Beware: Most Mobile VPNs Aren’t as Safe as They Seem
February 8, 2017 | Lily Hay Newman, Wired
Press
“The economics didn’t make much sense because when you start looking at these applications, most of them are free but maintaining online infrastructure is actually very expensive,” says Narseo Vallina-Rodriguez, a researcher at the International Computer Science Institute who worked on the study.
Enterprise firewalls are man-in-the-middling HTTPS sessions like crazy, and weakening security
February 8, 2017 | Cory Doctorow, Boing Boing
The researchers found that the prevalence of these man-in-the-middle attacks is at least an order of magnitude higher than previously believed, and the methods that firewall vendors use to compromise HTTPS often leave users open to spying and code-injection. Firefox is slightly more secure than rival browsers.
Is Trump Tweeting From a 'Secure' Smartphone? The White House Won't Say
February 3, 2017 | Sam Sanders, NPR, Heard on All Things Considered
"Donald Trump for the longest time has been using an insecure Android phone that by all reports is so easy to compromise, it would not meet the security requirements of a teenager," says Nicholas Weaver.
Obama’s cybersecurity legacy: Good intentions, good efforts, limited results
January 31, 2017 | Taylor Armerding, CSO
Nicholas Weaver, a senior staff researcher at the International Computer Science Institute, in a post on Lawfare, declared that the president’s insistence on continuing to use an insecure Android device is “asking for a disaster (and) should cause real panic.”
Most free Android VPNs leak data and many don’t even use encryption, says study
January 31, 2017 | James Vincent, The Verge
“To me, the shocking fact was that people trust this kind of technology,” Vallina-Rodriguez told The Verge. He said in using these apps, individuals are just handing over their internet connections, and if the company handling this data isn’t trustworthy, they can get up to all sorts of mischief.
Majority of Android VPNs can’t be trusted to make users more secure
January 31, 2017 | Dan Goodin, Ars Technica
"Our results show that—in spite of the promises for privacy, security, and anonymity given by the majority of VPN apps—millions of users may be unawarely subject to poor security guarantees and abusive practices inflicted by VPN apps... Despite the fact that Android VPN-enabled apps are being installed by millions of mobile users worldwide, their operational transparency and their possible impact on user's privacy and security remains terra incognita even for tech-savvy users."
Many Android VPN-enabled apps do not protect user traffic
January 30, 2017 | Juha Saarinen, ITNews
Over two-thirds of the VPN-enabled apps promise to enhance online privacy and security, yet three quarters of the programs tested use third-party user tracking libraries, and 82 percent request permission to access sensitive data including accounts and text messages.
Many Android VPN Apps Breaking Privacy Promises
January 30, 2017 | Michael Mimoso, Threatpost
“Our experiments reveal several instances of VPN apps that expose users to serious privacy and security vulnerabilities, such as use of insecure VPN tunneling protocols, as well as IPv6 and DNS traffic leakage,” said researchers Muhammad Ikram, Narseo Vallina-Rodriguez, Suranga Seneviratne, Mohamed Ali Kaafar and Vern Paxson.
Trump’s cybersecurity practices have been a ‘Sad!’ sight
January 30, 2017 | Seung Y. Lee, SF Examiner
Weaver continues ... “Security experts were rightly aghast to learn that Secretary Hillary Clinton kept her BlackBerry in her secure office in the State Department. This is far worse.”
CSIRO: Most Mobile VPNs Aren't Secure
January 27, 2017 | Campbell Simpson, Gizmodo
Research scientists Dali Kaafar, Suranga Seneviratne and Muhammad Ikram from Data61 contributed to the report alongside Narseo Vallina-Rodriguez from ICSI and Vern Paxson from UC Berkeley. The report, which examined 283 apps from the Google Play Store that use Android's integrated virtual private network permission, found some pretty stark results: 18 per cent of apps don't encrypt any of the traffic that travels through them, and a full 84 per cent didn't disguise DNS traffic or support IPv6 tunnelling — more secure than the widely used IPv4.