VPN
The latest news and reviews of VPNs.
DARPA-backed Power Pwn is power strip by day, superhero hack machine by night
Call the Power Pwn the champion of white hat hacking. Underneath that Clark Kent power strip exterior, there's a Superman of full-scale breach testing that can push the limits of just about any company network, whether it takes 3G, Ethernet or WiFi to get there. Pwnie Express' stealthy sequel to the Pwn Plug ships with a Debian 6 instance of Linux whose handy hacking tools are as easy to launch as they are tough to detect. There's just one step needed to create a snoop-friendly Evil AP WiFi hotspot, and the box dodges around low-level NAC/802.1x/RADIUS network authentication without any help; in the same breath, it can easily leap into stealth mode and keeps an ongoing encrypted link to give do-gooders a real challenge. The hacker doesn't even need to be in the same ZIP code to crack a firewall or VPN -- the 3G link lets the Power Pwn take bash command-line instructions through SMS messages and doles out some of its feedback the same way. While the $1,295 device can theoretically be used for nefarious purposes, DARPA's blessing (and funding) should help keep the Power Pwn safely in the hands of security pros and thwart more than a few dastardly villains looking for weak networks.
Samsung Galaxy S III gets enterprise-friendly version in the US, wears a Pebble Blue business suit
When Samsung launches its all-out blitz on the US with the Galaxy S III, it'll be targeting boardrooms as well as pockets: the Android 4.0 flagship will be the company's first American phone certified for its SAFE (Samsung Approved for Enterprise) program. Regardless of the carrier, the American Galaxy S III will handle 256-bit AES encryption as well as offer better support for Exchange, remote management and VPNs than what you'd normally find coming from a Google-powered device. Samsung describes it as a way to "defragment" Android for companies that want consistent guarantees of how the OS will behave in the office, and the firm is confident enough that it's offering trade-in discounts for those who want to swap an older device for the secure phone, whether or not it's part of a corporate deal. SAFE-ready examples should be arriving by July and could save you from having to bring an ancient company-supplied phone on summer vacation.
Good Technology debuts 'first secure browser' for enterprise Android deployments
Good Technology is touting the latest addition to its Good Mobile Access (GMA) Android software suite, a secure browser. The company's GMA offering gives corporate foot soldiers armed with a smartphone access to secure intranet resources without having to initiate a VPN session -- while simultaneously allowing IT folks to manage mobile ingress. By bringing a browser into the fold, Good's software will allow employees to access databases, resources and collaboration tools without ever having to leave the safe confines of GMA's sandbox. The software maker is targeting outfits with a bring-your-own-device policy in place (and war chests large enough to install the necessary back-end infrastructure). If you're interested in learning more, the full release awaits your review after the break.
US Cyber Command completes major cyber attack simulation, seems pleased with the results
The US Cyber Command is barely out of its infancy, but it's already crossed one milestone off its to-do list, with the successful completion of its first major test run. The exercise, known as Cyber Flag, was carried out over the course of a single week at Nellis Air Force Base in Nevada, where some 300 experts put their defense skills to the test. According to Col. Rivers J. Johnson, the participants were divided into two teams: "good guys" and "bad guys." The latter were tasked with infiltrating the Cyber Command's networks, while the former were charged with defending against the mock cyberattack and keeping the government's VPN free of malware. The idea, according to the agency, was to simulate a real-world attack on the Department of Defense, in order to better evaluate the Command's acumen. "There were a variety of scenarios based on what we think an adversary would do in real world events and real world time," Johnson explained. "It was a great exercise." The Colonel acknowledged that the good guys weren't able to defend against all of the attacks, but pointed out that the vast majority were recognized and mitigated "in a timely manner." All told, Cyber Flag was deemed a success, with NSA Director and Cyber Command chief Gen. Keith Alexander adding that it "exceeded" his own expectations.
Hotspot Shield adds iOS connection protection with inexpensive VPN
If you're a security-conscious web surfer -- or an international traveler who likes to maintain access to US-based video streaming or voice services -- you may already be one of the millions of users of AnchorFree's Hotspot Shield, one of the leading consumer virtual private network (VPN) services. VPNs have been a mainstay of distributed corporate workforces for years, but recently they've gained traction with everyday folk as well. This week, the company launched an iOS app that streamlines the connection process and adds bandwidth-saving compression on top of that, with a modest $9.99 yearly fee. The principles of a VPN are pretty straightforward. Normally, when you connect your computer to an unfamiliar network (wired or wireless), all your traffic back and forth is readily visible to anyone sitting on the same network segment; in the case of a public hotspot in a coffee shop, library or hotel, you might be sharing way more than you mean to. While many websites guard against snoopers by digitally protecting the login process with SSL encryption (that's the "S" in https://, indicating that the conversation between you and the remote site is protected), even that may not be enough to cover the bases. Last year, the Firesheep extension for Firefox demonstrated quite convincingly that on 'open' WiFi networks, even a secure web login might not be secure if the site drops the SSL encryption after the login process is done. VPNs protect against Firesheep and other eavesdropping as a side effect of their original intended purpose: creating a secure 'tunnel' between corporate or institutional networks and machines on outside networks like the Internet. The 'virtual private' part of VPN means that when you launch a VPN client, your computer is setting up an end-to-end encrypted connection with another computer someplace else, so you can access resources on that computer's remote network (printers, servers and such). 
All the traffic between point A and point B is incomprehensible to any other computers on those network segments, and assuming your VPN client is set up to route all your traffic through the remote server, you're protected from prying eyes at the next Starbucks table. Two caveats are worth keeping in mind. The tunnel ends at the VPN host: the VPN operator can see everything you send, and anything you send to a plain http:// site is back in the clear on the far side of the tunnel, so the VPN replaces the coffee-shop's eavesdroppers with the provider, it doesn't make unencrypted sites encrypted. And if the client only routes the remote network's addresses through the tunnel (a "split tunnel"), the rest of your traffic is still crossing the local Wi-Fi unprotected. While you might take a slight network performance hit from running a VPN, there are benefits beyond the security improvements. Since your tunnel is carrying all the Internet traffic to and from your machine, your VPN is acting like a network ventriloquist; it makes your 'voice' appear to be coming from somewhere else (in this case, the location of the remote VPN host). The advantages of this relocation range from the entertaining -- enabling sites like Hulu or Netflix to work for non-US users, or unlocking access to social sites like Facebook or MySpace from academic/business networks that block them -- to life-and-death, change-history important. If you're living in a country where control of the Internet is used as a tool of political repression, the opportunity to get access to the outside world via a VPN may make a huge difference. There's already a VPN client connection tool built into both iOS and OS X, so you're free to use most available VPN services with your Mac or your iPhone/iPad. The relevant acronyms are IPSec, PPTP and L2TP over IPSec; if your VPN host supports one of these protocols, the built-in client will connect. Prefer IPSec or L2TP/IPSec where you have the choice: PPTP's MS-CHAPv2 authentication has known weaknesses, and a captured PPTP session can be cracked offline by anyone who recorded it. You can check with your employer or school IT department to see if you already have VPN access that you can use for free. Going with a service like Hotspot Shield, however, means you don't need to think about that alphabet soup when you want to connect securely. Hotspot Shield's desktop offering is known for being dead easy to set up and use, so no surprise that the iOS app would aim for the same simplicity. 
Pick your plan (free seven-day trial, $0.99 monthly or $9.99 annual) and connect -- you can also adjust the image compression level that the app will apply to your browsing sessions, saving you room on your data plan in similar fashion to Onavo's app. The app runs gracefully in the background, protecting all your traffic (the app press release even cites iMessage exchanges as being guarded, but those already are covered by TLS encryption). If you're concerned about your mobile network security while using possibly un-guarded apps or websites, or you need to virtually relocate your connection, the seven-day trial of Hotspot Shield may be just the thing for you.
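The "assuming your VPN client is set up to route all your traffic" condition above is something you can check rather than assume. The script below is an added example written for this page (not from the article or from AnchorFree): it parses the IPv4 section of the routing table as `netstat -rn` prints it on OS X and BSD, and classifies the result as no VPN, split tunnel or full tunnel, including the OpenVPN-style pair of /1 routes that overrides the default without replacing it. The four tables are constructed; the interface names (`en0`, `ppp0`, `utun0`) and the 203.0.113.7 server address are assumptions.

```python
"""Is the VPN really carrying everything? Classify a `netstat -rn` routing
table (OS X / BSD format) as 'none', 'split' or 'full' tunnel.
Added example for this page; the sample tables below are constructed."""

TUNNEL_PREFIXES = ("ppp", "utun", "tun", "ipsec")  # usual VPN interface names on OS X/BSD


def parse_ipv4_routes(netstat_text):
    """Return (destination, gateway, netif) tuples from the 'Internet:' section.
    The Netif column position varies between OS versions, so it is located
    from the header line instead of hard-coded."""
    routes, netif_col, in_ipv4 = [], None, False
    for line in netstat_text.splitlines():
        if line.startswith("Internet:"):
            in_ipv4 = True
            continue
        if line.startswith("Internet6:"):   # IPv6 section: stop
            break
        if not in_ipv4 or not line.strip():
            continue
        cols = line.split()
        if cols[0] == "Destination":
            netif_col = cols.index("Netif")
            continue
        if netif_col is None or len(cols) <= netif_col:
            continue
        routes.append((cols[0], cols[1], cols[netif_col]))
    return routes


def is_tunnel(netif):
    return netif.startswith(TUNNEL_PREFIXES)


def tunnel_status(netstat_text):
    """'full'  : default route (or both 0/1 and 128/1 halves) leaves via a tunnel
       'split' : a tunnel exists but the default route still uses the physical NIC
       'none'  : no tunnel interface in the table at all"""
    routes = parse_ipv4_routes(netstat_text)
    by_dest = {}
    for dest, _gw, netif in routes:
        by_dest.setdefault(dest, netif)          # first (highest priority) entry wins
    default_iface = by_dest.get("default") or by_dest.get("0.0.0.0")
    tunnel_ifaces = sorted({n for _d, _g, n in routes if is_tunnel(n)})
    # "redirect-gateway def1" style: two /1 routes that shadow the real default
    halves_via_tunnel = all(is_tunnel(by_dest.get(d, "")) for d in ("0/1", "128/1"))
    if (default_iface and is_tunnel(default_iface)) or halves_via_tunnel:
        mode = "full"
    elif tunnel_ifaces:
        mode = "split"
    else:
        mode = "none"
    return {"mode": mode, "default_iface": default_iface, "tunnel_ifaces": tunnel_ifaces}


# Constructed samples (not captured from a real host).
HEADER = "Internet:\nDestination        Gateway            Flags        Refs      Use   Netif Expire\n"
NO_VPN = "Routing tables\n\n" + HEADER + """\
default            192.168.1.1        UGSc           42        0     en0
127                127.0.0.1          UCS             0        0     lo0
192.168.1          link#4             UCS             3        0     en0

Internet6:
Destination                             Gateway                         Flags         Netif Expire
::1                                     ::1                             UHL             lo0
"""
SPLIT = HEADER + """\
default            192.168.1.1        UGSc           42        0     en0
10.8/16            10.8.0.1           UGSc            0        0     ppp0
192.168.1          link#4             UCS             3        0     en0
"""
FULL = HEADER + """\
default            10.8.0.1           UGSc           42        0     ppp0
192.168.1          link#4             UCS             3        0     en0
203.0.113.7/32     192.168.1.1        UGSc            1        0     en0
"""
DEF1 = HEADER + """\
default            192.168.1.1        UGSc           42        0     en0
0/1                10.8.0.1           UGSc            0        0     utun0
128/1              10.8.0.1           UGSc            0        0     utun0
192.168.1          link#4             UCS             3        0     en0
"""

if __name__ == "__main__":
    for name, table in (("no VPN", NO_VPN), ("split", SPLIT), ("full", FULL), ("def1", DEF1)):
        print(f"{name:8s} -> {tunnel_status(table)}")
```

On a live Mac, feed it `subprocess.check_output(["netstat", "-rn"], text=True)`; anything other than "full" while you are on a hotspot means some of your traffic is bypassing the tunnel. The pinned host route to the VPN server (203.0.113.7/32 via en0 in the FULL sample) is normal and expected: the tunnel's own packets have to leave by the physical interface.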
China tightens grip on VPN access amid pro-democracy protests, Gmail users also affected
If you've been struggling to get your dose of Facebook or Twitter in China recently, then you're probably one of the many Internet users who've had their VPN access -- either free or paid for -- blocked over the last two weeks or so. That's right, the notorious Great Firewall of China is still alive and well, and leaving proxy servers aside, VPN is pretty much the only way for keen netizens to access websites that are deemed too sensitive for their eyes; or to "leap over the wall," as they say. Alas, the recent pro-democracy protests didn't exactly do these guys any favor -- for one, their organizers used Twitter along with an overseas human rights website to gather protesters, and with the National People's Congress meetings that were about to take place (and wrapped up last night), it was no surprise that the government went tough on this little bypassing trick. To make matters worse, PC World is reporting that Gmail users are also affected by slow or limited access, despite the service previously being free from China's blacklist. We reached out to a handful of major VPN service providers, and they all confirmed a significant increase in the amount of blockage -- possibly by having their servers' PPTP IP addresses blocked -- over the last two weeks. One company even spotted the Chinese government subscribing to its paid service, only to work its way into the network to locate the company's PPTP server list, and then put them behind the firewall. Fortunately for some, the better-off companies had backup servers to rapidly resolve the problem, whereas the cheaper and free services were unable to dodge the bullet. This just goes to show that sometimes you get what you pay for. That said, with practically unlimited human hacking power at its disposal, it doesn't take much for the firewall to shut down everything heading its way. For the sake of our friends and expats there, let's just hope that the government will take things down a notch as soon as the storm calms.
Samsung working with Sybase and Cisco to make Galaxy S II enterprise-friendly
BlackBerry may be the go-to enterprise smartphone platform, but Samsung is positioning its newly unveiled Galaxy S II as a new contender for the crown. To get there, Samsung's working with Sybase to bring far more advanced security to the handsets than stock Android offers, including control of individual applications and ports and also allowing for remote administration -- including admin-pushed app updates. Samsung also talked up the phone's Exchange compatibility and, with help from Cisco, the phone offers WebEx compatibility, VPN support, and VOIP calling. Know what this means? Your next corporate phone just got a lot more interesting.
How to guard yourself and your Mac from Firesheep and Wi-Fi snooping
The prevalence of free/cheap and open Wi-Fi networks in coffee shops, airports, offices and hotels is a great boon to the traveling Mac or iPad user; it makes connectivity and remote work much easier than it used to be. Unfortunately, since most of those networks don't employ WEP or WPA passwords to secure the connection between device and hotspot, every byte and packet that's transmitted back and forth is visible to all the computers on the wireless LAN, all the time (and a shared WPA password only keeps outsiders off: anyone who knows it and captures your device's connection handshake can decrypt your traffic too). While certain sites and services use full-time browser encryption (the ones that have URLs beginning with https:// and that show a lock in the browser status bar), many only encrypt the login session to hide your username and password from prying eyes. This, as it turns out, is the digital equivalent of locking the door but leaving the windows wide open. Firesheep is a Firefox extension which makes it trivially easy to impersonate someone to the websites they log in to while on the same open Wi-Fi network. It kicks in when you log in to a website (usually in a secure fashion, via HTTPS) and the site then redirects you to a non-secured page after login. Most sites that operate this way save your logged-in state in a browser cookie, which is sent in the clear with every subsequent request and can be 'sniffed' by a nogoodnik on the same network segment; that's what Firesheep does automatically. With the cookie in hand, it's simple to present it to the remote site and proceed to do bad things with the logged-in account. Bad things could range from sending fake Twitter or Facebook messages all the way up to, potentially, buying things on ecommerce sites. That process is known as "HTTP session hijacking" (informally, "sidejacking") and has been a known problem for several years, but many sites have not changed to protect their users. Firesheep has made this process of sidejacking very easy, and a reported 104,000+ people have downloaded it. It is important to realize that the security problem exists for users of all browsers. 
Firesheep is available only for Firefox, but that's just the exploit side; it will gladly harvest cookies from Safari, Chrome, IE or anything else. Unfortunately, you've got to assume that any unencrypted site you go to while on an open Wi-Fi network is susceptible to compromise by this attack. Read on for some suggested ways to combat this security challenge.
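To make the mechanism concrete, here is an added example written for this page (it is not Firesheep's code). The first half does what a sniffer on the same open Wi-Fi does: it parses a cleartext HTTP request, lifts the session cookie out of it, and builds the replay request a sidejacker would send, no password required. The second half is the check a site owner would run on their own responses: every cookie should carry the Secure flag (so the browser never sends it over http://), ideally HttpOnly, and the site should send a Strict-Transport-Security header so the browser refuses to fall back to plaintext at all. The host `social.example`, the cookie names and the token value are made up.

```python
"""Sidejacking, both sides: harvest a session cookie from a sniffed cleartext
request and replay it; then audit response headers for the flags that would
have prevented it. Added example for this page; all traffic below is constructed."""

from http.cookies import SimpleCookie


def parse_http_request(raw):
    """Split a cleartext HTTP/1.x request (bytes off the wire) into
    (method, path, headers). Header names are lower-cased for lookup."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def harvest_session(raw):
    """What the attacker gets for free: the host plus every cookie the
    browser attached to an http:// request."""
    _method, path, headers = parse_http_request(raw)
    jar = SimpleCookie()
    jar.load(headers.get("cookie", ""))
    return {"host": headers.get("host"), "path": path,
            "cookies": {name: morsel.value for name, morsel in jar.items()}}


def forge_request(host, path, cookies):
    """The sidejack itself: a fresh request carrying the stolen cookies.
    The site treats the cookie as proof of login, so no password is needed."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Cookie: {cookie_header}\r\n\r\n").encode("latin-1")


def audit_response_headers(header_lines):
    """Site-side check. Returns a list of findings; empty means the cookie
    cannot leak over http:// and the browser is pinned to https://.
    Note HttpOnly alone does NOT stop sidejacking (the cookie is still on
    the wire); Secure is the flag that matters here."""
    findings, has_hsts = [], False
    for line in header_lines:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "strict-transport-security":
            has_hsts = True
        elif name == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            cookie_name = parts[0].split("=", 1)[0]
            attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
            if "secure" not in attrs:
                findings.append(f"{cookie_name}: missing Secure (sidejackable over open Wi-Fi)")
            if "httponly" not in attrs:
                findings.append(f"{cookie_name}: missing HttpOnly")
    if not has_hsts:
        findings.append("no Strict-Transport-Security header")
    return findings


# Constructed sample traffic (host, cookie and token are made up).
SNIFFED = (b"GET /home HTTP/1.1\r\n"
           b"Host: social.example\r\n"
           b"User-Agent: Mozilla/5.0\r\n"
           b"Cookie: sessionid=7c4a8d09ca3762af61e59520943dc264; lang=en\r\n"
           b"Connection: keep-alive\r\n\r\n")
WEAK_RESPONSE = ["HTTP/1.1 200 OK",
                 "Set-Cookie: sessionid=7c4a8d09ca3762af61e59520943dc264; Path=/",
                 "Content-Type: text/html"]
HARDENED_RESPONSE = ["HTTP/1.1 200 OK",
                     "Set-Cookie: sessionid=7c4a8d09ca3762af61e59520943dc264; Path=/; Secure; HttpOnly",
                     "Strict-Transport-Security: max-age=31536000; includeSubDomains"]

if __name__ == "__main__":
    stolen = harvest_session(SNIFFED)
    print("harvested:", stolen)
    print(forge_request(stolen["host"], "/settings", stolen["cookies"]).decode())
    print("weak site:", audit_response_headers(WEAK_RESPONSE))
    print("hardened site:", audit_response_headers(HARDENED_RESPONSE))
```

The user-side fix is the one the article leads to: a VPN or SSH tunnel so the request never crosses the hotspot in the clear. The site-side fix is the audit's three items, and of those the Secure flag is the one that directly kills sidejacking.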
iPhone OS 4.0: Enterprise Features
Apple has posted an outline of what it believes to be the key enterprise features of iPhone OS 4.0. Third-party multitasking, enhanced security and mobile device management are among the marquee features. As a former IT director, I'm drawn in by mobile device management (MDM). Setting up individual pieces of hardware is a time-consuming hassle. New MDM APIs let developers integrate features like wireless configuration and update, remote wipes and policy compliance (no games, please!) into their apps. Additionally, wireless app distribution lets managers then install those apps over Wi-Fi and 3G. Apple also touts the unified email inbox and SSL VPN support along with pre-existing features like Exchange support. Still, there will be users who feel that the iPhone is a plaything when compared to the all-business Blackberry. May they enjoy their plastic QWERTY keyboards and multi-tasking prowess for years to come.
Ask TUAW: Silencing iPhone notifications, remote control a PC, printing over the internet, and more
Welcome back to Ask TUAW, our weekly troubleshooting Q&A column. This week we've got questions about controlling a PC over the internet, silencing iPhone email notifications at night, replacing a MacBook Pro SuperDrive with a hard drive, printing over the internet, setting iCal as the default calendar, and more. As always, your suggestions and questions are welcome. Leave your questions for next week in the comments section at the end of this post. When asking a question, please include which machine you're using and what version of Mac OS X is installed on it (we'll assume you're running Snow Leopard on an Intel Mac if you don't specify). And now, on to the questions.
LogMeIn to Mac users: No Hamachi² for you!
I'm not a fan of setting up Virtual Private Networks (VPNs). In fact, I've had so many issues with VPNs in the past that I now subcontract that work to a fellow geek who seems to have a knack for understanding the various settings. That's why I have been following Hamachi with great interest for the past several years. Hamachi is described on Wikipedia as "a zero-configuration virtual private network (VPN) shareware application capable of establishing direct links between computers that are behind NAT firewalls without requiring reconfiguration (in most cases); in other words, it establishes a connection over the Internet that very closely emulates the connection that would exist if the computers were connected over a local area network." LogMeIn, a commercial firm that produces both free and subscription services for controlling other machines, sent out an email to customers on Thursday touting Hamachi², their implementation of Hamachi. LogMeIn has been deeply involved in Hamachi development, so the announcement was expected. What I didn't expect to see was that they've left both Mac and Linux users out in the cold. I quickly jotted off an email to LogMeIn and received this response: "Mac is not currently supported, we do plan on adding support for other platforms but do not have an ETA at this time." For quite a while, there was an open source project called "Hamachi X," but it's no longer supported. Another developer took on the task of creating a Mac OS X and Linux Hamachi client called Hamachi Sidekick, which is a GUI to a command-line Hamachi tool. Unfortunately, LogMeIn also pulled the Mac OS X command-line interface (CLI) version of Hamachi, so there's no way to even try the CLI tool or Hamachi Sidekick now. LogMeIn may tout Hamachi² as "a VPN that just works," but for Mac users, it just doesn't work.
Securing your iPhone web traffic with Hotspot Shield
Have you ever wondered whether the wifi data you send and receive with your iPhone or iPod touch at the local coffee shop or airport is secure? Well, I bet if you hadn't wondered that before, you are now. It's easy to forget that inside that cute little handheld device live the guts of an actual computer, and likely a lot of personal data. Depending on your surfing habits, you could be sending and receiving personal information in a non-secure way over public wifi. If you're concerned about your data's safety, consider using Anchorfree's Hotspot Shield free VPN service. Hotspot Shield has been a great way to lock down your laptop's wifi for a long time now, and just recently they have released instructions on how to take advantage of their service on an iPhone / iPod touch. Pleasantly, the service does not require that a program be downloaded to your device, but rather takes advantage of the iPhone and iPod touch's built-in VPN functionality. My only gripe with Hotspot Shield is that it can sometimes be challenging to get the VPN to successfully connect. Anchorfree recommends performing a quick reboot of your device to get your connection going, but in my experience even that can be a hit-or-miss scenario. But it's still better than letting that creepy guy that keeps hitting on the barista peruse my http requests. 'Cause I'm not paranoid, but I'm sure that's what he's doing.
Friday Favorite: ShareTool
Another Friday Favorite, our weekly opportunity to get all sloppy over our most-loved applications. If you have an always-on Mac at home, a decent upstream connection and another Mac anywhere outside of your home network, you might find ShareTool to be as useful as I do. It allows you -- with an amazing degree of simplicity -- to access your Bonjour services on a remote machine as if you were still within your home network. It does this over an SSH-encrypted connection (and also automatically sets up a proxy for secure web-browsing over the tunnel). Yes, you can get some of these benefits with a simple SSH tunnel, or you could set up a VPN using HamachiX, but the simple fact that ShareTool "Just Works" makes it my favorite choice for everything from screen sharing to iTunes streaming. I use ShareTool on a Mac Mini, with an Airport Extreme Base Station on a connection that gets roughly 800 kbps average upload speed. iTunes streaming is flawless, and remote drive access is as good or better than just using SFTP. Setup is as simple as choosing a port (defaults to 22, the standard SSH port) to share on and hitting "Share" on your home Mac. After that, you can set it to start at login, and begin sharing on launch. Then, on your remote machine, you just need to enter an IP or domain and the port, and the rest is automatic. You can select which Bonjour services to enable or just go for broke and enable everything. I've got a static IP these days, but services like No-IP and DynDNS work great if you have a dynamic IP address. ShareTool can even handle updating the dynamic IP service for you, so you don't have to run any daemons. ShareTool is provided by YazSoft, and a free trial is available for download on the main page. The pricing structure requires a license for every computer, and a pair of licenses costs $30USD (5 for $75USD). YazSoft provides free updates within a major version number (1.x customers get all 1.x updates for free). 
If you're looking for an easy way to keep your entire home network handy anywhere you go, it might be worth a try.
Dragontech's ioBox-1000, your own private network
Have you ever dreamt of having your own, self-contained network in your house or office? Have you ever wanted to take full control of every aspect of a network -- banning, blocking, adding, limiting and deleting whomever you choose? Well listen pal, your egomaniacal dreams are about to come true, thanks to the ioBox-1000, a "network appliance" from Hong Kong-based Dragontech. Designed to eliminate servers and "centralize" networks, the company's odd looking purple box does a little of everything. The system, which acts as a wireless router, firewall, and VPN, as well as a mail, FTP and printer server, can also house your own, quasi-unique domain names (blank.ioboxusers.com), and includes a p2p blocker for when you really want to put the kibosh on your worker's / children's fun. The mysterious Dragontech claims all this power can be yours for less than $5 a day, which, assuming they mean $4.99, is $1821.35 per year. Enjoy, root.
Shimo 1.0
VPNs are a staple of corporate life nowadays. They create a secure connection from your computer to your company's computers using a 'Virtual Private Network.' This allows you to access company documents via public networks in a secure fashion. Cisco is a big player in the VPN market, and luckily for us OS X users there is a Mac client that allows connections from Macs to Cisco VPN appliances. Sadly, it sucks. The interface isn't Mac-like, and while it works it doesn't offer up any nice features like Keychain integration or automatic reconnects. Enter Shimo, from nexUmoja. This little program offers up an alternative UI to the Cisco client that adds a number of features including Keychain integration, Growl notifications, and auto reconnecting. All of this is great and as a user of Cisco's VPN client you would think I would use this without hesitation. Sadly, the whole point of VPNs is to make your communications more secure, and I simply don't trust a third party app sitting between my encrypted data and the Cisco VPN appliance. That's just me though, I'm slightly paranoid.
Ask TUAW: GPS, Hamachi, student questions, and more
Wednesday is Ask TUAW time! This week we tackle questions on GPS solutions on the Mac, zero-configuration VPN with Hamachi, dealing with a slow starting Mac, as well as a couple of student questions on taking notes and using the Summarize Service. As always, please leave your own comments, and ask more questions for next week either in the comments to this post or using the tip form. Now let's turn to the questions.
Take your PC anywhere with RingCube's MojoPac software
If your remote access setup just ain't cutting it, RingCube Technologies has developed software that allows your iPod, external HDD, USB drive, or other fancy form of storage to be utilized as a "private and portable PC." MojoPac manages to cram your Windows XP desktop, settings, accounts, and even programs and preferences onto any portable storage medium to be accessed as a virtual desktop. The software essentially relocates your data to an on-the-go device, while it borrows the resources from any other Windows XP computer you manage to locate. RingCube touts the software's ability to run "side-by-side" with the host PC, allowing you to work in both domains while keeping all of your private info secure; since all data transmissions reportedly occur on your MojoPac-equipped storage device, no traces of your work (in cache form or otherwise) are saved on the host PC. Of course, the utility of such a setup is greatly reliant on the speed of your storage device, so attempting to render a Photoshop document from a USB 1.1 thumb drive would likely create a fair amount of frustration. Nevertheless, satisfying your curiosity here won't cost a dime -- MojoPac is currently available for a free month-long trial, after which the "introductory price" is $29.99 for the initial license ($14.99 for add-ons), while the late bloomers will pay nearly double that. [Via SiliconValley]
One Time Password DisplayCard heightens transaction security
While we were a bit skeptical when Chase sent us one of their questionably-secure RFID-equipped "Blink" cards last year, we're gonna be all over a new technology from several companies that actually gives credit cards a heightened level of security by generating a one-time passcode for each transaction, viewable on an embedded e-ink display. The OTP DisplayCard, as it's being called, was developed by InCard Technologies in conjunction with security firm nCryptone using technology from SiPix Imaging and SmartDisplayer, and is being targeted at financial institutions or at other companies as a replacement for the password-generating key fobs used to enable VPN access to their intranets. While the added security feature would come into play for both online and in-person transactions, it will probably be most useful for Internet purchases, making your credit card info almost worthless to identity thieves who can't get their hands on the card itself. Oh, and to answer the inevitable question: no, these cards will not be able to play Doom. [Via mobileread]
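The article doesn't say which one-time-password algorithm the DisplayCard uses. As an added illustration of how event-based tokens of this kind are typically built (this is not InCard's or nCryptone's design), here is HOTP from RFC 4226, the open standard behind many of the key fobs the card is meant to replace, with both halves of the exchange: the card side that shows a fresh code on every button press, and the server side that verifies it. The verifier handles the practical failure mode such tokens have in the field, codes that were generated but never submitted, with a look-ahead window, and it refuses replays. The secret is the RFC's published test key, so the codes can be checked against its Appendix D; the `DisplayCard` and `HotpVerifier` names are mine.

```python
"""HOTP (RFC 4226): one-time codes from a shared secret and an event counter.
Added example for this page; the secret is the RFC 4226 test vector key."""

import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """HMAC-SHA1(secret, counter as 8-byte big-endian) -> dynamic truncation -> digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks the window
    binary = ((mac[offset] & 0x7F) << 24          # mask the sign bit
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


class DisplayCard:
    """Token side: a button press shows the next code and burns the counter."""

    def __init__(self, secret, digits=6):
        self.secret, self.digits, self.counter = secret, digits, 0

    def press(self):
        code = hotp(self.secret, self.counter, self.digits)
        self.counter += 1                          # a code is never shown twice
        return code


class HotpVerifier:
    """Server side: remembers the next counter it expects for this token and
    accepts a code only if it matches one of the next `window` counters. This
    tolerates presses whose codes were never submitted, then moves the counter
    past the accepted one so the same code (and any older one) is dead."""

    def __init__(self, secret, window=10, digits=6):
        self.secret, self.window, self.digits = secret, window, digits
        self.next_counter = 0

    def verify(self, code):
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.next_counter = c + 1
                return True
        return False                               # wrong, replayed, or drifted past the window


# RFC 4226 Appendix D test secret (ASCII "12345678901234567890").
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    card, server = DisplayCard(SECRET), HotpVerifier(SECRET)
    first = card.press()
    print("code 0:", first, "accepted:", server.verify(first))
    print("replay accepted:", server.verify(first))
    card.press(); card.press()                     # two codes shown, never typed in
    fourth = card.press()
    print("code 3 after skipping two:", fourth, "accepted:", server.verify(fourth))
```

The window is the trade-off: a wider one absorbs more stray presses but gives an attacker more guesses per attempt, which is why servers also rate-limit and lock the token after a run of failures. For a transaction-bound card the same construction applies, with transaction data mixed into the MAC input alongside the counter, so a code harvested for one purchase is useless for another.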
Setting up OS X as a VPN server
If you have spent any time in the corporate world you have probably heard of VPN. Virtual Private Networks are a way to securely connect to one network, say your work's network resources, from another place (like your home broadband connection). OS X Server has a VPN server baked right in that allows both OS X clients and Windows clients to connect securely, but how do you set it up? Maclive.net has just posted a great article that explores setting up an OS X VPN server as well as connecting to that server from a Mac or a Windows box.