VPNs -

Systemic Shock

Too Far Gone
True & Honest Fan
kiwifarms.net
I don't trust any of these commercial VPNs. They have a lot of reason to mine your data as they tend to learn the most about who you really are.
 

3119967d0c

a... brain - @StarkRavingMad
True & Honest Fan
kiwifarms.net
Some weird possibly shit going on with NordVPN.


TL;DR: NordVPN may be using malware from a cousin company to gain illicit access to residential connections for VPN use.

Don't take this as incontrovertible truth, I haven't looked too deep into it, but fucked up if true. Anybody know more?
Nah, it's fucking excellent if true. This is either propaganda from the dodgy Israeli company that owns PIA, or just this guy talking nonsense.

NordVPN specifically denied that their "VPN clients are being used to turn our users into a botnet". The article provides not a shred of proof of any such allegations- instead, traffic may be, after going through the regular NordVPN servers, routed through residential internet connections via a service that has nothing to do with NordVPN and especially the VPN clients that users install on their computers.

It's all FUD. Routing traffic through residential IPs is a great way to further decrease the ability for the traditional enemies of the truth to track your internet activity. Now, when will they be offering this for bypassing 4chan blocks?
 

AnOminous

Really?
True & Honest Fan
Retired Staff
kiwifarms.net
Nah, it's fucking excellent if true. This is either propaganda from the dodgy Israeli company that owns PIA, or just this guy talking nonsense.

NordVPN specifically denied that their "VPN clients are being used to turn our users into a botnet".
Another Israeli company, Hola, did exactly this, having a peer to peer VPN that used bandwidth from its "free" customers without their knowledge and selling the bandwidth to their paying customers (Luminati).
 

3119967d0c

a... brain - @StarkRavingMad
True & Honest Fan
kiwifarms.net
Another Israeli company, Hola, did exactly this, having a peer to peer VPN that used bandwidth from its "free" customers without their knowledge and selling the bandwidth to their paying customers (Luminati).
Yeah, I looked into using this for stuff I didn't need to be private with, where the ability to get random residential IPs might be useful.

What I found was that all the free traffic just goes through a very limited number of dedicated servers. So you don't even get the advantage of using other people's residential IPs.

They're still engaging in these same practices- I believe they still don't even encrypt the traffic from your browser to their shitty proxy servers.
 

Lord of the Large Pants

Chicks dig giant robots.
kiwifarms.net
Some weird possibly shit going on with NordVPN.


TL;DR: NordVPN may be using malware from a cousin company to gain illicit access to residential connections for VPN use.

Don't take this as incontrovertible truth, I haven't looked too deep into it, but fucked up if true. Anybody know more?
Nah, it's fucking excellent if true. This is either propaganda from the dodgy Israeli company that owns PIA, or just this guy talking nonsense.

NordVPN specifically denied that their "VPN clients are being used to turn our users into a botnet". The article provides not a shred of proof of any such allegations- instead, traffic may be, after going through the regular NordVPN servers, routed through residential internet connections via a service that has nothing to do with NordVPN and especially the VPN clients that users install on their computers.

It's all FUD. Routing traffic through residential IPs is a great way to further decrease the ability for the traditional enemies of the truth to track your internet activity. Now, when will they be offering this for bypassing 4chan blocks?
Still, if what he's saying is true, NordVPN is routing through residential IPs by some shady-ass means, even if they're not DIRECTLY involved compromising those machines, yeah? Possibility 1: He's lying/wrong about the connections being routed through residential. Possibility 2: He's right. Well, how exactly are they routing through residential? Even if NordVPN itself isn't turning VPN connections into nodes (which I don't think he's claiming), SOMETHING is, right?

FULL DISCLOSURE: I use PIA but with recent events I'm looking pretty hard at Mullvad. I have no religion when it comes to VPNs.
 

3119967d0c

a... brain - @StarkRavingMad
True & Honest Fan
kiwifarms.net
Still, if what he's saying is true, NordVPN is routing through residential IPs by some shady-ass means, even if they're not DIRECTLY involved compromising those machines, yeah? Possibility 1: He's lying/wrong about the connections being routed through residential. Possibility 2: He's right. Well, how exactly are they routing through residential? Even if NordVPN itself isn't turning VPN connections into nodes (which I don't think he's claiming), SOMETHING is, right?
And? It sounds like NordVPN is giving you a privacy gain, without any downside for the NordVPN user (too bad for the people installing adware).

This mong with a Medium account is trying to conflate this with NordVPN users somehow being compromised by using NordVPN or their official clients.

There's some potential for there to be downsides to this, if this is done with HTTP traffic not just HTTPS (and it's probably only done with HTTPS traffic for only some specific criteria to avoid the Disney blocks), but if so why are you sending sensitive stuff over HTTP?
 

AnOminous

Really?
True & Honest Fan
Retired Staff
kiwifarms.net
And? It sounds like NordVPN is giving you a privacy gain, without any downside for the NordVPN user (too bad for the people installing adware).
It says something about their integrity. If they'd steal from random people why wouldn't they fuck you over, too?
 

AnOminous

Really?
True & Honest Fan
Retired Staff
kiwifarms.net
If people install adware on their computers in exchange for some shitty software product, that's fair play.
I'm sure they'd have some similar bullshit justification for betraying me, too, so I just won't trust them. If you sign up for them knowing they're thieves and get fucked over, you deserve it, too, by that reasoning.
 

3119967d0c

a... brain - @StarkRavingMad
True & Honest Fan
kiwifarms.net
I'm sure they'd have some similar bullshit justification for betraying me, too, so I just won't trust them. If you sign up for them knowing they're thieves and get fucked over, you deserve it, too, by that reasoning.
It's a different operation.

If they need to get residential IPs to avoid content blocking, then they need to get residential IPs. It sounds like they got these from a company that does this in a pretty civilized way, with an addon that people voluntarily installed with some software that had nothing to do with privacy (a lot of the others just rely on botnets installing their software).

Would I like to see more information about what triggers routing through residential IPs so I can take advantage of it for non-Disney related activities, assuming this is possible? Absolutely.

Would I like to see VPN providers looking at alternative ways to route traffic through residential IPs? Sure. Maybe they could make it a premium service where you paid a little more but if you didn't want to pay and were in a desirable region, you could choose to allow others to route traffic for certain services like Netflix, etc*, in exchange for credits to do the same yourself. But that seems like it would require a fair amount of investment and consumer buy in. They have a good solution for now.

* as there are obvious reasons not to allow people to post bomb threats against schools on 4chan from your own connection
 

AnOminous

Really?
True & Honest Fan
Retired Staff
kiwifarms.net
But that seems like it would require a fair amount of investment and consumer buy in.
It just takes a couple high profile end users going down for someone else's CP downloading for consumer buy in to disappear.
 

3119967d0c

a... brain - @StarkRavingMad
True & Honest Fan
kiwifarms.net
It just takes a couple high profile end users going down for someone else's CP downloading for consumer buy in to disappear.
Yeah, it definitely doesn't work if you let random anonymous people go through your residential connection to access anything, whether that be the successor of 8chan's /hebe/ under Frederick Brennan's management, or 4chan to post bomb threats, or...

I think you could make it work as long as it was solely for geogated sites where the user generally has to have an account tied to their credit card anyway, which is the issue NordVPN are addressing here, with some sort of system where effectively a bugman in the UK could trade his geogated BBC iPlayer access and whatever shows are geogated to the UK, with a bugman in the US whose connection gives him access to US Netflix and Disney shit.

This Disney lockdown that NordVPN is circumventing is only the start. The MPAA's front organization is specifically working to crack down on 'password sharing' and geogate avoidance, and they have British, European, and Canadian media corps on board- and even ISPs. The situation is only going to get worse for VPN providers relying on routing all their traffic through random VPSs in datacenters.
 

GrayWater

kiwifarms.net
Regarding the subject of PIA, here's a little tidbit. I cancelled my subscription last night and gave them my reason, that they've been snatched up by a company responsible for literally creating malware.
Earlier today I got an email reply back from Customer Support. Here's what they had to say:
PIA Customer Support said:
Thank you for reaching out to us here at PIA Customer Support.
To give you a bit of background: we have recently been acquired by Kape Technologies, a company listed on the London Stock Exchange. CyberGhost had also been acquired by Kape in 2017, so we are now part of the same group.
However, since we are and will remain independent, separate entities, we continue to remain competitors of CyberGhost, even after our acquisition.
And while I am not an expert on CyberGhost VPN, I can tell you that their Privacy Policy refers to their website (signing up, creating an account tied to an email address, purchasing a subscription, and so on.) The personal data they use to guarantee access to their products has nothing to do with their VPN servers.
They also have a strict no-logs policy. You can read more about it here: https://www.cyberghostvpn.com/en_US/no-logs-vpn
What’s more, CyberGhost VPN was the first in the industry ever to publish a Transparency Report. They’ve been keeping this tradition alive ever since 2011, with the newest iteration available here: https://www.cyberghostvpn.com/privacyhub/transparency-report-q2-q3/
I’d also like to add the fact they are legally obligated to inform all users about any change in their privacy policy, the same way we are.
I hope this answers your question, but do not hesitate to contact me if you need more details.

Regards

Fritzi P.
Customer Support Agent
I did mention CyberGhost in my reasoning, but they didn't seem to address the Crossrider debacle I also mentioned. Not too surprised I guess, but still curious.
 

Lord of the Large Pants

Chicks dig giant robots.
kiwifarms.net
Anecdotal, but in the past few days, for the first time, Youtube has been throwing fits with PIA. It's a general "too many requests from your network" error, but y'know. Horse shit.

Mysterious.
 

a_lurker

kiwifarms.net
Some weird possibly shit going on with NordVPN.


TL;DR: NordVPN may be using malware from a cousin company to gain illicit access to residential connections for VPN use.

Don't take this as incontrovertible truth, I haven't looked too deep into it, but fucked up if true. Anybody know more?
I figure they'd probably have a specific route for dns requests for Disney+
 

Sam Losco

True & Honest Fan
kiwifarms.net
Regarding the subject of PIA, here's a little tidbit. I cancelled my subscription last night and gave them my reason, that they've been snatched up by a company responsible for literally creating malware.
Earlier today I got an email reply back from Customer Support. Here's what they had to say:


I did mention CyberGhost in my reasoning, but they didn't seem to address the Crossrider debacle I also mentioned. Not too surprised I guess, but still curious.
For still being competitors, that rep sure went to bat for them.
 

greengrilledcheese

Free, White, and 21
kiwifarms.net
I've been using Mullvad for the last week and it's working well for me. Having the option to mail cash as payment is nice. They only offer monthly payments which might be a negative to some, but I was paying PIA monthly in case I needed to drop them and move on (which seems to be a wise move).

All of the servers I tried (10+) have been fast with low latency.

The android app is pretty barebones, especially compared to the PIA one, but it works. I ended up using the WireGuard client because I needed to exclude a couple of apps from the VPN.

I'm satisfied so far.
 

Sam Losco

True & Honest Fan
kiwifarms.net
https://www.bleepingcomputer.com/news/security/new-linux-vulnerability-lets-attackers-hijack-vpn-connections/
https://archive.ph/GoizH

New Linux Vulnerability Lets Attackers Hijack VPN Connections

Security researchers found a new vulnerability allowing potential attackers to hijack VPN connections on affected *NIX devices and inject arbitrary data payloads into IPv4 and IPv6 TCP streams.

They disclosed the security flaw tracked as CVE-2019-14899 to distros and the Linux kernel security team, as well as to others impacted such as Systemd, Google, Apple, OpenVPN, and WireGuard.

The vulnerability is known to impact most Linux distributions and Unix-like operating systems including FreeBSD, OpenBSD, macOS, iOS, and Android.

A currently incomplete list of vulnerable operating systems and the init systems they came with is available below, with more to be added once they are tested and found to be affected:

• Ubuntu 19.10 (systemd)
• Fedora (systemd)
• Debian 10.2 (systemd)
• Arch 2019.05 (systemd)
• Manjaro 18.1.1 (systemd)
• Devuan (sysV init)
• MX Linux 19 (Mepis+antiX)
• Void Linux (runit)
• Slackware 14.2 (rc.d)
• Deepin (rc.d)
• FreeBSD (rc.d)
• OpenBSD (rc.d)

All VPN implementations are affected
This security flaw "allows a network adjacent attacker to determine if another user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website," according to William J. Tolley, Beau Kujath, and Jedidiah R. Crandall, Breakpointing Bad researchers at University of New Mexico.

"Additionally, we are able to determine the exact seq and ack numbers by counting encrypted packets and/or examining their size. This allows us to inject data into the TCP stream and hijack connections," the researchers said.

Attacks exploiting CVE-2019-14899 work against OpenVPN, WireGuard, and IKEv2/IPSec, but the researchers are still testing their feasibility against Tor.

They also note that the VPN technology used does not seem to be of importance since the attacks worked during their tests even when the responses they got from targets were encrypted, given that the size of the packets and the number of packets sent was enough to find the type of data packets that were being delivered through the encrypted VPN tunnel.

This attack did not work against any Linux distribution we tested until the release of Ubuntu 19.10, and we noticed that the rp_filter settings were set to “loose” mode. We see that the default settings in sysctl.d/50-default.conf in the systemd repository were changed from “strict” to “loose” mode on November 28, 2018, so distributions using a version of systemd without modified configurations after this date are now vulnerable. Most Linux distributions we tested which use other init systems leave the value as 0, the default for the Linux kernel.

The researchers discovered that most of the Linux distros they tested were vulnerable to attacks exploiting this flaw. They also found that all distros that use systemd versions released after November 28, 2018, that come with Reverse Path filtering switched from Strict mode to Loose mode, are vulnerable.

Given this, all Linux distributions using a systemd version with default configurations after this date are vulnerable.

It's important to note though that, despite some distros with specific systemd versions being vulnerable, the flaw is known to impact a variety of init systems and it is not only related to systemd as shown by the list of affected OSs available above.

Furthermore, network security consultant Noel Kuntze said in a reply to the disclosure report that only route-based VPN implementations are impacted by this vulnerability.

An alleged Amazon Web Services employee also stated that the Amazon Linux distro and AWS VPN products are not affected by attacks exploiting this flaw.

Mitigation is possible
Mitigation is possible according to the researchers and it can be potentially achieved by turning reverse path filtering on, by using bogon filtering — filtering bogus (fake) IP addresses — or with the help of encrypted packet size and timing.

These are the steps needed to run an attack designed to exploit this vulnerability and hijack a target's VPN connection:

1. Determining the VPN client’s virtual IP address
2. Using the virtual IP address to make inferences about active connections
3. Using the encrypted replies to unsolicited packets to determine the sequence and acknowledgment numbers of the active connection to hijack the TCP session

The full procedure to reproduce the vulnerability on Linux distros is explained in detail within the disclosure report publicly available here.

The research team is planning to publish a paper with an in-depth analysis of this vulnerability and its implications but only after finding an adequate workaround.

---- End of Article ----​
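
Added example, not part of the article or of any post in this thread: a shell audit of the IPv4 rp_filter setting the article describes, reporting the value the kernel actually applies per interface (the maximum of conf/all and conf/<iface>, so a loose "all" overrides a strict interface). The function names and the sample tree are constructed for illustration; with no argument, audit_rp_filter reads /proc/sys/net/ipv4/conf.

```shell
#!/bin/sh
# Audit IPv4 reverse-path filtering (rp_filter): 0 = off, 1 = strict, 2 = loose.
# rp_filter is an IPv4 sysctl only; it does not cover IPv6 traffic.

# Kernel rule (ip-sysctl documentation): the value used for an interface is
# the maximum of conf/all/rp_filter and conf/<iface>/rp_filter.
rp_effective() {
    if [ "$1" -ge "$2" ]; then echo "$1"; else echo "$2"; fi
}

rp_mode_name() {
    case "$1" in
        0) echo off ;;
        1) echo strict ;;
        2) echo loose ;;
        *) echo unknown ;;
    esac
}

# Print "<iface> <effective value> <mode>" for each interface under the given
# root (default: the live system). Returns 1 if any interface is not strict.
audit_rp_filter() {
    conf_root="${1:-/proc/sys/net/ipv4/conf}"
    found_weak=0
    all_val=$(cat "$conf_root/all/rp_filter") || return 2
    for dir in "$conf_root"/*/; do
        iface=$(basename "$dir")
        case "$iface" in all|default) continue ;; esac
        [ -r "$dir/rp_filter" ] || continue
        eff=$(rp_effective "$all_val" "$(cat "$dir/rp_filter")")
        echo "$iface $eff $(rp_mode_name "$eff")"
        [ "$eff" -eq 1 ] || found_weak=1
    done
    return $found_weak
}

# Constructed sample tree mimicking /proc/sys/net/ipv4/conf (hypothetical
# interfaces eth0 and tun0); $1 is the value written to conf/all/rp_filter.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    for i in all default eth0 tun0; do mkdir -p "$root/$i"; done
    echo "$1" > "$root/all/rp_filter"
    echo 2 > "$root/default/rp_filter"
    echo 2 > "$root/eth0/rp_filter"
    echo 1 > "$root/tun0/rp_filter"
    echo "$root"
}

# Demo on the constructed tree: tun0 is set to strict, but all=2 makes the
# effective mode loose on every interface.
demo=$(make_sample_tree 2)
audit_rp_filter "$demo" || echo "non-strict rp_filter found"
rm -rf "$demo"
```
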
 

3119967d0c

a... brain - @StarkRavingMad
True & Honest Fan
kiwifarms.net
Hmm. I can't profess to fully understand this, but there is this:
This attack did not work against any Linux distribution we tested until the release of Ubuntu 19.10, and we noticed that the rp_filter settings were set to “loose” mode. We see that the default settings in sysctl.d/50-default.conf in the systemd repository were changed from “strict” to “loose” mode on November 28, 2018, so distributions using a version of systemd without modified configurations after this date are now vulnerable. Most Linux distributions we tested which use other init systems leave the value as 0, the default for the Linux kernel...

we recently discovered that the attack also works against IPv6, so turning reverse path filtering on isn't a reasonable solution, but this was how we discovered that the attack worked on Linux.
https://seclists.org/oss-sec/2019/q4/122

If you avoid using a VPN that routes IPv6 (there's very little reason to do so) and you don't use a distribution that has been infected by systemd malware, you are fine.
 