More stories

  • Former Kent police officer sentenced for downloading child sex abuse material

    A former Kent police officer has been sentenced for downloading and viewing child abuse material. 

    Thomas Blant, who served as a constable for Kent Police, was arrested in January last year on suspicion of being a visitor to a website that hosted child sexual abuse content. Investigators suspected that the website, available on the dark web, had been accessed from Blant’s property in Wye, Ashford, Kent. The 38-year-old’s home was searched and a number of devices were seized, including a mobile phone and laptop. Blant was released on bail and suspended from the police at the time of his initial arrest, pending the results of a forensic analysis of the devices. Law enforcement found 17 indecent images, including a number in the highest severity grade, category A. A further four images were uncovered in old mobile devices belonging to the ex-officer.

    According to the UK National Crime Agency (NCA), Blant had made “attempts” to delete the material but failed. He was arrested a second time in February 2020, and on July 22, 2021, Blant pleaded guilty to two criminal counts of making indecent images of children (IIOC) at Folkestone Magistrates Court. On October 6, at Maidstone Crown Court, Blant was given a 12-month prison term, suspended for two years, and a five-year Sexual Harm Prevention Order (SHPO), and was placed on the sex offenders register for 10 years.

    The former constable has since been dismissed from Kent Police. “It is abhorrent that Blant has committed these offenses, particularly while working as a police officer,” commented Detective Chief Superintendent Jon Armory. “His actions helped fuel the demand for children to be exploited which is a complete betrayal of his duty to protect the vulnerable. The vast majority of our officers and staff do an outstanding job serving the public in line with the highest standards of professionalism and conduct, and we expect no less from them.”

    In recent news, the UK’s Metropolitan Police are investigating claims made by Patsy Stevenson, who was arrested while attending a vigil for Sarah Everard. The campaigner says that following the arrest, she received roughly 50 ‘likes’ on Tinder by security guards and police officers in what she describes as an effort to ‘intimidate’ her, leaving her “terrified.” The vigil was taking place in Clapham Common, in memory of Sarah Everard, who was abducted and murdered by Met Police officer Wayne Couzens. The police deemed the event illegal under lockdown restrictions at the time. Couzens has since been issued a whole-life sentence.

  • DTA certifies four cloud providers to store sensitive government data

    Four cloud providers have received certified strategic status under the Australian government’s hosting certification framework (HCF). The companies are Amazon Web Services, AUCloud, Sliced Tech, and Vault Cloud. The Digital Transformation Agency (DTA) selected these companies as part of the first wave of cloud providers to receive the certified strategic status. The HCF is responsible for a new digital infrastructure service within the DTA, which entails assessing and measuring supply chain risks presented by hosting providers, and determining standards, measures, and timelines to achieve the government’s desired hosting standards. According to the Minister responsible for whole-of-government data and digital policy Stuart Robert, the HCF positions the federal government “as an exemplar in data protection and demonstrates our continued commitment to safeguarding the security and privacy protection of government-held data”. All relevant government data under the framework can only be stored in either certified assured or certified strategic providers. In June, Australian Data Centres (ADC), Canberra Data Centres (CDC), and Macquarie Telecom’s Canberra Campus became the first three data centre providers certified to store sensitive data locally. The June certifications were for the certified assured status, however, rather than the certified strategic status. The difference between the two is that certified strategic status is for cloud providers and the certified assured status is for data centre providers.

    These are the first set of certified cloud providers for the federal government since July last year, after its previous certified cloud list was scrapped upon recommendations made by the Australian Signals Directorate.

