Eliana Willis

Image: User XPS on Unsplash
If you’re going to use a VPN, you’re most likely going to do so away from your home and office. Sure, if you’re in a dorm or your have roommates (or your internet service provider is intrusive), you might use a VPN at your home base. But most often, you’re going to use a VPN because you’re in an airport, at a hotel, in a school, at a coffee shop, and you don’t want your data running over a public Wi-Fi hotspot that could be corrupted in any of a thousand different ways. And, if you’re using a VPN away from home base, you’re probably going to do so with a laptop. Yes, you might put a VPN on your phone or tablet, but if you’re doing real work, you’re almost undoubtedly doing it on a laptop. And if you’re using a laptop, you’re more likely than not running Windows. Yes, Chromebooks and Mac laptops are also prevalent, but PC’s are still the clear winner. In that context, we’re aggregating some of the best VPNs for Windows in this article. Not only have these all been put to the test in various reviews, but we also have aggregate benchmark data that we’re applying to our recommendations. Below, we recommend four VPNs and let you know how they fared in Windows performance testing against each other.

Fastest and most consistent Windows performance

Simultaneous Connections: 6Kill Switch: YesPlatforms: Windows, Mac, iOS, Android, Linux, Android TV, Chrome, FirefoxLogging: None, except billing dataCountries: 59Servers: 5517Trial/MBG: 30 dayAlso: How does NordVPN work? Plus how to set it up and use it on WindowsNordVPN distinguished itself as one of the fastest overall VPNs, as well as the one that turned in the most consistent Windows performance results from testers across the world. That said, ping speeds were slow enough that I wouldn’t want to play a multi-player first person shooter game over the VPN. To be fair, most VPNs have pretty terrible ping speeds, so this isn’t a weakness unique to Nord.Also: My in-depth review of NordVPNIn our review, we liked that it offered capabilities beyond basic VPN, including support of P2P sharing, a service it calls Double VPN that does a second layer of encryption, Onion over VPN which allows for TOR capabilities over its VPN, and even a dedicated IP if you’re trying to run a VPN that also doubles as a server. Also: My interview with NordVPN management on how they run their serviceIt supports all the usual platforms and a bunch of home network platforms as well. The company also offers NordVPN Teams, which provides centralized management and billing for a mobile workforce. Overall, a solid choice, and with a 30-day money-back guarantee, worth a try.

A little slower and a little less consistent than NordVPN on Windows

Simultaneous Connections: 5 or unlimited with the router appKill Switch: YesPlatforms: A whole lot (see the full list here)Logging: No browsing logs, some connection logsCountries: 94Locations: 160Trial/MBG: 30 daysExpressVPN has been burning up the headlines with not the best news. We’ve chosen to leave ExpressVPN in this recommendation, and I wouldn’t necessarily dismiss ExpressVPN out of hand because of these reports, but it’s up to you to gauge your risk level. The best way to do that is read our in-depth analysis:With 160 server locations in 94 countries, ExpressVPN has a considerable VPN network across the internet. In CNET’s review of the service, staff writer Rae Hodge reported that ExpressVPN lost less than 2% of performance with the VPN enabled and using the OpenVPN protocol vs. a direct connection. In ZDNet’s aggregate speed tests, we found that ExpressVPN for Windows came in just after NordVPN and Hotspot Shield in overall performance, but performance was more predictably consistent than that of Hotspot Shield across the world.ExpressVPN is one of the most popular VPN providers out there, offering a wide range of platforms and protocols. In addition to Windows, ExpressVPN offers clients for Mac, Linux, routers, iOS, Android, Chromebook, Kindle Fire, and even the Nook device. There are also browser extensions for Chrome and Firefox. Plus, ExpressVPN works with PlayStation, Apple TV, Xbox, Amazon Fire TV, and the Nintendo Switch. There’s even a manual setup option for Chromecast, Roku, and Nvidia Switch.Must read:While the company does not log browsing history or traffic destinations, it does log dates connected to the VPN service, amount transferred, and VPN server location. We do want to give ExpressVPN kudos for making this information very clear and easily accessible.Exclusive offer: Get 3 extra months free.

