Why is using VPN so difficult?

I was in the Manchester Central library over the last weekend, a newly refurbished space that has very recently been reopened to the public. I was only visiting Manchester, so it seemed like a good thing to do and I have to say I was very impressed with the space. There were computers and interactive kiosks throughout, even the cafe tables had a “Surface” like feel to them with images and documents you can read and manipulate with your fingers. As expected there was free Wi-Fi.

I connected to it, and duly fired up my VPN. It didn’t connect. Confused, I tried again. Still failed. Free, public Wi-Fi which blocks VPN! All I wanted to do was check the viewing figures of the latest Host Unknown video, but even that could potentially expose my Google username and password to anyone snooping; with BSides Manchester just around the corner I wasn’t about to become the subject of someone’s Wi-Fi pineapple presentation, so I tweeted my concern (as you do) and disconnected.

There isn’t a piece of general security guidance that gets published that doesn’t include the advice not to connect through a public Wi-Fi point unless you are using a VPN. The risk of having your personal details, usernames and passwords transmitted and subsequently intercepted is too high and YOU MUST NOT DO IT! USE A VPN AT ALL TIMES!

Great advice, except that VPN has still not been adopted properly by any major hardware or software manufacturers of computers, tablets and smartphones. There needs to be a built-in, simple and ubiquitous approach to VPN now that mirrors the adoption of anti-virus of 15 years ago and encryption of 5 years ago. There are paid-for solutions for enterprises and the more technically minded, and free solutions of both for the small business and home user. But not when it comes to VPN. No Apple VPN, or Google VPN, for the average home user to be able to use with little effort or even understanding.

Where is VPN? Why can it not be made more accessible?

The VPN solutions on offer are typically smaller packages that the average person would simply not come across; basically, the technology has yet to be commoditised. If you have a problem convincing someone to use a decent complex password, think about trying to explain to them about using a VPN.

Even Apple, whose interface design in my opinion is some of the best in the industry, has missed a trick with iOS 7; VPN is buried in the Settings app, rather than being on the easy access swipe menu where you can quickly and easily enable it and disable it. And what about the option to have it permanently running, automatically reconnecting when the device goes into standby? I have lost count of the number of times I have been using free Wi-Fi at a conference or hotel only to realise that at some point my VPN has disconnected me without my realising it, and I am supposed to be a security professional.

Convenience always wins over security (a wise person once said) and so until VPN is made as transparent as antivirus and encryption (when installed properly) we are simply wasting our time trying to educate the greater population about using it the next time they are in Starbucks.

(Note: the Manchester Central Library Twitter account did respond, and we are in the process of communicating about the evils of open, password-free Wi-Fi. Perhaps some InfoSec locals may also wish to reach out to them to educate and discuss?)


Travelling with your security blanket (cross post)

(Originally posted on the Iron Mountain Information Advantage Blog on October 16th 2013)

Mobile devices are great. I’m sat here in the back of a car in India travelling to a meeting. I’m connected to the internet via my iPhone and using the time to write a blog post on my laptop about the inherent dangers of using mobile devices while travelling. The irony isn’t lost on me.

Much has already been said on the various things that can be done to protect yourself while working on the move. Indeed, just the other day I wrote a piece on exactly how not to do it, and I am sure it is a regular topic of internal security articles at many companies.

The key issue I see is that the security measures are not always seen as ways to protect information. Rather, they are often seen as hoops that people need to jump through to get to the information they need to do their work. When, as is sometimes the case, security measures are poorly designed and/or poorly implemented, then the view of information security as an obstacle should come as no surprise.

Therefore, rather than trying to foist technology or procedures onto people, would we not be better focussing on behaviours that can be reinforced with easy to remember concepts? Here are a few to consider:

Location
Think about where you are sitting with your laptop/mobile phone. Can it be stolen easily (as in this example) or can your screen be viewed easily by people sat nearby? Your data can be both physically stolen as well as “visually” appropriated.

Connection
All internet-based connections should go through a VPN. This might be overkill for some, but it ensures that there is no internal dialogue about the security of a Starbucks Wi-Fi versus a BT hotspot or even a hotel Wi-Fi. Always use a corporate VPN to encrypt and tunnel your traffic through any potentially unsafe network. Even when using a personal laptop to do your own work in a cafe, like a bit of banking or shopping, your credentials and details can be stolen, so use one of the many commercial (and sometimes free) VPN products that are available.

Observation
Be aware of your surroundings. Is this a high-traffic area such as a cafe or airport lounge, with people moving in and out frequently? Be aware of what is on your screen – is it confidential? Should you really be working on it in a public space? This doesn’t mean you need to be paranoid, but travellers, especially when abroad, can often be spotted easily and are often viewed as vulnerable. Knowing your surroundings and behaving accordingly is an important part of not only keeping your data secure, but of keeping yourself safe also.

Let’s face it, technology is never going to solve everything. I wrote recently about an example which had all the right technology in place, only to be let down completely by a visit to the bathroom. If in doubt, your mobile devices should be your “bathroom buddies” and not left exposed in public!