The Red Hat Shares newsletter helps IT leaders navigate the complicated world of IT―the open source way.

_The Red Hat Shares newsletter helps IT leaders navigate the complicated world of IT―the open source way._

FROM THE EDITOR

**Securing your edge infrastructure**

Edge security is becoming increasingly important as more organizations turn to edge computing to benefit from the flexibility of hybrid cloud computing and deliver faster, more reliable services at a lower cost.

When we surveyed IT decision makers in 2021 for our 2022 Global Tech Outlook report about what emerging technologies they were most likely to consider using in the next year, or are currently using, 28% said edge computing (up from 25% in 2020). Furthermore, a July 2022 report from 451 Research reveals that "large organizations will significantly expand edge computing infrastructure in two years."1

In edge computing, an increase in data and processing outside the traditional datacenter creates potential risk to organizations. Reduced physical security, a limited compute footprint, lower cost expectations and remote management are often compounded by a lack of IT personnel. These issues combine to create relaxed standards for security and policy and expand the attack surface.

However, there are ways edge resources can improve security. For example, IDC says "63% of organizations report using edge resources to enhance cybersecurity through monitoring networks." IDC also says "replicating data \[using edge resources\] across multiple locations" can "reduce \[the\] impact of ransomware attacks."2

Red Hat provides trusted open source software that helps organizations implement a layered security approach across infrastructure, the application stack and the life cycle for better security on site, in cloud environments or at edge sites.

In this issue of Red Hat Shares, learn about security considerations for edge implementations, key edge security issues for CIOs, how Red Hat helped a customer reduce its edge deployment time while enhancing its infrastructure security and more. Plus, just for fun, we threw in a video from our "In the Clouds" series about how edge computing is being used to solve problems on the International Space Station.

1.  451 Research. "Security tops the priorities for edge computing infrastructure – Highlights from VotE: Edge Infrastructure & Services," 25 July 2022. 
2.  Huang, Cathy, and Jennifer Cooke. "Securing the Edge: How Edge Is Architected Will Determine How Security Is Designed." IDC, Feb. 2022.

**5 security considerations for edge implementations**

Learn about some of the primary security threats edge deployments face and how Red Hat technologies can help mitigate them.

**Edge computing: 4 key security issues for CIOs to prioritize**

The Enterprisers Project suggests considering the expert advice in this article to address security concerns before implementing an edge computing strategy.

_You may also be interested in "Beat these common edge computing challenges."_

**A deep dive on edge and security**

Global analyst firm Futurum Research addresses common edge computing security challenges, Red Hat’s approach to security at the edge and more.

**Boost security, flexibility, and scale at the edge with Red Hat Enterprise Linux**

Find out how Red Hat Enterprise Linux can help you extend your datacenter capabilities to the edge with confidence.

_You may also be interested in "What’s new in Red Hat Enterprise Linux 9 for edge computing."_

CUSTOMER SPOTLIGHT

**Edge computing flexibility enables critical defense and security advantages**

See how Red Hat helped Mamram―the Israel Defense Forces’ central computing system unit―reduce its edge deployment time from weeks to hours while enhancing its infrastructure security and compliance.

**In the Clouds: Edge Computing in Space**

In this episode of our video series, IBM Distinguished Engineer and CTO Space Tech Naeem Altaf explains how, together with NASA, cloud and edge computing services and technologies are being used to solve problems on the International Space Station.

_You may also be interested in "Edge computing in action: Space."_

**AnsibleFest: Shape the present and future of automation**

Oct. 18-19, 2022

Chicago, Illinois

Get discounted pricing through Oct. 17.

_Did you miss our special July edition recapping Red Hat Summit 2022? Check it out. Or browse all past issues of Red Hat Shares._

_Questions or comments about Red Hat Shares? It’s your turn to share. Email us._

Red Hat Shares ― Edge computing: Security

Chipolo ONE Bluetooth tracker (2020) Chipolo iOS app version 4.13.0 is vulnerable to Incorrect Access Control. Chipolo devices suffer from access revocation evasion attacks once the malicious sharee obtains the access credentials.

**Vulnerability Description**

Chipolo's access sharing functionality has a vulnerability. A trusted owner can remotely share Chipolo access to another user, who may be a potential attacker. The attacker's mobile phone operating system is untrusted and the attacker can extract the Chipolo authentication secret from the mobile app, and possibly reuse it to control the Chipolo device even after the trusted owner has revoked the attacker's access from the server side.

**CVE Number**

CVE-2022-37193

**Credits**

Xin'an Zhou, UC Riverside; Jiale Guan, Indiana University Bloomington; Luyi Xing, Indiana University Bloomington; Zhiyun Qian, UC Riverside.