  • European Parliament passes non-binding resolution to ban facial recognition

    The European Parliament has voted in favour of a resolution banning law enforcement from using facial recognition systems. In explaining the resolution, the European Parliament said the use of AI by law enforcement currently poses various risks spanning opaque decision-making, discrimination, privacy intrusion, challenges to the protection of personal data, human dignity, and the freedom of expression and information. “These potential risks are aggravated in the sector of law enforcement and criminal justice, as they may affect the presumption of innocence, the fundamental rights to liberty and security of the individual and to an effective remedy and fair trial,” the European Parliament said. In addition to calling for facial recognition to be banned for law enforcement purposes, the resolution has called for the permanent prohibition of law enforcement using automated analysis of other human features too, such as gait, fingerprints, DNA, voice, and other biometric and behavioural signals. By passing the resolution, the European Parliament explicitly expressed concern about facial recognition services such as Clearview AI, which has a database of more than three billion pictures that have been collected illegally from social networks and other parts of the internet. The final vote passed 36 to 24, with six abstaining from the vote. While the Parliament has passed the resolution, it is not legally binding. It comes, however, in the midst of the European Union working on new AI rules that would apply to both the public and private sectors.

    At the same time, the European Commission (EC) is reportedly preparing to release an antitrust charge against Apple regarding its Apple Pay system, according to Reuters. The charge is reportedly for Apple only allowing the NFC chip within iPhones and iPads to be used for Apple Pay. The EC is reportedly concerned about how Apple has refused competitors access to the payment system. The EC has been investigating whether Apple’s integration of Apple Pay into apps and websites violates EU competition rules since last June. Europe is preparing to ramp up scrutiny of Apple for not opening up access to the NFC chips in its devices, but this is not the first time Apple has been in such a position. Three years ago, Apple won its fight against an Australian banking consortium when the country’s competition watchdog sided with Apple in allowing it to block Australian banks from accessing NFC on its devices. Most of the banks then caved and signed up for Apple Pay. Since then, Australian banks have continued to complain about the lack of access to Apple’s NFC antenna, with Commonwealth Bank of Australia CEO Matt Comyn in July accusing the tech giant of leaning on its market power to compel the banks into paying fees to use Apple Pay.

  • US Deputy Attorney General launches cryptocurrency enforcement team at DOJ

    The Justice Department has announced a new National Cryptocurrency Enforcement Team alongside a civil cyber fraud initiative designed to punish government contractors with lackluster cybersecurity. US Deputy Attorney General Lisa Monaco was speaking at the Aspen Cyber Summit on Wednesday when announcing the new efforts. “Cryptocurrency exchanges want to be the banks of the future, well we need to make sure that folks can have confidence when they’re using these systems and we need to be poised to root out abuse. The point is to protect consumers,” she said.

    “For too long, companies have chosen silence under the mistaken belief that it’s less risky to hide a breach than to bring it forward and report it. That changes today,” Monaco added in reference to the civil cyber fraud initiative, which she said would “use civil enforcement tools to pursue companies, those who are government contractors, who receive federal funds, when they fail to follow recommended cybersecurity standards.”

    She went on to explain that the National Cryptocurrency Enforcement Team will be focused on disrupting financial markets that facilitate cybercrime. The effort is one of many rolled out by the White House and Justice Department in recent months to address ransomware attacks and the cryptocurrency payments that continue to plague hospitals, schools and companies across the world. Last week President Joe Biden said in a statement that the White House plans to convene a 30-country meeting this month to address cybersecurity. Despite the increased focus from law enforcement, ransomware gangs have shown little reticence in attacking any organization they think is willing to pay.

    Monaco later said that, according to FBI data, investigations are showing more than 100 ransomware variants implicated in at least 1,000 attacks. The civil cyber fraud initiative will leverage the False Claims Act to fine companies that either fail to keep their products secure or fail to be transparent about security incidents. The federal government is still grappling with the fallout from the SolarWinds scandal that exposed significant amounts of data and systems within dozens of US government agencies.

  • Becoming a new chief information security officer today: The steps for success

    Becoming a chief information security officer (CISO) is no easy task, especially with evolving and disruptive cyberattacks a constant threat.

