Oct 192015

Sophos, the esteemed network-security company, is starting a new series on its always erudite blog. It is called “What Is …,” and it promises to turn “technical jargon into plain English.”

The inaugural post, written by Paul Ducklin, is called “What is … a VPN?

VPN stands for “virtual private network.” Writes Ducklin:

On your own network, you get to set the security rules.

You can make sure your router has a decent password; you can keep everything patched; you can run security software on all your devices; and so on.

But once you’re on the road, whether it’s free Wi-Fi at the coffee shop or the business network in the airport lounge, you don’t have the same control.

For all you know, the network you’re using might not merely have been hacked by crooks, it might have been set up by crooks in the first place.

One solution is to be careful, and stick to secure websites for sensitive work such as uploading documents or online banking.

But you are probably giving away plenty of information anyway:

  • Some secure websites include links to insecure sites, which leave a visible trail.
  • Some applications use secure connections, but don’t bother to check if they’re talking to an imposter server.
  • Some applications use insecure connections, but don’t tell you.
  • When a program connects to, say, https://bank.example/, it first asks the network, “I need bank.example. Where do I find it?”

In other words, your computer’s internet connection is a bit like a conversation two rows behind you on the bus: even if most of it is inaudible, you can nevertheless be pretty sure what it’s about.

That’s where a VPN, short for Virtual Private Network, comes in.

The idea is surprisingly simple.

You get your computer to encrypt all your network data (even if it’s already encrypted!) before it leaves your laptop or phone, and send the scrambled stream of data back to your own network.

When the scrambled data is safely back on home turf, it is decrypted.

Only then is it sent onto the internet in its unscrambled form, just as if you were at home.

The encrypted internet link, known in the trade as a tunnel, acts like an long, secure, extension cable plugged into your own network.

Unless the crooks can crack into the encrypted tunnel itself, they’re no better off at hacking you than if you were back at home or in the office.

So, you have neutralised any advantage the crooks were hoping for because you were on the road.

And that, very briefly, is a VPN.

Read the whole thing. It is completely lucid.

This is a wonderful start to the series.

Dec 202013

Our friends at Sophos have issued their Security Threat Report 2014.  The entire report is necessary, sometimes grim reading. Here are two “trends to watch”:

Attacks on corporate and personal data in the cloud: As businesses increasingly rely on various cloud services for managing their customer data, internal project plans and financial assets, we expect to see an emergence of attacks targeting endpoints, mobile devices and credentials as means to gaining access to corporate or personal clouds.

It’s hard to predict what form future attacks will take—but we can imagine ransomware taking hostage not just your local documents, but any type of cloud-hosted data. These attacks may not require data encryption and could take the form of blackmail—threats of going public with your confidential data. Strong password and cloud data access policies are more important than ever. Your security is only as good as your weakest point, in many cases your Windows endpoint and your users’ awareness.

Undermining hardware, infrastructure and software at the core: The revelations throughout 2013 of government agency spying and backdoors (not only by governments, but also commercial organizations) showed the world that broad-scale compromise of the core infrastructure we all operate on is not only possible, but happening. We’ll need to re-evaluate technologies and trusted parties. The discoveries so far likely only scratch the surface and we can expect to see many more of these stories in 2014. Most enterprises won’t have the resources or skills to go digging for backdoors. But it would be wise to closely monitor the work of security researchers and media outlets for new revelations.

On this latter trend, the wonderful editorial cartoonist Tom Tomorrow was prophetic. The cartoon below is from 1994:


 Posted by at 10:57 am  Tagged with:
Feb 102013


One of the biggest risks to your online security is having unpatched programs. Keeping all your software up to date is no simple task, but Secunia’s Personal Software Inspector (PSI) makes it much easier to keep your Windows PC fully patched.

Secunia scans your computer for out-of-date programs and prompts you to perform updates. The autoupdate feature doesn’t always work perfectly, but knowing which of the many programs you’ve installed are out of date is half the battle.

Best of all, Secunia PSI is free for personal use.

Feb 072013

One of the best sources out there for security tools, news, and good advice is Sophos, which is based out of the UK and has an office here in Vancouver. Disclaimer: I’m married to a Sophos employee, but I wouldn’t shill for just anyone who keeps the lights and Internet on at our place. Bob, who is not married to the company, is equally impressed.

What makes Sophos interesting from a communications and PR standpoint is that they’ve committed to taking the stance of a “trusted advisor.” Good will is such an unusual tactic in this hard-sell world that some are naturally suspicious of their aims, but Sophos continues to freely offer their knowledge and some of their tools to the community in order to keep us all safer. And it seems to pay off.

A few of their notable tools, free for personal use:

  • Sophos Mobile Security for Android
  • Sophos Anti-Virus for Mac Home Edition
  • Virus Removal Tool
  • Sophos Free Encryption

Be sure to check out their Naked Security blog for the latest security news, and the Sophos Security Chet Chat (also available on iTunes) if you prefer listening to your news over reading it.