Update: Actually, Hola’s security issues aren’t even worse than feared

further research reveals holas security issues are even worse than feared vpnheader
Update 6/3/2015 1:23 PM: Hola has informed us that Vectra’s claims have been partially retracted by the security firm. Vectra has clarified that Hola is not a botnet, but rather can be used to enable a botnet. Further, it appears that attack samples cited earlier only indicate attempted attacks against Hola users, not attacks proven to be successful.

As a result of these changes, Vectra has rescinded its broad recommendation that users uninstall Hola. Instead, the firm says “we highly encourage organizations to determine if Hola is active in their network and decide whether the risks highlighted in this blog are acceptable.” You can read the full post detailing those risks here.

Original text: Last week the free VPN service Hola Unblocker was revealed by security researchers to be acting as a botnet and selling its free users’ bandwidth through a premium service called Luminati. The security concerns meant someone could possibly gain control of your computer or carry out man-in-the-middle attacks.

A second team of researchers at cybersecurity firm Vectra has now published its own findings into the unblocking service, which it calls “both intriguing and troubling.”

According to Vectra, Hola not only acts like a botnet but has allegedly been designed to be able to carry out a “targeted, human-driven cyber attack on the network in which an [sic] Hola user’s machine resides.”

The researchers found that the VPN features a built-in console, or zconsole, that remains active even when the user is not currently browsing via Hola, allowing a malicious actor to list and kill any running process or open a socket to any “IP address, device, guid, alias or Windows name.” They could also install more software on the user’s computer without her knowing, says the report, and potentially bypass antivirus checks.

“These capabilities enable a competent attacker to accomplish almost anything,” says Vectra. “This shifts the discussion away from a leaky and unscrupulous anonymity network, and instead forces us to acknowledge the possibility that an attacker could easily use Hola as a platform to launch a targeted attack within any network containing the Hola software.”

Furthermore, Vectra analyzed the protocol used by Hola with the VirusTotal tool, which scans for malware. The researchers found five different malware samples that had existed on Hola before the recent news broke. “Unsurprisingly, this means that bad guys had realized the potential of Hola before the recent flurry of public reports by the good guys,” they wrote.

In response to the initial report from Adios, Hola!, who made the botnet claims against the VPN, Hola’s CEO Ofer Vilenski said on Monday that the company had patched two vulnerabilities identified in the report and that a vulnerability “has happened to everyone.”

Adios, Hola in its own reply said that it had in fact identified six vulnerabilities, not two, and rejected the claim that mistakes can happen. “As we have pointed out from the start, the security issues with Hola are of such a magnitude that it cannot be attributed to ‘oversight’; rather, it’s straight-out negligence,” they said. “They are not comparable to the others mentioned – they are much worse.”

The researchers have called for greater transparency from the Israeli company on its security issues. Vilenski added that Hola will launch a bug bounty program soon to identify any more vulnerabilities in the software.

Both Adios, Hola and Vectra are urging users to uninstall the program immediately. The plug-in or add-on has roughly 46 million users globally. Users of the service can route their traffic through other Hola users’ computers. The service is popular with people looking to access streaming sites like Netflix from countries where it has yet to launch.


Own an Asus computer? Malware might be hiding in your system

If you own an Asus computer, your system might have been infected by malware distributed from the tool you typically use to update the BIOS and install other security patches, according to a new report by cybersecurity firm Kaspersky Lab.

Worried about your online privacy? We tested the best VPN services

Browsing the web can be less secure than most users would hope. If that concerns you, a virtual private network — aka a VPN — is a decent solution. Check out a few of the best VPN services on the market.

HMD Global admits Nokia 7 Plus handsets sent user data to China

Nokia could be in some hot water. According to recent reports, Nokia 7 models may be secretly sending data to China without the user knowing about it. Nokia says that the issue was a software bug and that it has been fixed.

Browse safely and securely with Opera’s unlimited VPN on Android

Opera has added a new VPN to its Android browser, offering an easy way to keep your privacy and data locked up solid, and with no limits on usage or cost, you can keep it on all the time.

Is it worth spending more for the Surface Pro, or is the Surface Go good enough?

The Surface Go vs. Surface Pro — which is better? While the higher price tag of one might make you think it's an easy choice, a deeper dive into what each offers makes it a closer race than you might assume.

Amazon sale knocks $200 off the price of 13-inch MacBook Pro with Touch Bar

If you always wanted to buy a MacBook Pro but found it a bit too expensive, now is your chance to save. A base version of the 13-inch MacBook Pro with Touch Bar is currently on sale at Amazon for $1,600.

Hands-on with Microsoft Chromium Edge: A first look at the early release

We installed a preview of Edge Chromium, and there's now a lot that makes it feel Chrome, but there are also some similarities to the old Edge. So, is the new Chromium Edge the best browser ever? Here's a hands-on look.

Apple’s 4K 21.5-inch iMac is now $200 off if you pre-order it

Apple's new iMacs are now available and if you pre-order one from B&H you can get the midrange version for $200. That's a near 20-percent saving on one of the most competitive configurations.
Emerging Tech

Microsoft’s latest breakthrough could make DNA-based data centers possible

Could tomorrow's data centers possibly store information in the form of synthetic DNA? Researchers from Microsoft have successfully encoded the word "hello" into DNA and then back again.

The new Windows 10 File Explorer could look like this in 2020

Microsoft may update Windows 10's File Explorer to adopt Fluent Design principles in an upcoming 2020 update. A report suggests that we'll get our first glimpse at the new-look explorer in upcoming Windows Insider builds.

DisplayPort and HDMI both connect to screens, but here's how they're different

HDMI and DisplayPort are two of the most popular connectors for hooking up consoles, gaming PCs, TVs, and monitors, but which is best? To find out, we pitted HDMI vs. DisplayPort and compared their best and worst features.

Get a new 2018 Apple MacBook Air for $1,000 with Amazon’s latest sale

Online retailer Amazon is currently running a discount on select models of the MacBook Air 2018. You can bring one home starting at $1,000, a full $200 off the usual selling price.

In 2019, laptops are better than ever. Here are the best of the best

The best laptop should be one that checks all the boxes: Great battery life, beautiful design, and top-notch performance. Our picks for the best laptops you can buy do all that — and throw in some extra features while they're at it.

From hot rods to budget sleepers, our favorite desktops can handle anything

Are laptops overrated? Experience the power offered by the best desktop computers on the market today, whether you're in need of a budget solution or a fire-breathing, $4,000 premium gaming rig.