DE:CODED – Firewall speeds and VPN risks

Transcription

(Generated automatically)

Marc Briggs 0:02
Welcome to Series Two. I’m Marc and I’m here with Simon from SE Labs. If you want to know anything more about me and Simon, then you can listen to series one of decoded, we don’t need to go over old material. There’s a couple of things that we should talk about. Before we get into these episodes, though. The first thing is, when we started working on this series, the conflict in Ukraine was still in the future. We want to take this opportunity right at the very start to say that we fully support the people of Ukraine, and our thoughts and hopes are with them during this terrible time. The second thing that we should mention is that throughout this series, we’ve had interviewed with some amazing and talented guests. But these guests don’t always stay in one place. It’s very common for security people to move between companies throughout their careers. So if we say a guest work somewhere, what they did at the time when we spoke to them, and now on with the show.

Simon Edwards 1:04
Welcome to DE:CODED, providing in depth insight into cybersecurity. As your firewall as fast as you think these network security devices cost a lot, but they don’t always perform the way you might imagine. You can combine firewalls with other security products to extend your protection, then there’s a relatively new thing called XDR. What does it mean? And how does it work? And from a personal security point of view, we look into the sometimes shady world of personal VPNs. Do you need one, or should you actively avoid them?

Show Notes, including any links mentioned in the show are available at DecodedCyber.com.

Hollywood movies on hacking, which we covered in depth last series, often talk about firewalls and the breaching of the same. But in most cases, a firewall is just one part of a load of security measures. We could talk all day about firewalls and how they can be set up. But let’s start with the basics. A firewall is supposed to control what kind of information comes into a network. And what can leave. It doesn’t necessarily know the details of this information. A standard firewall wouldn’t know the difference between your personal shopping list and a confidential spreadsheet. But it can spot types of traffic, email, voice over IP, and web traffic. They’re all examples of things a firewall can allow, block or prioritize differently.

And while it’s working hard to manage all of this traffic is probably trying to spot and block attacks to malware and exploits. For example, this requires a lot of brain power. And as firewalls can only have so much processing ability, something has to give when things get too busy. When you buy a large and expensive enterprise firewall, or even a little one for a small business, you’ll want to check that it will be powerful enough to handle the traffic you expect today. And in the coming months. Even cheap firewalls cost a lot. So you don’t want to upgrade too often. And how do you know that the firewall you’re going to buy is up to the job. Brian Monkman used to be a security tester at ICSA labs. And now heads up the network testing organization NetSecOPEN. He focuses on ensuring that firewall performance tests are fair and comparable. Brian, first things first, you know, we can get into really technical details about how to test network security appliances, and that kind of thing. But at the very basic level, how would you judge the speed of a firewall? Is it as straightforward as just running lots of data through it, and seeing how much it can handle?

Brian Monkman 3:52
No, not at all. There’s there’s an extraordinary number of variables to consider. I mean, the speeds and feeds is definitely, definitely one of the things to consider. But that really isn’t the complete picture. You need to consider the type of traffic that is going going through the firewall. And I’ll take take, for example, a healthcare entity, a firewall that’s handling traffic that’s related to healthcare, they’re going to have a very different traffic profile than, say, a financial institution or an educational institution. And so it’s really quite important to take all of that sort of thing into consideration. But that said, there will be some basic things that you’ll take a look at, regardless of what sort of enterprise the firewall is, is protecting.

Simon Edwards 4:45
So if I was running a healthcare organization, you know, would I be looking out for adverts for firewalls particularly suited to my kind of organization?

Brian Monkman 4:55
Not necessarily because most of the firewalls out there today in fact, quite frankly, I would be extremely surprised if if it was anything other than all the firewalls out there can be configured to address the needs of specific enterprises. So you could get a firewall from vendor a, working for your being set up in an environment of a large financial institution. And the same same vendors firewall could be used in a healthcare entity. Okay, so I go out there and I, I can choose from any of the main brands, and so long as I’ve got enough expertise, I can probably tease enough performance out of it. Correct. Did you know that’s, that’s a reasonable assumption to make, of course, there’s going to be caveats, but But yeah, there’s always always those. So let’s say that we go shopping, and I need a 10 gigabit per second firewall, because that sounds like a big number

is that the only number that matters are the other details on a data sheet somewhere I should be paying attention to, you should be be paying attention to a number of different things in the standard that our organization has developed, we look at, we look at, I would say around around 10 considerations, or what we call KPIs to take a look at. So we the first thing we take into consideration is the application mix. Profile. That’s that’s important. So when you say an application mix, what’s in this context? What is an application? Well, the traffic profile for for the enterprise? So in going back to health care, financial, you know, that sort of thing, education? Are we talking about protocols? Or are we talking about something more detailed than that?

