Security

How to Make Your VPN Even More Secure

Posted by Ryan on May 15, 2012 at 8:49 am

In the past few years, VPN services have hit the big time—especially among BitTorrent users. These days more and more internet users see running a privacy enhancing service as a requirement rather than just a luxury. They’re not always perfect, though. Here are a few tips and tricks that can enhance the security of any VPN.

VPN anonymity services are simple to set up and use out of the box, so it may come as a surprise that their security can be improved. Of course, when things run absolutely to plan there’s little to worry about, but there are occasions where there may be a hiccup or where an extra level of security is needed.

Securing Your Privacy When Your VPN Fails

Ok, so you've purchased your VPN subscription, enabled the service, and you're enjoying your newfound levels of privacy. Then—disaster strikes. While you were away from your machine, somehow and for some unknown reason, your VPN disconnected, and now snoopers have a clear view of your IP address.

Fortunately, there are solutions.

“To protect against the event of VPN failure/disconnection, disable any internet access that does not tunnel through your VPN service provider,” Andrew from PrivateInternetAccess told TorrentFreak. “This can be achieved using specific Firewall rules (Ubuntu) or by changing TCP/IP routes.”

But of course, not everyone wants to spend time with these manual configurations that could potentially cause problems if they’re not done properly. So, we spoke with the creators of two free pieces of software that do the job more easily.

VPNetMon

“VPNetMon continuously watches the IP addresses of your PC. If the IP address of your VPN is not detected anymore, VPNetMon closes specified programs instantly. The program reacts so quickly that a new connection through your real IP will not be established by these applications,” creator Felix told TorrentFreak.

VPNetMon (Windows) can be downloaded here.
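Added example (not from the original article or from any of the tools it names): a Python check that shows why a dropped tunnel exposes your real IP, and why the route-based fix described under "Securing Your Privacy When Your VPN Fails" closes that gap. It parses IPv4 `ip route` output and applies longest-prefix matching; the three routing tables, the adapter names and the VPN server address 203.0.113.10 are constructed samples, and route metrics are ignored.

```python
import ipaddress

# Adapter name prefixes treated as "inside the tunnel" (assumed naming:
# tun/tap for OpenVPN, ppp for PPTP and L2TP).
TUNNEL_PREFIXES = ("tun", "tap", "ppp")

# Constructed `ip route` output for three states of the same machine.
VPN_UP = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0
"""
# Tunnel gone: the tun0 routes vanish and the old default route takes over.
VPN_DROPPED = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""
# Route-based kill switch: the default route has been deleted, so only the
# VPN server stays reachable over the physical adapter.
KILL_SWITCH_DROPPED = """\
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0
"""

# Destinations to test: a public resolver, a documentation address, the VPN server.
PROBES = ["8.8.8.8", "198.51.100.7", "203.0.113.10"]


def parse_routes(text):
    """Turn `ip route` lines into (network, device) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields[:-1]:
            continue  # blank line, or a route with no output device
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            network = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # typed routes such as "unreachable ..."
        routes.append((network, fields[fields.index("dev") + 1]))
    return routes


def egress_device(routes, destination):
    """Longest-prefix match; None means no route, so nothing is sent."""
    address = ipaddress.ip_address(destination)
    matches = [(net.prefixlen, dev) for net, dev in routes if address in net]
    return max(matches, key=lambda m: m[0])[1] if matches else None


def find_leaks(route_text, probes, vpn_server):
    """Return (destination, device) pairs that would leave outside the tunnel."""
    routes = parse_routes(route_text)
    leaks = []
    for probe in probes:
        device = egress_device(routes, probe)
        if probe == vpn_server or device is None:
            continue  # the tunnel's own carrier traffic, or no route at all
        if not device.startswith(TUNNEL_PREFIXES):
            leaks.append((probe, device))
    return leaks


if __name__ == "__main__":
    for label, table in [("VPN up", VPN_UP), ("VPN dropped", VPN_DROPPED),
                         ("dropped, kill switch", KILL_SWITCH_DROPPED)]:
        print(label, find_leaks(table, PROBES, "203.0.113.10"))
```

With the default route still in place, every destination falls back to eth0 the moment the tun0 routes disappear; with it removed, the same drop leaves no route at all.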
VPNCheck

“VPNCheck helps you to feel safe if your VPN connection breaks, this is done by shutting down your main network connection or programs of your choice and showing a notification box,” Jonathan from Guavi.com told TorrentFreak. “Basically it constantly looks for a change in your VPN network adapter. You can connect to either PPTP or L2TP with VPNCheck.”

VPNCheck (Windows/Linux) can be downloaded here.

Stop DNS Leaks

When using a VPN service one might expect that all of the user’s traffic will go through the privacy network, but on rare occasions a phenomenon known as “DNS leakage” might occur. This means that rather than using the DNS servers provided by the VPN operator, it’s possible that the user’s default DNS servers will be used instead or otherwise become visible.

“A DNS leak may happen whenever a DNS query ‘bypasses’ the routing table and gateway pushed by the OpenVPN server. The trigger on Windows systems may be as simple as a slight delay in the answer from the VPN DNS, or the VPN DNS unable to resolve some name,” explains Paolo from AirVPN.

A tool for checking for leaks can be found at DNSLeakTest.com and a solution for fixing any problems can be found here. Alternatively, anyone using the pro version of VPNCheck will have this feature built in.

Double up your security for extra sensitive data transfers

What if you don’t have 100% trust in your VPN provider and worry that even they might snoop on your communications? Admittedly it’s a very unusual hypothetical situation, but one with an interesting solution.

“If you don’t trust your VPN provider 100%, use two VPNs,” explains Felix from VPNetMon. “This way you are tunneling your already encrypted connection through another tunnel.”

In Windows this is easily achieved. First, simply set up at least two VPN accounts as normal (if you’d like an extra one for testing purposes you can get a free limited account from VPNReactor). Then connect to one VPN, and when complete connect to another without disconnecting the first. Like magic, a tunnel through a tunnel.

It’s also possible to VPN over TOR, but please, please don’t use TOR for file-sharing traffic; it’s not designed for it.

“VPN over TOR gives several security advantages, for a performance price, above all partition of trust,” explains Paolo from AirVPN. “In case of betrayal of trust by one party, the anonymity layer is not compromised in any way.”

A VPN over TOR tutorial can be found here, further discussion here.

Fix the PPTP / IPv6 Security Flaw

As revealed here on TorrentFreak in 2010, people using a PPTP VPN and IPv6 are vulnerable to a nasty security flaw which means that Windows and Ubuntu users could leak their real IP addresses. The following fix comes from Jonathan at VPNCheck.

For Windows Vista and above: Open cmd prompt and type:

    netsh interface teredo set state disabled

For Ubuntu 10+: Copy and paste all four lines into a terminal:

    echo "#disable ipv6" | sudo tee -a /etc/sysctl.conf
    echo "net.ipv6.conf.all.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf
    echo "net.ipv6.conf.default.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf
    echo "net.ipv6.conf.lo.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf

Pay for Your VPN with Untrackable Currency

“When anonymity is a factor, pay with an un-trackable currency,” explains Andrew from PrivateInternetAccess. “For example, sign up for an anonymous e-mail account using Tor and use a Bitcoin Mixer to send Bitcoins to a newly generated address in your local wallet. Alternatively, use the Bitcoin-OTC to purchase Bitcoins ‘over the counter’ from a person, rather than an exchange.

“Then, use a patched Bitcoin client, such as coderrr’s anonymity patch to avoid linking the newly generated address to any of your pre-existing Bitcoin addresses.”

Only Use VPN Providers that Take Your Privacy Seriously

We’ve said this before but it’s worth repeating. VPN providers who heavily log are useful if all you’re concerned about is securely communicating with the Internet through an open public WiFi connection, but not beyond that. For a rundown of providers who do not log any data which would enable a 3rd party to identify a user, see our previous article here.

Do you have a helpful security tip for VPN users? If so, feel free to add it to the comments below.

How to Make VPNs Even More Secure | TorrentFreak

TorrentFreak is a weblog devoted to all-things BitTorrent and file sharing. Photo by Yama.

Review: Microsoft Security Essentials

Posted by Ryan on May 14, 2012 at 8:34 am

Overview and features

In the two years since its 2009 launch, free malware protection tool Microsoft Security Essentials (MSE) has become the world’s second most popular security package – a big change for a company regularly criticised for how it managed Windows’ security. While much of that may be down to the cost, compared with much of its competition, it’s also a well-designed anti-malware tool with both anti-virus and anti-malware capabilities.

Available for Windows XP (Service Pack 2 and higher), Windows Vista and Windows 7, and in both 32- and 64-bit form, Microsoft Security Essentials is part of the Genuine Windows programme, and can only be used on consumer PCs. Small businesses do have an exemption, and can run it on up to 10 machines; any more than that and you need to use Microsoft’s Forefront Endpoint Protection tools. It’s a small download: the latest beta version is 9MB for 32-bit machines, and 11MB for 64-bit.

Microsoft has done its best to keep MSE unobtrusive. There’s no obvious slowdown when it runs, and all you see is a tiny task bar icon that shows whether your PC is protected or not. Right-click to launch a settings tool and to run scans – with a choice of quick, full or custom.

Installation is quick and easy, with MSE replacing Windows’ built-in anti-spyware Microsoft Windows Defender. Once installed it downloads an updated set of malware definitions from Microsoft’s update servers and scans your PC, before starting up real-time protection. That first scan is relatively quick, and took less than five minutes on our test laptop.

A small icon in the task bar is the only sign that MSE is installed and running, and it changes colour depending on the risk to your PC. Green is, of course, good and yellow means that it’s time to run a scan. MSE will automatically run a quick scan once a week, although we’d recommend changing the default 2am on Sunday to a time when your PC is likely to be turned on. You can limit the amount of CPU that MSE will use for a scan (the default is 50%), and you can also make sure it won’t scan if you’re using your PC. We’d recommend leaving real-time protection on – it won’t use too much power or add significant latency to downloads, and will reduce the risk of downloading malware inadvertently.

Other tools built into MSE let you tune it to exclude specific files and locations from scanning, as well as specific file types and even specific processes. You’re better off not changing these settings, since it’s impossible to predict how malware may disguise itself or what zero-day attacks it might use.

A custom scan will check specific files, folders, or drives, while a full scan will check everything on your PC. We’d suggest sticking with quick scans for everyday operation, which look for common malware and check system files.

The advanced options in MSE’s Settings tab enable you to include removable drives in scans, to protect flash drives as well as your system disks. You can turn off archive scanning (although we’d recommend leaving it on, since it’s able to detect malware wrapped in several layers of zip compression). Other options enable you to set system restore points automatically before making system changes, including deleting, running or quarantining detected malware.

You’re also able to set how long MSE will keep quarantined files before automatically deleting them. Use the History tab to see and remove quarantined malware, with links to online information about the malware so you can decide whether to delete a file or not.

So how can Microsoft give a tool like this away for free? While it doesn’t advertise it, MSE is part of Microsoft’s Forefront suite of security tools, based on the Forefront Endpoint Protection client used on enterprise desktops. When MSE detects malware it reports back to Microsoft, giving the company a wider view of the security landscape than it would get from just its enterprise security software. With millions of free copies of MSE, Microsoft’s paying customers get a more responsive and more secure set of tools, and we all get better security.

The reporting system Microsoft uses is its Active Protection Service (previously known as SpyNet). You can choose whether to be part of it, but if you don’t, you won’t get full protection from MSE, since it won’t detect and alert you if unknown software has been downloaded or is being run.

Basic membership gives you additional protection in return for sending Microsoft details of downloaded and detected software, while Advanced membership sends more details, including how the software runs, what filenames it uses and where it installs. The process should be anonymous, but there is a slim possibility that personal information could accidentally be sent back as part of reporting malware behaviour – something to consider when signing up for the Active Protection Service.

Verdict

If you want good, free antivirus software, then Microsoft Security Essentials is the tool for you. It’s small, doesn’t sap system performance and gets regular automatic updates to keep you secure.

There’s no obvious downside to using MSE – and because it’s the basis of a revamped Windows Defender that will ship as part of Windows 8, it could well be a good idea to get used to it now. With Microsoft regularly updating MSE there’s really no excuse to not run anti-malware tools, when they’re as good as this – and especially when they’re free.

We liked

MSE is one of the simplest and easiest-to-use anti-malware tools around. It’s quick, unobtrusive and works without slowing your PC down. Malware is caught quickly, and the default actions work well for most users. It’s a small download, and keeps itself up-to-date. And above all, it’s free – with no need to register or re-register.

We disliked

There really isn’t much to dislike here, since MSE provides the service you want, carrying on raising the bar for all the other anti-malware vendors out there. Our one big caveat is the default time for scheduled complete system scans. Once a week, at a time when a PC is likely to be off, is not good enough by a long way.

Final verdict

If you’re not running anti-virus software, you really have no excuse. MSE is free, simple to use and has been tested by independent anti-malware certification bodies. It may not have all the features of other security suites out there, but that’s really not that important – especially when widespread use of MSE should help make it a safer internet for everyone.

Onion Browser Is an Encrypted Mobile Browser for iOS

Posted by Ryan on May 1, 2012 at 8:30 am

iOS: Private browsing isn’t too difficult on a desktop computer, but keeping your web travels anonymous on an iPhone is a bit more difficult. If you want to hide your every move, Onion Browser is an app that uses Tor proxy servers to hide your activities from ISPs, other Wi-Fi connections, and more.

We’ve talked about ways to use Tor in Chrome and Firefox before, and Onion Browser uses the same basic premise. It tunnels your browsing through a Tor proxy server so websites don’t see your IP address and it encrypts all of your information before it leaves your device. Loading pages in Onion Browser takes a lot longer than normal, but you’ll be completely anonymous when you’re doing it.

Onion Browser is a 99¢ download for iPhone and iPad.

Onion Browser | iTunes App Store via Geek

Microsoft Security Essentials Updates with Better Performance, Virus Detection, and Interface Changes

Posted by Ryan on April 30, 2012 at 8:06 am

Microsoft Security Essentials is our favorite antivirus software for Windows, and a new version is out that’s even lighter and easier to use than ever. Here’s what’s changed.

MSE veterans won't notice a lot of huge changes in this version, but certain interface elements have changed slightly—the icons along the top are gone, and certain wordings have changed a bit to make the program easier to use. The “Real-Time Protection” setting is now an all-or-nothing checkbox, and SpyNet has been renamed to the Microsoft Active Protection Service to make a bit clearer what it actually does. Microsoft has also baked in some performance improvements and better detection powers.

Microsoft Security Essentials is a free download for Windows only. You can get the new version through Windows Update, or on its home page at the link below.

Microsoft Security Essentials 4 | via @PionnerelmORocs

Explained: How SSL and TLS works

Posted by Ryan on April 25, 2012 at 10:49 am

Let us introduce some people who will help us talk about cryptography and SSL/TLS. First we have Alice and Bob. They live far apart and love communicating with each other, but because they want to keep their conversations secret, they encrypt all their messages. Eve is fascinated by these two and is continually eavesdropping on them, but that’s all she does: listen in, trying to work out what they’re talking about.

Then there’s Mallory. He not only listens and tries to work out what they’re up to, but he’s malevolent as well. He will alter their messages, delete them and substitute his messages for Alice’s or Bob’s, trying to fool them both that his messages originate from the partner. He is known as the man in the middle.

Back in the old days, Alice and Bob would use a shared key and an agreed-upon symmetric encryption algorithm. In 1981, the Data Encryption Standard (DES) was published publicly as a symmetric algorithm (that is, you encrypt and decrypt with the same key). Despite using what we might now think is a small key (only 56 bits), it took off and started the whole field of cryptanalysis.

Alice and Bob took to DES with abandon, but they ran into a problem: they needed a 56-bit key (preferably randomly generated) that they could share, but keep secret. Once the key was agreed on, all of their communications would be opaque to Eve and Mallory.

FIGURE 1: Alice and Bob use the same key to encrypt and decrypt messages, so agreeing on this key can be a problem

There was just one problem – how could they agree on a key? Alice couldn’t send a key to Bob, because both Eve and Mallory would see it as she’d have to send it unencrypted. Even worse, Mallory could substitute another key entirely and send that to Bob. After that, Mallory could intercept messages from Alice to Bob, decrypting them with the real key, reading them, then encrypting them with the fake key and sending them on. The same thing would happen on the return journey. Alice and Bob’s messages would be nowhere near secure.

Shared keys

There was nothing for it: Alice and Bob would have to meet in person and devise a shared key, making sure that they couldn’t be overheard by Eve or Mallory. Of course, if the shared key was ever disclosed or hacked, they’d have to go through the whole rigmarole of travelling to meet up and decide on a key again.

The most important thing to realise here is that the secret between Alice and Bob is the key. If the shared key was ever discovered, the totality of the communications between them would no longer be secure.

Then, two things happened: computers became fast enough to apply brute force decryption to messages encrypted with DES, and public key cryptography was invented.

With brute force decryption, you use a computer that tries every single key until one is found that decrypts the message (it assumes that the plaintext message is recognisable in some sense). When DES was first devised, PCs had only just entered the market and brute force cracking of a DES-encrypted message was infeasible. Nowadays, using a specially built computer, a DES 56-bit key can be discovered within a week on average.

Standard DES has been supplanted with variations (triple-DES) and new algorithms (AES) with longer keys, but for Alice and Bob, the same old problem is still present: how to agree on and exchange a key securely.

Public key cryptography

FIGURE 2: The public key system still leaves Alice and Bob with the problem of exchanging public keys securely

With public key cryptography, things are different. Public key cryptosystems use two separate keys: a public key and a private key. The cryptosystem (the most famous one is RSA, named after its inventors Rivest, Shamir and Adleman) uses special mathematical algorithms so that the encryption of a plaintext message and the decryption of that encrypted message use different keys. The keys are related mathematically, but knowing one doesn’t really help you discover the other (the process involves the factorisation of a very large number into two very large prime numbers – an algorithm that with current mathematical knowledge would take an inordinate amount of time to calculate). Because there are different keys for encrypting and decrypting, these cryptosystems are known as asymmetric algorithms.

This is how Alice would encrypt a message to send to Bob with a public key algorithm. Both she and Bob have private/public key pairs, properly generated according to the algorithm they’re using. Alice will encrypt the plaintext message with her private key (known only to her), and then encrypt the result of that with Bob’s public key. She knows Bob’s public key, because he publishes it (similarly she publishes her own public key). She then sends this twice-encrypted message to Bob.

Bob receives the encrypted message from Alice. He then decrypts the message with his private key (this key is a secret known only to him), and then decrypts the result of that with Alice’s public key. If the result is legible, he knows a couple of things with certainty: only he could read it (neither Eve nor Mallory could, since only his private key could decrypt it), and Mallory couldn’t have slipped in a fake message since the original message could only have been encrypted with Alice’s private key. So everything is well, and he and Alice can communicate with abandon.

In fact, since public key cryptosystems are much slower at encrypting and decrypting than symmetric algorithms, in general only one message is sent using a public key cryptosystem: ‘Here’s a randomly generated key for a symmetric algorithm, let’s both use that from now on.’

All of a sudden, Alice and Bob’s original problem with a symmetric encryption algorithm is removed: Alice just sends Bob a brand new 256-bit key encrypted using RSA in the manner I just described, and then they communicate using AES with that 256-bit key. They don’t have to meet at all.

Sounds great, but what’s the flaw? The flaw is this: how do Alice and Bob exchange their public keys securely? Alice can’t send an unencrypted message to Bob containing her public key, because Mallory may intercept that message and substitute his own public key. (Ditto for Bob informing Alice of his public key.) If that did happen, Mallory would be in complete control of the message channel.

Let’s call the two key pairs that Mallory generates fakeAlice and fakeBob; Alice thinks fakeBob is actually Bob, and Bob thinks fakeAlice is Alice. Suppose Alice sends a message to Bob. She encrypts it with her private key and then with fakeBob’s public key and then sends it. Mallory gets it, decrypts it with fakeBob’s private key and with Alice’s public key, and reads the message. He then encrypts a new message with fakeAlice’s private key and Bob’s public key, and sends it to Bob. Bob can decrypt it with his private key and fakeAlice’s public key.

Suddenly it seems we’re right back to square one: Alice and Bob still have to meet in order to exchange their public keys. We’re no better off than we were before.

Certificate authorities

SECURE COMMUNICATION WITH SSL: Alice’s browser verifies that Bob’s certificate is signed by a trusted CA, then generates and encrypts a one-time public key

In practice, this problem is solved by one more level of indirection: the CA or certificate authority. A CA issues digital certificates that identify a particular person or entity and the public key used by that person or entity. In essence, a digital certificate is the name (usually a domain name) and the associated public key encrypted by the CA’s private key. You can check the validity of a certificate by decrypting it with the CA’s public key.

But hold on, you may be asking, how do Alice and Bob know the CA’s public key? Can’t Mallory just intercept this and replace it with his own public key? Technically yes, but in practice the CA’s public key is provided as a certificate with the browser or as part of the operating system. CA certificates are truly publicly published. You trust that these certificates are valid because they’re delivered to you with your operating system or browser.

Once Alice and Bob buy their digital certificates from a particular CA, they can send them to each other with impunity, in essence by trusting the CA. Alice can check Bob’s certificate (and discover his public key) by decrypting it with the CA’s certificate, and vice versa. Once that’s done, they can send each other secure messages ad infinitum.

Online banking

Now imagine that Alice is you, Bob is your bank, and you want to take a look at your accounts online and pay some bills. You certainly don’t want Eve to see your account details, and definitely don’t want Mallory to be fiddling with your transactions as you send them to your bank.

Before RSA and public key systems, this would have been nigh on impossible: you would have had to securely agree on a large key with your bank. In fact, the bank would have had to agree on (and store) a random-looking key for all of its customers and keep them safe from prying eyes. The bank would have a nigh-on impossible task keeping the world’s Eves and Mallorys from joining as employees and accessing all those private keys.

But with public key cryptosystems, this all becomes feasible. It is the basis of SSL (Secure Socket Layer) and TLS (Transport Layer Security). The latter is the newer version of the former, but everyone still uses the term SSL – although it does look a little different.

The first problem is that we normal people don’t (usually) have a private/public key pair and a digital certificate that proves who we are (for a start, certificates are very expensive), so we have to approach things differently.

SSL explained

When you visit a bank’s website, the bank’s server will automatically redirect you to its secure site using the HTTPS protocol before you can log in. This results in your browser and the bank’s site negotiating a secure channel using SSL. This negotiation goes a little like this (note that I’ve simplified it greatly).

1. The browser sends a message stating the latest version of SSL it can support and a list of symmetric algorithms it can use.
2. The web server sends back a message with the version of SSL and the algorithm that will be used. It sends its certificate as well.
3. The client verifies the certificate using the known certificates that came with the browser; in other words, it checks that it has been signed by a trusted CA and that it hasn’t expired.
4. If the certificate is valid, the browser generates a one-time key for the session, encrypts it with the server’s public key (it’s part of the certificate), and sends it to the server.
5. The server decrypts the key, then uses that key together with the agreed symmetric algorithm for the rest of the session.

Let’s take stock. Your browser is certain that the server is who it says it is (your browser is trying to access YourBank.com, and the certificate says it’s valid for YourBank.com – and the CA agrees).

The browser has generated a cryptographic key that will be used for one time only: this particular session. It’ll be thrown away after you log out. The key was sent encrypted with YourBank.com’s public key, which only YourBank.com can decrypt with its private key.

There are a couple of other messages sent that check your browser and the web server have agreed on the same key (if anything went wrong, the session is dropped).

Once YourBank.com has presented you with a login screen (which will be sent over HTTPS, if the bank knows what it’s doing) and you’ve filled it in, it’ll know who you are. Your id and password will have been sent encrypted over the secure channel that you’ve both established. Eve and Mallory are completely out of the loop.
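Added example, not part of the original article: the certificate check and one-time key exchange from the negotiation described under "SSL explained", together with Mallory's key substitution from the certificate authorities section, in Python. It uses unpadded textbook RSA over Mersenne primes and a SHA-256 keystream as a stand-in for AES, and the CA signs a hash of the name and key rather than encrypting them. All names and key sizes are assumptions chosen for illustration, and certificate expiry is not modelled.

```python
import hashlib
import secrets

E = 65537  # common RSA public exponent

def make_key(p_exp, q_exp):
    """Toy RSA key pair built from two Mersenne primes (easy to factor: demo only)."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return {"n": n, "e": E}, {"n": n, "d": d}  # (public, private)

def cert_digest(name, pub, modulus):
    """Hash of the name and public key that the CA signs."""
    data = f"{name}|{pub['n']}|{pub['e']}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % modulus

def issue_cert(ca_priv, name, pub):
    """CA binds a name to a public key using its private key."""
    sig = pow(cert_digest(name, pub, ca_priv["n"]), ca_priv["d"], ca_priv["n"])
    return {"name": name, "pub": pub, "sig": sig}

def verify_cert(ca_pub, cert, expected_name):
    """Browser check: right name, and the signature opens under the trusted CA key."""
    if cert["name"] != expected_name:
        return False
    opened = pow(cert["sig"], ca_pub["e"], ca_pub["n"])
    return opened == cert_digest(cert["name"], cert["pub"], ca_pub["n"])

def client_key_exchange(ca_pub, cert, host):
    """Verify the certificate, then wrap a fresh one-time session key."""
    if not verify_cert(ca_pub, cert, host):
        raise ValueError("certificate rejected, session dropped")
    session_key = secrets.randbits(256)
    return session_key, pow(session_key, cert["pub"]["e"], cert["pub"]["n"])

def server_unwrap(server_priv, wrapped):
    """Only the holder of the matching private key recovers the session key."""
    return pow(wrapped, server_priv["d"], server_priv["n"])

def xor_stream(key, data):
    """Stand-in for the agreed symmetric cipher: SHA-256 keystream XOR."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key.to_bytes(32, "big") + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

# Constructed parties: the CA key ships with the browser, the bank buys a cert.
CA_PUB, CA_PRIV = make_key(521, 607)
BANK_PUB, BANK_PRIV = make_key(607, 1279)
MALLORY_PUB, MALLORY_PRIV = make_key(521, 1279)
BANK_CERT = issue_cert(CA_PRIV, "YourBank.com", BANK_PUB)

def mallory_attempts():
    """Three substitutions Mallory can try, mapped to the browser's verdict."""
    swapped = dict(BANK_CERT, pub=MALLORY_PUB)  # real signature, his key
    self_signed = issue_cert(MALLORY_PRIV, "YourBank.com", MALLORY_PUB)
    own_name = issue_cert(CA_PRIV, "mallory.example", MALLORY_PUB)
    return {label: verify_cert(CA_PUB, cert, "YourBank.com")
            for label, cert in [("swapped key", swapped),
                                ("self-signed", self_signed),
                                ("valid cert, wrong name", own_name)]}

if __name__ == "__main__":
    key, wrapped = client_key_exchange(CA_PUB, BANK_CERT, "YourBank.com")
    assert server_unwrap(BANK_PRIV, wrapped) == key
    ciphertext = xor_stream(key, b"login: alice / pay bill 42")
    print(xor_stream(server_unwrap(BANK_PRIV, wrapped), ciphertext))
    print(mallory_attempts())
```

Every one of Mallory's certificates fails the browser's check, so the session key is never wrapped under his public key.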