Insights For Success

Strategy, Innovation, Leadership and Security

VPN

Free VPNs in the App Store: Why You Should Avoid Them and Protect Your Privacy

General | Edward Kiledjian

TL;DR: Learn about the risks associated with free VPNs in the app store and why non-technical users should avoid them to protect their online privacy and security.


Due to their ability to protect online privacy and secure data transmitted over the internet, Virtual Private Networks (VPNs) have become increasingly popular among internet users in recent years. However, the popularity of VPNs has also resulted in a proliferation of free VPN services available on the app store, many of which claim to offer the same level of security as paid VPN services.

Even though a free VPN may seem attractive to non-technical users, the risks associated with these services should be considered. We will discuss why using a free VPN can be dangerous and provide examples to illustrate these risks in this blog post.

Malware and Spyware

With free VPNs, there is a risk of malware and spyware being bundled with the app. VPN providers may make money by selling user data or injecting advertisements into the browsing experience of their users. This can result in installing malicious software on the user's device, which can be used to gather sensitive information such as login credentials, bank details, and personal information.

Weak Encryption

The majority of VPNs use encryption to secure the user's data and prevent it from being intercepted by hackers or government agencies. However, free VPNs may use weak encryption algorithms or no encryption at all, which means that the user's data is not adequately protected. As a result, data leaks can occur, and the privacy of the user may be compromised.

Limited Bandwidth and Slow Speeds

A free VPN provider may limit the bandwidth available to users, resulting in sluggish connection speeds and buffering when streaming content. This can be frustrating for users who wish to watch their favourite television shows or movies uninterrupted.

Logging and Selling User Data

In some cases, free VPNs may log user data, including browsing history and IP addresses, and sell this information to third parties for advertising. As a result, it can compromise the user's privacy and result in targeted advertising, spam emails, and even the theft of personal information.

Examples of Risky Free VPNs

Hola VPN

Hola VPN is a free VPN service that allows users to access blocked websites in their country. However, Hola VPN was accused of selling user bandwidth to third parties, which means that others may be able to use the device as a proxy server. As a result, the user's IP address can be used for illegal purposes.

Free VPN Hola Sells Users' Bandwidth, Puts Them at Risk

Hotspot Shield

Hotspot Shield is a free VPN service that claims to provide secure and private browsing. However, Hotspot Shield was accused of snooping on VPN users and selling data to advertisers.


Hotspot Shield accused of snooping on VPN users and selling data to advertisers

Cannot lock down data

Some free VPN providers may not have the money to protect and lock down your valuable data. This isn’t necessarily malicious or nefarious, but it still severely affects users.

Seven Hong Kong VPN providers accused of exposing private user data

Conclusion

Therefore, non-technical users should be cautious when using free VPNs available in the app store. Although some free VPNs may offer basic protection, they often come with risks that can compromise the privacy and security of the user. Instead, you should use a reputable paid VPN service that offers better encryption and unlimited bandwidth, and that does not log user information.

#FreeVPNs #OnlinePrivacy #SecurityRisk #AppStore #VPNProtection #Malware #Spyware #WeakEncryption #BandwidthLimitations #DataLogging #IdentityTheft #PaidVPNs #OnlineSecurity

What is The Onion Router and is it secure

General | Edward Kiledjian

To provide its agents with a safe and secure means of communicating with each other without being tracked, the US Navy developed the TOR project. TOR stands for "The Onion Router." TOR sends your data via a network of nodes, or "onions," each of which encrypts your data before forwarding it to the next node. Consequently, it is challenging for anyone to trace your data back to you.

The TOR project is now managed by the TOR Foundation, a not-for-profit organization. TOR Foundation is devoted to researching and developing free and open-source software for privacy and anonymity. Individuals and organizations donate to the TOR Foundation, and governments and foundations provide grants.

TOR addresses are used to disguise your actual IP address and prevent tracking of your online activities. TOR addresses are composed of random letters and numbers, making them virtually impossible to guess. Your traffic is routed through the TOR network when you access a website using a TOR address, which makes it very difficult for anyone to determine your real IP address or track your online activities.

TOR is not just used by hackers and drug dealers but also by ordinary users. TOR may interest anyone who wishes to keep their online activities private. TOR is a very secure network, and the data is challenging to trace. There is much technology behind TOR, but it is a highly effective method of preserving the privacy of your data.

It is possible to deanonymize TOR users.

It is, however, a challenging task. The data transmitted through the TOR network is encrypted, and each node in the network only knows the IP address of the previous node and the next node. As a result, it is challenging to trace the data back to its original owner. Nevertheless, in rare instances, law enforcement has been able to deanonymize TOR users.

Law enforcement can deanonymize TOR users in several ways. An example of this is by exploiting vulnerabilities in the software that is used to access the TOR network. It is also possible to determine which nodes in the network are being used by the same user by traffic analysis. It is, however, challenging to deanonymize a large number of users using these methods.

To prevent being deanonymized, there are a few steps you can take. First, ensure that you use the TOR software's most recent version. Additionally, you may use a VPN or other anonymizing service in addition to TOR. By doing this, law enforcement will have difficulty deanonymizing you. Last but not least, you should be careful when sharing information online. Be careful not to post anything that could identify you, and be cautious about the websites you visit.

TOR is constantly evolving, and new features are continually being added.

What are the most significant drawbacks of TOR?

One of the most significant disadvantages of TOR is its slow speed. In addition, since your data is being routed through multiple nodes, each node must encrypt and decrypt your data. Furthermore, TOR is sometimes blocked by websites and Internet service providers. Some internet content may be difficult to access as a result.

What makes Tor more secure than a traditional VPN?

Since TOR uses a series of nodes, or "onions," to encrypt your data, it is more secure than a traditional VPN. Consequently, no single individual or entity has access to your entire flow. Tracing individual traffic on the TOR network back to a single individual is challenging. In contrast, a VPN operator sees all your traffic since it passes through their system.

What is the relationship between TOR and the Darknet/Darkweb?

The TOR network is not synonymous with the Darknet. TOR can be used for both legal and illegal purposes. Darknet is a small portion of the internet that can only be accessed through special software, such as TOR, and is frequently used for criminal purposes.

In addition to Tor, what other networks offer privacy and anonymity?

In addition to TOR, a few other networks provide similar levels of privacy and anonymity. These types of networks include I2P, Freenet, and ZeroNet. Despite this, TOR is by far the most popular and widely used of these networks.

Keywords: TOR, anonymity, online privacy, Darknet, VPN, I2P, Freenet, ZeroNet.

VPNs don't protect your privacy

General | Edward Kiledjian

A podcast is a great way to consume a large amount of new information in a short period of time. Every week, I listen to dozens of podcasts that cover topics such as tech, security, news, economics, psychology, and more. In the past year, I have been bombarded with host-read advertisements sponsored by NordVPN and ExpressVPN. Many of these hosts are reading copy that is unreliable at best or purposefully misleading at worst.

This article aims to clarify misinformation regarding privacy improvements directly related to VPNs.

TL;DR: A VPN alone does not provide adequate privacy

The following article is intended for a general audience. Professionals in Information Security can devise solutions that incorporate VPNs to provide the level of privacy and security required by their customers (based on the customer's specific risk profile).

More Details

If you are not paying for a product or service, then you are that product. You should never utilize a free VPN service. Operating a VPN service is expensive, so they must recoup their costs somewhere (and they will probably make a large profit selling your information to data brokers).

The downside of a VPN is that there are dozens of ways it can fail you. You should also understand that you are shifting all of your traffic through the VPN provider (which means that if they are breached or decide to sell your data, they may have access to everything). Perhaps you do not want your large ISP to be able to see your Internet traffic, but would an unnamed VPN provider be any better?

The truth is that while many companies claim to operate on a zero-log basis, there is no way for a user to determine this for certain. Several providers have failed to meet their zero-log promises, resulting in a user being profiled or arrested.

Tracking you

Dozens of hosts are simply reading ad copy provided by the advertiser, and I have heard similar ads on dozens of other podcasts.

The first question is a valid one: would you prefer your ISP or the VPN provider to view all of your traffic? Despite the fact that most people dislike their ISP's services with the passion of a thousand suns, at least you have an understanding of what they are doing. I would trust only a few VPN services more than my Internet service provider.

The majority of websites now utilize HTTPS/TLS, which creates an encrypted tunnel between a user and a website. As an example, if you are using HTTPS/TLS to access Facebook (which is now the default), your ISP will know you visited Facebook and how long you spent there, but they cannot see what you did, nor can they inject traffic into that flow or modify it in any way.

The other fallacy is that information brokers or large social media sites require your IP address in order to track you. VPNs do conceal your origin IP address, but very few trackers still rely on it to identify you. In addition, they take into account other factors, such as the operating system, plug-ins, display size, and resolution. Any website that has a Facebook-like button shares traffic information with Facebook. Any site using Google Analytics shares information with Google.

Use the EFF's Cover your Tracks website to find out how identifiable you are.

Alternatives

Option 1 - Apple PrivateRelay

Rather than using a general-purpose VPN, most users would be better served by configuring their browser security and using Apple's PrivateRelay (it's not perfect, but it's more secure than VPNs for the average user).

Option 2 - TOR

Tor remains the best alternative for someone who wants maximum privacy. TOR is free, open-source and trustless. It will be slower and you won’t be able to stream music or videos, but it is a good tool for someone looking to augment their privacy on the internet.

Option 3 - Break censorship

You may wish to consider using the censorship-busting VPN service called Psiphon if you are in an environment that uses technical controls to support its censorship efforts.

Conclusion

As soon as your packets hit the VPN provider's boundary gateway, the provider strips all encryption and then retransmits your data based on the technology available on the site (where you are browsing). HTTPS/TLS will be secure, HTTP/FTP will be insecure.

A VPN was originally designed to protect a company's data while its employees were working remotely. Consumer VPNs were a secondary market, and by default, VPNs are not designed to be log-free. Providers of VPN services must devise solutions in order to make their service more private by using technologies such as RAM-only servers, configuring the VPN to delete log files, etc. It is crucial that they have a sound architecture and that they deploy this architecture correctly without errors to protect your privacy.

Although VPNs remain useful in some situations, they are not the magic bullet that will allow the average (non-technical) user to become private. It is simply a tool that allows a tech professional to design an appropriate security program based on the risk profile of the user.

For the average user, the only good use of a VPN is to stream multimedia content that is geo-restricted (such as Netflix, Hulu, Peacock, etc.).

How to access tor sites without the tor browser

General | Edward Kiledjian

The last couple of articles I wrote referred readers to TOR (darknet/darkweb) sites. These sites are easy to identify because the terminating marker is .onion (instead of .com/.net/.org).

The right way of accessing TOR sites is with the secure TOR browser designed and distributed by the TOR project. This purpose-built browser uses a hardened Firefox to deliver maximum anonymity while browsing the "normal" web or tor sites.

There may be times when you are on a device that doesn't have the TOR browser and when speed is more important than privacy or security. In these situations, web-based services allow you to browse these tor (.onion) sites from a standard browser. That is the purpose of this blog article.

The following sites are web services that will allow you to access tor sites without using the tor browser (using a normal browser like Chrome, Firefox or Safari).

These services are called TOR gateways or TOR proxies. The TOR2WEB project was designed to allow users to access all onion services without using the TOR browser. The project site is here.

Remember that using these gateways means the gateway operator can see where you are going, and you lose all privacy and anonymity features of TOR.

To use TOR2WEB gateways

Using most of these sites is very simple: you take your TOR address.

Here is the secushare onion service at http://secushare.cheettyiapsyciew.onion/

You append the gateway's domain name to the end of the onion address. As an example, if you want to use the gateway called onion.ws, you simply add .ws at the end of the URL, like this:

http://secushare.cheettyiapsyciew.onion.ws

Some rare ones require you to remove the .onion at the end and replace it with their gateway URL (e.g. darknet.to); the above address would then need to be:

http://secushare.cheettyiapsyciew.darknet.to

List of TOR2Web gateways

Be aware that, as free services, many of these sites are flaky and will periodically be down. Try another one or try again later.

If you visit the main domain with your browser, most will provide instructions (in case you forget how to use them).

New sites pop up every day, so if these sites don’t work for you, just search for tor2web gateway in your favourite search engine (startpage.com, duck.com, etc.).

Warning

I mention above to only use these services when security and privacy aren’t a concern. You may be wondering why. Here is a list:

Session leakage

This is the same risk you experience when using any VPN service. Because the service is the one routing you to your final destination, they see everywhere you go and everything you see. A malicious operator can log and record your entire session, with all traffic sent back and forth (between you and the TOR service). Never enter login credentials (or anything personal) when using these gateways.

Service enumeration

When using the TOR browser with long random TOR URLs, your browsing is relatively private. When using these gateways, you are on the “normal” web and any DNS server used by your browser will see the URL you are visiting (e.g. http://secushare.cheettyiapsyciew.darknet.to).

Assume any DNS server in your configured DNS chain or the provider's chain will know what URL you are trying to resolve through your TOR gateway service.
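The leak described above can be seen from the resolver's side. The following is an added example, not part of the original post: it scans DNS query lines (constructed here in dnsmasq's log style, with documentation-range client IPs) for the two gateway domains the article names and recovers the .onion name each lookup exposes. The 16/56-character base32 check for onion labels is an assumption of this example.

```python
import re

# Gateway domains named in the article. Both URL styles it describes
# (append ".ws" after ".onion", or swap ".onion" for "darknet.to") leave the
# onion label as the last DNS label before the gateway suffix.
GATEWAY_SUFFIXES = ("onion.ws", "darknet.to")

# Onion labels are base32: 16 characters (v2) or 56 characters (v3).
ONION_LABEL = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")

# dnsmasq-style query line: "... query[A] <name> from <client>"
QUERY_LINE = re.compile(r"query\[(?:A|AAAA)\] (\S+) from (\S+)")

# Constructed sample log (client addresses are documentation-range IPs).
SAMPLE_LOG = """\
Mar  6 17:49:45 dnsmasq[512]: query[A] secushare.cheettyiapsyciew.onion.ws from 192.0.2.10
Mar  6 17:49:45 dnsmasq[512]: forwarded secushare.cheettyiapsyciew.onion.ws to 198.51.100.53
Mar  6 17:50:37 dnsmasq[512]: query[AAAA] secushare.cheettyiapsyciew.darknet.to from 192.0.2.11
Mar  6 17:51:02 dnsmasq[512]: query[A] www.example.com from 192.0.2.10
Mar  6 17:51:24 dnsmasq[512]: query[A] www.darknet.to from 192.0.2.12
""".splitlines()


def recover_onion(hostname):
    """Return the .onion name a gateway hostname reveals, or None."""
    host = hostname.lower().rstrip(".")
    for suffix in GATEWAY_SUFFIXES:
        if host.endswith("." + suffix):
            prefix = host[: -(len(suffix) + 1)]
            # The label next to the gateway suffix must look like an onion
            # address; this skips visits to the gateway's own pages.
            if ONION_LABEL.match(prefix.rsplit(".", 1)[-1]):
                return prefix + ".onion"
    return None


def scan(lines):
    """List (client, queried name, recovered onion) for gateway lookups."""
    hits = []
    for line in lines:
        m = QUERY_LINE.search(line)
        if m:
            onion = recover_onion(m.group(1))
            if onion:
                hits.append((m.group(2), m.group(1), onion))
    return hits


if __name__ == "__main__":
    for client, name, onion in scan(SAMPLE_LOG):
        print(f"{client} looked up {name} -> {onion}")
```

Every resolver on the path sees the same query names, so the client address and the onion service it asked for can be paired without any access to the gateway itself.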

User correlation

When using these gateways, the gateway operator can log all of your publicly available user identifiers (IP address, browser, OS, fingerprint, etc) and then log that you visited X tor site.

Conclusion

Although these gateways aren’t considered secure, there is a use case for them and it is another tool in your online tools arsenal. If you use them knowing their limitations, you will be fine and they could save you a lot of frustration.

VPN Support coming to Linux apps on Chromebooks

General | Edward Kiledjian

It seems everyone has jumped on the VPN bandwagon these days. On Chromebooks, we can use VPN extensions, but these don't protect Android apps. We can use Android VPN apps, which protect the entire ChromeOS (including Android apps but not Linux apps).

So what happens today? Even if you have an Android VPN running, the Linux apps go out via your origin IP, bypassing the VPN network adapter. If you need to use a VPN with the Linux container today on ChromeOS, you have to install a Linux VPN client in the container itself.

In Chrome 76, Google will finally fix this issue and Linux app traffic will also flow through the VPN (extension or Android app). You can test this today if you have the developer or Canary versions of ChromeOS installed on your Chromebook.

We expect ChromeOS 76 to be released to the Beta channel June 13-20 and to the stable channel around July 30.

Other cool features coming with the ChromeOS 76 release will be

  • "Picture In Picture" support for most video platforms

  • "Web Share Target Level 2" which will allow any installed application to receive a file share (using a manifest)