Thursday 24 April 2014

Spring Cleaning: Why be 'SumRando' Online with a VPN?

SumRando. Free Proxy and VPN - Online but Under the Radar from SumRando on Vimeo.

People are more curious than ever about how to protect themselves online.  Think about recent events -- from censorship in Turkey this spring to the recent discovery of Heartbleed -- and ongoing concerns like surveillance by the NSA.  Even for those who only recently started to take note of internet privacy and cybersecurity, there is more than enough evidence that we need to protect ourselves in addition to advocating for stronger protections across the board for all users.

At SumRando, we pride ourselves in providing a dynamic, multi-site VPN for users across the globe.  We developed the video above in hopes of explaining the vision the SumRando community shares: All of us can and should protect our private information as we see fit.

Spread the Word
You might already be someone who takes these issues seriously, but let's face it: we all have a number of friends, family members, or work colleagues who still don't quite "get it."  Do them all a favor and share this video with the social media buttons below. Sharing this video might save you from having to explain VPNs while out for beers with friends, wanting to warn your family at a summer picnic or holiday dinner about security, and/or looking like "that" guy/girl in the office break room who shares tech advice.

Want to learn more?  Click here if you'd like to learn more about VPNs and ours in particular.  Click here if you're interested in learning more about our free and affordable SumRando VPN plans.

Monday 21 April 2014

OpenVPN Found Vulnerable to Heartbleed, SumRando Safe

Our users' privacy and security are what drive us here at SumRando.  And we were happy to report on this blog and through social media, the SumRando VPN has not been affected by the dreaded Heartbleed vulnerability that has rocked internet businesses and users. As the analysis of Heartbleed continues, details are emerging about how few HTTPS-enabled sites have taken action to protect themselves and their visitors and new ways to identify those sites susceptible to Heartbleed.  In the past several days, there has been recognition that the widely-used OpenVPN is exposed.  Evidence that OpenVPN has been affected by Heartbleed will likely signal to VPN users that they need to take additional measures to protect themselves.  While VPN users are typically more proactive consumers by seeking out such services, the news that a VPN service could be affected should cause concern.

Ars Technica reports that a VPN company successfully extracted keys from OpenVPN through OpenSSL.  Although OpenVPN had signaled the likelihood of exposure, it wasn’t until Wednesday that OpenVPN addressed the issue publiclySweden-based VPN Mullvad successfully extracted keys for the purpose of testing potential exposures with OpenVPN and warned that others with malicious intentions could inflict significant damage.  Mullvad will not be sharing their code because of potential damage it could do to those who have not already upgraded to protect against Heartbleed.

Here at SumRando, we are happy that our VPN has not been affected by Heartbleed. We immediately took action to ensure our VPN's security. We share our users' concerns about Heartbleed's impact on other trusted services, and we are happy to answer any questions you might have about Heartbleed as it relates to SumRando VPN. Feel free to comment below or send us an email directly at contact@sumrando.com.

Friday 18 April 2014

Still Worried About Heartbleed? Developers Offer HB Identifier

Heartbleed quickly went from whispers (or screams) within the cybersecurity world to a trending topic on Twitter and other social media as word spread that internet users needed to consider measures to protect themselves and their information from the security vulnerability.  Web platforms and products (including us at SumRando) released statements confirming that their operations were not affected by Heartbleed, while others warned that information could be vulnerable.

This week, Ars Technica is reporting that developers at Netcraft have developed a browser extension to help internet users identify sites potentially vulnerable to the Heartbleed bug.  This extension would allow users to identify websites that could have been susceptible in order to identify data that was potentially exposed.  

If providers have already identified whether or not they were affected (or should have), why do we need this identifier?  AT reports that far too few secure websites have updated their infrastructures to ensure their safety:

Figures Netcraft provided Wednesday show why people should be on the lookout for sites with potentially compromised keys. Of the 500,000 HTTPS-enabled sites the company estimates were vulnerable to Heartbleed, only 80,000 of them have revoked and replaced their old certificates. That means the vast majority of formerly vulnerable sites remain susceptible to spoofing attacks and in some cases passive eavesdropping even though the gaping Heartbleed hole may have been plugged.

