90 Percent of All SSL VPNs Use Insecure or Outdated Encryption

Information security firm High-Tech Bridge has conducted a study of SSL VPNs (Virtual Private Networks) and discovered that nine out of ten such servers don’t provide the security they should be offering, mainly because they are using insecure or outdated encryption.

An SSL VPN is different from a classic IPSec VPN because it can be used inside a standard Web browser without needing to install specific software on the client-side.

SSL VPNs are installed on servers, and clients connect to the VPN via their browsers alone. This connection between the user’s browser and the VPN server is encrypted with the SSL or TLS protocol.

Three-quarters of all SSL VPNs use untrusted certificates

Researchers from High-Tech Bridge say they analyzed 10,436 randomly selected SSL VPN servers and they found that most of them are extremely insecure.

They claim that 77% of all SSL VPNs use SSLv3 or SSLv2 to encrypt traffic. Both versions of the SSL protocol are considered insecure today, so much so that international and national security standards, such as the PCI DSS and NIST SP 800-52 guidelines, prohibit their use.

Regardless of their SSL version, 76% of all SSL VPN servers also used untrusted SSL certificates. These are SSL certificates that the server has not confirmed, and that attackers can mimic to launch MitM (Man-in-the-Middle) attacks on unsuspecting users.

High-Tech Bridge experts say that most of these untrusted certificates exist because many SSL VPNs come with default pre-installed certificates that are rarely updated.

Some VPNs still use MD5 to sign certificates

Researchers also note that 74% of certificates are signed with SHA-1 signatures, and 5% with MD5 hashes, both considered outdated.

41% of all SSL VPNs also used insecure 1024-bit key lengths for their RSA certificates, even though any RSA key length below 2048 has been considered highly insecure for the past years.

Even worse, one in ten SSL VPNs is still vulnerable to the two-year-old Heartbleed vulnerability, despite patches being available.

Out of all the tested SSL VPNs, researchers say that only 3% followed PCI DSS requirements. None managed to comply with NIST (National Institute of Standards and Technology) guidelines.

High-Tech Bridge is also providing a free tool that can tell users if their SSL VPN or HTTPS website is actually doing a good job of protecting them.

For the original story follow this link to Softpedia for more information.

Americans are wary about IoT privacy

Americans are in an “it depends” state when it comes to disclosing personal information over internet-connected devices, according to a new Pew Research Center study. The study proposed different scenarios to which 461 Americans expressed whether they believed being monitored by a device was acceptable, not acceptable, or depended on the situation. Pew Research Center found that some scenarios were acceptable to the majority of Americans, but the answers often came with caveats. For example, most consumers find a security camera in the office acceptable, but with restrictions; one person said, “It depends on whether I would be watched and filmed every minute of the day during everything I do.”

Here are the responses to the IoT-related scenarios the study presented:

• Office surveillance cameras: More than half (54%) of Americans believe that it’s acceptable for a surveillance camera in the workplace, making it the most acceptable of the six proposed scenarios. Another 21% answered “it depends,” while 24% said it would not be acceptable.

• Sharing health information with your doctor: 52% of Americans believe it’s acceptable for their doctor to utilize a website to manage patient records and schedule appointments, 20% answered “it depends,” and 26% thought it was not acceptable. This correlates with an iTriage survey, which indicated that 76% of consumers feel comfortable transferring wearable health data to their practitioner.

• Usage-based auto insurance: 37% of respondents answered it was acceptable for auto insurance companies to collect information via a UBI dongle, such as Progressive’s Snapshot, and offer discounts for safe driving. 45% said it was not acceptable, while 16% said “it depends.”

• Smart thermostat: 27% of respondents said it was acceptable for a smart thermostat in the house to track where the occupant is and share that data. More than half of respondents (55%) said it was not acceptable, and 17% answered “it depends.”

Through focus groups and open-ended answers, Pew narrowed down the top reasons consumers believe sharing information is unacceptable:

1) The threat of scammers and hackers;
2) Being repeatedly marketed to by companies collecting data;
3) They do not want to share their location;
4) They think it’s “creepy”;
5) The companies collecting the data have ulterior motives to use it.

Data privacy will continue to be a big trend as the Internet of Things market matures. Device makers should be transparent about the data being collected and what it’s used for. Further, they should ensure the devices and their associated data storage bases are secure.

