A Virtual Private Network (VPN) is basically a piece of software that tunnels your internet traffic from your device to a VPN server, then out to the internet. VPNs encrypt your data and prevent your Internet Service Provider [ISP] (and others) both from reading that data and from seeing where it goes onto the internet. The only thing the ISP knows is that encrypted traffic moved from your device to the VPN server. In short, you connect to your VPN, tell it the place or places you wish to go on the internet, and once it connects you to your desired destination it encrypts whatever information is exchanged between your device and the destination. As a practical example, say you wish to log into your social media account. You connect to the VPN. Then you type in the URL (website address) of your social media site (say, Pinterest.com). The VPN service creates an encrypted tunnel through which your data is transported. This way, once you reach Pinterest’s login page, your username and password are encrypted from end-to-end.
There are two primary benefits of using a VPN. The first is that your traffic is encrypted throughout your internet experience for as long as it can be. This reduces the chances that your data can be stolen through various packet-sniffing or Man in the Middle attacks, which are often used at public WiFi hubs. There are a lot of ways hackers conduct these attacks that are beyond the scope here, but you can see a summary of many examples here. The second benefit of using a VPN is that it hides your IP address from your destinations and your destination addresses from your ISP. IP address-sourcing can be used in many ways, some nefarious and some less so. Some governments, for example, blacklist sites that provide news about certain topics or are critical of government officials. This prevents users with IP addresses from within those countries from accessing these sites. Through this method, the government can prevent activists from using popular social media sites to broadcast their issues. VPNs also allow you to access services when in specific places where those services are blocked for other reasons. Most VPNs maintain servers around the world enabling your web traffic to appear to come from any country where the VPN hosts a server. Obscuring your IP through a VPN also limits how websites can track you, whether for commercial or insidious purposes.
VPNs, like all software, do not offer 100% privacy or safety. While VPNs shield the history of your web traffic from your ISP, many companies that host VPNs themselves track that information. Others claim that they do not maintain logs of their users. For users where this is critically important, such as activists in authoritarian countries, careful consideration should be paid to the VPN services they use. The types of logs kept may include usage of the VPN itself, such as the times you are connected, the device you connect from, data usage, or the IP address from which you connect. VPN providers might also keep traffic logs. Traffic logs may include browser history, files downloaded, message content, purchases or other internet activity. If a VPN service keeps these records, you can bet that governments or other entities might be able to access those logs through subpoenas or other processes. For those where anonymity is potentially life-saving, it is not enough to rely on VPN services’ claims about whether they keep logs.
In addition to potential tracking by VPN providers themselves, VPN software contains its own vulnerabilities, meaning it too can be hacked. One example is the Pulse Secure VPN hack. Pulse Secure VPN was used by many US government agencies and defense firms. In a vulnerability rated 10 out of 10 for severity, attackers found an authentication bypass allowing them to perform file execution through the Pulse Secure Gateway. This enabled them to take control of the network operating vulnerable devices. In another VPN compromise, attackers retrieved 10 GB worth of data including login credentials and other personal information about users of several freely available VPNs. The attack vector here appears to have been the companies’ databases, where user IP addresses, email addresses, country of origin, usernames and other personal information were stored. In this case, the VPNs at issue were free, not especially well-designed, and kept a great deal of user information. But even highly regarded VPNs suffer breaches from time to time. NordVPN, for instance, suffered a breach in 2018 when an attacker somehow acquired access to Nord’s server and thereby managed to obtain its private key. This gave the attacker access to traffic passing through the server, and the ability to decrypt (and therefore view) the traffic. The lesson here is that if anonymity is crucial to your safety, relying solely on a VPN is not enough.
Choosing a VPN requires a little bit of research, but as the saying goes, “you get what you pay for.” Free VPN services often use inferior protocols, store far more of your personal information than you would likely prefer (which, by selling it, is how they make money off of their “free” service), and don’t keep up with security on their server side. There are many factors that go into choosing a VPN, starting with what your goal actually is. When reviewing various VPN service providers, a key factor should be to determine what data is kept about you and your usage (insofar as that is possible). Does the service keep usage or traffic logs, or both? What other information does it keep? Does the jurisdiction in which it operates require retaining specific information? Next, what protocol does the VPN use? Currently popular protocols include IKEv2, OpenVPN, L2TP/IPSec, WireGuard, and SSTP. Some still use PPTP, but that protocol is outdated and weak. Make sure to take a look at the history of the VPN. Have there been breaches in the past? Were those breaches based on poor security or other reasons the VPN should have preemptively addressed? Did the VPN provider make efforts to mitigate the damage and take steps to prevent future breaches? The National Institute of Standards and Technology keeps a database of known vulnerabilities. It provides a lot of detail about the methodology of attacks, the effects, and mitigation efforts needed to prevent further damage or compromise. You can search it for breaches related to VPNs, along with just about any other kind of software platform. See the database here.
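The database search described above can also be scripted. This added example (not from the original article) builds a keyword query for NIST's public CVE API and ranks the returned records by CVSS base score, keeping records that have no score yet. The search keyword, the sample records and their placeholder IDs are constructed for illustration.

```python
from urllib.parse import quote, urlencode

NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"

def build_query(keyword, severity=None):
    """Build an NVD CVE API 2.0 keyword-search URL."""
    params = {"keywordSearch": keyword}
    if severity:
        params["cvssV3Severity"] = severity  # LOW, MEDIUM, HIGH or CRITICAL
    return NVD_API + "?" + urlencode(params, quote_via=quote)

def best_score(cve):
    """Base score from the newest CVSS version present, or None if unscored."""
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        if metrics.get(key):
            return metrics[key][0]["cvssData"]["baseScore"]
    return None

def summarize(response, min_score=7.0):
    """Return (id, score, description) rows at or above min_score, worst first."""
    scored, unscored = [], []
    for item in response.get("vulnerabilities", []):
        cve = item["cve"]
        text = next((d["value"] for d in cve.get("descriptions", [])
                     if d.get("lang") == "en"), "")
        score = best_score(cve)
        if score is None:  # not yet analysed: keep it, unscored is not "safe"
            unscored.append((cve["id"], None, text))
        elif score >= min_score:
            scored.append((cve["id"], score, text))
    return sorted(scored, key=lambda r: r[1], reverse=True) + unscored

def _rec(cve_id, text, metrics):  # wrap constructed values in the API record shape
    return {"cve": {"id": cve_id, "metrics": metrics,
                    "descriptions": [{"lang": "en", "value": text}]}}

# Constructed sample response; the IDs and descriptions are placeholders.
SAMPLE = {"vulnerabilities": [
    _rec("CVE-0000-0001", "Example VPN client information leak",
         {"cvssMetricV31": [{"cvssData": {"baseScore": 5.3}}]}),
    _rec("CVE-0000-0002", "Example VPN gateway authentication bypass",
         {"cvssMetricV31": [{"cvssData": {"baseScore": 10.0}}]}),
    _rec("CVE-0000-0003", "Example VPN server flaw with a legacy score only",
         {"cvssMetricV2": [{"cvssData": {"baseScore": 7.5}}]}),
    _rec("CVE-0000-0004", "Example VPN issue awaiting analysis", {}),
]}

if __name__ == "__main__":
    print(build_query("vpn gateway", "CRITICAL"), summarize(SAMPLE), sep="\n")
```

To use it against live data, fetch the URL from `build_query` and pass the decoded JSON to `summarize`.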
VPNs provide a layer of security for users in the wild world that is the internet. Like all software, VPNs can be exploited and are not a perfect solution for anonymity or a fool-proof defense against attacks. Users should not ignore standard safety practices online simply by virtue of being connected to a VPN. Nevertheless, a good policy to incorporate when it comes to internet and device security is to apply a layered approach. When users can employ several measures at once, with overlapping capabilities, their security will inevitably be enhanced. VPNs are just one layer in this strategy.
***
I am a Certified Forensic Computer Examiner, Certified Crime Analyst, Certified Fraud Examiner, and Certified Financial Crimes Investigator with a Juris Doctor and a master’s degree in history. I spent 10 years working in the New York State Division of Criminal Justice as Senior Analyst and Investigator. Today, I teach Cybersecurity, Ethical Hacking, Digital Forensics, and Financial Crime Prevention and Investigation. I was a firefighter before I joined law enforcement and now I currently run a non-profit that uses mobile applications and other technologies to create Early Alert Systems for natural disasters for people living in remote or poor areas.