PIA

Raymond House raymondh40 at gmail.com
Tue Dec 1 17:12:04 UTC 2015


I got the same e-mail from PIA but nothing on how to update for Linux
users! ??

On Tue, Dec 1, 2015 at 12:04 PM, CrankyOldBugger <crankyoldbugger at gmail.com>
wrote:

> Yes, I would assume so.
>
> Here's the email I got from PIA:
>
> Dear Valued Customer,
>
> On November 17, we were privately notified of an IP address leak
> vulnerability affecting the port forwarding feature of our service.
> Essentially, anyone connecting to a forwarded port on any of our VPN
> gateways could have their real IP address leaked to an attacker
> specifically targeting a PIA user.
>
> Within 12 hours of the initial report, we developed and tested what we
> thought was a complete fix, and deployed it to all of our VPN gateways.
>
> On November 26, the researchers who discovered the vulnerability made it
> public and we quickly noticed that our service was still vulnerable to the
> IP address leak in certain cases, despite our initial fix. After further
> investigation, we also realized there was a separate but related issue on
> our desktop client. To fix this issue we are releasing updated VPN apps to
> prevent any leaks. We released v.52 on November 27.
>
> Protecting your privacy is our top priority and although exploiting this
> vulnerability is difficult and requires an attacker to specifically target
> you, we feel like we let you down with our initial response. Please accept
> our apologies, we are sorry.
>
> We highly recommend users update to v.52 (or later) of the client. To
> ensure all of our beloved users remain protected, we have pushed an update
> to existing clients. Please update immediately from the application or
> visit one of the following links:
>
> Windows:
> https://www.privateinternetaccess.com/installer/download_installer_win
>
> Mac:
> https://www.privateinternetaccess.com/installer/download_installer_osx
>
> Technical Facts:
>
> The vulnerability relies on the fact that a direct route exists between
> the VPN client and server. If the client accesses a forwarded port on the
> VPN server that is maliciously set up by an attacker, the client will use
> the direct route using the user's default route, bypassing the VPN
> entirely.
>
> Our initial fix was to block VPN clients from accessing forwarded ports on
> the same server at the VPN gateway firewall level, but we soon discovered a
> flaw in our desktop clients that made the fix incomplete. When the client
> disconnected, the direct route to the VPN gateway was not removed, thereby
> making users vulnerable even after they disconnected from the VPN.
> Beginning with v.52, we remove these "lingering" direct routes to the VPN
> gateway at disconnect time.
>
> Note: If you are connecting to our service with a native OpenVPN client,
> or PIA's Android or iOS apps, you do not need a client-side fix.
>
>
>
>
> Sincerely,
> Private Internet Access Team
> Subsidiary of London Trust Media Inc.
>
>
>
>
> On Tue, 1 Dec 2015 at 11:59 LP <linuxpusher2 at gmail.com> wrote:
>
>> Raymond said: "Hi all, PIA advises us that there was an IP address
>> vulnerability"
>> Was this part of the pop up update I received yesterday?
>> Thanks
>>
>>
>>
>> On 1 December 2015 at 09:51, Raymond House <raymondh40 at gmail.com> wrote:
>>
>>> OK Daniel and Cranky, thanks for your inputs. I do have the little green
>>> guy at the top but on an earlier version it did not work that way and yes I
>>> installed PIA the same way, Cranky. On that earlier version I had to go
>>> through the manager to get it working. Anyway, I am doing all my searching
>>> now through "Framabee" and I will not resubscribe to PIA. Thanks.
>>>
>>> On Tue, Dec 1, 2015 at 8:36 AM, CrankyOldBugger <
>>> crankyoldbugger at gmail.com> wrote:
>>>
>>>> As I understand it, and I recommend that you get a second opinion, if
>>>> you have the little green man icon at the top then you're using the PIA
>>>> client, but if you connect by going through the Network Manager icon, then
>>>> selecting from the VPN list, that this is the OpenVPN client.
>>>>
>>>> The little green man part I'm sure of, the NM/VPN/OpenVPN part I'm 50%
>>>> sure.  So check that.
>>>>
>>>> I'm assuming that you installed your Linux client the same way I did,
>>>> by following
>>>> https://www.privateinternetaccess.com/pages/client-support/ubuntu-openvpn.
>>>> At some point in that process it does seem to want to install OpenVPN, so
>>>> we could be good to go, but I would investigate that further.
>>>>
>>>> I updated my little green man on my Windows machines, I haven't seen an
>>>> update for Linux yet.
>>>>
>>>> Still, PIA was possibly the first to offer a fix for this security
>>>> issue (even though the first fix didn't work), then they followed up with a
>>>> very explanatory letter saying that they were wrong and that we should do
>>>> Fix #2.  That gives me some comfort knowing that they're on the ball.
>>>>
>>>>
>>>> On Tue, 1 Dec 2015 at 05:06 Raymond House <raymondh40 at gmail.com> wrote:
>>>>
>>>>> Hi all, PIA advises us that there was an IP address vulnerability but
>>>>> at the end of the explanation they note that if we are connecting to their
>>>>> service with a native OpenVPN client there is no client side fix
>>>>> required. How do I know if I'm connecting with a native OpenVPN client? Not
>>>>> sure what that means. Can anyone clear this up for me, thanks.
>>>>> --
>>>>> ubuntu-ca mailing list
>>>>> ubuntu-ca at lists.ubuntu.com
>>>>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-ca
>
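
The "lingering" direct route described in the quoted PIA notice can be checked for from the routing table. The script below is an added example, not part of the thread and not PIA's code: it classifies host routes to a VPN gateway in `ip -4 route show` text. The gateway address, interface names and all three sample tables are constructed for illustration.

```bash
#!/bin/sh
# Added example (not PIA's code): classify direct routes to a VPN gateway
# from `ip -4 route show` text. GATEWAY and all tables below are constructed.
GATEWAY=203.0.113.10   # assumed gateway address (documentation range)

CONNECTED='0.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0'

# Disconnect that left the gateway host route behind (the pre-v.52 behaviour).
LINGERING='default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0'

CLEAN='default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'

# direct_routes GATEWAY < table: host routes to GATEWAY via a non-tunnel device
direct_routes() {
  awk -v gw="$1" '$1 == gw || $1 == (gw "/32") {
    dev = ""
    for (i = 2; i < NF; i++) if ($i == "dev") dev = $(i + 1)
    if (dev !~ /^(tun|tap)/) print
  }'
}

# vpn_is_up < table: succeeds when any route leaves through a tun/tap device
vpn_is_up() {
  awk '{ for (i = 1; i < NF; i++) if ($i == "dev" && $(i + 1) ~ /^(tun|tap)/) up = 1 }
       END { exit !up }'
}

# check_routes GATEWAY TABLE: prints clean, expected or lingering
check_routes() {
  if [ -z "$(printf '%s\n' "$2" | direct_routes "$1")" ]; then
    echo clean
  elif printf '%s\n' "$2" | vpn_is_up; then
    echo expected      # OpenVPN pins the gateway to the physical link while up
  else
    echo lingering     # VPN is down but the direct route is still installed
  fi
}

echo "connected: $(check_routes "$GATEWAY" "$CONNECTED")"
echo "buggy disconnect: $(check_routes "$GATEWAY" "$LINGERING")"
echo "clean disconnect: $(check_routes "$GATEWAY" "$CLEAN")"
```

On a live host, pass the real gateway address and `"$(ip -4 route show)"` as the table; a `lingering` result after disconnecting means the host route to the gateway was not removed.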