
5 Ways Your VPN Is Not as Private as You Think It Is

Virtual Private Networks are a vital element of your online security. While you may be confident in your home or work network security, there is no way to use public Wi-Fi safely without a VPN.

But setting up a VPN comes with a very important trust issue — that no one is able to find out what websites you’re accessing. This is as vital for keeping your bank details private as it is for concealing other personal online activity — and the nature of secure transactions and data encryption means that you cannot have one without the other.

However, not all VPNs are as secure as you might think. While they might offer a range of all-important, impressive-sounding security bells and whistles, the truth is that few of them — if any — offer a truly private experience. Here’s why.

1. Complete Anonymity Is a Lie

How much are you paying in VPN subscriptions? $100 a year? More? All for that guarantee that your privacy is being maintained — that you are anonymous online.


Well, we’ve got news for you. You’re not anonymous. While your VPN provider may well be promising that their service is anonymous, with no logging, there is no way that you can verify this. Indeed, it’s quite a leap of faith, under the circumstances.

“…you have absolutely no way to know for sure how safe a ‘No logs’ claim really is. Trusting your life to a no logs VPN service is like gambling with your life in Russian roulette.”


What is most important from a VPN provider — anonymity, or transparency? We reckon finding a VPN that you can trust trumps any fake notion of anonymity and the avoidance of keeping logs. The trick is finding a VPN that truly appreciates your anonymity and privacy, and we’re afraid that such networks are in very short supply.

2. Anonymity Does Not Equal Privacy

Some VPNs provide tools to control your privacy. Such features can be used to manage access to your personal data, but they don’t eradicate all data that can be used to identify you.

Even if you were to combine a VPN with Tor and encrypted messaging, you still would not be completely anonymous; all of these tools can be forced or subverted to track you, should you become a “Person of Interest” to the authorities. While the content of your activity would remain private, thanks to encryption, the fact that you were online, engaged in some form of exchange, would be recorded.

As Edward Snowden stated:

“…basic steps will encrypt your hardware and … your network communications [making] you…far, far more hardened than the average user – it becomes very difficult for any sort of a mass surveillance. You will still be vulnerable to targeted surveillance. If there is a warrant against you, if the NSA is after you, they are still going to get you.”

3. The “No Logging” Myth

VPNs vie for your attention and hard-earned cash by enticing you with the promise of not logging your activities. This “no logging” selling point is hugely attractive, but it is, sadly, a myth, even among our selection of the best VPN services.

Let’s set this straight now: you cannot run a server without logs. Without logs, a VPN provider would be unable to handle DNS requests, prevent abuse, troubleshoot connections, or limit VPN accounts based on the subscription type you’ve chosen, such as putting a cap on the amount of data you can use.

With many occurrences of VPNs advertising a “no logging” service subsequently handing data over to law enforcement agencies, it should be quite obvious that “no logging” either doesn’t mean what you think it does, or has become a de facto advertising term in the VPN sector that we should more or less ignore. Those VPNs that don’t require a sign-up and can only share the information that they collect? They’re low quality, unreliable services that often make browsing the web privately less fun than a dental operation.

Concerned about your VPN’s use of logs? Find a reference on their website that shows exactly what information they do retain, and use this to make a decision as to whether the service is for you. If the VPN doesn’t provide any information as to how they handle logging and what information is retained, it’s time to move on.

4. Check the Privacy Policy

Information about logging will typically be found on the VPN’s Privacy Policy page, but that’s not the only reason to check the policy. Very often, marketing information starkly conflicts with the minutiae.


In almost every case, your IP address, username, operating system, and times of connection and disconnection from the service are the very minimum that is collected by the VPN’s logging system. Doesn’t sound particularly anonymous, does it? So much information can be gleaned from this skeletal collection of facts.

5. Rented Cloud Servers Necessitate the Use of Logging

There are, it seems, two types of VPN: those that use their own servers, and those that rely on cloud solutions. As we’ve already seen, it is very difficult to run a server without using logs, and even tougher to run any subscription-based online account — if not impossible.


With the vast majority of VPN providers using third-party servers, it is virtually impossible for these services to run without logs being collected. While the VPNs themselves might not be creating logs, the servers they are renting do, by design of the hosting providers.

Here’s a great example: the EarthVPN customer who used the supposedly anonymous service to make a bomb threat. He was apprehended after Dutch police obtained a court order to seize the server from a third-party datacenter, where they found the person’s IP address logged (no doubt as part of the datacenter’s strategy to combat DDoS attacks).

The Surprising Shortcomings of VPNs

Whether you’re using a VPN to do some secure online shopping from the comfort of a comfy chair and latte in your local café, or attempting to avoid detection of your torrenting activity, the fact remains that no VPN service is as secure as you believe it is.

Image Credits: Undercover agents by Phovoir via Shutterstock, arka38 via Shutterstock.com, rawpixel.com via Shutterstock.com, Dmitry Kalinovsky via Shutterstock.com

This article originally appeared on Makeuseof

How to safely share passwords with others who need them

It’s easy to poke fun at companies that treat sensitive information recklessly, sending or receiving plaintext passwords via unencrypted email or chat, or storing customer information in ways that are far from secure. But it can be a logistical nightmare to let multiple remote employees log into a shared account in a secure fashion.

Luckily, there are a few options to make this a little easier. Here’s a quick run-through of some of the best options.

LastPass

Like most password managers, LastPass lets users log in with just one master password; the tool stores all of their other passwords. Among other things, this makes it easy to create long and complex passwords and to use a different password for each login account.

In addition, LastPass’ enterprise accounts will let you share login data between individuals and across teams, with customizable permissions. That means that you can choose who has access to which folders, and make changes that are synced automatically. Enterprise accounts cost anywhere from $18 to $24 a year per user, depending on the number of users.

It’s also possible for a Premium account holder to share password information in a single file with up to five other LastPass users, which could be useful for tiny startups, partnerships, or people needing to share passwords with friends or family members. Premium accounts cost $12 a year, and only the main account holder needs to have one.

Because LastPass is cloud-based, it makes things easier for people logging into multiple computers, but it has some drawbacks as well. For instance, you’ll be uploading your passwords—though not your master password—to the cloud, albeit in encrypted form.

In addition, “[a] third party service [like LastPass] will be able to see which sites you have an account on … not the password itself, but when you’re accessing each password,” says privacy and security researcher Runa Sandvik, technical advisor for Freedom of the Press Foundation.

KeePass and KeePassX

“Keepass and Keepass X may not be as pretty as all the other tools, but it is open source, it is free, and it works,” Sandvik says. This password manager is one you have on your computer, so no third party knows when you access different sites. However, you do need to make sure you’re backing up the database frequently. (Let’s just say that losing your database of passwords would be … bad.)

To share passwords with others, you need to create a database, enter the password, send the database to another person, and somehow securely send them the password to open the database. We’ll discuss that a little later.

OneLogin

OneLogin is another cloud-based option. OneLogin allows users to log into multiple cloud services using a single sign-on account. It can integrate with a company’s “active directory” of user accounts and permissions.

Another benefit is that OneLogin can integrate with a large variety of enterprise applications. Plans range from $2 to $8 a month; there’s a free version as well.

1Password 

1Password is a personal privacy manager tool that allows users to create several password vaults, and share a single password vault with a group of people who also have 1Password installed. However, you do need to use Dropbox to synchronize the data.

“That sharing solution is suitable for a family and a small team, but it’s not an enterprise solution or one for a big company,” says security adviser Per Thorsheim, founder of the Passwords hacker conference. Licenses cost $49+.

SplashID Safe for Teams

SplashID is an enterprise product that allows large teams or companies to share passwords and other information with large groups of people, such as entire departments. The IT team can create users, groups, and permissions, so that only the people who need access to a password can see it, and can review logs of records and usage.

Dashlane

Dashlane for Teams is yet another privacy tool that works on the company level. It syncs passwords within a team, which is helpful any time someone needs to change a password, as the change will get pushed out to all team members and their devices.

Dashlane also sends security alerts to users’ devices when an account may have been compromised. A security dashboard provides tips for making an account even more secure.

Licenses cost $39.99 a year for each user. There’s also a freemium version with very limited features.

Strip

Strip is another enterprise solution that has team password sharing. It allows synchronization over Dropbox, Google Drive, and local Wi-Fi, and creates local backups of data.

Don’t Forget Two-Factor Authentication

LastPass, 1Password, and OneLogin support two-factor authentication, which adds an extra step to checking a user’s identity when they log into a website. For instance, logging into the service requires not just a password, but also an authorization code that’s texted to the user’s phone.

Two-factor authentication is challenging to use with tools like Twitter if you have a distributed team, since a single phone number must be used, but there are often other options. Google, for example, allows users to generate backup codes, which can be shared with remote users who don’t have access to the mobile device to which the SMS code is sent.

How To Safely Share Just One Password

Suppose you need to send someone just one password, and would rather not deal with the hassle of setting up shared-password tools. Or, similarly, say you sent someone a KeePass database, but then also need to send them the password so they can open it.

“The challenge is that even if you were to store a shared password, you’d still need a password to get into the database in the first place,” Sandvik explains. So what’s the easiest way to safely share that single password?

Options might include sending encrypted emails, which require a bit of technical know-how, or using encrypted phone or messaging apps. Open Whisper Systems’ RedPhone (Android) and Signal (iOS) apps are particularly user-friendly.

SnapPass is open-source software used at Pinterest that allows people to send a URL to someone that links to a password. It may require a bit of tinkering to set it up; it stores passwords in a Redis database on the user’s own computer system.

“The URL leads to the password,” says web operations consultant Dave Dash, a former internal tools engineer at Pinterest who built SnapPass. He continued:

You can only click on it once and it expires after a few days. If I need to set up an account on any system for someone, I could send them the URL, and then they’d have the password and could then change it for added security.

Dash recommends that anyone setting this up make sure that the application and database aren’t publicly accessible. It’s also wise to limit the number of people who have access to the running application and its associated database.
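A minimal one-time-link secret store in the spirit of what the article describes, as an added example (not SnapPass’s own code): the in-memory dictionary stands in for the Redis database, the base URL is a placeholder, and the single-use pop, the three-day default expiry and the hashed lookup key are design assumptions drawn from the description above, not details taken from the project.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class _Entry:
    secret: str
    expires_at: float


class OneTimeSecretStore:
    """One-time, expiring password links. The dict stands in for Redis;
    a real deployment would use a Redis TTL plus an atomic get-and-delete
    so that two readers cannot both retrieve the secret (assumption)."""

    def __init__(self, base_url="https://snappass.example/", clock=time.time):
        self._items = {}           # lookup_key -> _Entry
        self._base_url = base_url  # placeholder host, not a real service
        self._clock = clock        # injectable so expiry can be tested

    @staticmethod
    def _lookup_key(token):
        # Only a hash of the URL token is stored: a dump of the store does
        # not hand out working links, because the token itself is never kept.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, secret, ttl_seconds=3 * 24 * 3600):
        """Store the secret and return its single-use URL (default TTL: 3 days)."""
        token = secrets.token_urlsafe(32)
        self._items[self._lookup_key(token)] = _Entry(
            secret, self._clock() + ttl_seconds
        )
        return self._base_url + token

    def redeem(self, url):
        """Return the secret on first use; None if unknown, already used, or expired."""
        token = url.rsplit("/", 1)[-1]
        # pop() removes the entry on the first read, so the link is single
        # use; an expired entry is discarded rather than returned.
        entry = self._items.pop(self._lookup_key(token), None)
        if entry is None or entry.expires_at <= self._clock():
            return None
        return entry.secret
```

As Dash notes above, the value of such a tool depends on the store and the application not being reachable by anyone other than the intended reader; the hashed key only limits what a leaked copy of the store reveals.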

Of course, there are non-technical solutions as well. You could, for instance, send a password through a different channel than the one used for login information—you could send one through email and another via chat, for instance.

This is the same concept that banks use when they send a debit card in one envelope and a temporary code in a separate one, and mail them out on different days, although of course it’s not foolproof. “That’s an option, but it assumes that NSA isn’t the entity you’re worried about,” Sandvik points out.

If nothing else, just promise us you won’t store all of your passwords in plaintext in a directory called “passwords.”

Photo by Tit Bonač

This article appeared originally on readwrite.com