Adequate Windows performance that differs based on location

Simultaneous Connections: UnlimitedKill Switch: YesPlatforms: Windows, Mac, Linux, iOS, Android, Fire TV, Firefox, ChromeLogging: None, except billing dataTrial/MBG: 30 dayAt two bucks a month for a two-year plan (billed in one chunk), Surfshark offers a good price for a solid offering. Windows users will like that, in addition to VPN functionality, Surfshark offers some inexpensive add-on features, including ad-blocking, anti-tracking, anti-virus, access to a non-logging search engine, and a tool that tracks your email address against data breach lists.In CNET’s testing, no leaks were found (and given that much bigger names leaked connection information, that’s a big win). The company seems to have a very strong security focus, offering AES-256-GCM, RSA-2048, and Perfect Forward Secrecy encryption. To prevent WebRTC leaks, Surfshark offers a special purpose browser plugin designed specifically to combat those leaks.Must read:Surfshark also offers a multihop option that allows you to route connections through two VPN servers across the Surfshark private network. 

Consistently slowest of our tested Windows VPNs, but still usable

Simultaneous Connections: UnlimitedKill Switch: YesPlatforms: Windows, Mac, iOS, Android, Linux, Chrome, plus routers, Fire Stick, and KodiLogging: None, except billing dataServers: 1,500 Locations: 75Trial/MBG: 30 dayWindows users will appreciate that IPVanish is a deep and highly configurable product that presents itself as a click-and-go solution. Its UI provides a wide range of server selection options, including some great performance graphics. It also has a wide variety of protocols, so no matter what you’re connecting to, you can know what to expect. The company also provides an excellent server list with good current status information. There’s also a raft of configuration options for the app itself.Also: My in-depth review of IPVanishIn terms of performance, connection speed was crazy fast. Overall transfer performance was adequate, but slower overall than our other contenders. However, from a security perspective, it wasn’t able to hide that I was connecting via a VPN — although the data transferred was secure. Overall, a solid product with a good user experience that’s fine for home connections as long as you’re not trying to hide the fact that you’re on a VPN.The company also has a partnership with SugarSync and provides 250GB of encrypted cloud storage with each plan.

Doesn’t Windows 10 come with a VPN?

Yes, and no. Windows 10 includes a VPN client. But to run your data through the internet, you need an endpoint. If you’re connecting to your corporate VPN server, then you can use Windows’ built-in client. But if you want to connect elsewhere, you still need one of the services we’ve profiled. Plus, the base client is pretty barebones. If you want more advanced features, you’ll want to use one of the more premium clients included with the services we’re spotlighting.

Do these VPN clients support Windows on Arm?

Definitely not explicitly. My recent testing of Windows for Arm running on an M1 Mac showed that Intel apps can run on Arm-based devices in emulation. But what does that do for performance? How reliable is it? No idea. It’s not something I’d recommend at this early stage.

If I run these VPNs on my laptop, can I also run them on my phone?

Yes — as long as you’re running iOS or Android on your phone. All of the VPNs we recommend support multiple simultaneous connections for just this reason. Once you sign up for a service, you can generally run the VPN client on five or more devices at once.

You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV. More

Mozilla has released the latest instalment of its “*Privacy Not Included” ranking, where they do deep dives into the privacy features of the most popular apps and platforms. The latest ranking, covering the privacy features of 21 popular video call apps, found that three of the most popular apps are also platforms that Mozilla researchers said had lackluster privacy features: Facebook Messenger, WeChat and Houseparty.Slack was also criticized by Mozilla for not allowing users to block certain contacts. Signal and Threema were both cited as “outstanding” from a privacy perspective, but only Signal is free. Threema costs $2.99.

