Welcome to nsane.forums

Search the Community

Showing results for tags 'security'.



Found 1,074 results

  1. protonvpn

     Proton VPN 1.0.4

     Overview: ProtonVPN is designed from the ground up with a special emphasis on security and privacy, and features a number of innovations that we have made to harden VPN against compromises. ProtonVPN will eventually feature free and premium versions containing different features. For the beta period, you will be able to test the full-fledged premium version of ProtonVPN for free.

     Layers of Protection: limitation / blocking access to the data / application; isolation and creating a separate database / application; backup of important data; detecting and deleting viruses / malware.

     Proton Mail earlier announced a beta VPN service for PLUS Proton Mail users. At this moment, Proton VPN offers 14 countries: Australia, Canada, France, Germany, Hong Kong, Iceland, Japan, Netherlands, Singapore (new), Spain, Sweden, Switzerland, United Kingdom, United States.

     Standard Servers: All of our servers are dedicated to ProtonVPN and feature high bandwidth connections.
     Secure Core Servers: Secure Core Servers add an additional layer of protection against VPN endpoint compromise. Learn More

     More Info:
     Official Product Homepage / Detailed Features: https://protonvpn.com/home
     Official Website: https://protonvpn.com/
     Register/Signup: https://account.protonvpn.com/signup
     Login: https://account.protonvpn.com/login/
     Pricing: https://protonvpn.com/pricing
     VPN Servers: https://protonvpn.com/vpn-servers
     Security: https://protonvpn.com/secure-vpn
     VPN Threat Model: https://protonvpn.com/blog/threat-model/
     Transparency Report: https://protonvpn.com/blog/transparency-report/
     About Us: https://protonvpn.com/about
     Blog: https://protonvpn.com/blog/

     We are open for registration. You can follow ProtonVPN on social media to get the latest news and updates:
     Facebook: https://facebook.com/ProtonVPN
     Twitter: https://twitter.com/ProtonVPN
     Reddit: https://www.reddit.com/r/ProtonVPN/

     We would love to hear your feedback on the beta and what we can do to improve ProtonVPN. In addition to the links above, you can also send your suggestions to [email protected]. If you run into trouble with ProtonVPN, or have questions, you can search for answers or contact us via the ProtonVPN support site: https://protonvpn.com/support/

     Screenshots:

     Downloads:
     Download: https://protonvpn.com/download/
     Windows Client: https://protonvpn.com/download/ProtonVPN_win_v1.0.4.exe

     Clients for macOS, Linux, Android, and iOS are still under development, but it is still possible to use ProtonVPN with these operating systems using third-party OpenVPN clients. Setup guides can be found here:
     MacOS: https://protonvpn.com/support/mac-vpn-setup/
     Linux: https://protonvpn.com/support/linux-vpn-setup/
     Android: https://protonvpn.com/support/android-vpn-setup/
     iOS: https://protonvpn.com/support/ios-vpn-setup/
     VPN Servers and Country Code for Linux, Mac, Android and iOS: https://protonvpn.com/support/vpn-servers/

     More Info - Articles & Reviews:
     Three years ago we launched ProtonMail. Today, we’re launching ProtonVPN.
     Encrypted email provider ProtonMail launches free VPN service to counter increasing online censorship
     ProtonVPN Swiss-Based VPN Launches
  2. Microsoft has made available Project Springfield as an Azure service preview called Microsoft Security Risk Detection (MSRD) for detecting code bugs and security vulnerabilities in Windows and Linux applications.

     While MSRD is advertised as a finder of security holes in code, it can be used to discover bugs too. It uses artificial intelligence to root out the causes of program crashes that might point to a security issue or a bug in the code. Microsoft has been using a part of the service on Windows, Office and other software since the mid-2000s. The tool is also used by the Microsoft Security Development Lifecycle process, which recommends testing at least those attack surfaces that expose a data parser to untrusted data.

     Customers willing to run MSRD on their software are offered a VM where they upload the binaries of the application to be tested and input data seed files. MSRD uses white-box fuzzing based on the data seed files provided to test the program, and reports the possible vulnerabilities found, offering information to developers to reproduce the problem. (More information on Fuzzing Basics can be found on this documentation page.)

     MSRD can be used to fuzz the code of websites but with some limitations, not being able to discover cross-site scripting or request forgery vulnerabilities. Also, it can be used for managed code and Azure applications, but in the latter case the service won’t be able to access other Azure services, as usually happens with cloud applications.

     Applications running on Windows Server 2008 R2 and Red Hat Linux are currently supported, with Linux under preview. Microsoft is also working on adding support for Windows 10 and Windows Server 2016. Microsoft intends to offer the Security Risk Detection tool through Microsoft Services later this fall.

     Article source
  3. EMCO Malware Destroyer is a free personal antivirus tool that helps you to organize personal protection of your PC and perform regular fast malware scans. Its unique malware scan engine allows you to spend only 10 seconds on a complete PC analysis against over 10,000 real threat definitions, including viruses, trojans, worms and other malware types. The up-to-date malware database includes virus information provided by leading virus labs and thousands of users.

     Main Advantages:
     Extremely fast malware scan. Only a few seconds are required to perform a complete PC scan to detect malware presence.
     Over 10,000 threats in database. The malware signatures database contains over ten thousand entries of real-world threats.
     Frequent signature updates. The malware signatures database is often updated to include information about the latest threats.
     User participation. Thousands of users participate in the database update by anonymously submitting information about their system, which helps to find the latest threats and include new signatures in the update.
     Use it for FREE. Keep your PC protected from malware and other threats without spending your budget on it.

     -----
     Home: http://emcosoftware.com/malware-destroyer
     Download Setup: https://storage.emcosoftware.com/download/malwaredestroyer/malwaredestroyersetup.exe
     http://emcosoftware.com/malware-destroyer/download
     Download .paf Portable
     Site: https://www.upload.ee
     Sharecode[?]: /files/7217793/MalwareDestroyerPortable_7.9.16.1030_English.paf.exe.html
  4. Printers, especially multi-function models, store some user data in them. This website tells you how to reset your printer and remove your data for most models of printers made. As the caveat on their website states
     Website
  5. This set of tools allows enterprise security administrators to download, analyze, test, edit and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products, while comparing them against other security configurations.

     Note: There are multiple files available for this download. Once you click on the "Download" button, you will be prompted to select the files you need.

     File Name:
     LGPO.zip
     PolicyAnalyzer.zip
     Windows 10 Version 1507 Security Baseline.zip
     Windows 10 Version 1511 Security Baseline.zip
     Windows 10 Version 1607 and Windows Server 2016 Security Baseline.zip
     Windows Server 2012 R2 Security Baseline.zip

     Date Published: 6/30/2017

     The Microsoft Security Configuration Toolkit enables enterprise security administrators to effectively manage their enterprise’s Group Policy Objects (GPOs). Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them via a Domain Controller or inject them directly into testbed hosts to test their effects. The Security Configuration Toolkit consists of two tools, Policy Analyzer and LGPO, and a set of configuration baselines for different releases of Windows.

     Policy Analyzer
     Policy Analyzer is a utility for analyzing and comparing sets of Group Policy Objects (GPOs). It can highlight when a set of Group Policies has redundant settings or internal inconsistencies and then highlight the differences between versions or sets of Group Policies. It can also compare GPOs against current local policy settings and local registry settings, and then export results to a Microsoft Excel spreadsheet. Policy Analyzer lets you treat a set of GPOs as a single unit. This makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values. It also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set.

     LGPO
     LGPO is a tool for transferring Group Policy directly between a host’s registry and a GPO backup file, bypassing the Domain Controller. This gives administrators a simple way to verify the effects of their Group Policy settings directly.

     Security Baselines
     Microsoft also provides a set of downloadable security baselines, published both as spreadsheets and as GPO backups, for Windows releases Windows 10 version 1507, 1511 and 1607, and Windows Server 2012 R2 and 2016. These baselines can be downloaded and used with Policy Analyzer and LGPO, and represent Microsoft’s guidance regarding recommended values for security-relevant Group Policy settings.

     Using the Toolkit and Baselines
     Download the toolkit (PolicyAnalyzer.zip and LGPO.zip) along with the baselines for the relevant Windows versions (see download instructions below). You can then use the tools to:
     • Load an existing Group Policy Backup into Policy Analyzer, along with one or more downloaded baselines, for comparison;
     • Make edits to the existing Group Policy Backup within Policy Analyzer, and save the revised version;
     • Use LGPO to load the revised Backup into a host for testing; and
     • Restore the revised backup as the new Group Policy for deployment.

     Frequently Asked Questions (FAQs) for SCM Users

     What is the relationship between the Security Configuration Toolkit and Microsoft Security Compliance Manager (SCM)?
     The Security Configuration Toolkit is replacing Microsoft Security Compliance Manager (SCM), which will no longer be supported.

     Does the new toolkit support SCM-format XML files?
     No, the toolkit only supports the formats created by the Windows GPO backup feature: .pol, .inf and .csv. It also creates files in its own internal .PolicyRules format.

     Will baselines for future versions of Windows be published as SCM-format XML files?
     No, starting with Windows 10 version 1703, baselines will only be published in the form of GPO backups, as well as in spreadsheet form. The SCM XML format will no longer be supported.

     Does the new toolkit support creation of System Center Configuration Manager (SCCM) DCM packs?
     No. A potential alternative is Desired State Configuration (DSC), a feature of the Windows Management Framework. A tool that supports conversion of GPO backups to DSC format can be found here.

     Does the new toolkit support creation of Security Content Automation Protocol (SCAP)-format policies?
     No. SCM only supported SCAP 1.0, and was not updated as SCAP evolved. The new toolkit likewise does not include SCAP support.

     Download Page
  6. Mine is extremely light, but undoubtedly powerful. Here is my setup:
     Defensewall
     ShadowDefender
     Keyscrambler
     Sandboxie (custom rules)
     (A2, SAS, MBAM used rarely, on demand)
  7. While Rendition Infosec commends Eugene Kaspersky’s move of transparency for a code audit, this won’t really ensure security. Eugene Kaspersky has also offered to testify in front of Congress, but it seems doubtful that his testimony would sway many people on this.

     What about a code audit?
     And a code audit is not really the issue here. For one thing, a source code audit occurs at a point in time. What we see today may not be the code used to build the product tomorrow. No matter what we see in the source, Kaspersky will have to add code over time to update features. That’s how software engineering works. Suppose they then offer to send updated source code for audit. That’s great, but who is really auditing it? This becomes a full-time job. Also, backdoors in code are particularly difficult to detect and can be extremely carefully obfuscated to make them resistant to static code analysis.

     There are other problems with a code audit as well, and we shouldn’t equate a code audit with true security. The compiled code may contain backdoors not in the originally compiled source. These are non-trivial to detect and require a whole different set of specialized skills to find (the person performing the analysis must understand programming AND reverse engineering). Reverse engineering is an order of magnitude harder than code auditing, but if doubts exist about a foreign government influencing the software, this is practically required.

     A final problem is that an antivirus program like Kaspersky is effectively a kernel mode rootkit with remote update functionality. The remote update functionality is important. With remote update functionality, even if someone audits the code the best possible outcome would be “no backdoors were found, but Kaspersky could install malware on or completely disable any machine it is running on at will.” Any software that implements auto-update functionality could conceivably install a malicious update (as we saw with MeDoc being used to deploy the NotPetya cyberattack against Ukraine). Reverse engineering would now need to be performed not once, but on a regular basis to identify the inclusion of new backdoors built into updates.

     The difference between software like MeDoc and Kaspersky having auto-update functionality is that antivirus software is supposed to detect threats. Users are advised against running multiple antivirus software packages on their machines due to performance issues and potential conflicts between the AV vendors that may cause system instability. If another program’s auto-updates include malware, antivirus should catch it (eventually). In this case, the fear is that the antivirus is deploying the malware and therefore will ignore it. The very thing that is the last line of defense becomes the exploitation vector.

     Does this mean we shouldn’t use Kaspersky? Rendition is definitely not saying that. Read this post for nothing more than it is, an explanation of why a code audit and congressional testimony aren’t enough to allay fears. Eugene Kaspersky understands the futility of his offers better than most. It is likely that his offer is a publicity stunt more than anything else. That said, it remains an open question whether Kaspersky software is truly a threat to DoD. Russia is internalizing some of its software, in part due to security concerns. Maybe DoD should do the same.

     In any case, the “proof” offered by the Senate for this action is far from conclusive. It is hardly convincing to say “Eugene Kaspersky was trained by Russian intelligence, therefore his software is open to influence from the Russian government.” Any number of US companies could be blackballed from participating in the global software market using the same standard the Senate is currently basing this on. While there is no standard for the level of proof required in a case like this, it is probably safe to say that what has been offered so far falls short.

     The intent of this post is not to say Kaspersky software is bad; Rendition has no formal opinion on that one way or the other. It is simply to offer education to Rendition’s clients and the public about why a software source code audit isn’t a feasible way to allay the fears stated by the Senate. Rendition encourages a thorough discussion on the topic with appropriate levels of disclosure to back claims that Kaspersky software poses a bona fide threat to DoD networks.

     Source
  8. Epic is a privacy-centric web browser developed by Hidden Reflex and based on Chromium source code. It is dubbed the first web browser from India.

     Features & More Info:
     Homepage: https://www.epicbrowser.com/
     Download Page: https://epicbrowser.com/thank_you.php

     Download:
     Win-EXE (1.7 MB): https://winepic-cbe.kxcdn.com/Release/58.0.3029.110/EpicSetup.exe
     OS X-dmg (92.2 MB): https://macepic-cbe.kxcdn.com/2462/sign/Epic.dmg
     OS X-dmg (103 MB): https://macepic-cbe.kxcdn.com/Epic_53.0.2785.143.dmg
     Win-ZIP (1.5 MB): https://winepic-cbe.kxcdn.com/Release/58.0.3029.110/EpicSetup.zip
     OS X-ZIP (87.5 MB): https://macepic-cbe.kxcdn.com/Epic.zip
  9. NOD32 Antivirus & ESET Smart Security v8.0.319.0 English Silent
     Note: Credits to Cerberus (Scripting Help)

     ESET NOD32 Antivirus:
     32Bit (Size: 70.6 MB)
     Site: http://www.mirrorcreator.com
     Sharecode[?]: /files/1RCBMOLD/ESET_NOD32_Antivirus_v8.0.319.0_32Bit.zip_links
     64Bit (Size: 79.9 MB)
     Site: http://www.mirrorcreator.com
     Sharecode[?]: /files/07MFNOKR/ESET_NOD32_Antivirus_v8.0.319.0_64Bit.zip_links

     ESET Smart Security:
     32Bit (Size: 77.7 MB)
     Site: http://www.mirrorcreator.com
     Sharecode[?]: /files/OLZAEFQI/ESET_Smart_Security_v8.0.319.0_32Bit.zip_links
     64Bit (Size: 88 MB)
     Site: http://www.mirrorcreator.com
     Sharecode[?]: /files/17IRIU9W/ESET_Smart_Security_v8.0.319.0_64Bit.zip_links

     ESET NOD32 Antivirus & ESET Internet Security & ESET Smart Security v10.1.210.0 English Repack
     Note: A Video To See How Repack Works
     Credit to @alfreire for Inno Setup help

     ESET NOD32 Antivirus:
     32Bit (Size: 96.2 MB)
     Site: http://www.mirrorcreator.com
     Sharecode[?]: /files/1RIKZKFB/ESET_NOD32_Antivirus_v10.1.210.0_32Bit_Repack.zip_links
     64Bit (Size: 99.2 MB)
     Site: http://www.mirrorcreator.com
     Sharecode[?]: /files/PCNKM6RX/ESET_NOD32_Antivirus_v10.1.210.0_64Bit_Repack.zip_links

     ESET Internet Security:
     32Bit (Size: 103 MB)
     Site: http://www.mirrorcreator.com
     Sharecode[?]: /files/WMQQXZO7/ESET_Internet_Security_v10.1.210.0_32Bit_Repack.zip_links
     64Bit (Size: 107 MB)
     Site: http://www.mirrorcreator.com
     Sharecode[?]: /files/0YHTQABB/ESET_Internet_Security_v10.1.210.0_64Bit_Repack.zip_links

     ESET Smart Security:
     32Bit (Size: 104 MB)
     Site: http://www.mirrorcreator.com
     Sharecode[?]: /files/0XJALO6E/ESET_Smart_Security_v10.1.210.0_32Bit_Repack.zip_links
     64Bit (Size: 108 MB)
     Site: http://www.mirrorcreator.com
     Sharecode[?]: /files/0HSYKKCH/ESET_Smart_Security_v10.1.210.0_64Bit_Repack.zip_links

     Additional info for v10:
  10. The 2017 Online Trust Audit & Honor Roll report shows that 65% of major US banks failed web security and privacy tests. The research is produced by the Online Trust Alliance, and recognises excellence in security and privacy practices. According to the report, it is alarming that over 60% of the largest banks and Federal Government sites received failing grades in one or more category.

     “The security oversights and inadequate privacy policies observed reflect the need to add resources in these areas.”

     “These missteps often reflect a lack of ongoing security discipline, failure to take a user-centric view on privacy, and not embracing data stewardship and responsible privacy principles.”

     The Honor Roll
     Sites had to receive a composite score of 80% or better and a score of at least 60 in each of the three main categories to make the Honor Roll:
     • Consumer Protection (DNS, Domain and Brand Protection).
     • Site, Server, Application and Infrastructure Security.
     • Privacy, Transparency and Disclosures.

     The percentage of banks which made the Honor Roll dropped by more than half to 27% over the past year.

     Article source
  11. Steganos Online Shield VPN - 1 Year [365 Days] 2GB / 5GB / Unlimited* Per Month

     Promo by PC Pro Pals; this is not a new product from Steganos. It is the same old Online Shield 365. Now, it is just re-launched as Online Shield VPN.

     Actual Cost of OnlineShield VPN - 1 Year - $49.95. With Discount - $24.97 or $14.97. Now, you can get this for FREE - No Ads.

     NOTE: Limited Bandwidth - 2GB / 5GB / Unlimited* Per Month; 3 Devices; No Support; Personal Use Only.
     *Update: Some users are able to get Unlimited Bandwidth on at least 1 key while using different browsers for 2 or multiple requests with different emails.

     Encryption Comparison between Steganos VPN Products:
     OkayFreedom VPN - 128-bit Blowfish
     OnlineShield VPN - 256-bit AES
     More Info from TorrentFreak: https://torrentfreak.com/anonymous-vpn-providers-2016-edition2#steganos

     Links:
     Offer: https://www.steganos.com/specials/?m=pcpro0317&p=sos or https://www.steganos.com/specials/pcpro0317/sos

     Steps:
     Just click on any of the above links and enter your email. If you don't want to receive newsletters from the Steganos Team, uncheck the option. Now, click on "Seriennummer anfordern". Check your mail and store the key.

     Tip:
     Note: Limited Period Offer. Current Status: Open.

     Downloads:
     Online Installer - Size: 2.6MB: https://file.steganos.com/software/downloader/steganos/sosintdle.exe
     Full Installer [Latest version]:
     https://file.steganos.com/software/sosint.exe - Size: 37.2MB (or)
     https://file.steganos.com/update/sosint.exe - Size: 37.2MB (or)
     https://file.steganos.com/software/wrappers/pcpro0317/sosintwr.exe - Size: 37.4MB (or)
     https://file.steganos.com/software/wrappers/auslogics0117/sosintwr.exe - Size: 37.4MB (or)
     https://file.steganos.com/software/wrappers/pcformatpl0217/sosintwr.exe - Size: 35.4MB - Link not working. Use any of the above/below links (or)
     https://file.steganos.com/software/wrappers/downloadmixcom1216/sosintwr.exe - Size: 37.4MB (or)
     https://file.steganos.com/software/wrappers/pcgo0117/sosintwr.exe - Size: 35.4MB (or)
     https://file.steganos.com/software/wrappers/chip1116/sosintwr.exe - Size: 35.4MB (or)
     https://file.steganos.com/software/wrappers/chip/sosintwr.exe - Size: 35.4MB (or)
     https://file.steganos.com/software/wrappers/steganos/sosintwr.exe - Size: 35.4MB - Link not working. Use any of the above links

     Other Downloads: Android App, iOS App
     Support/FAQ: https://www.steganos.com/service
  12. NordVPN, a popular virtual private network provider, has launched CyberSec, a new security feature as part of the NordVPN 6.4.5.0 client update. CyberSec is a new security component of the official NordVPN client designed to block malware, intrusive advertisement, and other threats.

     Customers of NordVPN who upgrade the client to the latest version will receive a popup when they run the client after update installation that informs them about the new CyberSec feature.

     Introducing CyberSec! From now on, NordVPN gives comprehensive protection from intrusive ads, malware, phishing attempts, DDoS attacks and other threats.

     NordVPN CyberSec
     CyberSec can best be described as a mechanism to control traffic. It resembles a content blocker but with the difference that it runs on the system level, and not as a browser extension. It is not the first feature of its kind; Private Internet Access' client, for instance, has shipped with a similar feature called MACE for some time now.

     So what does it do?
     • Blocks advertisement -- This part of CyberSec blocks known advertisement sources from being loaded.
     • Defends against malware -- It blocks known malware domains by using a blacklist approach.
     • Blocks botnet abuse -- Promises to prevent devices from being used for DDoS attacks, even if they are already infected.

     NordVPN users can toggle the status of the feature in the client interface under Settings > General. It is listed as the first option on the general settings page and highlighted with a new tag right now on top of that. All you need to do to enable or disable it is to click on the slider next to it. The feature works automatically when you enable it, and all applications that you run on your system benefit from its functionality.

     Closing Words
     CyberSec looks on first glance like a great feature; it blocks advertisement and malicious content automatically on a system-wide level, after all. The feature suffers from the same usability issue, however, that Private Internet Access' MACE feature suffers from: lack of control. While you can enable and disable the feature, you have no say in what gets blocked and what does not get blocked. If there is a false positive, there is nothing you can do about it other than turn off CyberSec to access the resource. There is no whitelisting for sites that you value and trust, so that advertisement is displayed, and no option to check the blocklists to verify what gets blocked and what does not get blocked. Additionally, there is also no option to put resources on the blocklist to block them permanently when you are connected to NordVPN.

     So, should you enable CyberSec then if you are a NordVPN customer? It depends. The hands-free approach has its advantages, as anyone may use it without knowing anything about blocking content on the Internet. The downside is the lack of control, especially no option to verify what gets blocked, or add or remove resources from the blocklists. A better approach would be, in my opinion, to separate the protective options, e.g. let users decide if they want to block malware, ads or DDoS abuse separately, and provide control and whitelisting / blacklisting functionality on top of that.

     Article source
     Introducing CyberSec: New Security Upgrade From NordVPN
  13. The Internet used to be a safe place when it was first launched. Fast forward 30 years to the present day, and the situation has dramatically changed. To put it plain and simple: malware is everywhere. Antivirus and antimalware solutions are now compulsory in order to avoid getting your computer infected with malicious code. Unfortunately, the number of malware attacks has intensified lately, affecting users worldwide. The WannaCry, Petya and GoldenEye ransomware are only three of the most infamous ransomware attacks that made hundreds of thousands of victims in recent months.

     If you want to keep up to date with the latest malware attacks, you can use dedicated malware tracker maps. These tools rely on massive threat intelligence networks to depict malware attacks in real time, including information about the malware type, origin of the attack and its victims.

     Cyber threat real time maps

     Norse Corp malware map
     Norse Corp is the world’s largest threat intelligence network, relying on over eight million sensors to collect data. Its malware tracker map helps you stay informed, offering you real-time visibility into global cyber attacks. The Norse online malware map allows you to filter the results by geolocalisation and protocols. You can track malware attacks from a specific region of the globe, or watch attacks unfolding all over the planet. You’d never guess the scale of active malware attacks until you’ve analyzed a real-time malware tracking map. There are literally tens of thousands of attacks taking place every second. You can check out the live Norse Corp malware tracking map here.

     Kaspersky cyberthreat real-time map
     Kaspersky Lab, one of the world’s leading antivirus providers, also offers users a real-time malware map. Kaspersky’s map features an interactive Earth globe that allows you to select a specific country and see detailed information about the number of ongoing malware attacks. The tool also offers statistics about the frequency of attacks for that country. If you’re looking for a more general perspective on the ongoing malware attacks, you can click outside the globe to watch all the attacks unfold. Kaspersky’s malware map also features a buzz section, where you can find out more information about the most severe malware attacks that took place recently. You can also add the map to your website via the dedicated widget. You can check out Kaspersky’s cyberthreat real-time map here.

     FireEye Cyber Threat Map
     FireEye’s cyber threat map offers users a general view on the most severe malware attacks taking place at a given moment. The company also provides visitors with statistics about the top target countries over the last 30 days, the top 5 reported industries, as well as the number of attacks reported on a given day. You can check out FireEye’s real-time cyber threat map here.

     CheckPoint’s live cyber attack map
     CheckPoint’s real-time cyber threat map lists the malware attacks detected at a given moment, including information about the attack type, the attacking country and the target country. In the upper left-hand pane, you can see statistics about the number of attacks reported on the current day and the day before, top target countries and top attacking countries. You can check out CheckPoint’s cyber threat map here.

     Fortinet cyber attack map
     Fortinet’s malware attack map is an interactive tool that offers you both general and country-specific information. The map shows animated ongoing attacks, as well as information about the type and severity of the attacks. To view specific statistics about the incoming and outgoing attacks for a particular country, simply select that country on the map and click on the details bar. You can check out Fortinet’s cyber threat map here.

     The malware attack maps listed above offer you real-time information about ongoing cyber attacks. However, they do not protect you from malware.

     Article source
  14. Eighty-three organisations and experts from the Five Eyes countries have called on ministers responsible for security to respect the right to use and develop strong encryption. In a statement, the group called on the ministers to "commit to pursuing any additional dialogue in a transparent forum with meaningful public participation". The statement came in the wake of a meeting of ministers from the five countries — the US, the UK, Canada, Australia and New Zealand — in Ottawa this week to discuss recent terrorist incidents and discuss means to "thwart" the use of encryption by terrorists. The group said that the ministers had, in a joint communique, "committed to exploring shared solutions to the perceived impediment posed by encryption to investigative objectives". "While the challenges of modern-day security are real, such proposals threaten the integrity and security of general purpose communications tools relied upon by international commerce, the free press, governments, human rights advocates, and individuals around the world," the statement said. "Last year, many of us joined several hundred leading civil society organisations, companies, and prominent individuals calling on world leaders to protect the development of strong cryptography. "This protection demands an unequivocal rejection of laws, policies, or other mandates or practices — including secret agreements with companies — that limit access to or undermine encryption and other secure communications tools and technologies. "Today, we reiterate that call with renewed urgency. We ask you to protect the security of your citizens, your economies, and your governments by supporting the development and use of secure communications tools and technologies, by rejecting policies that would prevent or undermine the use of strong encryption, and by urging other world leaders to do the same." 
The group said that attempts to create backdoors in encrypted applications or software were short-sighted and counter-productive. They said that if there were restrictions to access of encryption products in Five Eyes countries, anybody who wanted such tools would obtain them in other countries or on the black market. "We urge you, as leaders in the global community, to remember that encryption is a critical tool of general use. It is neither the cause nor the enabler of crime or terrorism. As a technology, encryption does far more good than harm," the statement said. "We therefore ask you to prioritise the safety and security of individuals by working to strengthen the integrity of communications and systems. As an initial step we ask that you continue any engagement on this topic in a multi-stakeholder forum that promotes public participation and affirms the protection of human rights." Electronic Frontiers Australia executive officer Jon Lawrence said encryption was a necessary and critical tool enabling individual privacy, a free media, online commerce and the operations of organisations, including government agencies. "Undermining encryption therefore represents a serious threat to national security in its own right, as well as threatening basic human rights and the enormous economic and social benefits that the digital revolution has brought for people across the globe," he added. Article source
  15. A majority of the top 1 million websites earn an “F” letter grade when it comes to adopting defensive security technologies that protect visitors from XSS vulnerabilities, man-in-the-middle attacks, and cookie hijacking. The failing grades come from a comprehensive analysis published this week by the Mozilla Foundation using its Mozilla Observatory tool. According to a scan of Alexa ranked top 1 million websites, a paltry 0.013 percent of sites received an “A+” grade compared to 93.45 percent earning an “F”. The Observatory tool, launched last year, tests websites and grades their defensive posture based on 13 security-related features ranging from the use of encryption (HTTPS), exposure to XSS attacks based on the use of X-XSS-Protection (XXSSP) and use of Public Key Pinning which prevents a site’s use of fraudulent certificates. The silver lining to the bad grades is that in the year since the Observatory tool began grading sites, security has improved. Compared to scans conducted between April 2016 and June 2017, the percentage of sites earning a “B” has jumped 142 percent and those earning a “C” have increased 90 percent. “It’s very hard if you’re just someone running a website to make it secure,” said April King, staff security engineer at Mozilla and developer of the Observatory tool. “There are so many different security standards. The documentation for those standards is scattered all over the place. There are not a lot of single resources that are telling you straight-up what you need to do.” King said she is encouraged at the pace of improvement when it comes to specific defensive tools. For example, the percentage of sites that support HTTPS has grown 36 percent in the past year. “The number might seem small, but it represents over 119,000 top websites,” she told Threatpost. 
Other security wins include a 125 percent increase in the number of sites that have adopted Content Security Policy (CSP), a browser feature that fends off Cross Site Scripting (XSS) and data injection attacks. Another win has been a 117 percent increase in adoption of Subresource Integrity (SRI), a verification feature that ensures when a browser fetches resources from third parties, such as a content delivery network, the content is not manipulated in transit. However, despite triple-digit growth in both CSP and SRI adoption, still less than one percent of sites have adopted these security features. King concedes that achieving a secure website configuration, using all the available technologies developed in recent years by browser makers, is not easy. “I’m extremely optimistic. With tools that are free and easy to use, like Observatory, we can begin to see a common framework for building websites. This type of tool is pushing awareness back into the tool chain and making it very easy for people to implement,” King said. King likens Observatory to Qualys SSL Labs’ SSL Server Test, a free tool that analyses the configuration of SSL web servers. Observatory goes way beyond checking a website’s TLS implementation and checks for 13 different web security mechanisms. The scoring system is based on a 0 to 100 point scheme. Scores don’t just check for the presence of any given technology, but the correct implementation as well. Observatory is a tough grader, King said, because it’s designed to be a teaching tool to help administrators across the industry “become aware of the myriad technologies that standard bodies and browser companies have designed and implemented to improve the safety of the internet’s citizens.” “The fact that so many new sites have started using these technologies recently is a strong sign that we are beginning to succeed in that mission,” she said. Article source
  16. Just for show: 11 theatrical security measures that don't make your systems safer

Theater of the absurd
The term "security theater" was coined to describe the array of security measures at U.S. airports -- taking off shoes, patting down children and the elderly -- that project an image of toughness without making commercial aviation any safer. But the man who came up with the phrase is famous cybersecurity expert Bruce Schneier, and it could just as easily apply to a number of common tech security measures. We talked to an array of tech experts to discover what security technologies are often just for show.

Splash screens
Orlando Scott-Cowley, cybersecurity strategist at email security company Mimecast, is irritated by the many ordinary (and perfectly secure) online transactions that are given theatrical window dressing in the form of boastful splash screens. "There are quite a few websites that, post-login, display some sort of message similar to 'Securely getting your account details' or 'Setting up a secure connection,'" he says. "It’s such a shame and complete theater when it comes to security." (Sometimes these messages are displayed in Flash, and having a Flash-blocker installed can demonstrate just how pointless they are.)

Antivirus software
Most PC users probably consider antivirus protection to be a baseline part of a secure PC. But Ajit Sancheti, co-founder and CEO of Preempt, a still-in-stealth IT security company, thinks antivirus software is mostly theater. "It does very little to stop malware and ransomware, but does a lot to inconvenience users, especially from a performance standpoint," he says. "Along with hardware performance degradation through OS updates, antivirus is quite likely the key reason for employee PC refresh cycles." Barry Shteiman, director of Labs at Exabeam, agrees. "Every company makes anti-malware/virus detection a top spend in its security budget," he says. 
"It's standard to have antivirus installed on every endpoint computer with a flashy icon in the task bar that essentially tells you, 'You are secure from malware!' Unfortunately, that is simply not true. Every piece of malware today, especially industrialized-crime driven ones, is building anti-antivirus tools as part of the payload, bypassing endpoint protection as if it wasn’t even there."

Perimeter security
Garry McCracken, vice president of technology at WinMagic, thinks that firewalls and perimeter security measures have a certain theatrical quality -- they're "something that everyone does, but it doesn’t make enterprises secure anymore," he says. "The gates have been stormed, and firewalls can no longer keep the bad guys out. Most big enterprises are in a constant state of breach, so new strategies and technologies are needed. Assume that your network is, or will be breached, detect it, minimize the impact and recover quickly." Instead of investing more money and resources in ever more elaborate perimeter defense, he advises that you work to "keep the 'blast radius' as small as possible (i.e., contain the damage any one breach can make) or back up every 10 minutes so the restore point can be very recent."

Alert fatigue
Nathan Burke, vice president of marketing at security incident response specialist Hexadite, knows that too much data about potential threats can be overwhelming. "Installing multiple security products that produce an insane volume of alerts and then not doing anything with those alerts is IT security theater," he says. "There are far too many alerts for people to handle manually without automation. So security teams are hearing the alarms go off constantly, but they're only able to investigate 5% or less of the incidents that trigger them." Philip Lieberman, president of Lieberman Software, agrees. "Most companies ignore the alerts because there is such a high false alarm rate," he says. 
"And nobody activates immediate countermeasures because they're scared of the consequences of user wrath."

Ignoring what your gear tells you
Cedric Caldwell, solutions architect at IT consultancy Adapture, notes that many companies want to "say that they have met the security requirements to secure their environment and their network, where they have IPS, firewall, etc. But what do you do with that data once you have these devices on your network? Are you looking at data? Someone might implement a firewall and not pay attention to the hits on that firewall." "Big corporations are usually good about combing through data," he adds, "but I tend to see this on a smaller scale, at companies that don’t really have the manpower to do that. They check the box and buy the equipment, but they’re not actually taking the next step to say, 'OK, what is this thing really capturing?'"

Password shenanigans
For Dimitri Sirota, CEO and co-founder of enterprise privacy management platform BigID, the most visible security theater is the security measure you encounter most often: passwords. "Passwords act as a front door lock to a house; get past the lock and you have free rein inside without other protections," he says. "For most people they are a weak link since users prefer easy to remember over hard to decipher." He feels a password that isn't just the first layer of a defense in depth is just theater. Nigel Stanley, practice director in cyber security at OpenSky, the IT consultancy arm of TÜV Rheinland, is particularly miffed at passwords that ostentatiously demand to be changed once a month. "Why 30 days?" he asks. "What happens at day 31 to create a security risk?"

Security training by the numbers
Stu Sjouwerman, founder and CEO at KnowBe4, thinks that security theater happens at the training level too. 
The example he gives is a company that “sends simulated phishing attacks, but only once every 90 days, and not preceded by interactive, engaging, web-based training that really explains the risks on the Internet. Result? Employees feeling hassled and no measurable decrease in phish-prone percentage."

Tough talk
OpenSky's Stanley sneers at the tendency of some security companies to sell their products with military-sounding adjectives, which may sound tough but don't actually represent more secure systems. "I include terms such as 'military-grade encryption,' 'flash to bang,' 'kill chain,' and 'detonate,'" he says. "WTF? Not descriptive, not helpful."

Stonewalling
J. Colin Petersen, president and CEO at J Digital Identity, thinks that when IT staff reject any and all user requests in the name of security, that's a kind of performance. "For instance," he says, "an end user might request access to a certain resource, and instead of figuring out a secure way to grant the user access, the IT professional will just stonewall and say something like 'Sorry, that compromises security and I can't allow that.'"

Information sharing
Shlomo Touboul, CEO at illusive networks, says that the tendency to share data about breaches you've experienced can amount to a performance as well. "When a new massive attack on a specific sector is discovered, other companies within that sector are immediately alerted. But this doesn't make them safer," he says. "Every enterprise has different attack vectors embedded in its network and nearly all are invisible to them but discovered and utilized by attackers. While sharing information about specific attacks might help patch some systems, they do nothing to expose hidden attack vectors, leaving enterprises feeling secure when they're not."

Post-breach PR
It's not just technical folks who get on stage in the wake of a breach, says Mimecast's Scott-Cowley. 
"The most heinous of crimes is the glib post-breach statement that 'we take security (of data/of our customers/of our service) seriously,'" he says. "This is trotted out by CEOs and PR departments in the press release they issue once someone has managed to breach their obviously very unserious security. Often they’ll use the phrase 'sophisticated and coordinated attack' as well, which to me is also complete nonsense. Those two phrases go hand in hand to cover up the fact that weak security was breached and hackers gained access to resources of data in the face of little or no resistance."

Sometimes the play's the thing
We'd be remiss, though, if we didn't offer a contrarian view from BigID's Sirota. "Security theater isn’t all bad," he says. "It does act as a deterrent. Police forces in cities aren’t arresting people 24/7. However, their presence acts as a deterrent. You see the same effect with military forces. We’re not always fighting someone but running drills reminds enemies of capability." Sometimes, in other words, a weak password or firewall is still better than nothing at all. Source
  17. protonvpn

    Proton VPN 1.0.3

    Overview:
    ProtonVPN is designed from the ground up with a special emphasis on security and privacy, and features a number of innovations that we have made to harden VPN against compromises. ProtonVPN will eventually feature free and premium versions containing different features. For the beta period, you will be able to test the full-fledged premium version of ProtonVPN for free.

    Layers of Protection:
    Limitation / blocking access to the data / application
    Isolation and create a separate database / application
    Backup / important data
    Detecting and deleting viruses / malware.

    Proton Mail earlier announced beta VPN service for PLUS proton mail users. At this moment, Proton VPN offers 14 countries: Australia, Canada, France, Germany, Hong Kong, Iceland, Japan, Netherlands, Singapore (New), Spain, Sweden, Switzerland, United Kingdom, United States

    Standard Servers: All of our servers are dedicated to ProtonVPN and feature high bandwidth connections
    Secure Core Servers: Secure Core Servers add an additional layer of protection against VPN endpoint compromise.

    More Info:
    Official Product Homepage / Detailed Features: https://protonvpn.com/home
    Official Website: https://protonvpn.com/
    Register/Signup: https://account.protonvpn.com/signup
    Login: https://account.protonvpn.com/login/
    Pricing: https://protonvpn.com/pricing
    VPN Servers: https://protonvpn.com/vpn-servers
    Security: https://protonvpn.com/secure-vpn
    VPN Threat Model: https://protonvpn.com/blog/threat-model/
    Transparency Report: https://protonvpn.com/blog/transparency-report/
    About Us: https://protonvpn.com/about
    Blog: https://protonvpn.com/blog/

    We are open for registration. You can follow ProtonVPN on social media to get the latest news and updates:
    Facebook: https://facebook.com/ProtonVPN
    Twitter: https://twitter.com/ProtonVPN
    Reddit: https://www.reddit.com/r/ProtonVPN/

    We would love to hear your feedback on the beta and what we can do to improve ProtonVPN. 
    In addition to the links above, you can also send your suggestions to [email protected]
    If you run into trouble with ProtonVPN, or have questions, you can search for answers or contact us via the ProtonVPN support site: https://protonvpn.com/support/

    Downloads:
    Download: https://protonvpn.com/download/
    Windows Client: https://protonvpn.com/download/ProtonVPN_win_v1.0.3.exe

    Clients for macOS, Linux, Android, and iOS are still under development, but it is still possible to use ProtonVPN with these operating systems using third-party OpenVPN clients. Setup guides can be found here:
    MacOS: https://protonvpn.com/support/mac-vpn-setup/
    Linux: https://protonvpn.com/support/linux-vpn-setup/
    Android: https://protonvpn.com/support/android-vpn-setup/
    iOS: https://protonvpn.com/support/ios-vpn-setup/
    VPN Servers and Country Code for Linux, Mac, Android and iOS: https://protonvpn.com/support/vpn-servers/

    More Info - Articles & Reviews:
    Three years ago we launched ProtonMail. Today, we’re launching ProtonVPN.
    Encrypted email provider ProtonMail launches free VPN service to counter increasing online censorship
    ProtonVPN Swiss-Based VPN Launches
  18. ProtonVPN Swiss-Based VPN Launches ProtonVPN, a VPN service by the makers of the privacy focused ProtonMail email service, is out of beta testing and now available to the public. The creators of the Swiss-based VPN service promise the same level of trust, transparency, and communication that has been fundamental to the success of ProtonMail. ProtonVPN ships with four subscription plans, of which the first is entirely free. It is limited in regards to speed, devices that you may run it on simultaneously, and the number of countries you can connect to. It is not limited in terms of bandwidth however. The first paid plan, ProtonVPN Basic, is available for 4€ per month. It lets you connect to all servers, supports connections on two devices at the same time, and offers high speed. ProtonVPN has three speed tiers right now. Low for free accounts, high for basic accounts, and highest for the Plus and Visionary subscription. The two remaining plans, ProtonVPN Plus and Visionary, for €8 and €24 offer the highest speed, five or ten devices that you may connect from simultaneously, as well as extra features such as Plus servers reserved to these plans, Secure Core which adds extra protection against VPN compromise by routing through the Secure Core Network of ProtonVPN, and Tor Server support to send all traffic through Tor with a single click. The Visionary plan on top of that includes a ProtonMail email account on top of all that. Free users get an option to join a 7 day free trial of ProtonVPN Plus. Secure Core is an interesting option, as it routes traffic through multiple servers before it leaves the ProtonVPN network. This means that anyone monitoring the exit server won't be able to detect the IP address of ProtonVPN users, nor match browser activity to that IP address. Secure servers are located in Switzerland, Iceland and Sweden only. ProtonVPN encrypts all traffic with AES-256, uses 2048-bit RSA key exchange, and HMAC with SHA256 for message authentication. 
Other security related features that are supported include Forward Secrecy, use of OpenVPN and IKEv2 protocols only, a strict no logging policy, DNS leak prevention, and Kill switch support. ProtonVPN supports P2P traffic on top of that. ProtonVPN comes with clients for Android and iOS, Windows, Linux and Mac. Users of the service may also configure OpenVPN by downloading OpenVPN configuration files.

ProtonVPN Windows client
The ProtonVPN Windows client installs without issues. You need to supply your account credentials to start using it. It displays the current connection status, and the available locations you can connect to. Once you have established a connection with a click on a country, or one of the available servers, you see additional information in the interface. This includes the connected server, IP address, upload and download speed, server load, a world map with information on the server location, and session information. As far as options are concerned: you can enable the VPN Kill Switch in the options, change the default protocol from UDP to TCP, and configure auto connect options. Another interesting feature of the ProtonVPN client for Windows is support for profiles. You can create profiles, and use these profiles to connect to specific servers quickly. This includes connecting to the fastest available server of a country.

Verdict
ProtonVPN is one of the best, if not the best free VPN options right now, hands down. Since you are not limited in terms of bandwidth, you can use the free account all day and night long. That's good enough for all web browsing and low speed activities that you can run on your system. You should not expect to get enough bandwidth out of the free plan to stream in 4K or download very large files quickly, but that is to be expected of a free service. It remains to be seen how well the network will handle the onrush of new users who will certainly flock to the service now that it is out of beta and available to the public. 
ProtonVPN Plus and Visionary seem pricey, especially when compared to services that charge less for a lifetime subscription than ProtonVPN does for six months. Still, the extra privacy and security options are one of the best options that you have when it comes to maximum privacy on the Internet. Now You: Have you tried ProtonVPN? What's your take on the service? Source
  19. Three years ago we launched ProtonMail. Today, we’re launching ProtonVPN. We’re happy to announce that as of 12:00PM Geneva time today, ProtonVPN is now available to the general public. ProtonVPN is officially out of beta and we are allowing open signups for the first time. You can now directly get ProtonVPN by visiting https://protonvpn.com After more than 1 year of development, and four months of beta testing by over 10’000 members of the ProtonMail community, we’re finally making ProtonVPN available to everyone. And we really mean everyone, because consistent with our mission to make privacy and security accessible to every single person in the world, we’re also releasing ProtonVPN as a free VPN service. It has been a long and exciting journey to get here since our team first met at CERN in 2013. Back then, we had an ambitious vision to build an Internet that was free and could continue to reach its full potential as a tool for social progress. Indeed, that was the vision that inspired Tim Berners-Lee to create the World Wide Web at CERN in 1989. Since then, the Internet has met or even exceeded its promise in certain areas, but this has not come without a cost to society. While the Internet has done a great deal of good, over the course of this digital revolution, we have also lost control over our data, our most intimate secrets, and ultimately our privacy. In certain countries, the Internet has even become a tool for oppression and control, instead of the beacon of hope and freedom it once was. Back in 2013, we embarked on a journey to change this, by building the tools that could make privacy and security the default online. In 2014, on the 25th anniversary of the web, our efforts culminated with the release of ProtonMail, the world’s first end-to-end encrypted email service. 
Since then millions of people around the world have embraced our vision, and thanks to your support (and the numerous donations along the way), email is much safer today than it was several years ago. However, when considering the scope of all that we do online, email is just a small piece of the online world. That’s why we have decided to build ProtonVPN, to better protect the activists, journalists, and individuals who are currently using ProtonMail to secure their online lives. A VPN (Virtual Private Network) allows users to browse the web without being tracked, bypass online censorship blocks, and also increases security by passing all internet traffic through a strongly encrypted tunnel. The importance of VPNs for online security and privacy is increasing day by day. Back in April of this year, Obama-era FTC rules designed to protect the privacy of internet browsing history were rolled back. Fast forward to today, and attempts are being made to dismantle net neutrality in the US, and several European governments are now calling for increased online surveillance. Last but not least, for over 1.5 billion people around the world, the Internet does not live up to its promise of freedom of information. Instead, the Internet is a highly restricted and censored place, constantly under surveillance, where making a wrong move could lead to imprisonment or worse. We are also aware that as ProtonMail becomes a stronger force for digital freedom, the censorship of ProtonMail in certain countries is not a matter of if, but a matter of when. Earlier this year, we took the first steps to improve ProtonMail’s availability under censorship by launching an Onion site. With ProtonVPN, we can ensure the accessibility of not only ProtonMail, but all of the world’s digital knowledge and information. This is why we are committed to providing a free version of ProtonVPN. However, we have done more than make ProtonVPN free. 
We have also worked to make it the best VPN service ever created, by addressing many of the common pitfalls with VPNs. For example, ProtonVPN features a Secure Core architecture which routes traffic through multiple encrypted tunnels in multiple countries to better defend against network based attacks, and also features seamless integration with the Tor anonymity network. You can learn about all the steps we took to build a secure VPN here. Lastly, we’re building a VPN service that can be worthy of your trust. We understand that when it comes to VPNs, trust is paramount. Whether it is our transparent VPN threat model, our Swiss jurisdiction, our reputation, our relationship with the community, or the fact that you actually know who we are, we’re committed to building and operating ProtonVPN with the same level of transparency that has come to characterize ProtonMail. To all of you who have supported us over the years, thank you for your support. Unlike companies like Google and Facebook who abuse user privacy to sell advertisements, ProtonMail and ProtonVPN are entirely dependent on users upgrading to paid accounts to cover operating expenses. Without your support, these projects would not be able to thrive and grow. If you appreciate the security and privacy that ProtonVPN provides, and have the means to do so, please consider upgrading to a paid account. This allows us to support the millions around the world without these means. With your help, the revolution we have started with ProtonMail will continue, and we will reach the day where the Internet serves all of us equally, and reaches its full potential as a tool for freedom. 
Best Regards, The Proton Technologies Team You can find our launch press release here: Follow ProtonVPN on Social Media: Facebook: facebook.com/ProtonVPN Twitter: twitter.com/ProtonVPN Reddit: reddit.com/r/ProtonVPN To get a free ProtonVPN account, visit: protonvpn.com To get a free ProtonMail encrypted email account, visit: protonmail.com ProtonVPN Admin We are the scientists, engineers, and developers who build ProtonMail, the world's largest encrypted email service. We're now building ProtonVPN also to ensure that everybody can have access to free and secure internet. Source
  20. Summary
I’ve discovered 4 important security vulnerabilities in OpenVPN. Interestingly, these were not found by the two recently completed audits of OpenVPN code. Below you’ll find mostly technical information about the vulnerabilities and about how I found them, but also some commentary on why commissioning code audits isn’t always the best way to find vulnerabilities. Here you can find the latest version of OpenVPN: https://openvpn.net/index.php/open-source/downloads.html This was a labor of love. Nobody paid me to do this. If you appreciate this effort, please donate BTC to 1D5vYkiLwRptKP1LCnt4V1TPUgk7cxvVtg.

Introduction
After a hardening of the OpenVPN code (as commissioned by the Dutch intelligence service AIVD) and two recent audits 1 2, I thought it was now time for some real action ;). Most of these issues were found through fuzzing. I hate admitting it, but my chops in the arcane art of reviewing code manually, acquired through grueling practice, are dwarfed by the fuzzer in one fell swoop; the mortal’s mind can only retain and comprehend so much information at a time, and for programs that perform long cycles of complex, deeply nested operations it is simply not feasible to expect a human to perform an encompassing and reliable verification. End users and companies who want to invest in validating the security of an application written in an “unsafe” language like C, such as those who crowd-funded the OpenVPN audit, should not request a manual source code audit, but rather task the experts with the goal of ensuring intended operation and finding vulnerabilities, using that strategy that provides the optimal yield for a given funding window. Upon first thought you’d assume both endeavors boil down to the same thing, but my fuzzing-based strategy is evidently more effective. 
What’s more, once a set of fuzzers has been written, these can be integrated into a continuous integration environment for permanent protection henceforth, whereas a code review only provides a “snapshot” security assessment of a particular software version. Manual reviews may still be part of the effort, but only there where automation (fuzzing) is not adequate. Some examples:

    verify cryptographic operations
    other application-level logic, like path traversal (though a fuzzer may help if you’re clever)
    determine the extent to which timing discrepancies divulge sensitive information
    determine the extent to which size of (encrypted) transmitted data divulges sensitive information (see also). Beyond the sphere of cryptanalysis, I think this is an underappreciated way of looking at security.
    applications that contain a lot of pointer comparisons (not a very good practice to begin with — OpenVPN is very clean in this regard, by the way) may require manual inspection to see if behavior relies on pointer values (example)
    can memory leaks (which may be considered a vulnerability themselves) lead to more severe vulnerabilities? (eg. will memory corruption take place if the system is drained of memory?)
    can very large inputs (say megabytes, gigabytes, which would be very slow to fuzz) cause problems?
    does the software rely on the behavior of certain library versions/flavors? (eg. a libc function that behaves a certain way with glibc may behave differently with the BSD libc — I’ve tried making a case around the use of ctime() in OpenVPN)

So doing a code audit to find memory vulnerabilities in a C program is a little like asking car wash employees to clean your car with a makeup brush. 
A very noble pursuit indeed, and if you manage to complete it, the overall results may be even better than automated water blasting, but unless you have infinite funds and time, resources are better spent on cleaning the exterior with a machine, vacuuming the interior followed by an evaluation of the overall cleanliness, and acting where necessary.

Vulnerabilities

Remote server crashes/double-free/memory leaks in certificate processing
Reported to the OpenVPN security list on May 13. CVE-2017-7521
There are several issues in the extract_x509_extension() function in ssl_verify_openssl.c. This function is called if the user has used the ‘x509-username-field’ directive in their configuration.

    GENERAL_NAMES *extensions;
    int nid = OBJ_txt2nid(fieldname);
    extensions = (GENERAL_NAMES *)X509_get_ext_d2i(cert, nid, NULL, NULL);

The first issue. The ‘fieldname’ variable is the value specified in the configuration file after the ‘x509-username-directive’. Different NIDs require different storage structures. That is to say, using a GENERAL_NAMES structure for every NID will result in spectacular crashes for some NIDs.

    ASN1_STRING_to_UTF8((unsigned char **)&buf, name->d.ia5);
    if (strlen(buf) != name->d.ia5->length)
    {
        msg(D_TLS_ERRORS, "ASN1 ERROR: string contained terminating zero");
        OPENSSL_free(buf);
    }
    else
    {
        strncpynt(out, buf, size);
        OPENSSL_free(buf);
        retval = true;
    }

The second issue. The return value of ASN1_STRING_to_UTF8 is not checked. It may return failure, in which case buf retains its value. This code is executed in a loop (for every GENERAL_NAME encoded in the certificate). So let’s consider this scenario: First loop: ASN1_STRING_to_UTF8 succeeds, and buf is processed and freed in any of the following branches. Second loop: ASN1_STRING_to_UTF8 fails, and buf is processed (use-after-free) and freed (double-free) in any of the following branches. In spite of extensive fuzzing I could not trigger a single ASN1_STRING_to_UTF8 failure using OpenSSL 1.0.2l. 
It may or may not be possible with other versions of OpenSSL, LibreSSL, BoringSSL. This would NOT indicate a bug in those libraries; as an API, they are allowed to fail for any reason. The actual error is OpenVPN not checking the return value. But what makes this interesting is that at the end of this function, the following attempt is made to free the ‘extensions’ variable.

    sk_GENERAL_NAME_free(extensions);

This is wrong. The correct way to do this is to call GENERAL_NAMES_free. This is because sk_GENERAL_NAME_free frees only the containing structure, whereas GENERAL_NAMES_free frees the structure AND its items. Hence, there is a remote memory leak here.

If you look in the OpenSSL source code, one way through which ASN1_STRING_to_UTF8 can fail is if it cannot allocate sufficient memory. So the fact that an attacker can trigger a double-free IF the server has insufficient memory, combined with the fact that the attacker can arbitrarily drain the server of memory, makes it plausible that a remote double-free can be achieved. But if a double-free is inadequate to achieve remote code execution, there are probably other functions, whose behavior is wildly different under memory duress, that you can exploit.

Furthermore, there are two more instances of ASN1_STRING_to_UTF8 in this file:

(in the function extract_x509_field_ssl)

    tmp = ASN1_STRING_to_UTF8(&buf, asn1);
    if (tmp <= 0)
    {
        return FAILURE;
    }

(in the function x509_setenv_track)

    if (ASN1_STRING_to_UTF8(&buf, val) > 0)
    {
        do_setenv_x509(es, xt->name, (char *)buf, depth);
        OPENSSL_free(buf);
    }

(in the function x509_setenv)

    if (ASN1_STRING_to_UTF8(&buf, val) <= 0)
    {
        continue;
    }

Here, the code assumes that a return value that is negative or zero indicates failure, and that ‘buf’ is not initialized and need not be freed. But in fact, this is ONLY the case if ASN1_STRING_to_UTF8 returns a negative value.
A return value of 0 simply means a string of length 0, but memory is nonetheless allocated, so there are memory leaks here as well.

Remote (including MITM) client crash, data leak

Reported to the OpenVPN security list on May 19. CVE-2017-7520

This only affects clients who use OpenVPN to connect to an NTLM version 2 proxy. ntlm_phase_3() in ntlm.c:

    if (( *((long *)&buf2[0x14]) & 0x00800000) == 0x00800000) /* Check for Target Information block */
    {
        tib_len = buf2[0x28]; /* Get Target Information block size */
        if (tib_len > 96)
        {
            tib_len = 96;
        }
        {
            char *tib_ptr = buf2 + buf2[0x2c]; /* Get Target Information block pointer */
            memcpy(&ntlmv2_blob[0x1c], tib_ptr, tib_len); /* Copy Target Information block into the blob */
        }
    }

‘buf2’ is an array of type char (signed), which contains data sent by the peer (the proxy). ‘tib_len’ is of type int.

First issue: remote crash. If buf2[0x28] contains a value of 0x80 or higher, ‘tib_len’ will be negative; both variables are signed, after all. This will cause memcpy to crash.

Second issue: data leak. buf2[0x2c] is used as an index into the buf2 array. Because ‘buf2[0x2c]’ is a signed value, if it is >= 0x80, it will cause tib_ptr to point BEFORE ‘buf2’. Memory at this location is then copied to ntlmv2_blob, which is then sent to the peer. This constitutes a data leak. Because the user’s password is also stored on the stack (the variable ‘pwbuf’ in this function), this or other sensitive information may be sent to the peer in cleartext.

These issues can be triggered by an actor in an active man-in-the-middle role.

Remote (including MITM) client stack buffer corruption

Reported to the OpenVPN security list on June 6. No CVE. Patch: https://github.com/OpenVPN/openvpn/commit/69162924de3600bfe8ae9708a1d6e3f4515ef995

This is exceedingly unlikely to occur.
The my_strupr function in ntlm.c is constructed as follows:

    unsigned char *
    my_strupr(unsigned char *str)
    {
        /* converts string to uppercase in place */
        unsigned char *tmp = str;

        do
        {
            *str = toupper(*str);
        } while (*(++str));
        return tmp;
    }

From this code it is obvious that if a string of length 0 is passed, OOB read(s) and possibly write(s) will occur. In the case of a string of length 0, the null terminator is toupper()’ed, the pointer is incremented, the byte AFTER the null terminator is evaluated and, if not null, toupper()’ed, until a second NULL byte is seen. The function is invoked once:

    my_strupr((unsigned char *)strcpy(userdomain, username));

Exploitation can only be achieved if:

- NTLM version 2 is used.
- The user specified a username ending with a backslash.
- The (uninitialized) ‘username’ array consists entirely of non-null values.
- The stack layout is such that the ‘username’ array is followed by a pointer, or something else that, if toupper()’ed, could cause arbitrary code execution.

This issue can be triggered by an actor in an active man-in-the-middle role.

Remote server crash (forced assertion failure)

Reported to the OpenVPN security list on May 20. CVE-2017-7508

The OpenVPN server can be crashed by sending crafted data. mss_fixup_ipv6() in mss.c:

    if (buf_advance( &newbuf, 40 ) )
    {
        struct openvpn_tcphdr *tc = (struct openvpn_tcphdr *) BPTR(&newbuf);
        if (tc->flags & OPENVPN_TCPH_SYN_MASK)
        {
            mss_fixup_dowork(&newbuf, (uint16_t) maxmss-20);
        }
    }

in mss_fixup_dowork():

    ASSERT(BLEN(buf) >= (int) sizeof(struct openvpn_tcphdr));

It is possible to construct a packet to the server such that this assertion will fail, and the server will stop.

Crash mbed TLS/PolarSSL-based server

Reported to the OpenVPN security list on May 22. CVE-2017-7522

This requires that the --x509-track configuration option has been set. It affects OpenVPN 2.4 (not 2.3) compiled with mbed TLS/PolarSSL as the cryptography backend. The crafted certificate must have been signed by the CA.
When parsing the client certificate, asn1_buf_to_c_string() may be called (via x509_setenv_track -> do_setenv_name). It iterates over an ASN1 string as follows:

    for (i = 0; i < orig->len; ++i)
    {
        if (orig->p[i] == '\0')
        {
            return "ERROR: embedded null value";
        }
    }

If a null byte is found within this string (ASN1 allows this), the static string “ERROR: embedded null value” is returned. If no null byte is found, a heap-allocated string is returned. The static string becomes problematic if a while later string_mod() is called. This attempts to modify the string. This will typically cause a crash, because the static string is stored in a read-only memory region.

Stack buffer overflow if long --tls-cipher is given

Reported to the OpenVPN security list on May 12. No CVE. Patch: https://github.com/OpenVPN/openvpn/commit/e6bf7e033d063535a4414a4cf49c8f367ecdbb4f

An excessively long --tls-cipher option can cause stack buffer corruption. This can only affect the user if they load untrusted options. Not considered an actual vulnerability because untrusted options may execute arbitrary code via other option directives by design (see commit message). As a general rule, don’t load untrusted configuration files.

(v)s(n)printf hardening

Reported to the OpenVPN security list on May 23

This is not a vulnerability. It is a proposed hardening technique. My motivation can be read here: https://community.openvpn.net/openvpn/ticket/894

The gist is that vsnprintf and related functions (upon which OpenVPN heavily relies) can, in theory, fail. The reasons for this are entirely inherent to the libc’s internal logic, and behavior may differ from one libc to another. It must be noted that it is exceedingly unlikely that these functions fail in practice. However, should this happen, this could create dangerous leaks of sensitive data. My proposed patch remedies this and ensures no data is ever leaked.
Other bugs

Some other minor bugs, that don’t impact security, have been found: https://github.com/OpenVPN/openvpn/commits/master

How I fuzzed OpenVPN

Fuzzing OpenVPN has been an extensive effort. You can’t just chain the fuzzer to arbitrary internal functions, for various reasons:

- OpenVPN executes external programs like ipconfig and route to modify the system’s networking state. This is not acceptable within a fuzzing environment.
- Direct resource access (files, networking) occurs throughout the code. You certainly don’t want the fuzzer to end up writing random files and sending data to random IPs.
- There are many ASSERT() statements throughout the code. These will cause a direct abort if the enclosed condition is false. This makes fuzzing impossible; you want the fuzzer to run for hours, not abort after 2 seconds.

To work around the first problem, I modified the source code such that in fuzzing mode, everything leading up to the actual execve() is executed (processing of arguments to the external program), but the actual execve() call is commented out. It will return success or failure based on a bit in the fuzzer input data.

To prevent access to resources, I implemented abstractions for libc functions. For example, recv() is now platform_recv(), and within platform_recv() I either call recv() directly (in non-fuzzing mode), or grab data from the fuzzer input data (in fuzzing mode). Similarly, through abstractions such as platform_read(), the application can open, read and write to files at will. The data that it expects is transparently pulled from the fuzzing input.

To deal with the assertions, there is no other way than to comment them out, but only in certain cases:

    #ifndef FUZZING
    ASSERT(condition);
    #else
    if (!(condition)) return;
    #endif

I leave them in place in situations where the assertion condition depends directly on untrusted data. As an example, say the application recv()’s data from the peer, and then does ASSERT(recvd_data[3] == 0x20).
It is important to leave this ASSERT in; it implies that the client can force an abort() on the server (or vice-versa); this can be considered a security issue. But there are also ASSERTs that rely on variables within an internal data structure. I typically fill these data structures with fuzzer input. Rather than manually ensuring that these variables are valid and coherent with regard to the application’s logic, I simply change the ASSERTs that rely on this validity into ‘return’ where possible (and free objects, where applicable).

I’ve used libFuzzer combined with AddressSanitizer (ASAN), UndefinedBehaviorSanitizer (UBSAN) and MemorySanitizer (MSAN). ASAN cannot be combined with MSAN, and moreover MSAN does not work with libFuzzer (due to the apparent use of uninitialized memory within libFuzzer itself). So the way to go is to generate a corpus with the fuzzer, and then execute each of the resulting inputs with an MSAN-enabled standalone version.

There are various discrete components in OpenVPN that together constitute the application. There is an extensive suite of functions to deal with data buffers (buffer.c, buffer.h), an extensive option parser (options.c, which parses the configuration file, command line arguments as well as commands pushed by server to client), a base64 encoder/decoder, etc. Thanks to this relative modularity in OpenVPN it has been possible to use and abuse these components as if they were an API with relatively little effort.

My approach for testing all of these API-like components is as follows (assume 3 functions to be tested):

- Get a number from the fuzzer input data in the range 0 - 2.
- Call one of the three functions based on the number.
- Provide each function with parameters derived from the input data where dynamic parameters are required.
- Repeat the above process a number of times (for example for (i = 0; i < 5; i++) { … }).

This will cause an ever-permuting sequence of invocations.
Essentially the coverage surface becomes (near-) absolute, that is to say, (almost) every conceivable way to use the API is a contender to be tested via this algorithm. This approach is especially useful to test functions that operate on the same structure. If there exists any sequenced set of functions that would cause memory violations, this setup is bound to find it.

Of course, the actual use of any group of functions within the application is only a small subset of all permutations and parameters that the fuzzer sets out to test, and any mishaps the fuzzer finds for very particular circumstances may not actually occur within the code. But it is nonetheless good to know, because:

- If you know that a certain sequence of calls and their parameters will lead to memory corruption, you can now perform a manual code analysis to see if this situation occurs.
- Corner-case API bugs that are not invoked now may become manifest in the future once code (with calls to the API) is added that does trigger these bugs.

In MSAN-enabled builds I serialize the output structure (if there is one) to /dev/null. For example, the options parser stores all its data in a struct options variable. MSAN does not immediately report the use of uninitialized data; it only does so if it is used in conditions that lead to branching (if (x) …) or when the data is used for I/O. Hence, by serializing this data to /dev/null (normally a no-op), I force MSAN to detect uninitialized data. In C, there is no automatic way to serialize nested data structures (struct A contains a pointer to struct B, etc.), so for some structures I had to manually write a stack of serialization functions.

Limited fuzzing on a 32 bit platform has also been performed. This did not find any issues that do not occur on 64 bit.

Article source
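The two ntlm.c problems described in the post (the signed-char length and offset in the Target Information copy, and my_strupr() on an empty string) in hardened form, as an added example; this is neither OpenVPN's code nor the author's patch. It reads the length and offset as the unsigned little-endian fields that the NTLM Type 2 layout defines at 0x28 and 0x2c (the original read one signed byte of each), checks them against the number of bytes actually received, and keeps the original's 96-byte cap. legacy_interpretation() only reproduces the original arithmetic so the two readings can be compared; build_type2() constructs Type 2 messages for the demonstration, nothing here is captured traffic.

```c
/*
 * Added example (not OpenVPN's code): hardened Target Information block copy
 * for ntlm_phase_3(), plus a do/while-free my_strupr(). NTLM Type 2 layout:
 *   0x14  negotiate flags, uint32 LE; bit 0x00800000 = Target Info present
 *   0x28  Target Info length, uint16 LE   (the original read one signed byte)
 *   0x2c  Target Info offset, uint32 LE   (the original read one signed byte)
 */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NTLM_FLAG_TARGET_INFO 0x00800000u
#define NTLM_TYPE2_MIN_LEN    0x30   /* fixed header through the Target Info security buffer */
#define TIB_MAX_LEN           96     /* same cap as the original code */
#define BLOB_TIB_OFFSET       0x1c   /* where the block lands inside ntlmv2_blob */
#define BLOB_LEN              (BLOB_TIB_OFFSET + TIB_MAX_LEN)

static uint16_t rd16le(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32le(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* What `int tib_len = buf2[0x28]; tib_ptr = buf2 + buf2[0x2c];` computes when
 * char is signed (as on x86). Computes the values only; dereferences nothing. */
void legacy_interpretation(const unsigned char *buf2, int *tib_len, long *tib_off)
{
    *tib_len = (signed char)buf2[0x28];
    *tib_off = (signed char)buf2[0x2c];
}

/* Copy the Target Information block into blob[BLOB_TIB_OFFSET..].
 * Returns bytes copied, 0 if the proxy sent no block, -1 if the message is
 * malformed (block not inside the bytes that were actually received). */
int copy_target_info(const unsigned char *buf2, size_t buf2_len,
                     unsigned char *blob, size_t blob_len)
{
    if (buf2_len < NTLM_TYPE2_MIN_LEN || blob_len < (size_t)BLOB_LEN) return -1;
    if (!(rd32le(buf2 + 0x14) & NTLM_FLAG_TARGET_INFO)) return 0;

    size_t tib_len = rd16le(buf2 + 0x28);
    size_t tib_off = rd32le(buf2 + 0x2c);
    if (tib_len > TIB_MAX_LEN) tib_len = TIB_MAX_LEN;
    /* Unsigned, overflow-safe containment check against the real length. */
    if (tib_off > buf2_len || tib_len > buf2_len - tib_off) return -1;

    memcpy(blob + BLOB_TIB_OFFSET, buf2 + tib_off, tib_len);
    return (int)tib_len;
}

/* my_strupr() without the do/while: a zero-length string is left untouched. */
unsigned char *strupr_safe(unsigned char *str)
{
    for (unsigned char *p = str; *p != '\0'; ++p) *p = (unsigned char)toupper(*p);
    return str;
}

/* Constructed Type 2 message: flags set, a block of tib_len bytes claimed at
 * tib_off; bytes from tib_off to the end are filled with 0xAA. */
void build_type2(unsigned char *msg, size_t msg_len, uint16_t tib_len, uint32_t tib_off)
{
    memset(msg, 0, msg_len);
    memcpy(msg, "NTLMSSP", 8);
    msg[8] = 2;                                   /* message type */
    msg[0x16] = 0x80;                             /* flags LE: 0x00800000 */
    msg[0x28] = (unsigned char)(tib_len & 0xff);
    msg[0x29] = (unsigned char)(tib_len >> 8);
    msg[0x2c] = (unsigned char)(tib_off & 0xff);
    msg[0x2d] = (unsigned char)((tib_off >> 8) & 0xff);
    msg[0x2e] = (unsigned char)((tib_off >> 16) & 0xff);
    msg[0x2f] = (unsigned char)(tib_off >> 24);
    if (tib_off < msg_len) memset(msg + tib_off, 0xAA, msg_len - tib_off);
}

int main(void)
{
    unsigned char msg[0x40], blob[BLOB_LEN];
    int len; long off;

    build_type2(msg, sizeof msg, 0x80, 0xF0);     /* both bytes >= 0x80: the reported case */
    legacy_interpretation(msg, &len, &off);
    printf("legacy: tib_len=%d tib_off=%ld\n", len, off);
    printf("hardened: %d\n", copy_target_info(msg, sizeof msg, blob, sizeof blob));
    return 0;
}
```

The legacy reading of the crafted message yields a negative length and a negative offset, exactly the memcpy-crash and read-before-buffer conditions the post describes; the hardened routine rejects the same bytes because the declared offset lies beyond the received data.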
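An added example of the harness structure the post describes (not OpenVPN's actual fuzzing patches): a libFuzzer LLVMFuzzerTestOneInput(), a platform_recv() shim that takes a success/failure bit and then its payload from the fuzz input, an ASSERT replacement that returns in fuzzing mode, and the loop that permutes calls to an API with input-derived parameters. The buffer API is a small stand-in written for this example, not buffer.c, and fz_u8, fz_bytes, run_case and ASSERT_OR_RETURN are the example's own names.

```c
/*
 * Added example (not OpenVPN's code): libFuzzer harness pattern with a
 * platform_recv() shim, fuzz-mode ASSERT, and permuted API calls over a
 * stand-in buffer API.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define FUZZING 1
#ifndef FUZZING
#include <sys/socket.h>
#endif

/* Production: abort(). Fuzzing: leave the function. Use only for assertions on
 * internal state the harness itself may have made inconsistent; an ASSERT on
 * peer-supplied data stays a real abort so the fuzzer reports it. */
#ifdef FUZZING
#define ASSERT_OR_RETURN(cond, rv) do { if (!(cond)) return (rv); } while (0)
#else
#define ASSERT_OR_RETURN(cond, rv) do { if (!(cond)) abort(); } while (0)
#endif

/* Cursor over the fuzz input; every "external" value is taken from here. */
struct fuzz_in { const uint8_t *p; size_t n; };

static int fz_u8(struct fuzz_in *f, uint8_t *out)
{
    if (f->n == 0) return 0;
    *out = *f->p++; f->n--;
    return 1;
}

static size_t fz_bytes(struct fuzz_in *f, uint8_t *dst, size_t want)
{
    size_t k = want < f->n ? want : f->n;
    memcpy(dst, f->p, k); f->p += k; f->n -= k;
    return k;
}

static struct fuzz_in *g_fz;   /* the current case's input, visible to the shims */

/* recv() replacement: one input bit decides success or failure, then the
 * "network data" is the next bytes of the input (possibly fewer than asked). */
long platform_recv(int fd, void *buf, size_t len)
{
#ifdef FUZZING
    uint8_t fail;
    (void)fd;
    if (!fz_u8(g_fz, &fail) || (fail & 1)) return -1;
    return (long)fz_bytes(g_fz, buf, len);
#else
    return (long)recv(fd, buf, len, 0);
#endif
}

/* Stand-in buffer API (not buffer.c). */
struct buffer { uint8_t *data; int capacity; int offset; int len; };

static int buf_init(struct buffer *b, int capacity)
{
    b->data = calloc(capacity > 0 ? (size_t)capacity : 1, 1);  /* zeroed: MSAN-clean */
    if (!b->data) return 0;
    b->capacity = capacity; b->offset = 0; b->len = 0;
    return 1;
}

static void buf_free(struct buffer *b) { free(b->data); memset(b, 0, sizeof *b); }

static int buf_write(struct buffer *b, const uint8_t *src, int n)
{
    if (n < 0 || n > b->capacity - b->offset - b->len) return 0;   /* refuse, never overflow */
    memcpy(b->data + b->offset + b->len, src, (size_t)n);
    b->len += n;
    return 1;
}

static int buf_advance(struct buffer *b, int n)
{
    ASSERT_OR_RETURN(n >= 0 && n <= b->len, 0);   /* internal consistency: fuzz mode returns */
    b->offset += n; b->len -= n;
    return 1;
}

/* One case: read an op number, call that op with input-derived parameters,
 * repeat up to 5 times. Returns how many ops were attempted. */
int run_case(const uint8_t *data, size_t size)
{
    struct fuzz_in f = { data, size };
    struct buffer b;
    uint8_t cap, op, n;
    int ops = 0;

    g_fz = &f;
    if (!fz_u8(&f, &cap) || !buf_init(&b, cap)) return 0;
    for (int i = 0; i < 5; i++) {
        if (!fz_u8(&f, &op) || !fz_u8(&f, &n)) break;
        ops++;
        switch (op % 3) {
        case 0: {                                  /* "receive" from the peer, then buffer it */
            uint8_t tmp[256];
            long got = platform_recv(0, tmp, n);
            if (got > 0) buf_write(&b, tmp, (int)got);
            break;
        }
        case 1: buf_advance(&b, n); break;         /* n may exceed len: fuzz-mode return */
        default: b.offset = 0; b.len = 0; break;   /* reset */
        }
    }
    buf_free(&b);
    return ops;
}

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    run_case(data, size);
    return 0;
}
```

Build with clang -g -fsanitize=fuzzer,address harness.c; libFuzzer supplies main() and drives LLVMFuzzerTestOneInput(). For the MSAN pass the post describes, compile the same file with -fsanitize=memory and a small main() that reads one corpus file into memory and calls LLVMFuzzerTestOneInput() on it.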
21. Encrypted email provider ProtonMail launches free VPN service to counter increasing online censorship

World’s largest secure email service has launched ProtonVPN for free to protect consumers against mass surveillance, censorship, and other online security threats.

June 20th, 2017, Geneva, Switzerland

ProtonMail, the world’s largest encrypted email provider, is announcing today the immediate worldwide release of ProtonVPN, an innovative new VPN service built in response to increasing online surveillance and threats to net neutrality. This is the first new product developed by Swiss security firm Proton Technologies AG since the introduction of ProtonMail 3 years ago.

Since ProtonMail was first launched in May 2014 by a group of scientists who met at CERN and MIT, the service has become the preferred email provider for millions of people around the world. Users include businesses, individuals, activists and journalists drawn to the service’s strong end-to-end encryption, ease-of-use, and open source software.

The team that created ProtonMail was motivated to create ProtonVPN to combat increased threats to online freedom. In the past six months alone, these threats have included the repeal of Obama-era rules designed to protect consumer internet browsing history, calls by Prime Minister Theresa May for increased online surveillance, and the recent attempts by the US FCC to dismantle net neutrality. This is not to mention the over 1.5 billion people around the world who live with censored Internet.

“In the past year, we have seen more and more challenges against Internet freedom,” says ProtonMail Co-Founder Dr. Andy Yen, “now more than ever, we need robust tools for defending privacy, security, and freedom online.”

A VPN (Virtual Private Network) allows users to browse the web without being tracked, bypass online censorship blocks, and also increases security by passing all internet traffic through a strongly encrypted tunnel.
In order to make this technology more accessible, the Company will also provide a free version of the service. “The best way to ensure that encryption and privacy rights are not encroached upon is to get the tools into the hands of the public as soon as possible and widely distributing them,” says Yen, “This is why, as with ProtonMail, we’re committed to making a free version of ProtonVPN available to the world.”

While VPNs have existed for many years, ProtonVPN draws upon the Company’s extensive security experience and introduces several important security innovations. ProtonVPN features a Secure Core architecture which routes traffic through multiple encrypted tunnels in multiple countries to better defend against network based attacks, and also features seamless integration with the Tor anonymity network. ProtonVPN operates under Swiss jurisdiction and is protected by some of the world’s strongest privacy laws. ProtonVPN also stands out for its transparency as it is perhaps the only VPN service on the market today that is developed by a team that is publicly known, with strong security and privacy credentials.

“Strong encryption and privacy are a social and economic necessity. Not only does this technology protect activists and dissidents, it is also key to securing the world’s digital infrastructure,” says Yen, “Encrypted communications is the future and with ProtonVPN, we’re committed to making online privacy a reality again for all Internet users.”

About Proton Technologies AG

Proton Technologies AG is a security company headquartered in Geneva, Switzerland, near CERN where the founders met in 2013. We are researchers, scientists, and engineers brought together by a shared vision of protecting civil liberties, working to advance Internet security and privacy. Proton Technologies is a uniquely community-driven company. Initial funding came from an online crowdfunding campaign that raised $550,000 and set a record for a software technology project.
Today, the innovative technologies that we are developing, such as ProtonMail and ProtonVPN, are used by millions of people around the world. For more information, please visit:

Media Inquiries: [email protected]

ProtonVPN Admin: We are the scientists, engineers, and developers who build ProtonMail, the world's largest encrypted email service. We're now building ProtonVPN also to ensure that everybody can have access to free and secure internet.

Source
22. Proton VPN 1.0.1 + 1.0.2 Final

Overview: ProtonVPN is designed from the ground up with a special emphasis on security and privacy, and features a number of innovations that we have made to harden VPN against compromises. ProtonVPN will eventually feature free and premium versions containing different features. For the beta period, you will be able to test the full-fledged premium version of ProtonVPN for free.

Layers of Protection:
- Limitation / blocking access to the data / application
- Isolation and create a separate database / application
- Backup / important data
- Detecting and deleting viruses / malware.

ProtonMail earlier announced a beta VPN service for ProtonMail PLUS users. At this moment, Proton VPN offers 14 countries:
Australia, Canada, France, Germany, Hong Kong, Iceland, Japan, Netherlands, Singapore (new), Spain, Sweden, Switzerland, United Kingdom, United States

Standard Servers: All of our servers are dedicated to ProtonVPN and feature high bandwidth connections.
Secure Core Servers: Secure Core Servers add an additional layer of protection against VPN endpoint compromise.

More Info:
Official Product Homepage / Detailed Features: https://protonvpn.com/home
Official Website: https://protonvpn.com/
Register/Signup: https://account.protonvpn.com/signup
Login: https://account.protonvpn.com/login/
Pricing: https://protonvpn.com/pricing
VPN Servers: https://protonvpn.com/vpn-servers
Security: https://protonvpn.com/secure-vpn
VPN Threat Model: https://protonvpn.com/blog/threat-model/
Transparency Report: https://protonvpn.com/blog/transparency-report/
About Us: https://protonvpn.com/about
Blog: https://protonvpn.com/blog/

We are open for registration. You can follow ProtonVPN on social media to get the latest news and updates:
Facebook: https://facebook.com/ProtonVPN
Twitter: https://twitter.com/ProtonVPN
Reddit: https://www.reddit.com/r/ProtonVPN/

We would love to hear your feedback on the beta and what we can do to improve ProtonVPN.
In addition to the links above, you can also send your suggestions to [email protected]

If you run into trouble with ProtonVPN, or have questions, you can search for answers or contact us via the ProtonVPN support site: https://protonvpn.com/support/

Screenshots:

Downloads:
Download: https://protonvpn.com/download/
Windows Client: https://protonvpn.com/download/ProtonVPN_win_v1.0.1.exe
Windows Client: https://protonvpn.com/download/ProtonVPN_win_v1.0.2.exe

Clients for macOS, Linux, Android, and iOS are still under development, but it is still possible to use ProtonVPN with these operating systems using third-party OpenVPN clients. Setup guides can be found here:
MacOS: https://protonvpn.com/support/mac-vpn-setup/
Linux: https://protonvpn.com/support/linux-vpn-setup/
Android: https://protonvpn.com/support/android-vpn-setup/
iOS: https://protonvpn.com/support/ios-vpn-setup/
VPN Servers and Country Code for Linux, Mac, Android and iOS: https://protonvpn.com/support/vpn-servers/

More Info - Articles & Reviews:
Three years ago we launched ProtonMail. Today, we’re launching ProtonVPN.
Encrypted email provider ProtonMail launches free VPN service to counter increasing online censorship
ProtonVPN Swiss-Based VPN Launches
23. Proton VPN 1.0.0 Beta/RC

Overview: ProtonVPN is designed from the ground up with a special emphasis on security and privacy, and features a number of innovations that we have made to harden VPN against compromises. ProtonVPN will eventually feature free and premium versions containing different features. For the beta period, you will be able to test the full-fledged premium version of ProtonVPN for free.

Layers of Protection:
- Limitation / blocking access to the data / application
- Isolation and create a separate database / application
- Backup / important data
- Detecting and deleting viruses / malware.

ProtonMail announced a beta VPN service for ProtonMail PLUS users. At this moment, Proton VPN offers 13 countries with 4 IPs each:
Australia, Canada, France, Germany, Hong Kong, Iceland, Japan, Netherlands, Spain, Sweden, Switzerland, United Kingdom, United States

More Info:
Official Product Homepage / Detailed Features: https://protonvpn.com/home
Official Website: https://protonvpn.com/
Register/Signup: https://account.protonvpn.com/signup
About Us: https://protonvpn.com/about
Blog: https://protonvpn.com/blog/

ProtonVPN is still a work in progress, and we will be releasing more details over the next couple months about what makes ProtonVPN different. You can follow ProtonVPN on social media to get the latest news and updates:
Facebook: https://facebook.com/ProtonVPN
Twitter: https://twitter.com/ProtonVPN

We would love to hear your feedback on the beta and what we can do to improve ProtonVPN. In addition to the links above, you can also send your suggestions to [email protected]

If you run into trouble with ProtonVPN, or have questions, you can search for answers or contact us via the ProtonVPN support site: https://protonvpn.com/support/

Screenshots:

Downloads:
Stability Advisory: This is a "beta/RC" software release which contains known bugs. The stable release date is 20 June 2017.
Download: https://protonvpn.com/download/
Windows Client: https://protonvpn.com/download/ProtonVPN_win_v1.0.0.exe

Clients for macOS, Linux, Android, and iOS are still under development, but it is still possible to use ProtonVPN with these operating systems using third-party OpenVPN clients. Setup guides can be found here:
MacOS: https://protonvpn.com/support/mac-vpn-setup/
Linux: https://protonvpn.com/support/linux-vpn-setup/
Android: https://protonvpn.com/support/android-vpn-setup/
iOS: https://protonvpn.com/support/ios-vpn-setup/
VPN Servers and Country Code for Linux, Mac, Android and iOS: https://protonvpn.com/support/vpn-servers/
24. A recent survey suggests that the enterprise is more reliant than ever on open-source, but failing to manage and secure it effectively.

The enterprise's use of open-source components to bolster its own software and systems is rising, but companies are failing to secure and manage it effectively, new research suggests.

According to Black Duck's latest 2017 Open Source 360 Degree survey, "the effective management of open-source is not keeping pace with the increase in use."

Released on Thursday, the survey, made up of 819 US and EMEA software developers, IT professionals, security experts, and systems architects, says that in the last year there has been a significant uptake in the use of open-source software, with almost 60 percent of respondents saying their organizations make use of open-source community-based development.

Cost savings, easy access, and no vendor lock-in, as well as the ability to customize code and fix bugs directly, all factor into their use of open-source software, and according to 55 percent of those surveyed, open-source software also boosts business innovation.

However, there are concerns with relying heavily on open-source components. According to the research, 66 percent of respondents worry about license risk and the loss of intellectual property through using open-source software. In total, 64 percent are also concerned about the exposure of internal applications to exploit through vulnerabilities in open-source code, and 71 percent believe that open-source usage may also expose external apps to exploit. In addition, 61 percent are concerned that development teams may not adhere to internal rules and practices when using open-source software.
To make matters worse, only 15 percent of respondents said their organizations have automated processes in place to manage open-source use, and almost half admitted that their companies have no formal policies in place for selecting or approving open-source software, which can cause major blind spots for security professionals.

Only 54 percent of survey respondents said they believed their organizations were in compliance with open-source licensing demands, only 55 percent said they kept informed of known security vulnerabilities, and 44 percent conform to internal open-source security policies.

The majority of respondents believe a structured process for review and approval of open source use requests, as well as a whitelist and blacklist of approved and banned open-source components, are the most crucial elements of a successful open-source policy.

"Companies are using a tremendous amount of open source for sound economic and productivity reasons, but today most companies are not effective in securing and managing it," said Lou Shipley, Black Duck CEO. "Today open-source comprises 80 percent to 90 percent of the code in a modern application and the application layer is a primary target for hackers."

"This means that exploitation from known open source vulnerabilities represents the most significant application security risk most organisations face," Shipley added.

The full results of the survey will be published on June 22.

Back in April, Black Duck researchers discovered "significant cross-industry risks" in the use of open-source components within financial enterprise apps, with the majority of software containing unpatched open-source bugs and vulnerabilities, some of them over four years old. An average of 52 vulnerabilities was discovered per app.

Article source
25. Hi guys, I'm interested in what people consider a standard install required to protect your Android devices: what antivirus, what ad blocker, and any other software people install when looking to secure an Android device. Having a Windows background, you get told to keep your AV up to date and apply security patches, but what applies to the Android environment?