Category Archives: Encryption
Better Late Than Never: Ring Adds End-to-End Encryption to Battery Powered Doorbells – Gizmodo
Amazon-owned home surveillance camera king Ring is making good on its promise to bring end-to-end encryption (E2EE) to a wider range of its devices. This week, the company added the encryption feature for audio and video to its lower-cost battery-powered doorbells and cameras, which were left out of the company's previous E2EE rollout. The addition marks Ring's latest attempt to correct course on a product history littered with privacy and security blunders.
Privacy advocates and security experts have for years pushed Ring and other device makers like it to incorporate E2EE by default. Ring's encryption services, which are annoyingly opt-in, provide enrolled devices with a one-of-a-kind encryption key to unlock the encrypted videos. Ring claims that the key keeps anyone other than the device's users, including Ring itself, from accessing the videos. Further, Ring says all video uploaded to its cloud network features E2EE by default at rest and in transit.
"We believe we should offer a full range of privacy options to as many customers as possible," Ring said in its blog post. "And we know that different devices make sense for different living situations."
If this all sounds a bit familiar, that's because Ring's journey to finally bring E2EE to its doorbells was years in the making. The company first toyed with the capability in January 2021 as a technical preview for a select number of users. Then, in July 2021, the company pleased some security experts by adding encryption to a selection of its products globally. That rollout applied to 13 Ring products but notably did not include the company's battery-powered video doorbells. Fast forward 14 months and, well, here we are. Now, E2EE is available on all of Ring's devices except its lower-priced Ring Video Doorbell Wired, according to The Verge.
So why the long wait for E2EE on battery-powered devices? According to Ring, it was to ensure the quality of the product.
"A feature as ambitious as video End-to-End encryption, quite simply, took time to build," a Ring spokesperson said in an email to Gizmodo. "We hold ourselves to a high standard to give our customers the best possible experience and offer products and features they can trust."
Ring users who own the battery-powered doorbells will likely welcome the change, especially considering the company's long history of less than stellar security bona fides. In recent years, thousands of Ring owners have reportedly had their personal information compromised and leaked during data breaches. Ring's also found itself on the receiving end of lawsuits calling into question its security practices following a long list of concerns and sometimes creepy hacks. In one case, hackers even broke into a Ring device to scare the shit out of a household and taunt their dog.
E2EE encryption is definitely better than the alternative, but it alone won't solve thornier privacy concerns more fundamental to Ring's design. Case in point: earlier this year, Ring rejected requests made by Massachusetts Democratic Senator Ed Markey to adjust the device's settings so it would not record audio by default, after product testing from Consumer Reports found its flagship doorbell's microphone could potentially capture recordings of conversations from 20 to 25 feet away. In his letter to the company, Markey argued this granularity of data potentially being collected by the doorbells threatens the right to assemble, move, and converse without being tracked. Ring, in rejecting the proposal, said making audio recording opt-in would result in a negative experience for its customers.
Update 4:23 P.M: Added statement from Ring.
Beware, That VPN May Not Be What You Think It Is – CNET
There are some excellent, well-tested virtual private networks we recommend you try. But if you're exploring the competitive market of VPNs on your own, you're likely to find some shoddy VPN companies that scatter hints of their dubiousness everywhere they go. Learning to identify a few of these red flags can save you hours of research and a hefty annual subscription cost for supposedly getting connected to the internet more securely.
Is the price too good to be true? Has the company been caught keeping logs? How are your connection speeds?
To save you time, here are a few of the biggest red flags to watch out for when taking your new VPN out for a test drive. And on the flip side, here are three things to look for in a VPN.
There's no such thing as a free lunch. Maintaining the hardware and expertise needed for large VPN networks isn't cheap. As a VPN customer, you either pay for a premium service with your dollars, or you pay for free services with your usage data when it's collected by the free VPN and bargained away to advertisers or malicious actors.
As recently as August 2019, 90% of apps flagged as potentially unsafe in Top10VPN's investigation into free VPN ownership still posed a privacy risk to users. Free VPNs can also leave you open to quiet malware installation, pop-up ad barrages and brutally slow internet speeds.
If a VPN is caught keeping or sharing user activity logs, I won't recommend it. While most VPN services claim they don't track or keep logs of user activity, that claim can sometimes be impossible to verify. In other instances, the claim falls apart publicly when a VPN company hands over internet records to law enforcement.
The latter has happened in a few cases. EarthVPN, Hide My Ass VPN and PureVPN have all been clocked by privacy advocates for handing over logs to authorities, as has IPVanish.
To be clear, it is entirely possible to be grateful for the arrest of reprehensible scumbags while ardently advocating for consumer privacy interests. My beef isn't with any VPN company helping cops catch a child abuser via usage logs; it's with any VPN company that lies to its customers about doing so. The lie that helps law enforcement in the US catch a legitimate criminal is the same lie that helps law enforcement in China arrest a person watching footage of the 1989 Tiananmen Square protests.
Ideally, the VPN you choose should have undergone -- and published the results of -- an independent third-party audit of its operations, including its use of activity logs.
Another red flag to watch for when choosing a VPN is shoddy encryption standards. Users should expect AES-256 encryption or better from VPN services. Nearly every web browser and app already uses AES, often touted as "military-grade" encryption, after it was adopted by the US government in 2002. If your VPN only offers PPTP and L2TP encryption, look elsewhere.
While you're snooping around for encryption details, keep an eye out for one of our favorite phrases, "Perfect Forward Secrecy." Those three little words can have a hefty impact on your privacy: If one of your VPN's servers is ever breached, Perfect Forward Secrecy ensures that any keys used to decrypt private internet traffic quickly become useless -- giving you more security.
With just a little bit of elbow grease, any moderately skilled internet jerk can throw together a service that looks like a VPN but is actually little more than a proxy service reselling your internet bandwidth. Not only can that slow your internet speed, it could potentially leave you on the legal hook for whatever they do with that resold bandwidth.
Hola's case was the most famous. The company was caught in 2015 quietly stealing users' bandwidth and reselling it to whatever group wanted to deploy its user base as a botnet. Hola CEO Ofer Vilenski admitted it'd been had, but contended this harvesting of bandwidth was typical for this type of technology.
"We assumed that by stating that Hola is a (peer-to-peer) network, it was clear that people were sharing their bandwidth with the community network in return for their free service," he wrote.
Nearly all VPNs slow your browsing speed, some by as much as half. But a brutal crawl can be a sign of something worse than a simple lack of servers. So if being pressed into service as part of a botnet isn't your cup of tea, double-check those suspiciously slow speeds and the reputation of the VPN you're paying for.
For more VPN buying advice, here's how to pick the right VPN for your work-from-home setup. Plus, why we don't recommend US-based VPNs, and three things a VPN can't help you with.
How to Use Secret Conversations on Facebook Messenger – How-To Geek
Using Facebook Messenger's Secret Conversations feature, you can ensure your messages and calls are end-to-end encrypted so that only the sender and the receiver can access them. We'll show you how to utilize this feature on your iPhone or Android phone.
When you enable the Secret Conversations feature with a user, Messenger encrypts your messages and calls as soon as you send them. Then, these contents are only decrypted on the receiver's phone. This ensures no one can access your chat contents, not even Meta, at least not without physical access to your or your recipient's phone.
That encryption is the difference between a regular chat and a secret one. If any bad actors gain access to Meta's servers, they can't see your encrypted messages. Any of your regular chats might be visible, as they remain unencrypted on Meta's servers.
However, Meta restricts who you can have secret chats with. At the time of writing in August 2022, you can't start such a chat with businesses, professional accounts, Instagram accounts from Messenger, and people you haven't messaged before. Also, both you and your chatting partner need to be using the latest version of the app, so make sure you both update Messenger on your respective devices.
Additionally, certain features you might be used to won't work while in one of these chats. Meta states that group messages and money payments are not supported in secret conversations. If those limitations create problems for you, look into alternative secure communication methods that might offer the features you need.
To begin a new secret chat with someone, first, launch the Messenger app on your phone.
In the Messenger app's top-right corner, tap the pencil icon.
You'll see a "New Message" screen. Here, in the top-right corner, turn on the "Secret Conversations" option.
On the same page, in the To field, enter the name of the person you want to have a secret chat with. Then, select that person on the list.
A new chat will start with your chosen person. Any messages or calls you make in this conversation will be end-to-end encrypted. You can start sending messages as usual.
To make a voice or video call, tap the appropriate icon at the top of the chat screen.
To delete your secret chat with someone, tap the "i" icon in the chat screen's top-right corner. Then, scroll down the page and choose "Delete Chat."
And that's how you hold secret conversations with your chosen people on Facebook's Messenger platform. Happy chatting!
Did you know Messenger lets you send disappearing messages? Check out our guide to learn how to use that feature.
GUEST BLOG: Five steps to take when securing your data with multi-factor authentication – Military Embedded Systems
September 06, 2022
Computer data exists in different states at different times: data in transit (information flowing through a network); data in use (active data that is being accessed and manipulated by a computer program); and data-at-rest, known as DAR, or data that is physically housed in a storage device like a solid-state drive. Many cybersecurity solutions focus on securing data in transit and data in use, but neglect securing DAR.
President Biden's Executive Order on Improving the Nation's Cybersecurity, enacted on May 12, 2021, directs all branches of the federal government to improve their resilience to cybersecurity threats. This order directly calls out the need to secure data-at-rest (DAR) with encryption and multi-factor authentication (MFA).
MFA requires a user to provide multiple pieces of evidence that combine to verify a user's identity. Depending on the application, MFA may be required at login or perhaps when trying to access an application or even a particular folder or file. MFA combines two or more independent credentials: what the user knows (password, for example), what the user has (an authentication app, for example), and what the user is (biometric palm vein scan, for example). Since most MFA implementations use two factors, it's often called two-factor authentication, or 2FA.
There are five important considerations when protecting your data with MFA.
1. Understand the sensitivity of your data: First, note that not all data is subject to the same levels of protection. In the U.S., since all federal departments are part of the executive branch, the data-classification system is governed by executive order rather than by law. As of 2009, information may currently be classified at one of three levels: confidential, secret, and top secret. Subsequent executive orders may change these classifications and the levels of protection associated with each classification.
2. Use self-encrypting drives: Sensitive data needs to be encrypted, executive orders notwithstanding. Self-encrypting drives (SEDs) encrypt data as it's written to the drive, which has a self-contained drive encryption key (DEK). The key and encryption process are transparent to users.
SEDs encrypt everything on the drive, which is called full-disk encryption (FDE), including operating system (OS), applications, and data. On-drive encryption is called hardware FDE (HWFDE) and uses an embedded encryption engine (EE), which should provide 256-bit AES encryption.
An SED should adhere to the TCG Opal standard, a secure standard for managing encryption and decryption in the SED. SEDs are often certified to Federal Information Processing Standards (FIPS), developed by the National Institute of Standards and Technology (NIST). For example, a FIPS 140-2 L2 certification assures that the SED's EE has been properly designed and secured; the L2 ensures that there is visible evidence of any attempt to physically tamper with the drive.
The National Information Assurance Partnership (NIAP) is responsible for the U.S. implementation of the Common Criteria (CC), an international standard (ISO/IEC 15408) for IT product security certification. CC is a framework that forms the basis for a government-driven certification scheme required by federal agencies and critical infrastructure.
3. Employ pre-boot authentication: A designated security officer or administrator will define the user roles and identity management used to authenticate access to the SED. The password security that forms part of an OS is notoriously weak and subject to hacking, so the first level of authorization acquisition (AA) should occur prior to the booting of the OS, in which case it is known as pre-boot authentication (PBA).
Each user should have an individually assigned password, which authorizes the SED to use its cryptographic key to unlock the data. The security officer should have the ability to add new users and revoke access to existing users. When a user's access is revoked, that user won't even be able to boot the OS.
A more robust PBA implementation will include MFA.
4. Multi-factor authentication methods: In addition to a username/password, MFA requires another form of authentication. One approach is to use a security dongle, such as a YubiKey, containing a license key or some other cryptographic protection mechanism that the user plugs into a device USB port. The U.S. Department of Defense (DoD), including civilian employees and contractor personnel, uses a smartcard called the common access card (CAC), in which case the computer must be equipped with a physical card reader.
Other MFA methods include applications, often on smartphones, that provide a one-time code synced to the device or system asking for authentication. Also taking advantage of the ubiquity of smartphones is an SMS-based system that will include a one-time code in a text message.
5. Provide the ability to destroy the data: There are various scenarios in which it may be necessary to destroy any data stored on the SED. A benign case is when an organization decides to upgrade its computers and/or drives, transfer computers and/or drives within the organization, or dispose of or recycle the computers and/or drives outside the organization. A worst-case scenario is when an unauthorized entity gains control of the drive with the intent of accessing the data.
Using standard operating system-based delete functions to remove files and folders is not sufficient because experienced hackers can still retrieve some or all the data. SEDs that are used to store confidential data should support special hardware functions to perform secure erase (write zeroes into every area where data is stored on the drive) and crypto erase (wipe any cryptographic keys stored on the drive, thereby rendering any encrypted data stored on the drive unreadable and useless to a bad actor).
To address the worst-case scenario, the organization's designated security officer should have the ability to define erase procedures to be automatically initiated by the drive itself; for example, failing AA a specified number of times should cause the drive to self-erase.
In the case of a SED equipped with appropriate PBA, any data stored on the disk will essentially be invisible until AA has taken place, thereby preventing bad actors from cloning the drive to circumvent the restricted number of permitted attempts at AA.
To sum up
Some organizations mistakenly assume that employing MFA such as fingerprint scans or facial recognition after the OS has booted offers a high level of confidence. However, once the OS has booted, any data on its drives is exposed to sophisticated hackers or potentially nation-state bad actors.
The highest levels of confidence and security are achieved by using MFA as part of a PBA environment implemented using HWFDE realized on a FIPS + CC certified and validated SED. (Figure 1.)
[Figure 1|An example of a secure solid-state drive, part of the Citadel family of secure data storage. Photo courtesy CDSG.]
CDSG director of marketing Chris Kruell leads the sphere of marketing activities, including corporate branding, corporate and marketing communications, product marketing, marketing programs, and marketing strategy. Chris previously was VP of marketing at ERP-Link and hardware startup Lightfleet. He was a marketing director at Sun Microsystems and held several marketing positions in the high-tech industry. Chris holds a BS degree from Cornell University and an MA degree from Hamline University.
CDSG (CRU Data Security Group) https://cdsg.com/
A 14-Year-Old Cracked The Codes on Australia's New Coin In Just Over An Hour – TechTheLead
Australia's new limited edition commemorative coin was launched with five different encryption codes on it, but it took little over an hour for a 14-year-old boy to crack four of them, delighting security experts everywhere.
On the 75th anniversary of the Australian Signals Directorate, the country released a limited edition coin covered in codes to pay homage to Australia's foreign intelligence cyber security agency and find their future employees, hopefully.
The security experts behind the new coin, which was minted in just 50,000 pieces, included five different encryption codes on it, challenging buyers to try and solve them.
"There's a challenge out there to see who can correctly break all the layers, and, would you believe it, yesterday the coin was launched at 8:45am; we put up our web form and said, 'Hey, if you think you've got the answers, fill in the form.'
"And believe it or not, a boy, 14 years old in Tasmania, was the first person in just over an hour to get all four layers right," said ASD's director-general Rachel Noble.
Delighted at the child's genius, she added, "Can you imagine being his mum?" and that her organization hopes to meet him soon in the hopes of recruiting him to their ranks.
"Like the early code breakers in ASD, you can get through some of the layers with but a pencil and paper but, right towards the end, you may need a computer to solve the last level," Ms Noble said, adding that the fifth level of encryption had not yet been broken.
Are you up to the challenge?
You May Be Able to Send Secret Messages in the Molecular Code of Ink Someday – Twisted Sifter
Do you remember those invisible ink sets you used to be able to buy out of magazines and comic books back in the day?
They'd (sort of) work for a day or two and then that would be the end of it. It was a novelty for kids.
But thanks to scientists at the University of Texas, sending secret messages in the molecular code of ink might be something that we'll all be doing sooner than later.
A new study from the Texas researchers focuses on an example of steganography that is an encrypted message-within-a-message. Professor Eric Anslyn is a big fan of The Wizard of Oz, and he encrypted the book by L. Frank Baum and sent it to a colleague.
And for this experiment, it was all about the ink. Anslyn explained that his team used a special kind of polymer and encoded a 256-character key to encrypt and decrypt the book.
The study says, "To store 256 bits of information, we chose to encode a cipher key in hexadecimal (base-16) in a mixture of eight 10-mer [oligourethanes]. Eight of the 10 monomers encode information ... In base-16, each monomer provides a storage density of 4 bits per monomer, thus 32 bits per 10-mer, and overall, 256 bits in the sample."
The team then mixed these oligourethanes with soot, isopropanol, and glycerol, and they had an ink they could use for their project.
Anslyn said, "The most important scientific breakthrough was the use of mass tags that allow us to sequence eight oligourethanes simultaneously. This is the real advance in the field. The encryption key was just a single application that can be envisioned."
Pretty exciting stuff, don't you think?
How to shore up data protection beyond cyber security policies and standards – Open Access Government
It's all well and good having rigorous data protection policies and standards in place, as many organisations indeed do. However, we continue to see that if employees are not aware of these policies or do not apply them in practice, they may as well not exist.
We rarely go for long without hearing of an information security breach or cyber-attack to which a public sector body or local council has fallen prey despite significant ongoing efforts and resource deployment to prevent them.
A case in point appears to be Aberdeenshire Council, which revealed in response to a Freedom of Information (FOI) request that some 243 breaches occurred between January 2020 and March 2022 with that figure representing an upward trend.
Whilst public and private sectors increasingly value best practices around information security, gaps in approach continue to result in exposure and risk. One area where improvements can often be made is in education and training.
After all, it's commonly the human factor that is the weakest link in the cyber security plan; it won't matter how large your cyber security technology investment is if it is not paired with appropriate behaviours and understanding throughout the organisation.
At Apricorn, we have concluded that a solid requirement for comprehensive cybersecurity training should be written into every employee's contract, with regular knowledge updates mandated and delivered, for all workers both internal and external to the company. This must be an integral, ongoing part of staff professional development.
From the onboarding stage onwards, employees must be kept up to date with evolving cyber threats as well as corporate cyber security, information and data handling policies, bolstered with regular refresher courses and bite-sized learning approaches added in.
Training shouldn't cover only the "what" and "how" of keeping data safe and data protection. A comprehensive education approach must also include the "why" element: the specific risks to the organisation and its customers or service users if policies are not adhered to, along with potential ramifications.
All must understand that cyber security cannot simply be delegated as "someone else's problem", least of all the IT team's, regardless of seniority, department or specific role.
Implementing training that builds upwards from this greater level of context will create the engagement required, alongside an understanding that the company must be accountable for the totality of its actions around the handling of information and data protection.
We often hear that accidental mistakes contribute to breaches and failings in cyber security and information security. To err is human, certainly, but we should not forget that an effective mitigation strategy to defend the company against near-inevitable human error is essential.
More must realise too that change is possible: Apricorn's latest research shows that more than 60% of IT leaders still expect their remote workers to expose them to the risk of a data breach, regardless of the training they've received.
To help bridge this gap, education should be combined with the automation and enforcement of security policies through technology wherever possible.
Robust, regularly reviewed and tested policy and practice, with appropriate technology choices and implementation, supported by education and comprehensive backup and recovery strategy, will deliver optimum protection where, even in the event of a pernicious cyber-attack such as ransomware or successful spear phishing of executives, a swift and efficient recovery can reduce the chance of costly downtime.
Scheduling automatic backups of all data on a regular basis is also important, perhaps every day, depending on how often the data is altered or changed and how critical specific data sets are to the organisation's mission.
In an Apricorn survey from April 2022, 99% of surveyed IT decision-makers stated they have backup strategies in place, but as many as 26% admitted they were unable to fully restore all data and documents when recovering from a backup.
Only 27% acknowledged having automated backup to both a central and personal repository. We have found that three in five companies do not back up their data or devices in advance of working remotely, while only one in five follow backup best practices such as the 3-2-1 storage strategy and backing up in real-time.
If a 3-2-1 backup policy is employed, information should always be recoverable and restorable in the case of cyber-attack, breach or employee error. Have at least 3 copies of data, held on at least 2 different media, with at least 1 copy held offsite: a message that has not yet been heeded by everyone, it seems.
Also, the recovery process must be regularly tested to ensure full data restoration can be achieved in the event of a breach or mistake.
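The 3-2-1 rule and the restore test described above can be checked together, as in this added example (not from the article or from Apricorn). The inventory fields, copy names and sample data are hypothetical and constructed for illustration, and the production copy is assumed to count as one of the three.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str      # label for the copy (hypothetical naming)
    medium: str    # storage medium type, e.g. "disk", "usb", "cloud"
    offsite: bool  # True if the copy is held away from the primary site


def check_3_2_1(copies):
    """Return the 3-2-1 rules the inventory violates (empty list = compliant)."""
    violations = []
    if len(copies) < 3:
        violations.append(f"need at least 3 copies, found {len(copies)}")
    media = {c.medium for c in copies}
    if len(media) < 2:
        violations.append(f"need at least 2 different media, found {len(media)}")
    if not any(c.offsite for c in copies):
        violations.append("need at least 1 copy held offsite")
    return violations


def restore_test(copies, read_copy, expected_sha256):
    """Read each copy back and compare its SHA-256 with the digest recorded
    when the backup was taken. An unreadable copy counts as a failed restore."""
    results = {}
    for c in copies:
        try:
            data = read_copy(c)
        except OSError:
            results[c.name] = False
            continue
        results[c.name] = hashlib.sha256(data).hexdigest() == expected_sha256
    return results


def assess(copies, read_copy, expected_sha256):
    """Apply 3-2-1 twice: to the inventory as declared, and to only those
    copies that actually restored intact. The second result is the one that
    matters during an incident."""
    results = restore_test(copies, read_copy, expected_sha256)
    verified = [c for c in copies if results[c.name]]
    return {
        "declared_violations": check_3_2_1(copies),
        "failed_restores": sorted(n for n, ok in results.items() if not ok),
        "verified_violations": check_3_2_1(verified),
    }


# --- Constructed sample data (not real files or systems) ---
ORIGINAL = b"payroll-2022-08.csv: constructed sample contents\n"
EXPECTED = hashlib.sha256(ORIGINAL).hexdigest()

INVENTORY = [
    BackupCopy("primary-fileserver", "disk", offsite=False),
    BackupCopy("office-nas", "disk", offsite=False),
    BackupCopy("encrypted-usb", "usb", offsite=True),
]

# In-memory stand-in for the storage back ends; the NAS copy is truncated
# to simulate a backup that exists on paper but cannot be fully restored.
STORE = {
    "primary-fileserver": ORIGINAL,
    "office-nas": ORIGINAL[:-10],
    "encrypted-usb": ORIGINAL,
}


def read_sample_copy(copy):
    """Hypothetical reader: returns the bytes restored from the given copy."""
    return STORE[copy.name]


if __name__ == "__main__":
    report = assess(INVENTORY, read_sample_copy, EXPECTED)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The sample inventory passes the rule as declared, but once the truncated copy is excluded only two restorable copies remain, which is the gap a regular restore test is meant to expose.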
Additionally, the encryption of data as standard across the organisation should be mandatory, both when it's in transit and at rest, and automated wherever possible. Currently, almost half (47%) of organisations now require the encryption of all data, whether it's at rest or in transit, a share that's growing but still falling short of the level of protection possible.
We should add that the stakes appear to be rising for those organisations that don't give the approach sufficient attention: 16% of the IT leaders we surveyed admitted that a lack of encryption had been the main cause of a data breach within their company, up from 12% in 2021.
When data is encrypted, it's fully protected, so if, for instance, an unauthorised individual gains entry to an IT system, the information will remain unreadable.
In particular, selected storage locations should include an offline solution, such as high-capacity hardware-encrypted USBs that automatically encrypt all data written to them, again taking the human risk out of the equation even for distributed teams. Copies of critical files can be kept secure and disconnected from the network to create an air gap between information and threat.
In addition, built-in hardware encryption with onboard authentication affords stronger protection than software-based encryption, which can leave devices exposed to counter resets, software hacking, screen capture and keylogging. Encryption keys can be kept safe within a hardware crypto module.
With greater attention to the above points, cyber security defences can become fully embedded into ways of working, with full benefits accruing to the organisation.
Written by Jon Fielding, Managing Director EMEA, Apricorn
Zoom adds ‘bring your own key’ encryption to its conferencing service – SiliconANGLE News
Continuing to address security issues that emerged during the early days of the COVID-19 pandemic, Zoom Video Communications Inc. has added support for customer-provided encryption to its popular videoconferencing service.
Zoom Customer Managed Key is aimed primarily at customers in heavily regulated industries like healthcare and financial services. It comes on the heels of increased encryption support that was built into version 5.0 of its platform, which was announced in April. That release added Advanced Encryption Standard 256-bit Galois/Counter Mode, a type of encryption that is known for both security and performance.
All cloud platforms and many software-as-a-service providers support encryption but most require that keys be stored in the hosted cloud. That isn't sufficient for some firms, though, and support for customer keys has become a point of differentiation for security-focused services. In rolling out its Cloud for Financial Services in 2019, IBM Corp. promoted "bring your own key" encryption as a core feature that distinguishes its platform from other public clouds.
"With Customer Managed Key, users can opt to use their own encryption keys to encrypt such assets as cloud recordings, voicemails and calendar access," Zoom said. Encryption can be applied to meetings, webinars, voicemails, Microsoft Corp. Teams access tokens and archived sessions. Administrators can provision encryption keys directly within the Security tab on the Zoom administrative portal or get help from Zoom's Global Services organization.
The feature will incur an additional cost but Zoom didn't provide specifics.
Read this article:
Zoom adds 'bring your own key' encryption to its conferencing service - SiliconANGLE News
Current encryption and security will be null and void by 2030 at the latest – TelecomTV
Even if you could afford it, you couldn't go out and buy a quantum computer today because they're a long way from being commercially available. However, that doesn't mean the machines don't exist: they do. It is known that there are such devices in the laboratories of commercial companies, in university research labs and military installations in various countries including the US and the UK, and the chances are that China, Russia and other countries also have them.
However, despite the intense international race to be the first to develop fully-functioning, full-sized quantum computers, currently, as far as practical applications are concerned, the experimental models are generally too small to outperform traditional electronic super-computers. That said, some have been developed to the point that they can be used to solve some heavy-duty tasks, such as integer factorisation.
In essence, integer factorisation is the decomposition of a composite number, which is a number that can be made by multiplying other whole numbers. For example, 6 can be made from 2 x 3, and 15 has the divisors 1, 3, 5 and 15, and thus is a composite number. For very large composite numbers, no workable non-quantum integer factorisation algorithm has yet been found (although one might actually exist). The field of research is important because many cryptographic algorithms are based on the extreme difficulty of factorising large composite integers, and this has direct relevance to the security of RSA public key encryption and the RSA digital signature.
Three years ago, a team of French researchers factored a 240-digit number that took 900 core-years of computing power to achieve, and from that experiment estimated that the factorisation of a 1024-bit RSA modulus would take 500 times as long, in other words 450,000 core-years of computing. However, quantum computers can perform such calculations very quickly. A quantum computer utilising superposition, interference, and entanglement could crack and render instantly obsolete the ubiquitous RSA encryption algorithm in a matter of seconds. Soon, keeping information secret will become many orders of magnitude more difficult.
The qubit is the fundamental data processing element of a quantum computer, and researchers are building machines with more and more of them whilst simultaneously developing error-correction methodologies that will enable the performance of longer and longer calculations. It's only a matter of time before all current encryption techniques will be rendered null and void. The general consensus within the industry is that this will happen by 2030 at the latest.
Originally posted here:
Current encryption and security will be null and void by 2030 at the latest - TelecomTV
Encrypted Phone Provider Calls It Quits After Failing To Persuade Middlemen To Roll Their Own Device Management Systems – Techdirt
from the passing-the-buck-means-having-no-more-bucks-to-pass dept
Over the past few years, international law enforcement has been cracking down on encrypted device purveyors. We're not just talking about regular device encryption, which has been mainstream for several years now. These would be specialized manufacturers that appear to cater to those seeking more protection than the major providers offer: services that ensure almost no communications/data originating from these phones can be obtained from third-party services.
The insinuation is that specialized devices are only of interest to criminals. And there is indeed some evidence backing up that insinuation. But plenty of non-criminals have reason to protect themselves from government surveillance, a fact that often goes ignored as criminal crackdowns continue.
Even if there's an honest market for something international law enforcement considers to be a racket (as in RICO), the market cannot seem to sustain the continuous scrutiny of law enforcement. Another purveyor of specialty phones catering to people who desire the utmost in security and privacy has decided resellers should bear the legal burden of offering its offerings. Here's Joseph Cox reporting for Motherboard:
Encrypted phone firm Ciphr, a company in an industry that caters to serious organized criminals, has made a radical change to how its product can be used and sold, signaling an attempt by the company to distance themselves from, or perhaps cut off, their problematic customers.
How do you cut off perhaps your (previously) most valued customers? Well, in this market, you force the resellers to assume all legal liability.
Now, it is shifting that responsibility away from itself to individual resellers of the devices. The message says that for resellers to continue with new sales or renewals of customers' subscriptions, they will need to run their own MDM solution. This essentially puts the management of customers much more in the hands of the resellers and not Ciphr.
Offloading mobile device management (MDM) to third-party resellers perhaps provides Ciphr with plausible deniability. If resellers want to have something to sell, they'll need to take direct control of device management to ensure end users don't install apps that might compromise security, as well as controlling distribution of software updates and other necessities of cell phone service.
While this move may have ultimately provided Ciphr with plausible deniability when the feds came knocking, it immediately appears it won't be profitable for Ciphr. The offloading of device management to resellers appears to have severely harmed reseller desire for Ciphr phones, as Joseph Cox notes in his follow-up article.
Ciphr will cease operations at the end of the month, according to the message. The reason was that not enough resellers took up Ciphr on its plan to shift the responsibility for Mobile Device Management (MDM) away from the company itself to individual resellers.
Resellers appeared to enjoy their previous relationship with Ciphr, which allowed them to profit heavily from a demanding, but limited market. That relationship allowed Ciphr to absorb the legal liability while third parties cashed checks. Check cashing is still an option, but cashing checks now means a possible increase in legal liability. Obviously, Ciphr's biggest resellers aren't on board with assuming additional legal risk.
Since there's no interest from downstream retailers in running their own device management systems, Ciphr could either sell directly to customers it has always tried to distance itself from or call it a day. It chose the latter option, which will likely end up being far less harmful to its profits than dealing with the outcome of raids, arrests, and criminal charges that may have been the end result of its continued existence.
And while it may be easy to cheer on the demise of another company that apparently catered to criminals, let's not forget every failure by device manufacturers like this one makes it far easier for government entities to (falsely) claim secure devices and end-to-end encryption only benefit criminals. For that reason alone, we should be concerned about companies like these that shut down rather than offer products that could possibly fend off sustained attacks by state-sponsored hackers and make normal surveillance tools irrelevant.
Filed Under: criminals, encrypted phones, encryption
Companies: ciphr