
(Continued from page 24)

BY-NC-SA 2.0 1

13. "Day 76 of 365: kuchenne rewolucje" by Arek Olek (cropped) is licensed under CC BY 2.0

This work by Arthur Gresham is licensed under a Creative Commons Attribution 4.0 International License.

As long as you attribute this article, you can use it in part, or whole, for your newsletter, website, or blog.

All photos and images are licensed as noted in the Credits under a Creative Commons Attribution 2.0 International License.



Cautionary Tale about Free VPNs

By Joel Ewing, President, Bella Vista Computer Club




One of the caveats in the VPN article in the March 2021 Bits & Bytes, also mentioned at the March General Meeting, was that free VPN services were not recommended. As if on cue, see the following article recently published by Malwarebytes Labs on "21 million free VPN users' data exposed."

A hack of several free VPN services revealed that not only were some services collecting user activity logs in contradiction of their advertised policy, but some were also collecting email addresses, passwords that were not encrypted, IP addresses, mobile device models, and IDs.

The whole point of using a VPN with mobile devices is to avoid exposing non-encrypted data when using a public Wi-Fi network; but if that data would have been non-encrypted on a public Wi-Fi without VPN, then with a VPN service, it is still exposed non-encrypted within the server of your remote VPN service. In addition, if the service also requires a special app to be installed on the mobile device, then that app will also see any non-encrypted data before it is sent to the VPN service and potentially have access to other data on the mobile device. Thus, a free VPN service is much more likely to be tempted to exploit its access to non-encrypted data if that is its only way to profit from the free service.

One of the reasons for distrusting the security of a public Wi-Fi network is that you can never know whether or not it is supported by secure hardware or whether that hardware is configured correctly to at least make it as secure as possible. Because of the limited number of users on one Wi-Fi network, the motivation to expend much effort to hack that one network is not high. But, if it shares an exposure common to many other Wi-Fi networks using similar hardware, it could be at risk. Furthermore, the users have no way of knowing the details of a particular public Wi-Fi node, so it is wise to err on the side of caution. A VPN service, on the other hand, may have hundreds of thousands of users.

The possibility that a free VPN service may be engaging in questionable behavior and be holding sensitive user data on its servers makes it an extremely attractive target for hackers and data thieves, who can justify spending much time and effort to break in. That makes any collection of sensitive information by a VPN service a more serious concern. One of the suggestions made is that you should look for reviews of a VPN service by known and trusted organizations before deciding on a VPN service. One of the interesting things that this data leak revealed was that there were several differently named free VPN services that all appear to be run by the same company. These were all supported by mobile apps that were gathering inappropriate data; that, combined with the attempt to disguise the company's true identity, suggests that this was a deliberate attempt to engage in unethical behavior.

Caveat Utilitor


Cyber Awareness Bulletin, October 2021, page 25