The Myths and Realities of VPNs

mthcht
4 min read · Sep 30, 2023

In recent years, VPNs have been aggressively marketed as the ultimate solution for online privacy and security. Influencers and content creators promote these services, often spreading misinformation. As a security analyst, it’s frustrating to see these lies proliferate. This article aims to debunk common misconceptions about VPNs and provide a more informed perspective on their use, both personally and within enterprises.

Myths

Protection Against Hackers, Governments and Viruses

The biggest lie, in my opinion, is VPN providers claiming to protect you from hackers and viruses, both in their own advertising and through thousands of content creators reciting the scripted lines they’ve been given!

This is untrue and dangerous: many people may believe they are fully protected by third-party VPNs, but the reality is far different. Total anonymity is also a myth when using these third-party VPNs.

Reality

How these VPN providers work

When you use a VPN, all your data, including potentially sensitive information, is sent through the VPN company’s network.

A VPN provider doesn’t offer protection against malware, hackers, phishing, or other social engineering attacks. Their infrastructure is not necessarily more secure than other networks; they can be hacked and already have been.

Don’t be fooled: the majority of VPNs sometimes install malware, push intrusive ads, log your data (despite their “no logs” claims), and use and sell your data even if they advertise otherwise. You’re essentially shifting your trust from your actual Internet Service Provider to the VPN company.

VPN providers do have their uses: they can mask your real IP address and location, but they don’t offer complete anonymity. You need to be aware of DNS leaks, WebRTC leaks, and other vulnerabilities that can still expose your information. And when it comes to trusting third-party VPN providers instead of running your own, the risks are even higher, as you’re entrusting all your data to a service that is often not as secure or private as it claims!

Who really needs to use a VPN provider?

The average person simply wants to watch content from Netflix or other streaming platforms that lack the rights to air specific content in various countries. VPN providers advertise that you can bypass these restrictions, and while sometimes you can, it’s against the terms of service of these streaming platforms and can get you banned. When these VPN providers advertise it as a legal workaround, that is false advertising.

If you’re only using a VPN to access streaming content, there might be alternative options 🏴‍☠️ to consider rather than taking the risk of using a third-party VPN provider.

When you’re connected to public Wi-Fi, opting to trust a VPN provider’s network over the public network can be a safer choice, though it’s important to remember that neither option protects against hackers and malware!

In countries with strict internet control, VPNs are often promoted as tools to bypass government surveillance and access restricted content. However, I do not recommend using third-party VPNs for this purpose. These third-party VPNs are easy to detect! The government can actively block or monitor these services and may even force local VPN providers to log and share user data. Evading government censorship is a legitimate use case for VPNs, but it’s crucial to use secure methods rather than relying on random third-party services.

VPN Providers in your Enterprise

Security Bypass and Data Exfiltration Threat

The use of third-party VPNs on corporate workstations poses a significant risk for data exfiltration and should be taken seriously. By connecting to an external VPN, users create a tunnel to a third-party server, effectively bypassing your organization’s network security protocols. This raises concerns about data loss, compliance violations, and the general integrity of your network.

Detection

It’s important to implement detection measures for the use of external VPN providers. These measures can include identifying specific executable names, install locations, VPN-related browser extensions, Windows AppLocker detection, or traffic to known VPN IP addresses and domains used for the VPN connection (check out this repo for some VPN detection).
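A minimal sketch of how several of these signals (executable name, install location, VPN domains, browser extension IDs) can be combined into one hunt; this is an added example, not code from the author or the linked repo. The event schema, function names, and every indicator value are constructed placeholders, to be replaced by your own telemetry fields and watchlist.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed placeholder indicators (not real VPN IoCs); load your own watchlist here.
INDICATORS = {
    "exe_names": {"examplevpn.exe", "examplevpn-service.exe"},
    "install_dirs": {r"c:\program files\examplevpn"},
    "domains": {"examplevpn.example"},
    "extension_ids": {"aaaabbbbccccddddeeeeffffgggghhhh"},
}

def domain_matches(query, watched):
    """True if the query equals a watched domain or is a subdomain of it."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in watched)

def under_dir(path, dirs):
    """True if the image sits in (or below) a watched install directory."""
    parents = {str(p).lower() for p in PureWindowsPath(path).parents}
    return bool(parents & dirs)

def classify(event, ind=INDICATORS):
    """Return the reasons an event matches the watchlist (empty list if none)."""
    reasons, kind = [], event.get("type")
    if kind == "process":
        image = event.get("image", "")
        if PureWindowsPath(image).name.lower() in ind["exe_names"]:
            reasons.append("exe_name")  # catches portable copies run from anywhere
        if under_dir(image, ind["install_dirs"]):
            reasons.append("install_dir")  # catches renamed or helper binaries
    elif kind == "dns" and domain_matches(event.get("query", ""), ind["domains"]):
        reasons.append("domain")
    elif kind == "extension" and event.get("id", "").lower() in ind["extension_ids"]:
        reasons.append("browser_extension")
    return reasons

def hunt(events):
    """Group matched reasons per (host, user) so one alert covers one person."""
    hits = defaultdict(set)
    for ev in events:
        hits[(ev["host"], ev["user"])].update(classify(ev))
    return {k: sorted(v) for k, v in hits.items() if v}

SAMPLE = [  # constructed telemetry: process-creation and DNS events
    {"type": "process", "host": "WS01", "user": "alice", "image": r"C:\Users\alice\Downloads\ExampleVPN.exe"},
    {"type": "process", "host": "WS02", "user": "bob", "image": r"C:\Program Files\ExampleVPN\bin\helper.exe"},
    {"type": "dns", "host": "WS01", "user": "alice", "query": "api.ExampleVPN.example."},
    {"type": "dns", "host": "WS03", "user": "carol", "query": "notexamplevpn.example"},
]
```

Matching on the label boundary (`"." + d`) keeps look-alike names such as `notexamplevpn.example` from alerting, and checking name and directory separately covers both portable executables and renamed binaries inside the install folder.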

If you identify a user using external VPN providers, inform them about the risks involved and the company’s policy regarding VPN usage. While VPNs may offer the allure of encrypted traffic and ‘enhanced’ privacy, this is a double-edged sword in a corporate setting where data governance and compliance are paramount. By using a VPN, they’re not just evading company security measures but potentially jeopardizing sensitive data by transmitting it through a network that you don’t control, and whose data handling practices you cannot verify.

⚠️ The only VPN that should be trusted for use is your own VPN ⚠️

Conclusion

In summary, don’t underestimate the risks associated with allowing third-party VPNs on your corporate network or your personal computer. The stakes are too high when it comes to the security and integrity of your business-critical data or your personal information. In the enterprise, implementing simple detection measures, coupled with staff education, can go a long way in mitigating these risks.

Written by mthcht

Threat Hunting - DFIR - Detection Engineering