    A CISO is expected to take on the leadership of a team responsible for managing cybersecurity concerns in an organization, and the role requires the creation and implementation of strategies to deal with compliance, regulatory and legal considerations, process and patch management, and more. The CISO of an enterprise firm is also expected to have a thorough knowledge of the evolving threat landscape, and as such, may be expected to play a key role in incident response. They may also work with a Chief Information Officer (CIO) to manage data compliance. However, according to Steve Cobb, CISO of One Source Communications, a modern CISO also needs to have a head for numbers, with budgets becoming a key consideration.

    Speaking to attendees of Mandiant’s Cyber Defense Summit 2021, Cobb said that in order to be successful, there are a number of topics these leaders need to consider and approach — whether or not they have been brought in externally or have organically grown into the role. According to the One Source Communications CISO, these are some of the steps someone stepping into the role of a CISO or security officer should take.

    - Review all existing policies: Cobb says the first step a new security officer should take is to review existing IT and security policies. Special attention should be paid to the company’s Incident Response Plan — if it exists — as well as business continuity and recovery plans. If they don’t exist, the CISO says that this could mean those new to the role have “an opportunity to have a significant impact on the organization.”

    - Review the last three security assessments: These should include any records of penetration tests, red team engagements, and vulnerability scans. Cobb also recommends that new security officers inquire about security awareness training, phishing simulations, and work out whether such training is actionable and valuable to staff.

    - Review cyber insurance policies: As a new CISO, you should evaluate existing policies including cyber insurance, representation from legal teams, connections with incident response (IR) — and also who is handling the firm’s PR. Insurance providers may list recommended or approved IR and legal responders, and so CISOs need to make sure an organization’s teams are either on the permissible list, or added to them. What is included in cyber insurance policies should also be explored. For example, does it cover ransomware infections or data theft and extortion, and if so, what is the limit of potential claims? You should also find out if you are covered when it comes to liability should you become part of a lawsuit due to a cybersecurity incident — and whether or not the same applies to your team.

    - Fighting for it: Questions should be asked at leadership meetings which will give new security officers a fighting chance to perform well in their roles. These include what cybersecurity budget is available, whether it is separate from or part of general IT budgets, and whether there has been an increase year-over-year. “If you are being brought in, I would argue that you should have a budget to make sure you can do what it is you’re being asked to do,” Cobb commented. In addition, CISOs should find out what the most valuable corporate resources are that require protection, how long the company can cope with disruptive events, and whether or not data is being held that, if stolen, could cause “substantial reputational damage and/or significant loss of revenue,” the executive says.

    - Investigate: According to Cobb, the next step is to find out what tools are in place — what firewalls, is there any endpoint protection, is two- or multi-factor authentication in place, and is the organization protecting email flows? Key areas that should also be considered are whether or not anyone is monitoring out-of-hours, and whether or not the organization is able to rapidly detect basic attacks. Cobb also suggests asking for a new security assessment in light of your investigation.

    - Build relationships: Meet with the director or leader of IT teams and the CIO, and find out if security is a consideration (at all) — and what protections are in place for the business. New CIOs should also find out what strategies are in place for on-premise and cloud setups.

    Cobb also suggests that today’s security officers should try to be “visionary” and implement cultural change. “Let’s start changing the culture,” Cobb says. “They [changes] don’t happen at the beginning of your stint as a CISO, they may happen years later. […] That’s why your strategy needs to be in place so you can be successful. Consider your limitations, but don’t put the entire weight of the world for security on yourself. Put a team around you [..] and set the expectations of the business early on with your leadership.”

