Insights For Success

Strategy, Innovation, Leadership and Security

Confidentiality

Comparing NordVPN and ExpressVPN

GeneralEdward KiledjianComment
vpn-4056382.jpg

This is not a sponsored post, and none of the links are affiliate links?

Readers regularly ask me to compare NordVPN to ExpressVPN

  • "Can you compare NordVPN to ExpressVPN?"

  • "Is NordVPN better than ExpressVPN?"

  • "Is ExpressVPN faster than NordVPN?"

Both NordVPN and ExpressVPN are considered to be top of the line premium VPN services. Both offer similar premium services and functionality such as:

  • reliable connectivity

  • fast connection speed

  • well designed strong encryption

  • 30-day money back guarantee

  • 24/7 technical support

  • No log policy

  • Kill switch to prevent leaking of your true identity or location

If you want a VPN to watch geographically locked streaming services such as Hulu, Netflix, BBC then ExpressVPN is probably your preferred choice. ExpressVPN seems to be one of the only services that has not been blocked by the Netflix proxy filter. In addition to successfully working around the Netflix proxy filters, ExpressVPN offers the fastest performance; therefore you are less likely to get buffering or lag.

Although NordVPN has had some issues with various streaming services blocking them, the support team works quickly to work around these issues so you should have access to most of your shows most of the time. NordVPN isn't as fast as ExpressVPN but is close enough for most users. NordVPN now has more than 5,092 servers which is an amazing amount (more than ExpressVPN).

NordVPN also offers a feature called DoubleVPN. DoubleVPN is a technique called VPN chaining (called on ProtonVPN). The concept is that they encrypt all the traffic once (standard VPN functionality) and then pass it through a second VPN server (encrypting again) before finally exiting to the internet. SoubleVPN will improve your security posture but will reduce your connection speed.

Conclusion

In summary, ExpressVPN offers better and more reliable access to streaming services and faster VPN speeds. NordVPN is good but not as good as ExpressVPN. NordVPN's claim to fame is the price.

NordVPN offers one of the best VPN services available today at a price that is significantly cheaper than ExpressVPN (especially with a multi-year subscription).

NordVPN-3Year.PNG

With a 15 month ExpressVPN plan, the service costs $6.67 a month. On a 3-year plan with NordVPN, the monthly price is $2.99 (less than half).

Regardless of what service you choose, make sure you check for deals (which can discount as much as 50% sometimes).

Honest review or NordVPN

GeneralEdward KiledjianComment
442474-nordvpn-logo.png

Recently I started seeing more ads for the NordVPN service. It seems some of you may be in the same position as I've received several emails asking me for my opinion about them. 

After a careful review, here it is. NordVPN is best described as a good "one size fits all" VPN service. You pay one fixed price and get full access to their network endpoints (1000+ servers in 57 countries) and the full available speed.

TL;DR:NordVPN offers impressively fast VPN, good security and easy to use clients. 

You will find an impressive list of tutorials for dozens of different platforms from the usual (Windows, Mac, iPhone and Android) to Belking, Microtik and Arris routers. 

Protection

NordVPN promises that it is a no-log service. They use 2048-bit encryption; they run their DNS servers to minimize DNS leakage and have a "kill switch" that will block application internet access in case the VPN get's disconnected.

Validating their claims

Many providers promise a no-log service, but there is no way for consumers to validate this statement independently. I have chatted with their support and had no reason to doubt their claim. 

I have run my standard VPN tests on Windows and MacOS and can confirm that I did not detect any DNS, WebRTC or identity leakage. My most useful test was validating their kill switch functionality  (by manually killing the VPN process) and confirmed it worked

Multiple devices

NordVPN offers access to 6 devices simultaneously. If you connect multiple devices to the same endpoint, you will have to choose different VPN protocols for each (L2TP, PPTP, OpenVPN TCP and OpenVPN UDP). 

Price

I recommend you shop around for deals. Their "normal" promo is $79.00 for 2 years (a 72% discount). If you browse the web, you can find links with additional discounts of up to 77%. Here is the link I used below (not an affiliate link) 

nordvpn1.PNG

Conclusion

Overall NordVPN seems like a competitive offering with good security. 

Is TOR Private and Anonymous?

GeneralEdward KiledjianComment
japan-956073.jpg

One of the most frequently asked questions I receive from readers (from this blog, Twitter and LinkedIn) is "Should I consider TOR private and anonymous?" 

