Monday, 21 April 2014

OpenVPN Found Vulnerable to Heartbleed, SumRando Safe

Our users' privacy and security are what drive us here at SumRando.  We were happy to report on this blog and through social media that the SumRando VPN has not been affected by the dreaded Heartbleed vulnerability that has rocked internet businesses and users.

As the analysis of Heartbleed continues, details are emerging about how few HTTPS-enabled sites have taken action to protect themselves and their visitors, and about new ways to identify those sites still susceptible to Heartbleed.  In the past several days, there has been recognition that the widely used OpenVPN is exposed.  Evidence that OpenVPN has been affected by Heartbleed will likely signal to VPN users that they need to take additional measures to protect themselves.  While VPN users are typically more proactive consumers, having sought out such services, the news that a VPN service could be affected should cause concern.

Ars Technica reports that a VPN company successfully extracted keys from OpenVPN through OpenSSL.  Although OpenVPN had signaled the likelihood of exposure, it wasn’t until Wednesday that OpenVPN addressed the issue publicly.  Sweden-based VPN Mullvad successfully extracted keys for the purpose of testing potential exposures with OpenVPN and warned that others with malicious intentions could inflict significant damage.  Mullvad will not be sharing their code because of the potential damage it could do to those who have not already upgraded to protect against Heartbleed.

Here at SumRando, we are happy that our VPN has not been affected by Heartbleed.  We immediately took action to ensure our VPN’s security.  We share our users’ concerns about Heartbleed’s impact on other trusted services, and we are happy to answer any questions you might have about Heartbleed as it relates to SumRando VPN.  Feel free to comment below or send us an e-mail directly at contact@sumrando.com.

Friday, 18 April 2014

Still Worried About Heartbleed? Developers Offer HB Identifier

Heartbleed quickly went from whispers (or screams) within the cybersecurity world to a trending topic on Twitter and other social media as word spread that internet users needed to consider measures to protect themselves and their information from the security vulnerability.  Web platforms and products (including us at SumRando) released statements confirming that their operations were not affected by Heartbleed, while others warned that information could be vulnerable.

This week, Ars Technica is reporting that developers at Netcraft have developed a browser extension to help internet users identify sites potentially vulnerable to the Heartbleed bug.  The extension lets users see which websites could have been susceptible, so they can work out which of their data was potentially exposed.

If providers have already identified whether or not they were affected (or should have), why do we need this identifier?  AT reports that far too few secure websites have updated their infrastructures to ensure their safety:

Figures Netcraft provided Wednesday show why people should be on the lookout for sites with potentially compromised keys. Of the 500,000 HTTPS-enabled sites the company estimates were vulnerable to Heartbleed, only 80,000 of them have revoked and replaced their old certificates. That means the vast majority of formerly vulnerable sites remain susceptible to spoofing attacks and in some cases passive eavesdropping even though the gaping Heartbleed hole may have been plugged.

How does this extension work?  AT explains:

The extension works on the Chrome, Firefox, and Opera browsers. It's available here, and you can read Netcraft's description of it here. Once installed, it provides a bleeding heart icon and warning sign when users visit a site that remains susceptible to one or more of the risks posed by Heartbleed, the extremely critical bug that allows attackers to pluck sensitive data from the memory of vulnerable servers. Exposed data most often seems to include usernames and passwords, but it can also include taxpayer identification numbers and even the private encryption keys that are a website's crown jewels.

The Netcraft extension will alert users if an OpenSSL-powered site has yet to install an update that's immune to Heartbleed exploits. It also lets people know if sites that have updated OpenSSL are still using an HTTPS encryption certificate that has yet to be changed since OpenSSL was updated. That latter alert is crucial, since possession of a private encryption key makes it possible for attackers to impersonate HTTPS-protected sites with malicious sites that are almost impossible for most end users to detect. Out of an abundance of caution, all sites that were vulnerable to Heartbleed should assume their keys are now in the hands of malicious attackers.


To read more about this extension, check out yesterday’s post on Ars Technica.
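As an added illustration of the two checks described above (example code written for this post, not Netcraft's extension or SumRando's own tooling), the following Python script triages a constructed inventory of sites by the OpenSSL build each ran before and after patching and by the issue date of the certificate it still serves:

```python
"""Heartbleed exposure triage for an HTTPS site (added example).

Mirrors the two alerts the Netcraft extension is described as raising:
(1) the site still runs a vulnerable OpenSSL build, and (2) the site is
patched but its certificate predates the fix, so the private key may have
been read out of memory while the bug was live. Not Netcraft's, Ars
Technica's or SumRando's code; all inputs are constructed sample data.
"""
from datetime import date, datetime
import re

# OpenSSL 1.0.1g, the first fixed release, shipped on 7 April 2014.
FIX_DATE = date(2014, 4, 7)

# Builds that carry the unpatched heartbeat code: 1.0.1 through 1.0.1f and
# 1.0.2-beta1. The 1.0.0 and 0.9.8 branches never had the heartbeat extension.
# Caveat: distributions backported the fix without changing the letter, so a
# version string alone is a heuristic, not proof of exposure.
_VULNERABLE = re.compile(r"^1\.0\.1[a-f]?$|^1\.0\.2-beta1$")


def openssl_vulnerable(version: str) -> bool:
    """True if the version string names a build Heartbleed affects."""
    v = version.strip().lower()
    if v.startswith("openssl "):
        v = v[len("openssl "):]
    return _VULNERABLE.match(v) is not None


def parse_not_before(line: str) -> date:
    """Parse the line printed by `openssl x509 -noout -startdate`,
    e.g. 'notBefore=Mar 14 00:00:00 2013 GMT'."""
    value = line.split("=", 1)[1].strip()
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").date()


def triage(version_before: str, version_now: str, not_before: date) -> str:
    """Classify a site from the build it ran before patching, the build it
    runs now, and the notBefore date of the certificate it serves today."""
    if openssl_vulnerable(version_now):
        return "VULNERABLE"      # memory still readable; patch before anything else
    if openssl_vulnerable(version_before) and not_before < FIX_DATE:
        return "KEY_AT_RISK"     # patched, but still serving the pre-fix key/cert
    return "OK"


# Constructed inventory: (host, OpenSSL before patch, OpenSSL now, startdate line)
SAMPLE_SITES = [
    ("shop.example", "OpenSSL 1.0.1e", "OpenSSL 1.0.1e", "notBefore=Mar 14 00:00:00 2013 GMT"),
    ("mail.example", "OpenSSL 1.0.1e", "OpenSSL 1.0.1g", "notBefore=Jan  2 09:30:00 2014 GMT"),
    ("bank.example", "OpenSSL 1.0.1f", "OpenSSL 1.0.1g", "notBefore=Apr  9 12:00:00 2014 GMT"),
    ("old.example",  "OpenSSL 0.9.8y", "OpenSSL 0.9.8y", "notBefore=Jun  1 00:00:00 2012 GMT"),
]


def summarize(sites=SAMPLE_SITES) -> dict:
    """Count sites per status, the same patched-versus-reissued gap
    Netcraft's 500,000 / 80,000 figures describe."""
    counts = {"VULNERABLE": 0, "KEY_AT_RISK": 0, "OK": 0}
    for _host, before, now, startdate in sites:
        counts[triage(before, now, parse_not_before(startdate))] += 1
    return counts


if __name__ == "__main__":
    for host, before, now, startdate in SAMPLE_SITES:
        print(f"{host:14} {triage(before, now, parse_not_before(startdate))}")
    print(summarize())
```

A site that patched but kept its old certificate lands in KEY_AT_RISK, which is exactly the case the extension's second alert exists for.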

Wednesday, 9 April 2014

Change All Your Passwords: "Heartbleed" Bug Threatens Your Internet Safety

TechCrunch and other sources are confirming the severity of the OpenSSL bug known as "Heartbleed" that threatens to compromise internet users' safety.  All internet users are encouraged to change all of their existing passwords to protect their most sensitive information.

Codenomicon, a security company out of Finland, tested this potential vulnerability and advised that internet users take immediate action.  According to their analysis, up to 66% of the market share could be affected, with open source web servers like Apache and nginx particularly vulnerable to the Heartbleed bug.

What should you do immediately?

Changing your passwords is inconvenient but easy; encourage those in your life who might not understand this threat as well to follow suit.  We would encourage our readers to share this and other stories about Heartbleed to help get the word out as soon as possible through social media and personal contact.  Like all issues related to internet privacy, the goal here is to protect as many people as possible even if others don't fully understand what is at stake.  If you are not going to change all of your passwords, consider changing at least those for your main/most sensitive online accounts (e.g. bank accounts, e-mail accounts, etc.).

Wait, what exactly is Heartbleed?

For the more tech-savvy:
Codenomicon provides a detailed (and more technical) explanation of Heartbleed's origin and potential threat at heartbleed.com:

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
For the less tech-savvy:
For users looking for a less technical summary of this bug, Tumblr issued a statement to their users (who might be exposed), which provided a concise breakdown of the threat and actions to take.

A major vulnerability, known as “Heartbleed,” has been disclosed for the technology that powers encryption across the majority of the internet. That includes Tumblr.
We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue.
But this still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit.
This might be a good day to call in sick and take some time to change your passwords everywhere—especially your high-security services like email, file storage, and banking, which may have been compromised by this bug.
Users who are less tech-savvy might also find the BBC's coverage of the bug helpful.

What can you do to help others?

We also encourage our readers to comment on this blog post, tweet at our Twitter handle (@SumRando), or comment on our Facebook posts if they have additional information to share.  We thank all of you in advance for your intel on this critical matter.


Sunday, 6 April 2014

Brazil’s ‘Internet Constitution’ to Bolster Privacy, Protect Neutrality

To say countries and world leaders outside the U.S. have been mobilized in the wake of revelations about the NSA’s international and domestic surveillance efforts would be an understatement.  Among the United States’ most outspoken critics has been Brazilian President Dilma Rousseff.  In October, Brazil announced its plan to host an “international summit of government, industry, civil society, and academia” on internet governance, in part due to failed negotiations with the U.S. to alter the NSA’s controversial provisions.

Brazil made news this week by inching closer to passing what has been dubbed the country’s “Marco Civil da Internet” (Internet Constitution), which is focused on bolstering the country’s policies regarding internet privacy, freedom of expression, net neutrality, and cybersecurity. On Tuesday, Brazil’s lower chamber passed the legislation.  

According to Al Jazeera, the bill limits the collection and use of metadata and preserves net neutrality, the latter of which had recently been threatened by telecommunications companies. The long-debated bill could act as a model for other countries as it balances the oft-competing interests of individuals, government, and corporations “while ensuring that the Internet continues to be an open and decentralized network.”  The competing interests of individuals and corporations were on full display as the bill’s final contents were hotly debated.  Corporations lobbied for the exclusion of the net neutrality provisions, which would have stratified access to different types of Internet content.

In deference to those same corporations, the bill eliminated a provision that would have required that corporations store data within Brazil.  Instead, the law stipulates that these companies must comply with relevant Brazilian law regardless of where data is stored.  Analysts such as those at TechCrunch are attributing the bill’s passage to the emergence of passionate, internet-based activists that launched a variety of “Save the Internet”-style campaigns.  Brazilian celebrities such as musician Gilberto Gil heightened the issue’s profile in the mainstream.

One of the key limitations critics have cited about the law is that issues of international jurisprudence (i.e. how this Internet Constitution would affect surveillance like that conducted by the NSA) remain unresolved.  Some of Rousseff’s allies bemoan the compromise that excluded the local data storage provision since it would have helped circumvent international intrusion, but supporters are hopeful that requiring that companies comply with Brazilian law can improve such an effort. 


Although the law continues to allow certain activities that limit privacy, many in the international community see this recent effort as a positive step forward.  Considering Rousseff’s outspoken world leadership against surveillance and for cybersecurity, including this year’s international summit, implementation of this law could inspire other countries to follow suit.  

Wednesday, 2 April 2014

Three Lessons from Turkey’s Social Media Attack

As we reported recently, the Turkish government passed a law in early March to allow the Turkish Telecommunication Authority (TIB) to block access to designated websites within 4 hours of the initial request.  The country’s most prominent critic of social media, Prime Minister Recep Tayyip Erdogan, championed the law as he decried social media as a menace. 

Erdogan recently elicited a firestorm of activity within Turkey and across the world when he ordered TIB to block access to Twitter across the country on March 20.  He was apparently following through on a promise he made during a political rally earlier that day, assuring supporters that he would eradicate social media from the country, including Twitter, Facebook, and YouTube.

The events unfolding in Turkey over the past several weeks and months act as reminders of how grave the consequences are when we allow freedom of expression to be threatened.   Regardless of whether you have been following the story, we can all be reminded of the following three lessons:

1. Destructive laws have consequences; President Gul underestimated that reality.

President Abdullah Gul, who approved the recent law attacking freedom of expression, publicly condemned Erdogan’s actions, calling the Twitter shutdown “unacceptable.”  He railed against the Prime Minister, saying that the law only covers instances in which websites were violating privacy, according to the BBC.  For observers of the country’s march toward such an impasse over freedom of expression, Gul’s surprise seemed puzzling.  How could he not have seen what was coming in the law he approved, when the law’s detractors had so clearly articulated its dangers?  Gul and other leaders distanced themselves from Erdogan’s actions, but it remains unclear if there will be longer-term political ramifications for the polarizing Prime Minister.

2. “Shutting down” social media reinforced its power and omnipresence.

The Twitter shutdown inflamed Erdogan’s opposition and generated international attention for the shutdown and the country’s largely problematic privacy laws.  Turkish internet users, more savvy than the TIB, circumvented the Twitter “block” by using alternative means to communicate with each other and the world.   Almost immediately after Erdogan’s orders were carried out by the Telecommunication Authority, Twitter users across the world started using the hashtag #TurkeyBlockedTwitter (among other variations) to spread the word about Erdogan’s inflammatory actions.  Erdogan’s effort suffered at the mercy of the very qualities of social media he vilified: providing an avenue to distribute sensitive information broadly and to quickly organize anti-government demonstrations.  When President Gul eventually declared his condemnation of the event, he did so on Twitter first.  Twitter itself offered support to Turkish users through helpful tweets and then successfully filed petitions in Turkish court to challenge the blockage.

3. This story doesn't have an end, and Turkey’s hostile environment continues to worsen.

Just yesterday, the BBC reported that the Turkish government has continued to increase its social media censorship efforts.  Learning from its initial mistakes, the Turkish government is instructing internet service providers (ISPs) to block access to public DNS servers such as those run by Google, Level 3, and OpenDNS, and to redirect users away from their desired destinations.   Considering Erdogan’s political party, the Justice and Development Party (AK), performed well in this week’s local elections – elections he had personally framed as a referendum on his rule – it does not appear Turkish citizens can expect these restrictions to cease.


What are your thoughts on the recent events unfolding in Turkey?  What other lessons can we learn from these developments?

Tuesday, 18 March 2014

After CIA Incident, Time for Feinstein to Evolve on Privacy Oversight

Last week, Senator Dianne Feinstein (D-CA) signaled that she too recognizes the destructive influence of government surveillance.  For too long, she had been among the most high-profile public defenders of the United States government’s NSA surveillance.  As the Chairwoman of the Senate Intelligence Committee, Feinstein has publicly defended the legality of the NSA’s efforts under the Patriot Act.  Aiming at another large government agency, she publicly lambasted the Central Intelligence Agency (CIA) on the Senate floor for allegedly violating separation-of-powers principles in disputes over documents Feinstein’s committee was analyzing regarding CIA “black sites” used for counterterrorism efforts between 2002 and 2006.  Central to her claims is what she believes is evidence that the CIA withdrew documents from Senate control without consent.

Many critics have suggested Feinstein’s emboldened attack on the CIA signals hypocrisy, since she does not recognize the grave potential harm the NSA’s surveillance has on millions of Americans and people abroad.  Feinstein has failed to recognize that her allegations against the CIA, rooted in the Constitution’s Fourth Amendment, are strikingly similar to constitutional critiques of the NSA’s invasive counterterrorism measures.  Feinstein had also shown little evolution on the matter as recently as last fall, when she introduced an NSA “reform” bill after facing significant political pressure.  Rather than stop the NSA’s unconstitutional actions, her anti-privacy “reform” bill sought essentially to codify the NSA’s actions.  Feinstein’s reform bill was reform in name only.

This Trojan horse wasn't lost on many of Feinstein’s Congressional colleagues.  Feinstein came under fire from civil liberties advocacy groups across the board, and even the original author of the Patriot Act, Representative James Sensenbrenner Jr. (R-WI), came out against Feinstein’s bill, saying that it extended an abuse of the original legislation.  Rep. Sensenbrenner gave voice to those who felt Congressional oversight had “hit the gas pedal” rather than “put the brakes on overreaches,” offering a bill to rein in the NSA and other agencies exploiting the Patriot Act, with a Senate equivalent sponsored by Sen. Patrick Leahy (D-VT).  Feinstein had offered what many concluded was a bill to codify the NSA’s invasive programs with superficial, ultimately inconsequential reporting requirements.


Feinstein and her Congressional allies have an opportunity to recognize the destructive influence surveillance has on all people, not just on classified Congressional inquiries but in all unconstitutional abuses of power that spy on citizens.  The Senator’s full-throated indignation and willingness to go toe-to-toe with the CIA signal resolve, but not enough resolve.  As the Chairwoman of the Senate Intelligence Committee, with oversight over the NSA and other agencies engaging in surveillance, Feinstein ought to show leadership to restore the right of all citizens to be free of government surveillance.  Just as the CIA’s alleged actions have deeply concerned Feinstein, the NSA’s confirmed actions bear similar consideration and action.

Snowden & ACLU at SXSW: Consumers Must Protect Themselves, Tech Companies Must Innovate

In his longest public appearance since fleeing the United States, Snowden appeared via webcast with Ben Wizner and Christopher Soghoian from the American Civil Liberties Union (ACLU)'s Project on Speech, Privacy, and Technology.  Snowden was the ACLU’s featured speaker and spoke for about an hour (full video).  The conversation (click here for full transcript) began by looking at how internet surveillance and other government intrusion has fundamentally changed the internet, then transitioned easily into a discussion about how those in the technology sector – startups and otherwise – can better encrypt communications and heighten security in other ways.  Soghoian, ACLU’s principal technologist, made the case for paid security services to keep consumers’ data encrypted.

Snowden opened with remarks at SXSW by explaining why he chose to address the technology sector at SXSW rather than more policy-oriented audiences:

When we think about what is happening at the NSA for the past decade, the result has been an adversarial internet.  It’s a sort of global free-fire zone for governments that is nothing that we ever asked for. It is not what we want. It is something that we need to protect against. We think about the policies that have been advanced, the sort of erosion of Fourth Amendment protections, the proactive seizure of communications... There is a policy response that needs to occur. There is also a technical response that needs to occur. It is the [technology] development community that can really craft the solutions and make sure we are safe.

Snowden highlights the centrality of cybersecurity and privacy in geopolitics today.  In the 21st century, civil and international conflicts have extensive technological underbellies, either foregrounded in the conflict or unquestionably influencing its tenor below the mainstream radar.  Observers of the recent conflict between Russia and Ukraine have been eager to see, for instance, whether Russia will employ against Ukraine the cyber warfare tactics it used against Georgia in 2008.

The conversation moved from international cybersecurity to individual privacy considerations.  The ACLU’s Soghoian talked at length about the need to bridge the gap between user-friendliness and optimal security.  Soghoian observed that many widely used tools developed by large companies do not provide optimal levels of security for users (especially by default), while tools developed by smaller companies that are more secure are often too difficult for everyday users.  Snowden agreed, saying that we do not want the standard for cybersecurity to be opt-in.

Soghoian summarized the security landscape by saying, “If you want a secure online backup service you are going to have to pay for it. If you want a secure voice or video communications product you are going to have to pay for it.”  He explained, too, that consumers cannot rely on free solutions to their security concerns.  Soghoian explained, “You [don’t] have to pay thousands of dollars a year, but you have to pay something so that company has a sustainable business model that doesn't revolve around collecting and monetizing your data.”

Wide-scale changes are needed to improve the ways consumers are currently under-protected or directly violated by government and non-government parties.  As the discussion highlighted, those changes require action from a variety of different actors.  Legislative and regulatory changes can help restrict governments’ access to citizens’ data and also work to further protect countries from outside cyber-attacks.  What the technology sector and proactive consumers can do in the meantime is protect their customers and themselves from harm by using the most secure tools possible and investing in high-security services (like those provided by SumRando).

The ACLU and Snowden discussed what many of us know about technology today: as omnipresent and intertwined as technology has become, by choice and by default, privacy remains less of a priority than it should be for most consumers.  As Soghoian points out, most technology users rely on technology developers for security protections without knowing there are additional services that could protect them, and without knowing how to evaluate which services can provide consumers adequate security.  Without more widespread change in government and popular technology, informed consumers must rely on high-quality products that actively protect their security online.