Authentic8 Blog Category: Privacy

Showdown: VPN vs. Cloud Browser

In many companies, VPN has become a staple of the traditional IT security stack. Annually, mid-sized organizations (<5,000 employees) spend an average of $60 per user on VPN technology and maintenance. Not much longer though, it seems.

While VPN has been around for more than 20 years, it now looks as if its promises of secure and private web access have worn off - many of them unfulfilled. In the words of Patrick Sullivan, Global Director of Security at Akamai, we are witnessing The death of VPN.

In his article for SC Magazine, Sullivan proclaimed: “It’s time to say goodbye.”

Sullivan’s farewell to VPN sounds timely, and he is not alone. Organizations large and small have found a way to cut their VPN costs or eliminated them altogether. In the same step, they attained a level of secure and private web access that VPN has never been able to deliver. What happened?

How Companies Cut VPN Costs

They

VPN: A Big Misunderstanding?

Most VPN services fail to provide a level of data protection and anonymity that would pass professional-level muster. Part 3 of our VPN miniseries shows how confusion about this 20+ years old technology and its complexities has added new risks and threats.

*

In the first two posts, we focused on the “online privacy” promise of VPN, and on how misconceptions about VPN impact IT security and productivity in the enterprise in general.

In this post, we’ll address the most common misunderstandings about VPN and their ramifications one by one.

A VPN service creates a secure connection (often described as a “tunnel”) between two computers, say between an executive’s laptop at home or on the road and a company server.

This can provide protection, for example when going online via public WiFi networks or consumer-grade home broadband connections. Many services encrypt much of the data transmitted from point to point within the VPN. Others - and that’s the bad news

VPN for Secure and Private Web Access? Think Again.

Many believe a Virtual Private Network (VPN) will protect users against online privacy violations and web-borne exploits. But how far can you really trust VPN? A new report by Authentic8 provides answers that may surprise you.

*

VPN creates an encrypted data “tunnel” between the user’s computer and a secure server - on the corporate network, for example - that can also serve as a springboard to the web. Still, this secure tunnel is not sufficient. Over the more than 20 years that VPN has been around, its limitations have become obvious.

Yes, VPN can make connecting with networks and resources across the web more secure. What is often overlooked: VPN still allows web code to pass through to the locally installed web browser.

This opens the door for malware and spyware infiltration as well as data exfiltration, localization and de-anonymization by third parties. In last week’s blog post, we focused on the “online privacy” promise of VPN. We showed how

VPN & Privacy: What Nobody Told You

Large-scale privacy violations on the web have become commonplace. Social media platforms and app or service providers have been shelling out, some intentionally, others unintentionally, user data to third parties hand over fist.

While such incidents may have a numbing effect on some users, others take them as a reminder to seek better protection against surveillance and tracking threats on the internet. After all, service providers selling our data to third parties is not a new development. This post provides more in-depth background on how ISPs use VPN to spy on you.

Third parties taking advantage of VPN’s many flaws for nefarious purposes is so real that earlier this month, two U.S. senators (Ron Wyden and Marco Rubio) raised alarm in a bipartisan letter [PDF] to the director of the Department of Homeland Security’s new Cybersecurity and Infrastructure Security Agency (CISA), Christopher Krebs.

In the light of all this, what doesn’t cease to amaze me is how many

Quick Dissections: Collections 2 - 5

You’ve seen the headlines about a loot archive of stolen credentials called "Collection #1" that was leaked online in January. This collection contains 772,904,991 entries, one of the most significant credential leaks yet. The credentials are all stored within an email:cleartext_password format, making credential stuffing attacks relatively easy without having to worry about deciphering hashes.

As worrisome for potential targets as this can be, this post doesn’t deal with this particular pile of data (read Troy Hunt’s analysis of "Collection #1" leak here). Instead, I’ll take a closer look at why there’s a “#1” next to the collection name. While #1 is a massive heap of data, it’s only the tip of the proverbial iceberg. There are five collection archives in total, containing a total of 1TB worth of raw credential data waiting to be downloaded by attackers. So what’s in Collections 2 - 5?

What About Collections 2 - 5?