How does this extender work?  AT explains:

The extension works on the Chrome, Firefox, and Opera browsers. It's available here, and you can read Netcraft's description of it here. Once installed, it provides a bleeding heart icon and warning sign when users visit a site that remains susceptible to one or more of the risks posed by Heartbleed, the extremely critical bug that allows attackers to pluck sensitive data from the memory of vulnerable servers. Exposed data most often seems to include usernames and passwords, but it can also include taxpayer identification numbers and even the private encryption keys that are a website's crown jewels.

The Netcraft extension will alert users if an OpenSSL-powered site has yet to install an update that's immune to Heartbleed exploits. It also lets people know if sites that have updated OpenSSL are still using an HTTPS encryption certificate that has yet to be changed since OpenSSL was updated. That latter alert is crucial, since possession of a private encryption key makes it possible for attackers to impersonate HTTPS-protected sites with malicious sites that are almost impossible for most end users to detect. Out of an abundance of caution, all sites that were vulnerable to Heartbleed should assume their keys are now in the hands of malicious attackers.

To read more about this extension, check out yesterday’s post on Ars Technica.

Wednesday 9 April 2014

Change All Your Passwords: "Heartbleed" Bug Threatens Your Internet Safety

TechCrunch and other sources are confirming the severity of the OpenSSL bug known as "Heartbleed" that threatens to compromise internet users' safety.  All internet users are encouraged to change all of their existing passwords to protect their most sensitive information.

Codenomicon, a security company out of Finland, tested this potential vulnerability and advised that internet users take immediate action.  According to their analysis, up to 66% of the market share could be affected with open source web servers like Apache and nginx particularly vulnerable to the Heartbleed bug.

What should you do immediately?

Changing your passwords is inconvenient but easy; encourage those in your life who might not understand this threat as well to follow suit.  We would encourage our readers to share this and other stories about Heartbleed to help get the word out as soon as possible through social media and personal contact.  Like all issues related to internet privacy, the goal here is to protect as many people as possible, even if others don't fully understand what all is at stake.  If you are not going to change all of your passwords, consider changing at least your main/most sensitive online accounts (e.g. bank accounts, e-mail accounts, etc.).

Wait, what exactly is Heartbleed?

For the more tech-savvy:
Codenomicon provides a detailed (and more technical) explanation of Heartbleed's origin and potential threat at heartbleed.com:

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
For the less tech-savvy:
For users looking for a less technical summary of this bug, Tumblr issued a statement to their users (who might be exposed), which provided a concise breakdown of the threat and actions to take.

A major vulnerability, known as “Heartbleed,” has been disclosed for the technology that powers encryption across the majority of the internet. That includes Tumblr.
We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue.
But this still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit.
This might be a good day to call in sick and take some time to change your passwords everywhere—especially your high-security services like email, file storage, and banking, which may have been compromised by this bug.
Users who are less tech-savvy might also find the BBC's coverage of the bug helpful.

What can you do to help others?

We also encourage our readers to comment on this blog post, tweet at our Twitter handle (@SumRando), or comment on our Facebook posts if they have additional information to share.  We thank all of you in advance for your intel on this critical matter.

Sunday 6 April 2014

Brazil’s ‘Internet Constitution’ to Bolster Privacy, Protect Neutrality

To say countries and world leaders outside the U.S. have been mobilized in the wake of revelations about the NSA’s international and domestic surveillance efforts would be an understatement.  Among the United States’ most outspoken critics has been Brazilian President Dilma Rousseff.  In October, Brazil announced its plan to host an “international summit of government, industry, civil society, and academia” on internet governance in part due to failed negotiations with the U.S., to alter the NSA’s controversial provisions.  

Brazil made news this week by inching closer to passing what has been dubbed the country’s “Marco Civil da Internet” (Internet Constitution), which is focused on bolstering the country’s policies regarding internet privacy, freedom of expression, net neutrality, and cybersecurity. On Tuesday, Brazil’s lower chamber passed the legislation.  

According to Al Jazeera, the bill limits the collection and use of metadata and preserved net neutrality, the latter of which had recently been threatened by telecommunications companies. The long-debated bill could act as a model for other countries as it balances the oft-competing interests of individuals, government, and corporations “while ensuring that the Internet continues to be an open and decentralized network.”  The competing interests of individuals and corporations were on full display as the bill’s final contents have been hotly debated.  Corporations lobbied for the exclusion of net neutrality provisions, which would have stratified access to different types of Internet content.  

