March 21, 2019

Opera brings back free VPN service to its Android browser

By Lisa Vaas

Opera announced on Wednesday that it’s added its free Virtual Private Network (VPN) service to its Android browser app… again.

The Norwegian browser maker offered a stand-alone, built-in VPN service before it was sold to a Chinese consortium, but it stopped working after the sale.

Now, it’s back: the latest, VPN-bearing, mobile browser version – Opera for Android 51 – is available now in the Google Play store or on Opera.com. The company hasn’t given any hints about whether it’s planning to bring the VPN to its iOS browser.

The VPN is free, unlike private VPN services for which you have to pay additional fees, Opera stressed. It’s also easy: users don’t have to sign in every time they want to use it; all you have to do is hit a switch.

What this is…

The Opera browser VPN will create a private and encrypted connection between Androids and a remote VPN server, using 256-bit encryption. It will shield users’ geographical locations, thus making it hard to track us, Opera says. That will hopefully provide a bit of relief from the apps that have been sucking our location data like so many leeches and selling it to third parties.

Read more at https://nakedsecurity.sophos.com/2019/03/21/opera-brings-back-free-vpn-service-to-its-android-browser/

FBI crackdown on DDoS-for-hire sites led to 85% slash in attack sizes

By Lisa Vaas

In December, the FBI seized the domains of 15 of the world’s biggest “booters” (websites that sell distributed denial-of-service, or DDoS, services) – a crackdown that’s led to an 85% decrease in the average size of DDoS attacks on a year-on-year basis, according to a new report.

According to NexusGuard’s DDoS Threat Report 2018 Q4, the number of DDoS attacks also fell by 10.99% when compared with attacks during the same time in 2017.

That’s thanks to the FBI taking down the booters that were allegedly responsible for what the DDoS security provider says was more than 200,000 DDoS attacks since 2014.

Besides the drop in overall activity, both the average and the maximum DDoS attack sizes also dropped like rocks – by 85.36% and 23.91%, according to NexusGuard’s analysis.

DDoS-for-hire sites sell high-bandwidth internet attack services under the guise of “stress testing.” One example is Lizard Squad, which, until its operators were busted in 2016, rented out its LizardStresser attack service… an attack service that was, suitably enough, given a dose of its own medicine when it was hacked in 2015.

You might remember Lizard Squad as the Grinch who ruined gamers’ Christmas with a DDoS against the servers that power PlayStation and Xbox consoles – an attack it carried out for our own good.

Read more at https://nakedsecurity.sophos.com/2019/03/21/fbi-crackdown-on-ddos-for-hire-sites-led-to-85-slash-in-attack-sizes/

Researcher finds new way to sniff Windows BitLocker encryption keys

By John E Dunn

A researcher has published a new and relatively simple way that Windows BitLocker encryption keys can be sniffed in less secure configurations as they travel from Trusted Platform Modules (TPMs) during boot.

BitLocker is the full volume encryption system that has been shipped with higher-end versions of Windows since Vista, which in the case of Windows 10 requires running or upgrading to Pro, Enterprise or Education versions on a computer with a TPM 1.2 or 2.0 chip.

Inevitably, being the Windows encryption platform has made it a target for researchers looking for weaknesses in something many people use, of which the method published by Denis Andzakovic of Pulse Security last week is only the latest example.

The weakness he exploits is that in its most basic and insecure configuration, BitLocker boots encrypted drives without the user needing to enter a password or PIN other than their normal Windows login. Writes Andzakovic:

The idea behind this is that if the laptop is stolen, and the attacker does not know your login password, they cannot pull the drive and read the contents.

No login, no access to the computer’s encrypted drive. Simply removing the drive and putting it in another computer won’t work either because the encryption key is secured inside the old machine’s TPM.

Read more at https://nakedsecurity.sophos.com/2019/03/21/researcher-finds-new-way-to-sniff-windows-bitlocker-encryption-keys/

Google researcher discovers new type of Windows security weakness

By John E Dunn

Microsoft has said it plans to patch a new class of Windows security bug discovered by a Google Project Zero researcher despite finding no conclusive evidence that it poses a threat to users.

The unusual and complicated weakness appears to have been sitting unnoticed in Windows since as far back as XP and will be patched in the next version of Windows 10, currently named 19H1 (aka version 1903).

But if it’s not a clear threat, why patch it at all? For the answer to that, we need to explore the backstory.

According to Project Zero researcher James Forshaw, he first discovered what he assumed was a relatively straightforward kernel-mode driver Elevation of Privileges (EoP) issue in 2016, eventually fixed by Microsoft as CVE-2016-3219.

Following up a year later, however, he realized he’d stumbled upon a larger logic hole that might allow malware running in user mode (which limits privileges) to sneak privileges through the interaction of Microsoft and third-party kernel-mode drivers and the Windows I/O manager subsystem.

However, Forshaw was still unable to create a working proof-of-concept (many aspects of these deeper code interactions are difficult without proprietary knowledge), forcing him to contact Microsoft for help:

This led to meetings with various teams at Bluehat 2017 in Redmond where a plan was formed for Microsoft to use their source code access to discover the extent of this bug class in the Windows kernel and driver code base.

Read more at https://nakedsecurity.sophos.com/2019/03/20/google-researcher-discovers-new-type-of-windows-security-weakness/

Researchers fret over Netflix interactive TV traffic snooping

By Danny Bradbury

No sooner has Netflix made an interactive TV show than people are pulling apart its privacy implications and fretting about its potential to leak private information. Research published last week said that it is possible to deduce viewers’ choices from the platform’s interactive TV shows, like Bandersnatch.

After a couple of smaller projects, Bandersnatch was Netflix’s first big foray into interactive TV. Set in 1984, the episode in Charlie Brooker’s Black Mirror series lets the viewer control the actions of a young video games programmer, Stefan Butler, who idolizes established games programmer Colin Ritman. Throughout the episode, the viewer makes decisions for him, including seemingly innocuous choices such as which cereal to eat. The choices guide you down a range of paths concluding in one of several endings for the story.

It’s an idea that anyone who grew up on the Choose Your Own Adventure and Fighting Fantasy book series will warm to. Unlike the books, Netflix records your story choices digitally, and the researchers believe that could pose a privacy problem.

According to their paper, although Netflix uses end-to-end encryption to send those choices from your viewing device to its servers, communication flaws still make it possible to snoop on what you choose. The paper says:

Recent advancements in the domain of encrypted network traffic analysis make it possible to infer basic information about the preferences of Netflix viewers.

The researchers realized that viewers’ devices indicated their choices by sending a JSON file (JSON is a human-readable text format commonly used in cloud-based software queries). The device would send one of two different JSON files for each choice, based on what the user chose. By working out the JSON file type and the point in the program when it was sent, they could work out the users’ choices.

Read more at https://nakedsecurity.sophos.com/2019/03/20/researchers-fret-over-netflix-interactive-tv-traffic-snooping/
