Wednesday, December 13, 2017

Who Is Killing The Anonymizing VPNs?

The primary use for a VPN is to keep data encrypted from the point of origin to its destination. For corporations this means that when you start working on your emails on public WiFi at the airport, the data cannot be seen by people who are “sniffing” what is being sent across the network. Neither the corporation nor the users are trying to hide their location; it’s all about keeping that data private to the company. An anonymizing VPN serves the same purpose; however, it is also used to hide the user’s location. When I use my anonymizing VPN it may look like I am in an entirely different state or country than I really am. In between the time data is sent through the anonymizing VPN and the time it reaches its destination, my IP address is effectively changed. I may be in Colorado, but to the websites I visit I’m in Tokyo. Well, I was until I decided to be in London. The only place I am not is where I am.

For the rest of this post I will generally refer to anonymizing VPNs simply as VPNs for simplicity, but not all VPNs are used for anonymity.

Ever since 9/11, encrypted communications by private citizens have been placed squarely in the crosshairs of the CIA, the FBI, the NSA, and probably the FDA too. FDA is a three-letter acronym (TLA), so the FDA probably has to take a stand on encryption. Some laws and the interpretation of these laws require an innocent suspect (and guilty ones too) to provide passwords required to decrypt data that may be of interest to investigators, but so far encrypted data in transit through anonymizing VPNs has been relatively secure.

I’m not convinced that the biggest threat anonymizing VPNs face is the government though. I believe it is private industry and the reason may have more to do with security than disregard for privacy; and it is a pain in the @ss. But then so are the archaic password complexity requirements that most companies inflict upon their users. If security was painless only masochists would be insecure. Yes, advertisers and data aggregators despise privacy and hence hate these VPNs, but they probably are not the foe. The foe is security. A prime example of the situation involves Google – particularly Gmail. I access Gmail on my laptop as well as on my phone. I also have VPN clients on my laptop and on my phone. So here’s what happens. The email client on my laptop, which appears to be in London, polls for new email at specified intervals. Polling for email requires my email client to automatically log into my Gmail account to check for new email, and it also tells Google that I am in London. My email client on my phone, which appears to be in Tokyo, polls for email five seconds later and tells Google that I am in Tokyo. What do you think that looks like to Google? I’ll show you.
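
The London-then-Tokyo pattern described above is what login-risk checks commonly call "impossible travel". The following is an added example, not from the original post and not Google's actual logic: it assumes logins have already been geolocated, and the event list, the 1,000 km/h speed ceiling and the 100 km minimum distance are constructed for illustration.

```python
import math
from datetime import datetime

# Constructed sample logins for one account:
# (timestamp, client, apparent city, latitude, longitude)
LOGINS = [
    ("2017-12-13T09:00:00", "laptop-imap", "London", 51.5074, -0.1278),
    ("2017-12-13T09:00:05", "phone-imap", "Tokyo", 35.6762, 139.6503),
    ("2017-12-13T09:05:00", "laptop-imap", "London", 51.5074, -0.1278),
    ("2017-12-13T09:10:00", "laptop-imap", "London", 51.5074, -0.1278),
    ("2017-12-14T09:10:00", "phone-imap", "Tokyo", 35.6762, 139.6503),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(logins, max_kmh=1000.0, min_km=100.0):
    """Flag consecutive logins whose implied speed exceeds max_kmh.

    min_km suppresses noise from small geolocation errors; both
    thresholds are assumptions chosen for this example.
    """
    flagged = []
    ordered = sorted(logins, key=lambda e: e[0])  # ISO timestamps sort as text
    for prev, cur in zip(ordered, ordered[1:]):
        km = haversine_km(prev[3], prev[4], cur[3], cur[4])
        if km < min_km:
            continue  # same apparent location, nothing to explain
        delta = datetime.fromisoformat(cur[0]) - datetime.fromisoformat(prev[0])
        hours = delta.total_seconds() / 3600
        # Simultaneous logins from far apart imply infinite speed.
        speed = km / hours if hours > 0 else float("inf")
        if speed > max_kmh:
            flagged.append((prev[2], cur[2], round(km), cur[1]))
    return flagged

if __name__ == "__main__":
    for src, dst, km, client in impossible_travel(LOGINS):
        print(f"{client}: {src} -> {dst}, {km} km, faster than any flight")
```

The Tokyo login a full day later is not flagged, because roughly 9,500 km in 24 hours is an ordinary flight; only the hops made within minutes are.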

I may not always be a big fan of Google, but they blocked the login attempt because they are trying to protect me. It is annoying to get these messages multiple times a day, but giving credit where credit is due, Google no longer makes me change my password every time this happens. That’s nice, but what is really uncalled for is making me solve five captchas when I search for the meaning of the word “Omphaloskepsis.” Now when Google does that I just use Bing. Of course I only search using Google or Bing if I am not satisfied with the results from DuckDuckGo. Usually DuckDuckGo finds what I need. I assume Google is forcing the captchas because of the anonymizing VPN I use, rather than the “suspicious activity” I am told was seen emanating from my computer. I can’t be sure that there was no suspicious activity though… I was using Lenovo laptops and we all know what happens when Lenovo pre-loads software.

Banks are not particularly fond of customers changing their locations frequently, or sometimes at all. For quite a while when I tried to access my account at a specific bank, I was told that I could not access my account at that time. Once I disabled my VPN I was granted access. The bank was not trying to force me to stop using the VPN, they just wanted to keep my account secure. Now I usually just have to answer challenge questions instead of being denied access. As a side note, I once discovered a bug (not a security bug) on my credit union’s website. In order to reproduce the issue I had to make it look as if I was in another location; but not just any location would work. If you want to set off alarms at a financial institution, where do you want them to think you are logging in from? Yes, Brazil. Banking Trojans seem to thrive in Brazil. They’re born there, they have their little bot kids there, and eventually retire in Brazil.

Typically I don’t try to sell anything on my blog, but I will make an exception this time because I can and I can loosely tie it to the subject. Anyone want to buy a rare, vintage, clear body Microsoft Mouse?

I decided to post this exact mouse for sale on Craigslist. Craigslist wouldn’t let me access their site until I turned off my VPN, or appeared to come from a different location. Appearing to come from a different location is an important point that I will get back to. Recently I tried to access one of my frequent flier accounts. Once again I had to turn off the VPN, or appear to come from a different location. Forced VPN relocation is becoming more and more common. The reason that changing the exit location makes a difference is that some of the IP addresses from exit points have been blacklisted. In addition to being used for good things, VPNs are used by cybercriminals too.

Once an IP address is identified as being associated with cybercrime it gets blacklisted. Craigslist, airlines, and most other companies do not care if I am in Seattle, Texas, Denmark, Hong Kong, and so on, but they do care if IP addresses I use are also associated with criminal activity. Sometimes I have to try several different exit points before I am allowed to connect to a site. It can take 30 seconds or even a minute or more to do what should take a few milliseconds. That may not sound like a lot of time, but think about a single webpage taking a minute to load.

No, the anonymizing VPNs are not going to be killed by Google or Craigslist (although they might be beaten senseless by United Airlines), but I believe that users of anonymizing VPNs are finding an increasing number of problems when using them. The US government doesn’t need to do anything about the challenges that VPNs present; private enterprise will do it for them for free.

On a final note, regardless of its rarity it does not appear that I am going to get $150 for that mouse anytime soon.

Randy Abrams
Independent Security Analyst
