Huge privacy flaw in VPN systems

Since the slow introduction of internet monitoring systems around the world began, more and more people have attempted to preserve their privacy by signing up for VPN services like the Pirate Bay’s Ipredator and Pirate Party offering Relakks. But it turns out that there’s a gaping security flaw in these services that allows individual users to be identified.

The finding was announced at the Cipher conference in Sweden. The flaw is caused by a combination of IPv6, which is a new internet protocol due to replace the current IPv4, and PPTP (point-to-point tunneling protocol)-based VPN services, which are the most widely used. IPv6 is enabled on many computers, and you may well be using it without realizing.

The flaw means that the IP address of a user hiding behind a VPN can still be found, thanks to their connection broadcasting information that can be used to identify them. It’s also relatively easy to find a MAC address (which identifies a particular device) and a computer’s name on the network that it’s on.

It’s possible to re-hide yourself by switching IPv6 off and going back to IPv4, but that does mean losing the benefits that it offers. It’s most dangerous because many users aren’t aware of the issue, so it’s likely that administrators of VPN networks may end up having to warn their users, and offer instructions on how to turn off IPv6. It’s thought that the Swedish anti-piracy bureau could already be gathering data using the exploit.
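A defender's audit for the exposure described above, as an added example that is not from the article: it parses `ip -6 -o addr show` output and lists globally routable IPv6 addresses on interfaces other than the tunnel, noting any whose interface identifier is EUI-64 derived and therefore embeds the MAC address. The sample output, the `ppp0` tunnel name and the function names are assumptions constructed for illustration; the article does not say which mechanism exposes the MAC.

```python
import ipaddress

# Constructed sample of `ip -6 -o addr show` output (Linux iproute2); not from the article.
SAMPLE = """\
1: lo    inet6 ::1/128 scope host \\       valid_lft forever preferred_lft forever
2: eth0    inet6 2001:db8:1:2:211:22ff:fe33:4455/64 scope global dynamic \\       valid_lft 86000sec
2: eth0    inet6 fe80::211:22ff:fe33:4455/64 scope link \\       valid_lft forever
3: wlan0    inet6 2001:db8:1:3:5c1a:9e02:77ab:10cd/64 scope global temporary dynamic \\       valid_lft 600sec
"""


def eui64_mac(addr):
    """Return the MAC embedded in an EUI-64 interface identifier, or None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]  # low 64 bits of the address
    if iid[3:5] != b"\xff\xfe":                   # EUI-64 inserts ff:fe mid-MAC
        return None
    # Undo the universal/local bit flip applied to the first MAC octet.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def ipv6_exposure(ip_output, tunnel_ifaces=("ppp0",)):
    """List global IPv6 addresses that live outside the VPN tunnel interface.

    tunnel_ifaces is an assumption: ppp0 is a typical name for a PPTP link.
    Host and link-local scopes are skipped because they are not routed
    beyond the local link.
    """
    findings = []
    for line in ip_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[2] != "inet6" or fields[4] != "scope":
            continue
        iface, cidr, scope = fields[1], fields[3], fields[5]
        if scope != "global" or iface in tunnel_ifaces:
            continue
        addr = cidr.split("/")[0]
        findings.append({"iface": iface, "addr": addr, "mac": eui64_mac(addr)})
    return findings


if __name__ == "__main__":
    for f in ipv6_exposure(SAMPLE):
        note = f"embeds MAC {f['mac']}" if f["mac"] else "no embedded MAC"
        print(f"{f['iface']}: {f['addr']} is routable outside the tunnel ({note})")
```

An empty result means no global IPv6 address exists outside the tunnel; any finding is a candidate for the "switch IPv6 off" step the article describes.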

One alternative to PPTP is OpenVPN, which offers a number of advantages, especially as it’s free and open-source. It’s more secure than PPTP, and more stable too, though it doesn’t work on mobile devices natively and isn’t quite as easy to set up on a computer, especially older machines. OpenVPN also has the advantage that it’s often not blocked in countries where PPTP systems are blocked.

Of course, if you’re thinking of using a VPN, remember that you’re essentially giving a third party company access to all of your private information, rather than a government. At the end of the day, that could be a far larger security hole than anything else, so be careful who you trust with your data.

Read More http://www.wired.co.uk/news/archive/2010-06/18/huge-privacy-flaw-found-in-vpn-systems?page=all

Cloud security for e-healthcare

A cloud security model for e-Healthcare applications is necessary for users in terms of privacy, and for cloud service providers for legal purposes due to HIPAA.

Cloud Security (CS) is a very wide topic with many shades. In this article I will discuss an often neglected part of it: forensics. By definition, “Forensic deals with Preservation, Acquisition and Provenance of digital evidences”.

Forensic challenges for Law enforcement in Cloud computing

The adoption of cloud computing (CC), especially in the governmental and commercial sectors, has raised great concerns about security. On average, the lack of trust in privacy and security in CC is one of the showstoppers to its widespread usage.

One aspect of security that lacks further consideration in CC is forensics. Forensics is mostly used either by law enforcement, through guide (1), or by the system owner after an incident occurs.

Forensics is tougher in the cloud because of the cloud's distributed nature. What does that mean? Let me first describe in brief what cloud computing is ..

Fixed: HIGH Vulnerability in C library dynamic linker (CVE-2010-3847)

Securing, Monitoring Virtualization environments

Yes, we need to fully use the hardware; one way is to divide it into pieces and eat them all. That is what virtualization means.

At the start you had one host machine, which means you had to take care of its updates, logs, services, etc. But if you launch 10 more virtual machines on it, you now have 10 times more to manage, plus the communication between the host and the VMs.

This is quite tricky. Several vendors have solutions for it, specifically as Cloud is, in raw terms, virtualization magic. More management platforms will pop up in the future.

/Zeeshan