heresa Payton, CEO of Fortalice Solutions, is one of the most influential experts on cybersecurity and IT strategy in the United States. She is an authority on Internet security, data breaches and fraud mitigation.
She served as the first female chief information officer at the White House, overseeing IT operations for President George W. Bush and his staff.
With the U.S. midterm elections fast approaching, both Payton’s observations about the current cybersecurity threat level and her advice about shoring up the nation’s defenses carry special weight.
In this exclusive interview, she also shares her views on social networking, privacy, and the changing playing field for women who aspire to leadership roles in technology.
TechNewsWorld: What is the chief cyberthreat to the upcoming midterm elections?
Theresa Payton: My biggest worry and concern is that citizens will not trust election results and that the election process will lose legitimacy. We know that the Department of Homeland Security, working with state election officials, have raced against the clock to secure voting systems. Our U.S. intelligence agencies have repeatedly been on the record stating there is no evidence that cybercriminals modified or deleted any votes in 2016.
The next area of concern is for the communications, contacts, and digital campaigns of candidates being broken into and doxed. While the news focuses on securing the votes and the voter databases of the midterm elections, there is not a lot of attention on whether or not campaigns take threats targeting their campaigns seriously. Nothing would hit closer to home for a candidate than if their election was hacked and they lost — or won.
“Cyber” is certainly a buzzword, but it’s not a word without meaning. With the onslaught of breaches, candidates should be laser-focused on cybersecurity.
TNW: What should federal officials do to shore up election security? What should state and local governments do? Where does the buck stop?
Payton: It’s crucial that elected officials on the left and right not politicize an issue in the short term that will have grave long-term consequences for national security.
Defensively, we need to harden our election infrastructure at the local level. This is the responsibility of the Department of Homeland Security.
DHS needs to continue to work at the local level with state election officials, but also to provide much more robust cybersecurity capabilities for protection and detection at the campaign level.
We also need to be sure that the intelligence and homeland security community is effectively sharing information and tools, techniques and tactics.
TNW: How serious are concerns that election interference might be caused by tampering with back-end election systems? What can federal agencies do to address the problems of outdated voting equipment, inadequate election-verification procedures, and other potential vulnerabilities? Is there an argument to be made for some level of mandatory federal oversight of state and local voter systems?
Payton: There are grave concerns about election interference and the race to secure them, globally, is under way. The idea that voter databases could be seeded with falsified data or modified has been around for decades, but the technical know-how and motive has caught up with that idea. Election officials in a race towards automation and efficiency may have helped criminals along, but it’s not too late if we act now.
Today, there are entire countries totally relying on electronic voting: Brazil, since 2000, has employed electronic voting machines, and in 2010 had 135 million electronic voters. India had 380 million electronic voters for its Parliament election in 2004.
It is easy to see why electronic voting is the wave of the future and how the United States could model its own voting system after these countries. It’s faster, cheaper and more accessible for those with disabilities. Also, would you miss the experience of, or the reporting of, the every-election-day headline of “Long Lines at the Polls Today”? Probably not. That is certainly less painful than a recount though.
We are headed towards electronic voting as the sole system we use despite these facts:
- “The U.S. intelligence community developed substantial evidence that state websites or voter registration systems in seven states were compromised by Russian-backed covert operatives prior to the 2016 election — but never told the states involved, according to multiple U.S. officials,” NBC News reported earlier this year.
- Russia hacked the Democratic National Committee’s emails with the intention to “interfere with the U.S. election process,” according to the director of national intelligence, James R. Clapper Jr., and the Department of Homeland Security.
- As far as we know, despite the scans and alarm bells, no outside entity has changed any records in the registration database.
- Scams such as “text your vote” were more prevalent than ever, and will increase as electronic voting becomes more widespread.
The good news is our government took this very seriously. Prior to the midterm elections, the Department of Homeland Security offered state election officials “cyber hygiene scans” to remotely search for vulnerabilities in election systems. They also conducted threat briefings and onsite reviews, as well as released a memo of “best practices” — guidance how best to secure their voter databases.
Some have called for more federal oversight and moving towards a more restrictive security model, but the states own the voting process. Providing year-round briefings from DHS, FBI, CIA, and NSA would prove to be very helpful over time.