In deference to those same corporations, the bill eliminated a provision that would have required that corporations store data within Brazil.  Instead, the law stipulates that these companies must comply with relevant Brazilian law regardless of where data is stored.  Analysts such as those at TechCrunch are attributing the bill’s passage to the emergence of passionate, internet-based activists that launched a variety of “Save the Internet”-style campaigns.  Brazilian celebrities such as musician Gilberto Gil heightened the issue’s profile in the mainstream.

One of the key limitations critics have cited about the law is that issues of international jurisprudence (i.e. how this Internet Constitution would affect surveillance like that conducted by the NSA) remain unresolved.  Some of Rousseff’s allies bemoan the compromise that excluded the local data storage provision since it would have helped circumvent international intrusion, but supporters are hopeful that requiring that companies comply with Brazilian law can improve such an effort. 

Although the law continues to allow certain activities that limit privacy, many in the international community see this recent effort as a positive step forward.  Considering Rousseff’s outspoken world leadership against surveillance and for cybersecurity, including this year’s international summit, implementation of this law could inspire other countries to follow suit.  

Wednesday 2 April 2014

Three Lessons from Turkey’s Social Media Attack

As we reported recently, the Turkish government passed a law in early March to allow the Turkish Telecommunication Authority (TIB) to block access to designated websites within 4 hours of the initial request.  The country’s most prominent critic of social media, Prime Minister Recep Tayyip Erdogan, championed the law as he decried social media a menace. 

Erdogan recently elicited a firestorm of activity within Turkey and across the world when he ordered TIB to block access to Twitter across the country on March 20.  He was apparently following through on a promise he made during a political rally earlier that day, assuring supporters that he would eradicate social media from the country, including Twitter, Facebook, and YouTube.

The events unfolding in Turkey over the past several weeks and months act as reminders of how grave the consequences are when we allow freedom of expression to be threatened.  Regardless if you have been following the story or not, we can all be reminded of the following three lessons:

1. Destructive laws have consequences; President Gul underestimated that reality.

President Abdullah Gul, who approved the recent law attacking freedom of expression, publicly condemned Erdogan’s actions, calling the Twitter shutdown “unacceptable.”  He railed against the Prime Minister, saying that the law only protects instances in which websites were violating privacy, according to the BBC.  For observers of the country’s march toward such an impasse about freedom of expression, Gul’s surprise seemed puzzling.  How could he not have seen what was coming in that law he approved, when the law’s detractors had so clearly articulated its dangers?  Gul and other leaders distanced themselves from Erdogan’s actions, but it remains unclear if there will be longer-term political ramifications for the polarizing Prime Minister.

2. “Shutting down” social media reinforced its power and omnipresence.

The Twitter shutdown inflamed Erdogan’s opposition and generated international attention for the shutdown and the country’s largely problematic privacy laws.  Turkish internet users, more savvy than the TIB, circumvented the Twitter “block” by using alternative means to communicate with each other and the world.  Almost immediately after Erdogan’s orders were carried out by the Telecommunication Authority, Twitter users across the world starting using the hashtag #TurkeyBlockedTwitter (among other variations) to spread the word about Erdogan’s inflammatory actions.  Erodgan’s effort suffered at the mercy of the very qualities of social media he vilified: Providing an avenue to distribute sensitive information broadly and quickly organize anti-government demonstrations.  When President Gul eventually declared his condemnation of the event, he did so on Twitter first.  Twitter itself offered support to Turkish users by offering helpful tweets and then successfully filed petitions in Turkish court to challenge the blockage.

3. This story doesn't have an end, and Turkey’s hostile environment continues to worsen.

Just yesterday, the BBC reported that the Turkish government has continued to increase its social media censorship efforts.  Learning from their initial mistakes, the Turkish government is instructing internet service providers (ISPs) to block access to domain name servers such as Google, Level 3, and OpenDNS, and redirect users away from their desired destinations.  Considering Erdogan’s political party, Justice and Development Party (AK), performed well in this week’s local elections – elections he had personally framed as a referendum on his rule – it does not appear Turkish citizens can expect these restrictions to cease.  


What are your thoughts on the recent events unfolding in Turkey?  What other lessons can we learn from these developments?