To read more of this article and the original story follow this link to Business Insider.

This World Map Shows Every Device Connected To The Internet

A striking map created by John Matherly at search engine Shodan shows significant disparities in internet access across the world.

The graphic maps every device that’s directly connected to the internet. We first noticed it when geopolitical expert Ian Bremmer tweeted it.

Some of the dark spots on the map could be attributed to low population density in those areas, but by looking at the map it’s clear that internet access isn’t equal across the world.

The different colors indicate the density of devices — blue indicates fewer devices and red indicates more devices at a given location.

As you can see from the map, the US and Europe have very high levels of internet connectivity, with the exception of the less-populated areas of the western US. Africa is mostly an internet blackout, and Asia has much less internet connectivity than Europe and the US despite having very dense population centers in some areas.

Matherly told Business Insider how he put the map together (at least for a tech guy):

The way it was performed is fairly straightforward:

1. Use a stateless scanner to send a Ping request to every public IPv4 address

2. Keep track of which IPs responded with a Pong

3. Find out where the IP is physically located using a GeoIP library (i.e. translates from x.x.x.x -> latitude/longitude)

4. Draw the map

Steps 1-3 took about 5 hours and the final step took 12 hours. This is possible because nowadays we have the technology (stateless scanning) to very efficiently talk to millions of devices on the Internet at once.

Source: Business Insider

Charter Users In St. Louis Get Sudden Speed Boost

A magical and wonderful thing has happened to some customers who have Charter Internet service. After restarting their cable modems for some reason or another, they found that their home internet connections had received a speed boost. It was a big one, boosting real-life speeds from about 30 mbps to 100 mbps.

Reports of the speed boost cropped up on DSLReports on a thread about a planned speed boost elsewhere. St. Louis residents shared their good fortune with the world.

Confusingly, Charter does offer a 100 mbps service tier to customers. As Legit Reviews points out, these speedsters received a speed boost from 100 to 120 mbps, but is that enough to continue paying for the upgrade?

If you’re a Charter customer in that area, try power cycling your modem to find out whether you get the update, too. You may find a pleasant surprise.

The question is: why? Sure, St. Louis is in the same state as Google Fiber rollout site Kansas City, but it’s a long drive and a heck of a commute.

Source: Consumerist

More online Americans say they’ve experienced a personal data breach

As news of large-scale data breaches and vulnerabilities grows, new findings from the Pew Research Center suggest that growing numbers of online Americans have had important personal information stolen and many have had an account compromised.

Findings from a January 2014 survey show that:

• 18% of online adults have had important personal information stolen such as their Social Security Number, credit card, or bank account information. That’s an increase from the 11% who reported personal information theft in July 2013.

• 21% of online adults said they had an email or social networking account compromised or taken over without their permission. The same number reported this experience in a July 2013 survey.

Last week’s discovery of the Heartbleed security flaw is the latest in a long string of bad news about the vulnerabilities of digital data. The bug, which affects a widely-used encryption technology that is intended to protect online transactions and accounts, went undetected for more than two years. Security researchers are unsure whether or not hackers have been exploiting the problem, but the scope of the problem is estimated to affect up to 66% of active sites on the Internet.

In December, Target announced that credit and debit card information for 40 million of its customers had been compromised. Shortly thereafter, the retailer reported that an even larger share of its customers may have had personal information like email and mailing addresses stolen. In January, Neiman Marcus reported the theft of 1.1 million credit and debit cards by hackers who had invaded its systems with malware.

The consequences of these flaws and breaches may add insult to injury for those who have already experienced some kind of personal information theft. And research suggests that young adults and younger baby boomers may have been especially hard hit in the second half of 2013.

In our survey last year, we found that 7% of online adults ages 18-29 were aware that they had important personal information stolen such as their Social Security Number, credit card or bank account information. The latest survey finds that 15% of young adults have experienced this kind of personal information theft. Similarly, those ages 50-64 became significantly more likely to report that they had personal information stolen; while 11% said they had this experience in July, that figure jumped to 20% in January. Increases among other age groups were not statistically significant.

As online Americans have become ever more engaged with online life, their concerns about the amount of personal information available about them online have shifted as well. When we look at how broad measures of concern among adults have changed over the past five years, we find that internet users have become more worried about the amount of personal information available about them online—50% reported this concern in January 2014, up from 33% in 2009.