CVE-2022-37193: CCS22MaaGIoT/ChipoloONE.md at main · zhouxinan/CCS22MaaGIoT

Online Birth Certificate Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

**Online Birth Certificate Management System 1.0 Cross Site Scripting**

Posted Sep 27, 2022

Authored by Yousef Alraddadi

Online Birth Certificate Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 7e9852e1ba3b10ed9809857eace8d6e330d1f9d7306d8b2d80c0851d85229f86

Download | Favorite | View

**Online Birth Certificate Management System 1.0 Cross Site Scripting**

    # Exploit Title: Online Birth Certificate Management System - Stored Cross-Site Scripting (XSS)# Google Dork: N/A# Date: 2022-9-27# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11# Vendor Homepage: https://www.sourcecodester.com/php/15683/online-birth-certificate-management-system-php-free-download.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/OBCMS.zip# Tested on: windows 11 - XAMPP# CVE : N/A# Version: 1.0Vulnerability Details======================Steps :1) Log in to the application after register new userUsername: testPassword: 123452) Navigate to Birth Reg Form and Click on Add Details.3) add full name payload => <script>alert(document.cookie);</script>4) and all field enter payload only Contact Number enter number

**File Tags**

*   ActiveX (932)
*   Advisory (78,276)
*   Arbitrary (15,276)
*   BBS (2,859)
*   Bypass (1,598)
*   CGI (1,013)
*   Code Execution (6,771)
*   Conference (671)
*   Cracker (799)
*   CSRF (3,277)
*   DoS (22,065)
*   Encryption (2,340)
*   Exploit (50,129)
*   File Inclusion (4,160)
*   File Upload (945)
*   Firewall (821)
*   Info Disclosure (2,565)
*   Intrusion Detection (861)
*   Java (2,823)
*   JavaScript (808)
*   Kernel (6,156)
*   Local (14,093)
*   Magazine (586)
*   Overflow (12,252)
*   Perl (1,413)
*   PHP (5,057)
*   Proof of Concept (2,284)
*   Protocol (3,350)
*   Python (1,406)
*   Remote (29,862)
*   Root (3,466)
*   Ruby (581)
*   Scanner (1,630)
*   Security Tool (7,737)
*   Shell (3,077)
*   Shellcode (1,203)
*   Sniffer (883)
*   Spoof (2,123)
*   SQL Injection (16,057)
*   TCP (2,369)
*   Trojan (682)
*   UDP (872)
*   Virus (660)
*   Vulnerability (30,657)
*   Web (9,114)
*   Whitepaper (3,723)
*   x86 (943)
*   XSS (17,396)
*   Other

**File Archives**

*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   May 2022
*   April 2022
*   March 2022
*   February 2022
*   January 2022
*   December 2021
*   November 2021
*   October 2021
*   Older

**Systems**

*   AIX (426)
*   Apple (1,899)
*   BSD (369)
*   CentOS (55)
*   Cisco (1,915)
*   Debian (5,948)
*   Fedora (1,690)
*   FreeBSD (1,242)
*   Gentoo (4,207)
*   HPUX (878)
*   iOS (323)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (42,923)
*   Mac OS X (684)
*   Mandriva (3,105)
*   NetBSD (255)
*   OpenBSD (478)
*   RedHat (12,009)
*   Slackware (941)
*   Solaris (1,607)
*   SUSE (1,444)
*   Ubuntu (8,027)
*   UNIX (9,115)
*   UnixWare (185)
*   Windows (6,473)
*   Other

Online Birth Certificate Management System 1.0 Cross Site Scripting

Using its "Exmatter" tool to corrupt rather than encrypt files signals a new direction for financially motivated cybercrime activity, researchers say.

Malware wielded by BlackCat/ALPHV is putting a new spin on the ransomware game by deleting and destroying an organization's data rather than merely encrypting it. The development provides a glimpse of the direction in which financially motivated cyberattacks likely are heading, according to researchers.  

Researchers from security firms Cyderes and Stairwell have observed a .NET exfiltration tool being deployed in relation to BlackCat/ALPHV ransomware called Exmatter that searches for specific file types from selected directories, uploads them to attacker-controlled servers, and then corrupts and destroy the files. The only way to retrieve the data is by purchasing the exfiltrated files back from the gang.

"Data destruction is rumored to be where ransomware is going to go, but we haven’t actually seen it in the wild," according to a blog post published recently on the Cyderes website. Exmatter could signify that the switch is happening, demonstrating that threat actors are actively in the process of staging and developing such capability, researchers said.