Yes, you’re talking about protocols, but it can be a little bit a little bit more detailed than that as well. You know, for example, wouldn’t be unusual at all, for an educational institution to want to use a video streaming service, you know, one of the commercial ones out there. And so that’s a myriad of different protocols, and, you know, different traffic, you know, type of traffic requests, and so on. So, it’s more than just simple HTTP, DNS SMTP, that sort of thing. It’s it becomes, it becomes complex fairly, fairly quickly. Right. So if we were if we were setting up a secure network for a sales team, we might assume that they’ll want to make phone calls, so maybe sip, or even so even more specific, like Skype, that’s the kind of thing you mean. Yeah, yeah. It’s, that’s the sort of thing that we would, that we would include in the in a traffic profile or application mix, right. And a financial institution would probably want to be able to shift financial transactions with more priority than maybe email. Yeah, yeah. And that’s definitely one way of looking at it. And we’re only just getting started in the specifics of the application, you know, mixes themselves because it is extremely difficult to get parity between the various test tools out there. So we’re one thing to buy firewall, and we’re going to Cisco’s website and Palo Alto is website, we’re looking downloading all these these spreadsheets and these, these data sheets, and we’re seeing 10 gigabytes per second here. And we’re seeing the bits and bobs. Do I mean, do the statistics that we see or the marketing claims that we see in those data sheets? Do they go down to that level of detail? Sometimes?

It all it all depends on who the target audience for the data sheet is? The first question anybody who’s reading a datasheet should be asking is, what is the configuration of the firewall itself? Are all the security controls necessary to deal with the traffic on or as often is the case, you know, are some some of the security controls turned off in order to improve, improve performance? You know, what we do here? Here, when it comes to the standard is our approach to testing is fundamentally different from that in that

you decide what sort of security profile you want to set up on the product that’s being tested. Then once the security profile protocols have been addressed in the security policy, you verify that the product the firewall is operating as you would expect. And then at that point, you lock the configuration you know, make no changes. So all the traffic that is coming through the firewall and being

handled by the firewall, we’ll have to go through the various policy engines that were set up prior to testing to does that mean when you see the headline figure of 10 gigabits per second? That’s maybe the figure you could achieve without actually the security settings turned on? Possibly, yes. Not, but not in every case at all, it all depends on, on how the vendors decide that they want to represent it. A lot of the vendors who actually have the

security policy turned on will document that in their data sheet, they may not go into voluminous detail that but they’ll provide a pointer to how the project was configured. During as a result of these

where the numbers are coming from and what what you’re actually looking looking at. But that’s that’s one of the fundamental challenges of NetSecOPEN is to get the test tool vendors, the labs and the security product vendors together and have everybody agree to what a reasonable standard

Simon Edwards 11:09
should be in order to provide apples to apples comparisons between products. Yeah, so And we’ve seen that so we look at test data sheets, and we do testing and in some cases, you’ve just got that 10 gigabit per second headline figure. And in other cases, they will say, well, it’s in real life, it’s going to be half that with security settings on. And in some cases, they even go to more specific detail and say, Well, if you’ve got a lot of encrypted traffic, you know, SSL, the whole padlock in the browser thing, then it’s going to be even slower. So there’s this whole range of transparency and lack of and claims and counterclaims going on. I’ve seen that. Yes. So when we come to look at reviews of firewalls, you can take the marketing claims from the vendors as truth. Or you can, I guess, test it yourself, how would a big organization professionally testify? Well, to make sure that it was suitable for their own purposes? Well,

Brian Monkman 12:08
so the first thing that I would suggest they do is that they

shortlist the products that they want to take a look at based on certifications against. NetSecOPEN requirements. Of course, that’s a shameless

shameless plug. But that’s, that’s definitely a good a good place to start. And since the standard that we’ve developed is open and public and available to everybody, you know, anybody with with a certain amount of competence can certainly, you know, reproduce the testing. In addition to that, any products that have gone through the NetSecOPEN certification, the configurations of those products are available for anyone that would like them.

Second thing to do is to use standardized test tools. So in in our case, you know, we have a few test tool vendors that are that participate in the program. And, you know, there’s some of the products that have been verified as being able to produce comparable results have been accredited by NetSecOPEN. The beauty about that is it provides everybody a common starting point. And so an enterprise is going to take a look at data sheets. And so a well, and say that, well, this doesn’t really perfectly fit what I want, but it’s a reasonable starting point. So then you could take that reasonable starting point, get a get a dot and modify, make modifications to the test tool that you’ve acquired. And, you know, to suit your own environments and, and, you know, run run tests again. And it does has a device on the test, or I think we also talk about systems on the test these days, aren’t we? This is true, it’s the acronyms seem to be all over the place sometimes.

Simon Edwards 14:04
So at the moment other than NetSecOPEN you because you guys are doing the standard by which other testers I guess should aspire to follow our their law, lots of different unbiased reports that people can go out and download publicly at the moment.

Brian Monkman 14:20
There are other reports available to download publicly. I do know of, of a number of of labs that produce reports. Sometimes they charge for them. They’re behind a paywall other times that are freely available, the difference between tests labs, that you know, as the exists today, and what we’re trying to do is the open and transparent nature of it, because you you don’t really know how

how test requirements have been developed in a lot of tests law

abs, whereas, you know, we we’re not only open and transparent, the standard that we’ve developed has been contributed to the IETF benchmark Working Group and is going to be part of the public domain. So

it’s, it’s, there’s our goal here is has been to been as open and transparent as we possibly can. And that’s an often overused term open and transparent. But, you know, our goal here is that if anyone was to come to us and ask us specific questions, well, how did you come up with this or come up with that, we would be able to tell them.

