Finding the right VPN isn’t so simple

Never has an imperfect corporate memory been so public. In recent testimony before Congress, the CEO of Colonial Pipeline admitted that the company had forgotten about an old VPN connection that the hackers had found and exploited. “It was an oversight,” he said. I was amazed at this revelation. Yes, we all forget about things, but this was a biggie. You might recall that a few years ago Avast suffered unauthorized access through an unused VPN account.

This reminded me of my own “oversight.” Turns out I had created a second user of my password manager, something that I had set up years ago and never used. This username didn’t have the appropriate password and multi-factor protections. Even within my small company, it is easy to lose track of things.

But being forgetful is just one of several different VPN problems. If you are shopping for a VPN, keep the following in mind. Some VPNs have very good digital memories and keep track of your digital movements, even though they claim not to log or store your data. This can happen because the vendor is deliberately harvesting its customers’ data. If you aren’t paying for your VPN, chances are good that is how your VPN vendor is making money.

There is another issue: some VPNs aren’t very well constructed and contain coding errors, or they rely on sub-standard implementations of their encryption protocols. This happened several years ago, when hackers found their way into NordVPN, TorGuard and VikingVPN. Pulse Secure VPN has had its share of problems for several years, including a recent hack that enabled back doors.

Some VPNs have the potential to leak the DNS data and IP addresses of their users. Last year, a series of reports were published (one by VPNcrew, the other by VPNmentor) demonstrating that potentially 20M users have had their private data leaked in this way. Not helping matters, some VPNs deliberately hide their corporate ownership details to disguise the fact that they have shady origins.

So how to fix this? First, find out if your VPN vendor has paid for an independent audit. McAfee’s TunnelBear, for example, does regular security audits of their code and publishes the results. My VPN of choice is ProtonVPN, which also publishes its audit results and takes things a step further by publishing its source code too. There are other open-source VPNs too.

Second, you should understand the testing rubrics that the major computer publications use in their VPN ratings. If you are ready for a deeper dive, here is a detailed explanation of how rigorous your tests need to be and suggestions for testing tools. There are various tests, including the DNS Leak Test and the IPLeak test. If you want to run these tests yourself, compare the output when not using any VPN to what they show when the VPN is turned on.
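As an added example that is not part of the original post, here is how that “VPN off versus VPN on” comparison can be scripted once you have recorded the public IP and the resolver addresses that a leak-test site reported for each run. The two captured runs and the provider’s resolver range below are constructed values, not results from any real VPN.

```python
# Added example (not from the original post): a minimal DNS/IP leak check over
# two recorded leak-test runs. Assumptions: you ran the same test with the VPN
# off and then on, noted the public IP and the resolver IPs the test server saw,
# and know the VPN provider's documented resolver ranges (constructed below).
import ipaddress

# Constructed sample: what the leak-test page reported for each run.
BASELINE = {"public_ip": "203.0.113.45", "resolvers": ["203.0.113.9", "203.0.113.10"]}
VPN_ON = {"public_ip": "198.51.100.7", "resolvers": ["198.51.100.53", "203.0.113.9"]}

# Constructed: address ranges the VPN provider documents for its tunnel resolvers.
VPN_RESOLVER_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def in_vpn_ranges(ip, nets=VPN_RESOLVER_NETS):
    """True when the resolver address falls inside the provider's known ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def leak_report(baseline, vpn_on, nets=VPN_RESOLVER_NETS):
    """Compare a no-VPN run against a VPN-on run and list what leaked."""
    findings = []
    # IP leak: the visible egress address should change once the tunnel is up.
    if vpn_on["public_ip"] == baseline["public_ip"]:
        findings.append("ip_unchanged")
    # DNS leak: a resolver that also appeared with the VPN off means queries are
    # escaping the tunnel (typically to the ISP's resolver).
    leaked = sorted(set(vpn_on["resolvers"]) & set(baseline["resolvers"]))
    for resolver in leaked:
        findings.append(f"dns_resolver_reused:{resolver}")
    # Resolvers outside the provider's documented ranges are also suspect.
    for resolver in vpn_on["resolvers"]:
        if resolver not in leaked and not in_vpn_ranges(resolver, nets):
            findings.append(f"dns_resolver_unknown:{resolver}")
    return findings


if __name__ == "__main__":
    for finding in leak_report(BASELINE, VPN_ON) or ["no leak detected"]:
        print(finding)
```

An empty report means the egress IP changed and every resolver seen with the tunnel up belongs to the provider; anything else is worth raising with the vendor before trusting the “no logs, no leaks” claim.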

And you might want to review your own infosec posture, and track down “forgotten” accounts that you have created that have fallen by the wayside. You never know what you might find.