Cyderes researchers performed an initial assessment of Exmatter, then Stairwell's Threat Research Team discovered "partially-implemented data destruction functionality" after analyzing the malware, according to a companion blog post.

"The use of data destruction by affiliate-level actors in lieu of ransomware-as-a-service (RaaS) deployment would mark a large shift in the data extortion landscape, and would signal the balkanization of financially-motivated intrusion actors currently working under the banners of RaaS affiliate programs," Stairwell threat researcher Daniel Mayer and Shelby Kaba, director of special operations at Cyderes, noted in the post.

The emergence of this new capability in Exmatter is a reminder of the rapidly evolving and increasingly sophisticated threat landscape as threat actors pivot to find more creative ways to criminalize their activity, notes one security expert.

"Contrary to popular belief, modern attacks are not always just about stealing data, but can be about destruction, disruption, data weaponization, disinformation, and/or propaganda," Rajiv Pimplaskar, CEO of secure communications provider Dispersive Holdings, tells Dark Reading.

These ever-evolving threats demand that enterprises also must sharpen their defenses and deploy advanced security solutions that harden their respective attack surfaces and obfuscate sensitive resources, which will make them difficult targets to attack in the first place, Pimplaskar adds.

**Previous Ties to BlackMatter**

The researchers' analysis of Exmatter is not the first time a tool of this name has been associated with BlackCat/ALPHV. That group — believed to be run by former members of various ransomware gangs, including those from now-defunct BlackMatter — used Exmatter to exfiltrate data from corporate victims last December and January, before deploying ransomware in a double extortion attack, researchers from Kaspersky reported previously.

In fact, Kaspersky used Exmatter, also known as Fendr, to link BlackCat/ALPHV activity with that of BlackMatter in the threat brief, which was published earlier this year.

The sample of Exmatter that Stairwell and Cyderes researchers examined is a .NET executable designed for data exfiltration using FTP, SFTP, and webDAV protocols, and contains functionality for corrupting the files on disk that have been exfiltrated, Mayer explained. That aligns with BlackMatter's tool of the same name.

**How the Exmatter Destructor Works**

Using a routine named "Sync," the malware iterates through the drives on the victim machine, generating a queue of files of certain and specific file extensions for exfiltration, unless they are located in a directory specified in the malware’s hardcoded blocklist.

Exmatter can exfiltrate queued files by uploading them to an attacker-controlled IP address, Mayer said.

"The exfiltrated files are written to a folder with the same name as the victim machine’s hostname on the actor-controlled server," he explained in the post.

The data-destruction process lies within a class defined within the sample named "Eraser" that is designed to execute concurrently with Sync, researchers said. As Sync uploads files to the actor-controlled server, it adds files that have been successfully copied to the remote server to a queue of files to be processed by Eraser, Mayer explained.

Eraser selects two files randomly from the queue and overwrites File 1 with a chunk of code that's taken from the beginning of the second file, a corruption technique that may be intended as an evasion tactic, he noted.

"The act of using legitimate file data from the victim machine to corrupt other files may be a technique to avoid heuristic-based detection for ransomware and wipers," Mayer wrote, "as copying file data from one file to another is much more plausibly benign functionality compared to sequentially overwriting files with random data or encrypting them." Mayer wrote.

**Work in Progress**

There are a number of clues to indicate that Exmatter's data-corruption technique is a work in progress and thus still being developed by the ransomware group, the researchers noted.

One artifact in the sample that points to this is the fact that the second file’s chunk length, which is used to overwrite the first file, is randomly decided and could be as short as 1 byte long.

The data-destruction process also has no mechanism for removing files from the corruption queue, meaning that some files may be overwritten numerous times before the program terminates, while others may never have been selected at all, the researchers noted.

Moreover, the function that creates the instance of the Eraser class — aptly named "Erase" — does not appear to be fully implemented in the sample that researchers analyzed, as it does not decompile correctly, they said.

**Why Destroy Instead of Encrypt?**

Developing data-corruption and destruction capabilities in lieu of encrypting data has a number of benefits for ransomware actors, the researchers noted, especially as data exfiltration and double-extortion (i.e., threatening to leak stolen data) has become a rather common behavior of threat actors. This has made developing stable, secure, and fast ransomware to encrypt files redundant and costly compared to corrupting files and using the exfiltrated copies as the means of data recovery, they said.

Eliminating encryption altogether also can make the process faster for RaaS affiliates, avoiding scenarios in which they lose profits because victims find other ways to decrypt the data, the researchers noted.

"These factors culminate in a justifiable case for affiliates leaving the RaaS model to strike out on their own," Mayer observed, "replacing development-heavy ransomware with data destruction."

