TunnelBear completes industry’s first public security audit

TunnelBear has been my VPN service of choice for just over a year. I was excited to read that TunnelBear has undergone a public security audit by Germany-based penetration testing company Cure53. This gives confidence I’ve chosen the right VPN provider and that TunnelBear isn’t scraping and selling my browsing data.

TunnelBear Blog, 07 August 2017

Consumers and experts alike have good reason to question the security claims of the VPN industry. Over the last few years, many less reputable VPN companies have abused users’ trust by selling their bandwidth, their browsing data, offering poor security or even embedding malware.

Being within the industry, it’s been hard to watch. We knew TunnelBear was doing the right things. We were diligent about security. We deeply respected our users’ privacy. While we can’t restore trust in the industry, we realized we could go further in demonstrating to our customers why they can, and should, have trust in TunnelBear.

Today, we’d like to announce TunnelBear has completed the Consumer VPN industry’s first 3rd party, public security audit. Our auditor, Cure53, has published their findings on their website and we’re content with the results.

However, the recent crisis of trust in the VPN industry showed us we needed to break the silence and share Cure53’s findings publicly. Today we’re sharing a complete public audit which contains both the results from last year and the results from the current audit.

You can read the full report on Cure53’s website.

1Password responds about local vaults

This is a follow-up to my article of July 12, 2017. Dave Teare, in an AgileBits blog post, has clarified that for now local vaults will continue to be supported.

blog.agilebits.com · by Dave Teare · July 13, 2017:

Many Mac users worry that the same fate awaits 1Password 6 for Mac, and that we will remove support for local vaults and force them to pay again.

This isn’t going to happen. First, it would be evil to take away something you’ve already paid for. And evil doesn’t make for a Happy 1Password Customer, which is the cornerstone for a Happy 1Password Maker. It’s simply not who we are.

For those who purchased 1Password 6 for Mac already, you’re perfectly fine the way you are and can continue rocking 1Password the way you have been. There’s no requirement to change anything as we will not be removing features or forcing you to subscribe. In fact we’re still selling licenses of 1Password 6 for Mac for those that really need them (you can find them today on the setup screen under More Options).

And you need not worry about 1Password 7 for Mac, either, as it will continue to support standalone vaults just like version 6 does today.

We know that not everyone is ready to make the jump yet, and as such, we will continue to support customers who are managing their own standalone vaults. 1Password 6 and even 1Password 7 will continue to support standalone vaults.

There’s a message in Dave’s closing statement:

But 1Password memberships are indeed awesome and are the best way to use 1Password, and as such, I am going to continue to nudge you over whenever I can.

1Password takes it on the chin over subscriptions and cloud vaults

There was a lot of buzz over the weekend about the future of 1Password when it emerged that the service’s new subscription-based model will push users to adopt a cloud-based password storage system over locally stored password vaults.

Lorenzo Franceschi-Bicchierai writing at Motherboard:

In the last few years, 1Password has become a favorite for hackers and security researchers who often recommend it above all other alternatives… Last weekend, though, several security researchers tweeted that 1Password was moving away from allowing people to pay for a one-time license and have local password vaults, in favor of its cloud-based alternative that requires a monthly subscription.

I moved from LastPass to 1Password in Oct 2015. Why? The main reason was local vault versus having my vault on the web.

I have to say, I wouldn’t be happy if I were being forced to move to a 1Password cloud subscription plan. If I were, I’d be pissed off enough to move back to LastPass. At this point, I’m not. From reading the forums and comments by Dave Teare, we tech-savvy users, who want control over our vault, will be able to continue using our local vault version of 1Password for the foreseeable future.

For new users, it’s going to be difficult to buy a license for the local vault version. I searched the 1Password website and saw no option to buy the standalone version. From reading the forums, it sounds like the only way to do this is to write to 1Password and request it.

Cyberscoop:

Yet even with the statements provided to the public, the messaging has been mixed at best. On the product’s support forums, customers are regularly complaining that it’s become a huge challenge to buy and use the local vault version of 1Password while employees say such a request is now “complicated” and that they “want all new customers to use 1Password.com subscriptions as it is simpler to use by default.”

