Why is using VPN so difficult?

mather-_660I was in the Manchester Central library over the last weekend, a newly refurbished space that has very recently been reopened to the public. I was only visiting Manchester, so it seemed like a good thing to do and I have to say I was very impressed with the space. There were computers and interactive kiosks throughout, even the cafe tables had a “Surface” like feel to them with images and documents you can read and manipulate with your fingers. As expected there was free Wi-Fi.

I connected to it, and duly fired up my VPN. It didn’t connect. Confused, I tried again. Still failed. Free, public Wi-Fi which blocks VPN! All I wanted to do was check the viewing figures of the latest Host Unknown video, but even that could potentially expose my Google username and password to anyone snooping; with BSides Manchester just around the corner I wasn’t about to become the subject of someone’s Wi-Fi pineapple presentation, so I tweeted my concern (as you do) and disconnected.

4_1024x1024There isn’t a piece of general security guidance that gets published that doesn’t include the advice to only connect through a public Wi-Fi point unless you are using a VPN. The risk of having your personal details, usernames and passwords transmitted and subsequently intercepted is too high and YOU MUST NOT DO IT! USE A VPN AT ALL TIMES!

Great advice, except that VPN has still not been adopted properly by any major hardware or software manufacturers of computers, tablets and smartphones. There needs to be a built in, simple and ubiquitous approach to VPN now that mirrors the adoption of anti-virus of 15 years ago and encryption of 5 years ago. There are paid for solutions for enterprises and the more technically minded and free solutions of both for the small business and home user. But not when it comes to VPN. No Apple VPN, or Google VPN for the average home user to be able to use with little effort or even understanding.

Where is VPN? Why can it not be made more accessible?

Where is VPN? Why can it not be made more accessible?

The VPN solutions on offer are typically smaller packages that the average person would simply not come across, basically the technology has yet to be commoditised. If you have a problem convincing someone to use a decent complex password, think about trying to explain to them about using a VPN.

Even Apple, whose interface design in my opinion is some of the best in the industry has missed a trick with iOS7; VPN is buried in the settings apps, rather than being on the easy access swipe menu where you can quickly and easily enable it and disable it. And what about the option to have it permanently running, automatically reconnecting when the device goes into standby? I have lost count of the number of times I have been using free Wi-Fi at a conference or hotel only to realise that at some point my VPN has disconnected me without realising it, and I am supposed to be a security professional.

Convenience always wins over security (a wise person once said) and so until VPN is made as transparent as antivirus and encryption (when installed properly) we are simply wasting our time trying to educate the greater population about using it the next time they are in Starbucks.

(Note: the Manchester Central Library Twitter account did respond, and we are in the process of communicating about the evils of open, password free Wi-Fi. Perhaps some InfoSec locals may also wish to reach out to them to educate and discuss?)

The Simple Things Part Two – Encryption

I have often said that encryption is like the anti-virus of twenty years ago, just without Doctor Solomon’s socks (that comment in of itself shows my age and when I first started in IT!). What I mean by that is twenty years ago when viruses first started to appear in their hundreds, anti-virus products started to appear in earnest. Not everyone bought or licensed an anti-virus package because they were expensive and the threat was also somewhat small. When it was licensed in the enterprise it was normally a low cost “detection” package that was rolled out onto the desktop with only a few of the expensive “removal packages” in the IT department to carry out the actual disinfection. Home use of anti-virus was virtually unheard of.

Roll forward nearly two decades and anti-virus is everywhere. It is on your computer when you first buy it, it is on every corporate machine (even the OSX environments) and there are even free versions. Everyone, everywhere has an anti-virus package, and only the most foolhardy or ignorant won’t have one installed (although it won’t take long before a trashed disk from a virus or malware will persuade them!).

This is not unlike the case today with encryption. I have come across many small to medium sized organisations that do not have any kind of encryption on any portable device, let alone their laptops, and home use is virtually non existent amongst my friends and colleagues (my peers in the info sec industry are obviously a little more ahead of the game!)  I do believe we are in the middle of a sea change however, but it is a slow, organic change similar to the anti-virus evolution.

I know there are many “encryption” companies out there that do a basic full disk encryption (FDE) package, but off the top of my head I can only name four:

  1. Symantec (PGP)
  2. TrueCrypt (Open Source)
  3. BitLocker (Microsoft)
  4. FileVault (Apple)

For the average user, and indeed many businesses, that is not a huge choice. Even companies that have Windows 7 and Lion installed, the encryption element itself is not automatically turned on, and with Apple there isn’t even any kind of centralised key management (unless, of course, you wish to trust Apple with the keys to your kingdom).

For me, it is simple; encryption must be a part of the full IT procurement cycle. It needs to be budgeted for in the lifecycle of any computer purchase, and in the case of the enterprise, key management needs to be as normal and as natural as Active Directory management. (That same rigour then needs to be applied to removable media as well). Education in the proper use of it is essential (when a laptop is running or suspended it is effectively unencrypted, when it is switched off it is encrypted), and the inclusion of desktops is essential. After all, hard disks get stolen or sent to the disposal company accidentally without being wiped…

Home use also needs to be targeted – only when encryption capabilities are as ubiquitous as anti-virus will a change occur in the way we use computers both at home, schools and work, because users will demand it. The theft of computers from homes opens up all kinds of issues regarding credit card, password and identity theft.

As with all of the things in this list, encryption is not a panacea, but it is an important tool that needs to become as natural to use as a knife and fork, or perhaps more appropriately, as acceptable as anti-virus. What price must be paid in lost data before encryption becomes the rule, rather than the exception?