Simon Edwards 15:38
And what we find as well as being transparent is, as a tester, anyway, is a very good way to show your competence. And what we find is very large organizations kind of global 500 level, they will look at reports, but they won’t base a buying decision on a report that I’ve published about a particular firewall. Even if I agree with two or three other test labs, what they will do is they will judge us as testers. And then if they’re about to spend a million or more pounds or dollars or whatever, on firewalls, they’ll probably engage with the tester to do some work for them privately, because they’ve got very specific needs. And every test is always based on some assumptions about what people are going to want.

Brian Monkman 16:22
Correct? Yeah, there are very few enterprises that have the resources available to them to do a lot of the detailed testing that they would want. So when you when you do see one of these third party tests, and you Brian yourself, you decide you’re going to judge it and work out if it’s valuable or not, what are the kind of some of the criteria you might use to, to form an opinion?

Well, first off, I’ll look at their test, the test methodology, and how how much detail they’ve they’re prepared to provide.

Second, I’ll

look at the weather whether or not they’ve set themselves up to be

governed by any sort of standards, in order to ensure that the tests that they conduct are not only open and transparent, but are reproducible because one of the biggest variables out there is that you could take the same product,

same test tool, the same testing requirements, and come up with different results, depending on who’s who’s actually doing the testing. So one of you know that that’s an important consideration as well, transparency. And as you said earlier, being able to reproduce results is very important. We not only provide test reports and certification reports publicly and at no charge. We also provide, as I said before, the configuration files for the device that was tested, and also a configuration information for the test tool that was used. Right. So this, this goes back to what we’re saying at the beginning, if if you don’t have the config, then you really don’t know what’s going on, you could say this device runs at eight gigabits per second. But then when you look at the config, everything’s turned off, so there’s not really very much security going on.

Right.

Simon Edwards 18:24
Security Products rarely work straight out of the box the way you need them to. There is configuration involved. And a useful test will tell you a lot about how it was conducted, possibly including how the product was configured, or products plural. because rarely do security products sit on their own in an organization. If you’ve been hearing the buzzword XDR, you’ll know that the security industry is looking to connect lots of different security solutions together. In our previous episode, Christian from Microsoft talked about integrating a variety of protection technology, letting email services and others speak to each other. This helps investigations is XDR, or extended detection and response, simply an intelligent wiring together of firewalls, endpoint protection and cloud services, or is there something more to it? Chad Skipper is VMware is global security technologist. He’s been at Symantec silence, Dell and Cisco. So if anyone knows how security fits together, he should chat. We have EPP EDR MDR IPS ng FWS and now XDR. WTH does that all mean?

Chad Skipper 19:43
Yeah. So let’s, let’s go back a few years right Simon, do you mind?

Simon Edwards 19:47
No, please.

Chad Skipper 19:48
So I mean, you and I were back around, you know, all the way from the original antivirus days, but in 2014 2015 we began to see this EPP this endpoint protection plot formed and we began to see the advancements of endpoint detection and response. And so from from there, right, the reason that we are beginning to see what is called extended detection response is because the visibility that we get into the endpoint is great, that’s on a process perspective, right. But this is about extending visibility beyond the endpoint, right? So our lack of visibility here is a driver, also a driver to extend the detection response beyond the endpoint to things like edge, right? Network detection and response between the containers between the VMs on all the clouds is because the threat detection, that we really need to begin to further detect those events, threats within the organizations. And we know that those events, threats can occur for many different ways of initial access. So we need to have that visibility into all of those extended telemetry, it’s about connecting the blind spots, right? This is going to cure the incomplete and slow process, we hope by extending the tech detection capabilities beyond the endpoint to include other telemetry out there. And it’s just going to increase the fidelity. The goal here, I think of XDR is, is ultimately to prevent and, or right, reduce that dwell time within within the customer’s environment. So speaking most simply by providing as much context as possible to an attack that will help defenders work out what’s gone on, and maybe what they could do next. Yeah, so the sock team enabled by, you know, multiple, high fidelity telemetry feeds, that, you know, an ecosystem X er solution can provide, can play that pivotal role in giving them visibility into what I think needs to happen into every packet and every process, right? Yes. So you’ve got you’ve got an endpoint, you’ve got a laptop running, for example, with a, an endpoint agent on it, and it sees something, something happens, but it doesn’t know where that thing necessarily came from. But if you’re monitoring the network as well, you can put all the pieces of the jigsaw together, correct across the MITRE ATT&CK framework, right? So all the way from initial access to where they begin to discover enumerate, right? Even lateral movement, right? We know, from a network perspective, you can see that adversaries are using common ports and protocols. So you need network telemetry to understand how they’re using RDP, SMB, you know, those protocols living within the noise of your network to move laterally?

