An anonymous reader quotes a report from The Register: Google in November will prohibit Android VPN apps in its Play store from interfering with or blocking advertising, a change that may pose problems for some privacy applications. The updated Google Play policy, announced last month, will take effect on November 1. It states that only apps using the Android VPNService base class, and that function primarily as VPNs, can open a secure device-level tunnel to a remote service. Such VPNs, however, cannot "manipulate ads that can impact apps monetization."

The rules appear to be intended to deter data-grabbing VPN services, such as Facebook's discontinued Onavo, and to prevent ad fraud. The T&Cs spell out that developers must declare the use of VPNservice in their apps' Google Play listing, must encrypt data from the device to the VPN endpoint, and must comply with Developer Program Policies, particularly those related to ad fraud, permissions, and malware.

Blokada, a Sweden-based maker of an ad-blocking VPN app, worries this rule will hinder at least the previous iteration of its software, v5, and other privacy-oriented software. "Google claims to be cracking down on apps that are using the VPN service to track user data or rerouting user traffic to earn money through ads," Reda Labdaoui, marketing and sales manager at Blokada, wrote last week in a a forum post. "However, these policy changes also apply to apps that use the service to filter traffic locally on the device." Labdaoui suggests Blokada v6, which launched in June, should not be affected because it does filtering in the cloud without violating Google's device policies. But other apps may not be so fortunate.

A security researcher says that Apple's iOS devices don't fully route all network traffic through VPNs as a user might expect, a potential security issue the device maker has known about for years. From a report: Michael Horowitz, a longtime computer security blogger and researcher, puts it plainly -- if contentiously -- in a continually updated blog post. "VPNs on iOS are broken," he says. Any third-party VPN seems to work at first, giving the device a new IP address, DNS servers, and a tunnel for new traffic, Horowitz writes. But sessions and connections established before a VPN is activated do not terminate and, in Horowitz's findings with advanced router logging, can still send data outside the VPN tunnel while it's active.

In other words, you might expect a VPN client to kill existing connections before establishing a secure connection so they can be re-established inside the tunnel. But iOS VPNs can't seem to do this, Horowitz says, a finding that is backed up by a similar report from May 2020. "Data leaves the iOS device outside of the VPN tunnel," Horowitz writes. "This is not a classic/legacy DNS leak, it is a data leak. I confirmed this using multiple types of VPN and software from multiple VPN providers. The latest version of iOS that I tested with is 15.6."

An anonymous reader quotes a report from BleepingComputer: Cisco confirmed today that the Yanluowang ransomware group breached its corporate network in late May and that the actor tried to extort them under the threat of leaking stolen files online. The company revealed that the attackers could only harvest and steal non-sensitive data from a Box folder linked to a compromised employee's account. "Cisco experienced a security incident on our corporate network in late May 2022, and we immediately took action to contain and eradicate the bad actors," a Cisco spokesperson told BleepingComputer. "Cisco did not identify any impact to our business as a result of this incident, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations. On August 10 the bad actors published a list of files from this security incident to the dark web. We have also implemented additional measures to safeguard our systems and are sharing technical details to help protect the wider security community."

The Yanluowang threat actors gained access to Cisco's network using an employee's stolen credentials after hijacking the employee's personal Google account containing credentials synced from their browser. The attacker convinced the Cisco employee to accept multi-factor authentication (MFA) push notifications through MFA fatigue and a series of sophisticated voice phishing attacks initiated by the Yanluowang gang that impersonated trusted support organizations. The threat actors finally tricked the victim into accepting one of the MFA notifications and gained access to the VPN in the context of the targeted user. Once they gained a foothold on the company's corporate network, Yanluowang operators spread laterally to Citrix servers and domain controllers.