Also, we have to remember elections are decentralized. Sometimes there is security in obscurity. Each state in our country, plus the District of Columbia, run their own election operations, including voter databases. A hostile nation state could not feasibly wipe out each system with one wave of their magic wand.
How we vote, though, is just one-way our elections could be compromised. Another concern going forward must be disruption of Internet traffic, as we saw occurred just days before the last presidential election cycle on Oct. 21st, 2016, when the Mirai botnet crippled part of the Internet for hours.
A massive Distributed Denial of Service (DDoS) attacked a host server causing major disruptions to some of the most highly visited websites in the United States. The attack was in two waves, first on the East Coast and then on the West Coast.
As our country votes on Election Day in different time zones, and polling stations close at different times, the similarity is chilling.
However, we need everyone to turn out to vote. The focus on bolstering our election security defenses is reassuring. What we know is the warning signs are there. As we move towards the future, and focus on creating and protecting a new system to collect our votes, we need to protect the one we already have.
Two things you can be sure of after this year’s election: Eventually, every vote you cast in a United States election will be electronic, and one of those elections will be hacked. No doubt about it. But the recount in 2016 in Wisconsin reminds us all why we need a backup.
TNW: What are some ways candidates and campaigns can shore up their cybersecurity without draining their war chests? What are some of the practices they should implement in the very early days? A campaign that’s very secure ultimately might lose due to lack of visibility. How can campaigns strike the right balance?
Payton: Never before have campaigns collected so much essential information that would be lucrative to so many cybercriminals. Credit card numbers, bank account information, addresses, online identities. The assets go on and on, and cybercriminals are just like bank robbers in the old days: They follow the money.
That is why in today’s day and age, if you are on a campaign, whether it be state, national or local, you need to be as vigilant about protecting data as any business. Otherwise, you will lose your customers — also known as constituents and voters.
Anyone on a tight budget can follow these guidelines to protect their campaign assets:
- Make it as hard as possible on cybercriminals by separating donor information details onto a completely separate domain name with separate user IDs and passwords from the campaign. For example, your campaign domain might be VoteSallySue.com, but donor details would be stored at MustProtectDetails.com.
- Using that same practice, run all of your internal communications on a domain name that’s not the campaign name — i.e., email addresses should not be [email protected] but rather [email protected] Increase the level of protection for internal messages by using encrypted messaging platforms for internal communications, such as Signal or Threema.
- Also, be sure to encrypt all of your campaign’s donor data. We have yet to hear a report of a campaign’s donor data being hacked and used for identity theft, but we will — of that I am sure. It would be too lucrative not to try. Once it is hacked, it will be hard to restore confidence in your operation. Just ask any major retailer, bank or organization who has recently been hacked, and they will tell you. I don’t even need to use their names, you know the headlines.
- Train technology and campaign staff to spot spearphishing emails and scams. Oh, sure, you think everyone knows not to “click on that link,” but recent studies illustrate doing just that is the No. 1 cause of breaches among employees.
- Another safeguard that raises the bar in terms of security is implementing two-factor authentication wherever feasible. When you use a platform that employs two-factor authentication, don’t you feel safer? Possibly annoyed, as well, but certainly reassured that the extra step has been taken to secure your data. Don’t you want the electorate to feel the same way?
TNW: How well — or poorly — have Facebook, Twitter, Google and other tech companies addressed the problems that surfaced in 2016?
Payton: I was encouraged to hear that with less than three weeks to go for the U.S. mid-terms, that Facebook has stood up a war room to combat social media community manipulation as the world heads into elections this fall and winter.
They have also said they have war-gamed a number of scenarios to ensure their team is better prepared for elections around the globe. Much is at stake, so the fact that Facebook also integrated the apps they have acquired — such as WhatsApp and Instagram — into the mix of the war room is a great idea.
If I were to give them advice, I would suggest that another great step to take would be to create a way to physically embed representatives from law enforcement, other social media companies — including Twitter, Linkedin and Google — and to allow election officials around the globe to have a “red phone” access to the war room.
TNW: What are some of the most pressing cybersecurity problems facing social networks, apart from their use as political tools?
