Category: Technology

A

virtual
private
network
is
one
of
the
easiest
ways
users
can
protect
their
online
activity.
Through
what’s
called
a
tunneling
protocol,
VPNs
encrypt
a
user’s
online
traffic
and
make
their
data
unreadable
to
prying
eyes.

SEE:


Brute
Force
and
Dictionary
Attacks:
A
Guide
for
IT
Leaders

(TechRepublic
Premium)

This
additional
layer
of
security
has
become
a
go-to
option
for
both
businesses
and
consumers
alike
to
protect
their
privacy.
According
to
Statista,
over
24%
of
all
internet
users
in
2023
used
a
VPN
to
secure
their
internet
connection.

With
this
popularity,
one
can
be
forgiven
to
ask:
Are
VPNs
invincible
against
hackers?
Are
they
susceptible
to
being
hacked?
Can
VPNs
be
used
to
steal
user
data
instead
of
protecting
it?

We’ll
answer
these
questions
and
more
below.

Can
VPNs
really
be
hacked?

Like
any
software,

all
VPNs
are
technically
capable
of
being
hacked.
No
software
is
100%
perfect,
and
VPNs,
like
any
internet-based
software,
can
fall
victim
to
different
attacks.
That
being
said,

a
quality
VPN
will
be
incredibly
hard
to
crack
—
especially
if
it
has
a
secure
server
infrastructure
and
application.

SEE:


4
Different
Types
of
VPNs
&
When
to
Use
Them

(TechRepublic)

VPNs
work
by
generating
a
private
connection
where
your
internet
activity
is
encrypted
and
made
unreadable.
Your
internet
data
is
routed
to
a
VPN
server,
which
masks
your
IP
address
and
provides
you
an
additional
layer
of
anonymity
online.

This
encryption
hides
sensitive
user
data
such
as
your
IP
address,
device
location,
browsing
history
and
online
searches
from
your
internet
service
provider,
government
entities
and
cybercriminals.

While
VPNs
have
varying
types
and
sizes,
this
is
how
most
VPNs
fundamentally
work.
If
you’re
interested
in
a
more
in-depth
explanation
of
VPNs,
we
encourage
you
to
check
out
our

explainer
on
VPN
software.
Here
we
looked
into
the
different
types
of
VPNs,
VPN
benefits
and
drawbacks,
and
a
few
popular
VPN
providers
we
recommend.

By
encrypting
user
data
and
passing
it
through
a
secure
tunnel,
VPNs
serve
as
an
easy
way
to
add
protection
to
your
online
activity.
However,
this
doesn’t
make
them
invincible.

There
are
a
few
points
of
weakness
in
which
VPNs
can
be
exploited
or
attacked
by
hackers.
Let’s
go
through
a
few
of
them:

How
VPNs
can
be
hacked

Breaking
through
VPN
encryption

One
way
VPNs
can
be
hacked
is
by
breaking
through
the
encryption.
Hackers
can
make
use
of
cryptographic
attacks
to
break
poorly
implemented
encryption
ciphers.
However,
it’s
important
to
mention
that
breaking
encryption
takes
a
considerable
amount
of
effort,
time
and
resources
to
do
so.

SEE:


Free
VPN
vs
Paid
VPN:
Which
One
Is
Right
for
You?

(TechRepublic)

Most
modern
VPNs
use
what’s
called
the

Advanced
Encryption
Standard
or
AES-256
encryption
algorithm.
This
encryption
standard
uses
256-bit
key
length
to
encrypt
and
decrypt
data
and
is
widely
recognized
as
the
gold
standard
of
encryption.

This
is
because
AES-256
is
virtually
unbreakable
—
requiring
millions
to
billions
of
years
to
brute
force
and
crack,
even
with
today’s
technology.
That’s
why
many
governments
and
banks
use
AES-256
encryption
to
secure
their
data.

In
any
case,
most
modern
VPN
providers
use
AES-256
encryption
for
their
VPN,
so
there’s
not
much
to
worry
about
here.

VPNs
using
dated
tunneling
protocols

Another
way
hackers
can
hack
VPNs
is
by
exploiting
dated
VPN
tunneling
protocols.
Tunneling
protocols
are
essentially
a
set
of
rules
for
how
your
data
will
be
handled
and
sent
across
a
particular
network.

What
we
want
to
avoid
here
is
using
dated
protocols
such
as

PPTP
and
L2TP/IPSec.
These
protocols
are
older
and
considered
to
have
medium
to
low
security
by
today’s
standards.

SEE:


Are
Password
Managers
Safe
to
Use?

