A USB security flaw that first came to light in the summer, and was supposed to be unpatchable, affects roughly half of the devices that you connect over a USB port. And there is more bad news: it is hardly possible to tell the insecure gadgets from the secure ones without taking every single one apart.
On Wednesday, at the PacSec security conference in Tokyo, hacker Karsten Nohl presented updated research on the fundamental insecurity of USB devices that he has called BadUSB. Nohl and fellow researchers Sascha Krissler and Jakob Lell analyzed all of the USB controller chips sold by the industry’s biggest vendors to find out whether their hack would affect them. The results showed that approximately half of the USB controller chips were immune to the attack. But for an average consumer it is nearly impossible to predict which chip a device uses.
The BadUSB attack, which Nohl revealed in August at the Black Hat security conference, takes advantage of the reprogrammable firmware that resides in a USB device’s controller chip. This means that the controller chip on a thumb drive, rather than the memory stick’s flash storage, can be infected by malware that is able to spread to any computer it comes into contact with, corrupt the files stored on that computer’s drive, or even simulate a USB keyboard in order to type commands on the victim’s machine.
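The keyboard simulation described above shows up in the interface descriptors a device reports when it is plugged in. As an added example (not code from Nohl’s research or from the original article), the Python below parses a raw USB configuration descriptor and lists the interfaces whose class a product of that type has no reason to expose; the two descriptor byte strings and the function names are constructed for illustration.

```python
"""Flag USB interfaces that a device of a given product type should not expose."""
import struct

DT_CONFIGURATION, DT_INTERFACE = 0x02, 0x04
CLASS_HID, CLASS_MASS_STORAGE = 0x03, 0x08
BOOT_KEYBOARD = (CLASS_HID, 0x01, 0x01)  # class, boot subclass, keyboard protocol


def parse_interfaces(config: bytes) -> list:
    """Return (class, subclass, protocol) for every interface descriptor."""
    if len(config) < 9 or config[1] != DT_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", config, 2)[0]  # wTotalLength, little endian
    if total > len(config):
        raise ValueError("wTotalLength exceeds the captured bytes")
    interfaces, offset = [], 0
    while offset < total:
        if offset + 2 > total:
            raise ValueError("truncated descriptor header")
        length, dtype = config[offset], config[offset + 1]
        if length < 2 or offset + length > total:
            raise ValueError(f"malformed descriptor at offset {offset}")
        if dtype == DT_INTERFACE:
            if length < 9:
                raise ValueError("interface descriptor too short")
            interfaces.append(tuple(config[offset + 5:offset + 8]))
        offset += length
    return interfaces


def unexpected_interfaces(config: bytes, expected_classes: set) -> list:
    """Interfaces whose class is outside the allow-list for this product type."""
    return [i for i in parse_interfaces(config) if i[0] not in expected_classes]


# Constructed sample: a plain thumb drive (one mass-storage interface).
CLEAN_STICK = bytes.fromhex(
    "09 02 20 00 01 01 00 80 32"   # configuration, wTotalLength = 32
    "09 04 00 00 02 08 06 50 00"   # interface 0: mass storage, SCSI, bulk-only
    "07 05 81 02 00 02 00"         # bulk IN endpoint
    "07 05 02 02 00 02 00"         # bulk OUT endpoint
)

# Constructed sample: the same drive after its controller also announces a keyboard.
REPROGRAMMED_STICK = bytes.fromhex(
    "09 02 39 00 02 01 00 80 32"   # configuration, wTotalLength = 57
    "09 04 00 00 02 08 06 50 00"   # interface 0: mass storage
    "07 05 81 02 00 02 00"         # bulk IN endpoint
    "07 05 02 02 00 02 00"         # bulk OUT endpoint
    "09 04 01 00 01 03 01 01 00"   # interface 1: HID, boot subclass, keyboard
    "09 21 11 01 00 01 22 3f 00"   # HID class descriptor
    "07 05 83 03 08 00 0a"         # interrupt IN endpoint
)

if __name__ == "__main__":
    for name, raw in (("clean", CLEAN_STICK), ("reprogrammed", REPROGRAMMED_STICK)):
        extra = unexpected_interfaces(raw, {CLASS_MASS_STORAGE})
        keyboards = [i for i in extra if i == BOOT_KEYBOARD]
        print(name, "unexpected:", extra, "boot keyboards:", len(keyboards))
```

On Linux the same bytes can be read from a device’s `descriptors` file in sysfs, after the 18-byte device descriptor. A device that enumerates only as a keyboard while being sold as storage is caught by the same allow-list, since HID is not an expected class for a storage product.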
Nohl’s research team tested the reprogrammability issue in USB controller chips sold by the industry’s biggest vendors, such as Alcor, Phison, ASmedia, FTDI, Renesas, Microchip, Genesys Logic and Cypress. The researchers checked each version of each chip by looking up its published specifications and by plugging a device that uses it into a machine and attempting to rewrite the chip’s firmware.
The researchers found a mix of unpredictable results. For example, the USB storage controllers from Taiwanese firm Phison that Nohl tested were susceptible to reprogramming, whereas ASmedia’s chips were not. Controller chips from Genesys, also a Taiwanese company, that used the USB 2 standard were completely immune, but its controller chips that used the newer USB 3 standard were vulnerable. In other device categories such as keyboards, mice, USB hubs and webcams, the results produced even more chaotic Excel spreadsheets of “secure”, “inconclusive” and “vulnerable”.
The findings go well beyond Nohl’s initial research, which focused only on Taiwanese firm Phison, the chipmaker with the largest market share. Nohl has published his team’s findings on the chips it analyzed.
The problem remains, however, because consulting Nohl’s data and findings will not really do consumers any good. You cannot count on USB device makers to label their products with the name of the obscure Taiwanese company whose chip is inside, the way computer makers advertise “Intel Inside”. The same device makers also switch chips quite often to get semiconductors that are just a few cents cheaper. Earlier this year at the security conference Shmoocon, security researcher Richard Harman found, in an analysis of USB controller chips, that Kingston used USB chips from five or six different companies.
Nohl even says that, in order to combat BadUSB, device makers will need to start labeling the chips used in their products.
The challenge of creating such a labeling system is one more obstacle to fixing the issues that make BadUSB such a menacing problem. Those same difficulties made Nohl reconsider whether he should make the proof-of-concept code public when he demonstrated the BadUSB attack at the Black Hat conference, for an obvious reason: it could simply be replicated and used by malicious hackers. However, two independent researchers reverse engineered another version of the BadUSB attack and published it last month, in order to allow further study of the problem and to pressure device makers to fix it.
One company has already taken action against BadUSB attacks: Ironkey, a USB device maker owned by Imation, requires new firmware updates for its thumb drives to be signed with an unforgeable cryptographic signature, which prevents malicious reprogramming. Nohl says that other USB device makers could and should follow that path as well.
However, the chips from major vendors that he and his research team found to be immune to BadUSB attacks were protected by pure coincidence. Nohl said that those chips were custom-designed for a specific application to save money, which in theory makes them all but impossible to reprogram. Even so, Nohl said, every chip that can be reprogrammed is still susceptible to BadUSB attacks.
Protecting your data is quite important in cyberspace. Although the BadUSB “malware” works somewhat differently, you can never be sure how malicious the code on your machine can get and what it will do with the data on it. Encrypting all of your traffic can be a good start, and you can safely do that by using a VPN. NordVPN will be offering huge discounts as Cyber Monday nears, so go ahead and take a look at all of its features and why it is currently one of the best on the market.
Overplay is a rapidly growing VPN provider that aims to offer a selection of servers in countries across the world so that users can bypass various restrictions and stay secure. They are based in the United Kingdom.
There are two plans to choose from: SmartDNS and Global VPN. The first package only provides the ability to bypass geographical restrictions and does not include data encryption, which anyone who is at least a little concerned about their privacy should look for. The Global VPN plan offers regular VPN features by adding data encryption to the SmartDNS package, letting users stay secure from online threats, something many people may consider necessary given the ever-occurring data crimes.
The SmartDNS package has 4 options, starting with a 1-month subscription for $4.95. Global VPN, which in our opinion is the much better option, also has 4 different packages. The subscription length for Global VPN varies from 1 month to a year and also includes 3-month and 6-month packages. Depending on how long you are willing to subscribe to Overplay’s Global VPN, you will have to pay $9.95, $27.95, $52.95 or $99.95.
Unfortunately, Overplay does not offer a free trial, and the money-back policy covers their Global VPN only. Even then, you can only ask for a refund within two days of buying the VPN. This leaves less than two days to test all the features the provider offers, the stability of the servers and their bandwidth.
Overplay offers servers in 48 different countries to choose from: Europe (29 servers), North America (12), South America (3), Oceania (4), Asia (8) and Africa (2). It looks like their focus is Europe as about 60% of all servers are located there. Though most of the countries have only a single server, it shows that they are looking to provide their customers with a convenient option to ensure that their VPN remains unnoticed.
Overplay allows you to choose from 3 different VPN protocols: PPTP, L2TP/IPsec and OpenVPN. The data going through one of these protocols is encrypted using up to 256-bit encryption. Even though the encryption used may be as strong as other VPN providers offer, in pretty much all cases it is enough to keep your information secure.
Payment is one of the weakest points of the Overplay service. Unfortunately, there are only 2 payment options to choose from: credit card and Google Checkout. Even though these payment methods are accessible to most people, what we do not like is the lack of an anonymous payment option such as Bitcoin, which most other VPN providers offer.
Overplay offers customer support through 24/7/365 live chat and tickets. After testing the live support effectiveness we were not disappointed as we received informative answers that perfectly answered the questions we had about their service.
You can configure most of the network devices you use in your daily life to connect to the Overplay VPN network. They also have custom VPN software that is close to being necessary to bring out the strengths of the service. Although it does not work on all operating systems, there are easy-to-follow tutorials that will guide you as you configure your devices.
Even though Overplay does not track their users’ online activity, they do keep certain information about us. The logged information includes the login IP address, the date and time, and the duration of the connection. Depending on the situation, this information may be enough to link your online traffic to you.
We would like a VPN to have no effect on our connection speed and ping. Sadly, that is not the case with Overplay. The speed tests we performed showed that the bandwidth while connected to the VPN was 2 times lower than without it, which may influence your overall experience. Fortunately, we did not notice any increase in ping. On the contrary, we even noticed a decrease in ping, which for some people may be even more valuable than download speed.
Overplay offers a VPN service that gives its users a variety of servers in different countries. However, the fact that they log specific information makes us want to suggest trying NordVPN, which does not log similar information and provides the ability to pay using Bitcoin, maximizing its users’ anonymity, which we consider to be the backbone of all VPN services.
The Internet Security Alliance (ISA), which is based in the USA, has been established since 2000 and is still attracting big-name corporations such as Northrop Grumman, Lockheed Martin and Verizon, as well as other well-known public companies running businesses in fields such as defence, aviation, education, healthcare, manufacturing and financial services.
The Virginia-based think tank has advised Congress and White House officials on cyber-security in the past, and not that long ago on the US Cyber Security Framework, and does so through thought-leadership white papers, public policy and quite a few face-to-face meetings.
Now, understandably, a European spin-off of the advisory body is in the works as well: ISAFE (the Internet Security Alliance for Europe) is planned to be formally launched in spring 2015.
Richard Knowlton, corporate security director at Vodafone group, will manage a small team which is based in Brussels, Belgium.
Knowlton, who has been on the Internet Security Alliance board for over two years, will have the official title of ‘director’. He says that the advisory body was first to moot the idea for a European equivalent. Since then it has received public support from Art Coviello, RSA’s executive chairman, who briefly detailed the initiative during the Evanta Global CISO Executive Summit. It has also received support from the EU Commission itself.
Coviello had the following to say at the conference: “Knowlton was the one to establish a chapter of the European ISA version in order to make sure that industry’s security needs are heavily supported by European legislators and public policy.”
“The ISA is just one of the examples of industry assembling to influence policy on issues of cross-industry significance such as regulation and taxes – there is long precedent of companies coming together to affect the outcomes. If we can do that to protect our bottom lines, we can surely do that to safeguard our business operations and maybe our very existences. Since those are the stakes for which we are playing.”
Knowlton said that he was in favor of the idea right away and noted that what differentiates the group is its lack of industry bias.
Knowlton continued that his first thought was: “This is brilliant, there is nothing like that in Europe. While lots of [public body] companies are more or less good, most are not cross-sector or multinational.”
“Currently we do not have a formal organization, but we are already getting people interested. You could call it more of a union.” He added that the group is sending out a cyber-security news bulletin to 70-80 large companies.
Currently the group consists of nine private corporations, including Vodafone and other huge (though unnamed) multinational companies from the Netherlands, Germany and the UK.
Knowlton admitted that he is still looking to widen the group’s geographical horizons, even though most of these companies, named and unnamed, have a strong presence in sectors such as insurance, network and automotive infrastructure, telecommunications and financial services.
Before going on to say that he still hopes to recruit corporations from Italy, France and Spain in the near future, he added: “I am pretty satisfied with the cross-section we’ve got and I think it’s important to widen the geographical reach.”
“It’s very important to be trans-country so that we’re not limited to the usual suspects.”
According to Knowlton, the European group will be very similar to the US version in terms of role (it will focus on raising security awareness, thought leadership and advocating public policy), but he also notes that members of the US group will only be able to join it as affiliate members. Such members will not be able to sit on the board and will not influence the organization’s ‘steering’.
Currently the group is in discussions with EU national governments and the Commission, and it adds that the formal launch will be announced to the press at the EU cyber security conference, which takes place in Brussels later this month and where workshops have been set up to compare and contrast the US NIST directive and the EU’s NIS scheme.
Paul Nguyen, president of cyber threat intelligence firm CSG Invotas and a board member of the ISA, pointed out that the move makes sense in an age where international collaboration is required.
Nguyen said: “multinational large European corporations share many similar challenges that cyber-security creates”.
Cyber-security is certainly one of the biggest concerns in the current age, where the Internet is everything. To protect your privacy and important personal data, you should consider using a VPN, and a great one. We recommend NordVPN, which has a bunch of amazing features that take your privacy to the top level and provides some of the greatest support to its subscribers, making it real bang for your buck.
Besides a free package, proXPN also offers a paid “Premium” subscription. While “Premium” clients are not restricted in their VPN usage, free proXPN users have a limited choice of servers and have to use a connection with limited bandwidth. Furthermore, the VPN is not available to them on mobile devices.
Of course, none of these limitations affect premium users, who can choose from 3 different subscription lengths. The smallest package will allow you to enjoy the “Premium” advantages for a month. There are also 6-month and 12-month subscription packages. They cost $9.95, $49.95 and $74.95 respectively.
Moreover, each of the packages includes a “7-day RISK-FREE trial” during which you can cancel your subscription.
The server list is far from extensive. There are only 7 servers in 4 countries to choose from. Such a small server list really worries us, as it may cause high ping if you connect from an area far away from any of the servers. Furthermore, it forces more users onto each server, which leads to increased server load and decreased internet speeds. However, probably the most discouraging factor is geographically restricted websites. Considering that a VPN is a popular way to bypass the geographical restrictions that some websites have, 4 countries to choose an IP from may be a little too few.
proXPN offers their clients 2 options when connecting to a VPN server: the PPTP and OpenVPN protocols. For encryption they use a 2048-bit key, which is strong enough for anybody who is concerned about their privacy. Please note that if you are looking for the PPTP protocol you will have to pay for the service, as only the OpenVPN protocol is accessible to free users.
There are 2 options to pay for the proXPN subscription: PayPal and credit card (Visa, Mastercard, American Express). Although at least one of these options is always convenient for VPN users, the fact that they do not accept Bitcoin will definitely not please privacy fanatics.
Unlike most VPN providers, proXPN does not offer live support. Nevertheless, if you are looking for quick help you may call them, as they provide support over the phone. Besides this uncommon support service, you may also contact proXPN via e-mail or Twitter.
The website does not mention that they work 24/7, though it does say that you are free to contact them day or night.
The software is easy to use and the installation is really user friendly, since the software itself recognizes the platform and we do not need to select it ourselves. Once you are logged in to your proXPN account, you can choose the server to connect to and the protocol you want to use. Other than that, the client does not have any special features.
The website states that the VPN provider keeps logs for 14 days. The information they keep for these two weeks includes logs of connections initiated to VPN servers.
The fact that they keep logs is not really heartwarming. Nevertheless, the period they keep them for is very short, and foreign authorities would need much more time than that to gain access to these logs. Therefore, there is not much to worry about in the log policy.
After testing the speeds on various proXPN servers and with different protocols, we noticed a significant speed decrease. The speed test indicated that over half of the internet speed was lost when connected to proXPN servers. What is even worse, we managed to maintain only a third of the original bandwidth on some of the servers.
The test results were really unsatisfying, as we noticed that we have to trade speed for privacy, while other VPNs do not reduce bandwidth this significantly.
While proXPN may have some interesting features such as a free VPN, it suffers badly from low speed, which strongly affects the user’s browsing experience. Great internet speeds are a requirement for an everyday VPN user, and thus they tend to choose providers like NordVPN that do not significantly affect your internet bandwidth.
Everyone has heard and more or less knows of Black Friday, but what is Cyber Monday?
Every year, American Thanksgiving is followed by Black Friday, a day that marks the start of the Christmas season. The majority of stores open quite early on that day and offer crazy deals, which causes chaos and sometimes even madness with injuries.
So what is Cyber Monday and when is Cyber Monday happening? What are the best Cyber Monday deals? Hold on, we will tell you all about it.
Shop.org came up with the term “Cyber Monday” in 2005 after their research showed a substantial increase in online sales on the first day (which happens to be Monday) right after Thanksgiving Day.
Since the outset of Cyber Monday sales, online buyers have started to talk about it more and more. Between 2006 and 2011, Cyber Monday deals doubled online sales to over $1.2 billion.
This success has made Cyber Monday well known not just in the US but pretty much everywhere, including countries all over Europe, the United Kingdom and Canada. In fact, a lot of huge offers still appear in online stores as late as the Friday after Black Friday, which makes it Cyber Week, not just Cyber Monday.
A lot of online stores have taken advantage of this upswing in online spending by offering various Cyber Monday deals, including free shipping, savings options, incentives and discounts. VPN providers are no different and offer their own best Cyber Monday deals. Instead of risking a punch in the face during the Black Friday sales, you may feel much safer buying online, especially on days such as Cyber Monday. But buying online has its own threats, since most online consumers these days do not worry enough about their own cyber security, which leads to personal data thefts and complaints to online retailers.
So what should you do to make your online buying safer? How can you protect your online privacy and personal data? How can you hide yourself from unwanted tracking?
Well, first off we advise you to take a look at various VPN providers and at which ones offer the best Cyber Monday deals for a variety of features. Once you find one that seems acceptable, you should definitely sign up with it. To make life easier for you, we will recommend one of the few VPN providers that offer features not available from many others.
NordVPN, known for features such as its kill-switch technique, double data encryption, the ability to use P2P and a no-logs policy, together with an extremely easy-to-use interface, is currently offering a huge 50% discount on its annual subscription plan, making it as low as $5.05 (€4) per month. On top of such a killer price, NordVPN also offers additional coupons for new users.
Why wait for a Cyber Monday sale when you can take advantage of the features of one of the best VPN providers, if not the best, which keeps expanding globally and offers more and more servers for your needs as well as extremely high security? You can pay using various payment gateways such as Paymentwall and PayPal, and even Bitcoin if you need more anonymity.
Prepare yourself for hunting great deals, bargains and gifts as Cyber Monday nears by protecting yourself and your personal data. Start using NordVPN right now, especially if you are going to shop online using a mobile or tablet device, which they also support (very easy-to-follow tutorials have been written to help you set up a VPN with the NordVPN service), and have fun shopping!