Payton: The ability to change their business and moderator models, in real time, to morph quickly to shut down fake personas, fake ads, and fake messaging promoting political espionage, even if it means higher expenses and loss of revenue. Social media companies have made a lot of progress since the 2016 presidential elections and claims of global-wide election meddling, but the criminals have changed tactics and it’s harder to spot them.
On the heels of the August 2018 news that Microsoft seized six domains that Russian Internet trolls planned to use for political espionage phishing attacks around the same time that Facebook deactivated 652 fake accounts and pages tied to misinformation campaigns, Alex Stamos, the former Facebook security chief, posted an essay in Lawfare, and stated that it was “too late to protect the 2018 elections.”
TNW: What role should the government play in protecting citizens’ privacy online?
Payton: As the Internet evolves, laws and regulations must change more rapidly to reflect societal issues and problems created by new types of behavior taking place online. Never before has the world had access to statements, pictures, video and criticism by millions of individuals who are not public figures.
The Internet provides us with places to document our lives, thoughts and preferences online, and then holds that material for an indefinite period of time — long after we might have outgrown our own postings.
It also provides places where we can criticize our bosses, local building contractors, or polluters.
This digital diary of our lives leaves tattered pages of our past that we may forget about because we cannot see them, but they could be collected, collated, and used to judge us or discriminate against us without due process. The government needs to think ahead and determine which laws need to be enacted to protect our right to opt in and out of privacy features and to own our digital lives and footprints.
TNW: What is your opinion of Europe’s “right to be forgotten” law? Do you think a similar law would make sense in the United States?
Payton: The European Union’s “right to be forgotten” sets an interesting precedent, not just for its member countries but for citizens around the world. It is too early to know what the long-term impacts of the EU’s decision to enforce a “right to be forgotten” with technology companies will be. However, it’s a safe bet the law will evolve and not disappear.
There are concerns that giving you or organizations more control of their Internet identity, under a “right to be forgotten” clause, could lead to [censorship] of the Internet. Free-speech advocates around the globe are concerned that the lack of court precedent and the gray areas of the EU law could lead to pressure for all tech companies to remove results across the globe, delinking news stories and other information upon an individual’s request.
A quick history lesson of how this law came about: A Spanish citizen filed a complaint with Spain’s Data Protection Agency and indicated that Google Spain and Google Inc. had violated his privacy rights by posting an auction notice that his home was repossessed. The matter was resolved years earlier but since “delete is never really delete” and “the Internet never forgets,” the personal data about his financial matters haunted his reputation online.
He requested that Google Spain and Google Inc. be required to remove the old news so it would not show up in search engine results. The Spanish court system reviewed the case and referred it to the European Union’s Court of Justice.
Here is an excerpt of what the May 2014 ruling of the EU Court said:
“On the ‘Right to be Forgotten’: Individuals have the right — under certain conditions — to ask search engines to remove links with personal information about them. This applies where the information is inaccurate, inadequate, irrelevant or excessive for the purposes of the data processing… . A case-by-case assessment is needed considering the type of information in question, its sensitivity for the individual’s private life and the interest of the public in having access to that information. The role the person requesting the deletion plays in public life might also be relevant.”
In the U.S., implementing a federal law might be tempting, but the challenge is that the ability to comply with the law will be complex and expensive. This could mean that the next startup will be crushed under compliance and therefore innovation and startups will die before they can get launched.
However, we do need a central place of advocacy and a form of a consumer privacy bill of rights. We have remedies to address issues but it’s a complex web of laws that apply to the Internet. Technology changes society faster than the law can react, so U.S. laws relating to the Internet will always lag behind.
We have a Better Business Bureau to help us with bad business experiences. We have the FTC and FCC to assist us with commerce and communications. Individuals need an advocacy group to appeal to, and for assistance in navigating online defamation, reputational risk, and an opportunity to scrub their online persona.
TNW: What is your attitude toward social networking? What’s your advice to others regarding the trustworthiness of social networks?
Payton: Social networking can offer us amazing ways to stay in touch with colleagues, friends and loved ones. It’s a personal decision as to how involved you are online, how many platforms you interact with, and how much of your life that you digitally record or transact online.
If you want to be on social media but don’t want to broadcast everything about you, I tell my clients to turn off location tracking — or geolocation tools — in social media. That way you aren’t “checking in” places. Cybercriminals use these check-ins to develop your pattern of life and to track your circle of trust. If a cybercriminal has these two patterns, it makes it easier for them to hack your accounts.