  • Singapore inks pact with Finland to mutually recognise IoT security labels

    Singapore and Finland have inked an agreement to mutually recognise each country’s cybersecurity labels for Internet of Things (IoT) devices, aimed at helping consumers assess the level of security in such products. Touting it as the first of such bilateral recognition, Singapore says the partnership aims to reduce the need for duplicated testing. The global pandemic had accelerated the pace of digitalisation as well as surfaced many uncertainties and challenges, pushing governments and businesses to drive their digital transformation, said Singapore’s Senior Minister of State for the Ministry of Communications and Information, Janil Puthucheary. Dependence on IoT had increased as nations looked to transform into smart cities, fuelled by the need for connectivity and to tap data, said Puthucheary, who was speaking Wednesday at the Singapore International Cyber Week conference. He noted that the number of connected devices worldwide was projected to double to 50 billion devices in 2030, compared to 2018.

    This growing adoption brought with it security risks that must be addressed, he said. “Majority of consumer IoT devices are built and developed to optimise functionality and cost, usually at the expense of the security of the device. However, IoT security should not and cannot be an afterthought, but should be a key consideration and a design fundamental,” he noted. “Without the requisite security in place, it leaves end users exposed to malicious cyber threat actors seeking to compromise the devices and this results in the loss of data. More importantly, privacy and trust.”

    Pointing to leaked footage of home cameras in Singapore last year, he stressed the need to drive consumer awareness and responsibility, enhance the skills of security professionals, and build partnerships with the international community and industry. Singapore last year introduced its multi-tiered Cybersecurity Labelling Scheme (CLS) to enable consumers to make more informed decisions when buying IoT devices, said Puthucheary. The initiative also gave manufacturers a way to differentiate their products, he added.

    Since its launch in October 2020, CLS had shored up more than 100 applications, with some labelled products available online and on the shelves of physical stores. These included products from manufacturers Signify, BroadLink, and Aztech. The new agreement with Finland now extended the programme internationally, where both countries would mutually recognise cybersecurity labels issued by the Cyber Security Agency of Singapore (CSA) and Transport and Communications Agency of Finland (Traficom).

    According to CSA, the agreement was the first of such bilateral recognition and Singapore hoped to rope in more partners. The pact with Finland aimed to reduce the need for duplicated testing and ease market access for manufacturers, said CSA. Under the agreement, consumer IoT products that met the requirements of Finland’s cybersecurity label would be recognised as having met CLS Level 3 requirements in Singapore, and vice versa.

    The Singapore Standards Council, which is parked under Enterprise Singapore, on Wednesday also launched the country’s first national standard, Technical Reference (TR) 91 on Cybersecurity Labelling for Consumer IoT. The move would provide a standard that could be adopted by manufacturers, developers, testing bodies, and suppliers of consumer IoT devices across the globe. CSA added that TR 91 offered a framework for countries to align and mutually recognise their respective cybersecurity labels.

    The Singapore government agency said it also was increasing the number of approved test labs for Levels 3 and 4 applications to meet growing demand for CLS assessment. In addition, the national labelling scheme would be further extended to include more products and services beyond consumer IoT devices, CSA said, adding that more details on this would be provided in future. In January 2021, several devices were added to the CLS including smart lights, smart door locks, smart printers, and IP cameras. The scheme initially applied only to Wi-Fi routers and smart home hubs.

    Puthucheary noted that security measures also were needed for the networks of IoT devices, particularly since the potential impact of Distributed Denial of Service (DDoS) botnets could go beyond individual users. He pointed to the Mirai malware in 2016 that exploited insecure IoT devices to build a botnet that launched a DDoS attack, bringing down internet access in the US. “The work of building a safe, resilient, and secure IoT ecosystem is, thus, very important and spans across various stakeholders,” he said. In this aspect, he noted that CSA had partnered with the Global Cyber Alliance to leverage the latter’s Automated IoT Defence Ecosystem (AIDE), which was a global network of partners that shared IoT threat information.

