a later compromise of a long-term key does not expose earlier conversations either.
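The paragraphs above describe Curve25519 key agreement, HMAC-SHA256 key derivation, a fresh key per message for forward secrecy, and the one gap still open in WhatsApp's deployment, identity verification. The following Python is an added example, not TextSecure's or WhatsApp's code: it implements X25519 from RFC 7748 with only the standard library, derives a shared root key on both sides, advances a simplified hash chain to get a distinct key per message, and shows concretely why a leaked chain state yields later keys but not earlier ones. The fingerprint() helper is the out-of-band comparison that closes the man-in-the-middle gap. The AES-256 encryption of each message and the real ratchet are left out; those simplifications, and the lack of constant-time hardening, are the example's assumptions and are noted in the code.

```python
"""Curve25519 key agreement and per-message keys, TextSecure-style, stdlib only.
Added example for this page, not TextSecure's or WhatsApp's code. Assumptions:
the hash chain below stands in for the real ratchet, the AES-256 encryption of
each message is omitted (no AES in the stdlib), and x25519() is the RFC 7748
ladder with no constant-time hardening, so it is for study, not production."""
import hashlib
import hmac
import os

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")

def x25519(scalar, u):
    """X25519 from RFC 7748 section 5: scalar * u via the Montgomery ladder."""
    k = bytearray(scalar)
    k[0] &= 248                  # clamp: clear low 3 bits, clear bit 255, set bit 254
    k[31] &= 127
    k[31] |= 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair():
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)

def shared_secret(my_priv, their_pub):
    s = x25519(my_priv, their_pub)
    if s == bytes(32):           # low-order peer point: reject (RFC 7748 section 6.1)
        raise ValueError("invalid peer public key")
    return s

def fingerprint(pub):
    """Short hash of a public key to compare out of band (in person, by voice).
    Skipping this is what leaves a deployment open to a key-substituting MITM."""
    return hashlib.sha256(pub).hexdigest()[:32]

def _prf(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def session_root(my_priv, their_pub):
    """Both parties derive the same root key from the Diffie-Hellman secret."""
    return _prf(shared_secret(my_priv, their_pub), b"root")

def ratchet(chain, n):
    """Advance a hash chain n steps: mk_i = HMAC(chain_i, 0x01),
    chain_{i+1} = HMAC(chain_i, 0x02). Returns (mk_0..mk_{n-1}, chain_n).
    HMAC is one-way, so whoever holds chain_n can move forward, never back."""
    keys = []
    for _ in range(n):
        keys.append(_prf(chain, b"\x01"))
        chain = _prf(chain, b"\x02")
    return keys, chain

def forward_secrecy_demo():
    """Alice sends three messages, then her chain state chain_3 leaks.
    Returns (roots_match, leak_yields_later_keys, leak_yields_earlier_keys)."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    root_a, root_b = session_root(a_priv, b_pub), session_root(b_priv, a_pub)
    sent, chain_3 = ratchet(root_a, 3)
    expected, _ = ratchet(root_b, 5)
    from_leak, _ = ratchet(chain_3, 2)        # attacker derives mk_3, mk_4 ...
    return (root_a == root_b,
            from_leak == expected[3:],
            bool(set(from_leak) & set(sent)))  # ... but none of mk_0..mk_2

def rfc7748_vectors_ok():
    """Alice/Bob Diffie-Hellman vectors from RFC 7748 section 6.1."""
    a = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    b = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    a_pub, b_pub = x25519(a, BASEPOINT), x25519(b, BASEPOINT)
    return (a_pub.hex() == "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
            and b_pub.hex() == "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"
            and x25519(a, b_pub) == x25519(b, a_pub)
            and x25519(a, b_pub).hex() == "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")

if __name__ == "__main__":
    print("RFC 7748 vectors:", rfc7748_vectors_ok())
    print("(roots match, leak gives later keys, leak gives earlier keys):", forward_secrecy_demo())
```

The third value returned by forward_secrecy_demo() is the forward-secrecy property in miniature: the attacker who captures chain_3 can recompute every key from message 3 onward, but nothing in hand inverts HMAC back to chain_2, so messages 0 to 2 stay sealed. The real protocol adds a Diffie-Hellman ratchet on top so that even future keys are recovered only briefly after a compromise.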
Apple's iMessage, according to Cupertino (PDF, page 30), works similarly, except that Apple runs a central database of public keys: every registered Mac and iThing has its own key pair, and every text sent is encrypted with the public key of each of the recipient's devices.
In other words, a message sent to someone can be delivered to every one of the recipient's devices. If federal agents were to persuade Apple to quietly register an extra key pair for a target, with the feds holding the private key so that they could decrypt the conversation, that would be another matter; Apple, however, states that it cannot decrypt messages because it does not hold users' private keys.
Looking at the wider picture, strong encryption for everyday messages and personal data may soon become the norm. So far, encryption has required extra technical knowledge or effort. There are, however, easy-to-use VPN services such as NordVPN that require little if any technical knowledge and offer very strong encryption. NordVPN is considered one of the strongest and most secure VPN providers, with features on top of strong encryption such as a kill switch, DNS leak protection, P2P support and, most importantly, a no-logs policy.
To put it differently: when you chat with your siblings and loved ones over encrypted text, miscreants and criminals are shut out, and GCHQ and the NSA get a massive headache.
Officials in the UK and the US, and even the EU's top police official, blame technology companies that encrypt data for hampering their efforts against terrorism. With the FBI director demanding access to encrypted phones, the authorities' view is that unbreakable encryption is not meant for the little people.
Separately, the US government has given Open Whisper Systems $455,000 to fund development of the TextSecure software. While we are at it, WhatsApp founder Jan Koum recently announced a generous $1m donation to the FreeBSD Foundation.
To close this post on a reassuring note: you need not worry about extra battery drain from the computation needed to encrypt and decrypt messages, as TextSecure is not known to be a power hog.
Modern mobile devices often include hardware that performs encryption and decryption quickly and power-efficiently, but it is not always usable; for example, Qualcomm's Snapdragon 805 includes crypto accelerators for which no publicly available Android drivers exist. That processor is used in devices such as the Nexus 6.