Register for an online service that will give you a phone number, such as Google Voice or Talkatone. Provide that number on social media and forward it to your real cellphone. Avoid personality surveys and other surveys — they are often very fun to do, but the information posted often gives digital clues to what you may use for your password.
Always turn on two-factor authentication for your accounts, and tie your social media accounts to an email address dedicated to social media. Turn on alerts to notify you if there is a login that is outside your normal login patterns.
The amount of personal information you choose to share is up to you — and everyone has to find that limit of what is too much — but at the very least, never give out personally identifiable information like your address, DOB, financial information, etc.
TNW: As the first woman to serve in the role of CIO at the White House, under President George W. Bush, how did you feel about becoming an instant role model for girls and young women interested in tech careers?
Payton: It’s an honor to think about the opportunity to give back and to help along anyone that wants to pursue this career path, especially young women. Candidly, we need everyone to fight the good fight. My heart breaks when I see computer and engineering classes with very few women in them.
We did not reach out to the women early enough, and when I talk to young women in high school and college about considering cybersecurity as a career, many of then tell me that since they have had no prior exposure they are worried about failing, and that it’s “too late now to experiment.” To which I tell them that it’s always a great time to experiment and learn new things!
Prior to taking on the role at the White House, I had been very active in women in technology groups and was passionately recruiting young women to consider technology careers. At the time I was offered the role and accepted, I candidly didn’t have an immediate aha moment about being a role model for women because of that specific job. I was most focused on making sure the mission was a success. I see it now and it’s an honor to be able to be a role model and I strive to live up to that expectation.
The cybersecurity industry can do more to help women understand the crucial role that cybersecurity professionals play that make a difference in our everyday lives. Unfortunately, hackers, both ethical and unethical, are often depicted as men wearing hoodies over their faces, making it difficult for women to picture themselves in that role as a realistic career choice, because they don’t think they have anything in common with hackers.
Studies show that women want to work in professions that help people — where they are making a difference. When you stop a hacker from stealing someone’s identity, you’ve made a difference in someone’s life or business. At the end of the day, the victims of hackers are people, and women can make a tremendous difference in this field. This is something the industry as a whole needs to do a better job of showing women.
TNW: You’re now the CEO of a company in the private sector. Can you tell us a little about what Fortalice Solutions does, its mission, and your priorities in guiding it?
Payton: Fortalice Solutions is a team of cybercrime fighters. We hunt bad people from behind a keyboard to protect what matters most to nations, business and people. We combine the sharpest minds in cybersecurity with active intelligence operations to secure everything from government and corporate data and intellectual property, to individuals’ privacy and security.
At Fortalice, our strengths lie in studying the adversary and outmaneuvering them with our human-first, technology-second approaches.
TNW: How have attitudes toward women in powerful positions changed — for better or worse — in recent years?
Payton: Although thankfully this is beginning to change, I am typically the only woman in the room — and that was common in banking as well as technology. I had to learn how to stand up for myself and ensure my voice was heard. I’ve had more than my fair share of times when my technical acumen has been discounted because I’m female.
I’ve learned that grace and tact go a long way, and I’m very, very proud to say that my company is nearly dead-equal male/female. We even started an organization called “Help A Sister Up” — you can find us on LinkedIn — that’sdedicated to advancing women in technology and serving as a rallying point for them and their male advocates. We post job openings, interesting articles, avenues for discussion. Please join us!
TNW: What’s your advice to girls and women entering technological fields about whether to seek employment in the private or the public sector? What are some of the pros and cons, particularly from the standpoint of gender equality?
Payton: An April 2013 survey of Women in Technology found that 45 percent of respondents noted a “lack of female role models or [the encouragement to pursue a degree in a technology-related field].”
It’s been proven that professional mentorship and development dramatically increase participation in any given field, so the lack of women in cybersecurity is really a compounding problem — we don’t have enough women in cyber because there aren’t enough women role models in cyber.
While connecting with other women has had its challenges, there are wonderful women in cyber today. Look at Linda Hudson — currently the chairman and CEO of The Cardea Group and former president and CEO of BAE Systems Inc. — shattering the glass ceiling for women behind her. Also, up-and-comer Keren Elazari, a global speaker on cybersecurity and ethical hacker out of Israel.
