Foreign spies may be hiding in your VPN, warns DHS

237 views 1 replies
Reply to Topic

Age: 2020
Total Posts: 0
Points: 10

Before we get into the latest scary-virtual private network (VPN) news, let’s do as Naked Security’s Paul Ducklin advises and repeat after him:

Many people do trust their Buy VPN provider. A lot. Unfortunately, some of them shouldn’t, going by what a
Department of Homeland Security (DHS) higher-up recently said.

In a letter sent to Senators Ron Wyden and Marco Rubio on 22 May 2019, Chris Krebs, director of DHS’s Cybersecurity and Infrastructure
Security Agency (CISA), wrote that foreign adversaries are interested in
exploiting VPN services. From the letter:

Krebs was writing in response to a 7 February 2019 letter sent to him by the senators, who are concerned about threats posed by apps
created in countries of national security concern to the US.

The senators noted that mobile browsers such as Yandex, Dolphin and Opera use their own servers as an intermediary for user traffic,
compressing the pages before delivering them to users in order to save
data. Similarly, VPN providers route traffic through their own servers
in order to mitigate privacy concerns – nominally, at least, the
senators said.

Potential security risks are of particular concern when it comes to government employees using VPNs, mobile data proxies, or other apps that
might be vulnerable to foreign government surveillance, the senators
said. They noted that the US government has already recognized the
national security risks posed by Chinese telecom equipment, for one: a
year ago, the Pentagon banned Chinese smartphones from military

Six years prior, the US House of Representatives issued a report recommending that Huawei and ZTE be banned because of concerns over
spying. A year-long investigation had shown that the companies had
maintained close ties to the Chinese Communist Party and People’s
Liberation Army back home while trying to expand their US businesses.

In Krebs’ reply to the senators, he said that there’s no overarching US policy preventing government mobile device users from downloading
foreign VPN apps. He also referenced the National Institute of Standards
and Technology (NIST), which has published Guidelines for Managing the
Security of Mobile Devices in the Enterprise. From those guidelines:

Krebs said that according to “open-source reporting”, the Russian government in November 2017 enacted laws that force domestic and foreign
VPN providers to participate in Russia’s blacklist enforcement system: a
system that allows the government to “access and influence Russia-based
VPN providers,” such as Yandex. Also, in December 2017, the Indian
government issued an advisory to employees that the Chinese government
had used popular mobile apps – including WeChat, Truecaller, Weibo, UC
Browser, and UC News – to collect information on sensitive Indian
security installations.VPN download

CISA believes the apps pose a “low to moderate” risk of affecting government operations, though Krebs notes that the agency has limited
visibility into what government employees install on their federally
contracted mobile devices.When comes to the issue of online privacy and
security, we suggest to use a VPN, and our recommendation is

Posted 06 Jan 2020

Reply to Topic