BlackCat/ALPHV Gang Adds Wiper Functionality as Ransomware Tactic

Categories: News
Categories: Privacy
Meta is being sued by a couple of its users for allegedly deliberately circumventing Apple's privacy features on the iPhone.



(Read more...)




The post Facebook users sue Meta for allegedly building "secret workaround" to Apple privacy safeguards appeared first on Malwarebytes Labs.

Posted: September 27, 2022 by

Last week, two Facebook users filed a class-action complaint against Meta in San Francisco's federal court, alleging the company built a "secret workaround" to Apple's safeguards that protect iPhone users from tracking. Facebook circumvents Apple's privacy rules by opening in-app browsers within its apps instead of the iPhone's default browser. By doing this, the users further allege Meta violated state and federal laws regarding the unauthorized collection of personal data.

The suit came after Felix Krause (@KrauseFx), a data privacy researcher and former Google engineer, released a report in August 2022 about iOS privacy, featuring a tool he created himself called the InAppBrowser. It can check if an in-app browser injects JavaScript (JS) code, which could be problematic for iOS and Android users as this causes potential security and privacy risks to users.

In the case of Meta, this JS code is Meta Pixel.

"The iOS Instagram and Facebook app render all third party links and ads within their app using a custom in-app browser," said Krause in his blog. "This causes various risks for the user, with the host app being able to track every single interaction with external websites, from all form inputs like passwords and addresses, to every single tap."

Krause also included the following caveat: "**Important**: Just because an app injects JavaScript into external websites, doesn’t mean the app is doing anything malicious. There is no way for us to know the full details on what kind of data each in-app browser collects, or how or if the data is being transferred or used."

In an email interview with Bloomberg, a spokesperson from Meta said that Krause's allegations are "without merit" and it will defend itself.

"We have designed our in-app browser to respect users' privacy choices, including how data may be used for ads," the email statement said.

In February, Meta admitted that Apple's App Tracking Transparency (ATT) feature would decrease its ad revenue by $10B. This admission, according to CNBC, is "the most concrete data point so far on the impact to the advertising industry" in terms of Apple's privacy feature, which limits companies from accessing the data of iPhone users.

"This allows Meta to intercept, monitor, and record its users' interactions and communications with third parties, providing data to Meta that it aggregates, analyzes, and uses to boost its advertising revenue," the suit reads.

Facebook and Instagram weren't the only apps mentioned in Krause's report. TikTok, Snapchat, and Amazon were also mentioned.

**RELATED ARTICLES**

Facebook users sue Meta for allegedly building "secret workaround" to Apple privacy safeguards

As many as 75 apps on Google Play and 10 on Apple App Store have been discovered engaging in ad fraud as part of an ongoing campaign that commenced in 2019.
The latest iteration, dubbed Scylla by Online fraud-prevention firm HUMAN Security, follows similar attack waves in August 2019 and late 2020 that go by the codename Poseidon and Charybdis, respectively.
Prior to their removal from the app

As many as 75 apps on Google Play and 10 on Apple App Store have been discovered engaging in ad fraud as part of an ongoing campaign that commenced in 2019.

The latest iteration, dubbed **Scylla** by Online fraud-prevention firm HUMAN Security, follows similar attack waves in August 2019 and late 2020 that go by the codename Poseidon and Charybdis, respectively.

Prior to their removal from the app storefronts, the apps had been collectively installed more than 13 million times.

The original Poseidon operation comprised over 40 Android apps that were designed to display ads out of context or hidden from the view of the device user.

Charybdis, on the other hand, was an improvement over the former by making use of code obfuscation tactics to target advertising platforms.

Scylla presents the latest adaption of the scheme in that it expands beyond Android to make a foray into the iOS ecosystem for the first time, alongside relying on additional layers of code roundabout using the Allatori tool.

These apps, once installed, are engineered to commit different kinds of ad fraud, marking a significant step up in sophistication from previous variants.

These include spoofing popular apps such as streaming services to trick advertising SDKs into placing ads, serving out-of-context and "hidden" ads via off-screen WebViews, and generating fraudulent ad clicks to profit off ads.

"In layman's terms, the threat actors code their apps to pretend to be other apps for advertising purposes, often because the app they're pretending to be is worth more to an advertiser than the app would be by itself," the company said.

As always, users are advised to scrutinize apps prior to downloading them, and avoid third-party app stores on the web that could harbor malicious applications.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Experts Uncover 85 Apps with 13 Million Downloads Involved in Ad Fraud Scheme

Want to speak up against Big Tech, unjust data collection, and surveillance? Here's how to be an activist in your community and beyond.