I’ve been very lucky to work with wonderful, inspiring women in cyber, but I recognize that my exposure might be more than women starting their career. This brings me to my next point: I recommend all cyber practitioners, and especially women, take advantage of all the amazing free tools out there from RSA, TED talks, and even YouTube.
You can watch speeches from veteran cybersecurity professionals about their careers, hear their advice on how to succeed, and learn new skills to keep you competitive in the workplace. Consider free online courses in cybersecurity or popular programming languages like Python. Ask your colleagues to show you their favorite geek gadget or ethical hack.
There are some excellent security frameworks and guidance available for free online, such as the NIST framework, CIS Critical Security Controls, SSAE 16, and discussions on GDPR. Leverage social media to hear what’s on the minds of security experts. You must be a constant student of your profession in this field.
Google replaces its Bluetooth security keys because they can be accessed by nearby attackers
- Google offered free replacements of its Bluetooth Titan Security Keys after it found that nearby attackers could access them.
- Google said the issue does not impact the tool’s ability to prevent remote phishing attacks.
- The company advised users to continue using the key until a replacement arrives.
Logging in to Gmail on a phone is a cinch.Magdalena Petrova | CNBC
Google found a security issue that could give an attacker access to a users’ device based on a tool meant to keep it secure, the company disclosedWednesday.
Google is offering free replacements of its Bluetooth Low Energy Titan Security Keys after it found that anyone within about 30 feet could communicate with the key and its paired device while a user tried to activate the key or pair their devices.
The Titan Security Key is meant to provide an additional layer of protection for users hoping to prevent their accounts from being taken over by phishing attacks. While Google said the issue does not interfere with the key’s ability to protect users from a remote phishing attack, it still reveals a significant gap in the device’s security.
The flaw could undermine Google’s recent messaging around privacy and security, which has become a hot issue in Silicon Valley. Google CEO Sundar Pichai penned a New York Times op-ed earlier this month advocating for the democratization of privacy after unveiling a host of new privacy features at Google’s developer conference.
Google recommended continuing to use the affected keys until their replacement arrives. As an extra precaution, users should use the keys when they aren’t near other people who may try to gain access to their devices, then immediately unpair the key after signing on, Google said. However, iOS users who have updated the version 12.3 will not be able to sign into any accounts linked to the key until they receive a replacement, according to Google. The company advised staying logged onto accounts on iOS devices until the new replacement arrives.
Google said that only BLE versions of the keys are affected. Devices with a “T1” or “T2″ on the back are eligible for the free replacement by visiting google.com/replacemykey.
Google’s new security key will protect you from phishing attacks
Google Chrome Update — ‘A Threat To Children, Cybersecurity And Government Snooping’
The way we access websites is about to change. As a result, crisis talks have now been scheduled between the U.K. government and the internet industry to discuss the risks. The primary concern is a proposed but as yet unconfirmed update to Google’s popular Chrome web browser, one that would hit many of the techniques used to monitor internet content for both safety and snooping. It isn’t just Google that will change. But the market-leading position of its Chrome browser has focused governmental minds.
These days, almost everyone is familiar with the concept of internet domain names and the fact that memorable, human-readable addresses are translated into machine-readable IP addresses. But most people have likely never heard of DNS over HTTPS or DOH, and so will be unaware of a planned change to how all this works.
However, DOH is now being fast-tracked, and it has agitated U.K. child safety and intelligence agencies enough to convene a crisis meeting on 8 May, citing child safety, cybersecurity and even terrorism as concerns.
DOH will encrypt the addresses of the websites we visit, potentially bypassing local Internet Service Providers (ISPs), and connecting directly to central nameservers that could well be managed by the companies behind the browsers themselves. This means that many of the filtering and protection tools in place today, usually administered by ISPs, would no longer work.
The new approach brings definite security advantages, notwithstanding that we’ll be entrusting Google and its peers with even more data on us. If the addresses of the websites you want to visit can’t be seen, they can’t be filtered or policed. And campaigners claim that this has implications for the fights against terrorism and extremism, as well as for child safety.
Coming at a time when the monitoring of online content has never been more in the news, and when cybersecurity breaches are reported weekly, the clear need to improve online security is driving welcome change. But the unintended consequences of those changes are apparently now a major concern.
