Insights For Success

Strategy, Innovation, Leadership and Security

KeepSolid VPN Unlimited Review

GeneralEdward Kiledjian

VPN Unlimited is one of the most popular VPN services available and for good reason. It is fast, reliable and competitively priced (deal below).

VPN Unlimited is a USA based provider and offers termination in more than 30 countries (with multiple locations in most countries). VPN Unlimited has good platform support (Windows, Mac, iPhone, iPad, Android) and very well written clients.

Above is a screenshot of the protection menu option on their IOS client. When set to High security, they (in addition to VPN protection) automatically add anti-malware, tracking blocking and ad blocking.) All of this extra security is done at the network layer without the need to configure any additional applications or pay additional fees.

Like most VPN service providers, VPN Unlimited specifically mentions that they do not allow illegal torrenting via their service. They recognise that not all torrents are illegal and allow the use of the BitTorrent protocol on these VPN termination points: US-California 1, Canada-Ontario, Romania, Luxembourg, and France servers.

A question I get asked often is "Does VPN Unlimited support OpenVPN on iOS, iPhone or iPad?" The answer is Yes! As shown in the above screenshot. Additionally, they support a protocol they call KeepSolid Wise (similar to the Chameleon protocol on VyprVPN). KeepSolid Wise uses common ports (TCP 443/USP 33434) which help bypass firewall restrictions and packet shaping control for most environments. KeepSolid Wise is available on iOS, Android, MacOS, Linux and Windows clients.

I setup VPN Unlimited on a Windows machine configured for maximum privacy. I then ran a battery of tests to determine how well it protected my privacy.

  • does not leak DNS queries when in VPN mode (go here to test)
  • does hide your actual IP address (go here to test)
  • does not leak IP or DNS information via JAVA or Flash ( Go here to test)
  • protecting P2P traffic. Although I do not condone or encourage the use of P2P tools to steal protected media, there are dozens of legitimate uses for P2P technology. It is important to ensure your VPN product protects you while using P2P and VyprVPN did. You go to this site and the find the Torrent Address Detection. You download their magnet link into your P2P client of choice then activate the test. If it shows your real IP or DNS, you are not protected. You should only see your VPN address here.
  • VPN Unlimited is not subject to WebRTC leaks when in VPN mode (go here to test

VPN Unlimited seems well written and does offer good protection.

Deal

VPN Unlimited is currently running a couple of specials that are worth considering (I bought the unlimited plan):

  • KeepSolid VPN Unlimited lifetime subscription for only $49.99 (for 5 devices)
  • KeepSolid VPN Unlimited 3-year subscription for only $29.99 (for 5 devices)
  • Add their Infinity Plan (aka 5 additional device licenses) for $14.99  but you must own one of the above subscriptions

Conclusion

The best summary I can give you is that VPN Unlimited has a permanent stop on the first page of my iPhone and I use it regularly. 

VPN Unlimited has decent privacy policies but isn't the super secret spy-proof identity protection service. If you want to protect your connection while out and about, VPN Unlimited is cheap, fast and reliable. If you want a super secret identity protecting connection then create your own VPN service on AWS or Azure using one of the pre-made scripts.

Questions

Does KeepSolid Wise work in China?

China severely controls encryption and in some cases slows down encrypted connections making them barely usable. A friend recently travelled to mainland China and reported that VPN Unlimited (with KeepSolid Wise UDP) worked flawlessly.

Does KeepSolid VPN Unlimited support video streaming?

Some of the cheaper VPN providers limit the quality of video from streaming sites because these stress the technical infrastructure of the provider. VPN Unlimited supports streaming video on all termination points but also makes available streaming optimized termination points which are specifically designed to work "better" with sites like Youtube, Dailymotion, Vimeo and more.

Does KeepSolid VPN limit connection speed?

There are dozens of factors that contribute to your overall internet speed but VPN Unlimited does not have tiered pricing based on speed and does not limit connection speed in any way. On most clients, they even show the workload on each termination point which means you can choose one with the least amount of current load (which should lead to better performance).

Does VPN Unlimited support Chromebooks?