This question is interesting with fervent activists on each side [of the issue]. On one side are TOR proponents extolling the virtues of the platform and explaining how it will save humanity from the scourge of privacy-invading networks. On the other side of the discussion are conspiracy theorists that claim TOR is nothing more than an NSA honeypot (a data collection tool). 

Like most important topics, the truth is never as clean as we would like it. The truth is that TOR is a little bit of this and a little bit of that. Let's dive straight in. 

Who started TOR?

Conspiracy theorists love highlighting the fact that the United States Navy developed TOR. So the first question we need to tackle is regarding this origin statement.

The core privacy functionality of the TOR network, the onion routing, was developed by United State Naval research laboratory employees named Paul Syverson, Michael G Reed and Favid Goldschlag. The purpose of the technology was to protect US intelligence communication. 

The TOR Project was launched in September 2002 by Paul Syverson,  Roger Dingldine and Nick Mathewson. In 2004, the Naval Research Laboratory released the TOR code under a free license, and the EFF (Electronic Frontier Foundation) began funding the initiative. The Tor project we know and love today was started in December 2006 as a 501(c)(3) non-profit organization with support from the US International Broadcast Bureau, Internews, Human Rights Watch, the University of Cambridge, Google and  Stichting NLnet.

It is true that the majority of the funding for the free and open source project came from the US government. 

Does the government control TOR entry and exit nodes?

When talking about TOR privacy and confidentiality, there are 2 distinct question most astute users ask:

  1. Can someone "see into" my traffic?
  2. Can someone tie TOR traffic back to me? 

The first theory I read about consistently was that world governments (particularly the 14 Eyes Countries) control the majority of the TOR Exit nodes thus can "see into the traffic." Looking strictly at the Exit node piece, governments have no deterministic way of knowing where a suspects traffic will exit from the network. As long as they don't control all of the TOR Exit nodes (which we believe they do not), they can't be sure the suspect traffic will flow through their nodes. Additionally, if the site you are visiting is using cheap and easy to implement security (like TLS) then even if the government controls the exit node, they won't be able to "see inside the traffic." Traffic that joins the TOR network to access a TOR hidden service never exits the network so it wouldn't even pass through an Exit node.

What if a government controls both the Entry node and Exit node you use? Assuming you are using TOR to browse the "normal" internet then you will hit an exit node. If the government(s) control enough of the entry and exit nodes, they can use statistical correlation tie traffic back to you. 

If you are browsing a site with well-designed security, they still would not be able to see "inside your traffic" but would know that you originated the traffic flow (aka collect metadata). 

It is important to remember that the TOR Project isn't just idly sitting on the sidelines watching the government violate its technology. They are actively working to harden the platform and work tirelessly to make it more secure every day. Some of the techniques used by the TOR platform include:

  • Switching TOR circuits regularly and unpredictably. Thus making long-term data mining more difficult. 
  • Ensuring that the TOR nodes used are as randomized as possible. Thus making predictability of route near impossible.
  • and more 

Has the TOR browser been hacked?

The answer is yes but hold on before you install the TOR browser from your computer. I would submit that almost every commercial or free software has exploitable bugs that would compromise a users privacy and confidentiality. The question isn't whether a product has these types of exploitable bugs but rather what the software "vendor" does about them. The TOR project has been an incredibly honourable steward of the TOR platform. They quickly patch any discovered vulnerability. 

The other "trick" for the extra paranoid is to switch the security level in the TOR Browser to high. This will break some sites, but you want strong security don't you? 

torb1.PNG

Can I be tracked using the TOR Browser?

I wrote an article in 2016 talking about browser fingerprinting techniques and referred readers to the EFF's Panopticlick site to test this on their own devices. Browser Fingerprinting is a technique that leverages information your browser gladly provides to sites to uniquely identify you and then track you as you browse the web. 

To illustrate the power or browser fingerprinting, I ran the Ponopticlick site on my "normal use" machine using different browsers. 

