Not a Product Endorsement: VPN



If you are in the market for a VPN product look no further than ExpressVPN, NordVPN or Surfshark.  Even though I use one of these products, the reason for mentioning them is that Zerodium is offering Windows security researchers up to $2.5m for zero-day vulnerabilities that relate to IP address leak and remote code execution.  In their post, they specifically excluded local privilege escalation. This implies that, to date, Zerodium has not managed to crack these functions.

What is a Zero-day vulnerability?

A zero-day vulnerability describes a vulnerability that was previously unknown to the security community. This means that anyone with this knowledge can compromise devices because no protection has been developed since no one is aware of the weakness.

What is a VPN?

 


A VPN from the three companies mentioned here allows a person to create a secure tunnel between their personal network and an endpoint belonging to the VPN companies. This tunnel is secure and any data flowing through the tunnel is encrypted. This means that communications cannot be eavesdropped. Another feature of VPNs is that the IP address of the person is not revealed; all traffic appears to originate from the VPN company. As these companies recycle their addresses, it becomes practically impossible to trace the communication back to the source.  Additional measures further protect the identity and communications of those wishing to remain anonymous.

Why would anyone need a VPN? Anyone who doesn’t want their online activity to be eavesdropped. For example, in the USA service providers can (and do) spy internet traffic of their clients. They sell the data to advertisers.



Others may use a VPN to view content that is geographically restricted. For example, you would like to view content provided by Netflix in a different country from your own.


Others use VPN because their lives depend on it. Journalists, activists, whistleblowers and citizens in oppressed regimes rely on VPN to communicate and find out information.  Some of these people know that if their activities are detected, their lives (and the lives of their families) will be impacted.

The way Zerodium’s shopping list was worded indicates that Zerodium and their clients are particularly interested in identifying who their target really is and what is their electronic activity.

An IP address leak vulnerability would allow a hacker to discover the network address of the victim. With a VPN they can only trace back to the IP address of the VPN company. A remote code execution hack could be used to install spyware such as keyloggers, screen grabbers, password stealers or other nefarious code on the target user’s computer. Once the Windows computer has been compromised, the hackers could hack other devices connected to the computer potentially discovering other individuals who interact with the targeted person.

Security Researcher Categories

When an ethical security researcher discovers a vulnerability they:

       Privately contact the company responsible for the software to inform them of the vulnerability

       Negotiate with the company a time window (typically 90 - 270 days)

       Before the time window expires the company would release a patch that addressed the vulnerability. Normally a CVE reference is assigned to the vulnerability.

       After the time window closes, the security researcher shares the vulnerability, how to reproduce it and the CVE reference it links to.

       If the company has a bug bounty program (many do), the security researcher would receive payment for having found and alerted the company.

 

Zerodium is a Washington DC based company that pays (unethical) security researchers for vulnerabilities. Zerodium does not make their client list publicly available, but after Israeli-based NSO Group suffered a data leak, Amnesty International reported that NSO Groups’ Pegasus software was used to identify at least 180 journalists in 20 countries between 2016 to June 2021[1]. According to Wikipedia[2]The software was used by countries such as Bahrain, USA, Saudi Arabia, Morocco, Palestine and India to hack phones of journalists and groups opposing the government. In Mexico, it was used by drug cartels and government officials in their pay to intimidate journalists.

Pegasus spyware would jailbreak an IOS or Android phone when the victim would follow a link received as a message. Once the phone is broken into, hackers gain full control of the device. The fiancée of slain Saudi Arabia journalist Jamal Khashoggi, his wife, son and other family members were all hacked using this software. His fiancée’s phone was broken into just four days before he was murdered.

Companies like Zerodium and NSO Group compete in this market for zero-day discoveries by paying higher fees compared to commercial companies. These companies have clients with deep pockets who are willing to shell out massive amounts for the ability to spy on their adversaries.

This model of buying security flaws to sell on for a profit is sleazy. Such companies use the age-old excuse that they vet their clients and that their clients are using the tools to fight heinous crimes such as child pornography and terrorist activity. Justifying their behaviour by looping in emotional and sensitive topics they hope to hide their true selves; they are mercenaries who are risking and killing others all to make a profit. According to Dave Lee writing on BBC News, unethical security researchers and these companies are nothing short of cyber arms dealers.[3]

 

 

[1] Amnesty International. (2021). Massive data leak reveals Israeli NSO spyware used to target activists, journalists, and political leaders. [online] Available at: https://www.amnesty.org/en/latest/press-release/2021/07/the-pegasus-project/.

[2] Wikipedia. (2021). Pegasus (spyware). [online] Available at: https://en.wikipedia.org/w/index.php?title=Pegasus_(spyware)&oldid=1054168070 [Accessed 9 Nov. 2021].

 

[3] Lee, D. (2016). Who are the hackers who cracked the iPhone? BBC News. [online] 26 Aug. Available at: https://www.bbc.com/news/technology-37192670 [Accessed 9 Nov. 2021].











Comments

  1. UnknownSunday, 30 January, 2022

    This comment has been removed by a blog administrator.

    ReplyDelete
  2. akbarSaturday, 05 February, 2022

    This comment has been removed by a blog administrator.

    ReplyDelete

Post a Comment

Popular posts from this blog

20150628 Giarratana Circular

Statistics Date: Jun 28, 2015 4:34 pm Distance: 15.21 km Duration: 2h:35m:36s Avg Speed: 5.87 km/h Max Speed: 7.40 km/h Min Altitude: 489 m Max Altitude: 594 m Ascent: 249 m Descent: 261 m Route Open route in new window: https://www.google.com/maps/d/edit?mid=z6HKMq7G_wEk.keh2K8cXD6Cc&usp=sharing Photos (Geotagged) Open photos in new Windows: https://plus.google.com/photos/105470926677245165774/albums/6166646868710719889
Read more

HOWTO setup OpenVPN server and client configuration files using EasyRSA

Image
Introduction OpenVPN allows client computers to tunnel into a server over a single UDP or TCP port securely. This HOWTO article is a step-by-step guide that explains how to create the server and client OpenVPN configuration files that makes this possible. In the process this article explains how to create the public key infrastructure (PKI) so that a client can securely communicate with the server. OpenSSL is the foundation for the security functionality of OpenVPN. For this tutorial you will need the following software: OpenVPN. You can download the latest version of OpenVPN from https://openvpn.net/index.php/open-source/downloads.html EasyRSA is the tool people use to create the Public Key Infrastructure (PKI) for OpenVPN. Download the latest release of EasyRSA from https://github.com/OpenVPN/easy-rsa/releases . There is not installation required. Extract the contents of the archive into a folder. OpenVPN is available on various platforms. The generation of the
Read more

How To Reset the firmware, wifi on GoPro Hero 3, 3+ and sync it with latest version of GoPro Quik

Image
Like others, I fished out my old Go Pro HERO 3+ and found that I could not link to it via WiFi because I had forgotten the password. A quick search on the internet and it seems that there are still many users of this good, albeit old Action Cam. Some had purchased one off eBay or from a second-hand shop while others, like me, found it in a drawer and decided to repurpose it. If the GoPro has not been used for a while it might not be on the latest firmware. Note that these models are no longer supported. The common thread is that without the Wi-Fi SSID and password, it isn't possible to control the camera from the phone using GoPro's Quik software. I referenced these sites: 1.  HERO3/3+ Information And Troubleshooting : This is an official GoPro Site from where you can download the camera firmware and update the camera Wi-Fi for the HERO 3 and HERO 3+. 2.  Software Update and Reset for GoPro Hero 3, 3+ and 4 : This is another source for firmware (covers more models) and there is
Read more