VPN Unlimited has a Google Chrome plugin (which works on Chromebooks) and allows you to protect your web browsing only. Obviously as a proxy, it is less secure and missing many of the additional features you expect from VPN Unlimited but it is a great way to browse quickly (securely) and a great option on a Chromebook that doesn't require Jedi level knowledge to implement. 

VyprVPN Review

GeneralEdward Kiledjian

VyprVPN owns and manages its own networks and servers. During my recent VPN testing shoot-out, VyprVPN consistently ranked as one of the fastest VPN providers out there. 

In addition to raw speed, they have an incredible list of supported clients from traditional PCs (Mac, Windows, Linux), to routers (DDWRT, OpenWRT, AsusWRT), smartphones (iPhone, Android, Blackphone, Network Attached Storage (QNAP, Synology), TVs and the Anonabox

Contrast this to other popular VPN solutions like UnlimitedVPN, which only supports a small number of custom made clients.

It's VPN clients are well designed with easy to use interfaces and useful features (kill switch, auto-connect, etc). A cool and useful feature is called Chameleon. They explain Chameleon as:

Our Chameleon technology uses the unmodified OpenVPN 256-bit protocol and scrambles the metadata to prevent DPI, VPN blocking and throttling.

The first important note is that the Chameleon protocol is not available for IOS due to Apple restrictions on the VPN function. I had the opportunity to test the Chameleon protocol on a Windows laptop from a corporate network with strong VPN restrictions, an ISP that throttles VPN traffic and from a country that severely slows (painfully) down VPN traffic. In all three of these situations, the Chameleon protocol delivered that it promised.

  • It punched through the heavily controlled corporate network
  • When used with the ISP that throttles "normal" VPN traffic, it managed to trick the provider and I was able to use a full speed connection
  • A friend travelling to a highly restrictive country compared VyprVPN to 3 other VPN providers and VyprVPN with the Chameleon protocol was the only one that seemed to operate at normal speed (aka didn't seem to be artificially slowed down)

With more and more internet traffic being encrypted, many companies, organisations and governments have turned to DNS based control tools. DNS is still an unencrypted means to determine web destinations. DNS be used to prevent a user from accessing certain types of sites (religious, political, pornography, etc) and to log web browsing habits. It can also be used to redirect your traffic (quickly without you even realizing it), to inject your session with malicious code and c compromise your device. VyprVPN offers their own self-managed private "no log" DNS solution to protect their customers from DNS snooping and control.

VyprVPN offers a clear and well-written privacy policy. Obviously you aren't anonymous but in summary, they retain " Each time a user connects to VyprVPN, we retain the following data for 30 days: the user's source IP address, the VyprVPN IP address used by the user, connection start and stop time and the total number of bytes used."

And they offer a wide range to termination locations.

VyprVPN and leaktests

I setup VyprVPN on a Windows machine configured for maximum privacy. I then ran a battery of tests to determine how well it protected my privacy.

  • does not leak DNS queries when in VPN mode (go here to test)
  • does hide your actual IP address (go here to test)
  • does not leak IP or DNS information via JAVA or Flash ( Go here to test)
  • protecting P2P traffic. Although I do not condone or encourage the use of P2P tools to steal protected media, there are dozens of legitimate uses for P2P technology. It is important to ensure your VPN product protects you while using P2P and VyprVPN did. You go to this site and the find the Torrent Address Detection. You download their magnet link into your P2P client of choice then activate the test. If it shows your real IP or DNS, you are not protected. You should only see your VPN address here.
  • VyprVPN is not subject to WebRTC leaks when in VPN mode (go here to test

VyprVPN seems well written and does offer good protection.

Beware of the unknown

The only information that we have about the service comes from VyprVPN themselves. Remember that none of the statements about privacy and logging have been reviewed by an independent third party.

They are a US company and therefore they are subject to US data collection laws including the infamous National Security Letter (NSL). 

The above caution statement isn't unique to VyprVPN. I am not aware of any consumer VPN services that have been independently audited but it is still an important factor to consider. 

Some users may want to use a non-US based VPN provider to ensure the company is beyond the legal reach of US laws. The one I am looking into right now is ProtonVPN (which I will be reviewing shortly).