Simon Edwards 22:40
Absolutely. So it’s interesting, you bring up MITRE. So for those listening who don’t know, the MITRE ATT&CK framework is a way of it’s a way of describing how the full attack chain can work. So it’s very useful for testing because you can say, well, we want to begin the attack the same way that this particular bad guy did. And then we’re going to do the same things that they did all the way through to the end, which would be stealing or damaging data, or whatever. So the MITRE ATT&CK framework is good for tests, but charge if you’ve got a combination of network appliances, endpoint agents and cloud services, that can be very complicated to test, couldn’t it?

Chad Skipper 23:17
Absolutely. You know, everybody has a different ecosystem, right? They use, you know, tools and network security appliances and endpoint agents and those cloud services in a very different way you ask a customer, they deploy them in different ways. So testing those naturally, you know, what I’ve seen, and in the experiences, you know, those have their own labs in which they create their own architecture or duplicate their own architecture, and begin to test but it becomes very complicated, as well as, you know, when you begin testing with real malware, right, when you begin to, you know, exploit what you know, known as your own vulnerabilities, and understanding the efficacy of the products and which are detecting or responding to those types of things. So, testing all of those in combination very, very difficult testing even one right, it can be difficult as well. Absolutely.

Simon Edwards 24:16
Testing realistically is crucial to assessing any security product protects DRS potentially far reaching view across a whole network means that realistic testing has never been more important. We’ll look further into full attack chain testing later in the series. But for now, let’s explore a different kind of network security. The sort that the TV adverts if you still watch TV, would have you installing on your smartphone. VPN software offers to protect your privacy. But is there really a threat on public Wi Fi these days? If you’ve secured your devices using all the usual advice, Luis corones works at security company Avast, which provides a range of products, including antivirus and VPN apps. Luis, What would someone do if you connect to their network unprotected by a VPN?

Luis Corrons 25:12
Yeah. Well, I mean, if you’re going to connect to a public Wi Fi network, for example, first you never know who is there, right? So anyone I mean, like, if there is like a black hat hacker, messing around, he goes, see, wherever you are doing on the internet, does it mean that he can see I don’t know, if you go to Gmail, we’ll be seeing your email address and your password. Now, that doesn’t mean that because that kind of traffic is is encrypted, right. But not all traffic is encrypted. But not everything is about username or passwords. There are also cookies going around. And we have seen attacks where cookies are taken to take over sessions in emails and social media and other kinds of places. It is true that it’s different nowadays than it was like, I don’t know, two or three, four years ago, where most connections in the internet were. Were not integrated. Nowadays they are. But still, they can see where you’ve gotten to. Yeah, I mean, Google. Google made that happen, didn’t they when Chrome Yep, stopped, stopped working with unencrypted websites? Yeah, that was a big step. There is a reason why some governments in the world don’t allow their citizens to use VPNs, like in China. So they VPN has to work otherwise, the Chinese government will encourage you to use in a VPN or not. Well, that’s an interesting point that you bring up there that they do work. But then we don’t really know how they work often who’s running them? Because some of the people that operate in the VPN world, some of those companies, they seem to be quite shady, don’t they? Yeah. That’s one of the critical points. And one, that’s actually one of our main concerns with VPN apps. Because on the app, okay, I do this to be protected, right? So I’m using this VPN service, which means that whoever is running that service is actually seen wherever you’re doing, right? If you don’t know who that is, or if you don’t know, if it can be trusted, then it’s, you are better off with a VPN, right? There are a number of companies like security companies that offer the VPN, okay? I mean, if you are running their antivirus on your computer, you trust them. So having a VPN, that’s fine. I mean, like, they already know everything. If you have them installed on your computer. If you just had a noncorporate. And there were some shady ones. We’ve seen people or companies that used to do some other business on the internet, which were barely legal. And now they are like buying VPN companies. And then you wonder, okay, why are they doing this? Okay. VPN is perfect business. So it’s a Yeah, but maybe they want to get access to that traffic to make a profit out of it. And they actually have access to that.

Simon Edwards 28:21
Well, a VPN service that’s free, I always think is a massive red flag. Why would someone give me a free service for me to put all of my internet traffic through their systems?

Luis Corrons 28:32
Yeah, yeah, definitely. I mean, like, it’s not like, it’s not something that says that you can give for free to everyone, right? Yeah.

Simon Edwards 28:39
So I’m sure I’m sure that even the ones you pay for can abuse your information!

Luis Corrons 28:43
Everyone can abuse the information. That’s also true.

Simon Edwards 28:48
we can fool ourselves with making the right decision by spending 40 euros a month or a year or one?

Luis Corrons 28:53
Yeah, no, I mean, but if they are not getting any money from you, then where are they getting the money from?

Simon Edwards 29:01
Daniel Cuthbert, is the Global Head of cybersecurity research at a very large international bank. He has a long history of penetration testing, and other security consulting roles, many of which she can’t talk about. Dan, what do you make of the Wi Fi threat? Should people be using VPNs today?