  • Twitch source code, business data, gamer payouts leaked in massive hack

    An unknown hacker has leaked the entirety of Twitch’s source code among a 128 GB trove of data released this week. The hack, first reported by Video Games Chronicle and confirmed by multiple sources, includes:

    - The entirety of twitch.tv, with commit history going back to its early beginnings
    - Mobile, desktop and console Twitch clients
    - Creator payout reports from 2019
    - Proprietary SDKs and internal AWS services used by Twitch
    - Every other property that Twitch owns including IGDB and CurseForge
    - An unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios
    - Twitch SOC internal red teaming tools

    The hacker, who called themselves “Anonymous” on a 4chan discussion board, said Twitch’s community is “a disgusting toxic cesspool, so to foster more disruption and competition in the online video streaming space, we have completely pwned them, and in part one, are releasing the source code from almost 6,000 internal Git repositories.” “Jeff Besos paid $970 million for this, we’re giving it away FOR FREE. #DoBetterTwitch,” the hacker added.
    Twitch and Amazon, which owns the company, did not respond to requests for comment. They released a brief statement on Twitter confirming that a breach occurred and pledging to release updates at some point. Twitch is one of the biggest gaming platforms in the world, with an average of 15 million daily users and more than 2 million Twitch creators broadcasting monthly.

    More than 18 billion hours of Twitch videos were streamed in 2020. #DoBetterTwitch has trended for weeks as the platform has faced backlash for allowing “hate raids” — where the comment sections of minority gamers are overwhelmed by slurs and abuse. Twitch was forced to address the issue in a Twitter thread in August and pledged to do more about racial abuse. “This is not the community we want on Twitch, and we want you to know we are working hard to make Twitch a safer place for creators. Hate spam attacks are the result of highly motivated bad actors, and do not have a simple fix,” Twitch said. “Your reports have helped us take action-we’ve been continually updating our sitewide banned word filters to help prevent variations on hateful slurs, and removing bots when identified.”

    The words did little to quell outrage and gamers held a protest last month, boycotting the site for 24 hours due to the company’s inaction on “hate raids.” Public reaction to the leak has focused on the massive earnings of popular gamers — which reached the millions for some. In an interview with BBC News, Fortnite streamer BBG Calc confirmed that his earnings in the leak were correct and other high earners backed it up. There was also a significant amount of business information from Amazon released in the hack, including the company’s plans for a rival to gaming platform Steam called Vapor.

    Others raised severe concerns about the security of the platform and the many bank accounts connected to it. SocialProof Security CEO Rachel Tobac warned streamers to ensure their financial services have the strongest MFA available because they will now be targets for other hackers and scammers. “For streamers with payout data leaked, this includes Venmo, CashApp, Bank, etc. If hardware based MFA is an option, move to that by end of day (though many banks still don’t offer security key options). If security key not an option, move to app-based MFA rather than SMS-based,” Tobac wrote. “Intruders supposedly leaked Twitch internal red team tools & threat models — brutal. If true, this would likely include phishing lures known to be successful against Twitch employees, the hacking playbook. If you work at Twitch, be politely paranoid about messages, requests, etc.”

    F-Secure researcher Jarno Niemela said password hashes have leaked, so all users should change their passwords and use 2FA if they are not doing so already. “But as the attacker indicated that they have not yet released all the information they have, anyone who has been a Twitch user should review all information they have given to Twitch, and see if there are any precautions they need to make so that further private information isn’t leaked,” Niemela added. All of Twitch’s red team security measures are now widely available, providing hackers with untold information about how to invade the company and those connected to it, she added. Among the files leaked, experts were focused on the folders “core config packages,” “devtools” (developer tools), and “infosec” (information security).

    James Chappell, co-founder of Digital Shadows, said one of Twitch’s internal GitHub repositories was stolen in the attack. “The leaked data was made available through torrents shared as magnet links. The data set appears to be comprehensive. It has also been labeled as a ‘part 1,’ which suggests that there is more to come. Whilst user data does not currently appear to be in the archive, users on the forum are speculating as to what may follow,” Chappell said. “There appears to be evidence that the original files came from an internal GitHub server, git-aws.internal.justin.tv, was at least part of the breach. Justin.tv was the name of a company that eventually transformed into Twitch. It rebranded as twitch in 2011 – so this looks like a long-standing piece of infrastructure.”

