  • Microsoft: These are the new privacy steps we're taking to protect your data

    Microsoft says it is the first company in the world to respond to recommendations by Europe’s privacy watchdogs following a decision by Europe’s top court over data being shipped to the US. 
    The Court of Justice of the European Union (CJEU) in July struck down the EU-US Data Privacy Shield, throwing into question how companies – in particular US tech giants, but also thousands of European businesses – would send data across to the US without contravening Europe’s General Data Protection Regulation (GDPR). 

    Julie Brill, Microsoft’s chief privacy officer, boasts that the maker of Windows 10, Office, and Azure is the first entity in the world to meet recommendations outlined by Europe’s data-protection heads last week. 
    “Today, we’re announcing new protections for our public sector and enterprise customers who need to move their data from the European Union, including a contractual commitment to challenge government requests for data and a monetary commitment to show our conviction,” said Brill. 
    “Microsoft is the first company to provide these commitments in response to last week’s clear guidance from data protection regulators in the European Union.”
    European privacy authorities, under the European Data Protection Board (EDPB), last week adopted several recommendations to reflect the so-called ‘Schrems II’ ruling. 
    “As a result of the ruling on July 16, controllers relying on Standard Contractual Clauses (SCCs) are required to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data in the third country, if the law of the third country ensures a level of protection of the personal data transferred that is essentially equivalent to that guaranteed in the European Economic Area (EEA),” the EDPB said.  

    “The CJEU allowed exporters to add measures that are supplementary to the SCCs to ensure effective compliance with that level of protection where the safeguards contained in SCCs are not sufficient.”
    US tech companies were forced to make significant adjustments to their terms with users and customers after Austrian lawyer and activist Max Schrems won a privacy lawsuit that he had filed against Facebook in 2013. He argued that information about Europeans sent to US servers could be used by US law enforcement. 
    He lodged the case after former National Security Agency (NSA) contractor Edward Snowden in 2013 showed that the agency was conducting mass surveillance on US citizens and foreigners through Google, Microsoft, Facebook and other tech giants. 
    Schrems’ lawsuit resulted in the CJEU in 2015 invalidating the EU-US Safe Harbor principle, which for 15 years permitted organizations to send data from Europe to the US. 
    The demise of Safe Harbor gave birth to the EU-US Privacy Shield, which came into effect in August 2016. But Schrems filed another lawsuit and in July the ECJ ruled that the new agreement too violated GDPR rules in what is referred to as the ‘Schrems II’ ruling. 
    Brill says Microsoft promises to contest all government requests for public-sector or enterprise customer data where it has a lawful reason to. 
    “This strong commitment goes beyond the proposed recommendations of the EDPB,” said Brill. 
    Microsoft also promises to “provide monetary compensation to these customers’ users if we disclose their data in response to a government request in violation of” GDPR. 
    “It shows Microsoft is confident that we will protect our public-sector and enterprise customers’ data and not expose it to inappropriate disclosure.”

  • Google is adding end-to-end encryption to its Android Messages app

    Google is upping the security for at least some of the conversations on its Messages app by adding end-to-end encryption.
    It will be rolling out end-to-end encryption on Messages, starting with one-on-one conversations between people using the Rich Communication Services-based version of the app.

    “End-to-end encryption ensures that no one, including Google and third parties, can read the content of your messages as they travel between your phone and the phone of the person you’re messaging,” the company explained.
    “We recognize that your conversations are private and it’s our responsibility to keep your personal information safe.”
    The end-to-end encryption will roll out to beta testers beginning this month and continue into next year, the company said, and eligible conversations will automatically upgrade to the new level of security. However, this encryption will only be available when both people in the conversation have Messages installed and chat features on.
    Google has been gradually rolling out RCS, the successor to SMS, which aims to bring to texting the same sorts of features you’d find in chat apps like Apple’s iMessage and WhatsApp.  

    The company has been working with device makers and mobile operators to encourage them to offer the richer features available as a result of the shift to RCS, like sending and receiving better-quality photos and videos, chatting over Wi-Fi or data, and knowing when your message has been read. The advertising giant said it has now completed the global rollout of chat features and that anyone using Messages should now have access to these additional features, either from their phone company or from Google.

  • Artificial intelligence could be used to hack connected cars, drones, warn security experts

    Cyber criminals could exploit emerging technologies including artificial intelligence and machine learning to help conduct attacks against autonomous cars, drones and Internet of Things-connected vehicles, according to a report from the United Nations, Europol and cybersecurity company Trend Micro.
    While AI and machine learning can bring “enormous benefits” to society, the same technologies can also bring a range of threats that can enhance current forms of crime or even lead to the evolution of new malicious activity.

    “As AI applications start to make a major real-world impact, it’s becoming clear that this will be a fundamental technology for our future,” said Irakli Beridze, head of the Centre for AI and Robotics at the United Nations Interregional Crime and Justice Research Institute. “However, just as the benefits to society of AI are very real, so is the threat of malicious use,” he added.
    In addition to super-powering phishing, malware and ransomware attacks, the paper warns that by abusing machine learning, cyber criminals could conduct attacks that could have an impact on the physical world.
    For example, machine learning is being implemented in autonomous vehicles to allow them to recognise the environment around them and obstacles that must be avoided – such as pedestrians.
    However, these algorithms are still evolving and it’s possible that attackers could exploit them for malicious purposes, to aid crime or just to create chaos. For example, AI systems that manage autonomous vehicles and regular vehicle traffic could be manipulated by attackers if they gain access to the networks that control them.

    By causing traffic delays – perhaps even with the aid of using stolen credit card details to swamp a chosen area with hire cars – cyber attackers could provide other criminals with extra time needed to carry out a robbery or other crime, while also getting away from the scene.
    The report notes that as the number of automated vehicles on the roads increases, the potential attack surface also increases, so it’s imperative that vulnerabilities and issues are considered sooner rather than later.
    But it isn’t just road vehicles that cyber criminals could target by exploiting new technologies and increased connectivity; there’s the potential for attackers to abuse machine learning to impact airspace too.
    Here, the paper suggests that autonomous drones could be of particular interest to cyber attackers – whether criminal or nation-state-backed – because they have the potential to carry ‘interesting’ payloads like intellectual property.
    Exploiting autonomous drones also provides cyber criminals with a potentially easy route to making money by hijacking delivery drones used by retailers and redirecting them to a new location – taking the package and selling it on themselves.
    Not only this, but there’s the potential that a drone with a single board computer could also be exploited to collect Wi-Fi passwords or breach routers as it goes about its journeys, potentially allowing attackers access to networks and any sensitive data transferred using them.
    And the report warns that these are just a handful of the potential issues that can arise from the use of new technology and the ways in which cyber criminals will attempt to exploit them.
    “Cybercriminals have always been early adopters of the latest technology and AI is no different. As this report reveals, it is already being used for password guessing, CAPTCHA breaking and voice cloning, and there are many more malicious innovations in the works,” said Martin Roesler, head of forward-looking threat research at Trend Micro.
    One of the reasons the UN, Europol and Trend Micro have released the report is in the hope that it’ll be seen by technology companies and manufacturers and that they become aware of the potential dangers they could face – and work to solve problems before they become a major issue.

  • Best VPN 2020: NordVPN, PureVPN, others with free VPN tiers

    Fundamentally, most VPNs (virtual private networks) provide two services: encrypting your data between two points and hiding the IP address (from which a general location can be derived) where you’re located. For those traveling or out and about, the first function was critical because most Wi-Fi available publicly is unencrypted — so anyone on the network could see what you were sending.

    But VPNs also serve to hide your IP address, replacing the address logged on servers with one in a completely different location — even a different country. For those worrying about stalking or other threats, this feature could save lives. Most consumers, though, find streaming VPN features compelling because — in some cases, and with dubious legality — it allows them to spoof their region of origin to get access to streaming media and sports blacked out from their home locale.
    There is no doubt that you should use a VPN when you’re using public Wi-Fi when away from home. But what about when you’re at home? Should you use a VPN then?
    My general advice is that it’s not critical for most people at home, since your ISP rarely wants to look at your traffic. But if you live in an apartment with a bunch of curious roommates all sharing one router, a VPN might prove valuable. If you’re connecting to work and want to make sure you’re taking all the precautions you can (and if your employer hasn’t given you a corporate VPN to use) a VPN service would be useful. If you’re connecting to websites that log connection information and you don’t want to leave tracks where you are (especially where your home is), you might want to use a VPN. You get the idea: If you want extra protection at home, then a VPN isn’t a bad idea.
    Now, let’s be clear. Using a VPN does add a bit of a load on your computer and can often slow down your connection. That’s because your data is encrypted, decrypted, and sent through intermediate servers. Game responsiveness might suffer. If you’re a first-person shooter player, you might have enough lag to lose the shot. That said, both computers and VPNs have gotten a lot faster. When I first used a VPN, every… thing…slowed… down… to… an… unbearable… c-r-a-w-l. But now, the negative impact is almost unnoticeable, and at least one service we spotlight below (Hotspot Shield) actually increased performance, making it one of the fastest VPNs we’ve seen.
    Also, most (but not all!) of the providers we spotlight limit the number of devices you can connect simultaneously, so you may have to pick and choose which home devices connect through a VPN.
    We’re also spotlighting paid services in this article, although some of them offer a free tier. I generally don’t recommend free VPN services because I don’t consider them secure. Think about this: Running a VPN service requires hundreds of servers across the world and a ton of networking resources. It’s boo-coo expensive. If you’re not paying to support that infrastructure, who is? Probably advertisers or data miners. If you use a free service, your data or your eyeballs will probably be sold, and that’s never a good thing. After all, you’re using a VPN so your data remains secure. You wouldn’t want to then have all that data go to some company to sift through — it completely defeats the purpose.
    Before we jump into our cornucopia of VPN services, I want to make it clear that no one tool can guarantee your privacy. First, anything can be hacked. But more to the point, a VPN protects your data from your computer to the VPN service. It doesn’t protect what you put on servers. It doesn’t protect your data from the VPN provider’s VPN servers to whatever site or cloud-based application you’re using. It doesn’t give you good passwords or multifactor authentication. Privacy and security require you to be diligent throughout your digital journey, and VPNs, while quite helpful, are not a miracle cure.
    In this article, we look at a bunch of our favorite VPN solutions. We’ll cover many of the best VPN service providers, how to access the native VPNs built into your desktop machine, and even how to use your NAS as a VPN client and host. If you’re curious about VPNs, you can learn a lot more in our massive VPN FAQ.
    We’ll also dig back into what makes VPNs tick and answer some more of your questions at the end of this article, so read on. But first, our picks for the best VPNs of 2020.
    Best VPN providers
    If you’re curious about how VPNs work or what a VPN provider can do for you, here’s a great VPN overview article. Now that you understand how a VPN service can help keep you safe, let’s kick it off with our list of recommended service providers.

    A top-rated VPN provider
    Simultaneous Connections: 5
    Kill Switch: Yes
    Platforms: A whole lot
    Logging: No browsing logs, some connection logs
    Countries: 94
    Locations: 160
    Trial/MBG: 30 days
    ExpressVPN is one of the most popular VPN providers out there, offering a wide range of platforms and protocols. Platforms include Windows, Mac, Linux, routers, iOS, Android, Chromebook, Kindle Fire, and even the Nook device. There are also browser extensions for Chrome and Firefox. Plus, ExpressVPN works with PlayStation, Apple TV, Xbox, Amazon Fire TV, and the Nintendo Switch. There’s even a manual setup option for Chromecast, Roku, and Nvidia Switch.
    With 160 server locations in 94 countries, ExpressVPN has a considerable VPN network across the internet. In CNET’s review of the service, staff writer Rae Hodge reported that ExpressVPN lost less than 2% of performance with the VPN enabled and using the OpenVPN protocol vs. a direct connection.
    While the company does not log browsing history or traffic destinations, it does log dates connected to the VPN service, amount transferred, and VPN server location. We do want to give ExpressVPN kudos for making this information very clear and easily accessible.

    Leak-free and unlimited connections
    Simultaneous Connections: Unlimited
    Kill Switch: Yes
    Platforms: Windows, Mac, Linux, iOS, Android, Fire TV, Firefox, Chrome
    Logging: None, except billing data
    Trial/MBG: 30 day
    At two bucks a month for a two-year plan (billed in one chunk), Surfshark offers a good price for a solid offering. In CNET’s testing, no leaks were found (and given that much bigger names leaked connection information, that’s a big win). The company seems to have a very strong security focus, offering AES-256-GCM, RSA-2048, and Perfect Forward Secrecy encryption. To prevent WebRTC leaks, Surfshark offers a special purpose browser plugin designed specifically to combat those leaks.
    Surfshark’s performance was higher than NordVPN and Norton Secure VPN, but lower than ExpressVPN and IPVanish. That said, Surfshark also offers a multihop option that allows you to route connections through two VPN servers across the Surfshark private network. We also like that the company offers some inexpensive add-on features, including ad-blocking, anti-tracking, access to a non-logging search engine, and a tool that tracks your email address against data breach lists.

    Interesting options to enhance VPN protection
    Simultaneous Connections: 6
    Kill Switch: Yes
    Platforms: Windows, Mac, iOS, Android, Linux, Android TV, Chrome, Firefox
    Logging: None, except billing data
    Countries: 59
    Servers: 5517
    Trial/MBG: 30 day
    NordVPN is one of the most popular consumer VPNs out there. Last year, Nord announced that it had been breached. Unfortunately, the breach had been active for more than 18 months. While there were failures at every level, NordVPN has taken substantial efforts to remedy the breach.
    In our review, we liked that it offered capabilities beyond basic VPN, including support of P2P sharing, a service it calls Double VPN that does a second layer of encryption, Onion over VPN which allows for TOR capabilities over its VPN, and even a dedicated IP if you’re trying to run a VPN that also doubles as a server. It supports all the usual platforms and a bunch of home network platforms as well. The company also offers NordVPN Teams, which provides centralized management and billing for a mobile workforce.
    Performance testing was adequate, although ping speeds were slow enough that I wouldn’t want to play a twitch video game over the VPN. To be fair, most VPNs have pretty terrible ping speeds, so this isn’t a weakness unique to Nord. Overall, a solid choice, and with a 30-day money-back guarantee, worth a try.

    Deep capabilities hidden in an easy-to-use app

    Simultaneous Connections: Unlimited
    Kill Switch: Yes
    Platforms: Windows, Mac, iOS, Android, Linux, Chrome, plus routers, Fire Stick, and Kodi
    Logging: None, except billing data
    Servers: 1,500 
    Locations: 75
    Trial/MBG: 30 day
    IPVanish is a deep and highly configurable product that presents itself as a click-and-go solution. I think the company is selling itself short doing this. A quick visit to its website shows a relatively generic VPN service, but that’s not the whole truth.
    Its UI provides a wide range of server selection options, including some great performance graphics. It also has a wide variety of protocols, so no matter what you’re connecting to, you can know what to expect. The company also provides an excellent server list with good current status information. There’s also a raft of configuration options for the app itself.
    In terms of performance, connection speed was crazy fast. Overall transfer performance was good. However, from a security perspective, it wasn’t able to hide that I was connecting via a VPN — although the data transferred was secure. Overall, a solid product with a good user experience that’s fine for home connections as long as you’re not trying to hide the fact that you’re on a VPN.
    The company also has a partnership with SugarSync and provides 250GB of encrypted cloud storage with each plan.

    Open source with a dedicated focus on security

    Simultaneous Connections: Depends on plan
    Kill Switch: Yes
    Platforms: Windows, Mac, iOS, Android, Linux, routers
    Logging: None, except billing data
    Countries: 54
    Servers: 1,077
    Trial/MBG: 30 day
    We really like the ProtonVPN story. The company was created by engineers and scientists who met at CERN (the European Center for Nuclear Research — where the Web was invented) with a focus on creating encrypted email and VPN communications with the idea of protecting the communication of activists and journalists. The company is also headquartered in Switzerland, which has very strong privacy laws.
    In terms of product, ProtonVPN has a belt-and-suspenders approach to security, layering strong protocols on top of perfect forward secrecy, on top of strong encryption. Not only does ProtonVPN have a kill switch, but it also has an always-on VPN, which attempts to restore VPN service if it’s dropped mid-communication. Finally, we like that all apps are open source and the company reports that they are independently audited. 
    Finally, the company offers a very generous free service, allowing one machine to connect at medium speed, but there doesn’t appear to be any limit to the amount of data used in the free plan.

    VPN service hosted on its own infrastructure

    Simultaneous Connections: 5
    Kill Switch: Yes
    Platforms: Windows, Mac, iOS, Android, QNAP, Synology, router, TV
    Logging: None, except billing data
    Servers: 700+ on their own infrastructure 
    Locations: 70
    Trial/MBG: 30 day
    Golden Frog, the company behind VyprVPN, claims to be “A company as old as the Internet itself,” yet its own about page says the company was founded in 2009. Apparently, the founders of Golden Frog were founding companies back in the 90s, and they conflated the two facts. I’m always a bit uncomfortable when a security company conflates facts.
    On the plus side, we like that Golden Frog owns and manages its own infrastructure and does not rely on hosting companies. VPN infrastructure is often a murky thing, with the VPN service providers renting time from available data centers in host countries.
    The company offers a huge array of client software, including apps for routers and even BlackBerry devices. Apps support key features like a kill switch, a zero-knowledge DNS service, and their own Chameleon VPN protocol for added security. The company’s no-log service was last audited in 2018, so they’re a bit overdue.
    Golden Frog, also registered in Switzerland, is a standout in their effort to provide privacy and thwart censorship. When China began its program of deep packet VPN inspection, Golden Frog’s VyprVPN service added scrambled OpenVPN packets to keep the traffic flowing.

    It’s Norton, a known and trusted brand. What else is there to say?
    Simultaneous Connections: Based on plan
    Kill Switch: Yes
    Platforms: Windows, Mac, iOS, Android
    Logging: None, except billing data
    Countries: Unspecified
    Locations: Unspecified
    Trial/MBG: 60 day
    We found performance is middle-of-the-road and platforms are limited to Mac, iOS, Windows, and Android. Don’t even think of using it on routers, Linux, or gaming platforms. Pricing is weirdly and unnecessarily tiered. The service raises its price by ten bucks when you jump from 1 device to 5, and another ten bucks when you jump to ten devices. Given the full ten simultaneous device package is a good deal at $59, it’s odd that it’s nickel-and-diming the lower tiers.
    We’re recommending Norton not as much because it’s a great VPN (it’s really kinda meh), but because it’s from a brand we’ve long come to know and trust. The company also offers live 24/7 phone support and a generous 60-day money-back guarantee, but oddly doesn’t promote the guarantee. The only place it’s mentioned is deep inside their refund policy document.

    Clear and understandable instructions

    Simultaneous Connections: 12
    Kill Switch: Yes
    Platforms: Windows, Mac, iOS, Android, Linux, Fire TV, Synology, Kindle, Kodi, and routers
    Logging: None, except billing data
    Countries: 30+
    Servers: 950+
    Trial/MBG: 30 day
    StrongVPN stands out because its setup, website, and support materials are clear and easy to understand. We found setup to offer just the right amount of explanation when we needed it.
    The fact that StrongVPN doesn’t log anything is a big win, but it’s offset a bit by the fact that our testing showed endpoints can tell you’re using a VPN. To be sure, data is nicely encrypted, but if you’re trying to hide the fact that you’re on a VPN, Strong isn’t for you. That said, it had solid performance, an excellent UI, and did the job. Plus, they recently upped the number of simultaneous connections from five to twelve. That’s nice to see. The company also includes 250 GB of SugarSync secure storage with all plans.

    Astonishing performance
    Simultaneous Connections: 5
    Kill Switch: Yes
    Platforms: Windows, Mac, iOS, Android, Linux, router, TV
    Logging: None, except billing data
    Countries: 80
    Locations: 115
    Trial/MBG: 45 days
    This is a company that has had some ups and downs in its coverage. That said, the company seems to have resolved its issues successfully. But I’m burying the lede for this story. Here’s what you need to know about Hotspot Shield: performance was astonishing.
    The company kept sending me bragging emails, claiming exceptional performance. Since reviewers often (always) get “we’re the best” emails, it’s something we ignore like the background noise it usually is. But then my editor challenged me to put Hotspot Shield to the test. And you know what? For most countries, while the VPN connection was active, it actually out-performed non-VPN connection speed. Go ahead and read my review. Surprised the heck out of me.

    A bundle of security features beyond VPN
    Simultaneous Connections: 7
    Kill Switch: Yes
    Platforms: All you’d expect and a lot more
    Logging: None, except billing data
    Countries: 89
    Servers: 6,381
    Trial/MBG: 45 days
    The CyberGhost client is more than a VPN connection driver. The company’s offering is a decently complete full security system, including ad-blocking, malicious website blocking, online footprint blocking (blocking cookies from dropping), and forced https redirect.
    With more than 6,000 servers deployed in 89 countries and 112 locations, CyberGhost has a larger number of servers than many of the other VPN providers we surveyed. Performance was adequate. It provided enough bandwidth to stream video and get your job done, but it certainly wasn’t a rocket. Also, if you’re trying to hide the fact that you’re using a VPN, you’ll want to look elsewhere. That said, for a solid overall security package, CyberGhost is a good option.

    31-day guarantee because sometimes that extra day matters
    Simultaneous Connections: 10
    Kill Switch: Yes
    Platforms: Windows, Mac, iOS, Android, Linux, and a lot more
    Logging: None, except billing data
    Countries: 140
    Servers: 2,000
    Trial/MBG: 31 day
    Most VPN providers license their international server presence from local providers all over the globe. PureVPN doesn’t. They own their own self-managed network of more than 2,000 servers in 140 countries. This allows the company to support its full range of protocols (OpenVPN, L2TP/IPSec, SSTP, and IKEv2). It also offers PPTP, but it’s so porous, you probably shouldn’t use it.
    Given the tough times due to the novel coronavirus, PureVPN has sent its support folks home, but they’re up and running providing 24/7 support from the safety of sheltering in place. So even though business isn’t as usual, PureVPN has, like many companies, routed around the problem using internet technology to keep connected. We also like the 31-day money-back guarantee and the support for a wide range of devices, including Kodi, Roku, and Boxee boxes.

    A tremendous number of servers

    Simultaneous Connections: 10
    Kill Switch: Yes
    Platforms: Windows, Mac, iOS, Android, Linux, Chrome, Firefox, Opera
    Logging: None, except billing data
    Countries: 76
    Servers: 17,605
    Trial/MBG: 30 day
    One of the more interesting aspects of Private Internet Access is the wealth of payment options the company offers. Sure, you can pay by credit card. But you can also pay with cryptocurrencies including BitcoinCash, Bitcoin, Zcash, Ethereum, and Litecoin. If you’re not all up on the crypto-craze but still don’t want to leave a record of your payment, you can use over 100 brands of gift cards, including those from Best Buy, GameStop, Home Depot, Lowes, Target, and Walmart.
    The company supports a good range of protocols and you can use it on your customized DD-WRT router. We do like the quick setup and the included ad, malware, and tracker blocker, and unlimited bandwidth is always appreciated.

    Relative newcomer that keeps improving each time we look at them
    Simultaneous Connections: Unlimited
    Kill Switch: Yes
    Platforms: Windows, Mac, iOS, Android, Android TV, Linux, Chrome, routers
    Logging: None, except billing data
    Countries: Unspecified
    Locations: Unspecified
    Trial/MBG: 30 day
    Here’s the thing about Goose VPN. It’s called “goose VPN.” That’s nearly irresistible for a writer. When I asked, I was told geese make excellent guard animals, having performed guard duty in ancient Rome, an Air Defense Command base in Germany, and a brewery in Scotland. Hence Goose VPN, where the goose is the mascot for a service that guards your Internet access.
    When I first started talking to the folks at Goose VPN a few years ago, they didn’t offer a kill switch and only had clients for the Big Four. But, as time went on, they’ve been adding features and capabilities regularly and their offering is now a nice, robust system. Unfortunately, since the last time we looked at them, the company ditched its lifetime plan. Now, they offer yearly plan durations similar to their competitors. Finally, the company offers a reasonable 30-day money-back guarantee.
    Native VPN support on your desktop
    If you’re connecting to a corporate VPN, you may not need to purchase a VPN service. All the major desktop operating systems include VPN capabilities. Here’s how to get started using those.

    Connect to a corporate VPN with Apple
    If you’re connecting to an existing corporate virtual private network, you may not need an additional service. MacOS comes with native VPN support built right in.
    Apple provides VPN support for High Sierra, Mojave, Catalina, and now Big Sur. Just pop open System Preferences, head over to the Network tab, and either import the configuration file you were provided or hit the plus button and add a VPN interface. Here’s a handy tip sheet from Apple that will walk you through the process.

    Connect to a corporate VPN with Microsoft

    If you’re connecting to an established corporate VPN, all you need to do is add a new Windows 10 VPN connection. Point your mouse at the Start menu, hit Settings, then Network & Internet, and then VPN. Make sure you have the connection details provided by work and then click on Add a New VPN Connection. Fill in the form and you’re good to go. Here’s a handy tip sheet from Microsoft.
    Windows 10 also allows you to host a VPN server by creating a new incoming network connection, choosing the users who can connect, and telling Windows that the incoming connection is across the internet. You’ll also have to configure your router to allow traffic to your computer. PureInfoTech has a helpful guide for setting it all up.

    Connect your laptop with Google

    Sadly, this simple solution isn’t built into the standard Chrome browser. If you’re just using the browser on a Mac or Windows machine, you’ll need a different solution. 
    That said, if you’re rocking a Chromebook, all you need to do is open Settings and then Network. Click Add Connection. Then all you need to do is choose between OpenVPN and L2TP over IPSec. Google has a handy cheat sheet right here to guide you through the process. 

    Another reason to love open source
    WireGuard is Linux’s new baked-in VPN capability. Its code is relatively simple and small, making it far easier to maintain, test, and debug. Linus Torvalds, Mr. Linux himself, calls WireGuard “a work of art.”
    Also: Linux’s WireGuard VPN is here and ready to protect you
    So what do you need to set up WireGuard? More and more of the VPNs we spotlighted support WireGuard right out of the box. You can download it for Linux. But you can also download a package for Windows, Mac, iOS, Android, and FreeBSD. It’s like most open source products, in that you’ll need to do some reading and thinking to make it work. But it’s free, solid, safe, and, as Linus says, “Can I just once again state my love for it.” 
    VPN for your whole home network
    Many of the commercial VPN services discussed above offer router-based VPN solutions. Even though I have a pretty powerful router, I prefer to run my VPN on my NAS. Here are two NAS-based VPN solutions that will get you connected securely.

    Built-in VPN app on the NAS

    If you have a NAS like the top-reviewed Synology, you may already have a NAS app you can set up and protect your whole home network. The Synology server has a very capable little VPN built-in, and it’s available free to anyone with the NAS.
    If you want to go a step further and use some Synology-exclusive VPN services like Synology SSL VPN, clientless WebVPN, and remote desktop, as well as a site-to-site VPN service, you can do so using the Synology router I reviewed last year. That service is called VPN Plus and it normally costs $9.99 per concurrent user. But because of COVID-19, Synology’s offering free VPN Plus between now and September.

    A mini-FAQ about VPNs
    I answered a bunch of common questions above our big list of the best VPNs for 2020. But here’s a quick lightning round of questions and answers about VPNs, just to round out your knowledge.
    Do VPN providers limit usage? Some do. Check when you sign up. For non-free plans, none of the providers we recommended limit the amount of data you can use. But almost all limit how many devices you can use at once.
    What does logging really mean? Logging is the recording of data about your usage and it occurs everywhere. Every website, at minimum, records an IP address, time, and data accessed so they can track traffic. All VPN providers have to check credentials against recorded personal data to make sure you paid, but a few let you sign up with Bitcoin, allowing you to completely hide your identity. When we say a VPN doesn’t log data, we mean they don’t track what sites you visit and for how long, but they may track how much of their own infrastructure you use.
    Is it legal to use a VPN? Yes, in most countries. Some countries (and you should read my guide for more in-depth info) have made VPN use illegal. And even in countries where it’s legal, it’s likely to be illegal to use a VPN to spoof a streaming service into giving you content that otherwise wouldn’t be accessible. Plus…
    Can I use a VPN to get free Netflix or watch a blacked-out sports event? Sometimes, but it’s likely illegal and probably fattening. There’s an ongoing arms race where the media vendors are getting better at identifying and blocking VPN connections, so each case is different. And that’s all we can say about it, because… illegal.
    If I have a VPN to my office, do I need a VPN service? The VPN to your office will secure your link to your office. If you want to secure your link to anywhere else, you’ll need a VPN service.
    Should I use a VPN on my phone or tablet? If it’s your data and you want it to be secure, yes. The same choices are valid regardless of what kind of device you use to transmit and receive data over the Internet.
    What’s this kill switch thing? So let’s say you’re surfing along and all of a sudden your VPN connection fails. Your phone or computer is likely to immediately try to reconnect and do so directly, without going through a VPN. All of a sudden your data is unprotected. A kill switch is a feature in your device’s VPN app that detects that connection fail and immediately shuts down network access. Like with everything, it’s not a 100% perfect solution, but these days, I wouldn’t recommend using a VPN that doesn’t offer a kill switch.
    What do simultaneous connections mean and why should I care? I’ll give you a personal example. When I travel, I often take my laptop and my tablet. I use the laptop to write and I use the tablet as a second screen to look stuff up. I have two connections I’m using at once and I want my VPN to protect both. If my wife is also doing the same thing, that’s four connections. Add our phones and you have six connections. If we’re using all those devices at once that’s simultaneous connections. The more the better.
    What about all those weird protocol words? If you’ve been shopping for a VPN service, you’ve undoubtedly come across a bunch of names like SSL, OpenVPN, SSTP, L2TP/IPSec, PPP, PPTP, IKEv2/IPSec, SOCKS5, and more. These are all communication protocols. They are, essentially, the name of the method by which your communication is encrypted and packaged for tunneling to the VPN provider. To be honest, while VPN geeks can argue over protocols for hours, you’re probably good enough if you just use the default set up by your provider.
    How to choose
    I could write an entire article about how VPNs work and how to choose, and, in fact, I did. Rather than repeating it all here, I’m just going to point you to How to find the best VPN service: Your guide to staying safe on the internet.
    Our process
    This list did not involve as much original research and testing as some of my other recommendation lists. That’s because I’ve been writing VPN articles every month or so since early 2017. I have looked at a lot of VPN providers.
    Many of the providers recommended in this list have been subject to in-depth testing and reviews, written either by me or by CNET’s product evaluation team. (See: The best VPN services for 2020.) For those, we have tangible testing numbers. Other VPNs have been ones we’ve been talking about for years, spoken with their management and their users, and have developed a generally positive impression.

    A few of the VPNs (Hotspot Shield, in particular) had a more rocky road. They had some tough PR at the beginning and made some seemingly ludicrous claims about speed. It wasn’t until I brought them in house and pounded on them for a few weeks that I realized that their claims were justified. Sometimes, products just surprise you.
    But here’s the thing: All these vendors have solid money-back guarantees and we would not have recommended them otherwise. We do test VPN services from multiple locations, but we can’t test from all locations. Every home, every community, every local ISP, and every nation has a different infrastructure. It’s essential that once you choose, you test for all your likely usage profiles, and only then make the decision to keep the service or request a refund.
    One thing to consider is whether you’re looking for a solution for working at home vs. traveling. For example, if you travel rarely (even before COVID-19), have strong bandwidth at home, and have a NAS or a server box, you might want to VPN to your home server from your machine’s native client, and then out to the world. If you’re newly home for the duration and your company has a dedicated VPN, you’ll want to use whatever process they’ve set out for you.
    But, generally speaking, it doesn’t hurt to have a VPN provider already set up and in your kit bag. Most home-based traffic won’t require VPN usage, but if you’re on any sort of shared connection, having a VPN provider is a good idea. Also, if you ever think you’ll need to access the Internet from out and about — like a hospital or doctor’s office, then having a VPN provider can be a win. Likewise, if you want to obscure where you’re connecting from (this might be more important now that we’re always in the same place all day), a VPN provider might help.
    Finally, don’t expect miracles. Your home-based pandemic broadband pipes are likely to be more clogged than ever before. Everyone is at home, many people are streaming movies to stay sane, and there are only so many bits that can fit at any given time. If you experience traffic slowdowns, be sure to check not only your VPN, but your Wi-Fi connection between your device and your router, your connection to your broadband provider, and even their connection to upstream providers.
    That said, we’re all in this together. Hang in there and stay safe. How are you managing your home-based networking? Let us know in the comments below.
    You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.


  • in

    Singapore investigating claims Muslim app developer sold user data to US military

    Singapore is investigating claims that local-based mobile app, Muslim Pro, has sold “granular location data” to the US military. Clocking more than 98.5 million downloads worldwide, the popular prayer tracking app has denied the allegations, saying it shares only anonymised data with its partners.
    The Personal Data Protection Commission (PDPC) confirmed it was investigating the allegations and had asked for more information from the developer of Muslim Pro, Bitsmedia. The regulator told local media: “We remind users to also be mindful of the type of permissions and personal data they provide and how it may be used. If in doubt, users should not download or use any application.”
    Founded in 2009, the Singapore-based Bitsmedia has offices in Malaysia and Indonesia. Its Muslim Pro app tracks prayer times and shows the direction to Mecca, amongst other features, and has been downloaded by users across 200 countries, according to its website. 

    Earlier this week, the app was reported to have sold granular location data to X-Mode, a US third-party data aggregator that sells its services to customers, which had included US defence contractors. US-Canadian news outlet Vice Media broke the news in its report, stating that Muslim Pro was amongst other mobile apps that had sold data to the US military and that had included timestamps, phone model details, and the name of the Wi-Fi network to which the phone was connected. 
    Bitsmedia has denied the allegations, publishing two statements on Tuesday and Thursday and dismissing the report as “incorrect and untrue”. 
    Noting that it was in compliance with global data privacy laws and regulations such as the EU’s GDPR (General Data Protection Regulation) and California Consumer Privacy Act (CCPA), Bitsmedia said it “collect, process, and use information” that its users made available to the developer when accessing its app to “improve our service” and facilitate “research and development”  (R&D) work for its app. 
    It said this might include analysing data to better understand user behaviours, so it could “improve the overall functionality” of its service. It added that location data was used for prayer times calculation and facilitated planning and designing features, as well as for improving the overall user experience.

    The app developer also insisted it did not share any sensitive personal information, such as name, phone number, and email. “Any data shared with partners is anonymised, which means that our data is not attributed to any particular individuals,” it said.
    “We apply industry-standard security arrangements and protective measures and select leading technology partners to keep our data safe and secure on our cloud infrastructure. We have also been open and transparent about the personal information we collect, store, and process.”
    While it had refuted Vice Media’s claims, Bitsmedia said it had terminated all relationships with its data partners, including X-Mode, “effective immediately”.
    It said it collaborated with “selected technology partners” to improve the quality of its app and shared data with its partners for “common purposes such as advertising”, which it noted was its main source of revenue. It said it did so “in full compliance” with all relevant laws and implemented “strict data governance policy” to safeguard its users’ data. 
    According to the app developer, it worked with third parties such as social media networks and data analytics companies, and shared data with the consent of its users. 
    It also noted that, aside from its Community section, features provided in Muslim Pro are made available without users having to sign in to the app. “This contributes to the anonymity of data we collect and process,” it said.
    Should it be found to have breached Singapore’s Personal Data Protection Act (PDPA), Bitsmedia could face financial penalties of up to 10% of its annual turnover or SG$1 million ($735,490), whichever was higher. 
    Singapore just this month updated the data protection legislation to allow local businesses to use consumer data without prior consent for some purposes, such as business improvement and research. The amendments also allowed for harsher financial penalties to be meted out for data breaches, above the previous cap of SG$1 million. 
    In his speech discussing the amendments, Singapore’s Communications and Information Minister S. Iswaran said data was a key economic asset in the digital economy as it provides valuable insights that inform businesses and generate efficiencies. It also would empower innovation and enhance products, and be a critical resource for emerging technologies such as artificial intelligence (AI) that hold transformative potential, Iswaran said. 
    Amongst the key changes in the PDPA is the “exceptions to the consent” requirement, which now allows businesses to use, collect, and disclose data for “legitimate purposes”, business improvement, and a wider scope of research and development. In addition to existing consent exceptions that include for the purposes of investigations and responding to emergencies, these also now include efforts to combat fraud, enhance products and services, and carry out market research to understand potential customer segments. 
    In addition, further amendments defined under “deemed consent” to PDPA will now permit organisations to share data with external contractors for the purpose of fulfilling customer contracts. This caters to “modern commercial arrangements” and essential purposes including security.
    Businesses will also be able to use data without consent to facilitate R&D that might not yet be marked for productisation. All other purposes outside of “deemed” and “exceptions” to consent, such as direct marketing messages, will still require prior consent from consumers. 
    The PDPC last year investigated 185 cases involving data breaches and issued 58 decisions. It ordered 39 organisations to pay SG$1.7 million in penalties, including the highest fines of SG$750,000 and SG$250,000, which were meted out to Integrated Health Information Systems and Singapore Health Services, respectively. 

  • in

    The malware that usually installs ransomware and you need to remove right away

    Gone are the days when ransomware groups operated by launching mass email spam campaigns in the hopes of infecting random users across the internet.
    Today, ransomware operators have evolved from a niche of clumsy malware gangs into a series of complex cybercrime cartels with the skills, tools, and budgets of government-sponsored hacking groups.
    Nowadays, ransomware gangs rely on multi-level partnerships with other cybercrime operations. Called “initial access brokers,” these groups operate as the supply chain of the criminal underground, providing ransomware gangs (and others) with access to large collections of compromised systems.
    Consisting of hacked RDP endpoints, backdoored networking devices, and malware-infected computers, these systems allow ransomware gangs to easily gain access to corporate networks, escalate their access, and encrypt files to demand huge ransoms.
    These initial access brokers are a crucial part of the cybercrime scene. Today, three types of brokers stand out as the sources of most ransomware attacks:
    Sellers of compromised RDP endpoints: Cybercrime gangs are currently carrying out brute-force attacks against workstations or servers configured for remote RDP access that have also been left exposed on the internet with weak credentials. These systems are later sold on so-called “RDP shops” from where ransomware gangs often select systems they believe might be located inside the network of a high-value target.
    Sellers of hacked networking devices: Cybercrime gangs are also using exploits for publicly known vulnerabilities to take control of a company’s networking equipment, such as VPN servers, firewalls, or other edge devices. Access to these devices and the internal networks they protect/connect is sold on hacking forums or to ransomware gangs directly.
    Sellers of computers already infected with malware: Many of today’s malware botnets will often comb through the computers they infect for systems on corporate networks and then sell access to these high-value systems to other cybercrime operations, including ransomware gangs.
    Protecting against these three types of initial access vectors is often the easiest way of avoiding ransomware.
    However, while safeguarding against the first two typically involves practicing good password policies and keeping equipment updated, the third vector is harder to protect against.

    This is because malware botnet operators often rely on social engineering to trick users into installing malware on their systems themselves, even if computers are running up-to-date software.
    This article focuses on the known malware strains that have been used over the past two years to install ransomware.
    Compiled with the help of security researchers from Advanced Intelligence, Binary Defense, and Sophos, the list below should serve as a “code red” moment for any organization.
    Once any of these malware strains are detected, system administrators should drop everything, take systems offline, and audit and remove the malware as a top priority.
    ZDNet will keep the list up to date going forward.

    Emotet is considered today’s biggest malware botnet.
    There are few cases where Emotet has dealt with ransomware gangs directly, but many ransomware infections have been traced back to initial Emotet infections.
    Usually, Emotet sold access to its infected systems to other malware gangs, which later sold their own access to ransomware gangs.
    Today, the most common ransomware infection chain linked back to Emotet is: Emotet—Trickbot—Ryuk

    Trickbot is a malware botnet and cybercrime operation similar to Emotet. Trickbot infects its own victims but is also known to buy access to Emotet-infected systems in order to boost its numbers.
    Over the past two years, security researchers have seen Trickbot sell access to its systems to cybercrime gangs that later deployed Ryuk, and later the Conti ransomware.
    Trickbot—Conti
    Trickbot—Ryuk

    BazarLoader is currently considered to be a modular backdoor developed by a group with links to, or that spun off from, the main Trickbot gang. Either way, regardless of how they came to be, the group is following Trickbot’s model and has already partnered with ransomware gangs to provide access to the systems they infect.
    Currently, BazarLoader has been seen as the origin point for infections with the Ryuk ransomware [1, 2, 3].
    BazarLoader—Ryuk

    QakBot, Pinkslipbot, Qbot, or Quakbot is sometimes referred to inside the infosec community as the “slower” Emotet because it usually does what Emotet does, but a few months later.
    With the Emotet gang allowing its systems to be used to deploy ransomware, QakBot has also recently partnered with different ransomware gangs. First with MegaCortex, then with ProLock, and currently with the Egregor ransomware gang.
    QakBot—MegaCortex
    QakBot—ProLock
    QakBot—Egregor

    SDBBot is a malware strain operated by a cybercrime group referred to as TA505.
    It’s not a common malware strain but has been seen as the origin point of incidents where the Clop ransomware was deployed.
    SDBBot—Clop

    Dridex is yet another banking trojan gang that has reorganized as a “malware downloader,” following the examples set by Emotet and Trickbot in 2017.
    While in the past the Dridex botnet used spam campaigns to distribute the Locky ransomware to random users across the internet, for the past few years it has also been using computers it has infected to drop either the BitPaymer or the DoppelPaymer ransomware strains for more targeted attacks against high-value targets.
    Dridex—BitPaymer
    Dridex—DoppelPaymer

    A late arrival to the “install ransomware” game, Zloader is catching up fast and has already established partnerships with the operators of Egregor and Ryuk ransomware strains.
    If there’s one malware operation that has the ability and connections to expand, this is it.
    Zloader—Egregor
    Zloader—Ryuk

    Buer, or Buer Loader, is a malware operation that launched late last year, but has already established a reputation and connections in the cybercrime underground to partner with ransomware groups.
    Per Sophos, some incidents where the Ryuk ransomware has been discovered have been linked back to Buer infections days before.
    Buer—Ryuk

    Phorpiex, or Trik, is one of the smaller malware botnets, but no less dangerous.
    Infections with the Avaddon ransomware seen earlier this year have been linked to Phorpiex. Although neither Avaddon nor Phorpiex are common names, they should be treated with the same level of attention as Emotet, Trickbot, and the others.
    Phorpiex—Avaddon

    CobaltStrike is not a malware botnet. It’s actually a penetration testing tool developed for cyber-security researchers that is also often abused by malware gangs.
    Companies don’t get “infected” with CobaltStrike. However, many ransomware gangs deploy CobaltStrike components as part of their intrusions.
    The tool is often used as a way to control multiple systems inside an internal network and as a precursor to the actual ransomware attack.
    Many of the infection chains listed above are actually [MalwareBotnet]—CobaltStrike—[Ransomware], with CobaltStrike usually serving as the most common intermediary bridging the two.
    We included CobaltStrike on our list at the request of our sources, who consider it as dangerous as a de-facto malware strain. If you see it on your network and you’re not running a penetration test, then stop everything you’re doing, take systems offline, and audit everything for an attack’s entry point.

  • in

    FireEye surges as investment firm Blackstone takes $400 million investment, board seat

    Shares of cloud-based security provider FireEye shot up almost 10% in late trading Thursday evening after the company announced that private equity firm Blackstone Group is making a $400 million investment in the company and taking a board seat.
    FireEye announced in a separate press release that it will buy four-year-old security startup Respond Software of Mountain View, Calif., for $186 million in cash and stock.
    New York-based Blackstone, one of the most powerful private equity firms in the world, with a market cap of $67 billion or so, is teaming up with venture capital firm ClearSky Power & Technology Partners, based in Juno Beach, Florida, to buy $400 million worth of convertible stock in FireEye. 
    The duo will purchase “shares of a newly designated 4.5% Series A Convertible Preferred Stock of FireEye,” said FireEye, “with a purchase price of $1,000 per share.” 
    The Series A Preferred will be convertible into shares of FireEye’s common stock at a conversion price of $18.00 per share, the company said.
    A senior managing director at Blackstone, Viral Patel, will take a seat on FireEye’s board, the company said. 
    Said Patel, “Blackstone and FireEye have a shared vision of the unique role FireEye can play in addressing the increasingly sophisticated cyber security challenges their customers face.”

    “We are excited to partner with the company’s board and management to accelerate execution on their vision.”
    Also: FireEye Q3 results beat expectations, raises year view, shares jump 6%
    Proceeds of the convertible offering will be put toward the purchase of Respond, the company said, as well as “increased investment to accelerate the growth of the company’s cloud, platform and managed services portfolio,” it said.
    Respond makes software in the class known as “eXtended Detection and Response,” or XDR. 
    As FireEye describes it, the software “accelerates cyber investigation and response by automating the correlation of multi-sourced attack evidence using cloud-based data science models that ingest data from a comprehensive set of security technologies.”
    FireEye said the “will become a key part of the Mandiant Advantage platform, bringing vendor-agnostic XDR and investigation capabilities that integrates with any customer environment.”
    Tonight’s announcement follows an upbeat earnings report by FireEye three weeks ago, in which the company beat Wall Street’s quarterly revenue and profit expectations, and raised its year forecast above expectations as well.
    FireEye management is hosting a conference call with analysts this evening at 5 pm to discuss the deal, and you can catch it on the company’s investor relations Web site.
    Shares of Mandiant are up almost 10% in late trading at $15.65.

  • in

    Facebook Messenger bug could have allowed hackers to spy on users

    Facebook has fixed a major security bug today in its Messenger for Android app that could have allowed attackers to place and connect Messenger audio calls without the callee’s knowledge or interaction.

    The vulnerability, which could have been abused to spy on Facebook users via their Android phones, was found during a security audit by Natalie Silvanovich, a researcher working for Google’s Project Zero security team.
    In a bug report made public today, Silvanovich said the bug resided in the WebRTC protocol that the Messenger app is using to support audio and video calls.
    More specifically, Silvanovich said the problem resided in the Session Description Protocol (SDP), part of WebRTC. This protocol handles session data for WebRTC connections, and Silvanovich discovered that an SDP message could be abused to auto-approve WebRTC connections without user interaction.
    “There is a message type that is not used for call set-up, SdpUpdate,” Silvanovich explained. “If this message is sent to the callee device while it is ringing, it will cause it to start transmitting audio immediately, which could allow an attacker to monitor the callee’s surroundings.”
    Exploiting the bug takes a few seconds, according to Silvanovich’s bug report.
    The Google researcher reported the issue to Facebook last month, and the social media giant patched it today in an update to its Messenger for Android app.
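
    The class of flaw described above, a signalling message honoured before the callee has answered, can be shown with a toy callee-side state machine. This is an added example, not Messenger's code: only the message name SdpUpdate comes from the bug report, while the states, the other message names and the Callee class are hypothetical.

```javascript
// Added illustration: a toy callee-side call-signalling state machine.
// Only "SdpUpdate" is taken from the article; every other name is hypothetical.

const State = Object.freeze({
  IDLE: "IDLE",
  RINGING: "RINGING",     // incoming call shown, user has not answered yet
  CONNECTED: "CONNECTED", // user explicitly accepted the call
});

class Callee {
  // enforceConsent=false models the missing state check described in the report;
  // enforceConsent=true models a handler that refuses the message until the
  // user has answered.
  constructor(enforceConsent) {
    this.enforceConsent = enforceConsent;
    this.state = State.IDLE;
    this.transmittingAudio = false;
    this.dropped = []; // rejected messages, kept for logging and telemetry
  }

  // Local user action: the only event that should ever enable the microphone.
  userAccepts() {
    if (this.state !== State.RINGING) return false;
    this.state = State.CONNECTED;
    this.transmittingAudio = true;
    return true;
  }

  // Signalling message from the remote, untrusted peer.
  onMessage(msg) {
    switch (msg.type) {
      case "Offer":
        if (this.state !== State.IDLE) return this.drop(msg, "call already active");
        this.state = State.RINGING;
        return true;
      case "SdpUpdate":
        if (this.state === State.IDLE) return this.drop(msg, "no call in progress");
        if (this.enforceConsent && this.state !== State.CONNECTED) {
          return this.drop(msg, "SdpUpdate before user accepted");
        }
        // Applying the updated session description (re)starts media.
        this.transmittingAudio = true;
        return true;
      case "Hangup":
        this.state = State.IDLE;
        this.transmittingAudio = false;
        return true;
      default:
        return this.drop(msg, "unknown message type");
    }
  }

  drop(msg, reason) {
    this.dropped.push({ type: msg.type, state: this.state, reason });
    return false;
  }
}

// Invariant worth asserting in tests and telemetry: audio is only ever
// transmitted once the user has accepted the call.
function consentInvariantHolds(callee) {
  return !callee.transmittingAudio || callee.state === State.CONNECTED;
}

// Feed a message sequence to a fresh callee and return its final state.
function replay(enforceConsent, messages) {
  const callee = new Callee(enforceConsent);
  for (const m of messages) callee.onMessage(m);
  return callee;
}

// Constructed sample input: an update arrives while the phone is still ringing.
const RINGING_UPDATE = [{ type: "Offer" }, { type: "SdpUpdate" }];

for (const enforce of [false, true]) {
  const c = replay(enforce, RINGING_UPDATE);
  console.log(
    `enforceConsent=${enforce} state=${c.state} ` +
    `audio=${c.transmittingAudio} invariant=${consentInvariantHolds(c)}`
  );
}
```

    The dropped list is the useful part for defenders: a session-update message arriving in the ringing state is never legitimate in this model, so each entry is a signal worth logging.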

    “This report is among our three highest bug bounties at $60,000, which reflects its maximum potential impact,” Facebook said today.
    In a Twitter message, Silvanovich said Facebook awarded her a $60,000 bug bounty for reporting the issue, which the Google researcher chose to donate to GiveWell, a non-profit that coordinates charity activities for maximum funds usage.

    In previous years, Silvanovich also found and reported similar issues in other instant messaging applications, one of her areas of expertise.
    In October 2018, she found a bug in WhatsApp for Android and iOS that would have allowed attackers to take over the app after a user answered a video call.
    In July 2019, Silvanovich found four interactionless bugs in the iOS iMessage app. In the same month, she also discovered a fifth iMessage bug that could have been used to brick iPhones.