Daniel Cuthbert 29:21
I think what we’ve seen since the early days of Wi Fi attacks, research stuff like myself and Glenn were doing with Snoopy Dino was doing with karma and did many others. Those days are definitely behind us. And for good reasons. We have back then you really did need a VPN because using a Wi Fi network. It was it was trivial to compromise clients and indeed gain access to data. But fast forward to 2022. And there have been some serious advances in mobile clients. That kind of makes for me personally, the need of a VPN less of a issue than it was a 2004 2010. What are the threats, the main threats that people faced some years ago, which don’t seem to be such a problem today? Two big things, I guess the first one was the lack of adoption of TLS. So a lot of sites did make use of plaintext. So which means you could do interception and gain access to credentials, I think we’ve seen a widespread adoption of TLS, which is great. And then secondly, the controls around how mobile devices and desktop devices connect to websites. So before it was trivial to do interception, it was trivial to do a man in the middle, that kind of style of attack. Whereas today, it’s actually very hard. And anybody who has set up some form of interception capability on modern networks trying to gain access to Facebook, or Twitter, or Gmail, or any of the modern sites, they will notice that it’s not easy at all. So that’s kind of where the big changes for me have happened.

Simon Edwards 31:03
What about things like cookie theft? Is that still a problem?

Daniel Cuthbert 31:08
It is a problem if the site itself is still operating. In a world where Britney Spears was this mega pop star doing really, and indeed, there are many out there still that do that. But it’s not as prevalent. It’s not a case of if I grab your cookie, I can log in from anywhere. Not like it used to be I’m not seeing it still doesn’t happen. But we’re not seeing the same level of polish that we did, you know, 20 years ago. And I guess it comes down to your threat model now, doesn’t it? If if you are an Uber, secret guy that everyone wants to spy on, then if you’re not using a VPN, they can’t see the information that you’re sending or receiving, but they can see the sites that you’re visiting, potentially. But most normal people, the fact that you’re visiting McDonald’s or Lloyds Bank, that’s not really a problem. No, and my big concern is the actual VPN providers, who are they? You know, what makes their security really good? Because, you know, just because you’re routing traffic through their infrastructure, nobody’s FTEs, step back, and when are they doing the right things? You know, can they be subverted? You know, are their inputs secure all these types of things? And who has influence over them to Yeah, you know, it’s just a case of what’s a VPN, it must be secure, uses cryptography.

So what, and you’re sending all of your traffic through this third party that you may or may not be paying? Yeah, and anybody who spun up large scale distributed systems will know that that stuff is not cheap. It really isn’t. And it requires an obscene amount of maintenance, and administration and looking at threats that come in and stopping those threats. And it’s, you know, you’ve got to ask the questions, these cheap VPN providers, how are they doing it so cheaply? Well, that’s an interesting point. So normally, when we think of VPN, we think it’s a way to pop out in another country to stream some content. But of course, it becomes like a proxy internet service provider. And with that, comes a some kind of responsibility for filtering out some of the threats. Yeah, I mean, you know, if you look at some of the regions where these VPNs are hosted, again, if you look at the the cost factor I just talked about now. And maybe that country is under control of giving access to data, you need to build that into your threat model. And between us (and everybody listening), I do think that notion of every should have a threat model, right? It’s the most complex and absurd thing you can expect. No, you shouldn’t have a threat model, right? That’s only something that parallel 1% security people have. But I think you need to rethink how you look at a VPN and go, hang on a minute, they get to see stuff that are supposedly stopping other people from seeing.

Simon Edwards 33:54
Back at the DE:CODED studio, Marc, and I have a think about what we’ve heard from the guys selling the VPNs and the other experts who are less sure that they’re needed.

Marc Briggs 34:06
What we really want to do is answer the question about do you need a VPN at home? The short answer really is no, but there’s a little bit more to it. It’s really less necessary at home than in public, because your home network will already include security protections. It’s got your username and your password to sign in, which provide a good layer layer of security protection. But many people still use a VPN at home to prevent some form of online tracking or to stream certain types of content. And we’ll talk about that in a little bit more detail out of the house. It’s a different matter on an unsecured public Wi Fi network. Hackers, criminals can easily intercept anything you send or receive. So while most of your internet traffic is pretty uninteresting, I would imagine

If it could include sensitive information like your bank account details, credit card numbers, your logon credentials to any website that you are visiting. And these attackers cast their net wide, which is why the free Internet Public Libraries, airports, coffee shops pose a real high risk. By comparison, your homework network is much safer, it’s much less likely that someone can walk in to your house or sit on your driveway and join your network. Plus, if you take all the steps to protect your home Wi Fi router properly, things like changing the default username and password which everyone should be doing. Using a VPN at home for protection against cyber criminals is probably not going to be one of your top priorities, I’d say. But let’s talk about how a VPN might be useful at home for some people. And it’s not so much a security matter, because I think we’ve covered that in terms of passwords and usernames and changing default settings. The use of a VPN at home really comes down to a matter of privacy rather than security. And it can help you protect from an unkind a number of types of privacy threats. Your online activity can be tracked to anytime you visit a website or you open an online application companies. Many companies now collect this information about you so they can improve their products. They show you targeted advertising based entirely on your online activity. Now a VPN, especially paired with a sort of an anti tracking tool perhaps can strengthen your anonymity, and how hide your specific activity against these trackers. And a VPN at home will not only add this extra layer of protection, but it also makes it harder for anyone to see exactly what you’re doing since they won’t be able to find your IP address. Keep in mind with a VPN sites can still track what you’re doing on their platform. So although you may be able to get to a site, once you’re on that site, it will be able to track your activity. And even when you go elsewhere and you remain on that site, they’ll still be able to monitor you. And that’s how companies like Google use your data and they learn a lot more about you than you might realize. But without a VPN your internet service provider has access to everything you do online. Besides monetizing your data, the your internet service provider might throttle your connectivity speeds if you’re downloading or streaming a lot. So hiding your internet activity in a private tunnel makes your ISP blind which may help you in some of these cases. And that’s one fact one of the most popular reasons to use a VPN at home is to access streaming content that’s not available when you’re traveling in certain countries. I know Simon, you’ve come across this issue specifically. Only recently.

