Where did this Survey App come from?

I came across a photo on Twitter last week that showed a letter that was sent to a person in the UK from a company called Ipsos MORI. They are a survey, research company over in the UK. The letter asked the individual to install an app on their smartphone or tablet and to participate in surveys for which they were going to get some payments. Now there is some privacy concern with this app.

The microphone? Why?

The first one is that it wants permission to access to microphone. To be able to record audio and they say they will wake up randomly and listen to what’s on in the background, to see if a particular television programme or radio programme is on. But it could record something else. <wink, wink, wink> You know what I mean. So there is that concern.

A root certificate? What’s that?

They also ask you to install a root certificate and most people don’t know what a root certificate is. Basically this will enable the survey company to be able to watch everything you’re doing on the internet. Every site you go to. Everything you log into. They will be able to capture your passwords, your user IDs, some things like that. They say they won’t use them, but they can. That is a real, significant risk. People will just click OK because the instructions tell them it’s ok to do so. Don’t install root certificates people, please.

Anything else wrong?

There’s also some VPN that’s installed. I’m not sure how bad that is that hasn’t been researched fully yet. But that’s still a little bit iffy.

So look, if you’re being asked to install an app and you are being paid money for it, check out the privacy implications. Talk to a professional about it to see are you being violated in anyway.

So that’s it for this week. Let’s be careful out there and we’ll talk to you again next week.

How can L2 Cyber Security help you?

We offer a full range of training programmes, which can be delivered online or in-person*.

L2 Cyber Security are also a partner of CyberRiskAware for online self-directed Cyber Security Awareness training and Phishing testing.

Contact us for more information at info@L2CyberSecurity.com.

*With appropriate social distancing and other health and safety measures adhered to.

Follow us on Social media:

Liam is available on Twitter, LinkedIn and Instagram.

Follow L2 Cyber on Twitter, LinkedIn, Instagram and Facebook.

© L2 Cyber Security Solutions

The post #WeekendWisdom 057 Dodgy Survey App appeared first on L2 Cyber Security Solutions.

We don’t do VPN logs … often

BolehVPN clearly states on their main site that they have a No logs policy. There for all the world to see in green and white:

And yet, if you mosey on over to their privacy policy, that changes things:

This might seem a reasonable process to allow. After all nobody likes people who are abusing a service. However they are saying they turn on VPN logs to capture enough information to be able to identify a user and find out what they are up to that is causing the alleged abuse. Now bear with me on this one. It’s not as far fetched as you might think.

• What if the “abusive user” was actually law enforcement in a totalitarian regime?
• What if they had compromised BolehVPN’s servers and were trying to locate “rebel activists” within their borders?
• What if they start overloading the servers, prompting BolehVPN to initiate logging to identify the offenders?
• If the “rebel activists” were connected at that time, then law enforcement should be able to gain access to those logs and be able to identify them.

I’ll now toss in the GDPR aspect here. That privacy policy doesn’t specify what personal data is being logged, which would actually be a requirement for any EU resident using the BolehVPN service. So they would be in breach of the regulation here.

Careful wording

Some providers use very carefully chosen language. For example Astrill VPN says clearly on their main website page “No Logs kept” and then in their privacy policy they indicate that they have logging in place, but only while the connection is active. So the logs are not kept, but they still exist for the duration of the connection.

At least Astrill specify what data they have in the “temporary” log.

Excessive VPN Logs

Other providers are quite open about the information they log on you, but in some cases the amount of information they log is actually quite concerning. HideMyAss VPN keeps a record of the following for at least 30 days (though it could be longer):

For a company that sells a product that supposedly improves your online privacy, that is quite a lot of information about you that they are holding onto. The other concern here is that HideMyAss is a UK based company. The United Kingdom has in recent years passed what is known as the Snoopers Charter. This gave government ministers powers to access peoples personal data without there being a suspicion of law breaking.  Also the UK is a member of the Five Eyes Countries. These countries regularly ask for and are provided with intelligence about individuals, ostensibly for national security purposes.

With the amount of data logged by HideMyAss and easy access to it by the powers that be, you won’t be browsing the internet as privately as you may think. They have, in the past, handed over information to the US FBI about a hacker.

I’ve broken no laws. Why should I be concerned?

You may have broken no laws now. But what if the government introduced a law that you didn’t like and you could bypass this law by use of a VPN. You might value the fact that a good private VPN doesn’t give law enforcement enough data to convict you.

While this might be an unlikely scenario (though with the way things are going in the US right now, who knows), it probably isn’t something that should directly concern you. Flip this around though. There are countless people (e.g. journalists, human rights advocates), living in countries that are effectively police states, who are trying to get the truth out about what is happening in those countries and they absolutely need every bit of anonymity that they can get.

VPNs are absolutely essential to these type of people, but also for people who value their online privacy and security. I typically will never connect to a public Wi-Fi internet connection (e.g. in a coffee shop) as I simply do not trust how they have been set-up. I also cannot be certain that the access point to which I would connect is actually the one being provided, as an evil doer can have their Laptop “impersonate” (spoof) the coffee shop’s Wi-Fi and then record all of the data that is sent and received from my laptop.

Instead, I will typically use the hot-spot facility on my phone to connect to the internet. However if my signal is terrible and I really need to get on the internet, I will connect to the Wi-Fi, but then immediately establish a VPN connection, thus encrypting my connection and making all of the data meaningless to any bad guy intercepting my traffic.

The bottom line here is, if you value privacy, then get yourself a VPN that does not log any data about you or your activity on their service. You’ll have to read the privacy policies closely though to ensure that this is the case and that VPN logs are not recorded.

Let’s be careful out there.

The post VPN Logs. Should you be concerned? appeared first on L2 Cyber Security Solutions.

What’s this VPN thing anyway?

A VPN is (usually) a piece of software that is installed on your computer or mobile device which establishes a secure connection between that device and some other point on the internet. That could be your corporate network or a VPN provider’s network. The connection is fully encrypted, so all the data flowing between your device and the other end of the connection will be meaningless scrambled data. It will be useless to anybody that intercepts this data.

What is also very important is that the VPN hides the users identity/location by making your device appear to be located elsewhere on the internet, rather than where your internet provider shows you as being. It does this by assigning your connection a different address on the internet, also known as the Internet Protocol (IP) Address.

So what data does some provider’s VPN leak?

The simple tool provided by the security researcher Paolo Stagno can show your original IP address as well as your VPN provided IP address. Therefore a website can tell where you actually are on the internet rather than where your VPN provider is trying to show you as being from. So here is an example of where you have a VPN leak:

As you can see, in the lower half (Web RTC), your Internet Service Provider (ISP) provided IP address is shown, along with your actual internal address of your local home or office network.

Compare that now to a VPN connection where they are not allowing the data to be leaked:

Here we see only the VPN provider’s IP address and their internal network address. So somebody using this VPN would not be at risk from being identified and located on the internet. This is important to maintain privacy, as that is one of the main reasons for wanting to use a VPN in the first place.

If you would like to have a chat about some of the security services we can provide, then please either send an e-mail to info@L2CyberSecurity.com or call us on 087-436-2675.

The post Does Your VPN Leak Data? appeared first on L2 Cyber Security Solutions.