More stories

  • Turla hacking group launches new backdoor in attacks against US, Afghanistan

    The Turla hacking group is back with new weaponry, recently used in attacks against the US, Germany, and Afghanistan.

    On Tuesday, Cisco Talos said that the advanced persistent threat (APT) group, Russian in origin, has developed a new backdoor for persistence and stealth. Dubbed TinyTurla, the previously unknown backdoor is simple in design but suitable for particular purposes: dropping payloads and staying under the radar if Turla’s primary malware is wiped from a compromised machine.

    Active since at least 2004, Turla, also known as Snake and Uroburos, is a sophisticated operation with a long list of high-profile victims in its portfolio. Past targets include the Pentagon, government and diplomatic agencies, military groups, research institutions, and more in at least 45 countries. Now, it appears the APT is homing in on the US, Germany, and also Afghanistan — the latter having been targeted before the Taliban took over the country and Western military forces pulled out. Talos says it is likely the malware was used in attempts to compromise the systems of the previous government.

    A sample acquired by the team revealed that the backdoor, which takes the form of a .DLL, was installed as a service on a Windows machine. The file is named w64time.dll, and as there is a legitimate Windows w32time.dll, it may not immediately appear to be malicious.

    Named “Windows Time Service,” the backdoor links to a command-and-control (C2) server controlled by Turla and contacts it over an encrypted HTTPS channel every five seconds to check for new commands or instructions. TinyTurla is able to upload and execute files and payloads, create subprocesses, and exfiltrate data. It may be that the backdoor’s functionality and code were kept limited on purpose, to avoid detection as malicious software. Talos says that the backdoor has been in use since at least 2020.

    “One public reason why we attributed this backdoor to Turla is the fact that they used the same infrastructure as they used for other attacks that have been clearly attributed to their Penguin Turla Infrastructure,” the researchers say. “It’s often difficult for an administrator to verify that all running services are legitimate. It is important to have software and/or automated systems detecting unknown running services and a team of skilled professionals who can perform proper forensic analysis on potentially infected systems.”

    Recently, Kaspersky researchers found code overlaps between Turla, the DarkHalo/UNC2452 APT, the Sunburst backdoor, and the Kazuar backdoor. While there are shared features between Sunburst and Kazuar, it is not possible to conclude with certainty any concrete links between the threat groups and these tools.
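    The Talos quote above argues for automated detection of unknown running services. As an added example, not Cisco Talos code and not taken from the article: a small Python audit that takes a service inventory (constructed here, with the legitimate w32time.dll beside a lookalike w64time.dll entry modelled on the article’s description) and flags services whose binary is outside a known-good baseline, sits in an unexpected directory, or whose file name or display name mimics a legitimate one. The baseline, the expected directories and the sample entries are assumptions made for the demonstration.

```python
"""Audit a Windows service inventory for unknown or lookalike service binaries.

Added example, not Cisco Talos code and not taken from the article. The
baseline, expected directories and the sample inventory are constructed
assumptions for the demonstration; a real deployment would take them from a
golden image and an export of the services (for svchost-hosted services the
DLL comes from the ServiceDll registry value, not the service's PathName).
"""
from dataclasses import dataclass
from difflib import SequenceMatcher
import ntpath

# Constructed baseline: legitimate binary file name -> display name.
KNOWN_GOOD = {
    "w32time.dll": "Windows Time",
    "svchost.exe": "Host Process for Windows Services",
    "spoolsv.exe": "Print Spooler",
    "lsass.exe": "Local Security Authority Process",
    "wuaueng.dll": "Windows Update",
}

# Directories where a service binary is expected to live (constructed).
EXPECTED_DIRS = {r"c:\windows\system32"}


@dataclass(frozen=True)
class Service:
    name: str          # short service name, e.g. W32Time
    display_name: str  # name shown in services.msc
    binary_path: str   # EXE or service DLL backing the service


def lookalike(candidate, reference, threshold=0.8):
    """True when two file names are similar but not identical (typo-squatting).

    difflib's ratio counts shared characters in order; w64time.dll against
    w32time.dll shares 9 of 11 characters, giving about 0.82.
    """
    if candidate == reference:
        return False
    return SequenceMatcher(None, candidate, reference).ratio() >= threshold


def audit(services):
    """Return a list of (service name, binary path, [reasons]) for suspect services."""
    findings = []
    for svc in services:
        fname = ntpath.basename(svc.binary_path).lower()
        directory = ntpath.dirname(svc.binary_path).lower()
        reasons = []
        if fname not in KNOWN_GOOD:
            reasons.append("binary not in known-good baseline")
        if directory not in EXPECTED_DIRS:
            reasons.append("binary outside expected directories")
        for good_file, good_display in KNOWN_GOOD.items():
            if lookalike(fname, good_file):
                reasons.append(f"file name resembles legitimate {good_file}")
            if good_display.lower() in svc.display_name.lower() and fname != good_file:
                reasons.append(f"display name mimics legitimate '{good_display}'")
        if reasons:
            findings.append((svc.name, svc.binary_path, reasons))
    return findings


# Constructed sample inventory: one legitimate time service, one lookalike
# modelled on the article's description, and an unrelated unknown binary.
SAMPLE_SERVICES = [
    Service("W32Time", "Windows Time", r"C:\Windows\System32\w32time.dll"),
    Service("W64Time", "Windows Time Service", r"C:\Windows\System32\w64time.dll"),
    Service("Spooler", "Print Spooler", r"C:\Windows\System32\spoolsv.exe"),
    Service("UpdateHelper", "Update Helper", r"C:\Users\Public\updhelper.exe"),
]

if __name__ == "__main__":
    for name, path, reasons in audit(SAMPLE_SERVICES):
        print(f"{name}: {path}")
        for reason in reasons:
            print(f"    - {reason}")
```

    Run as a script, the audit flags W64Time (not in the baseline, file name close to w32time.dll, display name containing “Windows Time”) and UpdateHelper (unknown binary outside System32), and stays quiet on the two legitimate entries. A baseline check alone would miss nothing here, but the lookalike tests are what turn a bare “unknown service” into a lead an analyst can act on.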

  • Siemens Energy launches AI solution to fight industrial cybercrime

    Siemens Energy has launched a new solution for monitoring and responding to cyberthreats against the Industrial Internet of Things (IIoT).

    The industrial sector is undergoing a rapid shift from legacy, separate, on-the-floor systems to connected platforms that utilize IoT for maintenance, monitoring, and to collect data suitable for operations and future business decisions, in what is known as IIoT or Smart Factory (Industry) 4.0.

    However, when you create networks and bring devices online, you run the risk of allowing threat actors access unless adequate protection is in place. As IoT continues to accelerate and operational technology (OT) becomes smarter, companies need to make sure they manage and secure endpoints and industrial networks to mitigate the risk of damage, data theft, and disruption caused by external entities.

    On Tuesday, Siemens said a new offering, dubbed Eos.ii — not to be confused with the blockchain protocol EOS.IO — is an artificial intelligence (AI) and machine learning (ML) Security Information and Event Management (SIEM) platform that “provides CISOs with an evergreen foundation for industrial IoT cybersecurity.” The platform collects and collates data flows from IIoT endpoints for use by security teams, with insights brought together in one interface. The data flows are also standardized to reduce complex or junk data, and Siemens says this will give analysts a better chance of spotting anomalous behavior “that might represent a cyberthreat.”

    Furthermore, Eos.ii will automatically tailor defensive practices and prioritize high-impact events with the assistance of ML algorithms.

    “As new threats emerge, Eos.ii seamlessly integrates their known characteristics into automated defenses, and allows for easy manual updates to its rules-based detection engine,” said Leo Simonovich, VP and Global Head of Industrial Cyber and Digital Security at Siemens. “With Eos.ii, defenders spend less time on routine tasks and more time conducting powerful investigations.”

    Siemens has produced a whitepaper (.PDF) describing the impact of IIoT cyberattacks and Eos.ii’s place in protecting today’s industrial systems.

  • iOS 15 lets you spy on apps that might be spying on you

    Apple is cracking down on how apps access your private data, such as location data, photos, camera, microphone, as well as what domains the apps are communicating with. And part of that is giving users the ability to find out what the apps that they have installed are up to.

    With this in mind, iOS 15 and iPadOS 15 have a new feature that allows users to gather information on what apps are up to. But you have to turn the feature on yourself. This new feature is called Record App Activity.

    To find this feature, fire up Settings and go to Privacy, and scroll all the way down to the bottom where you’ll find Record App Activity. Tap on this and you get into Record App Activity, and as the name suggests, this allows you to record what apps are up to. But you first have to turn the feature on by sliding the toggle switch. Then you have to wait a few days for a report to be generated.

    Alternatively, you can export a JSON file that can be opened by any text editor, but this is quite a clunky method for the average user.

    What’s interesting is that Apple has documentation aimed at developers about this feature. This goes into depth about what data this feature records. Digging into this, it seems that this records each time an app accesses one of the following:

      • The user’s photo library
      • A camera
      • The microphone
      • The user’s contacts
      • The user’s media library
      • Location data
      • Screen sharing

    It also records what domains any app accesses and how many times they are accessed.

    In short, it’s quite a deep dive into what’s going on, but it’s important to note that you don’t get to know what specific data was accessed. While this is a great start in keeping app developers honest, I hope that more features and in-depth analysis will be added in future updates.

  • Trend Micro launches first data centre region in Australia

    Trend Micro has announced the launch of its first Australian Cloud One regional data centre in Sydney. The launch means all of Trend Micro’s SaaS services are now locally hosted in Australia in an Amazon Web Services data centre.

    Speaking to ZDNet, Trend Micro ANZ VP Ashley Watkins explained the move would better serve local customers, especially government and ASX100 companies that are bound by strict compliance and data sovereignty policies.

    “What has become clear is that our customers love our Cloud One product, but what was really clear about that feedback was, we want it to also be able to have it locally please because we are governed by requirements, be they regulatory, be they be policy-based requirements … so we’re really answering the call of our customers,” he said.

    At the same time, Watkins acknowledged the decision to host its services locally was timely given the increase in digital transformation projects across Australia. Trend Micro SaaS services offered to Australian companies historically have been stored in the United States. The launch of its first Sydney region is expected to be one of many globally for Trend Micro, including “several” across Asia-Pacific.

    The last time the security giant invested in the Australian market was when it picked up the Australian-based cloud security posture management firm Cloud Conformity for $70 million in 2019. At the time, the company touted the move as helping to address commonly overlooked security issues caused by cloud infrastructure misconfigurations. As part of the acquisition, all Cloud Conformity staff joined the company, and Watkins has since grown the team.

    “We’ve retained [all the staff] and we’ve now more than tripled the Conformity team, from R&D to services. It’s a huge space globally for Trend Micro that has been running that business out of Australia,” he said.

  • Iowa farm services provider hit with BlackMatter ransomware and $5.9 million ransom

    New Cooperative — an Iowa-based farm service provider — has been hit with a ransomware attack, continuing a streak of incidents affecting agricultural companies this year. The company did not respond to requests for comment but confirmed to Bloomberg News that it was suffering from a “cybersecurity incident” that impacted some of its devices and systems. They told Bloomberg reporters that they took systems offline to “contain the threat.”

    Ransomware expert Allan Liska shared screenshots of the BlackMatter ransomware leak page with ZDNet, showing the group had troves of financial documents, network information for multiple companies involved with New Cooperative, the social security numbers and personal information of employees, R&D files and the source code for a farmer technology platform called Soil Map. The ransomware group claims to have 1,000GB of data and has set a timer that it says expires at noon on September 25. Liska confirmed that other documents show BlackMatter is demanding a $5.9 million ransom.

    On social media, multiple security researchers leaked chats between negotiators for New Cooperative and BlackMatter operators. Representatives for New Cooperative repeatedly say they are part of the much-discussed “16 critical sectors” that US President Joe Biden said were off-limits to ransomware actors in conversations with Russian President Vladimir Putin. In addition to saying they were part of the country’s critical infrastructure, they noted that there would be “public disruption” to the grain, pork and chicken supply chain if they are not back up and running.

    The BlackMatter threat actors refuse to back down, saying only financial losses will be incurred from the attack. The chats also show that New Cooperative said they would have no choice but to contact CISA if they are not back up and running within the next 12 hours. CISA did not respond to requests for comment, but the company told multiple outlets that law enforcement had already been contacted.

    Reuters reported that the cooperative is involved in a variety of aspects of the grain business, including running grain storage elevators, selling fertilizer, buying from farmers and providing technology to farmers. Don Roose, president of US Commodities in West Des Moines, Iowa, told the outlet that this was an especially important week for farmers because this is when harvests begin to ramp up, particularly for crops like soybeans. According to Bloomberg, New Cooperative said it is working with its customers to get grain to animals while they try to restore their systems.

    Despite the warnings from the White House, ransomware groups have not stopped their attacks on the agriculture industry. Earlier this month, the FBI released a notice warning companies in the food and agriculture sector to watch out for ransomware attacks aiming to disrupt supply chains.

    “Food and agriculture businesses victimized by ransomware suffer significant financial loss resulting from ransom payments, loss of productivity, and remediation costs. Companies may also experience the loss of proprietary information and personally identifiable information and may suffer reputational damage resulting from a ransomware attack,” the FBI said.

    The notice goes on to list multiple attacks on the food and agriculture sector since November, including a Sodinokibi/REvil ransomware attack on a US bakery company, the attack on global meat processor JBS in May, a March 2021 attack on a US beverage company and a January attack on a US farm that caused losses of approximately $9 million.
    JBS ended up paying an $11 million ransom to the REvil ransomware group after the attack caused meat shortages across the US, Australia and other countries. In November, the FBI also cited an attack on a US-based international food and agriculture business that was hit with a $40 million ransom demand from the OnePercent Group. The company was able to recover from backups and did not pay the ransom.

    Former CIA cyber official Marcus Fowler told ZDNet that the attack on New Cooperative is the fourth crippling and high-profile attack on US critical infrastructure in recent months. Fowler noted that while the Biden Administration can aspire for certain sectors to be off-limits from hackers, significant parts of the US’ infrastructure and businesses are interconnected, making it nearly impossible to separate critical from non-critical industries.

    “What’s more, if BlackMatter truly is DarkSide 2.0, then this is evidence that the President’s talks and warnings have had little impact. Based on the details currently available, there are striking parallels between this attack and the recent campaigns against Colonial Pipeline and JBS,” said Fowler, who is now director of strategic threat at cyber firm Darktrace. “Just like in these instances, New Cooperative took their operational technology (OT) systems offline as a precautionary measure to an IT side attack. We still need to get better at securing OT.”

    Jake Williams, CTO at BreachQuest, noted that BlackMatter appears to be a spinoff of the REvil group and has been actively recruiting for initial access into victim networks in recent months. But others, like Lookout senior manager Hank Schless, said BlackMatter appears to be associated with DarkSide, the group behind the attack on Colonial Pipeline. Other experts said ransomware groups were ignoring the warnings of law enforcement because of how lucrative and costly ransomware attacks are on companies in the agriculture industry.

    “Companies working in the agricultural sector are particularly susceptible to ransomware activity as the harvest and fertilization of crops is highly sensitive to external factors; this typically involves weather changes and time of the year, however any delays caused by a ransomware attack could result in a significant loss of productivity and in turn lead to huge amounts of crops being wasted,” said Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows. “The attack also comes at a time where COVID has resulted in a global shortage of truck drivers, which is impacting food supply chains.”

    Curtis Simpson, CISO at Armis, added that the food and agriculture industry is heavily reliant upon connected machinery to power key aspects of the business. These connected machines are growing targets for bad actors due to most companies’ limited visibility into risks and threats impacting these assets, their overall level of exposure to attacks (including through the exploitation of connected machines), and the high likelihood of being paid a ransom if the attack even approaches, let alone impacts, machine-driven operations.

    “Much of the food and agriculture supply chain is also enabled by small operations. Some of these operations were already strained by the pandemic and any such attack could simply knock them out of business for good. Once again, as this happens, downstream operations ranging from foodservice providers to restaurants to hospitals and consumers will all have issues sourcing products,” Simpson said.

  • Cloud security company Threat Stack acquired by F5 for $68 million

    F5 Networks, one of the world’s largest providers of enterprise networking gear, announced on Monday that it is acquiring cloud security company Threat Stack for $68 million. F5 said it was eager to meld its application and API protection tools with Threat Stack’s cloud security solutions to “enhance visibility across application infrastructure and workloads.”

    Haiyan Song, executive vice president of Security at F5, said Threat Stack brings technology and talent “that will strengthen F5’s security capabilities” and further the company’s adaptive applications vision with broader cloud observability and actionable security insights for customers. “Applications are the backbone of today’s modern businesses, and protecting them is mission-critical for our customers,” Song said.

    In a statement, F5 said it would be acquiring all issued and outstanding shares of the Boston-based Threat Stack and noted that the $68 million purchase would be financed with balance sheet cash. F5 expects to deliver revenue in the range of $660 million to $680 million for the current quarter and said the new acquisition will add about $15 million in revenue for fiscal year 2022, with no change to F5’s previously stated operating margin targets for fiscal year 2022. The deal is expected to be finalized in F5’s first quarter of fiscal year 2022, ending December 31, 2021.

    In January, the company spent half a billion dollars to acquire Volterra, a maker of distributed multi-cloud application security and load-balancing software. F5 noted that attacks targeting applications are now costing businesses $100 billion per year, prompting the need for improved security around the environments where they are distributed.

    “A core tenet of adaptive applications is their capacity to protect themselves by detecting and mitigating threats in real-time. Threat Stack’s proactive risk identification and real-time threat detection combined with the breadth of F5’s application insights and controls will accelerate the delivery of this capability for our customers,” F5 explained.

  • Phishing attacks: Police make 106 arrests as they break up online fraud group

    Police have dismantled an organised crime group linked to the Italian mafia which defrauded hundreds of victims through phishing attacks and other types of online fraud. The joint operation was led by the Spanish National Police (Policía Nacional), with support from the Italian National Police (Polizia di Stato), Europol and Eurojust, and has resulted in 106 arrests across Spain and Italy.

    According to Europol, the crime operation used phishing, SIM swapping and BEC attacks, and it’s estimated that this led to profits of around €10 million ($11.7 million) during last year alone. Described as “very well organised”, the group included a number of experts in computer crime tasked with creating phishing domains and carrying out cyber fraud. Other individuals involved in the criminal network included money mules and money laundering experts, including experts in cryptocurrency.

    Working out of the Canary Islands, Spain, the criminals tricked victims – mostly from Italy – into sending large sums of money to bank accounts they controlled, before laundering the proceeds through money mules and shell companies. Business Email Compromise (BEC) is one of the most lucrative forms of cyber crime, costing businesses billions a year, according to the FBI.

    In addition to the 106 arrests, 118 bank accounts have been frozen and a number of devices have been seized, including 224 credit cards, SIM cards and point-of-sale terminals.

    Police were investigating the group for over a year before making arrests. As part of the operation, Europol deployed two analysts and one forensic expert to Tenerife, Spain, and one analyst to Italy. Europol also funded the deployment of three Italian investigators to Tenerife to support the Spanish authorities during the action day.

  • Trust, but verify: An in-depth analysis of ExpressVPN's terrible, horrible, no good, very bad week

    ExpressVPN has been all over the news for the past week, and not in a good way. Because we recommend ExpressVPN here at ZDNet as one of the top VPNs out there, I’ve gotten a flood of reader questions asking for an objective read on the news. In this article, I’ll do my best.

    Sitrep

    Let’s start with a sitrep (situation report). There are two key items which are tangentially related.

    The first item is that Kape Technologies has announced plans to acquire ExpressVPN for $986 million. I do have concerns about this because Kape was once considered a malware provider. I’ll talk more about this in a bit. The second item is a report in Reuters indicating that ExpressVPN CIO Daniel Gericke is among three men fined $1.6 million by the US Department of Justice for hacking and spying on US citizens on behalf of the government of the UAE (United Arab Emirates).

    I’ll discuss each of these reports individually, and then share with you some thoughts about how these situations might impact your decision to use (or not use) ExpressVPN.

    Kape Technologies

    Kape Technologies has had quite a convoluted history. According to a report in Forbes, a company called Crossrider was formed in 2011 by “billionaire Teddy Sagi, a serial entrepreneur and ex-con who was jailed for insider trading in the 1990s. His biggest money maker to date is gambling software developer Playtech,” and Koby Menachemi. Menachemi was a developer for Unit 8200, an Israeli signals intelligence unit responsible for hacking and collecting data (think of it as part CIA, part NSA, and part high school, because the unit hires and trains teenagers in hacking and coding skills).

    Crossrider’s business was ad injection. Remember back in the day when companies like Yahoo tried to convince you to download their browser extension with their search bar? Crossrider’s business was creating tools that allowed them to inject ads into other companies’ web pages, sometimes overriding even ads that were paid to run on the sites that were being compromised. Ad injection skirted the line between just being scummy and being malware. Forbes reported that Symantec’s anti-malware identified software based on Crossrider’s product as malware, in part because the product effectively stole the ad revenue from the sites its users visited, and in part because it collected whatever data it could find in the process.

    According to Publift, an ad partnering service founded by ex-Googlers, the ad injection business is still out there. But Google has been fighting it for about five years now, meaning it’s not nearly as lucrative a business as it once was.

    According to a 2018 report in the Israeli business daily Globes, Kape Technologies was a rebranding effort on the part of then relatively new Crossrider CEO Ido Erlichman. Crossrider’s share price had fallen to a low of £0.27 on the London Stock Exchange and the company was seeking a new strategy. What better strategy for a company dedicated to siphoning users’ data and eyeballs than to branch out into the one area of cybersecurity where users are obsessed with anonymity and information security? You can cut the irony with a knife.

    In any case, the newly renamed Kape Technologies set out on an acquisition binge. The company started buying in 2017, acquiring CyberGhost VPN for about $9 million. Next, in 2018, came Mac antivirus company Intego for $16 million. A few months later, Kape gobbled up another VPN provider, ZenMate, for about $5 million. A year later, in 2019, Kape spent $95 million for Private Internet Access, one of the best known VPN providers at the time.

    After a 2020 IPO on the London Stock Exchange (which raised $115 million), and a year of record earnings where the pandemic and work-from-home cybersecurity concerns drove VPN demand, Kape was riding high. Back in March of this year, the company bought Webselenese for $149 million. This is worthy of further discussion.

    At first glance, it’s tough to pin down what Webselenese does. The company describes itself as “an online platform specialising in consumer-focused privacy and security content.” What does this mean? According to investment site The Twenties Trader, Webselenese owns two very high profile review sites, VPNMentor and Wizcase. According to Alexa (Amazon’s traffic monitoring service, not Amazon’s voice assistant — I know, it’s confusing), VPNMentor has a rank of 5,807. Wizcase has a rank of 7,280.

    Are you seeing where this is going? Adware provider pivots to become a provider of VPN services, then that company buys up two of the largest VPN review sites on the internet. Does anyone think those reviews will remain unbiased? According to site RestorePrivacy.com (which itself traffics in VPN reviews), VPN rankings on both VPNMentor and Wizcase changed in Kape Technologies’ favor just as soon as Kape bought Webselenese. Can you spell “conflict of interest?” Sure. I knew you could.

    And then, last week, Kape siphoned up ExpressVPN for $936 million, its biggest deal to date. With Kape’s somewhat sordid history, you can see the concern.

    I’ll mention one other issue about Kape, and then we’ll move on. Last year, my CNET colleague Rae Hodge did an extensive analysis of Kape Technologies. At the time, she was looking at Kape as it pertained to its ownership of CyberGhost. But one thing she pointed out should be a concern. She pointed out that even after the change from Crossrider to Kape, “Kape still operated the infamous scareware Reimage — a potentially unwanted program that positions itself as a computer performance enhancer but which has been known to signal false positives on security threats in order to persuade you to pay for its premium service.” She also pointed out that as recently as 2019, “new Crossrider-Kape mutations have been cropping up on the web.” So, there’s that. Now let’s get to know Daniel Gericke a little better.

    ExpressVPN CIO Daniel Gericke

    Last week, as a completely separate story from Kape’s acquisition of ExpressVPN, Reuters reported that, “Three former U.S. intelligence operatives who worked as cyber spies for the United Arab Emirates admitted to violating U.S. hacking laws and prohibitions on selling sensitive military technology.” They were Marc Baier, Ryan Adams, and…Daniel Gericke. Gericke, as it turns out, is also ExpressVPN’s CIO. Baier, Adams, and Gericke were not good boys.

    They were hired guns for a special intelligence unit set up by the United Arab Emirates (UAE) to gather intelligence on journalists, activists, dissidents, and rival governments. According to some excellent in-depth reporting by Reuters, Project Raven was a substantial effort, using money from Arab royalty to hire at least a dozen former NSA and CIA operatives to hack into networks in the US and other countries on behalf of their clients. Remember Project Raven. We’ll come back to that in a bit, with even more irony.

    Unfortunately, Gericke doesn’t have a profile on LinkedIn. There is a profile for a Daniel Gericke listing his sole position as “IT Director at Professional Corporation,” so if that’s our Daniel, it’s not much to go on. The most we know is in the 1,563-word statement issued by ExpressVPN regarding Mr. Gericke. ExpressVPN said it hired him in 2019. It did not say whether he was still doing work for Project Raven or the UAE at that time.

    If you’re deeply interested in this, the best thing to do is read ExpressVPN’s statement. It’s a bit of a marvel. It goes on to say that the company knew Gericke was involved in spy stuff, but did not know about anything illegal, immoral, or fattening. The company explains that it’s necessary to hire someone “steeped and seasoned in offense” in order to build the best defenses. Then it goes on to state how it protected its services from corruption from within and has subsequently hardened its services against external attack. As of September 17, the company reaffirmed its support of Gericke and did not indicate any plans to terminate him.

    Edward Snowden and his glass house

    Y’all remember Edward Snowden? Back in 2013 and 2014, Snowden used up a lot of my column inches. For those of you doomed to forget history, Edward Joseph Snowden was a former NSA employee and CIA contractor who stole and then leaked more than a million top secret documents from the governments of the United States, Australia, and Great Britain. After the leak, he ran from the US to Hong Kong, and then from Hong Kong to Russia, where he received asylum after living in the Sheremetyevo Alexander S. Pushkin International Airport for about 40 days and 40 nights. In 2020, Snowden applied for and was granted permanent residency in Russia. He then went on to apply for dual Russian-American citizenship in December of that year.

    In the years since his theft and escape to Russia, Snowden has made quite the name for himself. A movie was based on his exploits. And he makes a living doing remote speaking engagements for willing and credulous audiences.

    So how did Mr. Snowden wind up in our story? As it turns out, he weighed in on ExpressVPN and Daniel Gericke when the news broke last week. On September 15, he tweeted, “If you’re an ExpressVPN customer, you shouldn’t be.” This came out the day after the Reuters report on Gericke and ExpressVPN and was picked up by media sources across the internet.

    You’ve probably heard the phrase, “people who live in glass houses shouldn’t throw stones.” Well, here’s Snowden’s glass house. According to Reuters’ in-depth report on Project Raven, two months before Snowden’s fateful theft of US government top secret information, he was recommended for work at military contractor Booz Allen Hamilton (which then subcontracted him out to the three letter agencies) by Lori Stroud, who herself was later recruited to Project Raven by Marc Baier. Baier worked at NSA Hawaii along with Snowden. Baier was also one of the three men indicted by the Justice Department along with ExpressVPN’s Gericke.

    So, as we wade deeper into irony, we have a former NSA operative who stole millions of documents from the US Government and ran to Russia, who is complaining about the employer of a former colleague of a former colleague, both of whom were involved in shady activities, but nothing as vastly criminal as his own actions.

    What now?

    Okay, so now you’re up to date. You know about the company that just acquired ExpressVPN and its somewhat shady past and, at the very least, unethical juking of the stats when it comes to VPN reviews. You know about the background of ExpressVPN’s CIO. But what of ExpressVPN itself? The key question is, should you use it or skip it?

    What I use

    One of the most frequently asked questions I get is which VPN service I use. This week, it’s been all about whether I’m going to stop using ExpressVPN as my VPN service. Here’s the hard truth: I don’t use a commercial VPN service. I don’t like the idea of my data going through any of the VPN players’ servers. But I’m a bit of an outlier. I’ve long run my own bare-metal Linux VPN server network located across a few cloud infrastructure providers. I’ve been hacking my own Linux kernel mods for years, and I’m just as comfortable spinning up a series of servers that bounce traffic as I am making a cup of coffee in the morning.

    I do test all the VPN services I review, but only for a limited time, and only on dedicated test machines. Any that I have concerns about have been documented in my reviews. So far, at least among the top players, I haven’t found anything much worse than a VPN connection indicating that the connection is routing through a VPN. But it’s important to note that I personally only use a VPN for communication security at airports, hotels, and coffee shops — which I’m visiting a whole lot less these days. I don’t have any need to obfuscate my location in order to illegally route around sports viewing restrictions, or to cheap out and not pay for new episodes of Star Trek Discovery or Picard. I am also not a dissident, or someone running from an abusive relationship. I don’t do financial transactions online when away from my home network. As such, I don’t need all the services and all the clients offered by many of the VPN service providers I’ve profiled. None of the VPN services I recommend are bad — I just don’t need them in my day-to-day life because I built my own. But what about ExpressVPN?

    What about ExpressVPN?

    Do these revelations change anything? To answer that for yourself, you’ll need to ask yourself three questions.

    How good is ExpressVPN for my needs?

    When I looked at ExpressVPN, I called it “an easy-to-use VPN with middle-of-the-road everything.” I did find that an ExpressVPN connection routed through Security Firewall Ltd, a firm with a surprisingly high Google fraud rating. ExpressVPN reached out to say that Security Firewall is just one of many companies it leases infrastructure from, and its network is secure. You can read the company’s statement in my review.

Overall, I didn’t find that ExpressVPN was the fastest or the cheapest VPN, but it did have great documentation, support for a whole lot of clients, a nice user interface, and was easy to set up. So, from a functional point of view, it’s fine. Not great, but generally good enough.

Will the Kape acquisition change things?

Kape has genuinely been going hard after acquiring cybersecurity companies. I’d be comfortable with its pivot (we all did things in the past we regret) if it weren’t for the Webselenese acquisition this year. Acquiring those review sites for $149 million just has terrible optics. I reviewed both CyberGhost and Private Internet Access well after their acquisition by Kape, and both products were good.

Kape has had a past that’s at odds with the mission of a VPN provider. Kape, back when it was Crossrider, liked to hoover up users’ data, probably to sell to advertisers. Will it continue to do so? I don’t know, but it’d be really foolish if it did. The VPN market is a vastly more profitable business than ad informatics, and Kape’s VPN brands are now its golden geese. It’d be insane to risk those cash cows (I know, the mixed metaphor hurts) in favor of selling out its users’ data.

What about keeping Gericke on staff?

The company’s blog post went to great lengths to show how it is restricting Gericke’s access so he won’t do baaaad things. But I agree with the premise that you need some offensive warriors when you’re at war. I’m not sure Gericke should stay as the company’s CIO with any infrastructure responsibility, but keeping a stable of folks who know and understand the enemy is important in this business.

So what’s the bottom line?

One thing I’m asked regularly is whether or not ExpressVPN (or any other VPN) is going to share information with the FBI (or name your favorite intelligence agency).
The prevailing wisdom is that VPN vendors located outside the various “Eyes” intelligence sharing treaties are somehow safer for those hiding information from government access. This is generally not true. As I discussed in my analysis of NordVPN, most VPN providers have enough of a footprint in MLAT treaty countries that if a three-letter agency wants your information, it’ll get it. So, unless you’re a very serious dissident (or, I guess, a criminal) on the run from the government, the whole issue of jurisdiction is merely VPN theatre for the benefit of good marketing hype.

And if you are relying on a VPN service to protect your life and freedom, why are you relying on something you read online for your truth? I just showed you that the biggest VPN review sites are owned by a VPN conglomerate. You need to do some very serious investigation and testing on your own if you want to be truly safe.

If you’re currently using ExpressVPN for general-purpose safe computing (like checking your mail at the local coffee shop) and you like it, I wouldn’t say you should give it up. If you’re relying on any of the Kape brands for a life and death situation, I’d say it’s probably not worth the risk. If you’re shopping for a VPN, read all the reviews and try them out. Most give you thirty days, so see how they actually work for you. Again, I wouldn’t necessarily dismiss ExpressVPN out of hand because of these reports, but it’s up to you to gauge your risk level.

In the mid-1980s, US president Ronald Wilson Reagan was preparing for a summit with Soviet president Mikhail Sergeyevich Gorbachev and wanted to bond with his Soviet counterpart. When Reagan spoke with Russian history scholar Suzanne Massie, an American, she introduced him to the phrase doveryai, no proveryai. In English, that’s trust, but verify. Reagan apparently liked the phrase so much that he overused it, much to the annoyance of Gorbachev. In any case, that’s how I recommend approaching ExpressVPN: trust, but verify.
We’ll keep an eye on how the company behaves. Does Kape do anything else that indicates its moral compass is askew? Does Gericke’s access become more limited, or does he leave the company? Does data secured by ExpressVPN turn out to be less secure? I don’t believe we need to pillory ExpressVPN just yet. All the bad news is tangential to its operations. But I’d advise the company to walk very carefully, to hold its new masters at Kape accountable, and to both know where the line is and stay firmly on the angels’ side of that line.

You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.