McAfee, a security giant that offers anti-virus protection and other security services, has acquired TunnelBear, a Canadian VPN service provider. TunnelBear will be integrated into McAfee’s own Safe Connect VPN service, while it will still continue developing its own products.
McAfee is not the first big security company to purchase a VPN in order to increase the range of their security products and to ride the wave of growing popularity of VPNs. AVG has acquired Privax (parent company of HideMyAss VPN), and Symantec (which also owns Norton Anti-Virus) has bought SurfEasy VPN from Opera Software.
However, many TunnelBear users expressed their concerns about an independent VPN being purchased by a security giant and said they would switch to another VPN provider. Many are questioning what will happen to their private data held by TunnelBear. One of the issues raised in forums was the fact that TunnelBear had collected money from the National Research Council of Canada, meaning it might have been already inclined to sell user information. As for McAfee, it was previously owned by Intel, which is very interested in private data and still keeps a part of its shares in the company.
VPN Providers Comment on the Acquisition
“We are glad that independent VPNs – that probably started as small tech startups – are now getting the recognition and are wanted by the world’s largest security companies,” said Marty P. Kamden, CMO of NordVPN. “It’s very likely that many other VPNs will be purchased by large companies in the future. While this is a positive development, on the other hand, trustworthy independent VPNs seem to be more flexible when it comes to security and privacy protection. Moreover, when choosing a VPN provider, users are putting their trust towards that one specific company. And trust is not something you can simply transfer from company to company without users’ consent.”
Another VPN service provider, SaferVPN, confirmed they had had a few offers to sell their company, but refused as selling out to a bigger corporation would go against their values. SaferVPN also believes that independent VPNs are more reliable. “We definitely believe that full dedication to customers’ privacy can only be maintained at an independent VPN company. With a larger company there are more attack vectors that can be exploited to steal user data, and more risks to customers’ privacy,” said Yura Sherman, Product Manager at SaferVPN.
VPN Unlimited confirmed that larger companies might influence any process in the company they acquire. “The recent example with Onavo Protect, which was acquired by Facebook in 2013, shows that sometimes privacy is not the primary aim for the VPN launch,” said Vasiliy Ivanov, CEO at KeepSolid, the company of VPN Unlimited.
Many stand-alone VPNs have their headquarters in countries where governments do not have the right to access users’ logs. As an example, NordVPN is based in Panama, which allows the company to collect no logs and keep user data completely private. McAfee is located in California, the U.S., which means its VPN user information might be subject to investigation based on U.S. court orders. Some VPN providers prefer the EU as a more secure location than the U.S.
“We think that independent providers will be able to provide better privacy. A larger company is usually subject to more than one jurisdiction and the privacy related laws are different. In our opinion, the European VPN providers (that will fully implement GDPR) should be the first option (at least) for European Union clients. This will ensure them that the data collected is minimal when an account is created or an order is placed,” said Dan Gurghian, Managing Partner at ibVPN.
“The idea of a VPN – which is supposed to encrypt all users’ communications into a secure tunnel, not seen by any third parties – loses its meaning when a VPN might be legally bound to start collecting and sharing its users’ information. Even if governments do not intrude into privacy, there are third parties interested in private data – it could be Intel, research organizations or advertisers,” said Marty P. Kamden of NordVPN. “Therefore, Internet users need to have more choice. Some might want to go with a large security company, like McAfee, since it’s a familiar name on the market. Thanks to McAfee, many people will be trying VPN for the first time. Other users, however, need more privacy guarantees and would rather choose an established VPN provider that promises a certain level of privacy and continues to offer independent service.”
Overall, surveyed VPNs agreed that staying independent guarantees more privacy and security for their users. However, Simon Specka, Co-Founder of ZenMate, said there shouldn’t be a black and white distinction between independent organizations and large companies. “It’s not possible to say that a smaller organization is “better” or “worse” – a company’s quality is dependent on the shareholding that has the controlling majority,” he said.
In the end, it will be up to users to decide whether they want to stick with independent VPNs or to go with a larger security company, but the level of concern shows many still prefer independent companies.
GrayKey, The Device That Unlocks ANY iPhone Is Spotted In The Wild
Posted in Commentary with tags Apple on March 16, 2018 by itnerd
In an interesting scoop, MalwareBytes managed somehow to get pictures of GrayKey. This is the device that I told you about that unlocks any iPhone. How does it work? Here’s a rundown:
Two iPhones can be connected at one time, and are connected for about two minutes. After that, they are disconnected from the device, but are not yet cracked. Some time later, the phones will display a black screen with the passcode, among other information. The exact length of time varies, taking about two hours in the observations of our source. It can take up to three days or longer for six-digit passcodes, according to Grayshift documents, and the time needed for longer passphrases is not mentioned. Even disabled phones can be unlocked, according to Grayshift.
After the device is unlocked, the full contents of the filesystem are downloaded to the GrayKey device. From there, they can be accessed through a web-based interface on a connected computer, and downloaded for analysis. The full, unencrypted contents of the keychain are also available for download.
MalwareBytes saw this in action with an iOS 11.2.5 device, which is slightly behind the current release of iOS, which is 11.2.6. MalwareBytes assumes it is using some sort of jailbreaking process, which seems like a reasonable assumption. That means that this is something that Apple can potentially address in a software update, once they somehow acquire this box so that they can see how it works. Which you know will happen one way or another. That begs the question, if Apple develops countermeasures to this, how long would it take for GrayShift to adapt and be able to crack iPhones again?
Now there are two flavors of this device:
The GrayKey device itself comes in two “flavors.” The first, a $15,000 option, requires Internet connectivity to work. It is strictly geofenced, meaning that once it is set up, it cannot be used on any other network.
However, there is also a $30,000 option. At this price, the device requires no Internet connection whatsoever and has no limit to the number of unlocks. It will work for as long as it works; presumably, until Apple fixes whatever vulnerabilities the device relies on, at which time updated phones would no longer be unlockable.
The offline model does require token-based two-factor authentication as a replacement for geofencing for ensuring security. However, as people often write passwords on stickies and put them on their monitors, it’s probably too much to hope that the token will be kept in a separate location when the GrayKey is not being used. Most likely, it will be stored nearby for easy access.
And that’s the one thing that is a concern. If the more upscale model got into the wrong hands, it could become a huge problem as no iPhone would be safe. Also, it’s assumed that this is being sold to law enforcement as the price points are more than affordable. But rogue nations who oppress their citizens could be buyers as well. That’s kind of concerning. But I don’t see GrayShift, the company behind this, telling the world who the buyers of this product happen to be.
I’m going to sit back and watch the fireworks that this box creates. The fact that it even exists and seems to work is going to get a whole lot of attention from a lot of interested parties. And that will create ripple effects for all to feel.