(TechRepublic)

In
particular,
PPTP
is
based
on
older
technology
and
is
known
to
have
vulnerabilities
that
can
be
exploited
by
bad
actors.
L2TP/IPSec,
on
the
other
hand,
has
better
security
but
also
provides
slower
performance
than
newer
protocols
available.

Fortunately,
more
modern
VPN
protocols
like
OpenVPN,
WireGuard
and
IKEv2
provide
a
good
mix
of
both
high-end
security
and
speed.

Through
DNS,
IP
or
WebRTC
leaks

Malicious
actors
can
also
steal
user
data
through
VPN
leaks.
VPN
leaks
refer
to
user
data
being
“leaked”
out
of
the
secure
VPN
tunnel
due
to
some
flaw
or
vulnerability
within
the
app.
The
main
types
of
VPN
leaks
involve
the
following:

• 
  DNS
  leaks
  are
  when
  the
  VPN
  exposes
  your
  internet
  activity,
  such
  as
  DNS
  queries
  or
  browsing
  history,
  to
  the
  ISP
  DNS
  server
  despite
  being
  on
  an
  encrypted
  VPN
  connection.
• 
  IP
  leaks
  happen
  when
  your
  IP
  address
  is
  inadvertently
  revealed
  or
  exposed
  to
  the
  internet,
  defeating
  the
  main
  purpose
  of
  a
  VPN
  in
  masking
  your
  real
  IP
  address
  and
  location.
• 
  WebRTC
  leaks
  involve
  a
  leak
  with
  browser
  technology
  wherein
  websites
  get
  unauthorized
  access
  to
  your
  actual
  IP
  address
  by
  bypassing
  the
  encrypted
  VPN
  tunnel.

VPNs
themselves
logging
user
data

Finally,
hacking
can
also
occur
when
VPN
providers
themselves
take
hold
of
user
data
without
their
consent.

While
many
VPN
providers
claim
to
have

no-logs
policies,
stating
they
don’t
record
user
data,
there
have
been
times
when
VPNs
were
found
to
have
stored
user
information
regardless
of
such
policies.

Real-world
examples
of
VPN
hacks

Here
are
some
concrete
examples
of
VPNs
being
hacked
or
compromised
by
malicious
third-parties.

Ivanti
VPN
zero-day
exploits
in
early
2024

In
January
2024,

five
new
zero-day
vulnerabilities
were
discovered
in
Ivanti
Secure
VPN.
The
vulnerabilities
allowed
an
unauthenticated
attacker
to
execute
remote
code
and
compromise
systems,
possibly
affecting
almost
30,000
Ivanti
Secure
VPN
appliances
connected
to
the
internet.

Ivanti
Secure
VPN
is
a
popular,
remote-access
VPN
used
by
organizations
around
the
world.
Since
the
discovery
of
these
zero-day
vulnerabilities,
Ivanti
has
released
patches
to
address
some
of
the
vulnerabilities.

But
if
you
were
interested
in
Ivanti
and
want
an
alternative
solution,
or
if
you
were
a
former
Ivanti
user
yourself,
we’ve
rounded
up
a
list
of
the

top
four
Ivanti
competitors
and
alternatives.

NordVPN
breach
in
2018

In
2019,
NordVPN
announced
that
one
of
its
third-party
servers
was
breached
in
2018.
In
particular,
a
single
NordVPN
server
in
Finland
was
attacked.
According
to
NordVPN,
this
was
due
to
a
third-party
data
center’s
poor
configuration
of
the
server
that
they
weren’t
notified
about.

NordVPN
says
no
other
servers
or
user
credentials
were
affected
in
the
incident.
Following
the
breach,
the
VPN
provider
said
they
had
taken
all
necessary
measures
to
enhance
their
security
and
had
undergone
audits
to
confirm
these
efforts.

Since
the
incident,
NordVPN
has
been
widely
regarded
as
one
of
the
safest
VPNs
available
today.
You
can
read
our

full
NordVPN
review
here.

VPNs
with
no-logs
policies
caught
logging
data

There
have
also
been
a
handful
of
instances
where
VPNs
with
no-logs
policies
were
seemingly
caught
or
suspected
of
logging
user
data.

