    Accellion to retire product at the heart of recent hacks

    US cloud service provider Accellion has announced the end-of-life for its FTA product after the software was abused in attacks that, since December 2020, have breached dozens of companies and government agencies across the world.

    Developed in the early 2000s, Accellion’s FTA was among the first products of its kind to provide a simple way to share large files.
    Created long before the age of cloud-based products like Box, Dropbox, Google Drive, and OneDrive, companies would buy an FTA license, install the software on their own servers, and use it to allow employees and customers to store and share large files that couldn’t be sent via email.
    While Accellion eventually developed better products, such as Kiteworks, which superseded FTA in features and security, many FTA appliances remained in use across thousands of companies and government organizations across the world, even to this day.
    The FTA zero-day and subsequent attacks
    And as the FTA code aged, security researchers also began finding vulnerabilities in the appliance, most of which were privately reported to the company and fixed before any damage could be done to its customers.
    But in December last year, the person who found one of these bugs was a threat actor who began exploiting FTA appliances installed across the world.
    The first case of an FTA-linked hack was reported by the Reserve Bank of New Zealand and then followed by other cases at the Australian Securities and Investments Commission (ASIC), law firm Allens, the University of Colorado, the Washington State Auditor Office, and this week, at the QIMR Berghofer Medical Research Institute and Singtel, Singapore’s largest telco.

    According to a report from Guide Point Security, the attacker(s) appears to have been using an SQL injection to install a web shell and use this initial access to steal files stored on the FTA appliance.
    In a press release [PDF] published on January 11, Accellion said it knew about the attacker’s zero-day vulnerability since mid-December 2020 and had responded by releasing an FTA firmware update within three days of the first attacks.
    At the time, Accellion said that, based on its data, fewer than 50 FTA customers appeared to have been attacked, but critics now believe the company was being too optimistic in its assessment.
    But the team behind infosec podcast Risky Business also noted that the software vendor failed to inform its customers. Besides releasing patches on Christmas Eve, when most IT staffers were away, Accellion didn’t publish patch notes for its firmware update, nor did it assign CVE security bug identifiers to the vulnerabilities it patched.
    When IT staff returned from their winter holidays, many didn’t even know that a crucial firmware update was waiting to be applied for days.
    Accellion announces official EOL for FTA appliances
    Now, the Palo Alto-based company is seeing an ever-increasing fallout from the December 2020 attacks. Every time a new FTA-related hack is discovered and exposed, the company’s reputation takes a hit.
    Last week, a Seattle law firm filed the first lawsuit against Accellion in relation to the Washington State Auditor Office, and many others are expected to be filed in the coming months as companies review appliances and discover signs of a breach.
    And more hacks are expected to come to light. In a press release on February 1, the company said the initial December 2020 attacks “continued into January 2021.”
    Two days after this press release, Accellion published a PDF on its website announcing a formal end-of-life date for the FTA appliance, scheduled for April 30, 2021. After this date, Accellion said it wouldn’t honor requests to extend FTA appliance licenses.
    While Accellion had designated FTA a legacy product for years, the move to retire the appliance might have come a little too late, for both its reputation and its customers’ networks.


    Free decrypter released for Avaddon ransomware victims… aaand, it's gone!

    A Spanish student released a free decryption utility that can help victims of the Avaddon ransomware recover their files for free.


    Published on GitHub by Javier Yuste, a student at the Rey Juan Carlos University in Madrid, the AvaddonDecrypter works only in cases where victims have not powered off their computers.
    The tool works by dumping an infected system’s RAM and scouring the memory content for data that could be used to recover the ransomware’s original encryption key.
    If enough information is recovered, the tool can then be used to decrypt files and help victims recover from Avaddon attacks without needing to pay the gang’s ransom demand.
    Avaddon gang fixes their code
    But while the tool’s release will most likely help past victims, it won’t be helping companies that fall victim to new Avaddon attacks.
    This is because the tool’s release did not go unnoticed. In a forum post on Wednesday, the Avaddon gang said it also learned of Yuste’s decrypter and has already deployed updates to its code, effectively negating the tool’s capabilities.

    The Avaddon team’s reaction mirrors how the Darkside ransomware crew also answered the release of a similar decrypter for their own strain last month, in January.

    Infosec experts: Keep some ransomware decrypters private!

    In the end, the release of both decryption utilities had a very limited impact. While a few victims were able to decrypt files, once the existence of the decryption tool was made public, the ransomware gangs analyzed how the tools worked and fixed their code within days.
    The release of these two tools, along with a blog post from Dutch security firm Eye Control showing how victims could recover from attacks with the Data Doctor ransomware, has rekindled, once again, a years-long conversation in the cyber-security industry about how decryption utilities should be handled and released to victims.
    Several prominent security researchers with a long history of helping ransomware victims since the mid-2010s have made their opinions known again over these past two months, highlighting the fact that decryption utilities that take advantage of ransomware encryption bugs should be kept private and distributed to victims via non-public channels rather than advertised online.
    Furthermore, even if such tools need to be made public, there should not be any technical details that accompany the tool’s release, details that will obviously help the attackers patch their own code as well.