Simon Edwards 38:04
Yeah, I think getting access to streaming content is probably where most people will see some kind of value for using a VPN. There’s been quite a few TV adverts for VPN services recently. So I think more home users have become aware of what of such a thing as a VPN, although they may not necessarily have a need for it. But certainly, you know, I was I was in the States watching a movie on Netflix, for which I have a legitimate subscription. And when I came back, it pushed me off into a different movie altogether, because I was back in the UK. So I used a VPN to pretend to be in the States. And I could then resume and finish the movie. So that was quite useful. And they are quite high performance. So you can stream quite happy to a mobile device. For example. Although getting it set up with your Apple TV, I think we’d probably be a lot harder to do. I think the important thing though, for home users is to imagine that VPNs function is to encrypt your information as it flows across the Internet and what you said Marc earlier about the website, still being able to track you is absolutely spot on. They will be able to track you as you move between them, you’ll still see targeted advertising, what you’re really doing is hiding your internet behavior from your ISP. And you might think that that is super paranoid to want to do that. But there could be good reasons. So for example, it was a long time ago. But BT said that it was British Telecom at the time, experimented with a commercial company looking into targeted advertising. So without actually giving permission, everyone who use BT broadband at the time, they were being tracked and another company was going to use that information to serve advertising towards them and it was very specific targeted advertising, so it’s very, very creepy. So you may choose not to trust your ISP or they may block content that you want to get access to. One of the big classic examples is if you’re in China, they’ve got the special firewall in China, which blocks the citizens and that country from accessing certain kinds of news, for example, well, you might find the same thing with your home ISP, they may block certain kinds of content.

Marc Briggs 40:21
We’re talking about ISPs here. And we’ve, we’ve talked about them being the bad guy in some of these in some of these scenarios we’re talking about. But what we have to remember is that, although we might be hiding our activity and location from our ISP, by using a VPN, we are still exposing that information to whoever’s providing the VPN. So it is a balance of trust, who do we trust more, our ISP or our VPN providers, because at the end of the day, it’s a pick and choose between the two.

Simon Edwards 40:58
Yes, and I think that for the people who are trying to access content that they’re being blocked from so American, Netflix, for example, let’s say that, you know, that’s just the big elephant in the corner in pornography, for example. You might be at home in your, you might be staying with your parents, and they may have blocked sort of adult content, and you might want access to it. So a VPN would allow you to do that. So it’s not so much. You have to distrust your ISP, it’s more, you’re getting around some kind of access control that’s there. But then you are putting all of your eggs into that one basket of the VPN provider. If it’s a company that you think is credible, and inverted, commas trustworthy. I mean, tech companies don’t have a great reputation for having our best interests at heart. But if you do trust that, maybe you could say, Well, f secure they do a VPN, I trust F secure enough to use their VPN, over all the different ISPs and Wi Fi hotspots and things that I’m going to use in the course of my my year, but free VPNs really worry me because how is a company able to provide a big, fast, global networking infrastructure for free, just to be nice to me, and let me access porn or, or kind of political content that I want to get to. That does seem too good to be true. Not all of these VPN companies are good, some have got quite shady pasts, and some have been caught out, stealing and abusing information that they’ve caught from their so called clients. Before we summarize really what our conclusions are on on whether we need a VPN at home, which we have already given the answer to it’s probably know from a security perspective is in like in your house

Marc Briggs 42:45
in your house? Yes, we’ll talk about we’ll just go over some of the advantages because people do use VPNs, and people are paying money for them. We’ll go through those advantages. And then it’s up to the individual person, whether they decide whether a VPN is right at home is right for them or not. So the streaming content that we’ve spoken about, it is possible to stream content from different parts of the world using a VPN, because you just change your location. But be aware, this may not be legal in the country that you’re in. And equally, the a lot of the streaming content providers are becoming wise to this and are attempting to block it. But it is an advantage. Using a VPN will ease your fears about using public Wi Fi. But that’s a different matter. It’s not what we’re covering here, we’re talking about using VPN ‘s at home. And we would recommend using a VPN or when you’re on public Wi Fi

Simon Edwards 43:47
Well, I might have a different view on that on that people in the old days will tell you, you know, you go to San Francisco to a conference and you’ve got the hotels and you’ve got McDonald’s and you’ve got these open Wi Fi networks everywhere. And you probably would have been a bit bonkers not to have used a VPN in those circumstances because you’d log in to your email, you’d maybe log into your bank. And in those days, a lot of the websites that we logged into didn’t use encryption. So your bank almost certainly would you know, Pay Pal, for example, always had that padlock up in the in the browser screen. And one would hope that the mobile apps had the same level of protection, although we know people who tell us otherwise. So in those days, logging into email, your email accounts very important. Your password would leave your computer and go through that Wi Fi network in clear text so bad guys could read it. And you and I mark have both used equipment where we can sit in areas where there’s public Wi Fi, and get access even without the passwords. So it’s an it’s a cheap and relatively easy thing to do actually. So in those days, a VPN was quite sensible because it didn’t encrypted your traffic through that insecure network. But some time ago, Google decided that everything should use encryption. So the Chrome browser was made to essentially fail if you tried to visit a website that didn’t have the padlock. And so if you go to one of those sites, you get a black screen and it says, you know, this is a bit dangerous, are you sure you want to proceed, and there is a link to carry on, but it’s hidden quite low on the page, and it’s very small text, they really don’t want you to do that. So that put pressure on all these websites to get the padlock. Which means that these days, it’s actually quite rare to find a website that doesn’t encrypt the traffic between you and it. And I think that has made the the home security features of a VPN redundant. Now, I don’t think that in your on your laptop or your phone, you do need to use a VPN, when you’re out and about using public Wi Fi.

Marc Briggs 45:57
Okay, that’s fair enough, the padlock icon on websites, the HTTPS protection that provides is fair enough. And we see it quite often now. And we see the warnings when you’re trying to get to websites that don’t have that. But what happens if you are in Starbucks, for example, and you’re, you’re looking for the Starbucks free Wi Fi, but instead of logging into Starbucks free Wi Fi, you log into Starbucks Wi Fi free and impersonating access point. Yeah. So you’ve got a man in the middle attack? Is that? Is that still a concern?

Simon Edwards 46:41
I mean, there’s not ideal when that kind of thing happens. And what anyone with a control of those access points can do is to see where you’re going. So let’s say I caught you out in that way. And you logged into my special access point, I could work out which bank he used if you went to your bank, but I still wouldn’t see your password because it would be encrypted, would you have could you have a sort of key logger where we could do a man in the middle attack. So encryption isn’t invulnerable to this, there will be there are clever ways of doing it. But you’re kind of getting up into quite high end kind of nation state levels of surveillance at that point. And the way the technology works these days, I’d be surprised if you didn’t get some kind of complaint from your software saying, or I’m not sure about this certificate being asked to use Are you sure? And you know, a lot of people would go, Yeah, I am sure. And they’d click OK. And then they would be vulnerable to that kind of man in the middle attack. But if we’re talking about home users and not business people, I think that the risk is significantly lower today than it was. And I think people don’t care as much about this personal security on their devices, they take a lot of it for granted. So to expect them to use a VPN for the very, very minor increase in protection that they’d get, I think is unreasonable.

Marc Briggs 48:01
Okay, that’s fair enough.

Simon Edwards 48:04
You didn’t expect that.

Marc Briggs 48:06
No, I’m going back to the advantages after Simon scuppered, my comment about using public Wi Fi, we’ve talked about blocking websites, Simon talked about a particular scenario, but you may be at school or work or even abroad, and there may be blocks that have put in place, for whatever reason, it may be censorship, it may be for saving bandwidth, trying to increase productivity, or with your work to stop employees going on social media, and spending all the time doing that

Simon Edwards 48:39
GDPR as well. So when the rules in Europe came out about data privacy, a fair number of US based websites simply blocked access from Europe, because they didn’t want to go through the headache of complying with the law. So you must have seen that we try and get to a website, it just says sorry, you’re not in the States, you can’t see this content.

Marc Briggs 49:01
Yes. And of course, using a VPN would get around. Yes, these issues. Shopping deals actually is something that people use VPNs for, because the VPN cloak identity and keep companies and third parties from collecting data about your online activity, you potentially could actually save a little bit of money, shopping, things like flight tickets, hotel rooms, car rentals, those websites often have tracking activity, and they hike up your price. If you visited their site a number of times, they can also change their price depending on your location as well. So using a VPN combined with anti tracking features, something similar to that will enable you to compare prices and get the cheapest deal without you being unnecessarily penalized was for visiting the site multiple times tell you a funny story. Have you been done by this?

Simon Edwards 49:57
Well, I had to use a VPN to get around our are in banks security. So I was using a Wi Fi hotspot at a Travelodge in the UK. And for some reason the security system at our bank decided they didn’t like me connecting to it. So it locked me out of my account. And I couldn’t do something fairly important from the hotel. So I used a VPN, I gained access to the bank, again, did what I needed to do. And then about a week later, I got a phone call from their security team asking me about what had happened. And I owned up to using a VPN to bypass their blocking. And they were like, Okay, well, we understand. But please don’t do that. But I mean, how lame is that they’ve they’ve locked away a Wi Fi system that they don’t trust. And yet I could bounce off Bulgaria. And they’re absolutely fine with that.

Marc Briggs 50:47
So there are a number of benefits of using a VPN. But these costs money. And as we’ve said, we’ve pointed out that if you’re going to get a VPN, then it’s worth investing in a paid product from a company that you have some trust in, because it does cost to provide the service. And your data is more questionably being used from a free service than it is with a paid for service. I think a good rule would be to make sure you trust your VPN provider, at least as much as you trust your own internet service provider. Yeah, they’re just so it’s worth it is it you know, because you’re just, you’re just replacing one large tech company with another. There are some other disadvantages to using a VPN. Since the VPN connection means your web traffic is going through additional steps like the encryption and connection to another server, you could experience a decrease in your browsing speed. This is probably less relevant for more premium VPN services, which if you are going to use them, the ones that we would recommend they they’ve got other mitigation measures put in place designed to reduce any slowdown,

Simon Edwards 52:05
it would be surprising if a VPN didn’t generally slow down your traffic. The one exception that I can think of would be where you’ve got an ISP who’s throttling your internet because it doesn’t want you to saturate its network. So for example, you might be on an ISPs network and want to use something like Netflix. And they might be giving priority to their own media streaming service. So they might throttle Netflix stuff. And in that situation, using a VPN might give you a better experience. Yeah, but that’s because you’re getting past someone purposefully slowing down your traffic, which really sucks. But because of VPN uses encryption, if there’s nothing, no shenanigans like that going on with the ISP, you would always expect a VPN to be slower than not using a VPS more work for it to do Yeah. And it’s hopping through other systems on network more, more distance for the data to travel, if you want to put it that way. But also the data is being encrypted. So all these computers are using up processing cycles to handle it.

Marc Briggs 53:06
It would make sense to choose a VPN that doesn’t log the websites you’re visiting the apps you’re using, or any of the content that you’re consuming. And this is something to look out for. If you do pick a VPN, I’d love to know how you would verify that they don’t log? Oh, yes, it’s a marketing claim. But you just have again, it comes down to the trust of the company that you’re that you’re using. And there was a case of that while ago with protonmail, a secure email service where law enforcement got in touch with them and did get some kind of meta data off them.

Simon Edwards 53:42
And I suspect that if you were a VPN operator, and you genuinely didn’t log anything that came along, and then the local police or government came to you and said, I want you to track Simon. They’re going to do that for them. They will turn on logging if they’re asked to. So it comes down to the question, which is what this podcast is all about as it at home. Do I need a VPN? I think a home user no longer needs a VPN. It used to be part of a security toolkit that we would recommend most people have, but kind of didn’t expect many people would bother with. Now, I think it’s absolutely not a necessity. But it can be a useful tool for fun stuff in this country, at least for accessing content that might not be generally available T but it’s more a leisure utility than a security need.

Marc Briggs 54:36
Now, I’m probably a little bit more skeptical than you I certainly wouldn’t use a home VPN for the vast majority of the time but I’m still I’m still have the old school I remember being taught about or the man in the middle attacks at your local Starbucks and stuff like that. So generally, if I’m using a public Wi Fi in a library or an airport or If something like that, I’ll tend to use a VPN service that you can just put on. For a, you can just have it for a day or a few hours or something,

Simon Edwards 55:09
you’re probably more interesting than most normal people, though. Like, if you’re an absolute standard user, and someone sets up a man in the middle thing, what most people are doing won’t be of any interest to the bad guys for that level of technical capability. But as a business person working in the cybersecurity world, I would much rather hack someone like you than Mr. Miggins. Who’s going on holiday to Spain with his kids.

Marc Briggs 55:32
Yeah, yeah, exactly. The vast majority of people probably in Starbucks at us on social media anyway, so you could probably just go online and see what their posts like.

Simon Edwards 55:39
Can you imagine how boring is like social media is boring already. Imagine watching other people doing social media.

And now, just before we finish it Security Life Hack time. At the end of each episode, we give one or two special security tips that work for real people in the real world, for work and in their personal lives. This episode’s Life Hacker is VPN pioneer, unwanted software crusader and science fiction author, Dennis Batchelder.

Dennis Batchelder 56:12
This is Dennis from AppEsteem. Have you ever wanted to lend your phone to somebody but were hesitant because you didn’t want them to steal something from it or to see something that they shouldn’t? There is a great solution for that. Use the guest mode on your phone. If you have an Android device. It’s called Guest Mode. If you have an iPhone, it’s called Guided Access. Just search for turn it on. You’ll love it and it will save you!

Simon Edwards 56:36
Please subscribe. And if you enjoyed this episode, please send a link to just one of your close colleagues. We also have a free email newsletter. Sign up on our website, where you’ll also find this episode’s, show notes, and bonus episodes featuring full length interviews with our guests. Just visit DecodedCyber.com and that’s it. Thank you for listening, and we hope to see you again soon.

Feedback

Please send your comments, questions and concerns to [email protected].