Friday Digest #3: VPN Vulnerabilities, U.S. Surveillance & The Sound of Shutdowns
Hey, it’s Sam.
This week we’re focusing on new research published by my colleagues at Top10VPN. We’ve also included some of our favorite news stories from the week and a couple of really interesting new tools.
If there’s a news story or research you think we should include in next week’s newsletter, please get in touch at research@top10vpn.com.
On Wednesday, my colleagues published our VPN Vulnerability Report 2023. The research used the American National Vulnerability Database (NVD) and the Common Vulnerabilities and Exposures system to examine threats posed to VPN products over the past three years.
The report reveals a 44% rise in VPN vulnerability disclosures in 2023, with a 54% increase in their severity.
My colleagues' findings are an important reminder that, like any software, VPNs are prone to vulnerabilities. Given their critical role in protecting sensitive data, it's vital that any VPN vulnerability is patched as soon as possible.
The vast majority of products discussed in the report are enterprise VPNs, with Cisco, Zyxel and OpenVPN products the most affected over the three-year period studied. It goes without saying that any exploit targeting unpatched versions of these products could have significant reputational and financial consequences for the businesses using them.
Our research highlights an alarming trend in VPN-related vulnerabilities in 2023. Not only has their frequency increased, so has their severity. It's essential that VPN providers patch vulnerabilities promptly, whilst users should keep both their systems and VPN software updated to reduce the risk of attack.
JP Jones, CTO Top10VPN.com
The report also provides a crucial overview of the threat landscape affecting VPN products that can't typically be made out from the drip-feed coverage of individual disclosures. The report's findings are open to interpretation, but the overall increase in vulnerabilities could be explained by the global increase in remote work, which has increased VPN usage and given security researchers a larger attack surface to probe for previously unknown vulnerabilities.
What's clear, though, is that highly dangerous command execution and injection vulnerabilities have almost doubled year-over-year, so enterprise VPN administrators in particular should be especially vigilant.
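The kind of year-over-year tally the report describes, as an added example rather than Top10VPN's own code: it reduces NVD-2.0-shaped records to a year, a CVSS base score and a set of CWE ids, then reports the change in disclosure count, the change in mean severity and how many records fall into a command-execution/injection class. The records, their placeholder ids and the CWE grouping are constructed assumptions; a real run would filter NVD API results by VPN product keywords.

```python
"""Year-over-year vulnerability statistics from NVD-style records (added example)."""
from collections import defaultdict
from statistics import mean

# Assumption: the "command execution and injection" class is approximated by these CWEs.
INJECTION_CWES = {"CWE-77", "CWE-78", "CWE-89", "CWE-94"}


def parse_record(cve):
    """Reduce one NVD 2.0 'cve' object to (year, CVSS v3.1 base score, CWE ids)."""
    year = int(cve["published"][:4])
    score = float(cve["metrics"]["cvssMetricV31"][0]["cvssData"]["baseScore"])
    cwes = {d["value"] for w in cve.get("weaknesses", []) for d in w["description"]}
    return year, score, cwes


def yearly_stats(records):
    """Per year: disclosure count, mean base score and injection-class count."""
    by_year = defaultdict(list)
    for cve in records:
        year, score, cwes = parse_record(cve)
        by_year[year].append((score, bool(cwes & INJECTION_CWES)))
    return {y: {"count": len(v),
                "mean_score": round(mean(s for s, _ in v), 2),
                "injection": sum(i for _, i in v)} for y, v in by_year.items()}


def pct_change(old, new):
    """Percentage change from old to new, one decimal place."""
    return round((new - old) / old * 100, 1)


def rec(cve_id, published, score, cwe):
    """Build a constructed NVD-2.0-shaped record (placeholder ids, not real CVEs)."""
    return {"id": cve_id, "published": published,
            "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": score}}]},
            "weaknesses": [{"description": [{"value": cwe}]}]}


# Constructed sample: three 2022 and four 2023 disclosures.
SAMPLE = [
    rec("EXAMPLE-2022-0001", "2022-03-01T00:00:00.000", 7.5, "CWE-787"),
    rec("EXAMPLE-2022-0002", "2022-07-15T00:00:00.000", 5.3, "CWE-200"),
    rec("EXAMPLE-2022-0003", "2022-11-02T00:00:00.000", 9.8, "CWE-78"),
    rec("EXAMPLE-2023-0001", "2023-01-20T00:00:00.000", 9.8, "CWE-78"),
    rec("EXAMPLE-2023-0002", "2023-04-09T00:00:00.000", 8.8, "CWE-89"),
    rec("EXAMPLE-2023-0003", "2023-06-30T00:00:00.000", 6.5, "CWE-287"),
    rec("EXAMPLE-2023-0004", "2023-10-11T00:00:00.000", 9.1, "CWE-94"),
]

if __name__ == "__main__":
    stats = yearly_stats(SAMPLE)
    print(stats, pct_change(stats[2022]["count"], stats[2023]["count"]))
```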
What we’re reading
Access Now: #KeepItOn in conflict: the human impact of internet shutdowns in Amhara region, Ethiopia
The reality of living through an internet shutdown is often overlooked, with those disconnected effectively silenced by their government. This report by Access Now is an important counterbalance, amplifying the voices of 11 people living through the ongoing restrictions in the Amhara region of Ethiopia.
The Record: Senate proposes surveillance bill without FBI warrant requirement
Section 702 of the Foreign Intelligence Surveillance Act is a controversial piece of legislation that allows the U.S. government to conduct targeted surveillance on people outside the United States. This week, a bipartisan group of U.S. Senators introduced a bill to extend the legislation by another 12 years. Importantly, the bill doesn’t require the FBI to obtain a warrant before tapping into NSA’s huge trove of data on U.S. citizens. It’s a concerning development that could lead to significant surveillance overreach with little judicial oversight.
The Guardian: Critics of Serbia’s government targeted with ‘military-grade spyware’
Researchers at Access Now, Amnesty International, Citizen Lab and the Share Foundation have found evidence that two pro-democracy activists in Serbia were targeted with invasive spyware. Luckily, the attempted attacks were unsuccessful, as both individuals had the latest version of iOS running on their iPhones.
NCSC, UK Government: Guidelines for secure AI system development
The UK’s National Cyber Security Centre (NCSC) has published guidelines for the development of secure AI systems. The guidelines cover four key areas of the development life cycle: design, development, deployment, and operation and maintenance. The guidelines advocate a 'secure by default' approach and have been endorsed by agencies from 18 countries.
TechCrunch: Okta admits hackers accessed data on all customers during recent breach
Okta, the U.S. access and identity management company, has admitted that a recent breach of its support systems impacted all of its customers, despite previously saying only 1% of customers had been affected. Its customers include 1Password, Cloudflare, OpenAI and T-Mobile, according to the company’s website, and a press release from the company details the specific data that may have been stolen.
Tools of the Week
IODA: Markup Studio and Data Download!
The team at IODA have released two new features this week: the Markup Studio and a data download option. The Markup Studio allows users to annotate Internet disruption reports with text, arrows and shapes to add additional context or explain the cause of connectivity disruptions. Additionally, users can now download connectivity signals in CSV format, enabling them to create new visualizations or conduct analyses using IODA data.
Milad Nasr et al., Extracting Training Data from ChatGPT
This paper from Google researchers reveals a method to extract ChatGPT’s training data, highlighting a significant weakness in the model's design. Despite ChatGPT being designed to prevent the regurgitation of training data, the authors developed an attack capable of extracting data directly from the model's training set. The findings raise serious privacy concerns and highlight the need for more robust testing and security measures in future AI models.
Arturo Filastò, The Sound of Internet Shutdowns
Discover what internet shutdowns sound like with this new tool made by OONI’s Arturo Filastò. Developed during a hackathon organised by OONI in collaboration with the Internet Society (ISOC), M-Lab, Censored Planet and IODA, the tool transforms IODA data into synthesized sounds. Check out what internet disruptions in Iran sound like in this example on YouTube and read more about the hackathon here.
Finally, if you missed Tor Project’s annual State of the Onion virtual event you can catch up on YouTube below. It includes updates from Tor’s teams and community, highlighting their work and the impact the team has made across the globe during the past year.