We hear about phishing scams, malware and ransomware all the time. Those threats are common and real — and there are other, hidden threats lurking too. We can protect ourselves from those threats by using a Virtual Private Network (VPN).
Think of a VPN as the “Cone of Silence” from the 1960s sitcom Get Smart. A VPN is a kind of electronic tunnel through which your data can be sent. Do you need to enter a password and connect to a certain server if you want to log into work from home? That’s probably because your company is using a VPN. But that does not provide you protection when you are not logged into the company VPN.
You may not want to use a company VPN for your private use, as all of your personal communications will be routed through the company’s network. That could mean that they can see your personal communications, claim ownership of them, or both, depending on company policy.
So a VPN is a tunnel and my data moves through that tunnel. Why is that important?
I am glad you asked.
We talked about Wi-Fi last time, and the details of secured versus unsecured Wi-Fi. When you are on an unsecured W-Fi network, when you type in a username or password or send an attachment, it is sent in plain text — like the text you are reading right now. Anyone who is also on that same network and has the appropriate software can capture your data and either read it directly or piece it back together easily. These are known as man-in-the-middle (MITM) attacks, because the attacker digitally stands between you and the Wi-Fi connection.
One of the most common MITM attacks is called an “eavesdropping attack” like the one described above. In an eavesdropping attack, not only can the attacker capture your data — they can actually alter the data contained in the communication, both sent by you and coming from the other side, changing the content or meaning of the original message.
A VPN encrypts, or scrambles, your data so that when the attacker captures the data, it is unreadable to them.
The cyber-criminal who is eavesdropping is looking for easy targets. They want to get as many passwords as they can and sell them on the dark web, which is the black market of the internet. The going rate for stolen passwords and usernames ranges from $12 per password for retail establishment passwords to as much as $260 for bank credentials. So, if a hacker sits in a coffee shop for three or four hours harvesting unencrypted usernames and passwords, the profit can be significant.
But when data is stolen from a VPN connection, unencrypting that data is often a waste of time for hackers. With strongly encrypted data, it would take months or years with supercomputers performing the unencrypting. Only those working for nation-states have that kind of computing power.
On which devices should I have a VPN?
On all of your electronic devices that can connect to a network — which almost certainly includes your smartphone, laptop and tablet. Many of the top security companies such as McAfee or Norton have downloadable VPN apps for all of your devices.
How do I know which one to use?
While there are some very good free VPN apps available, many of them allow limited usage per month based on how much data you use. Once you exceed the limit — which is often only about a day or two’s worth of data for the average user — you are not protected until the next month rolls around, or you have to pay a fee. In some cases, these free VPNs are provided by well-intended groups who do not have the resources to maintain security in real time.
Personally, I now use only commercial (paid) VPNs because of the certainty involved. I recommend you do the same, even if it requires reworking your budget. Many of us are moving toward a digital-only existence, and even those who remain slow to adopt this lifestyle are vulnerable — and maybe more so — to attacks.
Isn’t my cellular data encrypted?
Yes it is — but that only applies to the data that is being transmitted through your cellular connection. When you see only bars on your phone, you are connected through cellular. But when you connect to Wi-Fi, you are not using cellular data. Most of us set this up by default so we do not use our cellular data when we can take advantage of the free Wi-Fi.
I use a VPN for both my cellular and Wi-Fi data so I am protected regardless of my connection. I have moved to an unlimited data plan so I can take advantage of the cellular encryption and rarely do I make use of free public Wi-Fi. I realize this is not economically feasible for many, so using a VPN allows you flexibility in your connection choices.
Take some time to protect yourself and your loved ones by using a VPN. I would like to hear your questions and concerns for future articles. You can reach me at firstname.lastname@example.org.
Data: The information that is being transmitted over the network or internet.
Unencrypted: Plain or clear text readable by anyone who intercepts the data.
Encrypted: Scrambled or encoded text that can only be read when unencrypted by someone who knows the secret code.
Virtual Private Network (VPN): A virtual private network allows users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.
Public Network: Wi-Fi or wired connection at a public place (hotel, coffee shop, restaurant) that is accessible to anyone who chooses to use it.
Private Network: A Wi-Fi or wired connection that requires specific logon credentials and is only accessible to those who hold credentials to use it.
Credentials: Username and password.
Eavesdropping: A network layer attack that focuses on capturing data from the network transmitted by other computers on the network. This type of network attack is generally one of the most effective when no encryption services are used.
Man-in-the-Middle Attack (MITM): The attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection. The entire conversation is being viewed by and possibly controlled by the attacker.
Dr. John B. Nicholas is a Professor of Computer Informations Systems and Co-Founder of the Cybersecurity Degree Track at The University of Akron. Dr. Nicholas has over 30 years experience in the technology field in both the private sector and higher education.