Connect with us

Biz & IT

Google’s Project Fi gets an improved VPN service

Published

on

Google’s Project Fi wireless service is getting a major update today that introduces an optional always-on VPN service and a smarter way to switch between Wi-Fi and cellular connections.

By default, Fi already uses a VPN service to protect users when they connect to the roughly two million supported Wi-Fi hotspots. Now, Google is expanding this to cellular connections, as well. “When you enable our enhanced network, all of your mobile and Wi-Fi traffic will be encrypted and securely sent through our virtual private network (VPN) on every network you connect to, so you’ll have the peace of mind of knowing that others can’t see your online activity,” the team writes in today’s announcement.

Google notes that the VPN also shields all of your traffic from Google itself and that it isn’t tied to your Google account or phone number.

The VPN is part of what Google calls its “enhanced network” and the second part of this announcement is that this network now also allows for a faster switch between Wi-Fi and mobile networks. When you enable this — and both of these features are currently in beta and only available on Fi-compatible phones that run Android Pie — your phone will automatically detect when your Wi-Fi connection gets weaker and fill in those gaps with cellular data. The company says that in its testing, this new system reduces a user’s time without a working connection by up to 40 percent.

These new features will start rolling out to Fi users later this week. They are off by default, so you’ll have to head to the Fi Network Tools in the Project Fi app and turn them on to get started. One thing to keep in mind here: Google says your data usage will likely increase by about 10 percent when you use the VPN.

Source link

Source link

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Biz & IT

Verizon’s Visible Wireless investigating hacked customer accounts

Published

on

Numerous Visible Wireless subscribers are reporting their accounts have been “hacked” this week. Visible runs on Verizon’s 5G and 4G LTE networks. Rather than being a Mobile Virtual Network Operator (MVNO), Visible is actually owned by Verizon.

Suspicions of a data breach at Visible started Monday when some customers saw random unauthorized purchases on their Visible accounts:

On the Visible subreddit, users have reported seeing unauthorized orders placed from their accounts, with a shipping address different from theirs:

Visible customer:
Enlarge / Visible customer: “Got hacked yesterday, order still shipped!!!”

Social media was flooded with similar reports of customers not receiving a response from Visible for days:

Credential stuffing likely the cause of hacked accounts

In an email sent out to customers and a public announcement posted yesterday, Visible shared what could be the cause of these hacks:

“We have learned of an incident wherein information on some member accounts was changed without their authorization. We are taking protective steps to secure all impacted accounts and prevent any further unauthorized access,” said Visible in an announcement. “Our investigation indicates that threat actors were able to access username/passwords from outside sources, and exploit that information to login to Visible accounts. If you use your Visible username and password across multiple accounts, including your bank or other financial accounts, we recommend updating your username/password with those services.”

Rather than a data breach at Visible itself, the company’s wording makes it sound like customer credentials were obtained from a third-party leak or breached database and then used to access customer accounts—a practice known as credential stuffing. The company advises customers to reset passwords and security information and will prompt users to re-validate payment information before further purchases can be made.

But experts have cast doubts on theories that this incident stemmed from credential stuffing, considering Visible also admitted to “technical issues” on its chat platform, with the company briefly unable to make any changes to customer accounts just this week. Visible’s tweet mentioning this information was deleted by the company.

Did Visible know about the incident since last week?

Although a public statement from Visible arrived yesterday, the company had first acknowledged the issue on Twitter on October 8, if not earlier. Interestingly, a vague reason was provided at the time—order confirmation emails having been erroneously sent out by Visible. “We’re sorry for any confusion this may have caused! There was an error where this email was sent to members, please disregard it.”

Visible had initially responded vaguely to concerns on Oct 8.
Enlarge / Visible had initially responded vaguely to concerns on Oct 8.

One Visible customer reacted angrily to the delay: “This response is completely irresponsible, given the fact that you are currently under attack and are aware of MANY users that have had their accounts compromised.”

Despite the panic generated among hacked customers, at least, one can find relief in the fact that customers won’t be held liable for any unauthorized charges. “If there is a mistaken charge on your account, you will not be held accountable, and the charges will be reversed,” states the company as the investigation continues.

