Tag Archive for: ExpressVPN

ExpressVPN removes India-based servers, says Centre’s rules ‘overreaching’



Virtual private network service provider ExpressVPN announced removal of all its India-based VPN servers, rejecting the directions given by the Indian Computer Emergency Response Team (CERT-In) and calling them “overreaching.”


In a statement, ExpressVPN said, “With a recent data law introduced in India requiring all VPN providers to store user information for at least five years, ExpressVPN has made the very straightforward decision to remove our India-based VPN servers.”


“Rest assured, our users will still be able to connect to VPN servers that will give them Indian IP addresses and allow them to access the as if they were located in India. These ‘virtual’ India servers will instead be physically located in Singapore and the UK,” the company added.


Calling the new rules “incompatible with the purpose of VPNs,” the company said, “ExpressVPN refuses to participate in the Indian government’s attempts to limit freedom.”


“As a company focused on protecting privacy and freedom of expression online, we will continue to fight to keep users connected to the open and free with privacy and security, no matter where they are located.”


CERT-In’s new directions, issued in late April, said that service providers will have to store the names and IP addresses of their users, along with usage patterns and other data.


The government’s new rule met widespread criticism from most major VPN firms. Netherlands-based Surfshark also said that it was exploring the possibility of legally challenging the directions.


Reacting to the criticism, MoS IT said that if VPN service providers do not want to follow the new directions, they are “free to leave India.”


In late May, Chandrasekhar said that the new directions would have no impact on business viability.


“There can be both good and bad work happening through the Internet. Safe and trusted platform we have come up with cyber security regulations. The only restriction is that VPN is misused for criminal activities, VPN operators will have to cooperate and produce the data of the person committing the…


ExpressVPN stands behind CIO named in UAE hacking scandal


ExpressVPN said it plans to stand by its CIO after Daniel Gericke was named by the U.S. Department of Justice as one of three people who were fined for allegedly providing “hacking-related services” to the government of the United Arab Emirates.

In an announcement earlier this week, the DOJ said that Gericke, 40, Marc Baier, 49, and Ryan Adams, 34, would be paying out fines adding up to $1.68 million in a deferred prosecution agreement (DPA) that settles charges related to their work for an unnamed company that contracted with the UAE government to provide state-sponsored hacking services.

According to the DOJ’s complaint, the trio and their company had contracted with the UAE government between 2015 and 2019 to break into accounts owned by targeted individuals and companies under the brand name “DarkMatter.”

According to the complaint, the accounts were from an unnamed vendor of smartphones and operating systems. Some of those targeted were U.S. citizens or companies based in the U.S.

“These services included the provision of support, direction and supervision in the creation of sophisticated ‘zero-click’ computer hacking and intelligence gathering systems — i.e., one that could compromise a device without any action by the target,” the DOJ said.

“[DarkMatter] employees whose activities were supervised by and known to the defendants thereafter leveraged these zero-click exploits to illegally obtain and use access credentials for online accounts issued by U.S. companies, and to obtain unauthorized access to computers, like mobile phones, around the world, including in the United States.”

As part of the deal, the three did not have to admit to any wrongdoing, but will have to pay the fines (Gericke’s share was $335,000) and agree to restrictions on “future activities and employment.”

We’ve known the key facts relating to Daniel’s employment history since before we hired him, as he disclosed them proactively and transparently with us from the start. In fact, it was his history and expertise that made him an invaluable hire for our mission to protect users’ privacy and security.
ExpressVPN, corporate statement

In Gericke’s case, those restrictions do not…


ExpressVPN CIO Helped United Arab Emirates Hack Into Phones, Computers


The chief information officer for ExpressVPN once helped the United Arab Emirates orchestrate a massive cyberspying campaign on computers across the globe.

According to the Justice Department, ExpressVPN CIO Daniel Gericke and two others worked as hackers for hire for the UAE to develop “zero-click” attacks capable of breaking into internet accounts and devices, including those in the US.  

All three formerly worked for the US intelligence community. However, by offering their hacking expertise to a foreign country from 2016 to 2019, the trio broke US export controls, which required them to obtain a license from the State Department to provide such services. Reuters originally reported on the hire-for-hacking scheme with the UAE, and said the spying ensnared iPhones and internet accounts belonging to activists, political rivals, and even Americans.  

The cyberspying naturally raises questions about the security around ExpressVPN. However, the VPN service is sticking with Gericke, who ceased his work with the UAE once he joined ExpressVPN in December 2019.  

“We’ve known the key facts relating to Daniel’s employment history since before we hired him, as he disclosed them proactively and transparently with us from the start,” ExpressVPN wrote in a blog post on Wednesday. “In fact, it was his history and expertise that made him an invaluable hire for our mission to protect users’ privacy and security.”

Despite breaking US laws with the hacking, the Justice Department is refraining from charging Gericke with a crime. Instead, he’s entered into an agreement that forbids him from ever again conducting “computer network exploitation” operations on behalf of an employer. He also agreed to pay a $335,000 fine.

ExpressVPN adds that it constantly vets its VPN service for security. “Of course, we do not rely on trust in our employees alone to protect our users,” it wrote in Wednesday’s blog post. “We have robust systems and security controls in place in all our systems or products. We also engage and provide significant access to many independent third parties to conduct audits, security assessments, and penetration tests on our systems and…
