Privacy and Transparency in the VPN industry by Ruben Rubio Rey
We are at an “Oh Noe!” Moment in the VPN Industry
VPN Advantages
- Protect your privacy
- Bypass Geo-Restrictions
- Beat Censorship
- Save money on Hotels and Flights
- Download torrents anonymously
- Bypass ISP speed regulations
- Secures Public WIFI
What Can be intercepted?
– Without Encryption: Any Data
– With Encryption: IP and Port
But HTTPS only works of client and server configured correctly
Client: Rough root certificate
Servers: CORS, insecure SSL version
Protect Your Privacy
- Many Countries Systematicly collecting data about citizens
- ISP collect data, must keep for two years and accessabil to agencies
- USA ISP’s can sell information
- Others Countries tried to put in MITM Certs
So Private companies have incentives to protect my data?
The Reality of Private VPN providers
- Several examples of collecting Data
- Several examples of them releasing data to agencies
- Random security and implementation problems
- Exaggerations in sales pitches
- Installs Rouge Roots Cert on user machine
Conflict of Interest, what is a business model of the providers?
Stats
- 59% of Free VPNs in play store had hidden Chinese ownership
- 86% had privacy policy flaw
- 85% asked for excessive permissions
Are VPN Companies Needed?
People with non-technical skills need an option
How to Improve the VPN Market?
- Privacy and Transparency go hand and hand
- Open Source Provides Transparency
- End to End open source VPN Company
- theVPNcompany.com.au
Install you own VPN
Algo and Streisand
Create your own VPN Company using the base for “The VPN Company”
https://thevpncompany.com.au/
Authentication Afterlife: the dark side of making lost password recovery harder by Ewen McNeill
Twitter Account “badthingsdaily” . Fictional Scenarios that might happen to security people. Inspired this talk.
Scenario 1
- A Big fire took out your main computer
- You done have the computer and you don’t know all your passwords
Recovery Traditional
- You get email somewhere else. On your phone
- Click on Forgot my password
- Repeat until all accoutns recoveryed
Scenario 2
- You need to login to your account on a new device
- All account secured with 2FA
- Your 2FA isn’t working
Recovery
- Recovery Tokens
- Alternative 2FA Solution
Scenario 3
- Your bad was stolen
- It had computer, phone and 2FA
- Can bad guy impersonate you?
- Can you recovery faster than the other guy (or at all?)
Recovery
- Does you 2FA pop up on your lock screen?
- So anybody with your computer is able to get this?
- Race to reset passwords and invalidate your login tokens
- Maybe you remember your passwords but not you 2FA
- Recovery questions “Mother’s maiden name”
- Can be easy to discover, but if it is something random then you have to be able to find it (ie on the password store you just lost)
Multiple alternate authentication methods
- Primary you use every day
- One or more backups
If resetting your password every time is easier than remembering your password people will do that.
Attackers will use the easiest authentication method. Eg Contacting the Helpdesk or going into a bank branch office.
But if recovery is too hard you can end up losing access to your account permanently
Recommend: GitHub’s 2FA recovery guide
Scenario 4
You startups founder has left. He has wipped out all his computer. Now your Cloudprovider is threatening to lock you out unless you authenticate using 2FA
- Hopefully in the password store
- Or perhaps they no longer work
- Contact Helpdesk, Account Manager, Lawyer, Social Media (usually the bigger you are and the more you pay the better you chance)
- Sore everything centrally. How do you audit that? , regularly?
Scenario 5
A relative dies. You first step is to login to all their accounts work out what should be kept.
This will take months not years. Sometimes you will only find out the account exists when they email you that your account is about to expire.
Personal Observations
- You will not have access to their cellphone
- or probably not past the lock screen
- Anything they told you that was obvious you will forget
- You will not have access to the password store
- You may have access to saved passwords in browser
- Maybe you need to optimise for family can access stuff not complete lockdown.
- Physical notebook with passwords
- Consider in advance how you will recover if your 2FA device breaks
- How will you convince a helpdesk person that you are you?
Personal Mitigations
- Kawaiicon 2019 ” How can I help you” Talk by Laura Bell
You Shall Not Pass by Peter Burnett
Moodle is an open souce Learning Management System.
- Legacy System
- First developed in 1997
- Open Sourced in 2001
- New Code is good quality, older stuff not as much
Efforts to improve password policy
- Password policy was a bit antiquated
- Best policies come from NIST, 2018 version is good.
- Don’t force a pattern, Check for compromised passwords, Check for dictionary based and identifying passwords
- Look at the “Have I been Pwned” API – takes first 5 characters of the sha of the password.
- Dictionary checks – Top 10,000 English words might be enough
- Indentifying information – Birthdays, names, cities are things to watch for. Name of the company.
Released as an open source plugin for Moodle
A look at the Authentication Flow
- Natively supported LDAP etc.
- Lots of extra plugins impliment other methods
- Had to put MFA in when people using plugins. Difficult to mix
- Added extra hook on “account related” actions, they would check for MFA etc.
- Required a bit of work to get merged in.
Implementing MFA
- MFA is a superset of 2FA implimentations
- Had to do extensible platform
- Traditional: TOTP, Email
- Non-Traditional: IP verification, Authentication type (might already have MFA)
- Design considerations – Keep secure but impact people as little as possible.
- Different users: Not required, Optional, Forced Upon . So built in the ability for a range of use across platform.
- Learnings
- Anything can be used as a factor
- delicate balance between secure and usable
- When designing, paranoid is the right mindset
- Give the least information possible to allow a legit user to authenticate
- What can the attacker do if this factor is compromised?
Final Thoughts
- Long way to go
- Security is a shifting goalpost
- Keep on top of new developments