“Signal’s open-source end-to-end encryption is lauded by many security professionals. And Signal won’t track you or sell your data to strangers who could use it to target you with weird ads. Shoot, it was even recently reported that Facebook CEO Mark Zuckerberg himself uses Signal,” Mozilla said in its analysis of Signal, noting that it has never had a data breach, only collects your phone number and never sells, rents or monetizes your personal data.The report tackles thorny issues like “What data does the product collect?” “Does the product use encryption?” and “How does the product use AI?” Fifteen of the apps were covered in Mozilla’s 2020 report and six new ones were added to the latest version. Jen Caltrider, the lead researcher for Mozilla’s *Privacy Not Included, noted that due to the COVID-19 pandemic, video calling apps have become a routine part of millions of people’s lives. Even as life begins to slowly return to normal, video calls for work and pleasure appear to be a pandemic trend that will continue into the future. “In this new world, people deserve to know if the apps they’re using everyday respect their privacy — or if they’re snooping on them,” Caltrider said. “While video call apps may feel more intimate than social media platforms, there’s still a ton of data being collected, stored, and shared. For that reason, users should assume that anything they say on a video call app could be made public.”

In addition to the six that stood out for good and bad reasons, Mozilla also examined Apple’s FaceTime, 8×8’s Jitsi Meet, Cisco’s Webex, GoToMeeting, Viber, Discord, Doxy.me, Google Hangouts/Meet/Duo, Microsoft Teams, Telegram, BlueJeans, Zoom, Marco Polo, Skype and WhatsApp.The report explains that Facebook Messenger, WeChat and Houseparty all got the *Privacy Not Included tag because they collect significant amounts of personal information and data, share it with “shady data brokers” and use poor encryption, among a host of other issues. Mozilla also criticizes many other apps for either not having a block feature or having a limited one that can only be used in specific instances. “Forcing people to rely on HR or IT departments to protect them from abuse over messaging platforms is not ideal,” Mozilla researchers said, adding that they have launched a petition urging Slack to create a block feature. The report notes that in examining privacy policies, many are effectively unreadable and lack specific language about pertinent issues like data retention periods and how to delete data.Just eight of the 21 had what Mozilla considered “user-friendly” privacy information available to users. They also criticized companies like Microsoft for using umbrella privacy policies that make it difficult to know exactly what data certain platforms collect. “It’s surprising just how terrible video call app privacy policies are. They rarely help consumers understand what personal information a company collects on them and how they use that information,” Caltrider told ZDNet. “Vaguely worded privacy policies can mean companies are collecting just about anything and using it just about any way they want. Yikes! Companies need to do better at being direct, open, and honest with their customers at what data they collect and how they use that data. Our privacy depends on it.”There are signs that more companies are improving their privacy features. Mozilla noted that apps like Zoom have added more end-to-end encryption and others, like Discord and Doxy.me, are now demanding stronger password requirements.  More

If you ever get concerned about how easy your password is and worry whether someone could guess it, you need to tighten up your security processes. Whether through password sharing or sloppy password habits, many people still leave their personal and professional accounts vulnerable, and it is a huge risk for companies and home users alike.

ZDNet Recommends

The best password manager

Everyone needs a password manager. It’s the only way to maintain unique, hard-to-guess credentials for every secure site you and your team access daily.

Read More

New York, NY-based digital identity firm Beyond Identity spoke with 1,015 people in the US to learn more about their password-making strategies and how they generally conduct themselves in regards to online safety.Many of us already share our account passwords. Over half of us (50.1%) share our video streaming account, and almost as many share our music streaming accounts (44.9%). One in four of us (25.7%) share passwords to our online banking. On average, we share three of our passwords with other people. The study revealed that many people try to guess others’ passwords and are often successful. Over 73% managed to guess someone’s passwords. Over half (51.6%) try to guess their romantic partner’s passwords, and almost one in four (24.6%) try to guess their child’s password.

Over one in five (22%) try to guess their co-worker’s password, and one in five (19.9%) try to guess their ex-partner’s or boss’ password. The most common tactic is using information known about the other person (39.2%), while 18.4% check the person’s social media profiles to try and guess. Over two in five (43.7%) try to guess passwords for personal email accounts, and almost one in three (32.6%) try to guess phone passwords.
Beyond Identity
People were most interested in gaining access to the accounts of their romantic partners. Those trying to guess their boss’ password were trying to get into their employer’s work email, while phones were the most common target for those guessing the password of a romantic partner. Almost two in five (37.6%) of people never use a password generator. The average password tends to be 15 characters long, with over one in four (27.4%) choosing their pets names for a password. Over one in three (27%) use random letters, and three in ten (30.7%) use random characters to replace letters. The survey showed that Generation X were most likely to use a password generator whilst half of the baby boomers had never used a password generator.
With easy-to-guess passwords, it is not really surprising that 18% of people have had their online banking accounts compromised or hacked. Having a strong password policy in place with difficult-to-guess passwords drives many to write their complicated password down on paper — ruining its effectiveness. Two-factor authentication and authenticator apps can go some way to helping users secure their online environments, but add online security and social engineering to trick you out of your password, and you can see how easy it is for your online accounts to be compromised. Trying to stay vigilant to scams and protecting your passwords — even with a password vault, can become a layer of complexity too hard to manage — and if that happens, someone successfully guessing your password could be as easy as a walk in the park. More

