Unmasking the daily lies: VPN has security holes, be aware


The lie:

A virtual private network (VPN) connection is very secure.

Why it is a lie:

A VPN encrypts your traffic. But someone could hack into your VPN username and password and access it, and therefore your traffic and all personally identifiable information. Also, your VPN service provider has access to your internet protocol (IP) address, and the URLs you visit, the amount of time you spend connected online, your browsing patterns, data, etc. are visible to your provider. A VPN may protect you against your ISP seeing your traffic, but not against the VPN owner. That is why many governments now use VPN as an attack vector to profile and collect data from you.

The solution:

Use trusted VPN providers. And practice basic cyber hygiene at a user level. The TOR browser is #1 on the list of trusted providers. But I hasten to add, it is not user friendly because its primary focus is security and not ease of use or functionality.

Insight in detail – the basics of VPN and how they work

How do you transport a VIP on a road used by the public? Or how do you move a VIP safely through an airport which many other people use to reach their destinations?

The solution is to have a highly trained force, like the VIP guards, and a special arrangement of the cars transporting the president or VIP: lead cars clear the road ahead of the ‘public’ and, of course, potential adversaries, then more lead cars follow, and, depending on the risk profile assessment, the VIP is camouflaged.

The same strategy is used at airports. Either the VIP charters their own plane or is fast-tracked through immigration using exclusive VIP counters. Not all men are equal.

The same story happens when it comes to your Internet access.

Browsing a website means making a connection from your personal computer or mobile phone to some other server on the Internet. It could be Facebook, Twitter, WhatsApp, or YouTube. Your computer is the source. The other server you are accessing to read content is the destination. The Internet is a public road.

Your ISP is the traffic police along the way. They can decide to stop you for a normal check, hold you for long, or even deny you access past the checkpoint. Also, if you live in Uganda, you see the road to Uganda State House, Plot #1, opposite Sheraton Hotel. Access to that road is denied to the general public. That checkpoint is like your internet service provider (ISP), for example MTN, blocking your access to a specific site like Facebook or whatever. But not everyone is denied access. Once in a while, the IGP or a Minister will come and, upon being checked, be let through. The President's convoy just comes and they open. No need to be checked.

That is how the VPNs work. Some traffic like yours is checked. For others, they are just let through. So, before you cry wolf that you are being blocked or social media is blocked, remember that some other people could be accessing business as usual. That is life!

When it comes to VPN, the most secure ones are the ones you buy and own. A person chartering their plane is more secure than one using a public one! It is like instead of using a public road, like Jinja highway, you use a road specifically built for you. But as you can imagine, private ownership of everything you need is not possible, let alone affordable, even for developed countries. So, VIPs use public roads but are moved in a secure convoy with lead cars, which is like a “VPN”.

For example, companies that want their staff to access internal services outside the local area network must do so through a VPN. The traffic must go through the Internet (a public road), but the company-owned VPN helps secure the traffic such that only staff with the username and password to access the VPN can see the traffic. It is like only cars within the Presidential convoy know whether the President is in or not, and in which car, etc.

If you cannot own the VPN, you can hire one.

And that is where the public VPNs come in. Because setting up a VPN environment is expensive, many people use it as a service from companies that are involved in the security business. Of late, due to increasing internet censorship, suppression of free speech, and clamping people down, and in Uganda the introduction of Over The Top (OTT) taxes as a way of generating revenue from the public, many people started using VPN. And we see increasingly many companies going into the business of selling VPN as a service.

There are several business models different companies use. The most popular are the:

i) free premium version with adverts,

ii) free VPN with limited features or capped monthly data traffic,

iii) free VPN to collect user patterns for intelligence, and of course,

iv) free VPN to promote internet freedoms by NGOs which are funded by donors and/or well-wishers.

As you may guess, the business model defines how a company ‘monetizes’ its idea to make money. You can easily tell which business model provides users with higher security. If you see ads popping up on the VPN you use, it is unlikely to be very secure, because ads are run in a way that only relevant content you are likely to click pops up. That means the VPN service provider collects some data about your online browsing to bring up relevant ads so you click and they make money! Nevertheless, below are deeper insights to make this clear.

i) free premium version with adverts. Here you can access a VPN app from various online mobile or desktop app stores for use. Some VPNs require you to register, others do not. Recently, the app store requires anyone who uploads an app to state whether they collect information from the users or not, and what they use the information collected for.