Other users may choose to roll their own VPN solution (lifehacker instructions using the Algo script or you can use anyone of the other scripts that almost automate the creation of a private dedicated VPN instance you control like OpenVPN Road Warrior, streisand, etc.) 

Conclusion

VyprVPN is a fast service with a broad selection of clients and a decent privacy policy. If you are performing illegal activities or are a human rights activist in a questionable region, this probably isn't for you. If you are a "regular" user looking for a decent level or privacy when using the internet, then this is definitely something you should consider. 

For the casual user that only connects to a VPN when using public WIFI, you may want to look elsewhere because VyprVPN isn't cheap. A prepaid annual subscription costs $6,67 a month (or $12.95 paid monthly).A casual user can buy a lifetime subscription to UnlimitedVPN for $49.99 here or a 3-year subscription for $29.99 here.). 

I started testing ProtonVPN recently and will write a review shortly but their offering (plus level) is $8 a month prepaid for 1 year). VyprVPN offers the Chameleon protocol, more servers and their own DNS service (which ProtonVPN does not yet). 

So the price is on the higher end but is in no way the most expensive. For the very casual user, you could be better served by another provider, but for the more security conscious user or traveler, this is definitely a service to evaluate. 

How to protect your PC from infection

GeneralEdward Kiledjian

Think of all the valuable data your PC contains (pictures, files, invoices, contacts, etc). Now imagine losing all of that data Virus' are still a thing but you should be more worried about ransomware, worms and all of the other digital creepy crawlies roaming the net looking to make you their next victim.

Go read my article entitled "How to secure Windows 10".

Backup everything, then back it up again

In 2012, I wrote an article entitled "The best way to protect your data - images, music, documents". The main point is that you should always remember the 3-2-1 rule of backups:

  1. Have 3 copies of all of your important data (1 primary and 2 backups)
  2. Make sure your 2 backups are on separate media technologies (e.g.1 on a hard drive and the other in the cloud or 1 on a hard drive and the other on a tape backup)
  3. 1 of your backups should be offsite in a remote location that would not be impacted by a major disaster that hits your area (e.g. in the cloud).

The advantage of most cloud backups is that they support version control which means if you infect your files with ransomware, you can always go back to  a known good version. My backup strategy involves:

  1. 1 primary version of my data and a local hard drive backup
  2. 1 complete synchronization of my files on a fully encrypted trust no one online storage service
  3. 1 complete backup using a remote backup service (like backblaze or carbonite)

Update everything

WannaCry created an incredibly outcry in the tech world with thousands of companies getting infected in hundreds of countries. The truth is that an update published 2 months prior patched that vulnerability. Updating computers in large companies is complicated but your home PC shouldn't be.

You must must must update your operating system and applications regularly to stay protected.

The latest version of the operating systems from Microsoft, Apple and Ubuntu are all configured to auto-update themselves. In addition to the OS, make sure you periodically check for application updates.

If you use an Apple Macintosh computer, you may even want to use something like MacUpdate Desktop to constantly check if any of your installed apps have updates available.

Leave the built-in firewall on

Some "Security" apps turn off the built in firewall but it is critically important to ensure it is always on. On Windows, you can turn if on/off with these instructions. You can find information about the Apple Mac application firewall here

Use an antivirus

The question I get asked the most often is should I buy a third party antivirus for my home computer and my answer is no. Anytime you add a third party tool, you increase the attack vector therefore rely on what Microsoft bundles with Windows 10. You can follow these instructions to change the Windows Defender Antivirus cloud-protection level to 10.

In February I wrote an article entitled "Companies buying bitcoin to prepare for cyber extortion" and in there included this paragraph:

Companies have started to jump on the Ransomware protection bandwagon. An EDR &”next-generation AV” company called Cybereason offers a free product called RansomFree. They claim it protects against 99% of ransomware by monitoring how applications interact with files on your computer. Did I mention RansomFree is free? I haven’t used their product and thus can’t recommend it but it does seem to be useful and could really help the average consumer ensure they don’t end up getting victimized.