In addition to monitoring for suspicious transactions, Visible customers impacted by the incident should change their credentials, both on Visible websites and any other websites where they have used the same credentials.

Continue Reading

Biz & IT

US gov’t will slap contractors with civil lawsuits for hiding breaches

Published

on

In a groundbreaking initiative announced by the Department of Justice this week, federal contractors will be sued if they fail to report a cyber attack or data breaches. The newly introduced “Civil Cyber-Fraud Initiative” will leverage the existing False Claims Act to pursue contractors and grant recipients involved in what the DoJ calls “cybersecurity fraud.” Usually, the False Claims Act is used by the government to tackle civil lawsuits over false claims made in relation to federal funds and property connected with government programs.

Cyber contractors chose silence “for too long”

“For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it,” states Deputy Attorney General Lisa O. Monaco, who is pioneering the initiative. “Well, that changes today. We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards—because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fisc and public trust.”

The introduction of the Civil Cyber-Fraud Initiative is the “direct result” of the department’s ongoing thorough review of the cybersecurity landscape ordered by the deputy attorney general in May. The goal behind these review activities is to develop actionable recommendations that enhance and expand the DoJ’s efforts for combating cyber threats.

The launch of the Initiative aims to curb new and emerging cybersecurity threats to sensitive and critical systems by bringing together subject-matter experts from civil fraud, government procurement, and cybersecurity agencies.

The development comes at a time when cyberattacks are rampant, and advanced ransomware gangs repeatedly target critical infrastructures, such as the Colonial Pipeline and health care facilities.

Provisions of the act would protect whistleblowers

The Civil Cyber-Fraud Initiative will utilize the False Claims Act, aka the “Lincoln Law,” which serves as a litigative tool to the government when placing liability on those who defraud government programs.

“The act includes a unique whistleblower provision, which allows private parties to assist the government in identifying and pursuing fraudulent conduct and to share in any recovery and protects whistleblowers who bring these violations and failures from retaliation,” explains the DoJ in a press release.

The initiative will hold entities, such as federal contractors or individuals, accountable when they put US cyber infrastructure at risk by knowingly “providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”

In summary, the Initiative is designed with the following objectives in mind:

  • Building broad resiliency against cybersecurity intrusions across the government, the public sector and key industry partners.
  • Holding contractors and grantees to their commitments to protect government information and infrastructure.
  • Supporting government experts’ efforts to timely identify, create and publicize patches for vulnerabilities in commonly used information technology products and services.
  • Ensuring that companies that follow the rules and invest in meeting cybersecurity requirements are not at a competitive disadvantage.
  • Reimbursing the government and the taxpayers for the losses incurred when companies fail to satisfy their cybersecurity obligations.
  • Improving overall cybersecurity practices that will benefit the government, private users, and the American public.

The timing of this announcement also coincides with the deputy attorney general’s creation of a “National Cryptocurrency Enforcement Team” designed to tackle complex investigations and criminal cases of cryptocurrency misuse. In particular, the team’s activities will focus on offenses committed by cryptocurrency exchanges and money-laundering operations.

What stands out, though, is that the Civil Cyber-Fraud Initiative would pursue those who were knowingly negligent in the implementation of a robust cybersecurity posture or knowingly misrepresented their cybersecurity practices—leaving room for plausible deniability.

Equally interesting is the fact that just two days ago, Senator Elizabeth Warren and Representative Deborah Ross proposed a new bill dubbed the “Ransom Disclosure Act.” The act would require ransomware victims to disclose details of any ransom amount paid within 48 hours of payment and to divulge “any known information about the entity demanding the ransom.”

Continue Reading

Biz & IT

Company that routes SMS for all major US carriers was hacked for five years

Published

on

Getty Images | d3sign

Syniverse, a company that routes hundreds of billions of text messages every year for hundreds of carriers including Verizon, T-Mobile, and AT&T, revealed to government regulators that a hacker gained unauthorized access to its databases for five years. Syniverse and carriers have not said whether the hacker had access to customers’ text messages.

