For the second time in roughly a year , D-Link has failed to act on warnings Vulnerability-related.DiscoverVulnerability from security researchers involving the company ’ s routers . The latest incident arose after Silesian University of Technology researcher Błazej Adamczyk contacted Vulnerability-related.DiscoverVulnerability D-Link last May about three vulnerabilities affecting Vulnerability-related.DiscoverVulnerability eight router models . Following the warning Vulnerability-related.DiscoverVulnerability , D-Link patched Vulnerability-related.PatchVulnerability two of the affected routers , but did not initially reveal Vulnerability-related.DiscoverVulnerability how it would proceed for the remaining six models . After further prompting Vulnerability-related.DiscoverVulnerability from Adamczyk , D-Link revealed Vulnerability-related.DiscoverVulnerability that the remaining six routers would not get Vulnerability-related.PatchVulnerability a security patch because they were considered end-of-life models , leaving affected owners out in the cold . “ The D-Link models affected Vulnerability-related.DiscoverVulnerability are the DWR-116 , DWR-140L , DWR-512 , DWR-640L , DWR-712 , DWR-912 , DWR-921 , and DWR-111 , six of which date from 2013 , with the DIR-640L first appearing Vulnerability-related.DiscoverVulnerability in 2012 and the DWR-111 in 2014 , ” Naked Security reported . Though these are not current models in D-Link ’ s portfolio , many of the listed models are still likely to be in use . As a result of this impasse , Adamczyk released details Vulnerability-related.DiscoverVulnerability about the security flaws , following responsible security protocols after giving D-Link notice and the opportunity to address Vulnerability-related.PatchVulnerability the issues . Of significance is that this is the second time in about a year that D-Link has failed to address Vulnerability-related.PatchVulnerability security vulnerabilities affecting Vulnerability-related.DiscoverVulnerability its products after being notified Vulnerability-related.DiscoverVulnerability by researchers . The security researcher noted Vulnerability-related.DiscoverVulnerability that the new flaw arose Vulnerability-related.DiscoverVulnerability after D-Link reported that it had fixed Vulnerability-related.PatchVulnerability a prior security flaw . Also known as “ directory traversal ” or “ dot dot slash ” attacks , these flaws allow a malicious attacker to gain access to system files with a simple HTTP request . Despite D-Link ’ s spotty history with supporting older router models , the manufacturer is not alone in leaving routers unpatched Vulnerability-related.PatchVulnerability . The American Consumer Institute reported Vulnerability-related.DiscoverVulnerability that of the 186 routers it had tested , 155 contained Vulnerability-related.DiscoverVulnerability firmware vulnerabilities . In total , ACI discovered Vulnerability-related.DiscoverVulnerability more than 32,000 known vulnerabilities in its study . “ Our analysis shows that , on average , routers contained Vulnerability-related.DiscoverVulnerability 12 critical vulnerabilities and 36 high-risk vulnerabilities , across the entire sample , ” ACI noted in its report . “ The most common vulnerabilities were medium-risk , with an average of 103 vulnerabilities per router. ” For shoppers who are in the market for a new router , it ’ s probably best to also check with the manufacturer to see what the supported lifespan of the router is . If the router is nearing its end of life , as in the case illustrated here , you may not get Vulnerability-related.PatchVulnerability patches , regardless of how serious a security vulnerability may be . If you have an older router , you may want to consider checking out our guide for the best router options before you decide to upgrade .

The extortion attempt Attack.Ransom took place on January 11 , the first day some Lloyds Bank customers experienced short-lived problems with accessing their online banking portals . Customers continued to report brief outages in the following two days . On the third day , on Friday , January 13 , Bleeping Computer received two separate tips , via email and Twitter , from two hackers that appeared to know each other . Hacker # 1 sent Bleeping Computer a link to a PasteBin page that contained a copy of an email the group allegedly sent to a high-ranking Lloyds Bank manager . The email , pictured below , contained a ransom demand Attack.Ransom disguised as a `` consultancy fee '' the group was asking Attack.Ransom to reveal Vulnerability-related.DiscoverVulnerability `` security issues '' that affected Vulnerability-related.DiscoverVulnerability Lloyd Bank 's online banking portals . The hackers were asking for Attack.Ransom 100 Bitcoin ( £75,000 / $ 94,000 ) . `` Once paid , the services will be back online , you will get a list of flaws related to both services , along with our disappearance , '' the email reads . A second hacker reached out via Twitter a few hours later and was surprised to find out that his colleague already shared the PasteBin link , confirming they knew each other . Hacker # 2 proceeded to provide a demo that allegedly showed they were behind the Lloyds Bank outages . The demo was specific with how hackers demonstrate they are behind DDoS attacks . Hacker # 2 asked your reporter and other journalists to access Lloyds Bank online portals before his attack , to prove the service was running , and during his attack , to show that he was the one causing the issues .

An alarming number of Android VPNs are providing a decidedly false sense of security to users , especially those living in areas where communication is censored or technology is crucial to the privacy and physical security . A study published recently identified a number of shortcomings common to high percentages of 238 mobile VPN apps analyzed by a handful of researchers . Users downloading and installing these apps expecting secure communication and connections to private networks are instead using apps that lack encryption , are infected with malware , intercept TLS traffic , track user activity , and manipulate HTTP traffic . “ Our experiments reveal Vulnerability-related.DiscoverVulnerability several instances of VPN apps that expose users to serious privacy and security vulnerabilities , such as use of insecure VPN tunneling protocols , as well as IPv6 and DNS traffic leakage , ” said researchers Muhammad Ikram , Narseo Vallina-Rodriguez , Suranga Seneviratne , Mohamed Ali Kaafar and Vern Paxson , representing Australia ’ s Commonwealth Scientific and Industrial Research Organization ( AU-CSIRO ) , the University of South Wales , and the International Computer Science Institute at the University of California at Berkeley . Their findings and methodology can be found in a paper : “ An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps ” . “ We also report on a number of apps actively performing TLS interception . Of particular concern are instances of apps that inject JavaScript programs for tracking , advertising , and for redirecting e-commerce traffic to external partners , ” they said . The researchers identified Vulnerability-related.DiscoverVulnerability a core weakness commonly abused in many of the apps called the BIND_VPN_SERVICE , native platform support for VPN clients introduced by Google in 2011 in Android 4.0 . BIND_VPN_SERVICE is used by developers in the creation of clients to intercept , manipulate and forward traffic to a remote proxy or VPN server , or to implement proxies in localhost , the researchers said . It ’ s a powerful Android service that can be easily abused , depending on intent . The paper describes how the Android VPN API exposes a network interface to a requesting app and routes traffic from a phone or tablet to the requesting app . Developers must declare access to the BIND_VPN_SERVICE in the AndroidManifest file , but to only one app at a time . The potential for abuse is high any time traffic is re-routed ; Android counters this with two warnings informing the user that a virtual network interface has been created and remains active .