You can run something like RansomFree on your home PC in addition to the Windows antivirus. 

Upgrade the fleshware

The truth is that even the best most advanced technology can't prevent an infection if the user does something stupid. Often users are the weakest link the the corporate security chain and you are no different. 

Using good security hygiene will go a long way to protecting you. Basic tips:

  • never open an attachment from a user you do not know well or that you are not expecting
  • never click on a link embedded in an email
  • never install applications from untrusted sources (including torrents or anything pirated)
  • Remember that you can also get infected from a website so use Google Chrome with the the Ublock Origin plug-in

What to do if you get infected?

If a user's PC or Mac does get infected, their first thought is to find someone that can clean it. The truth is that once your PC is infected, it can' really be cleaned properly or trusted. At that point, you must do  a clean re-installation from a known clean source and then recover your files from a known good backup.

Some technical support companies will offer cleanup services but don't do it. Once your PC is infected, you don't know what else could be lurking in the background waiting to strike again. The best course of action is to start fresh.

Hopefully you have backups and everything will work out just fine. If you don't have backups and your files are encrypted by ransomware, you can always check out a free online site called No More Ransom Project and see if they offer a free decryptor for your ransomware. There are no guarantees your infection strain has a decryptor but it doesn't hurt to check.

 

Your cloud provider is making you a target

GeneralEdward Kiledjian

Phishing is a powerful and effective tool and a favorite in the threat actor arsenal. So what happens when your cloud provider gives threat actors a roadmap to steal from you?

A couple of weeks ago, Workday sent a security advisory to its customers regarding a phishing campaign targeting its customers. Although details of the attack campaign are light, here is what I believe is happening based on discussions on various darknet forums.

What was the Workday phishing attack model?

First, none of this is a weakness or vulnerability in Workday or any of its systems or processes. The threat actors send an email to employees, pretending to originate from a high ranking executive (CFO, CEO, SVP HR, etc.) and are asking, asking them to log into "Workday" to fix an issue. This fake Workday site harvests the credentials which then allow the threat actors to log in and change direct deposit accounts for employees thus stealing money. 

Based on reports I have seen, these emails are professionally written (so they do not contain the telltale signs of being a scam) and are currently not being caught by many large spam filtering services.

How did Workday facilitate this attack?

Like many SAAS and cloud service providers, Workday proudly displays a ling list of satisfied customers on its webpage. This marketing list basically becomes an attack plan for these threat actors by knowing exactly which customer to target with which SAAS provider name and which attach to use. 

Security is a balancing act. It always has been and always will be. Ultimate security means severely reduced usability and no marketing. More marketing and usability means less security.
 

Security is a balancing act

Marketing is tasked with growing the business and nothing helps more than social proof (aka showing others that have made the same decision you are thinking about). The fact Workday marketing is publishing hundreds of customer names on its website is aligned with their objective of supporting business growth. After all, why should marketing avoid using all of the tools available to it just to protect the business from some attack that may or may not occur?

Even if marketing hadn’t published an exhaustive list, they probably would publish a press release when a new big-name customer was signed. This means a determine attacker could build his own list of high-value targets. Right?

As an example, they published this press released in April entitled “Workday Continues Momentum in Canada.” This wonderful piece of marketing includes this section:

To be clear, this is not a Workday issue but a generalized cloud services provider issue. As an example, a service provider called CVM solutions has a customer search on its webpage:

 

Where does marketing end and security start? 

Stop making it easy

In addition to publishing a customer list, most Software As A Service (SAAS) companies publish a custom login page for each customer (which is usually pretty easy to find).

In Workday's case, you go here

Enter the customer name of a customer and find their login page

Again this is a common practice by many large SAAS providers. Even a giant like Microsoft does this for their Office 365 in the cloud offering. I searched the web for Microsoft Office 365 success stories and stumbled on blog post. 

So I know the American Cancer Society uses Office 365. I then need an email address to plug into the portal page so Microsoft switches me to their customized Office 365 login portal. In this case, I chose to use a service called Jigsaw.com (from Salesforce.com) and found the email address of their CEO.

