VPN service provider Hola is not out of the woods yet. Hola executives have been accused of falsely claiming to have patched the two security holes that they recently admitted to. Researchers at Vectra have additionally claimed that Hola broke their vulnerability checker to avoid further detection, adding that there were four more vulnerabilities than Hola had admitted to. Vectra went on to reveal:
“While analyzing Hola, Vectra Threat Labs researchers found that in addition to behaving like a botnet, Hola contains a variety of capabilities that almost appear to be designed to enable a targeted, human-driven cyber attack on the network in which an Hola user’s machine resides,” the company writes.
“First, the Hola software can download and install any additional software without the user’s knowledge. This is because in addition to being signed with a valid code-signing certificate, once Hola has been installed, the software installs its own code-signing certificate on the user’s system.”
If the implications of that aren’t entirely clear, Vectra assists on that front too. On Windows machines, the certificate is added to the Trusted Publishers Certificate Store, which allows *any code* to be installed and run with no notification given to the user. That is frightening.
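A defender can review what the Trusted Publishers store on a Windows machine currently holds and compare it with an approved list. The PowerShell below is an added example, not code from Vectra or Hola; the function name `Get-TrustedPublisherAudit`, the `-SubjectPattern` placeholder and the baseline file of approved thumbprints are assumptions, since the article does not give the certificate's subject or thumbprint.

```powershell
# Added example: audit the Windows Trusted Publishers certificate stores.
function Get-TrustedPublisherAudit {
    [CmdletBinding()]
    param(
        # Assumption: placeholder; the article does not name the certificate subject.
        [string]$SubjectPattern = 'PUBLISHER-NAME-PLACEHOLDER',
        # Assumption: optional text file with one approved thumbprint per line.
        [string]$BaselinePath
    )

    # Load approved thumbprints, if a baseline file was supplied.
    $approved = @()
    if ($BaselinePath -and (Test-Path -Path $BaselinePath)) {
        $approved = Get-Content -Path $BaselinePath |
            ForEach-Object { $_.Trim().ToUpperInvariant() } |
            Where-Object { $_ }
    }

    # Machine-wide and per-user Trusted Publishers stores.
    $stores = 'Cert:\LocalMachine\TrustedPublisher',
              'Cert:\CurrentUser\TrustedPublisher'

    foreach ($store in $stores) {
        if (-not (Test-Path -Path $store)) { continue }

        Get-ChildItem -Path $store | ForEach-Object {
            [pscustomobject]@{
                Store          = $store
                Subject        = $_.Subject
                Issuer         = $_.Issuer
                Thumbprint     = $_.Thumbprint
                NotBefore      = $_.NotBefore
                NotAfter       = $_.NotAfter
                # Heuristic only: subject equal to issuer suggests a self-signed certificate.
                SelfSigned     = ($_.Subject -eq $_.Issuer)
                MatchesPattern = ($_.Subject -like "*$SubjectPattern*")
                # True when a baseline was given and this thumbprint is not in it.
                NotInBaseline  = ($approved.Count -gt 0 -and
                                  $approved -notcontains $_.Thumbprint.ToUpperInvariant())
            }
        }
    }
}

# Show every entry, listing the ones missing from the baseline first.
Get-TrustedPublisherAudit |
    Sort-Object -Property @{ Expression = 'NotInBaseline'; Descending = $true }, Store |
    Format-Table -AutoSize -Wrap
```

Entries that appear in neither the organisation's software deployment records nor the baseline are the ones to investigate.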
Furthermore, Vectra found that Hola contains a built-in console (“zconsole”) that is not only constantly active but also has powerful functions including the ability to kill running processes, download a file and run it whilst bypassing anti-virus software, plus read and write content to any IP address or device.
“These capabilities enable a competent attacker to accomplish almost anything. This shifts the discussion away from a leaky and unscrupulous anonymity network, and instead forces us to acknowledge the possibility that an attacker could easily use Hola as a platform to launch a targeted attack within any network containing the Hola software,” Vectra says.
Users should be aware that there are a number of safe VPN options; internet privacy, by way of a decent VPN service, should not be viewed as a luxury. Users should also be reminded that a 'free' service provider is going to seek other revenue streams if it cannot get users to pay directly for its product.