Source: Pew Research Center

Report: U.S. ranks 31st in broadband speed tests

According to the latest numbers from Ookla’s Net Index, the United States ranks 31st among every other country for internet download speeds, and 42nd for upload speeds. The data was gathered from the average of the past 30 days of speed tests done on Seattle-based Ookla’s Speedtest.net site.

While that still puts the U.S. in the top 20 percent of countries, there’s a lot of room for improvement. As Internet-connected devices continue to drive economic growth, increasing broadband speeds to keep up with the rest of the world is key.

The expansion of fiber networks, including Google Fiber and Seattle’s effort to bring fiber connectivity to parts of the city, brings the promise of improving the U.S.’s standings.

But overall, the U.S. is in a tough spot, because of its size compared to some of the other countries on the list. Bringing effective Internet infrastructure to a country that spans almost 3.8 million square miles is a much different challenge, compared to 4th place South Korea, which measures 38,691 square miles.

Click here for the graphic on internet connectivity for 186 countries in the report.

Source: GeekWire

Which ISPs Are Providing The Speeds They Advertise?

Once again, the FCC has put a wide range of Internet service providers to the test to see whether or not they are delivering on the speeds they advertise to customers. And while the majority of ISPs are not far off, with a few actually over-delivering, some still have a way to go.

The above chart doesn’t indicate which of the ISPs was fastest or slowest, merely how each ISP fared in delivering the speeds promised in its advertising to consumers. So while you can’t look at it and say that Cablevision provides a faster service than AT&T, you can use this info to decide how willing you are to accept a company’s advertising claims.

The chart at the bottom of this post shows in greater detail the actual sustained download speeds per tier per provider.

This is the first time that the FCC has included a satellite broadband provider in its Measuring Broadband report, and ViaSat, which we told you about when we got a hands-on demo at the 2012 Consumer Electronics Show, made a pretty good rookie showing. Not only did it deliver speeds faster than the 12 mbps downstream that ViaSat advertises, it had the highest actual/advertised ratio of all the ISPs in the study.

“While latency for satellites necessarily remains much higher than for terrestrial services,” writes the FCC, “with the improvements afforded by the new technology we find that it will support many types of popular broadband services and applications.”

Here is the per-provider, per-tier breakdown of actual sustained download speeds:

You can check out the full test results and report here.

Source: The Consumerist

Fast Fibre Broadband: A Community Shows The Way

How fast is your home broadband? 70 to 80 Mbps if you’re one of the few with the very fastest fibre broadband services? Perhaps 10Mbps if you’ve got an average connection, maybe under 2Mbps if you live some miles from your nearest exchange. So how would you fancy a 500Mbps download scheme?

That is what I’ve seen on Harry Ball’s quite ancient computer – not in the heart of London but in a village in rural Lancashire. Arkholme is hardly a teeming metropolis but Harry is one of the first local residents to be hooked up to the B4RN community broadband network.

After deciding that they were never likely to get a fast broadband connection from one of the major suppliers, a group of local people across this sparsely populated area decided that sitting around moaning about it was not an option. Instead they began a DIY effort, digging channels across the fields and laying fibre optic cables.

They have exploited all sorts of local expertise – from the Lancaster University professor who is an expert in computer networks to the farmer’s wife who has just retired from a career in IT support. The cooperation of local landowners has been vital – free access to fields has made it much cheaper to roll out the network. BT and other companies which have to dig up the country roads to lay fibre networks reckon it can cost as much as £10,000 to hook up one rural home – the people at B4RN reckon they can bring that down to around £1,000.

And people like Harry and Susan Ball are now entering the superfast broadband era. The retired couple told me they knew little about computers and had got used to the fact that it was almost impossible on their slow connection to watch video or use Skype. Now Harry is able to watch the iPlayer streaming in HD, and Susan has become a B4RN volunteer, helping to dig trenches for the fibre.

But, after raising half a million pounds from locals who bought shares on the promise of a fast connection, the project now needs to move to the next stage. In the Arkholme village hall this afternoon, B4RN is holding an open day, inviting anyone to drop in and test the broadband connection on their phones or computers.

The hope is that many will sign up to the £30 per month service, but that some will also buy shares in B4RN. Another £1.5m is needed if the full 265KM network is to be rolled out. That sounds ambitious – but having spent 24 hours watching the volunteers digging trenches, blowing fibre and learning a process called fusion splicing I can see they are a very determined bunch.

