This Week in Security: TunnelBear and IoT Locks

TunnelBear Publishes Audit

TunnelBear, the privacy and security-focused VPN service provider, has undergone a third-party audit that it is making public. Beginning in the winter of 2016, Cure53 performed infrastructure audits of TunnelBear apps, servers, and clients.

The first stage was a 30-day review of everything from the accessible API to the clients, uncovering some critical and high-priority vulnerabilities. Six months later, Cure53 returned for an 8-day review of the fixes and a general re-review of the infrastructure, finding no critical vulnerabilities and a single high-priority vulnerability that was swiftly fixed.

It’s great to see a provider seeking third-party audits and making them public. VPN providers are positioned to easily and quietly spy on users to exploit their data, just by the nature of the services they provide.

However, the audit’s focus on security leaves evaluation of marketing claims by the wayside. For example, the short technical summary PDF that is available doesn’t mention or verify TunnelBear’s “no logging” claim at all.

Hopefully, transparent evaluation of such claims occurs in future audits, and other VPN providers would do well to follow TunnelBear’s example in not only conducting independent audits, but making them public as well. While using an untrusted VPN provider is certainly not recommended, there are some things you can do to reduce a VPN provider’s visibility into your traffic:

  • Enforce using SSL/TLS whenever possible with HTTPS Everywhere, or similar browser extensions.
  • Use applications that provide end-to-end encryption to protect content.
  • Consider using Tor to protect web traffic generally from VPN provider access.
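The first item on that list rests on the idea that a browser can rewrite plain-http URLs to https before the request ever leaves the machine, so an on-path observer such as the VPN provider sees only a TLS connection rather than full URLs and page content. The following Python script is an added illustration of that mechanism and is not code from the original post, from TunnelBear, or from the HTTPS Everywhere project; the ruleset schema (targets, rewrite rules, exclusions), the `Ruleset`, `upgrade` and `audit` names, and the example.com/example.org rulesets are all constructed for this example. The `audit` function goes a step beyond the bullet point by reporting which URLs in a list would still travel as plaintext even after rewriting, which is the residual visibility the bullet is trying to reduce.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import urlsplit


@dataclass
class Ruleset:
    """A simplified, HTTPS Everywhere style ruleset (hypothetical schema, not the extension's)."""
    name: str
    targets: List[str]                     # host patterns; a leading "*." matches any subdomain
    rules: List[Tuple[str, str]]           # (from_regex, to_template) applied with re.subn
    exclusions: List[str] = field(default_factory=list)  # URL regexes that must stay untouched


def host_matches(pattern: str, host: str) -> bool:
    """Match a target pattern against a hostname, case-insensitively."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def upgrade(url: str, rulesets: List[Ruleset]) -> str:
    """Return the https form of a plain-http URL if a ruleset covers its host; otherwise the URL unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return url                      # already https, or not a web URL at all
    for rs in rulesets:
        if not any(host_matches(t, parts.hostname) for t in rs.targets):
            continue
        if any(re.search(ex, url) for ex in rs.exclusions):
            return url                  # explicitly excluded, e.g. a path known to break over TLS
        for from_re, to_tpl in rs.rules:
            new_url, count = re.subn(from_re, to_tpl, url)
            if count:
                return new_url
    return url


def audit(urls: List[str], rulesets: List[Ruleset]) -> Dict[str, List[str]]:
    """Classify each URL by what an on-path observer (e.g. a VPN provider) would still see."""
    report: Dict[str, List[str]] = {"upgraded": [], "still_plaintext": [], "already_encrypted": []}
    for u in urls:
        new = upgrade(u, rulesets)
        if new != u:
            report["upgraded"].append(new)            # rewritten; observer sees TLS + hostname only
        elif urlsplit(u).scheme == "http":
            report["still_plaintext"].append(u)       # full URL and body remain visible on the path
        else:
            report["already_encrypted"].append(u)
    return report


# Constructed rulesets for illustration; example.com / example.org are reserved documentation names.
RULESETS = [
    Ruleset(
        name="Example.com",
        targets=["example.com", "www.example.com"],
        rules=[(r"^http://(www\.)?example\.com/", r"https://\1example.com/")],
        exclusions=[r"^http://example\.com/legacy/"],
    ),
    Ruleset(
        name="Example.org (wildcard)",
        targets=["*.example.org"],
        rules=[(r"^http://([^/]+\.example\.org)/", r"https://\1/")],
    ),
]

if __name__ == "__main__":
    # Constructed sample of URLs a browser might request during one session.
    sample = [
        "http://www.example.com/login",
        "http://example.com/legacy/page",
        "http://cdn.example.org/app.js",
        "http://other.test/index.html",
        "https://www.example.com/account",
    ]
    for category, urls in audit(sample, RULESETS).items():
        print(f"{category}:")
        for u in urls:
            print(f"  {u}")
```

The exclusion list is the important edge case: real rulesets carry exclusions for paths that break under TLS, and every excluded URL is one the provider can still read in full, which is why the list above pairs the browser extension with end-to-end encrypted applications and Tor rather than relying on URL rewriting alone.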

When IoT Locks Spontaneously Break…

The world of the Internet of Things (IoT) is known for goofy gadgets and practical tools that, almost as a rule, are both insecure and connected to the Internet. Securely developing, producing, and maintaining these devices is certainly no small task, (Read more...)

*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by Cylance Research and Intelligence Team. Read the original post at: