The VPN Illusion

in news •  7 years ago  (edited)

Today I bring you a hotly guarded topic, and this may be the first article that I hesitate to write. A huge community on the internet swears by VPNs and their protective attributes. Many defend their VPNs to the death, and I don't blame them. On the surface it seems like a great way to defend against some of the biggest actors. The ability to be “invisible” or behind a “proxy” is appealing to many. The sad reality is that anything that offers 100% security is lying to you. We have been shown time and time again how systems are vulnerable. Another fact is that VPNs are NOT a foolproof form of protection. They may be a good smokescreen against low-level hackers or scammers, but against actors with resources they do not stand a chance. Through leaks from the Equation Group (NSA) we see that they have no issue breaking VPN protections. Not only can agencies break VPNs, but nations can now shut down entire VPN services. This was shown by China's forceful reaction to one of its most popular VPNs.

       “A VPN theoretically creates a secure tunnel between two points on the Internet. All data is channeled through that tunnel, protected by cryptography. When it comes to the level of privacy offered here, virtual is the right word, too. This is because the NSA operates a large-scale VPN exploitation project to crack large numbers of connections, allowing it to intercept the data exchanged inside the VPN -- including, for example, the Greek government's use of VPNs. The team responsible for the exploitation of those Greek VPN communications consisted of 12 people, according to an NSA document SPIEGEL has seen.” - http://www.spiegel.de
       “GreenVPN sent a notice to customers that it would stop service from July 1 after “receiving a notice from regulatory departments,” without elaborating on those demands. VPNs work by routing internet traffic to servers in another location, such as the U.S., that is beyond the reach of Chinese filters.” - https://www.bloomberg.com

When nations can shut down a VPN service provider, what is there to do? Yes, you could connect to a VPN outside China from then on, but you now leave more footprints behind. Personally, I see VPNs (if you don't know what you're doing) as a tagging system for agencies. All they need to do is attack the centralized point, i.e. the VPN provider, which must hand over everything or risk going to prison. Some companies stayed loyal during these battles and were sent to prison, while other VPNs turned over information about their clients.

       “British virtual private network company Hide My Ass has said that it turned over logs on a suspected LulzSec member to the FBI in response to a UK court order.” - http://www.zdnet.com
       “According to an NSA document dating from late 2009, the agency was processing 1,000 requests an hour to decrypt VPN connections. This number was expected to increase to 100,000 per hour by the end of 2011. The aim was for the system to be able to completely process "at least 20 percent" of these requests, meaning the data traffic would have to be decrypted and reinjected. In other words, by the end of 2011, the NSA's plans called for simultaneously surveilling 20,000 supposedly secure VPN communications per hour.” - http://www.spiegel.de

VPNs have become increasingly popular recently due to most of these providers accepting BTC and/or other cryptos. This has been great for the VPN market, but it has also caused many new VPN models and providers to rush into the new market. Many providers are not battle-hardened with experience, and all we have to rely on is their word. Some VPNs have been tested and have fought off many encounters that threatened their existence. With the ever-evolving threats in the wild, many VPN providers were forced to evolve their defenses as well. One new protective feature, which should have been the default, came out of the “logging” scandal. Many VPNs were found to be logging everything. This was an obvious security risk, which is why many VPNs started to offer no-logging additions. There are still VPNs on the market that log everything, so if you're using a VPN, please inform yourself.

       “...Nevertheless, they ordered PIA to hand over its logs. ‘A subpoena was sent to London Trust Media and the only information they could provide is that the cluster of IP addresses being used was from the east coast of the United States,’ the FBI’s complaint reads. ‘However, London Trust did provide that they accept payment for their services through credit card with a vendor company of Stripe and/or Amazon. They also accept forms of payment online through PayPal, Bitpay, Bit Coin, Cash You, Ripple, Ok Pay, and Pay Garden.’ In the event the FBI was unable to link McWaters to any payment to the company. However, they did find a payment to another provider.” - https://torrentfreak.com

It would be assumed that if you were in the market for a VPN you would look into these sorts of things, but there are VPN companies that log everything and tell you otherwise. Still, there is a market of people who do not worry about that much protection. Most VPN users seem to just want to get around their country's restrictions, not hide from their government. There are instances where people are hunted by their government and need to use services like these, and if they use the “wrong” VPN they will be compromised.

       “VPNs are popular in China because the government limits access to a raft of content, from news and video to politics and pornography that it deems to be undesirable. For many internet users, services that enable them to bypass the Great Firewall are the only way to access Facebook, Twitter and the websites of the New York Times. Long a legal gray area, VPNs are commonly used by businesses, universities, and news organizations – including state-run newspapers – in China.” - https://www.bloomberg.com   

In conclusion, VPNs are decent for people who want to get past their government's restrictions. But if you're trying to hide from a government, or you use one because your life is in danger, they are not the best solution. Do the research if your life is in danger, take it into your own hands, and try to rely on as few people as possible. There are other viable and tested solutions depending on what you want to do. One battle-hardened solution is Tor and Tails. These programs can be used by anyone and are simple to use. If you have a critical need for them, then you need to understand how they work. I highly recommend looking into these programs even for your daily needs of staying “off the grid”. There are many ways to use these tools, so keep that in mind. Also remember that even Tor is not foolproof, and they state this fact themselves. Think of Tor, Tails, and VPNs as tools; not all tools will allow you to hammer a nail (unless you're creative). Also, never use these on a Windows OS if you're in a critical position. But if you're that deep into the matrix, then you should already understand these threats, otherwise you wouldn't survive.

       “The Tor software protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, it prevents the sites you visit from learning your physical location, and it lets you access sites which are blocked.” - https://www.torproject.org
       “Tor can't solve all anonymity problems. It focuses only on protecting the transport of data. You need to use protocol-specific support software if you don't want the sites you visit to see your identifying information.” - https://www.torproject.org 
       “Tails is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship almost anywhere you go and on any computer but leaving no trace unless you ask it to explicitly. It is a complete operating system designed to be used from a DVD, USB stick, or SD card independently of the computer's original operating system.” - https://tails.boum.org
 


Tor: https://www.torproject.org/projects/torbrowser.html.en  

Tails: https://tails.boum.org/
 

Attacks on VPN     

NSA High Level Description on TURMOIL / APEX Programs on Attacking VPN

Explanation of the GALLANTWAVE that decrypts VPN Traffic within LONGHAUL     

Intro to the VPN Exploitation Process mentioning the protocols attacked (PPTP, IPSEC, SSL, SSH)

Analytic Challenges from Active-Passive Integration when NSA attacks IPSEC VPNs     

Overview of the capabilities of the VALIANTSURF program     

MALIBU Architecture Overview to exploit VPN Communication     

POISENNUT Virtual Private Network Attack Orchestrator (VAO)     

NSA Presentation on the development of Attacks on VPN     

NSA Presentation on the Analysis and Contextualisation of data from VPN     

Description of existing projects on VPN decryption     

Explanation of the Transform Engine Emulator when attacking VPN     

Explanation of the POISENNUT Product and its role when attacking VPN     

Explanation of the TURMOIL GALLANTWAVE Program and its role when attacking VPN     

Processing of data from exploited VPN in the TURMOIL program     

Decryption of VPN Connections within the VALIANTSURF program     

Description on the processing of VPN data packets within the TURMOIL program     

Explanation on the SPIN9 program on end-to-end attacks on VPN 

(These were links to PDFs of the attacks in detail; I will not link them here due to them being TOP SECRET.) You can find out more here: http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html
 

P.S. Would love to hear about your opinions in the comments. 

Do you use a VPN? (You shouldn't tell anyone anyway)... 

Maybe answer this last question in your head...

Do you know if your VPN has logs on you?


Stay safe, 

  
 -Citizen 

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Excellent post and points here @citizen4
Really, lots of good stuff!
😉😏😎
It's a game that is constantly changing and lots of threats everywhere.

I think a lot of people will benefit from your content here.

I also dig the general theme and topics of your content. Stay well!

Keep it coming and Steem on 🐳

Thank you so much @itsmein3d

I'm so pleased that you enjoyed what I love. I can't put into words what it means to me.

The global threat is ever-evolving, we as a community must stay 10 steps ahead. Places like STEEM allow us to spread this information like wildfire. We must never let up.

Thanks again!

I think it is good that you underline what a VPN is NOT good for. Many people may not know this, but as you said at the beginning, they work fine for preserving one's anonymity from low-level actors.

I think the understanding that should be widespread is, that if you think you can protect yourself from high-level actors, then you are living in a fantasy world.

On the other hand, there are a variety of things (it seems, I am just trying to figure it out) that a beginner can do to secure themselves from the more pedestrian sorts of cyber crime.

I am doing a series here on Steemit where I am documenting my cyber security self-education starting with almost zero knowledge. Check it out!

Thanks!


Indeed, and it is an ever-evolving field. I love it even though I may not be able to write the best code. One main thing we need to focus on is bringing the thought of security to a broader audience. Now that we know what we're dealing with (NSA leaks), we should act on it. Crypto has also helped open the door to this type of discussion, which I just absolutely love because these types of conversations were largely ignored in the past. There are no words for how excited I am to see new faces thinking about security! Welcome to the party! Thanks for the reply as well.

I am following you because I hope to build some contacts where these conversations can happen.

On the one hand, I am conservative. I would like to understand what is in play to protect critical infrastructure in any country from cyber attacks. On the other hand, I definitely want to be able to have meaningful conversations about these topics here on Steemit.

I am very much a beginner, but I am working every day on it. Hopefully, we can take some of this apart in the future. I will keep an eye on what you are posting.

Best wishes!

Sadly we don't have anything to protect critical infrastructure. All we can do is get ready for it, all our infrastructure can do is get contingency plans together.

I would really like to see what got you into such topics, was it crypto that helped bring these thoughts into focus or something else?

Thanks again!

It has always been something I found interesting. Then, I heard a YouTuber talking about the effects of cyber attacks on infrastructure. A few days later, Petya happened, which affected several hospitals. That made what the YouTuber was saying much more vivid.

So it seemed like a good moment to start my experiment in autonomous learning.

I have a question for you. Are there any cyber security news sources that you prefer? I think becoming cyber security literate should include knowing a few good sources to quickly stay up to date in what is happening on the ground so to speak.


That's great to hear. Interesting that an attack brought you into focus on this subject; I actually don't hear that often. You would think that's where most people hear about things like this. But, from personal experience, most get into this because they were at one time compromised by something, which made them want to learn more so that it doesn't happen in the future or to their loved ones.

There are many sources I use. It really depends on what you're looking for specifically. https://news.ycombinator.com/ is kinda like the "Reddit" of these things, whereas Cryptome is a little bit more focused on the actual files of whatever they talk about. Keep in mind that many of these sites are watched by three-letter agencies. GCHQ watches EVERYTHING that connects to Cryptome. Also assume that if you download a PDF, you will be watched. To avoid these eyes is another subject entirely, but I think it's good you know. There isn't really any legal risk that I know of, but as we know with these agencies, all they really care about is saving data. This is in case you do something in the future; then they will be able to pull up everything you've downloaded or done and ask you about why you downloaded or viewed a specific file.

I recommend finding your own way around and just start searching for things because it's the best way to learn. I also recommend searching these types of things through Startpage because they proxy your searches and then forward the search query to Google. This offers a light protection against Google's (NSA) prying eyes. But none of these protections really work on Windows or Intel tech. There is just so much, which is why I highly recommend to just follow your nose wherever it goes!

That's some great stuff for me to look at. Tomorrow, when my voting power is somewhat replenished, I will come back and upvote this.

Yeah... I am being super transparent about my interests because of the amount of surveillance. I want to work on understanding how to secure myself from low- to mid-level criminals mainly as an exercise. I can see that thinking beyond that is pure hubris.

Thanks for the suggestions!

The human element is the weakest link in any chain of security. Phishing emails are a simple example of this. One of the first steps in securing yourself is to try and see your past mistakes. Easy passwords, public info, etc.
Thinking beyond is not hubris in my eyes, it is what is needed now. The internet helps bring light to this darkness but many still have their eyes closed.

You're very welcome @stover.daniel
Thank you for asking questions.

Good stuff. Resteemed, upvoted and recommended to others.

Thank you very much Thomasaquinasftw (:

Good article. Tor is not perfect either, but it is the best tool for surfing the web stealthily.

For sharing messages I will seriously consider training pigeons for carrying encrypted pendrives.

Thank you @ropaga for the reply. It isn't foolproof and they state it themselves too.

The best way to be secure online is to not be online at all. This is a funny fact some are starting to realize. With all the threats being leaked, how can the technical illiterate be safe? Communities like these are what bring these conversations to the forefront. I'm blessed to have found STEEM and everyone in the crypto community is amazing.

Good article,
but I'm not understanding about VPN.
What is VPN?

"A Virtual Private Network (VPN) allows you to connect to the internet via a server run by a VPN provider. All data traveling between your computer, phone or tablet, and this “VPN server” is securely encrypted." - https://www.bestvpn.com/vpns-beginners-need-know/

Hope this helps (:

Thanks for the reply and compliment!

@@ -1,12 +1,12 @@
Goo
-p
+d
post.%0A%0A

That is exactly what I was thinking.

I may be a victim of disinformation, it's difficult not to be, but I did read somewhere, sometime back, that the TOR was also a CIA operation. Would be natural for them to want to start something like the TOR. So I don't know about the TOR or any other one of these. A crying shame.

Also read that all the processing units sold in the USA had back doors built into the architecture, so that it does not matter what you do in the USA, they can get into your PC. This I picked up from some video on YouTube in relation to WikiLeaks. I'm sorry I can't remember exactly the sources. I wonder if buying a computer in Mexico or Russia would solve the problem. Would be wise to do if possible, and not to buy in the US if you live here.

I don't want to spread useless fear, just reasonable caution.

Well, the internet was in part created by DARPA, which is why, when online, you have to assume you're being watched or can be watched. Things like Tor are open-source tools, so you must first know how to use them. The goal is not really to hide, it's to be a part of the herd. What Tor does is make everyone look like the same sheep in that herd. It doesn't mean you can't be spotted out from the herd. Anyone can see Tor connections and/or where they might go, but seeing what the data is is difficult. This is why things like Bitcoin are here to stay, because it works on everyone agreeing to not trust each other. The assumption within the blockchain is to trust no one. This is another attribute of decentralization. I hope my weird allegory didn't confuse you more. The CIA have very good weapons, but they don't have good hackers. All the CIA can do is hire hackers, but that is another subject.

Yes, this is true with Intel. You must see the threat to do something about it. There are people to this day that swear Windows doesn't spy on them. They even go as far as to defend Windows and get physically angry when that reality is brought up. It's only because they haven't seen the threat. But, now that we have leaks, we see everything. And people enter the 5 steps of grief at their own pace.

Thanks for the reply! (: