Insights For Success

Strategy, Innovation, Leadership and Security

cybersecurity

Comparing NordVPN and ExpressVPN

GeneralEdward KiledjianComment
vpn-4056382.jpg

This is not a sponsored post, and none of the links are affiliate links?

Readers regularly ask me to compare NordVPN to ExpressVPN

  • "Can you compare NordVPN to ExpressVPN?"

  • "Is NordVPN better than ExpressVPN?"

  • "Is ExpressVPN faster than NordVPN?"

Both NordVPN and ExpressVPN are considered to be top of the line premium VPN services. Both offer similar premium services and functionality such as:

  • reliable connectivity

  • fast connection speed

  • well designed strong encryption

  • 30-day money back guarantee

  • 24/7 technical support

  • No log policy

  • Kill switch to prevent leaking of your true identity or location

If you want a VPN to watch geographically locked streaming services such as Hulu, Netflix, BBC then ExpressVPN is probably your preferred choice. ExpressVPN seems to be one of the only services that has not been blocked by the Netflix proxy filter. In addition to successfully working around the Netflix proxy filters, ExpressVPN offers the fastest performance; therefore you are less likely to get buffering or lag.

Although NordVPN has had some issues with various streaming services blocking them, the support team works quickly to work around these issues so you should have access to most of your shows most of the time. NordVPN isn't as fast as ExpressVPN but is close enough for most users. NordVPN now has more than 5,092 servers which is an amazing amount (more than ExpressVPN).

NordVPN also offers a feature called DoubleVPN. DoubleVPN is a technique called VPN chaining (called on ProtonVPN). The concept is that they encrypt all the traffic once (standard VPN functionality) and then pass it through a second VPN server (encrypting again) before finally exiting to the internet. SoubleVPN will improve your security posture but will reduce your connection speed.

Conclusion

In summary, ExpressVPN offers better and more reliable access to streaming services and faster VPN speeds. NordVPN is good but not as good as ExpressVPN. NordVPN's claim to fame is the price.

NordVPN offers one of the best VPN services available today at a price that is significantly cheaper than ExpressVPN (especially with a multi-year subscription).

NordVPN-3Year.PNG

With a 15 month ExpressVPN plan, the service costs $6.67 a month. On a 3-year plan with NordVPN, the monthly price is $2.99 (less than half).

Regardless of what service you choose, make sure you check for deals (which can discount as much as 50% sometimes).

Want to be a cyber super spy, try the Shin Bet intelligence challenge

GeneralEdward KiledjianComment
sergiu-nista-265785-unsplash.jpg

Shin Bet (also known as Shabak) is the Israeli Security Agency, and they are looking for technologically savvy intelligence agents. To discover these rough diamonds, they have created a new online challenge website called the "Shabak Challenge."

You can access this challenge website here. Visitors are challenged to identify a group of terrorists known as “White September”. The introduction on the page says

White September (WS) is a group of arch-terrorists. They are connected to the global Jihadist movement, and are funded by Iran and Hezbollah. Several weeks ago, they used the darknet to declare their intentions of carrying out a mega terror attack in Israel. They nicknamed the operation “Israeli September 11th”. These people are highly sophisticated and utterly merciless.

According to Channel 2, 150,000 would be analysts (from Russia, France, USA, the UK, Turkey, Iraq, etc) have already visited the site but only 2 have successfully completed the challenge. The challenge requires familiarity with advanced hardware and software technologies.

Here is a Youtube ad for the Security Service

Continuous authentication is the future

GeneralEdward KiledjianComment
eye-2771174.jpg

User authentication is one of the most important and fundamental building blocks of security. Authentication is built on username, password, token, biometrics or any combination of these. Regardless of the model, authentication is performed when the user starts his/her interaction with the target system.

What do you do if you require a higher level of authentication? What if you need to make sure the user interacting with your system is always whom they say they are. This is where the concept of continuous authentication comes in. We started to see this concept implemented for the mass-market with the Apple Watch and Apple Pay. You authenticate Apple Pay once and as long as the watch stays on your wrist (validated with a pulse), you do not need to re-authenticate. Apple pay can be sure that the person wanting to make a payment is the user that authenticated originally.