"They moved into the Citrix environment, compromising a series of Citrix servers and eventually obtained privileged access to domain controllers," Cisco Talos said. After gaining domain admin, they used enumeration tools like ntdsutil, adfind, and secretsdump to collect more information and installed a series of payloads onto compromised systems, including a backdoor. Ultimately, Cisco detected and evicted them from its environment, but they continued trying to regain access over the following weeks. [...] Last week, the threat actor behind the Cisco hack emailed BleepingComputer a directory listing of files allegedly stolen during the attack. The threat actor claimed to have stolen 2.75GB of data, consisting of approximately 3,100 files. Many of these files are non-disclosure agreements, data dumps, and engineering drawings.

DNSFilter, a Washington, D.C.-based provider of DNS-based web content filtering and threat protection, has announced it's acquiring Guardian, a privacy-protecting firewall for iOS. Financial terms of the deal were not disclosed. From a report: Guardian was founded in 2013 by Will Strafach, a security researcher and former iPhone jailbreaker who in 2017 discovered that AccuWeather was secretly sending precise location data to a third-party company without a user's permission. The company's "smart firewall" iPhone app blocks apps from sharing users' personal information with third-parties, such as IP addresses and location data, by funneling data through an encrypted virtual private network (VPN). The startup, which claims to have so far blocked more than 5 billion data trackers and 1 billion location trackers, recently joined forces with Brave to integrate its firewall and VPN functionality into its eponymous non-tracking browser.

ZDNet reports: Microsoft is rolling out a new security default for Windows 11 that will go a long way to preventing ransomware attacks that begin with password-guessing attacks and compromised credentials. The new account security default on account credentials should help thwart ransomware attacks that are initiated after using compromised credentials or brute-force password attacks to access remote desktop protocol (RDP) endpoints, which are often exposed on the internet.

RDP remains the top method for initial access in ransomware deployments, with groups specializing in compromising RDP endpoints and selling them to others for access.

The new feature is rolling out to Windows 11 in a recent Insider test build, but the feature is also being backported to Windows 10 desktop and server, according to Dave Weston, vice president of OS Security and Enterprise at Microsoft. "Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute force password vectors. This technique is very commonly used in Human Operated Ransomware and other attacks — this control will make brute forcing much harder which is awesome!," Weston tweeted.

Weston emphasized "default" because the policy is already an option in Windows 10 but isn't enabled by default. That's big news and is a parallel to Microsoft's default block on internet macros in Office on Windows devices, which is also a major avenue for malware attacks on Windows systems through email attachments and links.... The defaults will be visible in the Windows Local Computer Policy directory "Account Lockout Policy".

The default "account lockout duration" is 10 minutes; the "account lockout threshold" is set to a maximum of 10 invalid logon attempts; a setting to "allow administrator account lockout" is enabled; and the "reset account lockout counter after" setting is set to 10 minutes.

If you have been on Steam, the world's largest PC gaming platform, you might have noticed an anomaly on the chart of the top 20 most popular apps: Wallpaper Engine. The software is pretty cool -- it lets you download animated and interactive wallpapers for your machine's monitor -- but it's hard to explain why an obscure wallpaper app consistently ranks alongside global blockbuster franchises like Counter-Strike or Dota. From a report: The epiphany will come when you begin to read Wallpaper Engine's many reviews. More than 200,000 of them are written in Chinese, stretching from 2016 to 2022. And these reviews almost all talk about one thing: porn. Or more specifically, about using the software as a cloud drive and a video player for exchanging adult-only content.

Online porn is banned in China, so people there have to get creative to access it. Steam is one of the only popular global platforms still available in the country, and its community features, international high-speed servers, and increasingly hands-off approach when it comes to sexual content have made it an inevitable choice. Chinese users now make up at least 40% of Wallpaper Engine's global user base, MIT Technology Review estimates. Last year, users in China suddenly needed to use VPN services to access certain Steam services. As the reviews show, now they are afraid they may soon lose this rare community, either because of platform content moderation or the possibility that China might block Steam altogether.