The Internet’s Domain Name System (DNS) is one of its greatest strengths and also one of its greatest weaknesses. The internet is easy to use, but that comes with the risk of the manipulation of DNS names, with snooping on open traffic, and, in many parts of the world, with local monitoring and filtering. So it’s little surprise that the Internet Engineering Task Force (IETF) has been working on a revised approach.
As open traffic, your IP address and browsing activities can be profiled and your requests can potentially be intercepted and manipulated. Who you are and what you’re looking at can be monitored. But with more and more of what is done online being encrypted, the very act of accessing specific websites can be encrypted as well. This is what DNS over HTTPS is all about, bypassing locally held DNS nameservers, sending encrypted traffic to a central server instead.
The change would see web browsers (or other central services) handling domain queries, transparently to users, rather than fielding these as open internet traffic through the ISP. More secure and less open to interception, yes, because all of this would be encrypted HTTPS traffic, but it means that you would be serviced from a central location and not by an operator under your country’s legislative control. Think of it as a built-in, always-on VPN.
A presentation from BT on the ‘Potential ISP Challenges with DNS over HTTPS’ earlier this month, acknowledged that “DOH could be a game changer in operator/application dynamics” with fast-tracked standards bringing potentially adverse implications on cybersecurity and on safety from online harms. BT cited a reduced ability to derive cybersecurity intelligence from malware activity and DNS insight, significant new attack opportunities for hackers, and the inability to fulfill government mandated regulation or court orders as potential concerns.
Online responses to the ‘crisis’ suggested that this latter point, the impact on government snooping, was much more of a concern for the authorities than any impact on online safety filters.
Crisis meeting scheduled
According to the Sunday Times, a crisis meeting has now been convened for 8 May to bring together the country’s major ISPs, including BT, Virgin, Sky and TalkTalk, with the country’s National Cyber Security Centre (NCSC) to discuss the implications. The primary concern is that it will be impossible for the country’s ISPs to filter out illegal or inappropriate material. This could have implications for terrorism, extremism, child safety and, of course, password-protecting the U.K.’s countrywide porn habits from July 15, as announced last week.
Because DOH is expected to be largely centralized, and (at least initially) managed by the major browsers, this is where Google comes in. Chrome is the U.K.’s most popular browsing application. With DNS queries not being serviced by an ISP’s nameservers, the ISPs would have no way of tracking, filtering or policing browsing. It would invalidate child safety locks and render useless the planned porn filter. For the ISPs, it could also mandate a rethink in the ways content is cached through efficient and cost-effective content delivery networks.
The well-populated databases of dangerous sites held by ISPs would be bypassed. But, it would also make government online snooping much more difficult. According to the Sunday Times, “BT, which has 9m broadband customers, said in a statement that parental controls, the first line of defense for millions of households, could be rendered ‘ineffective’ by the new system. It added that it could ‘hamper our ability to protect customers from online harms’.”
A spokesperson for the U.K.’s Internet Services Providers’ Association, the trade association representing more than 200 ISPs, including BT, Sky and Virgin, told me that “U.K. broadband providers are actively involved at a national and international level in ensuring that encrypted DNS is implemented in a way that does not break existing protections provided to U.K. internet users. If internet browser manufacturers switch on DNS encryption by default, they will put users at serious risk by allowing harmful online content to go unchecked. Internet browser companies must ensure that parental controls and cybersecurity protections offered by broadband companies continue to work and protect users. We would expect internet browsers to provide the same protections, uphold the same standards and follow the same laws as U.K. ISPs currently do.”
No need to panic?
The encryption of DNS name traffic is not the issue. The central management of the system, bypassing local controls, is the issue. There’s no reason that the new ecosystem cannot work in the existing framework. But it won’t start out that way, and it puts significant control in the hands of the device browsers. Theoretically, there could be device- or even application-specific DOH datasets accessed. And any user filtering would need to be at a device level instead of relying on the ISP. These changes need to be fully communicated and documented in how-to guides before being made.
For their part, Google has confirmed that an encrypted version of Chrome is already available but is not yet included as standard. In a statement, the company said that “Google has not made any changes to the default behavior of Chrome.”
