While VPN use is important when employees work from home during the pandemic, both for their privacy and for their employers’ network security, a research scientist said VPNs might not provide the security users expect.
“When you use your company VPN which makes you identify yourself exactly, perhaps with a password and a 2FA token, so the company knows who you are before you connect,” Paul Ducklin, Principal Research Scientist at Sophos noted. “This is great because it means that you’re only sharing that company network with other people who are supposed to be there and who can be held accountable for their behaviour, rather than with a random bunch of unknown strangers – or so you thought.”
According to a report published by VPNMentor, its researchers stumbled across copious user logs from seven VPNs operating out of Hong Kong, said Ducklin.
This data was not supposed to be publicly accessible, but was exposed via a cloud database that had not been correctly configured, he added.
About 1 billion database entries relating to approximately 20 million users were exposed, including various data fields, according to Sophos.
“Not only did these VPNs collect data that they ought not to have retained at all, such as plaintext passwords, but they inadvertently exposed it publicly,” Ducklin said. “As safe as any cybersecurity measure sounds, it is important to note that absolutely nothing is completely secure.”
According to Ducklin, users of VPNs need to bear the following in mind.
- No VPN makes people anonymous or magically changes their identities when they use it. While the websites a user visits will not see the visitor’s true network location, users need to remember that they are still the same people behind their browsers.
- Turning on a VPN is like switching to a new ISP (internet service provider). Like an ISP, a VPN provider still sees all users’ raw network traffic and knows where it originates. In addition, VPN companies may be subject to different laws than a regular ISP.
- If a user stores data in the cloud, it should never be left open to everyone unless the data is explicitly intended to be public. Data needs to be locked down by default; never share what you have promised to keep private, and do not even think of retaining data you have promised to delete permanently after use.
- Companies should consider using a cloud management tool to keep track of which of their cloud assets are supposed to be where. Cloud storage is quick and easy to set up for short-term purposes, but correspondingly easy to forget about afterwards.
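The last two points describe an audit a defender can run over their own cloud inventory: flag anything publicly readable that nobody declared public, anything retaining fields that should never be stored (the exposed logs contained plaintext passwords), and anything past its planned retirement date. The following is an added example, not code from Sophos or from the article; the inventory, field names and dates are constructed for illustration.

```python
"""Audit a constructed cloud-asset inventory against the three rules above."""
from dataclasses import dataclass
from datetime import date

# Field names a provider promising privacy should never retain.
FORBIDDEN_FIELDS = {"password", "plaintext_password", "session_token"}

@dataclass
class CloudAsset:
    name: str
    public: bool               # effective access: anyone on the internet can read it
    intended_public: bool      # the owner explicitly declared it public
    owner: str
    retire_on: date            # planned decommission date recorded at creation
    fields: tuple = ()         # column names found by sampling the stored records

def audit_assets(assets, today):
    """Return (asset name, finding) pairs; an empty list means no issues."""
    findings = []
    for a in assets:
        if a.public and not a.intended_public:
            findings.append((a.name, "publicly readable but not declared public"))
        bad = sorted(f for f in a.fields if f.lower() in FORBIDDEN_FIELDS)
        if bad:
            findings.append((a.name, "retains fields that must not be stored: " + ", ".join(bad)))
        if today > a.retire_on:
            findings.append((a.name, "past planned retirement date; likely forgotten"))
    return findings

# Constructed inventory: hypothetical assets, not the databases from the report.
INVENTORY = [
    CloudAsset("vpn-connection-logs", True, False, "ops", date(2020, 3, 31),
               ("user_id", "source_ip", "password", "timestamp")),
    CloudAsset("public-downloads", True, True, "web", date(2025, 12, 31),
               ("filename", "sha256")),
    CloudAsset("billing-db", False, False, "finance", date(2026, 1, 1),
               ("user_id", "amount")),
]

def audit_inventory(today=date(2020, 7, 20)):
    """Run the audit on the constructed inventory as of a fixed (constructed) date."""
    return audit_assets(INVENTORY, today)

if __name__ == "__main__":
    for name, finding in audit_inventory():
        print(f"{name}: {finding}")
```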