More stories


    Best Mac VPN 2021: VPN services for Apple devices

    Because I write so often about VPNs, I tend to get a lot of reader questions. In this article, I’m going to do my best to answer questions from readers about using a VPN on a Mac. I’m also going to recommend VPNs that all must have a certain set of specs: a kill switch, no leaking, and speed. These are our table stakes for recommendations. The VPNs below allow five or more simultaneous connections as well, so if you have an iPhone and an iPad as well as a Mac, you can protect all three with one license. With that, let’s dive in.

    Heavy hitter in the VPN market

    Mac, iPad, iPhone: Yes, yes, and yes
    Simultaneous connections: 6
    Kill switch: Yes
    Logging: Email address and billing information only
    Trial: 30-day refund guarantee
    Countries: 60
    Best price: $89 for two years ($3.30 per month)

    NordVPN is one of the heavy hitters in the VPN market. In our aggregate speed test ranking, it came in first overall. We found that Nord’s user interface was crisp and clean, and the product was quick and easy to install. It also doesn’t get in the way: it runs when you want it to, but you can quickly shut it off when you’re back at home or in the office.

    Full review: NordVPN review: A market leader with consistent speed and performance

    We were quite intrigued by the five specialty server types offered: P2P, Double VPN, Dedicated IP, Onion Over VPN, and Obfuscated. Obfuscated servers disguise VPN traffic so that a network trying to detect and block VPN use has a harder time spotting it. The Double VPN feature is designed to run your data through a second VPN server, and while that’s a great idea, I found it was unreliable in real-world usage.

    Beyond the Apple platforms, NordVPN supports Windows and Android, and it has clients for a huge number of other platforms, from Windows XP through Raspberry Pi, Synology, Western Digital and QNAP NAS boxes, Chromebooks, a whole bunch of routers, and more.


    Among the fastest VPNs tested

    Mac, iPad, iPhone: Yes, yes, and yes
    Simultaneous connections: 5
    Kill switch: Yes
    Logging: No
    Trial: 45-day refund guarantee
    Countries: 80
    Best price: $95.88 for one year ($7.99 per month)

    Hotspot Shield came in second in our aggregate performance ranking, but only because its performance was somewhat inconsistent. For some testers (myself included), Hotspot Shield was among the fastest VPNs tested. I actually found that some connections increased in speed when using Hotspot Shield, which feels almost like a violation of the laws of physics. But for other testers, performance was lower.

    Full review: Hotspot Shield review: Here’s a VPN that actually lives up to its hype

    That’s why we always recommend you take advantage of return policies and test actively before your money-back time is up.

    Hotspot Shield achieves its rather unexpected performance gains because it uses its own proprietary network and protocol. Those who love debating VPN protocols might be disappointed because “Catapult Hydra” is your only choice, and because it is proprietary there is no public specification or independent implementation to audit, as there is for OpenVPN or WireGuard. Weigh that against the speed. But don’t let it keep you away, because — at least from America to other countries, which is how I tested — it works.

    Client installs were straightforward. You can’t modify some options until after you connect, which is vaguely annoying. But it gets the job done, and its speed, if it works for you, is something to behold.


    Payment via Bitcoin available for utmost anonymity

    Mac, iPad, iPhone: Yes, yes, and yes
    Simultaneous connections: 5
    Kill switch: Yes
    Logging: No
    Trial: 30-day refund guarantee
    Countries: 94
    Best price: $99.95 for one year (about $8.32 per month)

    ExpressVPN came in third in our aggregated performance testing. In one way it was more like NordVPN than Hotspot Shield, in that the standard deviation was low, meaning the performance numbers were generally consistent across all testers; Hotspot’s numbers varied considerably across testers.

    Full review: ExpressVPN review: A fine VPN service, but is it worth the price?

    Unlike Hotspot Shield, ExpressVPN offers a 30-day money-back guarantee (the same as NordVPN), not a 45-day one. That’s not too much of a loss, because if you make testing a priority you can certainly determine whether ExpressVPN works for you within a month.

    One standout benefit ExpressVPN offers that the others don’t is payment via Bitcoin. If you want to remain as anonymous as possible, Bitcoin payment makes sense, with one caveat: Bitcoin is pseudonymous rather than anonymous. It raises the cost of linking the account to you; it does not eliminate the link if the coins themselves can be traced back to you.

    Oddly enough, the company advertises that its one-year plan bills at $99.95, but then lists a per-month fee of $8.32. 8.32 times 12 is 99.84, not 99.95. Eleven cents doesn’t really matter, but math clearly isn’t someone’s strong suit.

    One feature I really liked was the network-wide speed test. Once in the client, you can tell ExpressVPN to scan its entire network and report the speed of each server. It takes a few minutes, but it’s great not only for picking the fastest server but for getting a feel for network performance overall.

    On the downside, we ran into a weird security issue with something called Security Firewall Ltd. I recommend you read the review, as well as ExpressVPN’s response, to decide whether this is of concern to you.

    I liked ExpressVPN. It was a breeze to set up and configure. I like how you can determine server speed across the entire network, and searching, saving, and configuring locations is dead simple. If you’re using a VPN to protect your coffee shop surfing, it’s fine. But if you’re using a VPN to protect your location to protect your life, I’d think twice.


    So there you go. Three VPNs with well-considered configurations for Macs, iPhones, and iPads.

    Do I even need a VPN on a Mac?

    This question comes up because the Mac is often considered more secure than Windows. By virtue of both its smaller installed base (making it a less attractive target for malware authors) and Apple’s tight control over hardware/software integration, the Mac is somewhat more secure than Windows, and less malware runs on the platform.

    But you don’t use a VPN primarily to protect against malware. You use a VPN to protect the data you transmit and receive on networks you don’t control, and to keep the sites you visit from determining your location. Apple will be offering iCloud+ Private Relay when macOS Monterey comes out in the fall, and while that does offer some protection, it’s not a full VPN: it covers Safari browsing, DNS lookups and unencrypted HTTP from apps, not all of every app’s traffic.

    So, yes, you need a VPN on the Mac if you want to protect your communications when you’re out and about, and your location any time you don’t want anyone to know where you are.

    How should I choose a VPN for my Mac?

    This comes from a question some readers ask: whether they should limit their VPN choices to products sold on the Mac App Store, on the theory that programs built expressly for the Mac tend to integrate better.

    You definitely want a VPN client that is well integrated into the Mac, but the Mac App Store puts some limitations on how a VPN can function: App Store apps are sandboxed and have to build the tunnel on Apple’s NetworkExtension framework rather than shipping their own kernel extensions or privileged helpers. While I wouldn’t necessarily shy away from Mac App Store VPNs, being in the store isn’t necessarily a plus either.

    When you choose a VPN, the most important factor is going to be the security infrastructure of the VPN provider, because you’re not just installing an app; you’re adopting a network, and every packet you send will cross it. Look for VPNs with clean, responsive clients; a kill switch that blocks traffic if the tunnel drops, so nothing leaks over the bare connection; fast start and stop; a network that hides your location and traffic and doesn’t log your surfing behavior; and good throughput.
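    The kill switch is the one feature on that list worth verifying rather than taking on faith, and on a Mac you can enforce it yourself underneath whatever the client does. The following is an added example, not configuration from any of the reviewed products: a macOS pf anchor that implements the rule a good kill switch enforces, namely that nothing leaves the physical interface except the tunnel setup itself, so when the tunnel drops the traffic is blocked rather than silently falling back to the bare connection. The tunnel interface utun3, the physical interface en0, the endpoint 203.0.113.10 (a documentation-range address) and UDP port 1194 are placeholders to replace with the values your client actually uses (check ifconfig and the client’s connection details while connected); the anchor file path is hypothetical.

```pf
# /etc/pf.anchors/vpn-killswitch  (hypothetical path; added example, not a vendor file)
# Macros are placeholders: set them from your own connected session.
vpn_if  = "utun3"          # tunnel interface the VPN client created
lan_if  = "en0"            # physical interface (Wi-Fi or Ethernet)
vpn_srv = "203.0.113.10"   # VPN endpoint address (documentation range here)
vpn_prt = "1194"           # endpoint port; WireGuard is commonly 51820

# Default deny for everything leaving the machine, IPv4 and IPv6 alike.
# pf is last-match-wins, so the passes below override this only when they match.
block drop out all

# Loopback must keep working for local services.
pass out quick on lo0 all

# Keep DHCP so the physical link can renew its lease.
pass out quick on $lan_if proto udp from any port 68 to any port 67

# The only traffic allowed on the physical interface is the tunnel itself.
# DNS to the local resolver on en0 matches nothing here, so it cannot leak.
pass out quick on $lan_if proto udp to $vpn_srv port $vpn_prt

# Everything else rides the tunnel. If utun3 disappears, no pass rule matches
# and the default deny holds: that is the kill switch.
pass out quick on $vpn_if all
```

    Reference the anchor from /etc/pf.conf after Apple’s own anchors with `anchor "vpn-killswitch"` and `load anchor "vpn-killswitch" from "/etc/pf.anchors/vpn-killswitch"`, then load and enable it with `sudo pfctl -f /etc/pf.conf -e` (`sudo pfctl -a vpn-killswitch -sr` lists what was loaded). To test it, disconnect the VPN and run `curl -m 5 https://example.com`: with the anchor loaded the request must fail, and so must name resolution, because port 53 on en0 matches only the default deny. Disable with `sudo pfctl -d` when you are back on a network you trust.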




    Time to update your iPhone as Apple fixes 'actively exploited' zero day flaw

    Apple has released iOS 14.7.1 and iPadOS 14.7.1 and revealed that the update fixes a previously unknown flaw that the company says appears to have been “actively exploited”. The company also released macOS Big Sur 11.5.1 to address the same issue in IOMobileFrameBuffer, a kernel extension shared across Apple’s platforms.

    A malicious app could execute arbitrary code with kernel privileges, Apple warns in both advisories. “Apple is aware of a report that this issue may have been actively exploited,” it says, noting that the memory corruption issue tagged as CVE-2021-30807 was reported by an anonymous researcher. Proof of concept exploit code has already been posted online.

    Separately, Saar Amar, a security researcher and member of the Microsoft Security Response Center (MSRC), revealed that he had independently discovered the now-patched bug in iOS four months ago. He says he didn’t report the issue to Apple earlier because he was working towards a high-quality bug report for Apple’s bug bounty program. After Apple disclosed the bug, he published detailed explanatory notes about the issues he found in IOMobileFrameBuffer. He notes that the bug “is as trivial and straightforward as it can get”, but adds that “the exploitation process is quite interesting here”, and offers more detail than Apple would ever provide in its advisories. Amar describes it as a local privilege escalation (LPE) vulnerability that can be triggered from the WebContent process, the sandboxed renderer at the core of Safari’s WebKit engine; in other words, an attacker who already controls the renderer, say through a WebKit bug, could use it to reach the kernel.

    The iOS/iPadOS update is available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).


    Half of vulnerabilities Singapore government finds via bounties, disclosures are valid

    Half of the security vulnerability reports the Singapore government received via bug bounties and public disclosure schemes have been ascertained to be valid. The public sector also recorded a 44% increase in data incidents over the past year, though none were assessed to be of “high severity”. The Singapore government reported 108 data security incidents in its fiscal 2020, which ended March 31 this year, compared to 75 in the previous year. Despite the increase, the breaches were determined to be either low or medium in severity, according to a report released Tuesday by the Smart Nation and Digital Government Office (SNDGO). The level of severity was assessed based on the incident’s impact on national security or national interests, and on an individual or business entity. There were five levels of severity, ranging from low to very severe.

    All data incidents also were addressed within 48 hours, the report stated. Singapore in April 2020 set up the Government Data Security Contact Centre to provide a channel through which members of the public could report data incidents involving government data or government agencies. In its first year of operation, the centre received 119 reports, six of which were flagged as data incidents requiring further investigation. The remaining 113 were not related to government data and were referred to the relevant departments for action, according to the report. These included queries on promotion calls and texts when the individual had opted out of the Do Not Call registry. The government also established a vulnerability disclosure programme in October 2019 for anyone to report vulnerabilities they found on the public sector’s online platforms and mobile applications, which are used by citizens and businesses. To further identify potential security holes, the Singapore government also ran several bug bounty programmes, which previously had involved the Ministry of Defence and GovTech.  

    As of March 2021, more than 1,000 vulnerability reports had been submitted through the security contact centre and bug bounties, of which 496 were determined to be valid, SNDGO revealed. The smart nation office noted that several initiatives were rolled out over the past couple of years to bolster the sector’s security posture. Highlighting those implemented between last October and March 31, 2021, the SNDGO said a privileged identity management (PIM) tool was implemented in November for the government’s commercial cloud infrastructure. “With more government systems migrating to the cloud as part of our “cloud-first” strategy, the Government Commercial Cloud PIM solution will ensure that access by privileged users [including] those whose roles require wide access to data, such as system administrators, will be secured and monitored to prevent unauthorised use of data,” SNDGO said.

    Data loss protection services were also being developed across the public sector, so that technical and process controls would be in place to detect anomalous activities, such as unexpected downloads of large data volumes to personal computers, that could indicate potential malicious activity. Implementation of these services would begin by end-2021. Civil servants also needed to be prepared to respond to data security incidents, the smart nation office said. In this respect, central ICT and data incident management exercises would be conducted involving multiple government agencies, with four ministries slated to participate in the first such exercise in September this year. This would be in addition to the cyber and data security incident exercises that all government agencies are required to hold every year, according to SNDGO.

    Last year also saw the highest number of complaints made to the Personal Data Protection Commission, which oversees the country’s Personal Data Protection Act (PDPA). Some 6,100 complaints were logged with the commission, compared to 4,500 in 2019 and 2,700 in 2018, noted the SNDGO report. Since the public sector is exempt from the PDPA, these complaints presumably pertain to potential data breaches involving only private organisations.

    Reported cybercrime cases accounted for almost half of all crimes in Singapore last year, with both ransomware and botnet attacks seeing significant spikes. The Singapore Computer Emergency Response Team (SingCERT) handled 9,080 cases, up from 8,491 in 2019 and 4,977 in 2018, according to the Singapore Cyber Landscape report released earlier this month. The number of reported ransomware attacks climbed 154%, to 89 incidents compared to 35 in 2019. These mostly affected small and midsize businesses in various sectors including manufacturing, retail, and healthcare.


    Malware developers turn to 'exotic' programming languages to thwart researchers

    Malware developers are increasingly turning to unusual or “exotic” programming languages to hamper analysis efforts, researchers say. 

    According to a new report published by BlackBerry’s Research & Intelligence team on Monday, there has been a recent “escalation” in the use of Go (Golang), D (DLang), Nim, and Rust, which are being used more commonly to “try to evade detection by the security community, or address specific pain-points in their development process.” In particular, malware developers are experimenting with loaders and droppers written in these languages, created to be suitable for first and further-stage malware deployment in an attack chain.  BlackBerry’s team says that first-stage droppers and loaders are becoming more common in order to avoid detection on a target endpoint, and once the malware has circumvented existing security controls able to detect more typical forms of malicious code, they are used to decode, load, and deploy malware including Trojans.  Commodity malware cited in the report includes the Remote Access Trojans (RATs) Remcos and NanoCore. In addition, Cobalt Strike beacons are often deployed.  Some developers, however — with more resources at their disposal — are rewriting their malware fully into new languages, an example being Buer to RustyBuer. Based on current trends, the cybersecurity researchers say that Go is of particular interest to the cybercriminal community. 

    According to BlackBerry, both advanced persistent threat (APT) state-sponsored groups and commodity malware developers are taking a serious interest in the programming language to upgrade their arsenals. In June, CrowdStrike said a new ransomware variant borrowed features from HelloKitty/DeathRansom and FiveHands, but used a Go packer to encrypt its main payload.  “This assumption is based upon the fact that new Go-based samples are now appearing on a semi-regular basis, including malware of all types, and targeting all major operating systems across multiple campaigns,” the team says.  While not as popular as Go, DLang, too, has experienced a slow uptick in adoption throughout 2021. By using new or more unusual programming languages, the researchers say they may hamper reverse-engineering efforts and avoid signature-based detection tools, as well as improve cross-compatibility over target systems. The codebase itself may also add a layer of concealment without any further effort from the malware developer simply because of the language in which it is written.  “Malware authors are known for their ability to adapt and modify their skills and behaviors to take advantage of newer technologies,” commented Eric Milam, VP of Threat Research at BlackBerry. “This has multiple benefits from the development cycle and inherent lack of coverage from protective solutions. It is critical that industry and customers understand and keep tabs on these trends, as they are only going to increase.”
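    Signature evasion by language choice cuts both ways: a Go binary sheds the signatures written for C-family loaders, but it carries runtime metadata of its own that survives stripping and that a defender can key on. The script below is an added triage example, not BlackBerry’s tooling: it scans a binary blob for the Go runtime’s pclntab (function and line table) header, whose leading 32-bit magic identifies the toolchain generation, and for the “Go build ID” marker the linker embeds. The magic constants are the ones used by Go’s runtime as recalled by the author of this example (verify against the Go source for the version you care about); the pclntab is kept even in stripped binaries because the runtime needs it for stack traces and garbage collection. The two sample byte strings are constructed to exercise the checks and are not real executables.

```python
"""Triage helper: flag Go-built binaries by runtime metadata.

Added example, not BlackBerry's code. Works on raw bytes, so it applies to
ELF, PE and Mach-O alike without parsing the container format.
"""
import re
import struct

# pclntab header magic (little-endian uint32) by Go toolchain generation.
# Values as recalled from Go's runtime/symtab.go; verify for your target.
PCLNTAB_MAGICS = {
    0xFFFFFFFB: "go1.2-1.15",
    0xFFFFFFFA: "go1.16-1.17",
    0xFFFFFFF0: "go1.18-1.19",
    0xFFFFFFF1: "go1.20+",
}

# Header layout shared by all generations: magic(4) pad(2, zero) quantum(1) ptrsize(1)
_HEADER = struct.Struct("<IBBBB")

# Linker-embedded marker: b'\xff Go build ID: "<id>"\n \xff'
BUILD_ID_RE = re.compile(rb"\xff Go build ID: \"([^\"]{1,200})\"\n \xff")


def find_pclntab(blob: bytes):
    """Return (offset, generation) of the first plausible pclntab header, else None.

    A bare 0xff run is common in any binary, so the pad bytes and the
    architecture fields are checked before a hit is accepted.
    """
    for magic, generation in PCLNTAB_MAGICS.items():
        needle = struct.pack("<I", magic)
        start = 0
        while True:
            off = blob.find(needle, start)
            if off < 0 or off + _HEADER.size > len(blob):
                break
            _, pad0, pad1, quantum, ptrsize = _HEADER.unpack_from(blob, off)
            # quantum = minimum instruction width (1 x86, 2 s390x, 4 arm/arm64/...)
            if pad0 == 0 and pad1 == 0 and quantum in (1, 2, 4) and ptrsize in (4, 8):
                return off, generation
            start = off + 1
    return None


def go_build_id(blob: bytes):
    """Return the embedded Go build ID string, or None if the marker is absent."""
    m = BUILD_ID_RE.search(blob)
    return m.group(1).decode("ascii", "replace") if m else None


def classify(blob: bytes) -> dict:
    """Combine both indicators into a small verdict dict for a triage pipeline."""
    hit = find_pclntab(blob)
    build_id = go_build_id(blob)
    return {
        "is_go": hit is not None or build_id is not None,
        "toolchain": hit[1] if hit else None,
        "pclntab_offset": hit[0] if hit else None,
        "build_id": build_id,
    }


# Constructed sample (not a real binary): ELF-looking prefix, a build-ID marker,
# some padding, then a go1.18-style pclntab header for amd64 (quantum 1, ptrsize 8).
SAMPLE_GO = (
    b"\x7fELF" + b"\x00" * 60
    + b"\xff Go build ID: \"abc123/def456/ghi789/jkl012\"\n \xff"
    + b"\x90" * 16
    + struct.pack("<IBBBB", 0xFFFFFFF0, 0, 0, 1, 8) + b"\x00" * 32
)

# Constructed decoy: contains the go1.2 magic bytes but a non-zero pad byte,
# which is what a random 0xff run inside a non-Go binary would look like.
SAMPLE_NOT_GO = b"MZ" + b"\x00" * 30 + b"\xfb\xff\xff\xff\x01\x00\x01\x08" + b"\x00" * 16


if __name__ == "__main__":
    for name, blob in (("sample_go", SAMPLE_GO), ("sample_not_go", SAMPLE_NOT_GO)):
        print(name, classify(blob))
```

    Run it over a directory of quarantined droppers and the `toolchain` field alone is a useful pivot: a fleet of loaders all built with the same Go generation and sharing a build ID prefix is one campaign, whatever their file hashes say. The same idea extends to Rust (its panic strings and `core::` symbol fragments) and Nim (its runtime’s string and exception names), which is why “exotic” language choice buys less against analysts than against signatures written for yesterday’s loaders.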



    Microsoft Teams just got this new protection against phishing attacks

    Microsoft Teams has gained Defender ‘Safe Links’ phishing protection to protect users against potentially dangerous phishing URLs.

    The additional phishing protection in Teams is available for organizations using Defender for Office 365 to guard against phishing attacks that use weaponized URLs. While email is the standard medium for delivering phishing links, Teams usage exploded during the pandemic, making it an attractive target for phishing. As Microsoft outlined earlier this year as part of its ‘hybrid work’ messaging, time spent in Teams meetings grew 2.5 times globally between February 2020 and February 2021. Teams users now send 45 percent more chats per week on average, and 42 percent more chats per person after hours.

    “Safe Links in Defender for Office 365 scans URLs at the time of click to ensure that users are protected with the latest intelligence from Microsoft Defender. We’re super excited to announce that this capability is now generally available,” Microsoft says in a blog post.

    Given the massive shift to Teams chat and video over the past year, it’s sensible to make Safe Links — a feature of Defender for Office 365 since 2015 — available to the communications platform. Microsoft previewed the phishing protection feature for Teams in April.

    Safe Links click protection can scan links in Teams conversations, group chats, and channels. It does a real-time scan and verification of URLs at the time a user clicks the link. Each month Microsoft’s ‘detonation systems’ detect almost 2 million unique URL-based payloads created by attackers for phishing, and Microsoft blocks over 100 million phishing emails a month that carry these booby-trapped URLs.

    Microsoft scans URLs at the time they are clicked because, it explains, attackers have learned to send benign links that redirect post-click to avoid detection: a link that is clean when the message is scanned at delivery can point somewhere else by the time the user clicks it.

    “As detection technologies evolve to block malicious sites quicker, sending malicious links to users becomes less effective. So attackers evolve their attacks. Instead of sending malicious links to users, attackers now send benign links. Once the link has been delivered, the attacker redirects the link to a malicious site,” Microsoft notes. Admins enable Safe Links for Teams users by editing the Safe Links policy in the Microsoft 365 Defender portal; the settings are described in Microsoft’s Safe Links documentation.


    ANAO: Auditing not driving improvements in Commonwealth cybersecurity adherence

    The Australian National Audit Office (ANAO) has said it considers continued transparency through reporting to Parliament on cybersecurity risk to be a positive, but it remains concerned that this may not be enough to drive improvement.

    In documentation [PDF] prepared for the Joint Committee of Public Accounts and Audit (JCPAA), ANAO said it was clear that auditing and reporting alone have not driven improvement in compliance with the government’s cybersecurity policy. “Non-corporate Commonwealth entities have not been held to account for not meeting the mandatory cybersecurity requirements under PSPF Policy 10,” it wrote, in reference to Protective Security Policy Framework (PSPF) Policy 10, which is centred on safeguarding information from cyber threats. “The current framework to support responsible ministers in holding entities accountable within government is not sufficient to drive improvements in the implementation of mandatory requirements.”

    The JCPAA last year reviewed a pair of reports from ANAO and handed down a number of recommendations in its own report published in December. One of the recommendations asked ANAO to consider conducting an annual limited assurance review into the cyber resilience of Commonwealth entities. “The review should examine and report on the extent to which entities have embedded a cyber resilience culture through alignment with the ANAO’s framework of 13 behaviours and practices,” JCPAA asked. “The review should also examine the compliance of corporate and non-corporate entities with the Essential Eight mitigation strategies in the Information Security Manual and be conducted for five years, commencing from June 2022.”

    ANAO said implementing the recommendation poses a number of practical challenges from an audit perspective, the first being the cybersecurity risk concerns it expects the Australian Signals Directorate (ASD) to raise.

    “ASD has advised that a system-level report would pose cyber risks that it believes would be unacceptable. Given ASD is the technical expert, it is best placed to assess those risks and therefore difficult for the ANAO to take a different view,” it said.

    ANAO also considers the scope proposed in the recommendation challenging, given that only non-corporate Commonwealth entities are mandated to apply the PSPF. The fact that there are currently 98 non-corporate entities subject to the policy also creates a scope challenge. “The absence of assurance over material reported by entities to AGD in their self-assessments means that audit procedures would need to be conducted across the population of entities’ self-assessments (whole or risk-based sample) to assure accuracy,” ANAO added.

    It also said limited assurance procedures do not result in a report that informs Parliament about the actual implementation of cybersecurity requirements. “Current ANAO work in cybersecurity in both financial statements audits (IT controls) and in performance audits indicate that the ANAO is likely to find issues with the accuracy of self-assessments,” it wrote. “In the event that accuracy issues are found, the ANAO would conclude that the report could not be relied upon, but would not report on whether entities actually do meet the requirements of the PSPF.”


    Brazil creates cyberattack response network

    Brazil has created a cyberattack response network aimed at promoting faster response to cyber threats and vulnerabilities through coordination between federal government bodies. Created through a presidential decree signed on July 16, the Federal Cyber Incident Management Network will encompass the Institutional Security Office of the presidency as well as all bodies and entities under the federal government administration. Public companies, mixed-capital companies and their subsidiaries may become members of the network on a voluntary basis. The network will be coordinated by the Information Security Department of the Office of Institutional Security of the presidency, through the government’s Center for Prevention, Treatment and Response to Cybersecurity Incidents.

    The Digital Government Secretariat (DGS), which operates under the Special Secretariat for Management and Digital Government of the Ministry of Economy, will have a strategic role in the formation of the network. The DGS is the central body of SISP, the system used for planning, coordinating, organizing, operating, controlling and supervising the federal government’s information technology resources across more than 200 bodies.

    According to the DGS, the information sharing outlined in the decree that creates the network is expected to improve the articulation of SISP in terms of prevention of incidents, as well as actions required in a possible cyberattack. The Secretariat also implied that there is an expectation that public companies such as Dataprev, the government’s social security technology and information company, and Serpro, the federal data processing service, will join the initiative even though their participation is not compulsory.Having immediate knowledge about attacks as well as potential vulnerabilities being exploited will enable the Secretariat to alert other bodies to enforce the necessary containment measures, it noted, adding that another area of focus could include the development of guides and training to address the main issues identified by the network.Mentioning Brazil’s improvement in the latest Global Cyber Security Index by the United Nations, where Brazil rose 53 positions in the ranking from the 70th place in 2018 to the 18th position in 2021 – the best result across all of Latin America – digital government and management secretary Caio Mario Paes de Andrade noted the creation of the network will help the Brazilian federal government to further strengthen its role in confronting cyber threats.

    “The advancement of digital transformation must be accompanied by the protection of users and we have ensured this protection”, the secretary noted. “The network’s rationale is to further foster the culture of coordinated confrontation within the government, so that we can continue advancing on the issue of cyber security.”

    According to a survey released earlier this month, Brazilians are concerned about the security of their data. The survey found that fear of cyber attacks is high among Brazilian users, with 73% of respondents reporting having suffered some kind of digital threat, such as receiving fake messages from companies or having passwords stolen.


    Kaseya denies paying ransom for decryptor, refuses comment on NDA

    Software company Kaseya has denied paying a ransom for a universal decryptor after days of lingering questions about how the tool was obtained. On July 21, the company announced that a universal decryption tool had been obtained “from a third party” and that it was working with security company Emsisoft to help victims of the sprawling ransomware attack. On Monday, Kaseya released a statement denying rumors that it paid a ransom to REvil, the ransomware group that launched the attack. REvil initially released a ransom demand of $70 million but reportedly lowered it to $50 million before its entire operation went dark on July 13.

    “We are confirming in no uncertain terms that Kaseya did not pay a ransom — either directly or indirectly through a third party — to obtain the decryptor,” Kaseya’s statement said. “While each company must make its own decision on whether to pay the ransom, Kaseya decided after consultation with experts to not negotiate with the criminals who perpetrated this attack and we have not wavered from that commitment.” The statement goes on to address reports suggesting that its “continued silence on whether Kaseya paid the ransom may encourage additional ransomware attacks.”


    According to the statement, Emsisoft and Kaseya’s Incident Response team worked through the weekend providing the decryptor to some of the 1,500 victims affected by the attack, which included a major supermarket chain in Sweden, Virginia Tech University and the local government computers in Leonardtown, Maryland. 

    The company said it is encouraging any victims to come forward, adding that the tool “has proven 100% effective at decrypting files that were fully encrypted in the attack.”

    While the news of a universal decryptor was welcomed by hundreds of affected victims, some noted that there was a non-disclosure agreement that Kaseya was requiring companies to sign in exchange for the decryptor. CNN confirmed that Kaseya was requiring the non-disclosure agreement in order to gain access to the decryptor. Kaseya spokesperson Dana Liedholm and multiple cybersecurity companies involved told ZDNet they were unable to comment on the non-disclosure agreement.

    Former White House Chief Information Officer and cybersecurity expert Theresa Payton said non-disclosure agreements after attacks are more common than one would think, but noted that “asking for an NDA from victims is not an everyday, every incident practice.” “When a cyber incident impacts multiple victims in a supply chain attack, sometimes the legal counsel will ask victims to sign an NDA to ensure that the fix for the problem does not get disclosed publicly,” Payton said. Payton added that the reasons behind asking for a non-disclosure agreement are not always nefarious and urged companies to consult their lawyers before signing anything. “If the reason behind the NDA is to ensure that the 3rd party that provided the key is not disclosed and the manner in which the decryption is made available is not disclosed, then the NDA makes a lot of sense,” Payton told ZDNet. “We don’t want to tip our hands publicly to the cyber operatives behind any of the ransomware syndicates. We need to keep the nefarious cyber operatives guessing. If the NDA is not for that reason and is instead a legal maneuver to avoid lawsuits that is disappointing. Given the large impact, it is understandable why their legal counsel might recommend the NDA for legal protections.”

    Mark Kedgley, CTO at New Net Technologies, said it was an extremely rare set of circumstances, considering Kaseya is both the exploited vendor and the provider of the decryption kit. He added that the NDA “will help diminish further analysis and discussion of the attack.” “While you could see this would be desirable for Kaseya, it won’t further the cyber security community’s understanding of the breach,” Kedgley said.