As Barry Forde, the networking expert who is the chief executive of B4RN explained to me, fast broadband is not a luxury now, whether in the town or the country. “Farmers are being told they have to fill in forms online,” he says. “If you haven’t got broadband you are severely disadvantaged.”

And despite the £530m government money to bring fast broadband to rural Britain, many communities face a long wait to get connected. In the meantime, others may learn the lesson from B4RN – if you want it in a hurry, just get out and start digging.

FCC IT Healthcare Fund to Boost Broadband Connections

The Healthcare Connect Fund advances the FCC’s pilot work on broadband and health services with a particular focus on leveraging high-speed connectivity to widen telemedicine networks and boost access to specialists for patients who don’t live near major hospital centers.

The FCC promises that the new fund “will allow thousands of new providers across the country to share in the benefits of connectivity and dramatically cut costs for both hospitals and the Universal Service Fund,” the agency’s omnibus telecom subsidy program.

The agency will begin accepting applications for the fund in late summer.

The Healthcare Connect Fund comes as the latest step in the FCC’s ongoing work in the area of healthcare technology. Just last month, around the same time that it approved the order authorizing the new fund, the FCC began the hiring search for the new position of director of healthcare initiatives.

The FCC says that the new healthcare director will coordinate the FCC’s varied efforts to harness technology to improve care and drive down costs, overseeing the availability of wireless medical devices and working with hospitals and other medical facilities to ensure that they have sufficient broadband connectivity.

The director will also spearhead the FCC’s outreach on healthcare issues with members of the medical and telecommunication industries, as well as the relevant government agencies involved with healthcare technology. Additionally, the individual will work with in-house FCC experts to address a host of technical issues like harnessing spectrum to enable remote testing through the use of wireless devices, and oversee the development of the new Healthcare Connect Fund.

An outgrowth of the FCC’s Rural Healthcare pilot program launched in 2006, the Healthcare Connect Fund aims to simplify the eligibility requirements to ensure that hospitals serving patients in rural areas can secure funding to upgrade their bandwidth to support modern telemedicine applications.

Additionally, by restructuring the terms of the program for healthcare consortia, the FCC projects that the new fund could lower the cost of robust broadband healthcare networks by as much as half. The fund will also channel as much as $50 million over a three-year period to support high-speed broadband service at skilled nursing facilities.

The FCC cites Barton Memorial Hospital in South Lake Tahoe, Calif., as an example of how grant funding has broadened access to specialists. At that hospital, which has received Universal Service funding from the FCC, medical staffers “are using broadband to enable remote examination through a live IP video feed and a relatively inexpensive telemedicine cart.” That way, Barton can offer patients access to outside experts in areas such as cardiology, infectious disease and neurology, areas of practice in which the hospital has no in-house specialists.

The new fund seeks to expand those types of telemedicine offerings, as well as support for the exchange of electronic health records. The FCC says that it will cover 65 percent of the cost of a new broadband deployment or upgrade for successful grant applicants, leaving the remaining 35 percent to the healthcare provider.

The Healthcare Connect Fund will also encourage the development of state and regional consortia comprised of individual healthcare providers that can improve their bargaining position by banding together with other facilities. The FCC says that consortia must be primarily rural in their makeup in order to be eligible for funding.

Other providers eligible for the program include public or not-for-profit hospitals, rural health clinics, community health centers and educational institutions such as medical schools and teaching hospitals.

Via: Network World

Dish Network Planning Nationwide Satellite Broadband

A report by Bloomberg states that Dish Network Corp. is prepping a nationwide broadband-Internet service using a satellite from EchoStar Corp., according to three people familiar with the situation.

Dish and EchoStar will be able to handle about 2 million new customers for their internet service, according to one person. The EchoStar 17 satellite, which launched into orbit July 5, will be used and can support download speeds of 15 megabits per second, though introductory nationwide packages will probably offer rates of 5 megabits per second so the system can take on more capacity.

This is all the result of technological advances for the U.S. satellite industry, which can now use higher-frequency bands to offer faster broadband to more people. Dish already offers satellite broadband through a partnership with Carlsbad, California-based ViaSat Inc., though that only covers certain parts of the U.S.

This satellite broadband-internet service will mainly be for those who live in rural areas and who may not have access to cable broadband. Dish expects to formally offer the service in late September or early October.