OpenVPN 2.4 Has Been Launched - The Patch Notes

OpenVPN has been updated to version 2.4.0. It is the first major release of OpenVPN since 2.3.1 was launched over three years ago. This update contains a lot of fixes and new features, and this is a rundown of the most significant changes that are being made in this update.


General Changes - These include updates that improve compatibility or functionality of specific features in OpenVPN in 2.4.0.

Control Channel Encryption has been improved - TLS_Crypt has been updated to allow easier and more granular control of encryption of the control channel. This enables OpenVPN to better resist deep packet inspection techniques to block OpenVPN tunnels.

AEAD mode cipher support -

> read more

QuadRooter Vulnerability Affects 900 Million Android Smartphones with Qualcomm Processors

Checkpoint has disclosed 4 new attack vectors that impact the processors that are built into many popular Android smartphones. The vulnerability in the drivers shipped with the baseband processor (the processor that controls the actual wireless radio) allows a malicious app to escalate its privileges and take over the device, effectively giving the attacker full root control over the device.

Which devices are affected?

Many of the most popular Android phones, including:

The BlackPhone 1 and 2
The Google Nexus 5X, 6, and 6P
The Samsung Galaxy S7 and S7 Edge
The Oneplus One, 2 and 3
The HTC One, M9 and V10
The Blackberry Priv
The Sony Xperia Z Ultra
The Motorola Moto X

I have one of these devices. What can I do to protect myself?

> read more

What a Man-in-the-Middle Attack Looks Like -- Identifying MITM

Everyone knows that governments and criminals around the world are breaking into computers and stealing data. But no one really knows if they are actually a target of an attack. Sometimes your internet just "messes up" and you wonder why a page rendered strangely, or why portions of a page don't load, or where these strange cryptic errors are coming from.

The most common attack vectors for advanced attackers are the Man-in-the-Middle and Man-on-the-Side attacks. For the purposes of this article i'm going to cover the MITM attack.

When you browse the internet or use an internet enabled service, your data flows from you to your internet provider, and then is routed around through multiple services before it reaches it's destination, the server that is hosting your information.

> read more

OpenVPN 2.3.10 Released -- PolarSSL Updates

OpenVPN 2.3.10 has been released. It contains a few minor bug fixes, and support for PolarSSL 1.3. PolarSSL is an optional library offered as an alternative to OpenSSL for OpenVPN.

PolarSSL now goes under the name mbed TLS after PolarSSL was acquired by ARM, but a lot of developers still use the old name.

PolarSSL 1.3 support brings OpenVPN to the most current version of the library, giving it the latest security patches and support for the latest features. The latest version of PolarSSL is 1.3.9 which has a number of security fixes and performance optimizations.

PolarSSL is used in mobile versions of OpenVPN for Google Android and Apple iOS, so this update largely impacts those clients more than OpenVPN for Windows, OSX, or Linux. You can optionally use PolarSSL for all of these platforms, but OpenSSL is the default.

VikingVPN uses OpenSSL on all of its secure server infrastructure, and is largely unaffected by this update.

> read more

Security Through Threat Modelling -- How VikingVPN Enhances Security Through Harm Minimization

There's a lot of things to consider when you are thinking about security. No system is completely bulletproof. Until we have a breakthrough in computing that allows computers to behave reliably with software, bugs and vulnerabilities will exist. You have to think about what features your customers want, which ones are absolutely necessary, and what you can do without. Once narrowing down what you want to build, you have to think about how the system will work, and most importantly, how it will break.

Threat Modelling is the name of the exercise of looking at who wants to break into your systems, what your systems do, where they are vulnerable and what those vulnerabilities mean.

VikingVPN has taken on an aggressive threat model, assuming that sophisticated attackers want to break into our systems and that, even though we stringently adhere to OpSec and have a tight security model, there may be a zero day attack or overlooked configuration error that would lead to compromise.

> read more

Why VikingVPN Does Not Use Virtual Servers for the VPN Network

On many of our pages and public statements, we talk about steps that we take to increase the security of our VPN network. One of the features that we often mention is our use of "bare-metal" or dedicated servers only. This means that the servers that our VPN network operates on only have a single operating system installed, the one that is managing the VPN server.

Alternatively, a lot of other VPNs use virtualization such as cloud or virtual private servers. This means that a Hypervisor is managing multiple operating systems at the same time on one machine. The idea behind virtualization is that servers are often underutilized, and allowing multiple customers to share the same machine securely can allow hosting companies to get more customers per machine, and thus greater revenues. VPN providers use virtual machines to save money.

The problem is the assumption that this can be done securely.

> read more

Visualizing How You Are Being Tracked Using Mozilla Lightbeam

Everyone hears that they are being tracked online. They know that Facebook, Google, and Twitter track your activity in order to send you targeted ads, and that governments are tracking your activity for whatever purposes they desire. What most of us don't realize is the breadth and depth of the problem, and how visiting a single website can expose you to hundreds of different trackers.

Let's call this what it really is, surveillance. Whether it is a company, a web operator, a government, an internet provider, or a hacker, they are watching your activity. They are pulling any data they can from your browser and storing it away, often without your consent. Users have little to no agency in selecting whether they are tracked or not.

> read more

Truecrypt is Secure - It Has Passed the Final Audit

The disk encryption software Truecrypt, a popular tool that was endorsed by Edward Snowden, has passed a full source code security audit. This comes on the heels of the developers of the app mysteriously quitting the project and recommending that people use a questionable Microsoft solution.

The initial audit of the bootloader was performed by iSec who found only minor issues with the software that would not compromise security. The full report of the phase I audit is here:

The phase II audit was completed by NCC. The full report can be read here:

> read more

OpenSSL Updated -- New Security Vulnerabilities Disclosed -- FREAK and DoS

OpenSSL has received a major update to all branches, introducing versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.

They have also released the new list of vulnerabilities that were closed by the new versions. This includes a "severe" rating DoS attack that can overload servers, and a "moderate" rating attack that can corrupt areas of server memory.

They also have reclassified the "FREAK" attack from its original "low" rating to "high" because additional research has shown that there is extensive legacy support for the EXPORT grade RSA keys hanging around in a huge number of apps. Export RSA keys (512-bit RSA) are too weak for 2015 standards and should not be used under any conditions. This is of grave concern because a large number of apps support this key length and OpenSSL had a vulnerability that would allow a man-in-the-middle to downgrade keys to export grade during negotiation. The impact of the attack is severe (loss of all privacy / faulty encryption) but it was originally believed to only be in very rare cases with some legacy software. As it turns out, there are a huge number of apps that support Export, making it a high severity vulnerability that is more widespread than previously thought.

> read more

Brace for Impact -- New OpenSSL Severe Security Advisory to Be Released Tomorrow Sept 19th

The OpenSSL team has released a statement that all versions of OpenSSL will receive an update tomorrow to patch an as-of-yet undisclosed vulnerability in OpenSSL.

The announcement here
states that the new versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf will fix a vulnerability that has a "high" severity rating.

As of this writing the vulnerability is undisclosed. We will be keeping an eye out for the release and be ready to implement countermeasures once the threat is known. VikingVPN is always committed to being the most secure VPN in the market, and we implement fixes and countermeasures against all known threats in the wild. We also implement a strong threat model to keep our systems safe from unknown threats, which has shielded us and our users against the last few major vulnerabilities in OpenSSL and OpenVPN alike.

> read more