The z0Miner cryptojacker is now weaponizing a new Confluence vulnerability to mine for cryptocurrency on vulnerable machines. 

Trend Micro researchers said on Tuesday that the cryptocurrency mining malware is now exploiting a recently-disclosed Atlassian Confluence remote code execution (RCE) vulnerability, which was only made public in August this year.  Tracked as CVE-2021-26084, the vulnerability impacts Confluence server versions 6.6.0, 6.13.0, 7.4.0, and 7.12.0.  Issued a CVSS severity score of 9.8, the critical security flaw is an Object-Graph Navigation Language (ONGL) injection vulnerability that can be exploited to trigger RCE — and is known to be actively exploited in the wild.  The vulnerability was reported by Benny Jacob through Atlassian’s bug bounty program. z0Miner, a Trojan and cryptocurrency mining bundle, has been updated to exploit the RCE, as well as Oracle’s WebLogic Server RCE (CVE-2020-14882) an ElasticSearch RCE (CVE-2015-1427), Jenkins, and other code execution bugs in popular server software.   Once a vulnerable server has been found and the vulnerability has been used to obtain remote access, the malware will deploy a set of webshells to install and execute malicious files, including a .dll file disguised as a Hyper-V integration service, as well as a scheduled task that pretends to be a legitimate .NET Framework NGEN task. 

The task will attempt to download and execute malicious scripts from a repository on Pastebin, but as of now, the URL has been pulled.  These initial actions are aimed at maintaining persistence on an infected machine. In its second-stage payload deployment, z0Miner will then scan and destroy any competing cryptocurrency miners installed on the server, before launching its own — a miner that steals computing resources to generate Monero (XMR). A patch has been released to resolve CVE-2021-26084, and as threat actors will always seek to exploit new bugs for their own ends — the Microsoft Exchange Server attacks being a prime example — vulnerable systems should always be updated with new security fixes as quickly as possible by IT administrators. Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

A “design flaw” in the Microsoft Autodiscover protocol was subject to an investigation by researchers who found they were able to harvest domain credentials. 

On Wednesday, Guardicore Labs’ AVP of Security Research Amit Serper published the results of an analysis of Autodiscover, a protocol used to authenticate to Microsoft Exchange servers and to configure client access.  There are different iterations of the protocol available for use. Guardicore explored an implementation of Autodiscover based on POX XML and found a “design flaw” that can be exploited to ‘leak’ web requests to Autodiscover domains outside of a user’s domain, as long as they were in the same top-level domain (TLD).  To test out the protocol, the team first registered and purchased a number of domains with a TLD suffix, including Autodiscover.com.br, Autodiscover.com.cn, Autodiscover.com.fr, and Autodiscover.com.uk, and so on.  These domains were then assigned to a Guardicore web server, and the researchers say they “were simply waiting for web requests for various Autodiscover endpoints to arrive.” The “back-off” procedure is described as the “culprit” of the leak as failures to resolve URLs based on parsed, user-supplied email addresses will result in a “fail up”: “Meaning, the result of the next attempt to build an Autodiscover URL would be: http://Autodiscover.com/Autodiscover/Autodiscover.xml,” the researchers explained. “This means that whoever owns Autodiscover.com will receive all of the requests that cannot reach the original domain. […] To our surprise, we started seeing significant amounts of requests to Autodiscover endpoints from various domains, IP addresses, and clients.”