A filing with the Securities and Exchange Commission last week said that “in May 2021, Syniverse became aware of unauthorized access to its operational and information technology systems by an unknown individual or organization. Promptly upon Syniverse’s detection of the unauthorized access, Syniverse launched an internal investigation, notified law enforcement, commenced remedial actions and engaged the services of specialized legal counsel and other incident response professionals.”

Syniverse said that its “investigation revealed that the unauthorized access began in May 2016” and “that the individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (‘EDT’) environment was compromised for approximately 235 of its customers.”

Syniverse isn’t revealing more details

When contacted by Ars today, a Syniverse spokesperson provided a general statement that mostly repeats what’s in the SEC filing. Syniverse declined to answer our specific questions about whether text messages were exposed and about the impact on the major US carriers.

“Given the confidential nature of our relationship with our customers and a pending law enforcement investigation, we do not anticipate further public statements regarding this matter,” Syniverse said.

The SEC filing is a preliminary proxy statement related to a pending merger with a special purpose acquisition company that will make Syniverse a publicly traded firm. (The document was filed by M3-Brigade Acquisition II Corp., the blank-check company.) As is standard with SEC filings, the document discusses risk factors for investors, in this case including the security-related risk factors demonstrated by the Syniverse database hack.

Syniverse routes messages for 300 operators

Syniverse says its intercarrier messaging service processes over 740 billion messages each year for over 300 mobile operators worldwide. Though Syniverse likely isn’t a familiar name to most cell phone users, the company plays a key role in ensuring that text messages get to their destination.

We asked AT&T, Verizon, and T-Mobile today whether the hacker had access to people’s text messages, and we will update this article if we get any new information.

Syniverse’s importance in SMS was highlighted in November 2019 when a server failure caused over 168,000 messages to be delivered nearly nine months late. The messages were in a queue and left undelivered when a server failed on February 14, 2019, and finally reached their recipients in November when the server was reactivated.

Syniverse says it fixed vulnerabilities

Syniverse said in the SEC filing and its statement to Ars that it reset or deactivated the credentials of all EDT customers, “even if their credentials were not impacted by the incident.”

“Syniverse has notified all affected customers of this unauthorized access where contractually required, and Syniverse has concluded that no additional action, including any customer notification, is required at this time,” the SEC filing said. Syniverse told us that it also “implemented substantial additional measures to provide increased protection to our systems and customers” in response to the incident, but did not say what those measures are.

Syniverse is apparently confident that it has everything under control but told the SEC that it could still discover more problems resulting from the breach:

Syniverse did not observe any evidence of intent to disrupt its operations or those of its customers and there was no attempt to monetize the unauthorized activity… While Syniverse believes it has identified and adequately remediated the vulnerabilities that led to the incidents described above, there can be no guarantee that Syniverse will not uncover evidence of exfiltration or misuse of its data or IT systems from the May 2021 Incident, or that it will not experience a future cyber-attack leading to such consequences. Any such exfiltration could lead to the public disclosure or misappropriation of customer data, Syniverse’s trade secrets or other intellectual property, personal information of its employees, sensitive information of its customers, suppliers and vendors, or material financial and other information related to its business.

Syniverse’s SEC filing was submitted on September 27 and discussed yesterday in an article in Vice’s Motherboard section. According to Vice, a “former Syniverse employee who worked on the EDT systems” said those systems contain information on all types of call records. Vice also quoted an employee of a phone company who said that a hacker could have gained access to the contents of SMS text messages.

Vice wrote:

Syniverse repeatedly declined to answer specific questions from Motherboard about the scale of the breach and what specific data was affected, but according to a person who works at a telephone carrier, whoever hacked Syniverse could have had access to metadata such as length and cost, caller and receiver’s numbers, the location of the parties in the call, as well as the content of SMS text messages.

“Syniverse is a common exchange hub for carriers around the world passing billing info back and forth to each other,” the source, who asked to remain anonymous as they were not authorized to talk to the press, told Motherboard. “So it inevitably carries sensitive info like call records, data usage records, text messages, etc. […] The thing is—I don’t know exactly what was being exchanged in that environment. One would have to imagine though it easily could be customer records and [personal identifying information] given that Syniverse exchanges call records and other billing details between carriers.”

Continue Reading

Trending