Your Facebook is no longer a naked-to-the-public firehose of information about your family and social life. Your mobile phone is as do-not-track as you’re able to function under. You cover your webcam lens when it’s not in use.

In short, you’ve done what you can to mitigate the way the current world seeks to share and expose your personal information. It takes energy and knowledge to break away from the default settings of digital devices, social networks, and retailers seeking more, more, more information. But you’ve done it, at least what you can. You feel pretty good about safeguarding some (but not all) of your private data and being proactive about it.

So what’s this nagging feeling in the back of your skull? Do you sometimes feel like you could be doing even more in the battle to protect citizens from the overreach of data scrapers and tech moguls who value monetization over individual rights?

It takes a lot of committed people to fight these battles in courtrooms, in the digital marketplace, and on the platforms themselves (Facebook, Twitter, and LinkedIn, among others) that have become battlegrounds for our data. You could be one of these people: an advocate for data privacy who is actively involved in helping protect us all.

Advocacy Near Home

Getting your own house in order in regards to privacy could mean literally getting your house in order. Setting up a VPN (virtual private network) service for your entire household, for instance, can offer your entire family a shield to prying eyes online, including threats from hackers, although finding a reputable one with strong data privacy policies that also won’t scoop up your data can itself be a challenge.

If you have kids old enough to join social networks (the legal age is 13 in the US), take the time to help them set up and understand their privacy settings, especially on social networks that have a poor track record on that front (such as Facebook and TikTok). The same goes for online game networks they might play on such as Nintendo Online or the PlayStation Network, not to mention popular games like _Roblox_ and _Minecraft_ (which is owned by Microsoft, who also operates Xbox Live, which also has social features).

Similarly, stay in the loop on new policies and legal changes that could affect the way companies handle your kids’ data. You should also learn how your kids’ school and school district handle issues such as data on school devices, software in schools, and surveillance cameras on campus.

You don’t want to be the person who posts hoaxes about how Facebook is going to use your photos and information, but spreading the word from legit sources to extended family and friends about good privacy hygiene is one way to raise awareness of the problems that exist. The United States Privacy Digest from the International Association of Privacy Professionals, The Hacker News, Privacy International, and—not to toot our own horn—WIRED’s own coverage of privacy issues are good places to get informed or search for specific stories around these topics.

Take Your Advocacy Public

The Electronic Frontier Foundation (or EFF) is a civil liberties nonprofit founded in the San Francisco Bay Area in 1990. It’s been carrying the torch for fighting threats to free speech and privacy ever since. The EFF says it has seen a recent “big uptick” in interest from people wanting to protect privacy on their phone; for instance, there are 100,000 views on a post about disabling Ad ID on iOS and Android devices. “We are clearly seeing that people are increasingly concerned about digital rights,” says Karen Gullo, analyst and senior media relations specialist at EFF. 

The organization offered WIRED a list of things you can do if you’d like to get more involved in advocating for data privacy.

To start with, find out where your local and state lawmakers stand on privacy and make your own voice heard. Call or email them, or speak up at town halls and other meetings. “Check with your local city council to see if they have a committee that is looking into data-privacy issues, or suggest that they form one,” says Karen Gullo, analyst and senior media relations specialist at EFF. “Ask for a citizen advocate to be part of that committee.”

You could also form your own committee, briefing those local officials on data policies and threats, and informing the public with talks at local libraries and other public locations. The EFF pointed to Oakland Privacy, a citizen’s coalition that succeeded in this kind of effort; the group helped get an ordinance passed requiring towns in its area to be transparent about surveillance technology.

The EFF is currently pushing the My Body, My Data Act, which would protect personal health care data related to reproductive rights. You can learn how to take action to support this act on the EFF’s website.

Similarly, the Electronic Frontier Association itself is comprised of grassroots digital-rights advocacy groups in cities and campuses across the country, and they may be looking for volunteers in your area. You can get involved with security training projects and educational events through an existing chapter, or by starting your own coalition.

How to Advocate for Data Privacy and Users' Rights

Centreon v20.10.18 was discovered to contain a cross-site scripting (XSS) vulnerability via the esc_name (Escalation Name) parameter at Configuration/Notifications/Escalations. This vulnerability allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload.

My name is Daniel França Lima, I’m a penetration tester Jr  and vulnerability researcher at Hakai Offensive Security. In order to help the hacking community, companies and also improve my skills, I periodically look for flaws in market applications with the goal of achieving responsible disclosure. 

Centreon is a system and network asset monitoring solution based on the Nagios standard, being open source, and allowing easy and effective installation and implementation, monitoring and performance management.

**Centreon partners**

When analyzing the application, it was possible to find a sql injection vulnerability in the esc\_name(Escalation Name) parameter located at “Configuration/Notifications/Escalations”.