Continuous Authentication is a paradigm shift moving authentication from an event to a continuous risk management process.

Dynamic risk-based authentication means the system is continuously monitoring changes to environmental parameters and can decide the trustworthiness of users continually.

The shift to continuous authentication is inevitable. Not only will it make authentication more natural for the user but it will allow security administrators to implement much tighter security models.

As an example, if the user walks away from the computer, the system could notice and freeze the interactive session. Another example is a user working on a PC is tricked and launches malware. The system could be intelligent enough to know that a rogue process is attempting to masquerade as the user and block access.

Continuous authentication is to use the full array of modern technologies and others that have yet to be released. Parameters such as keyboard typing speed and style, how the user swipes on a touchscreen device, how the user moves the mouse, the camera input (from modern day cameras), gait analysis using the accelerometer in a smartphone or smartwatch, etc.

Although continuous authentication will be easy for users, expect it to be very complicated for developers. Expect this to be a burgeoning market in the coming years, something most security professionals have to start thinking about. We expect to start seeing serious mass market products around 2020-2021.

US bans use of Huawei technology through Defense Authorization Act

GeneralEdward KiledjianComment
Capture.PNG

US President Donald Trump has signed the Defense Authorization Act into law. Section 889 ( PROHIBITION ON CERTAIN TELECOMMUNICATIONS AND VIDEO SURVEILLANCE SERVICES OR EQUIPMENT) bans use by government agencies and contractors of Huawei or ZTE technologies. 

The language of the act is ambiguous and doesn't clearly list what technology is or isn't covered by the prohibition. 

procure or obtain or extend or renew a contract to procure or obtain any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system

ZTE and Huawei should not be used to access government systems that display personal data, therefore it is safe to assume that most agencies and contractors will purge their networks of systems designed or that use these technologies.

I have not yet seen an official response from either of the tech complanies.

Stay tuned. 

Microsoft takes aim at Google Chrome vulnerabilities

GeneralEdward KiledjianComment
frida-bredesen-317281.jpg

July 2014, Google launched it's project zero initiative to identify Zero-Day vulnerabilities in commercial software thus making computing generally more secure. 

Google's modus operandi is to inform affected vendors and give them 60 days to release patches. After the 60 day window, they go public even if a patch is not yet available. 

Our standing recommendation is that companies should fix critical vulnerabilities within 60 days — or, if a fix is not possible, they should notify the public about the risk and offer workarounds. We encourage researchers to publish their findings if reported issues will take longer to patch
— Google

There have been situations where Microsoft has not been able to release a public patch within that 60-day Window and obviously this has created a tense relationship between Google and Microsoft. 

Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.

You can read this Microsoft blog entry about their disappointment with google. not wanting to take the hit and move on, it looks like Microsoft security research has been looking for flaws in Google's products and found 2 bad ones. Realizing security is now a major differentiator, they decided to play Google's game and disclose the vulnerabilities after an elapsed wait time. 

Here is a sentence that takes a jab at Google's Chrome while praising their own Microsoft Edge security architecture :

This kind of attack drives our commitment to keep on making our products secure on all fronts. With Microsoft Edge, we continue to both improve the isolation technology and to make arbitrary code execution difficult to achieve in the first place. For their part, Google is working on a site isolation feature which, once complete, should make Chrome more resilient to this kind of RCE attack by guaranteeing that any given renderer process can only ever interact with a single origin

Microsoft justified the release of the detailed vulnerability information with this sentence:

it’s important to note that the source code for the fix was made available publicly on Github before being pushed to customers.

I think large well-funded companies should be doing general security research and helping improve the overall security of the entire ecosystem. I wish they could agree on a more friendly approach to vulnerability disclosure, not leaving their customers open and unprotected. This should not become a marketing tool but more of a commitment to societal improvement.

A guy can dream, can't he?