    Security experts like ThreatModeler CEO Archie Agarwal described the hack as “as bad as it could possibly be” and questioned how someone managed to exfiltrate 128 GB “of the most sensitive data imaginable without tripping a single alarm.”

  • Best VPN for Chrome and Chromebooks 2021

    You would think that the method of protecting Chrome browsing would be the same for Chrome as for Chromebooks. After all, Chromebooks are pretty much machines designed to run Chrome. But there are differences, and we’ll discuss that in this article.


    Desktop Chrome on PCs and Macs is best protected by VPN applications designed for those operating systems. We’ve done closer look articles into both of those categories, which should help. Essentially, you’re installing a VPN application that runs in the background and protects all network traffic. Chrome extensions are available for most of the popular VPN services that allow you to turn on and off features, and provide some added WebRTC protections.

    For iOS and Android, users also will install a device-wide application. Mobile Chrome doesn’t support extensions, so your device-based app is your best defense.

    If you want to protect a Chromebook, the Chrome browser extension isn’t enough. The way most VPN vendors recommend you protect your Chromebook is by installing their Android app. Android apps now run on most modern Chromebooks, but older Chromebooks don’t have that capability. Be sure to check each vendor’s compatibility list. Once you install their Android app on the Chromebook, you’re generally protected.

    Finally, for Linux devices running Chrome, some vendors offer a Linux binary, but the most common method is to install VPN software on a router, and then run all traffic through that router. That doesn’t help for mobile Linux users, but it’s a start.

    Let’s take a look at four of our favorite VPN services and see how they do with Chrome and Chromebook.

    - Chromebook Compatibility: See full list here
    - Simultaneous Connections: Unlimited
    - Kill Switch: Yes
    - Platforms: Windows, Mac, iOS, Android, Linux, Chrome, plus routers, Fire Stick, and Kodi
    - Logging: None, except billing data
    - Servers: 1,500
    - Locations: 75
    - Trial/MBG: 30 day

    IPVanish is a deep and highly configurable product that presents itself as a click-and-go solution. I think the company is selling itself short doing this. A quick visit to its website shows a relatively generic VPN service, but that’s not the whole truth.

    Its UI provides a wide range of server selection options, including some great performance graphics. It also has a wide variety of protocols, so no matter what you’re connecting to, you can know what to expect. The company also provides an excellent server list with good current status information. There’s also a raft of configuration options for the app itself.

    In terms of performance, connection speed was crazy fast. Overall transfer performance was good. However, from a security perspective, it wasn’t able to hide that I was connecting via a VPN — although the data transferred was secure. Overall, a solid product with a good user experience that’s fine for home connections as long as you’re not trying to hide the fact that you’re on a VPN.

    The company also has a partnership with SugarSync and provides 250GB of encrypted cloud storage with each plan.

    - Chromebook Compatibility: See full list here
    - Simultaneous Connections: 5 or unlimited with the router app
    - Kill Switch: Yes
    - Platforms: A whole lot (see the full list here)
    - Logging: No browsing logs, some connection logs
    - Countries: 94
    - Locations: 160
    - Trial/MBG: 30 days

    ExpressVPN has been burning up the headlines with some pretty rough news. We’ve chosen to leave ExpressVPN in this recommendation, and I wouldn’t necessarily dismiss ExpressVPN out of hand because of these reports, but it’s up to you to gauge your risk level. The best way to do that is to read our in-depth analysis.