Keep in mind that finding email addresses is easy. There are billions of them on the web. There are dozens of hacked site database dumps every week. This is trivial but I chose Data.com just to show it visually here.

You then are sent to the appropriate login page for authentication.

If you are a threat actor, you scrape this page, register a close-looking URL and then target all of the users of Cancer.org you can find (remember there are huge lists everywhere on the web and darknet if you know where to look).

Let's be real

Marketing is a business necessity and every company has an obligation to maximize its top line by leveraging everything it legally can. As a potential customer, I love hearing about other customers that have already chosen the product I am evaluating and learning how they leveraged it to improve their operations (Social Proof - Social Influence). If a vendor tells me that one of my main competitors chose their product and that it is contributing to their success, I really want to know more. How can I leverage their tool too?

If I am a threat actor and determined to phish a particular company, there are other means for me to collect the data I need. A popular technique is called Open Source Intelligence (OSINT for short) and the folks at Rapid7 provide a nice example here

Using OSINT techniques, they provide a list of customers that include SAAS providers in their publicly available SPF records.

So the question is how easy to we want to make it for threat actors? OSINT is intelligence gathered from public legal sources but it still requires a more sophisticated attacker. Publishing a list of customers on your website means even the most garden variety kiddy "attacker" can easily target your customer.

I've spent half my career on the consulting and services provider side and understand the hugely powerful tool of social proof. If I tell a small shop owner other small shops (like his/hers) are using a tool and have found it immensely useful, that is a huge motivator. People love seeing others like them making the same decisions. It validates their choices. 

The company I work for recently conducted product reviews for various security tools, and  having spoken to another large multinational customer was one of the reasons we chose that product. It validated our findings and also showed others (like us) made the same conclusions.

There is no real answer

I'm going to disappoint you and say there is no magical silver bullet . Obviously user awareness is critical, since most often, the human firewall is what will allow or prevent an attack. 

Companies have and will continue using customer names to convince the next prospect to jump on-board. Threat actors will always continue to be create and find news ways to do bad things to good companies.

I believe the only solution is to ensure marketing and security are talking regularly and openly about strategy and impact. It is only through tight collaboration built on mutual respect and trust, that companies can decide what the right balance is between public disclosure and security.

To a hammer, everything looks like a nail. To a security professional, everything looks like a security vulnerability, but it is important to remember that sales is the only reason you are around. Our job as security professionals, is to provide enough security to protect our customers and support our business objectives. 

Michael Moore launches Trumpileaks using strong encryption tools

GeneralEdward Kiledjian

Image by g4ll4is used under creative commons license

American politics is an extremely divisive issue and I will not be taking any sides in this debate. The purpose of this article isn't to promote any sides but rather to talk about how encrypted communication tools are being used.

Michael Moore launched a sub-page to his domain called Trumpileaks. The purpose is to give whistle blowers a "secure mechanism" to share information. 

The website recommends a bunch of encrypted messaging apps to share information via the web or by traditional mail. It recommends the use of Signal, Peerio, WhatsApp, Encrypted Email (Protonmail), traditional mail or general email if you just don't care.

These tools are very good for general secure communication but not if you are trying to "hide" from the american intelligence community. All of these tools leave a crumb trail of meta data which can be tracked back to you and the fact this isn't mentioned is irresponsible (my opinion).

What follows is not an exhaustive operational security guide (OPSEC) but just general recommendations.

Protecting your network access

The first thing you will want to do is protect your network identity, which would be used to narrow down a list of suspects when trying to identify you. 

Connect from free WIFI

The first recommendation is to use free open WIFI in a location away from your normal living areas (home, work, etc). Chose a place that is relatively far away like a coffee shop. Before using it to leak info, make sure you visit it looking for cameras in and around the area. When visiting it do not buy anything or leave any trail you were here. 

Remember that your cell phone is a beacon that broadcasts your location constantly and turning it off doesn't work. Either leave it behind or place it in a cell phone blocking Faraday cage bag (buy or make your own). You must block your signals before leaving your house.

I recommend going to your end location using public transit (since your car can get tracked via license plate or in-car navigation). Pay using anonymous transit tokens purchased with cash.