Two members of the U.S. Congress urged America's Federal Trade Commission "to address deceptive practices in the Virtual Private Network industry," reports the Verge: With abortion becoming illegal or restricted in several states, more people are looking to conceal their messages and search history, as police can use this information to prosecute someone seeking the procedure. In their letter, Anna Eshoo (D-CA) and Senator Ron Wyden ask the FTC to clamp down on VPN providers that engage in deceptive advertising, or make false assertions about the range of their service's privacy. The lawmakers cite research from Consumer Reports that indicate 75 percent of the most popular VPNs "misrepresented their products" or made misleading claims that could give "abortion-seekers a false sense of security." Eshoo and Wyden also call attention to reports accusing various VPN services of misusing user data, as well as "a lack of practical tools or independent research to audit VPN providers' security claims...."

"We urge the Federal Trade Commission to take immediate action... to curtail abusive and deceptive data practices in companies providing VPN services to protect internet users seeking abortions." Eshoo and Wyden also ask that the FTC develop a brochure that informs anyone seeking an abortion about online privacy, as well as outlines the risks and benefits of using a VPN.

India will give VPN providers and cloud service operators an additional three months to comply with new rules that require they maintain names and addresses of their customers and their IP addresses, delivering some relief to firms as many scramble to follow the new guidelines and others explore exiting the South Asian market. From a report: The Indian Computer Emergency Response Team, the body appointed by the government to protect India's information infrastructure, said Monday evening it is extending the enforcement of the new rules to September 25. The rules, unveiled in late April, was set to go into effect Monday. Its announcement follows sharp criticism from VPN providers, many of which including Nord and ExpressVPN have announced their intentions to remove local servers in the country in recent weeks. [...] CERT's new directions require "virtual private server (VPS) providers, cloud service providers, VPN service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and government organisations" to store customers' names, email addresses, IP addresses, know-your-customer records and financial transactions for a period of five years.

Mullvad has taken the decision to completely remove the ability to create new subscriptions -- all in the name of storing less data about their users. TechRadar reports: "Subscriptions clearly offer a lot of convenience but as we've seen that convenience comes at a cost and we no longer think this is an acceptable trade-off. We care deeply about usability but when it comes down to it, privacy has to win," wrote the provider in a blog post.

This move is a step forward in Mullvad's commitment to its users' privacy. It's actually one of the few services not to ask for any email address or other personal information to create an account. However, when it came to recurring subscription, the provider was forced to retain record of payments in order to provide refunds, charge the user again after their initial period of cover or recover a missing account. Therefore, one-time payments appear to be the only solution.

"We are constantly looking for ways to reduce the amount of data we store while still providing a usable service. Nowhere is the tension between privacy and usability more apparent than in the area of payments." Mullvad's monthly fee has always been the same on every plan - around $5.50. This is very different than almost every other consumer VPN, but there's no need to stress about a price rise. What's more, those who currently have an active Mullvad subscription do not need to worry either. Their account will keep running as usual for at least six months, or until their subscription comes to the end of a term.

While he couldn't even ethically accept the million dollars, PC Magazine's senior security analyst Max Eddy writes that "how this happened in the first place is indicative of some of the information security industry's worst impulses. It doesn't have to be this way." Back in 2017, Telegram founder Pavel Durov and I had a disagreement... Durov tweeted about how the Signal secure messaging app had received money from the U.S. government. This is true; Signal received funds from the Open Technology Fund (OTF) — a nonprofit that previously was part of the US-backed Radio Free Asia. According to the OTF's website, it gave nearly $3 million to between 2013 and 2016. It's entirely legitimate to be suspicious of government funding (even if TOR, OpenVPN, and WireGuard also received OTF money), and even take a moral stand against recipients of money from governments you disagree with.

But Durov went far beyond that. He seemed to think this meant Signal was bought off by the feds and predicted that a backdoor would be found within five years.