  • My reference browser will be Google Chrome (same results with or without UBlock Origin): Your browser fingerprint appears to be unique among the 1,747,285 tested in the past 45 days. Currently, we estimate that your browser has a fingerprint that conveys at least 20.74 bits of identifying information.
  • The Brave "privacy" browser (default configuration): Your browser fingerprint appears to be unique among the 1,747,235 tested in the past 45 days. Currently, we estimate that your browser has a fingerprint that conveys at least 20.74 bits of identifying information.
  • Microsoft Edge (Win 10 latest update): Within our dataset of several million visitors tested in the past 45 days, only one in 218410.63 browsers have the same fingerprint as yours.
    Currently, we estimate that your browser has a fingerprint that conveys 17.74 bits of identifying information.
  • Microsoft Internet Explorer (Win 10 latest update): Your browser fingerprint appears to be unique among the 1,747,285 tested in the past 45 days. Currently, we estimate that your browser has a fingerprint that conveys at least 20.74 bits of identifying information.
  • Tor Browser with safest security option: Within our dataset of several million visitors tested in the past 45 days, one in 92.3 browsers have the same fingerprint as yours. Currently, we estimate that your browser has a fingerprint that conveys 6.53 bits of identifying information.

So in safest mode, the TOR browser does dramatically reduce information leaking about your browser but the fact you are using a low popularity browser is in fact itself a tracking tool. The short answer to this question is that tracking is still possible.

Should I trust the TOR Browser?

I've addressed some of the most common questions I receive, but the only reason you read this article is for this one question alone. You want to know if the TOR browser is safe enough for you. 

Unfortunately for you, I'm a security professional, and I believe security is never black or white. The question of whether the TOR Browser is safe enough for you is the real question and that depends. 

It depends on the types of activities you are performing. 

On the low end of the spectrum is a general user that wants to use TOR to browse questionable websites from work without leaving traces in the company proxy logs or without being stopped by a URL filtering tool. For this type of user, the privacy and anonymity afforded by TOR are probably sufficient. It is unlikely that a nation state will target you for deanonymization and tracking. 

On the other end of the spectrum is a hardened criminal trying to sell nuclear secrets to the highest bidder. You would probably be classified as a high-value target by the global intelligence community, and thus they would use the full arsenal of tools to identify and track you. If you are a criminal mastermind hellbent on world domination, you probably need better tools than TOR. 

A tweet by Edward Snowden explains it best:

Security is a complex system of risk management and mitigating controls. There is no magic bullet where everyone is safe and anonymous all of the time. True security is a complex architecture of different technologies implemented in very particular ways, to achieve the protection level you desire or need. 

If you are browsing adult content from home and want some level of anonymity, TOR is perfect. 

If you want to browse it while at work, know that most companies have agents installed on your workstation to track your browsing regardless of the browser used. 

Therein lies the real risk. Whether you are using TOR or the end-to-end encrypted Signal messenger, the tools themselves are often secure.  However, if someone compromises either of the endpoints, you can still be de-anonymized. This is why true security must be done in layers.

Maybe you need to run a secure Operating System, like Qubes OS that routes its traffic through TOR (booted from read-only media and hash checked to ensure it has not been tampered with). Additionally, even if you have a safe and secure computer, operating system and connection, you must still be careful not to involuntary divulge clues about yourself when online, so security hygiene is also very critical. 

Security is though. Perfect security doesn't exist.

What makes a good Chief Information Security Officer (CISO)

GeneralEdward KiledjianComment
boss-2179948_1920.jpg

Only five years ago, the title of Chief Information Security Officer was likely awarded to an employee that had worked hard and was dedicated to the company. It was an honorific title often given as a reward. Times have changed and companies need a new breed of CISO.

The number, severity, and impacts of cyber threats are continually increasing. Companies now rely on complex highly integrated IT systems whose confidentiality, availability and integrity are paramount. 

The WannaCry ransomware was a good example of how poorly managed security can cripple an organization. The National Health Service in the United Kingdom had up to 70,000 infected devices and was forced to turn away non-emergency patients. (1)

The CISO is now a senior-level business executive who can directly impact the profitability and viability of an entire organization. Instead of being a technical specialist, the CISO must now be a seasoned business leader that can become a trusted advisor to other executives within the organization. 

CISOs can help maintain your brand value, help build relationships with various stakeholders, and are charged with protecting an organization's most important assets (the digital ones).

The job of a true modern CISO is getting harder by the day, and organizations need to ensure they have the best CISO they can find & afford, to guiding them. 

If we agree that the nature of the CISO's role has changed and that the modern CISO is a very different creature than his predecessor, what makes a good CISO?