Use an anonymous VPN

Once you have found a good location, you will need a VPN device like the Invizbox (review here or you can buy it here. Since you will use this once, I recommend buying one with 2 months of VPN access. Invizbox allows you to buy via Bitcoin so do that. Make sure you setup a non trackable one time use bitcoin wallet for this transaction and ship the device to a fake name/fake location (so it can't be tracked back to you). 

Set up the Invizbox a couple of days before using a secure machine (described later), at another anonymous WIFI location using fake information. 

Use a service like Fake Name generator to help you create your fake identity. 

When setting up your Invizbox Go, use their VPN service to connect to a location like Switzerland. but do not use their TOR service.

How to buy anonymous bitcoin

Cash is king but for some transactions you may need bitcoin. You can use a site like LocalBitcoins to find a local Bitcoin trader that will allow you to pay cash and stay anonymous. 

I am not endorsing this trader, I am providing this as an example only.

Keep transferred amounts small so as not to arouse law enforcement interest (less than $500 per transaction). Use a disposable cheap android phone to host your bitcoin wallet and load only 1 identity on it. 

Create a fake identity that cannot be traced back to you. Buy burner phones cash. 

Remember, making one mistake will cause your anonymity to fall.

Protecting your Operating System

Use a secure Operating System with TOR

Your computer can be compromised to leak your identity. Even without being compromised, it leaks your identity all the time. Not only do you leak data but the unique setup of your computer leaks your digital fingerprint to any site that wants to track you (article here). If you want to test this yourself, check out Panopticlick

Hopefully you now agree that traditional operating systems aren't secure enough for the purposes of anonymity. You will need an Amnesic Incognito Live System called TAILS. This is a free operating system that you boot from a USB key that is fresh everytime you use it and doesn't leave any forensic traces on the machine it was used on. 

Tails also routes all internet traffic through TOR or I2P (use TOR). So you will use the Invizbox Go to tunnel to Switzerland and then you will use Tails with TOR to get to the dark web.

Tails is built for privacy and has a specially designed browser to minimize tractability. Ensure you follow the instructions to double check the integrity of the file you download. You will then need 2 fresh USB keys to built the final Tails USB bootable system.

You will have to make sure you laptop is compatible.

Protecting your transmission

Secure email

If you are going to use email, then make it as secure and anonymous as possible. Use a free Potonmail account (review here) via TOR. 

Anonymize your style - Stylometry

Well funded threat actors and nation state intelligence are able to identify people using stylometry. This is a technology that analyzes your writing style and then uses this knowledge to de-anonymize your content on darknet sites. 

Think of stylometry as a digital fingerprint built against your writing style (how to evade stylometry) . You may also want to checkout the Anonymouth tool  from The Privacy, Security and Automation Lab (PSAL) Drexel University, Philadelphia PA. 

Using Anonymouth will allow you to engage online while minimizing the intelligence community's ability to perform stylometry on you.

Michael Moore should setup a TOR SecureDrop service

The best way to send information as a leaker is to use a TOR service hosting SecureDrop (create by internet privacy advocate Aaron Swartz). It is an encrypted dead drop used by journalists to collect info from whistle-blowers while protecting their identity. 

The Freedom of Press Foundation has taken over the project since Aaron's death and helps media organizations install and run the tool. the FPF is addressing all of the shortcomings of the original tool

Don't trust printed leaks

You may be thinking printing and mailing is the best option but it isn't. Many printers have a hidden feature which adds invisible identification to every printed page (see EFF article here). These "invisible" yellow dots allow intelligence agencies and police to track down which printer printed a document. Recently this technique was used to track down an NSA leaker when a picture of a leaked document was show by The Intercept and the NSA found out the document was printed on one of its documents.

If you are interested, you can read about this technique here

Conclusion

Simply following the basic instructions on the Trumpileaks website is irresponsible and dangerous. Ask yourself what would be the impact if the leak was tied back to you?  Are you willing to live with the consequences?

Even with strong knowledge and good security hygiene, perfect anonymity does not exist on the internet. If you are determined to leak, learn how to do it and take the above precautions but know there is always a risk you will be discovered.