VPNs are all the rage these days, because they’re supposed to increase your privacy and stop other people from tracking you.
In fact, “VPN” has become a word in its own right, pronounced vee-pee-en. It is a crowded marketplace, with companies advertising online, on television and even in print to compete for consumers’ dollars.
Most VPNs have a free app that you can download, but you generally need a paid subscription to get it working or to unlock premium services.
The app encrypts all network traffic between your device and the company’s servers, which decrypt it and send it out onto the internet from there, perhaps even from a different country. That hides the true source of your data packets and therefore makes you harder to track.
But the association with privacy, and by extension with anonymity, comes from the fact that VPN is short for virtual private network, which has the word “private” right there in the name.
In truth, the “private” part of a VPN is not really about being anonymous or pretending to be someone else.
The P in VPN really only refers to using a public network to carry traffic that in the old days would have crossed a private circuit or a leased line, and was therefore treated and managed as part of your company’s LAN, or local area network.
In fact, if you’ve ever used a corporate VPN, and in this era of coronavirus lockdown chances are you have, you will know that your corporate VPN makes you identify yourself precisely, perhaps with a password and a 2FA token, so that the company knows exactly who you are before it lets you connect.
Your traffic is shielded from surveillance as it traverses the public network, because VPNs use encryption to protect the raw network packets, but your traffic is not anonymous once it is inside the virtual castle of the company network.
So the VPN itself knows who you are and sees what you do, even if the routers through which your encrypted VPN packets travel do not.
And that’s a good thing, because it means you’re sharing the company network only with other people who are supposed to be there (that’s what you’d expect!) and who can be held accountable for their behaviour, rather than with a random bunch of strangers.
What about the logs?
As we mentioned earlier, consumer VPNs can arrange to decrypt your traffic and release it onto the public internet far from where you are, so they not only hide your physical location (which does improve your privacy), but also let you disguise your country of residence.
For many people, that is the main value of a personal VPN service: it lets them get around censorship that ISPs may apply in their own country, and it also lets them get around the so-called geo-blocking that stops them watching TV shows and movies from abroad or accessing other region-limited content.
But it also means that you are placing a lot of trust in the VPN provider, because that provider essentially becomes your new ISP, so you need to be aware of how far surveillance and data-retention laws apply (or don’t) in the various countries where it operates.
Many VPNs tell you that they “don’t keep any logs” and therefore would have nothing on you that they could turn over to law enforcement even if they wanted to.
But many countries have legal mechanisms by which various authorities, with or without a court order depending on the jurisdiction, can compel a service provider not only to start keeping logs on specific individuals, but also to stay silent about it. In other words, they have to keep records of your traffic, but they are gagged from letting you know in advance, and they can’t tell you even if you ask.
This legal peculiarity led to a trend, a few years ago, for so-called “warrant canaries”, named after the canaries in coal mines that signalled dangerous gases by falling unconscious and dropping off their perches.
Companies regularly posted notices on web pages or in documents to say that they were not currently under any kind of gag order. The idea was that removing the “no gag order” notice, which would essentially be required once a gag order was served, would be as good as adding a “we are gagged” notice, and would therefore comply with the letter of the law, if not exactly its spirit.
This sort of legal sophistry is no longer widely used, not least because it turned out to be rather confusing.
Of course, some VPNs will assure you that this cannot happen to them (and therefore indirectly to you) because their companies are registered in countries where there are no such legal provisions.
But any VPN knows where you are and, at least to some extent, who you are while you are using the service, and it may even need to keep a number of records in memory (ephemeral data, to use the jargon term) for part or all of each session, simply for the service to work reliably.
What you have to assume, therefore, is that everything the provider knows about your traffic in order to handle it while you are online is never stored anywhere permanent, either by accident or by design.
And history suggests that ephemeral data – things that should forever evaporate from memory once they are no longer needed and never written to disk or forwarded to another server – have a way of surviving when they shouldn’t.
After all, in recent memory both Google and Facebook admitted that, on occasion, the passwords you had typed in during login, data that was only supposed to be held in RAM and discarded after validation, had accidentally been written out in plain text and saved in log files on their respective systems.
Facebook discovered in 2019 that it had hundreds of millions of passwords sitting on disk and set about finding and purging them; Google also admitted that it had been incorrectly saving some passwords, we don’t know how many, but we do know that the data went back 14 years, to 2005.
In other words, logging what shouldn’t be logged is easy to do, even if you genuinely set out not to, and even if you are one of the largest internet companies out there, with a large, well-funded cybersecurity team.
What happened this time
According to a report released last week by VPNMentor (note: VPNMentor earns affiliate revenue from links and coupons for selected VPN companies it recommends), its researchers stumbled upon a trove of user records from seven VPNs operating out of Hong Kong.
(VPNMentor named the affected services as follows: UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, Rabbit VPN).
Further digging suggests that these seven products were rebranded versions of a single underlying product from one vendor: IT software and services are often sold this way, with the same (or very similar) code and back-end systems forming the core of offerings from several different licensees.
As you have probably guessed by now, this data was not supposed to be publicly accessible, but was instead exposed through a cloud-hosted database, an Elasticsearch instance in this case, that had not been configured correctly.
According to VPNMentor, about 1 billion database entries related to approximately 20 million users (i.e. an average of 50 items per user) were exposed, including various data fields including:
Activity logs, PII (names, emails, home addresses), clear-text passwords, Bitcoin payment information, support messages, personal device information, technical specifications, account information, direct PayPal API links.
So these VPNs not only collected data that they shouldn’t have retained at all, such as plain-text passwords, but also inadvertently exposed it to the public.
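The exposure described above is a configuration problem before it is anything else: a database that listens on every interface with authentication switched off. The following is an added example, not code from VPNMentor or any of the VPN vendors named here; it audits a constructed elasticsearch.yml for exactly that combination, with the weak configuration beside a corrected one, and assumes Elasticsearch 7.x defaults (loopback-only binding, security off unless explicitly enabled).

```python
# Added example: audit a flat elasticsearch.yml for the settings that turn a
# private log store into a public one. Assumes Elasticsearch 7.x defaults.

# Constructed sample: the weak setup, reachable by anyone with no password.
WEAK_CONFIG = """\
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: the corrected setup (loopback only, auth and TLS on).
HARDENED_CONFIG = """\
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# network.host values that bind to every interface rather than loopback only.
PUBLIC_BINDS = {"0.0.0.0", "::", "_global_", "_site_"}
LOOPBACK_PREFIXES = ("127.", "::1", "_local_", "localhost")


def parse_flat_yaml(text):
    """Parse the simple 'key: value' lines of elasticsearch.yml (comments ignored)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit(config_text):
    """Return (setting, problem) findings; an empty list means nothing found."""
    s = parse_flat_yaml(config_text)
    findings = []
    host = s.get("network.host", "_local_")  # 7.x default: loopback only
    public = host in PUBLIC_BINDS or not host.startswith(LOOPBACK_PREFIXES)
    if public:
        findings.append(("network.host", f"listens on non-loopback address {host!r}"))
    security_on = s.get("xpack.security.enabled", "false").lower() == "true"
    if not security_on:
        findings.append(("xpack.security.enabled", "authentication is disabled"))
    elif s.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append(("xpack.security.http.ssl.enabled", "REST API is plain HTTP"))
    if public and not security_on:
        port = s.get("http.port", "9200")
        findings.append(("exposure", f"anyone who can reach port {port} can read every record"))
    return findings
```

Running `audit(WEAK_CONFIG)` reports the public bind, the disabled authentication and the resulting exposure, while `audit(HARDENED_CONFIG)` returns nothing.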
Furthermore, VPNMentor notes that “[a]ccording to their respective websites, each VPN [on the list] provides military-grade security features and zero log policies to enhance the security of its users’ information.”
Except that, apparently, the “zero logs” policy was not being followed at all.
What to do?
The burning question here, especially with many of us working out of the office these days, is: “Do I need a VPN now that I’m working from home?”
We discussed this topic in our weekly Naked Security Live video in April 2020, when the lockdowns began in the UK and the US: