Encryption

Privacy Vulnerability Exposes VPN Users' Real IP Addresses (thestack.com) 94

An anonymous reader writes: A major security flaw which reveals VPN users' real IP addresses has been discovered by Perfect Privacy (PP). The researchers suggest that the problem affects all VPN protocols, including IPSec, PPTP and OpenVPN. The technique involves a port-forwarding tactic whereby a hacker using the same VPN as its victim can forward traffic through a certain port, which exposes the unsuspecting user's IP address. This issue persists even if the victim has disabled port forwarding. PP discovered that five out of nine prominent VPN providers that offer port forwarding were vulnerable to the attack.
Cloud

Ask Slashdot: Secure, Yet Accessible E-mail Archive Storage? 74

New submitter mlts writes: As of now, I just leave E-mail in a 'received-2015' subfolder on my provider's server, adding a new folder yearly. With the rise of E-mail account intrusions (where even though I'm likely not a primary target, it is a concern), what is a secure, yet accessible way to archive E-mail? I'm far less worried about the FBI/NSA/Illuminati than I am about having stuff divulged to all and sundry if a mass breach happens. A few alternatives I've considered: 1) Running my own physical IMAP server. The server would run on a hypervisor (likely ESXi), have Dovecot limited to the VPN I use, and use other sane techniques to limit access. 2) Archiving the E-mail files through a cloud provider, with a client encryption utility (EncFS, BoxCryptor, etc.). In this case, E-mail would be stored in a different file each week. 3) Moving it to local storage on a virtual machine, and if access is needed, using LogMeIn or another remote access item to fire up Thunderbird to access it. What would be a recommended way to secure E-mail that sits around for the long haul, but still have it accessible? Even if you're not specifically worried about it, keeping older email around on a provider's server opens you up to warrantless access by U.S. law enforcement officials.
The Media

BBC Lets Viewers Buy Shows and Episodes Permanently, But No 'Extras' (thestack.com) 80

An anonymous reader writes: The BBC has opened a new online store which lets viewers purchase TV programs that do not expire in its iPlayer streaming outlet after thirty days, but which apparently remain stored for streaming in the same style as Amazon's video purchases. The BBC claims the extensive archive inventory is available only to UK-based viewers, though its VPN-blocking attempts do not currently seem to prevent purchases from outside the country. Additionally the BBC's high-quality disc extras do not seem to have made the jump from disc to digital, signifying possible further decline for 'value added' features such as commentaries and documentaries in the future.
United Kingdom

Controversial New UK Internet Powers Bill Makes No Mention of VPNs (thestack.com) 115

An anonymous reader writes: The Draft Investigatory Powers Bill presented by the UK Home Secretary Theresa May to Parliament today has caused controversy because it proposes new legislation to force UK ISPs to retain an abbreviated version of a user's internet history for a year, and would also oblige vendors such as Apple not to provide consumer-level encryption that the vendor cannot access itself in accordance with a court order. But perhaps the most surprising aspect of DIPA is that Virtual Private Networks are mentioned nowhere in its 299 pages, even though VPNs are a subject of great interest to Europe, Russia, Iran, China and the United States.
Encryption

Fewer IPsec Connections At Risk From Weak Diffie-Hellman (threatpost.com) 28

msm1267 writes: A challenge has been made against one of the conclusions in an academic paper on cryptographic weaknesses that may be the open door through which intelligence agencies are breaking encrypted connections. The paper, 'Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice,' claims that a massively resourced agency such as the NSA could build enough custom hardware that would crack the prime number used to derive an encryption key. Once enough information is known about the prime, breaking Diffie-Hellman connections that use that same prime is relatively trivial. In the paper, the team of 14 cryptographers and academics who wrote it claim that upwards of 66 percent of IPsec VPN connections can be passively decrypted in this manner. Paul Wouters, a founding member and core developer of the Libreswan Project, as well as a Red Hat associate, said that researchers are jumping to a conclusion because of the way they scanned and tested VPN servers, and that the number is likely too high.
The Military

Russian Cyberspies Targeted MH17 Crash Investigation (trendmicro.com) 88

itwbennett writes: Security researchers from Trend Micro have found evidence that the Pawn Storm cyberespionage group set up rogue VPN and SFTP servers to target Dutch Safety Board employees before and after the report on the crash of Malaysia Airlines Flight 17 (MH17) was finalized. It is likely that the rogue servers were set up with the goal of phishing login credentials from people involved in the MH17 crash investigation in order to obtain access to confidential information, the researchers said.
Businesses

Full Trans-Pacific Partnership Agreement Intellectual Property Chapter Analyzed (freezenet.ca) 109

Dangerous_Minds writes: Freezenet seems to be the first website to publish a full run-down of the final draft of the Intellectual Property chapter in the Trans-Pacific Partnership. The leak was published on Wikileaks earlier. The analysis seems to confirm what the EFF has said, saying that the chapter "confirms our worst fears about the agreement, and dashes the few hopes that we held out that its most onerous provisions wouldn't survive to the end of the negotiations." The analysis focuses mainly on copyright enforcement on the Internet and the impact the chapter would have on personal devices, VPN services, and ISPs. One noteworthy find by Freezenet is the inclusion of a "TPP Commission" which would decide when different countries are supposed to meet outside of the 10-year cycle, discussing "market circumstances" of "the development of new pharmaceutical products." What other roles the TPP Commission takes on is unclear given that it is not mentioned anywhere else in the chapter.
Networking

Europe's 'Net Neutrality' Could Allow Throttling of Torrents and VPNs (torrentfreak.com) 161

An anonymous reader writes: TorrentFreak reports that the European Parliament is approaching a vote on new telecom regulations that aim to implement net neutrality throughout EU member states. Unfortunately, the legislation hinges on a few key amendments, and experts are warning about the consequences should those amendments fail to pass. "These amendments will ensure that specific types of traffic aren't throttled around the clock, for example. The current language would allow ISPs to throttle BitTorrent traffic permanently if that would optimize overall 'transmission quality.' This is not a far-fetched argument, since torrent traffic can be quite demanding on a network." That's not the only concern: "Besides file-sharing traffic the proposed legislation also allows Internet providers to interfere with encrypted traffic, including VPN connections. Since encrypted traffic can't be classified through deep packet inspection, ISPs may choose to de-prioritize it altogether."
Television

BBC Begins Blocking VPN Access To iPlayer (torrentfreak.com) 174

nickweller points out Ars Technica's report (based on news initially on Torrent Freak) that the BBC has begun to block VPN users from its iPlayer video streaming service. From the article: Naturally, VPN providers are already working on a fix for the block, with IPVanish already claiming it has found a way around it. Earlier this year, a GlobalWebIndex report claimed that up to 60 million people outside the UK had been accessing iPlayer. The BBC disputes this figure however, saying: "These figures simply aren't plausible. All our evidence shows the vast majority of BBC iPlayer usage is in the UK. BBC iPlayer and the content on it is paid for by UK licence fee payers in the UK and we take appropriate steps to protect access to this content."
Democrats

Clinton Home Servers Had Ports Open (ap.org) 470

Jim Efaw writes: Hillary Clinton's home servers had more than just the e-mail ports open directly to the Internet. The Associated Press discovered, by using scanning results from 2012 "widely available online", that the clintonemail.com server also had the RDP port open; another machine on her network had the VNC port open, and another one had a web server open even though it didn't appear to be configured for a real site. Clinton previously said that her server featured "numerous safeguards," but hasn't explained what that means. Apparently, requiring a VPN wasn't one of them.
Advertising

Apple Approves, Then Removes In-App Ad Blocker (reuters.com) 85

Mickeycaskill writes: Apple has pulled a number of applications from the App Store, most notably the "Been Choice" ad blocker, because of concerns that the methods they employ to remove adverts could compromise sensitive user data. iOS 9 allows for the installation of applications that block adverts in Safari, but other apps like Been Choice go one step further and let users remove adverts from applications – including Apple News. Been Choice routes traffic through a VPN to filter out adverts in some applications, but this technique has attracted the attention of Apple, which is concerned user data could be exposed. Apple says it is working with developers to get their apps back up and Been is refining its application for resubmission. In any case, Been says users must opt in for in-app ad blocking and that no data is stored on its servers.
Databases

IP Address May Associate Lyft CTO With Uber Data Breach (reuters.com) 103

An anonymous reader writes: According to two unnamed Reuters sources, the IP address of Lyft CTO Chris Lambert has been revealed by Uber's investigations to be associated with the accessing of a security key that was accidentally deposited on GitHub in 2014 and used to access 50,000 database records of Uber drivers later that year. However, bearing in mind that the breach was carried out through a fiercely protectionist Scandinavian VPN, and that Lambert was a Google software engineer before becoming CTO of a major technology company, it does seem surprising that he would have accessed such sensitive data with his own domestic IP address.
Security

Apple's iOS 9 Breaks VPNs 88

An anonymous reader writes with a report from The Stack that researchers have discovered a crucial security problem in the latest version of iOS 9: it breaks VPN connections to corporate servers. According to the linked piece, "The flaw was first detected in the iOS 9 beta, and has not been fixed in the released version. Neither has the bug been removed in the current iOS 9.1 beta." The workaround might not be what you want to hear, either, if you've happily upgraded to the latest version: it's to downgrade to iOS 8.4.1.
Encryption

Engaging Newbies In Email Encryption and Network Privacy 83

reifman writes: All six parts of my series introducing beginners to PGP encryption and network privacy are now freely available. I hope it's useful for Slashdot readers to share with their less-technical acquaintances. There's an introduction to PGP, a guide to email encryption on the desktop, smartphone and in the browser, an introduction to the emerging key sharing and authentication startup, Keybase.io, and an intro to VPNs. There's a lot more work for us to do on the ease of use of communications privacy, but this helps people get started with what's available today.
Government

FBI's Hacks Don't Comply With Legal Safeguards 64

An anonymous reader writes: The FBI hacks computers. Specifics are scarce, and only a trickle of news has emerged from court filings and FOIA responses. But we know it happens. In a new law review article, a Stanford Ph.D. candidate and privacy expert pulls together what's been disclosed, and then matches it against established law. The results sure aren't pretty. FBI agents deceive judges, ignore time limits, don't tell computer owners after they've been hacked, and don't get 'super-warrants' for webcam snooping. Whatever you think of law enforcement hacking, it probably shouldn't be this lawless.
Networking

Ask Slashdot: VPN Solution To Connect Mixed-Environment Households? 173

New submitter RavenLrD20k writes: I am a programmer by trade with a significant amount of training as a Network Administrator (AAS in Computer Networking). I have no problem with how to build three or four separate networks in each location and make them route over the internet. My weakness is in trying to set up a VPN for a secured two-way connection between location A and location B, both mixed OS environments, with the requirement that all of the internet traffic on B gets routed through A first. I've already looked at some boxed solutions, such as LogMeIn Hamachi, but there hasn't been much in the way of mixed environment support. This is a complicated one, so keep reading for more on what RavenLrD20k is trying to accomplish.
Security

UK Researchers Find IPv6-Related Data Leaks In 11 of 14 VPN Providers 65

jan_jes writes: According to researchers at Queen Mary University of London, services used by hundreds of thousands of people in the UK to protect their identity on the web are vulnerable to leaks. The study of 14 popular VPN providers found that 11 of them leaked information about the user because of a vulnerability known as 'IPv6 leakage'. The leakage occurs because network operators are increasingly deploying a new version of the protocol used to run the Internet, called IPv6. The study also examined the security of various mobile platforms when using VPNs and found that they were much more secure when using Apple's iOS, but were still vulnerable to leakage when using Google's Android. Similarly, Russian researchers exposed the breakthrough U.S. spying program a few months back. The VPNs they tested certainly aren't confined to the UK; thanks to an anonymous submitter, here's the list of services tested: Hide My Ass, IPVanish, Astrill, ExpressVPN, StrongVPN, PureVPN, TorGuard, AirVPN, PrivateInternetAccess, VyprVPN, Tunnelbear, proXPN, Mullvad, and Hotspot Shield Elite.
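Both the IPv6 leak above and the Perfect Privacy port-forwarding leak higher up on this page come down to one question: which interface does a packet leave on? A VPN client keeps a host route to the VPN server's public address via the physical interface (otherwise the tunnel packets would loop into the tunnel), and many clients never install an IPv6 route into the tunnel at all. The following is an added illustration, not code from Perfect Privacy or the Queen Mary study: a small longest-prefix-match route lookup run over two constructed client routing tables, one as a typical OpenVPN-style client leaves it and one after the fixes. The Port Fail mechanism modelled here (a forwarded port served on the same address as the tunnel endpoint, so the victim reaches it outside the tunnel with its real source address; the remedy being to serve port forwards from a separate server address) is Perfect Privacy's published description, and the addresses, interface names and table contents are assumptions using documentation ranges.

```python
"""Route-lookup model of two VPN leak classes (added example, not project code).

The routing tables below are constructed: a 'redirect-gateway def1'-style
client (two /1 halves into tun0, original default kept, /32 host route to
the VPN server via the physical NIC) and a corrected variant.  Addresses
come from RFC 5737 / RFC 3849 documentation ranges.
"""
import ipaddress

VPN_SERVER = "203.0.113.10"          # assumed tunnel endpoint
PORT_FORWARD_HOST = "203.0.113.11"   # assumed: server's separate address for forwarded ports

# Constructed table as a typical client leaves it while the tunnel is up.
LEAKY_ROUTES = [
    ("0.0.0.0/0",        "eth0"),   # original default route, still present
    ("0.0.0.0/1",        "tun0"),   # the two halves that override the default
    ("128.0.0.0/1",      "tun0"),
    (VPN_SERVER + "/32", "eth0"),   # host route so encrypted tunnel packets don't loop
    ("::/0",             "eth0"),   # IPv6 default untouched: every IPv6 flow bypasses tun0
]

# Constructed table after fixes: IPv6 halves into the tunnel; port forwards
# are reached on PORT_FORWARD_HOST, which has no host route, so they go via tun0.
FIXED_ROUTES = LEAKY_ROUTES + [
    ("::/1",    "tun0"),
    ("8000::/1", "tun0"),
]


def egress_interface(routes, dst):
    """Longest-prefix match within the destination's address family,
    the same rule a kernel FIB lookup applies. Returns None if no route."""
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        # 'in' is False across address families, so v4 routes never match v6 hosts.
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def leaking_destinations(routes, destinations, tunnel="tun0"):
    """Destinations whose packets would leave on anything other than the tunnel
    (and therefore carry the client's real source address)."""
    return [d for d in destinations if egress_interface(routes, d) != tunnel]


# Constructed probes: an ordinary site, a port forwarded on the tunnel
# endpoint's address (the Port Fail case), and an IPv6-only site.
PROBES_LEAKY = ["198.51.100.7", VPN_SERVER, "2001:db8::1"]
PROBES_FIXED = ["198.51.100.7", PORT_FORWARD_HOST, "2001:db8::1"]

if __name__ == "__main__":
    for name, routes, probes in (("leaky", LEAKY_ROUTES, PROBES_LEAKY),
                                 ("fixed", FIXED_ROUTES, PROBES_FIXED)):
        print(name, {d: egress_interface(routes, d) for d in probes})
        print("  leaks:", leaking_destinations(routes, probes))
```

Note that the Port Fail case cannot be closed by the client alone: the /32 host route to the endpoint is required for the tunnel to work, so the provider has to move forwarded ports onto an address the client does not route around the tunnel. The IPv6 case, by contrast, is a client-side omission, and a leak test is only meaningful if it probes an IPv6 destination as well as an IPv4 one.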
Businesses

New Zealand ISPs Back Down On Anti-Geoblocking Support 50

angry tapir writes: A number of New Zealand Internet service providers will no longer offer their customers support for circumventing regional restrictions on accessing online video content. Major New Zealand media companies SKY, TVNZ, Lightbox and MediaWorks filed a lawsuit in April, arguing that skirting geoblocks violates the distribution rights of its media clients for the New Zealand market. The parties have reached an out-of-court settlement.
Security

Hackers Exploit MacKeeper Flaw To Spread OS X Malware 63

An anonymous reader writes: Controversial OS X 'clean-up utility' MacKeeper is being exploited by cybercriminals to diffuse Mac malware OSX/Agent-ANTU, according to the BAE cyber security unit. A single line of JavaScript on a malicious web page is enough to hand over control of the user's system via MacKeeper. Lead security researcher Sergei Shevchenko said 'attackers might simply be 'spraying' their targets with the phishing emails hoping that some of them will have MacKeeper installed, thus allowing the malware to be delivered to their computers and executed.' The malware enables remote control over commands, uploads and downloads, and the setting of execution permissions, as well as granting access to details of VPN connections, user names, and lists of processes and statuses.
Security

How 1990s Encryption Backdoors Put Today's Internet In Jeopardy 42

An anonymous reader writes: While debate swirls in Washington D.C. about new encryption laws, the consequences of the last crypto war are still being felt. The Logjam vulnerabilities making headlines today are "a direct result of weakening cryptography legislation in the 1990s," researcher J. Alex Halderman said. "Thanks to Moore's law and improvements in cryptanalysis, the ability to break that crypto is something really anyone can do with open-source software. The backdoor might have seemed like a good idea at the time. Maybe the arguments 20 years ago convinced people this was going to be safe. History has shown otherwise. This is the second time in two months we've seen 90s era crypto blow up and put the safety of everyone on the internet in jeopardy."
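The point shared by this story and the IPsec Diffie-Hellman story earlier on this page is structural: the expensive part of breaking Diffie-Hellman depends only on the prime, not on the session, so a prime reused by many servers can be attacked once and then every session on it falls cheaply. The following is an added toy illustration, not code from the Imperfect Forward Secrecy paper or from any Logjam tooling. In the real attack the one-time work is the number field sieve against a 512-bit (or, for an agency-scale adversary, 1024-bit) prime; here baby-step giant-step on a 31-bit prime plays the same role, building a table tied to (p, g) once and then recovering each observed session's shared secret with a short lookup loop. The prime, generator and session count are assumptions chosen so it runs in a second.

```python
"""Amortised discrete-log precomputation against a shared DH prime (toy).

Added example. Baby-step giant-step stands in for the number field sieve:
the table depends only on (p, g), so it is built once and reused against
every session that picks its secrets over the same group.
"""
import math
import secrets

P = 2**31 - 1   # Mersenne prime; 7 is a primitive root modulo P (assumed toy group)
G = 7


class PrimePrecomputation:
    """One-time work tied to (p, g) only; shared by all sessions on that group."""

    def __init__(self, p, g):
        self.p, self.g = p, g
        self.m = math.isqrt(p) + 1          # m*m >= p-1 covers every exponent
        self.baby = {}                      # g^j -> j for 0 <= j < m
        cur = 1
        for j in range(self.m):
            self.baby.setdefault(cur, j)
            cur = cur * g % p
        # g^(-m) mod p via Fermat inverse; one multiplication per giant step.
        self.giant_step = pow(pow(g, self.m, p), p - 2, p)

    def dlog(self, h):
        """Return x with g^x == h (mod p). Per-session cost: at most m dict lookups."""
        gamma = h % self.p
        for i in range(self.m):
            j = self.baby.get(gamma)
            if j is not None:
                return i * self.m + j
            gamma = gamma * self.giant_step % self.p
        raise ValueError("h is not in the subgroup generated by g")


def dh_keypair(p, g):
    """Private exponent in [1, p-2] and the public value g^x mod p."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def run_session(p, g):
    """Honest exchange; returns what a passive observer sees plus the true secret."""
    a, pub_a = dh_keypair(p, g)
    b, pub_b = dh_keypair(p, g)
    shared = pow(pub_b, a, p)
    assert shared == pow(pub_a, b, p)
    return {"A": pub_a, "B": pub_b, "shared": shared}


def passive_break(precomp, pub_a, pub_b):
    """Observer recovers a = log_g(A) from the table, then B^a, with no per-prime work."""
    a = precomp.dlog(pub_a)
    return pow(pub_b, a, precomp.p)


def break_sessions(precomp, sessions):
    """Number of observed sessions whose shared secret the one table recovers."""
    return sum(passive_break(precomp, s["A"], s["B"]) == s["shared"] for s in sessions)


if __name__ == "__main__":
    pre = PrimePrecomputation(P, G)                 # paid once for the prime
    observed = [run_session(P, G) for _ in range(20)]
    print("sessions broken:", break_sessions(pre, observed), "of", len(observed))
```

The same shape is why the paper's authors and Paul Wouters can disagree about the *number* of affected IPsec connections while agreeing on the mechanism: the count depends on how many servers actually share a given prime, which is what the scan methodology has to get right. Using a fresh, large group per deployment, or elliptic-curve groups, removes the per-prime amortisation rather than just raising its cost.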