That's quite an accusation to make, especially without real proof, and it made me mad. Not because people were mouthing off on Twitter — that seems to be that platform's primary function. It made me mad that companies ostensibly working to better people's lives by protecting their security and privacy were trying to drag each other down publicly. This is not new; the VPN industry is full of whisper campaigns and counter-accusations. I can't tell you how many conversations I've had with VPN vendors that start with "first off, everything you heard is a lie...." But generally the message from companies in this industry is one of cooperation and protecting everyone. It's a common theme to keynotes at the RSA Conference and Black Hat that the people who work in infosec have a higher calling to protect other people first and do business second.
And then this happened (on Twitter):


Max Eddy: It's one thing to point out funding and another to say that a "backdoor will be found within five years."

Pavel Durov: I am certain of what I'm saying and am willing to bet $1M (1:1) on it.


While Eddy didn't have a million dollars, "I knew there was no way I would lose. This would be the easiest million-dollar bet I ever make." I was confident Durov was wrong because Signal, like many companies, has made an effort toward transparency that I can have some confidence in. Signal has made its code available, has registered as a nonprofit, has a fairly comprehensive privacy policy, and has made abundantly clear that it has no information to provide in response to law enforcement requests. Signal's protocol is also used by competitors, such as WhatsApp and Facebook Messenger, which have surely done their homework when selecting a method for encrypting messages. Most recently, a document revealed that even the FBI has been frustrated in its attempts to get data from Signal (and Telegram, too).
It's been five years, and Eddy now writes that Signal "continues to be recommended by advocacy groups of all kinds as a safe and secure way to communicate..."

"Neither Durov nor Telegram responded to my attempts to contact them for this story."

An anonymous reader quotes a report from BleepingComputer: Cisco advises owners of end-of-life Small Business RV routers to upgrade to newer models after disclosing a remote code execution vulnerability that will not be patched. The vulnerability is tracked as CVE-2022-20825 and has a CVSS severity rating of 9.8 out of 10.0. According to a Cisco security advisory, the flaw exists due to insufficient user input validation of incoming HTTP packets on the impacted devices. An attacker could exploit it by sending a specially crafted request to the web-based management interface, resulting in command execution with root-level privileges.

The vulnerability impacts four Small Business RV Series models, namely the RV110W Wireless-N VPN Firewall, the RV130 VPN Router, the RV130W Wireless-N Multifunction VPN Router, and the RV215W Wireless-N VPN Router. This vulnerability only affects devices with the web-based remote management interface enabled on WAN connections. [...] Cisco states that they will not be releasing a security update to address CVE-2022-20825 as the devices are no longer supported. Furthermore, there are no mitigations available other than to turn off remote management on the WAN interface, which should be done regardless for better overall security. Users are advised to apply the configuration changes until they migrate to Cisco Small Business RV132W, RV160, or RV160W Routers, which the vendor actively supports.

NordVPN, one of the most popular VPN providers, is the latest to confirm that it will be removing its servers in India ahead of the nation enacting new strict guidelines later this month. From a report: The Lithuania-based firm, which counts General Catalyst and Novator among its backers and is valued at $1.6 billion, said on Tuesday that it doesn't maintain any logs of its customers' data, strings of information that New Delhi will soon require VPN providers to share. "Moreover, we are committed to protecting the privacy of our customers. Therefore, we are no longer able to keep servers in India," a company spokesperson said.

The Indian Computer Emergency Response Team, the body appointed by the government to protect India's information infrastructure, unveiled cybersecurity guidelines in late April that will require "virtual private server (VPS) providers, cloud service providers, VPN service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and government organisations" to store customers' names, email addresses, IP addresses, know-your-customer records and financial transactions for a period of five years. The new rules go into effect June 27. NordVPN's decision follows similar directions taken by ExpressVPN and SurfShark, both of which have removed servers in the country. It's unclear how popular VPN services are in India, but on their sites the aforementioned firms say they are used by millions of users worldwide.