**About SQL Injection:**

A SQL injection attack consists in manipulating SQL queries via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands. With this explanation in mind, we can move on to technical details.

When analyzing the requests, it was possible to notice that it was a blind-sql (a type of SQL Injection attack that asks the database true or false questions and determines the answer based on the applications response) more specifically a time-based attack in which the application’s response time is used. Below is a proof of concept.

It is also possible to exploit Cross-Site Scripting (XSS) in the same field explored for SQLi, thus making it possible to insert malicious javascript into the application..

**About Stored Cross-Site Scripting:**

In the same field mentioned earlier it was possible to find another vulnerability called Cross-Site Scripting (XSS). Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user’s data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application’s functionality and data.

**_Fixed versions:_**

– centreon-web-22.04.1

– centreon-web-21.10.8

– centreon-web-21.04.16

**_Time Line:_**

23-05 – Notified vendor.

24-05 – Vendor acknowledged disclosure.

04-08 – New versions of software released with patches

26-08 – Blog post release

CVE-2022-40044: Centreon SQLi and XSS Vulnerability

An HTTP response splitting attack in web application in ASUS RT-AX88U before v3.0.0.4.388.20558 allows an attacker to craft a specific URL that if an authenticated victim visits it, the URL will give access to the cloud storage of the attacker.

**Vulnerability type**

HTTP Response splitting (CVE-2021-41437)

**Vendor**

ASUS

**Affected product**

RT-AX88U

**Attack type**

Remote

**Affected components**

The AiCloud component of the current web app is vulnerable to an HTTP response splitting attack.

**Attack vector**

An attacker can craft a specific URL that if an authenticated victim visits it, the URL will give access to the cloud storage of the attacker.

**Patch**

Fixed from firmware v3.0.0.4.388.20558 (https://www.asus.com/Networking-IoT-Servers/WiFi-Routers/ASUS-Gaming-Routers/RT-AX88U/HelpDesk\_BIOS/)

CVE-2021-41437: easy-exploits/Web/ASUS/CVE-2021-41437 at main · efchatz/easy-exploits

It won’t solve all of your privacy problems, but a virtual private network can make you a less tempting target for hackers.

A virtual private network (VPN) is like a protective tunnel you can use to pass through a public network, protecting your data from outside eyes. Whether you're worried about hiding your browsing activity from your internet service provider so it doesn't sell your data to advertisers, or you want to stay safe on a public Wi-Fi hot spot to keep nearby digital snoops from capturing your passwords, a VPN can help protect you.

However, while a VPN will keep you safe at your local coffee shop, it comes with a cost. Using a VPN means your VPN provider will know everything about your browsing habits. This makes VPN providers a target for hackers. Be sure you even need one before you read on.

Picking the right VPN service is serious business. Most VPN providers say they keep no logs of their users' activity, but this is rarely verified. You're stuck taking companies at their word. For this reason, we've limited our testing to VPN providers that have been independently audited by security firms and have published the results.

To help you sort out when and why you might want a VPN, as well as why you might not, be sure to read through our complete guide to VPNs below. If you're sure you want to use a VPN, here are our top picks among commercial VPN providers.

_Updated September 2022: We've included some updated speed test results, included some new features from Surfshark, and noted our experiences paying for Mullvad with bitcoin._

_Special offer for Gear readers: Get a_ _**1-year subscription to**_ **WIRED** _**for $5 ($25 off)**__. This includes unlimited access to_ WIRED._com and our print magazine (if you'd like). Subscriptions help fund the work we do every day._

> If you buy something using links in our stories, we may earn a commission. This helps support our journalism. Learn more.

Best for Most People

**Surfshark VPN**

Surfshark wouldn't be my top pick if my life depended on my VPN, but for most of us that's not the case. If you just want a way to get around some geographical restrictions on content (aka access Netflix) and protect your traffic while using an open Wi-Fi hot spot, Surfshark is a good choice. It's secure, and it provides a great value for the money if you pay for two years up front.

Surfshark offers a kill switch that automatically stops your traffic if your VPN connection fails, and it supports multihop VPN connects, which means your traffic goes from your machine to a VPN server to another VPN server, and then to the destination server. This provides an extra layer of protection should the VPN itself be compromised, though there is a corresponding speed hit when using a multihop connection. The company also recently added support for manual Wireguard configuration. Most people will be fine sticking with Surfshark's apps, but if you're trying to connect your entire network to Surfshark directly through a router, the manual configuration will be welcome news.