Dave Teare says, March 1, 2017 at 9:01 pm:

You asked “why not?” have both 1Password memberships and standalone licenses at the same time. Certainly you’re right that I don’t want to do anything to piss off our long time customers. And that’s exactly why we’re rolling out 1Password memberships exactly the way we are. You can purchase a standalone license today just like you could last week.

In defense of 1Password, I would agree that the cloud subscription model is far easier for the average non-techie user to set up and use.

Apple releases security updates for iPhone and Mac. Update now and be safe online.

On Monday, Apple released security updates: iOS 10.3.2 (for iPhone and iPad users), macOS, and OS X. They also released updates for watchOS 3.2.2, iTunes, Safari, tvOS and iCloud for Windows 6.2.1.

Looking at the list of fixes it is clear that scores of security vulnerabilities have been addressed for iPhones, iPads and Macs.

US-CERT encourages users and administrators to apply the necessary updates.

Apple Says It Has Patched The Vulnerabilities Mentioned In The Wikileaks Dump Of CIA Cyber Tools

Yesterday Wikileaks leaked documents named Vault 7. Vault 7 details the government’s efforts to hack popular devices like iPhones, Android phones, and Samsung smart TVs. According to a Wikileaks Vault 7 press release the CIA has a special branch dedicated to attacks against the iPhone.

Despite iPhone’s minority share (14.5%) of the global smart phone market in 2016, a specialized unit in the CIA’s Mobile Development Branch produces malware to infest, control and exfiltrate data from iPhones and other Apple products running iOS, such as iPads. CIA’s arsenal includes numerous local and remote “zero days” developed by CIA or obtained from GCHQ, NSA, FBI or purchased from cyber arms contractors such as Baitshop. The disproportionate focus on iOS may be explained by the popularity of the iPhone among social, political, diplomatic and business elites.

Yesterday, Apple said in a statement provided to TechCrunch that most of the vulnerabilities detailed in the leaks have been patched.

“Apple is deeply committed to safeguarding our customers’ privacy and security. The technology built into today’s iPhone represents the best data security available to consumers, and we’re constantly working to keep it that way. Our products and software are designed to quickly get security updates into the hands of our customers, with nearly 80 percent of users running the latest version of our operating system. While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities. We always urge customers to download the latest iOS to make sure they have the most recent security updates.”

I think this tweet puts the whole thing in perspective.

WhatsApp is rolling out Two-Step Verification security feature to all users

WhatsApp has rolled out two-step verification to all of its users this week. They announced it through an updated FAQ on their website.

Two-step verification is an optional feature that adds more security to your account. When you have two-step verification enabled, any attempt to verify your phone number on WhatsApp must be accompanied by the six-digit passcode that you created using this feature.

To enable two-step verification, open WhatsApp > Settings > Account > Two-step verification > Enable.

Upon enabling this feature, you can also optionally enter your email address. This email address will allow WhatsApp to send you a link via email to disable two-step verification in case you ever forget your six-digit passcode, and also to help safeguard your account. We do not verify this email address to confirm its accuracy. We highly recommend you provide an accurate email address so that you’re not locked out of your account if you forget your passcode.

WhatsApp is available as a free download on the App Store for iPhone.

The “Family Tree Now” Website Knows A Lot About You And It’s Creepy As Hell

A couple of weeks ago I saw a segment on the NBC Today Show about a website called Family Tree Now. I’d never heard of it. But it knew a lot about me.

Family Tree Now is a genealogy website that can be used to look up almost anyone’s personal information. Addresses, family members, and known associates are free for anyone to find.

Check it out for yourself here. If you’re surprised at what you see, you’ll most likely want to opt out like I did.

Here’s how. Patrick Allen, writing for Lifehacker, offered up information on how to opt out from Family Tree Now, Whitepages, Spokeo, and other popular free people search engines just like it. You’ll find his article here.

Apple releases security updates for iOS, macOS, and Safari

On Monday Apple issued security updates fixing security vulnerabilities in iOS, macOS, and Safari.

iOS 10.2.1 is an extremely important update that fixes over a dozen vulnerabilities of varying degrees of severity, some of them serious. You’ll want to run this update at your earliest convenience. This is a free update and can be downloaded over-the-air from your device.

macOS Sierra 10.12.3 fixes a variety of vulnerabilities as well as an update to Safari. This is a free update and can be downloaded from the App Store.

If you have an Apple Watch or Apple TV, there are also security updates for those devices.