Also, some VPNs are available as browser engine extensions. For example, there are many Google Chrome VPN extensions that I have found handy during this time when installing apps is blocked.

Note that currently downloading Android apps from Google or Samsung stores has been blocked, as well as the app store for iOS. When I tested the free premium VPNs with adverts, many are run by underground cybercriminals who will require you to register, after which they collect your personal information like email and user traffic, and therefore send targeted ads, as well as possibly sell your email to companies involved in sending spam emails. You must be alert with free things.

The only exception is top security companies like Avira, Kaspersky, Norton, Comodo, and more like these with a reputation and long security track record, which are in the business and are fully accredited. You should start by visiting their website and then try to download. If using a mobile phone, you are automatically directed to the right store to download the specific app. That is the only way to know the app is by the said company. Even Apple has an inbuilt VPN within an iPhone!

ii) free VPN with limited features or capped monthly data traffic. The explanations in i) above apply. Be careful. Make sure you check out their privacy standards and terms of use.

iii) free VPN to collect user patterns for intelligence, of course. Some countries have invested in cyber weaponry and cyber warfare. Today, due to their popularity, VPNs are seen as ideal cyber weapons or attack vectors for phishing or data collection from the unsuspecting public. You download a VPN run by a government agency. And you start accessing the Internet via their VPN, yet they have access to all your browsing history, computer ID, online social media usernames and passwords, and much more, including installing spyware on your mobile phone or computer. That is why you must be selective in the kind of VPN you use.

And the use of VPN as an attack vector for social engineering is not limited to African governments. No. On the contrary, this is a powerful tool used by advanced countries. VPN is so lethal because people embrace it thinking that they are secure.

Look at it this way: as you travel from your house, they inform you that you are a VIP and therefore need escort services, and you will be moved in a convoy. The catch is your convoy is not an official one. As you pass through an isolated area, one of the members of your convoy pulls a gun on you, and off you kick the bucket. That is what spy VPN does. I could go on and on.

iv) free VPN to promote internet freedoms by NGOs which are funded by donors and/or well-wishers. This is the most secure of all. But as you know, the more the security, the lower the user-friendliness. The top on the list is the TOR browser. I recommend you install this and start accessing all your online needs through it. Forget other browsers. TOR browser will never keep a cache of your online traffic, and of course, the connection is secure.

There is a catch though.

Because it does not keep a cache of your browsing history, you will be required to enter your username and password each time you try to access a site and post data. Some websites which are made to covertly collect data from you shall be disabled and could appear badly in the browser. But that is the cost of ultimate security. The more the security, the more the inconvenience, and developers therefore always look for the ideal balance between the three: security, ease of use, and functionality. With TOR Browser VPN, security is prioritized by over 90%, and so the other two suffer badly!

The Tor Project is a US 501(c)(3) non-profit organization advancing human rights and freedoms by creating and deploying free and open-source anonymity and privacy technologies, supporting their unrestricted availability and use, and furthering their scientific and popular understanding. You can donate to keep this project running. And for Internet freedoms, for which I write my blog, I recommend you use this. It is free of charge for good and you are sure you are safe.

Their business model is donations. Other people donate. And their work is to protect you. So no stealth data collection from you.

The challenge of the increasing use of VPN is that it makes online policing extremely difficult, distorts global market patterns, and could cause Africa to lose out on the digital revolution. In the past, Google, Apple, Facebook, and other top companies would use their Artificial Intelligence and Machine Learning engines to analyze data and examine the purchase patterns of people based on their internet protocol (IP) addresses. However, with VPN, the IPs are masked. Since there are few open and free VPN providers with servers based in Africa, all the traffic is shown as if originating from Europe, United States, or Asia. Never Africa. If you check on your VPN now, it will show that it is connected to a server located in Europe, America, or Asia. To Amazon or Google, the top buyers of their products are in those countries.

That could affect the country’s prioritization for future investment. It looks small, but it is damn big in the long run.

I could go on and on.

If you have any other questions about cybersecurity and specifically VPN security, do ask me. I do lots of security research and will provide clarifications based on your questions. Thanks.

Copyright Mustapha B Mugisa, Mr. Strategy 2021. All rights reserved.