In my testing over the years, Surfshark has consistently had some of the best speeds of any VPN I've used. Yes, it is slower than not using a VPN, but I have never had any problem streaming HD content through Surfshark. It's fast enough that in most cases you won't notice any speed degradation at all.

Surfshark is based in the British Virgin Islands, which, although technically a territory of Great Britain, is generally considered a safe haven and has no data-retention laws. What I don't like is that Surfshark is legally untested. The company has a zero-log policy, and you can (and should) opt out of the diagnostic crash reports in the app. Still, you're taking Surfshark at its word when it says it won't keep logs of your internet activity. Encouragingly, the company's browser extensions have undergone an independent security audit that didn't turn up any significant problems. 

Surfshark recently merged with NordVPN. So far we have not noticed any changes for its customers, but we will be keeping an eye on it going forward.

**Surfshark costs $2.50 per month if you buy two years up front, $4 per month if you buy one year up front.**

Best for Advanced Users

**Mullvad VPN**

Mullvad is based in Sweden and first came to my attention because of its early support for WireGuard, a faster protocol for tunneling VPN traffic.

Another thing I like is Mullvad's system for accepting cash payments. If you prefer to remain totally anonymous, you can generate a random account number, write that number down on a slip of paper, and mail it, along with cash, to Sweden. In theory, no one will be able to connect you to that account. (The truly paranoid will don a tinfoil hat, wear gloves, print from a public printer, and mail from a remote mailbox.) I have not tested the cash option, but I did recently extend my Mullvad subscription using bitcoin and it worked without a hitch.

Part of what I like about Mullvad is its down-to-earth approach that doesn't overhype with its marketing and helps users take additional steps to protect their privacy. For example, the company has an entire page showing you how to disable WebRTC in your web browser. As long as WebRTC is enabled (and it is by default in most browsers), websites can view your actual IP address even when you use a VPN.

Mullvad offers apps for every major platform, as well as routers. The applications are all open source, and you can check the code yourself on GitHub. The service has been independently audited as well. Advanced users can download configuration files and use them directly with OpenVPN or Wireguard.

In my testing, speeds were very good. I never encountered a situation where I couldn't get a fast connection. Over the years Mullvad has become the VPN I rely on day-to-day.

**Mullvad VPN costs 5 euros (around $6) per month, cash or charge.**

Best for VPN Newcomers

**TunnelBear VPN**

Choosing a VPN can be overwhelming. If you're tired of security mumbo jumbo and lock icons, TunnelBear might be the VPN for you. Its cute bear animations help demystify what VPNs do, how they work, and what they can offer you. Sometimes the easiest way to make technology more approachable is to put a friendly face on it.

Don't worry though, TunnelBear isn't all cute bear animations. It has the same security features as other VPN providers, like a no-logging policy and a clear privacy policy, and it's been independently audited.

In my testing, speeds with TunnelBear were competitive with the other options listed here. One of my favorite parts of TunnelBear is the free trial option, which makes it easy to test-drive it and see what your speeds are like without committing. TunnelBear has fewer geographic server locations than some of our other options, but unless you're traveling abroad or need to get around a specific geo-restriction, that shouldn't matter for most users.

**TunnelBear costs $3.33 per month if you buy one year up front****.**

Best for Circumventing Geographic Restrictions

**NordVPN**

NordVPN is one of the most popular VPNs around, thanks to a wide selection of servers and reasonable prices. It's also one of the most reliable ways I've found to circumvent location-based restrictions. I used it extensively while living in Mexico to get around Netflix's geographic restrictions. That said, this is a cat-and-mouse game; Netflix is always updating its server ban list, so NordVPN might not work in the future.

NordVPN is based out of Panama, which is not part of the Five Eyes, Nine Eyes, or 14 Eyes jurisdictions. That doesn't mean your government can't spy on you, but it does at least mean it will have to put in some extra legwork to do it (yes, that's about where we are these days). NordVPN has been audited a number of times, most recently in June of last year, when third-party auditor VerSprite found nothing amiss. As noted above, NordVPN and Surfshark recently announced a merger. Both will continue to operate as separate entities, but they are now a single company.

NordVPN also recently added a new service dubbed Threat Protection, which will block web-based trackers, phishing attempts, some ads, and malicious websites. I have not tested it extensively, and I personally rely on browser-based plug-ins to block threats like this. But if you're looking for an all-in-one solution, this might work.

I've never had an issue with speed using NordVPN, and the user interface of its apps is dead simple. Just click the country you want to use and the app will take care of connecting and configuring everything for you. If you want manual control, you can connect by using NordVPN's configuration files.

**NordVPN costs $5 per month if you buy one year up front. It also has frequent sales on a two-year deal that works out to about $3 a month.**

Best for High-Risk Use Cases

**Tor**

If you're in a situation where personal security is of the utmost importance, do not rely on a VPN. Use Tor (ideally through Tails) instead.