    ExpressVPN is one of the most popular VPN providers out there, offering a wide range of platforms and protocols. Platforms include Windows, Mac, Linux, routers, iOS, Android, Chromebook, Kindle Fire, and even the Nook device. There are also browser extensions for Chrome and Firefox. Plus, ExpressVPN works with PlayStation, Apple TV, Xbox, Amazon Fire TV, and the Nintendo Switch. There’s even a manual setup option for Chromecast, Roku, and Nvidia Switch.

    With 160 server locations in 94 countries, ExpressVPN has a considerable VPN network across the internet. In CNET’s review of the service, staff writer Rae Hodge reported that ExpressVPN lost less than 2% of performance with the VPN enabled and using the OpenVPN protocol vs. a direct connection.

    While the company does not log browsing history or traffic destinations, it does log dates connected to the VPN service, amount transferred, and VPN server location. We do want to give ExpressVPN kudos for making this information very clear and easily accessible.

    - Simultaneous Connections: 6
    - Kill Switch: Yes
    - Platforms: Windows, Mac, iOS, Android, Linux, Android TV, Chrome, Firefox
    - Logging: None, except billing data
    - Countries: 59
    - Servers: 5517
    - Trial/MBG: 30 day

    NordVPN is one of the most popular consumer VPNs out there. Last year, Nord announced that it had been breached. Unfortunately, the breach had been active for more than 18 months. While there were failures at every level, NordVPN has made substantial efforts to remedy the breach.

    In our review, we liked that it offered capabilities beyond basic VPN, including support of P2P sharing, a service it calls Double VPN that does a second layer of encryption, Onion over VPN which allows for TOR capabilities over its VPN, and even a dedicated IP if you’re trying to run a VPN that also doubles as a server. It supports all the usual platforms and a bunch of home network platforms as well. The company also offers NordVPN Teams, which provides centralized management and billing for a mobile workforce.

    Performance testing was adequate, although ping speeds were slow enough that I wouldn’t want to play a twitch video game over the VPN. To be fair, most VPNs have pretty terrible ping speeds, so this isn’t a weakness unique to Nord. Overall, a solid choice, and with a 30-day money-back guarantee, worth a try.

    - Simultaneous Connections: Unlimited
    - Kill Switch: Yes
    - Platforms: Windows, Mac, Linux, iOS, Android, Fire TV, Firefox, Chrome
    - Logging: None, except billing data
    - Trial/MBG: 30 day

    At two bucks a month for a two-year plan (billed in one chunk), Surfshark offers a good price for a solid offering. In CNET’s testing, no leaks were found (and given that much bigger names leaked connection information, that’s a big win). The company seems to have a very strong security focus, offering AES-256-GCM, RSA-2048, and Perfect Forward Secrecy encryption. To prevent WebRTC leaks, Surfshark offers a special purpose browser plugin designed specifically to combat those leaks.

    Surfshark’s performance was higher than NordVPN and Norton Secure VPN, but lower than ExpressVPN and IPVanish. That said, Surfshark also offers a multihop option that allows you to route connections through two VPN servers across the Surfshark private network. We also like that the company offers some inexpensive add-on features, including ad-blocking, anti-tracking, access to a non-logging search engine, and a tool that tracks your email address against data breach lists.

    I’m running a VPN app. Do I still need a Chrome extension?

    The answer will differ a bit from vendor to vendor, but generally the Chrome extension will give you in-browser control over your app. More important is that sometimes sites using WebRTC can punch through the VPN’s tunnel and grab your actual IP address. Chrome extensions can usually block that behavior.

    If I have a Chrome VPN extension, do I need a full app?

    Yes, because Chrome extensions only work in Chrome. If you are doing anything else on a network that’s outside of your browser, Chrome’s extensions won’t catch it.

    How can I stay protected if my older Chromebook doesn’t support Android apps?

    The answer to this is much like the answer to anyone asking how to stay protected on old gear: sometimes you can’t. If your gear can’t keep you safe online, either don’t go online or upgrade your gear. Sorry, but the cost of an upgrade is far less than the damage that can be caused if you’re a victim of identity theft.