1 - Problem solvers

A modern-day CISO can solve complex rapidly changing problems under stress and high pressure. A CISO must enjoy solving complex puzzles while being able to juggle day-to-day tasks and driving the organization's long-term vision. The CISO must understand that every decision made today can have dramatic repercussions tomorrow. 

2- The CISO must be a people person

The modern CISO is often a front-line representative of the organization to shareholders, customers, partners, and regulators. They must have the ability to build strong relationships based on trust and respect. The CISO must have the ability to communicate complex security issues to stakeholders that may not understand even basic IT. The modern CISO must be a people person. The modern CISO must lead his team with fervor and engender commitment from the security team. 

3 - The CISO is a citizen of the world

Information flows without respective national boundaries, but companies are being asked to navigate complex global regulations that sometimes contradict each other. The only way a CISO can manage this increasingly complex regulatory environment is with non-traditional skills (for an IT person) that include law, business, compliance and governmental relations. 

4 - The CISO must be business minded

The CISO must make security decisions based on how it impacts the organization or enables the organization to perform its primary business functions. The CISO must weight security decisions against profitability, efficiency and must build a competitive advantage for the organization. A CISO must be obsessed with efficiency and must be resource conscious (people, time and money). Gone are the days when a CISO makes purely technical decisions based on technical need. 

5- CISOs tend to be workaholics

Even if work-life balance is all the rage, a CISO is always on call. Unfortunately, the bad guys never take a break and often neither does the CISO. It is common for a CISO to work long hours and weekends while guiding the organization to where it needs to go. The modern CISO is humble and respects the capabilities of his/her adversaries. A CISO must always be vigilant. A CISO is continually thinking about how he/she will keep the organization one step ahead of threat actors.

6 - Strong team building skills

CISOs work long and hard but so do their teams. A CISO must be self-confident enough to hire the highly skilled professionals the organization needs to succeed. I have met many CISOs who refused to hire employees that were more technically competent than them for fear of being replaced. This is the reflex of a "bad" CISO that doesn't understand his/her new role. A good CISO will hire the best resources he/she can find and them coach them to grow and become exceptional. The stronger the team, the better the CISO.

7 - Your CISO doesn't need to be certified 

Full disclosure, I do not currently hold any security certifications but I believe I can challenge anyone that does. The CISO is a business professional with security experience, not a security professional with business experience. 

You should rely on the proven track record.

Conclusion

The role of CISO is constantly changing, and the ideal candidate must also be constantly evolving.  I have been a security executive since 2001 and have seen the role of CISO morph from a backroom function performed by geeks, to a font of the house leader that can communicate with clients and regulators. The right CISO can drive business growth while the wrong one can sink your entire organization. 

Invest the time, energy and resources required to hire the right CISO for your company. If you have a CISO already, make sure he/she is the right one your organization needs right now. 

---------------------------------------------

(1) Ungoed-Thomas, Jon; Henry, Robin; Gadher, Dipesh (14 May 2017). "Cyber-attack guides promoted on YouTube"The Sunday Times. Retrieved 14 May2017.

Canadians can find out what data a company stores about them

GeneralEdward KiledjianComment
Data.png

The average consumer is starting to realize how much personal data companies collect about them. 

RELATEDHow Target knows you are pregnant through data analytics

Consumers should be concerned about what data is collected, how is is used and who it is shared with. 

Canadian privacy laws ( like Personal Information Protection and Electronic Documents Act) allow consumers to access their information (aka companies must respond to a request for personal information held by the company).

Principle 4.9: Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
— PIPEDA

PIPEDA section 4.9 mandates that companies respond to Data Access Requests within 30 days of receipt. The information must be made available for free or at a reasonable cost.

Principle 4.9.4: An organization shall respond to an individual’s request within a reasonable time and at minimal or no cost to the individual.
— PIPEDA

Some companies use legally complex wording and vague statements in their privacy policies to hide the level of detail collected and to obfuscate how it is used. The Data Access Request allows any individual to understand (and see) what has been collected and what is being done with their information. 

What is a Data Access Request?

Toronto based Citizen Lab has created and operated a site called Access My Info. The site was created to simplify how Canadian's create and submit Data Access Requests using templates. 

AMI.PNG

Testing it

I will submit a couple of test requests and see how companies respond. If you are a Canadian, I encourage you to try this as well.