ExpressVPN has removed its servers from India, becoming the first major virtual private network (VPN) provider to do so in the aftermath of the recent cybersecurity rules introduced by the country's cybersecurity agency. The rules require VPN providers to store user data for a period of five years. ExpressVPN said it "refuses to participate in the Indian government's attempts to limit internet freedom." The India Express reports: In a blog post, the British Virgin Island-based company said that with the introduction of the new cybersecurity rules by the Indian Computer Emergency Response Team (CERT-In), it has made a "very straightforward decision to remove our Indian-based VPN servers." While ExpressVPN is the first to pull its services from India, other VPN providers like NordVPN have also taken a similar stance.

The guidelines, released by CERT-In on April 26, asked VPN service providers along with data centers and cloud service providers, to store information such as names, e-mail IDs, contact numbers, and IP addresses (among other things) of their customers for a period of five years. The government said it wants these details to fight cybercrime, but the industry argues that privacy is the main selling points of VPN services, and such a move would be in breach of the privacy cover provided by VPN platforms.

ExpressVPN described the cybersecurity rules as "broad" and "overreaching." "The law is also overreaching and so broad as to open up the window for potential abuse. We believe the damage done by potential misuse of this kind of law far outweighs any benefit that lawmakers claim would come from it," ExpressVPN said. It added that while CERT-In's rules are intended to fight cybercrime, they are "incompatible with the purpose of VPNs, which are designed to keep users' online activity private." Indian users of ExpressVPN will still be able to use its service via "virtual" India servers located in Singapore and the UK. "We will never collect logs of user activity, including no logging of browsing history, traffic destination, data content, or DNS queries. We also never store connection logs, meaning no logs of IP addresses, outgoing VPN IP addresses, connection timestamps, or session durations," the company said.

An anonymous reader quotes a report from Ars Technica: Apple's Safari web browser has more than 1 billion users, according to an estimate by Atlas VPN. Only one other browser has more than a billion users, and that's Google's Chrome. But at nearly 3.4 billion, Chrome still leaves Safari in the dust. It's important to note that these numbers include mobile users, not just desktop users. Likely, Safari's status as the default browser for both the iPhone and iPad plays a much bigger role than its usage on the Mac. Still, it's impressive given that Safari is the only major web browser not available on Android, which is the world's most popular mobile operating system, or Windows, the most popular desktop OS. "The statistics are based on the GlobalStats browser market share percentage, which was then converted into numbers using the Internet World Stats internet user metric to retrieve the exact numbers," explains Atlas VPN in a blog post.

Swiss-based encrypted email provider ProtonMail today announced a restructuring of its privacy-first services, bringing them under a new unifying brand name: Proton. "Today, we are undertaking our biggest step forward in the movement for an internet that respects your privacy. The new, updated Proton offers one account, many services, and one privacy-by-default ecosystem. You can now enjoy unified protection with a modernized look and feel. Evolving into a unified Proton reflects our growth from an end-to-end encrypted email provider to an entire privacy ecosystem, allowing us to deliver even more benefits to the Proton community and make privacy accessible to everyone," the company said. MacRumors adds: Previously, users could only subscribe to each service the company offered individually. Going forward, the new Proton offers one account to access all the services offered in the company's privacy-by-default ecosystem, including Proton Mail, Proton VPN, Proton Calendar, and Proton Drive, all of which can be accessed from proton.me. All Proton services remain available as a free tier, with more advanced features and more storage available via paid plans. The free Proton tier includes up to 1GB of storage and one Proton email address, as well as access to Proton's encrypted Calendar and VPN services. Further reading: Proton Is Trying to Become Google -- Without Your Data.

India is pushing ahead with its new cybersecurity rules that will require cloud service providers and VPN operators to maintain names of their customers and their IP addresses and suggested firms unwilling to comply to pull out of the world's second largest internet market. From a report: The Indian Computer Emergency Response Team clarified on Wednesday that "virtual private server (VPS) providers, cloud service providers, VPN service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and government organisations" shall follow the directive, called Cyber Security Directions, that requires them to store customers' names, email addresses, IP addresses, know your customer records, financial transactions for a period of five years. The new rules, which were unveiled late last month and go into effect late June, won't be applicable to corporate and enterprise VPNs, the government agency clarified. Several VPN providers have expressed worries about India's new cybersecurity rules. NordVPN, one of the most popular VPN operators, said earlier that it may remove its services from India if "no other options are left." Rajeev Chandrasekhar, the junior IT minister of India, said that VPN providers who wish to conceal who uses their services "will have to pull out."

