“Unauthorized code” in Juniper firewalls decrypts encrypted VPN traffic

As involved as that process was, getting unauthorized code covertly installed into an official operating system and keeping it there for years would appear to be an even more complicated—and brazen—undertaking. This 2013 article published by Der Spiegel reported that an NSA operation known as FEEDTHROUGH worked against Juniper firewalls and gave the agency persistent backdoor access.

Source: “Unauthorized code” in Juniper firewalls decrypts encrypted VPN traffic | Ars Technica

VPN Related Vulnerability Discovered on an Android device

In this video we demonstrate the vulnerability via the following steps:

  1. We present a regular Android device (in this case it is the popular Samsung S4 device). Behind it we display a screen with packet capturing tool, showing the traffic that flows through that computer.
  2. Now the user runs the malicious app and clicks on the Exploit button which takes advantage of the vulnerability in the phone’s system.

via VPN Related Vulnerability Discovered on an Android device – Disclosure Report | Cyber Security Labs @ Ben Gurion University.

Note that the exploit vector requires user action: the victim has to run the malicious app themselves.

Splinternet Behind the Great Firewall of China

GFW is not perfect, however. Some Chinese technical professionals can bypass it with a variety of methods and/or tools. An arms race between censorship and circumvention has been going on for years, and GFW has caused collateral damage along the way.

via Splinternet Behind the Great Firewall of China – ACM Queue.

VPN (virtual private network) and SSH (secure shell) are the most powerful and stable tools for bypassing all surveillance technologies, although the basic ideas are the same as with the aforementioned tools: proxies and encrypted channels. The only difference is that VPN and SSH depend on a private host (or virtual host) or an account outside of China, instead of open, free proxies. Only technical professionals are able to set up such hosts or accounts, and most of them are not free. Commercial or public VPN services will be blocked by IP address and/or domain names if they are popular enough. In fact, the domain names vpn.* are all blocked (such as vpn.com, vpn.net, vpn.org, vpn.info, vpn.me, vpn.us, vpn.co).

VPN Services | GoTrusted.com

GoTrusted is the leading provider of Internet security, identity protection and private browsing. GoTrusted turns any free public Wi-Fi into an encrypted and firewalled hotspot for your computer or device. Browse in private, unblock websites, view video from your home country, send and receive email, and use social media securely when on GoTrusted. Unlike other ‘ad-based’ privacy or proxy software, GoTrusted’s VPN service network is fast without security compromising ads. GoTrusted is easy to install and use, with no advanced computer knowledge or confusing settings required. With GoTrusted, know your privacy is always protected wherever you connect.

via VPN Services | GoTrusted.com.

Die, VPN! We’re all “telecommuters” now—and IT must adjust

They can’t get the passcode into your cloud resources, and they don’t have the ability to generate the passcode. You don’t have to go that far, of course, but the point is that if there’s no local data on the device in normal use, there’s no local data on the device that can be stolen.

via Die, VPN! We’re all “telecommuters” now—and IT must adjust.

Here are a couple of interesting comments covering both sides of this issue:

m00dawg | a day ago
That is some awfully biased hate for VPN. Setting up VPN is easy. Easier in OS X. What is complicated is having to manage everyone’s dynamic IPs to prevent access to our internal only services. You know what solves that? VPN. This article seems obnoxiously biased and opinionated and written with tunnel vision perspective with the assumption that all IT departments operate the same way (they don’t).

fbar | a day ago
I work in a large IT org in a large company. This issue keeps creeping up all the time. I think most end users just really want access to email, contacts, calendar and IM – this tends to cover at least 80% of the use cases. This can be done with a digital cert and loginid/password – without installing a VPN client. It took a while to convince the security group to do this. Full layer 3 routing access to the network should be for sensitive apps like SAP, etc. Sadly though most IT departments will continue to drive that square peg into that round hole. Hey, IPv6 will solve all our problems. LoL 🙂