Here’s Why You Need A VPN — And Which One To Choose
Whether you are a tin foil hat wearing cyber security aficionado or not, it’s a sad but true fact that our privacy is in danger. Even when surfing the web, data is collected in droves by big brands people used to trust. Add to this the internet blocks being introduced even in western nations, and people are realizing the need to actively protect their own privacy.
Last week, when the UK government announced porn users would have to enter their details to be age verified from 15 July this year – signalling a potential privacy disaster – people all over the nation started showing more interest in virtual private networks (VPNs).
A VPN works by allowing you to browse privately and securely, encrypting your data and hiding your location. But not all VPNs are built the same. You need, for example, to be wary when a service is free and of course a VPN that logs your data is a definite no.
Set against a backdrop of increasing internet surveillance, data breaches and insecure public Wi-Fi, VPNs are an essential tool. Here is a useful guide including what to look out for and what to avoid when choosing a VPN, with some options to consider.
Some VPNs log data
VPNs that log data defeat the point of having one at all.
“One of the most important aspects to consider when choosing a VPN is security,” Ariel Hochstadt, co-founder of vpnMentor tells me. “A VPN that logs your data is not safe to use. You need to ensure you’re picking a reliable no-log VPN so that your data won’t be susceptible to leaks and attacks.”
And most of the data logged is totally uncalled for: Free VPNs such as Hola know the websites you visit; how much time you spend on those pages; and timestamps. Meanwhile, they might sell your data to their partners.
Trust and security
Trust is important. “Generally, you have to trust your VPN provider with your traffic more than you trust your network,” says Jerry Gamblin, principal security engineer at Kenna Security.
He thinks large commercial VPN providers, such as NordVPN or Private Internet Access (PIA), are best, because they are “invested in making sure that your traffic is delivered safely and quickly”.
“I have used PIA in the past, but due to some sites filtering those IP addresses, I have moved to building my own VPN server.”
Can VPNs be hacked? Yes, but it’s not easy: VPN Base says it’s best to avoid PPTP or L2TP/IPSec protocols; instead use only the latest versions of the OpenVPN protocol, which is considered to be extremely secure. “In terms of encryption, make sure your VPN provider offers 2048-bit or 256-bit encryption as they are harder to crack,” the site reads. “Rest assured, if anyone ever tries to hack you, these protocols and encryptions will be a real nightmare.”
VPNs by their nature can be slow, because they work by encrypting your data and sending it to another server. To avoid this, Hochstadt recommends choosing a server in your own country: of course, the further your data has to travel, the slower the connection will be. Other features such as server network size, encryption, censorship, and torrenting should also be taken into account, he says.
The fastest VPNs are ExpressVPN, Surfshark, NordVPN and CyberGhost, according Hochstadt, who has tested 300 VPNs.
Some VPNs will be located in countries with governments that allow their surveillance agencies to spy. For the highest level of anonymity, it’s a good idea to use a provider located outside of the “14-eyes” jurisdiction.
14-eyes is a list of countries that allow surveillance agencies to spy on people. Members include the UK, US, Australia, Canada and New Zealand.
Where you can use them
Some people find their VPN is blocked in airports or hotels. At the same time, nations such as China ban or control VPN use. However, VPNs are made to bypass restrictions and make your connection anonymousis, so a good product should work anywhere.
Five VPNs to consider
Here are five highly rated VPNs that don’t log your data:
ExpressVPN, which comes highly rated by users and reviewers, works on devices including Windows, Android, iOS, Linux and routers. Based in the British Virgin Islands, it costs around $6.67 a month if you take out a 12-month plan. With a network of more than 2,000 servers in 94 countries, Express offers top notch coverage in Europe and the US. It also works pretty well in Asia, South America, the Middle East and Africa. It uses its own DNS servers and employs high end encryption tech to ensure your security and privacy.
ProtonVPN offers a truly free VPN but there are sacrifices to make if you don’t want to pay: The free version only allows you to connect one device at a time and speeds are slower. But there are paid for versions starting at $4 per month going up to $24 for 10 connected devices. Proton is also a trustworthy brand: most of you will be familiar with the highly-secure ProtonMail used by journalists and activists. Developed by CERN and MIT scientists, Proton doesn’t log your data so it’s never revealed to third parties.
