Should We Worry That Hola Is Being Used For DDOS Attacks?
The Hola VPN's secure, anonymous browsing platform can be used for countless privacy breaches - but are peer-to-peer networks truly to blame?
Between all the web security breaches and <a href=http://www.escapistmagazine.com/news/view/139370-Edward-Snowden-PBS-Interview-Nova-Cyber-Warfare>NSA data-collecting happening these days, it's no wonder some users have turned to services like Hola or Tor. These clients were designed around anonymity and security, redirecting web traffic to conceal the location and IP addresses of users while protecting confidential information. That didn't sound bad for the privacy-minded, at least until Hola was confirmed as the source of a <a href=http://www.escapistmagazine.com/tag/view/ddos>DDOS attack on 8chan. This was followed by a report by the research group Adios, which outlined several security flaws within Hola that allowed its users initiate DDOS attacks. The report - which was promoted across 8chan - called for its users to uninstall the service since it posed too great a risk.
Okay. Let's break this down a bit.
First of all, we need to look at how Hola operates. The key issues revolve around Hola's peer-to-peer network. Once you're connected to Hola, the client routes all internet traffic through the IP addresses of other users before it reaches your local device. This process helps you maintain anonymity (since no one online sees your actual IP address) while accessing geographically region-locked websites (if there are IP addresses within the region).
From there, we can look at Hola's security concerns - and in fairness there are several. Adios' report correctly outlines that Hola's code allows for remote code execution and client-enabled tracking, something a secure VPN shouldn't allow. What's more, Hola's service was actually used to initiate a DDOS attack: The company sells network access through its Luminati offshoot, giving anyone access to an "almost unlimited number of real IPs" that can be used for DDOS and sending spam emails. These are issues that must be corrected - and in fact, Hola recently updated its client to address many of the stated problems.
But the report goes a step further by saying Hola's entire peer-to-peer network poses a major security risk - and uses child pornography to make its point. In its most dramatic example of why Hola is terrible, Adios states that if someone downloads child pornography through the client, your unaffiliated IP address might be the one which routes it. So while you're using Hola to support a "secure" internet, the police might instead show up at your door with some very telling questions about your browsing habits.
To be clear, these are all valid concerns - even the child pornography example, which could be cleared up easily with a standard computer search. (Nobody wants to be falsely accused of downloading child porn while police tear through their personal data.) But blame peer-to-peer networks on principle? Hola isn't risky because it's P2P; it's risky because it's not secure - and to be honest, that probably wasn't intentional on Hola's part.
It's worth remembering that in 2015, we use P2P networks all the freaking time. Do you play World of Warcraft? That download client routes your update through public IP addresses. Do you make calls on Skype? <a href=https://support.skype.com/en/faq/fa10983/what-are-p2p-communications>It uses a similar system to manage your calls. These aren't the days where questionable file-sharing applications like Kazaa come bundled with malware - everyone from Spotify to the <a href=https://groups.google.com/forum/#!topic/alt.politics.bush/Ne84rjhb6e0>US Department of Defense dabbles in peer-to-peer.
To be clear, there are absolutely legitimate concerns when securing P2P networks. But let's not act like Hola is alone with that problem - it's just the client that happens to have bigger security holes than most.
Source: Ars Technica
Permalink
Between all the web security breaches and <a href=http://www.escapistmagazine.com/news/view/139370-Edward-Snowden-PBS-Interview-Nova-Cyber-Warfare>NSA data-collecting happening these days, it's no wonder some users have turned to services like Hola or Tor. These clients were designed around anonymity and security, redirecting web traffic to conceal the location and IP addresses of users while protecting confidential information. That didn't sound bad for the privacy-minded, at least until Hola was confirmed as the source of a <a href=http://www.escapistmagazine.com/tag/view/ddos>DDOS attack on 8chan. This was followed by a report by the research group Adios, which outlined several security flaws within Hola that allowed its users initiate DDOS attacks. The report - which was promoted across 8chan - called for its users to uninstall the service since it posed too great a risk.
Okay. Let's break this down a bit.
First of all, we need to look at how Hola operates. The key issues revolve around Hola's peer-to-peer network. Once you're connected to Hola, the client routes all internet traffic through the IP addresses of other users before it reaches your local device. This process helps you maintain anonymity (since no one online sees your actual IP address) while accessing geographically region-locked websites (if there are IP addresses within the region).
From there, we can look at Hola's security concerns - and in fairness there are several. Adios' report correctly outlines that Hola's code allows for remote code execution and client-enabled tracking, something a secure VPN shouldn't allow. What's more, Hola's service was actually used to initiate a DDOS attack: The company sells network access through its Luminati offshoot, giving anyone access to an "almost unlimited number of real IPs" that can be used for DDOS and sending spam emails. These are issues that must be corrected - and in fact, Hola recently updated its client to address many of the stated problems.
But the report goes a step further by saying Hola's entire peer-to-peer network poses a major security risk - and uses child pornography to make its point. In its most dramatic example of why Hola is terrible, Adios states that if someone downloads child pornography through the client, your unaffiliated IP address might be the one which routes it. So while you're using Hola to support a "secure" internet, the police might instead show up at your door with some very telling questions about your browsing habits.
To be clear, these are all valid concerns - even the child pornography example, which could be cleared up easily with a standard computer search. (Nobody wants to be falsely accused of downloading child porn while police tear through their personal data.) But blame peer-to-peer networks on principle? Hola isn't risky because it's P2P; it's risky because it's not secure - and to be honest, that probably wasn't intentional on Hola's part.
It's worth remembering that in 2015, we use P2P networks all the freaking time. Do you play World of Warcraft? That download client routes your update through public IP addresses. Do you make calls on Skype? <a href=https://support.skype.com/en/faq/fa10983/what-are-p2p-communications>It uses a similar system to manage your calls. These aren't the days where questionable file-sharing applications like Kazaa come bundled with malware - everyone from Spotify to the <a href=https://groups.google.com/forum/#!topic/alt.politics.bush/Ne84rjhb6e0>US Department of Defense dabbles in peer-to-peer.
To be clear, there are absolutely legitimate concerns when securing P2P networks. But let's not act like Hola is alone with that problem - it's just the client that happens to have bigger security holes than most.
Source: Ars Technica
Permalink
