The new norm has been undertaken by most of the employees, enterprise VPN servers have now become paramount to a company's backbone, and their security and availability must be the focus for IT managers. But without proper policies in place, this can have dire security implications. According to the latest report coming from vpnMentor, seven VPN (Virtual Private Network) in total have leaked 1.2TB user information.
Paul Ducklin, Principal Research Scientist at Sophos, emphasizes on why and how organizations can use VPN connections securely. VPNs are all the rage these days, because they’re supposed to boost the user’s privacy and stop the user from being tracked. Most VPNs have a free app one can download, but one typically needs a paid subscription to make it work or to unlock premium services. The app will scramble all the network traffic between their device and the company’s servers, and unscramble it and release it onto the internet from there – perhaps even in a different country – which does indeed disguise the true source of your data packets, and therefore makes the user harder to trace.
The user’s traffic is private from surveillance as it traverses the public network, because VPNs use encryption to shield the raw network packets from being sniffed out, but their traffic is not anonymous once they are inside the virtual castle of the company network. In short, the VPN itself knows who the user is and sees what they get up to, even if the routers through which their encrypted VPN packets travel do not.
According to a report published last week by VPNMentor (note: VPNMentor earns affiliate revenue from links to and coupons for selected VPN companies that it recommends), its researchers stumbled across copious user logs from seven VPNs operating out of Hong Kong.
(VPNMentor named the affected services as follows: UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, Rabbit VPN.)
Further digging suggests that these seven products were all rebranded from one main provider – software and IT services are often sold in this way, with the same (or very similar) code and back-end systems forming the core of offerings from several different licensees.
According to VPNMentor, about 1 billion database entries relating to approximately 20 million users (so that’s an average of 50 items per user) were exposed, including various data fields including: Activity logs, PII (names, emails, home address), cleartext passwords, Bitcoin payment information, support messages, personal device information, tech specs, account info, direct Paypal API links.
So not only did these VPNs collect data that they ought not to have retained at all, such as plaintext passwords, but they inadvertently exposed it publicly. Furthermore, VPNMentor claims that “according to their respective websites, every VPN [on the list] provides military-grade security features and zero logs policies to reinforce their users’ information security.” Or, it would seem, don’t follow “zero logs” processes at all.
The answer to: Is VPN necessary when at home is,
* No VPN makes user anonymous or magically changes their identity when they use it. Websites they visit will not see their true network location but remember that they are still the same person behind the browser.
* Turning on a VPN is like switching to a new ISP (internet service provider). VPN provider still sees all the raw network traffic, and knows where it originates, just like one’s ISP does. Remember, however, that user’s VPN Company may be subject to different laws than their regular ISP.
* If the user is storing data in the cloud, never leave it open to everyone unless they explicitly intend it to be public. Remember: lock data down by default; don’t share what promised to keep private; and don’t even think of retaining data that one promised to throw away permanently after use.
* Consider using a cloud management tool such as Sopirhos Cloud Optix to keep track of which of the user’s cloud assets are supposed to be where. Cloud storage is quick and easy to set up for short-term purposes, but correspondingly easy to forget about afterwards. Don’t let the crooks be the first to find out if the users make a mistake.
See What’s Next in Tech With the Fast Forward Newsletter
Tweets From @varindiamag
Nothing to see here - yet
When they Tweet, their Tweets will show up here.