VPN companies are squaring up for a fight with the Indian government over new rules designed to change how they operate in the country. Wired: On April 28, officials announced that virtual private network companies will be required to collect swathes of customer data -- and maintain it for five years or more -- under a new national directive. VPN providers have two months to accede to the rules and start collecting data. The justification from the country's Computer Emergency Response Team (CERT-In) is that it needs to be able to investigate potential cybercrime. But that doesn't wash with VPN providers, some of whom have said they may ignore the demands.

"This latest move by the Indian government to require VPN companies to hand over user personal data represents a worrying attempt to infringe on the digital rights of its citizens," says Harold Li, vice president of ExpressVPN. He adds that the company would never log user information or activity and that it will adjust its "operations and infrastructure to preserve this principle if and when necessary." Other VPN providers are also considering their options. Gytis Malinauskas, head of Surfshark's legal department, says the VPN provider couldn't currently comply with India's logging requirements because it uses RAM-only servers, which automatically overwrite user-related data. [...] ProtonVPN is similarly concerned, calling the move an erosion of civil liberties.

An anonymous reader quotes a report from XDA Developers: Microsoft is testing a VPN-like service for its Edge browser, adding a new layer of security and privacy to the browsing experience. A recently-discovered support page on Microsoft's website details the "Microsoft Edge Secure Network" feature, which provides data encryption and prevents online tracking, courtesy of Cloudflare. While it isn't available yet, even if you have the latest Dev channel build, the Microsoft Edge Secure Network feature appears to be similar in nature to Cloudflare's 1.1.1.1 service. This is essentially a proxy or VPN service, which encrypts your browsing data so that it's safe from prying eyes, including your ISP. It also keeps your location private, so you can use it to access geo-restricted websites, or content that's blocked in your country.

Microsoft Edge's Secure Network mode will require you to be signed into your Microsoft account, and that's because the browser keeps track of how much data you've used in this mode. You get 1GB of free data per month, and that's tied to your Microsoft account. Most VPN services aren't free, so this shouldn't come as a surprise. Cloudflare itself doesn't keep any personally-identifiable user data, and any data related to browsing sessions is deleted every 25 hours. Information related to your data usage is also deleted at the end of each monthly period.

Microsoft Edge could soon receive an integrated VPN service called the "Microsoft Edge Secure Network." The VPN (Virtual Private Network) service would work very similar to commercial VPN services, but it could be deeply integrated within the Microsoft Edge browser. From a report: The VPN service will be powered by Cloudflare. The company assures it permanently deletes the diagnostic and support data collected, every 25 hours.

Chess.com, writes in a blog post: Yesterday, Chess.com was banned by the Russian government agency Roscomnadzor, the "Federal Service for Supervision of Communications, Information Technology and Mass Media." Roscomnadzor is responsible for censorship within Russia, a busy occupation these days. Since the start of Russia's war against Ukraine on February 24th, Roscomnadzor has banned hundreds of sites including Facebook, Twitter, Instagram, Google News, BBC News, NPR, and Amnesty International. According to Roscomnadzor, their goal is to block two webpages: "On The Invasion of Ukraine" which outlines our policy and actions regarding the war on Ukraine and addresses FAQ and "Ukrainian Chess Players In Times Of War" which is a piece interviewing Ukrainian chess players on their circumstances and views during the early days of the war. Since Chess.com uses secure https webpages, Roscomnadzor is unable to ban these single pages and has banned the entire Chess.com site. Our members report that Chess.com's apps are unaffected. We happily encourage our Russian members to continue accessing our site using our apps or any of the many outstanding VPN services that are so essential in Russia.