Steve's Views

July, 2022:

VPNs, safe and unsafe use

I’m following a security investigator (Brian Krebs) who is one of the very top ones in the biz. He recently posted an article on VPN services and one in particular named 911. It occurred to me that others might not realize the liability these VPN services pose and who might be behind them, and you might want to warn your loved ones in turn. A comment and definition on VPNs and some additional warnings and workarounds by me at the bottom.

Brian Krebs wraps up his article with these words (link below):

Beware of “free” or super low-cost VPN services. Proper VPN services are not cheap to operate, so the revenue for the service has to come from somewhere. And there are countless “free” VPN services that are anything but, as we’ve seen with 911.

In general, the rule of thumb for transacting online is that if you’re not the paying customer, then you and/or your devices are probably the product that’s being sold to others. Many free VPN services will enlist users as VPN nodes for others to use, and some even offset costs by collecting and reselling data from their users.

All VPN providers claim to prioritize the privacy of their users, but many then go on to collect and store all manner of personal and financial data from those customers. Others are fairly opaque about their data collection and retention policies.

krebsonsecurity.com/2022/07/a-deep-dive-into-the-residential-proxy-service-911/

My comments, examples and workarounds on the security of VPNs

A Virtual Private Network (VPN) is the name given to a design which allows traffic to travel between two network points and be encrypted.

By encrypting the content between the connection points, the communication can travel “safely” between the two points. (I say “safely” because there are a number of details which make it safe or not.)

(And it is a moving target, because decrypting encrypted communication keeps getting better as computers get faster and holes in encryption methods are found.)

It is all in the design. How is it designed? There are many, many encryption methods; few are actually considered secure.

It is an everyday thing whereby someone is delivering something they claim to be completely secure and they express how they go out of their way to be secure. 

Then you (a cryptologist) look into the implementation of some encryption method and discover that what they are using is out of date, or maybe never even was secure. 

Typically the “secure” tunnel is between your device and the service provider, and then they establish another connection between them and the other party. Meanwhile, in the middle, they hold the communication entirely without encryption, to do or not do with it whatever they decide.

To be secure, the minimum requirement is that the tunnel runs between the two end points and stays encrypted when passing through the service provider. For example, between my cell phone and yours. There is NO valid reason for it to be anything else; anything else would be considered at best a poor design, at worst incompetent or with criminal intent.

Then we come to the use of a VPN: how is it being used?

Let’s say you have an office or home office, and you are on the road and like to be able to access your data at the office. You get a VPN service or some set up whereby you now have a VPN in place.

You leave on your trip and as you arrive at some location you now want to safely reach your data at the office. (In this example we are going to go with you having an actual secure connection.) 

If either device on either end also has internet access, for browsing in particular, or is a cell phone where you have installed various handy apps, and any one of those apps or locations you browse is hacked or includes malware (code with evil intent), the perpetrator will now have a nice and secure connection into your home office.

In other words, if your remote device is hacked – then you are allowing hackers through the VPN into your office network with the same access as you have. (And there are many ways of increasing access to administrator once someone has any user access.)

The safest approach to using the internet is to be OK with the idea that anything you put on it might end up available to all. (Including the ramifications if that happens.)

If you were to check applications you will find that they commonly ask for permissions far beyond what they need. I never install those.

For example, a calculator that wants access to your contacts! Or your network. What valid reason would a calculator have for accessing those?
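The calculator check above can be automated. The following is an added example, not part of the original post: it reads an Android manifest that has already been decoded to text (for instance with apktool) and lists every requested permission that falls outside what that kind of app should need. The sample manifest, the EXPECTED baseline and the SENSITIVE list are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed baseline (not from the post): what each kind of app plausibly needs.
EXPECTED = {
    "calculator": set(),
    "messenger": {"android.permission.INTERNET",
                  "android.permission.READ_CONTACTS"},
}

# Permissions that expose personal data, sensors or the network.
SENSITIVE = {
    "android.permission.READ_CONTACTS", "android.permission.INTERNET",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
}

# Constructed sample: a "calculator" that asks for contacts and network access.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.calculator">
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Calculator"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the set of permission names the manifest declares."""
    root = ET.fromstring(manifest_xml.strip())
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    return perms

def audit(manifest_xml, app_kind):
    """Split permissions beyond the baseline into sensitive and other."""
    excess = requested_permissions(manifest_xml) - EXPECTED[app_kind]
    return {"sensitive": sorted(excess & SENSITIVE),
            "other": sorted(excess - SENSITIVE)}

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, "calculator")
    for level, perms in report.items():
        for perm in perms:
            print(f"{level:9} {perm}")
```

Anything listed under "sensitive" for an app whose job does not call for it is the signal to skip the install.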

Who puts a bunch of effort into designing, writing and releasing a program with no exchange? Many programmers do, from just being helpful and liking that others are using their creation. But also, much criminal intent can be traced to using the Free model to spread malware.

(Stranger – Danger!)

What is more convenient, the feature the app provides or getting dragged into some criminal activity unwittingly, or discovering you owe a ton of money for a bank loan you never took? These are real ramifications, at best a bunch of wasted time and effort to sort out.

Hackers learn from what other hackers have done and are getting more and more sophisticated, so much so that anyone from a teenager in his room to organized crime to country espionage is thriving. Mostly because people are ignorant about security and have low confront and misunderstoods of course.

For example Chinese law Requires Chinese to spy for them if asked…

Russian law enforcement have an unwritten rule not to go after Russian hackers as long as they don’t attack Russians… (One way they determine if you are Russian is by looking to see what languages your computer supports.)

If you find an app that looks to be the cat’s meow then do some research, not just on how many are using it, as that has nothing really to do with how secure it is, but search the terms [name of app] and the words “security issue”.

That will generally tell a big tale. While you do so, observe who is saying they are good or bad; many reviews come from single posters who never post anywhere else because they are fake reviewers. Of course, look at the domain name to see where it comes from.

For example someone suggested I contact them on WhatsApp. It immediately revealed that:
1) security researchers recommended against it, and
2) it comes from Facebook,
3) WhatsApp out of the box wants your contact list.

Meanwhile Signal is an ideal option where it truly is safe encryption between the endpoints.

Our world has grown into a digital co-existing world, and there is a tremendous amount of attention placed on it by Every Imaginable Player with whatever intent.

— 
Steve