• 
  
  IPVanish
  VPN
  in
  2016:
  IPVanish
  allegedly
  handed
  user
  data
  logs
  to
  the
  United
  States
  Department
  of
  Homeland
  Security
  to
  track
  down
  a
  child
  pornography
  suspect.
  This
  was
  in
  spite
  of
  an
  initial
  no-logs
  claim,
  eventually
  confirming
  they
  did
  in
  fact
  provide
  logs
  to
  government
  authorities.
• 
  
  Hotspot
  Shield
  VPN
  in
  2017:
  The
  Center
  for
  Democracy
  and
  Technology
  accused
  Hotspot
  Shield
  of
  logging
  user
  data
  and
  selling
  it
  to
  third-parties
  via
  its
  free
  VPN
  application.
• 
  
  Norton
  Secure
  VPN:
  Despite
  having
  a
  no-logs
  policy,
  Norton’s
  Global
  Privacy
  Statement
  states
  that
  it
  stores
  user
  data
  such
  as
  device
  names,
  IP
  addresses
  and
  URLs
  —
  info
  that
  we
  primarily
  don’t
  want
  a
  VPN
  to
  ever
  have
  access
  to.

If
you’re
interested
in
a
rundown
of
the
best
no-logs
VPNs,
we’ve
got
you
covered.
Check
out
our

best
no-logs
VPN
roundup
here.

Measures
to
enhance
VPN
security

Given
these
points
of
weakness,
there
are
several
key
things
you
can
do
to
improve
your
security
and
VPN
experience.

Invest
in
a
paid
VPN
over
a
free
one

While
free
VPNs
can
be
convenient
for
the
one-off
time
you
need
to
change
your
IP
address,
they’re
not
the
most
secure
solution
out
there.
VPNs
take
money
to
operate
and
run.
With
this,
some
free
VPNs
are
known
to
sell
user
data
to
third-parties.
This
may
be
to
serve
these
users
with
personalized
ads
or
for
other
purposes.

What’s
clear,
though,
is
that
a
paid
VPN
subscription
is
going
to
offer
a
far
more
secure
overall
experience.
With
premium
VPNs,
you
get
the
full
server
network,
better
customer
support
and
stronger
security.

Check
for
no-logs
policies
with
independent
audits

You
should
also
check
for
VPNs
that
offer
both
a

no-logs
policy
and
independent
audits.
While
promises
of
no-logs
are
important,
we
can
only
leave
it
up
to
trust
if
providers
actually
abide
by
their
words
or
not.

A
good
way
to
combat
this
is
to
look
for
VPNs
that
have
been
independently
audited.
These
are
providers
that
have
had
third-party
firms
look
into
their
software,
audit
them
and
share
whether
their
services
pass
security
standards
or
not.

I
highly
recommend
looking
at
VPNs
that
offer
both
no-logs
policies
and
third-party
security
audits.

Use
modern
security
protocols

Another
useful
measure
is
to
use
modern
VPN
protocols
instead
of
older
ones.
In
particular,
I
recommend
using

OpenVPN,
WireGuard
or
IKEv2
protocols
as
your
main
tunneling
protocols
of
choice.

While
these
protocols
are
different,
they
all
provide
high-end
security
and
VPN
speed
that
won’t
affect
your
regular
browsing.
There
are
also
proprietary
protocols
from
VPN
providers
themselves,
such
as
ExpressVPN’s
Lightway
or
NordVPN’s
NordLynx.
These
are
also
viable
options
that
provide
good
security
and
performance.

Utilize
built-in
VPN
kill
switches

VPNs
come
with
a
number
of
included
security
features
that
further
enhance
your
security.
One
of
these
is
a

VPN
kill
switch.

Kill
switches
automatically
block
any
connection
between
your
machine
and
the
internet
that’s
not
routed
via
an
encrypted
VPN
tunnel.
This
means
that
if
your
VPN
connection
drops,
the
kill
switch
will
immediately
prevent
any
of
your
sensitive
data
from
being
leaked.

Many
modern
VPNs
include
a
kill
switch
turned
on
out
of
the
box,
but
it’s
a
good
idea
to
double-check
your
VPN
settings
to
be
sure.

Why
you
should
still
invest
in
a
VPN

Even
after
learning
the
different
ways
VPNs
can
be
compromised,

using
a
VPN
is
still
far
more
secure
than
not
using
one.
VPNs
allow
you
and
your
business
to
hide
your
IP
address
at
a
click
of
a
button.

Hiding
your
IP
address
is
important,
as
this
can
be
used
by
malicious
actors
to
serve
you
intrusive
ads,
gain
data
about
your
location
and
gather
data
about
your
personal
identity.
VPNs
are
some
of
the
easiest
and
most
accessible
ways
to
do
this.

For
larger
organizations,
VPNs
are
also
a
great
way
to
ensure
company
data
is
kept
secure
—
especially
if
your
business
consists
of
remote
workers
who
access
company
resources
over
the
internet.

VPNs
also
let
you
access
region-locked
content
by
using
a
VPN
server
from
a
different
location.
This
can
be
incredibly
useful,
especially
for
businesses
that
need
access
to
various
types
of
content
in
other
parts
of
the
world.