A newcomer to the VPN market, Surfshark is quickly gaining popularity. It’s easy to see why. With over 500 servers in 50 countries, the VPN claims it is fast; it doesn’t collect logs and it allows you to connect as many devices as you like. Costing $11.95 a month and with discounts for multiple months, Surfshark offers Windows, Mac, iOS and Android apps and there’s 24/7 support if things go wrong.
Private Internet Access (PIA)
With over 3,300 servers in 32 countries PIA offers apps for Mac, Android, Windows, iOS and Linux, and browser extensions for Firefox, Opera and Chrome. Costing $9.95 a month, PIA blocks ads, trackers and malicious websites. It uses OpenVPN on desktop and mobile devices, making it a highly secure and trustworthy option whatever you want it for.
Like ExpressVPN, NordVPN is a big provider. Available on Windows, MacOS and Linux – and with apps for iOS, Android, and Android TV and encrypted proxy extensions for Chrome and Firefox – NordVPN allows you to connect up to six devices. It’s also fast, with 5,100 servers in 60 countries and a one month plan for around $12.
Three more to consider
The following come highly rated by users:
Which one should you choose?
Making a final decision will depend on your technical expertise, what you want to use a VPN for and where you want to use it. Personally, I use ExpressVPN but that doesn’t mean it’s right for you. Proton is super-trustworthy and PIA also comes very highly-regarded. There are of course, VPNs to avoid, but hopefully by using this article plus a little research, you will feel confident in making the decision.
These are the improvements Samsung has made to the Galaxy Fold
Twitter finally allows several locked users regain control
Huawei’s Honor 20 might just feature 4 rear cameras
Google Translatotron translates and imitates user’s own voice
Samsung insider teases breakthrough phone design coming in the second half of 2019
Super Mario Maker 2 Has A Story Mode And Much More
SanDisk’s 1TB microSD card is now available
Google replaces its Bluetooth security keys because they can be accessed by nearby attackers
A new security flaw in Intel chips called ‘Zombieload’ impacts PCs and servers (INTC)
Google’s latest app, Rivet, uses speech processing to help kids learn to read
Z10 Tips, Tricks and Shortcuts
FACEBOOK UNVEILS ANONYMOUS LOGIN
Mujjo reveals exclusive full-grain leather cases for the Galaxy S8/S8+, and they come with style
THE ‘BRUSHED ONYX’ DELL XPS 15 2-IN-1 (9575) IS A MONOLITHIC BEAUTY WORTH THE EXTRA $50
ISACA INSTALLS 2018-2019 BOARD OF DIRECTORS
WANT TO MAKE LINUX MINT LOOK LIKE A MAC? THIS THEME CAN HELP
SAMSUNG GALAXY NOTE 9: EVERYTHING YOU NEED TO KNOW ABOUT SAMSUNG’S LATEST PHONE
THIS HANDMADE TESLA GUN IS SHOCKINGLY COOL
5 COMMON MISTAKES TO AVOID WHEN CHOOSING A WEB HOSTING SERVICE
1 BLOOD SUGAR ‘TRICK’ KEEPS BLOOD SUGAR NORMAL – TRY TONIGHT
6 Stunning new co-working spaces around the globe
3 Ways to make your business presentation more relatable
5 Crowdfunded products that actually delivered on the hype
Startup adds beds and Wi-Fi to buses to turn them into ‘moving hotels’
The 9 worst mistakes you can ever make at work
15 Habits that could be hurting your business relationships
- Hardwares6 days ago
Xiaomi outs Mi Mural TV with a 65-inch Super Thin Wallpaper style design
- Hardwares7 days ago
Forget about foldable phones: Here’s the first foldable PC
- Tech News7 days ago
Amazon hints that it may return to the smartphone market after its $170 million Fire phone fiasco
- Tech News5 days ago
SanDisk’s 1TB microSD card is now available
- The Motivator5 days ago
Google Translatotron translates and imitates user’s own voice
- Internet5 days ago
Google’s latest app, Rivet, uses speech processing to help kids learn to read
- Mobile Phones5 days ago
These are the improvements Samsung has made to the Galaxy Fold
- Tech News5 days ago
For 5G Nokia smartphones, HMD enters into a patent-licensing agreement with Qualcomm