In total, Guardicore was able to capture 372,072 Windows domain credentials and 96,671 unique sets of credentials from sources including Microsoft Outlook and email clients between April 16 and August 25, 2021. Some sets were sent via HTTP basic authentication.
Guardicore
Chinese companies, food manufacturers, utility firms, shipping and logistics organizations, and more were included.  “The interesting issue with a large amount of the requests that we received was that there was no attempt on the client’s side to check if the resource is available or even exists on the server before sending an authenticated request,” the team explained.  Guardicore was also able to create an attack method based on an attacker controlling relevant TLD domains which downgraded credentials sent to them in alternative authentication systems — such as NTLM and OAuth — to HTTP basic authentication. Serper told ZDNet, “the protocol flaw isn’t new; we were just able to exploit it at a massive scale.” Past research conducted by Shape Security and published in 2017 explores Autodiscover and its potential for abuse (.PDF). However, the paper focuses on Autodiscover implementations in mobile email clients. Guardicore says it has “initiated responsible disclosure processes with some of the vendors affected” by the latest discovery.In order to mitigate this issue, Guardicore says that Autodiscover TLD domains should be blocked by firewalls, and when Exchange setups are being configured, support for basic authentication should be disabled — as this is “the same as sending a password in clear text over the wire.” Update 20.39 BST: “We are actively investigating and will take appropriate steps to protect customers,” Jeff Jones, Sr. Director at Microsoft said in a statement. “We are committed to coordinated vulnerability disclosure, an industry standard, collaborative approach that reduces unnecessary risk for customers before issues are made public. Unfortunately, this issue was not reported to us before the researcher marketing team presented it to the media, so we learned of the claims today.”  Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

There’s been a rise in distributed denial of service (DDoS) attacks in recent months in what cybersecurity researchers say is a record-breaking number of incidents. According to a report by cybersecurity researchers at Netscout, there were 5.4 million recorded DDoS attacks during the first half of 2021 – a figure that represents an 11% rise compared with the same period last year. 

ZDNet Recommends

A DDoS attack is a crude but effective form of cyberattack that sees attackers flood the network or servers of the victim with a wave of internet traffic that’s so large that the infrastructure is overwhemed by the number of requests for access, slowing down services or taking them fully offline and preventing legitimate users from accessing the service at all.  Often, the machines being used to launch DDoS attacks – which can be anything that connects to the internet and so can range from servers and computers to Internet of Things products – are controlled by attackers as part of a botnet. The real owners of the devices are unlikely to know that their device has been hijacked in this way.  SEE: Cybersecurity: Let’s get tactical (ZDNet special feature) In some cases, DDoS attacks are simply designed to cause disruption with those behind the attacks just launching them because they can. However, in other instances there’s also an extortion element at play, with attackers threatening to launch a DDoS attack against a victim if they don’t give into a demand for payment. But it isn’t just the rise in DDoS attacks that makes them disruptive; cyber criminals are adapting new techniques to evolve their attacks in order to help them bypass cloud-based and on-premise defences. 

“The tooling behind these attacks has matured over the years,” Hardik Modi, Netscout area vice president of engineering, threat and mitigation products, told ZDNet.  For example, cyber criminals are increasingly leveraging multi-vector DDoS attacks that amplify attacks by using many different avenues to direct traffic towards the victim, meaning that if traffic from one angle is disrupted or shut down, the others will continue to flood the network of the target. In many cases, the attackers will specifically tailor these to exploit vulnerabilities of the target. 

Researchers note that multi-vector attacks are getting more diverse (a vector is essentially a method or technique that is used in the attack like DNS reflection or TCP SYN floods). In 2020, the largest one of these attacks used 26 vectors. During the first half of 2021, there have been a number of attacks using between 27 and 31 different vectors, plus an attacker can switch between them to make the attack harder to disrupt. SEE: Four months on from a sophisticated cyberattack, Alaska’s health department is still recoveringDDoS attacks have become more effective during the past year due to the added reliance on online services. Disruption to services that people are relying on in both their professional and personal lives has the potential to have a significant impact.  However, in the majority of cases it’s possible to defend against DDoS attacks by implementing the industry’s best current practices to maintain availability of services in the face of an incident. These practices include setting specific network access policies as well as regularly testing DDoS defences to confirm they can protect the network from attacks. MORE ON CYBERSECURITY More