Using the Tor network accomplishes some of the same things as a VPN, but it's a little bit different. Tor provides anonymity, meaning no one can figure out who you are, but not necessarily privacy. People still might be able to see what you're doing, they just won't know it's you doing it. (VPNs provide privacy because no one can see what you're doing while you're going out of a VPN tunnel, but you don't have anonymity because the VPN provider knows who you are.)

Tor is simple to set up. All you need to do is download the Tor browser, and it will connect you to the web. Once you're connected to the Tor network, you can browse the web as you normally would. Except everything will be slower. When using Tor, your request for a website hops around the Tor network, bouncing between servers, before emerging and connecting to the actual site you want to visit. This makes Tor slow, sometimes incredibly slow, but that's necessary to protect your anonymity. And yes, you can combine a VPN with Tor, though that's somewhat beyond the scope of this guide.

How We Picked

VPN providers like to claim they keep no logs, which means they know nothing about what you do using their services. There are a variety of reasons to be skeptical about this claim, namely because they have to have a user ID of some kind tied to a payment method, which means the potential exists to link your credit card number (and thus your identity) to your browsing activity.

For that reason, I mainly limited my testing to providers that have been subpoenaed for user data in the US or Europe and failed to produce the logs or have at least undergone a third-party security audit. While these criteria can't guarantee the providers aren't saving log data, this method of selection gives us a starting point for filtering through the hundreds of VPN providers. Unfortunately other factors also come into play, VPNs that once made our list—Like ExpressVPN—are sometimes sold to less reputable companies. In cases like ExpressVPN I chose to remove it mainly because I have no way to know if it remains trustworthy or not.

Using these criteria, I narrowed the field to the most popular, reputable VPN providers and began testing them over a variety of networks (4G, cable, FiOS, and plenty of painfully slow coffee shop networks) over the past nine months. I tested network speed and ease of use (how you connect), and I also considered available payment methods, how often connections dropped, and any slowdowns I encountered.

Why You Might Not Need a VPN

It's important to understand not just what a VPN can do, but also what it can't do. As noted above, VPNs act like a protective tunnel. A VPN shields you from people trying to snoop on your traffic while it's in transit between your computer and the website you're browsing or the service you're using.

Public networks that anyone can join—even if they have to use a password to connect—are easy hunting grounds for attackers who want to see your network data. If your data is being sent unencrypted—like if the website you're connecting to doesn't use the secure HTTPS method—the amount of information an attacker can gather from you can be disastrous. Web browsers make it easy to tell when your connection is secure. Just look for a green lock icon at the top of your screen next to the web address. These days, most websites connect using HTTPS, so you're probably fine. But if that green lock icon isn't there, as it sometimes isn't on school, library, and small business websites, anyone can view whatever data you're sending. Unless you're using a VPN, which hides all of your activity, even on unencrypted websites.

Just connecting to a VPN isn't enough. Be sure to check out our guide to using a VPN to make sure you have everything set up correctly.

A VPN also changes your IP address, which adds an additional layer of protection. By giving you a different IP address, a VPN can make it appear as though you're in a different physical location. So even if you're sitting in California, the website you're accessing will think you're in Canada, Hungary, Uruguay, or Thailand. Unfortunately, this method of obscuring your location is not airtight. Technology built into web browsers that's known as WebRTC can leak your true IP address even when you're using a VPN. If this is a concern, disable WebRTC in your browser before connecting to a VPN. Mullvad has instructions on how to disable WebRTC in most browsers.

It's debatable how much masking your IP address really helps protect your privacy in the first place. Your IP address is only one of many, many bits of data websites collect about you. If privacy is your concern, you're better off using web browsers (and extensions) that offer additional tools to protect your privacy. Mozilla Firefox has several of these tools available. Or if you want to get serious about it, use the ultra-private Tor browser as noted above.

To add to the confusion around VPNs, providers—even some I've recommended here, unfortunately—often engage in misleading marketing. Nearly every VPN service website I visited had some kind of red banner claiming I was “not protected,” even when I was using a VPN at the time. The problem is that I wasn't using _their_ VPN. More honest VPN providers, like Mullvad, tell you what's actually happening: “You're not protected _by Mullvad_.” Kudos to Mullvad for not using fear to sell subscriptions.

Either way, the important thing to remember is that using a VPN does not make you anonymous. While VPNs may not be able to do much to protect your privacy, they are an essential tool when it comes to protecting you from snoops trying to gather your unencrypted data sent over insecure networks.

Tag

#ios