    Good work, but it is nothing sensational… Actually, it would be much more helpful (or maybe even say, only would be helpful) if he had not published this and only said something like “if you got Avaddon ransomware, contact me immediately”. 😫 cc @demonslay335
    — MalwareHunterTeam (@malwrhunterteam) February 9, 2021

    Keep it in your pocket folks! You can help victims and hold that blog post till AFTER the TA patches..win win!
    — Bill Siegel (@billseagull) January 9, 2021

    You could have just posted that you have a fix for this particular ransomware and ask people to reach out to you. Then reach out to initiatives like NoMoreRansom or communities like BleepingComputer to propagate the news. You know, like everyone else who is responsible.
    — Fabian Wosar (@fwosar) January 9, 2021

    On the other side, decryption utilities that are built around master decryption keys obtained from the attackers’ servers are OK to share online, as there’s little that ransomware authors can do about these tools.
    All in all, seeing how the Avaddon and Darkside groups have reacted, by fixing their encryption schemes within days, it’s hard to argue against the point made online over the past two months, namely that some decryption tools should never make it into the public domain.


    Best VPN service in 2021: Safe and fast don't come free

    If finding the best VPN for your needs was a simple matter of comparing prices and features, this guide would not be essential reading. The fact is you won’t find the right VPN without first understanding how a VPN service accomplishes its primary mission: keeping you safe online.

    Fundamentally, most VPNs (virtual private networks) provide two services: encrypting your data between two points and hiding the IP address (from which a general location can be derived) of where you’re located. For those traveling or out and about, the first function is critical because most publicly available Wi-Fi is unencrypted, so anyone on the network could see what you were sending.
    But VPNs also serve to hide your IP address, replacing the address logged on servers with one in a completely different location — even a different country. For those worrying about stalking or other threats, this feature could save lives. Most consumers, though, find streaming VPN features compelling because — in some cases, and with dubious legality — it allows them to spoof their region of origin to get access to streaming media and sports blacked out from their home locale.
    There is no doubt that you should use a VPN service provider when you’re using public Wi-Fi when away from home. But what about when you’re at home? Should you use a VPN then?
    My general advice is that it’s not critical for most people at home, since your ISP rarely wants to look at your traffic. But if you live in an apartment with a bunch of curious roommates all sharing one router, a VPN might prove valuable. If you’re connecting to work and want to make sure you’re taking all the precautions you can (and if your employer hasn’t given you a corporate VPN to use) a VPN service would be useful. If you’re connecting to websites that log connection information and you don’t want to leave tracks where you are (especially where your home is), you might want to use a VPN. You get the idea: If you want extra protection at home, then a VPN isn’t a bad idea.
    Now, let’s be clear. Using a VPN does add a bit of a load on your computer and can often slow down your connection. That’s because your data is encrypted, decrypted, and sent through intermediate servers. Game responsiveness might suffer. If you’re a first-person shooter player, you might have enough lag to lose the shot. That said, both computers and VPNs have gotten a lot faster. When I first used a VPN, every… thing…slowed… down… to… an… unbearable… c-r-a-w-l. But now, the negative impact is almost unnoticeable, and at least one service we spotlight below (Hotspot Shield) actually increased performance, making it one of the fastest VPNs we’ve seen.

    Also, most (but not all!) of the providers we spotlight limit the number of devices you can connect simultaneously, so you may have to pick and choose which home devices connect through a VPN.
    We’re also spotlighting paid services in this article, although some of them offer a free tier. I generally don’t recommend free VPN services because I don’t consider them secure. Think about this: Running a VPN service requires hundreds of servers across the world and a ton of networking resources. It’s boo-coo expensive. If you’re not paying to support that infrastructure, who is? Probably advertisers or data miners. If you use a free service, your data or your eyeballs will probably be sold, and that’s never a good thing. After all, you’re using a VPN so your data remains secure. You wouldn’t want to then have all that data go to some company to sift through — it completely defeats the purpose.
    Before we jump into our cornucopia of VPN services, I want to make it clear that no one tool can guarantee your privacy. First, anything can be hacked. But more to the point, a VPN protects your data from your computer to the VPN service. It doesn’t protect what you put on servers. It doesn’t protect your data from the VPN provider’s VPN servers to whatever site or cloud-based application you’re using. It doesn’t give you good passwords or multifactor authentication. Privacy and security require you to be diligent throughout your digital journey, and VPNs, while quite helpful, are not a miracle cure.
    In this article, we look at a bunch of our favorite VPN solutions. We’ll cover many of the best VPN service providers, how to access the native VPNs built into your desktop machine, and even how to use your NAS as a VPN client and host. If you’re curious about VPNs, you can learn a lot more in our massive VPN FAQ.
    We’ll also dig back into what makes the best VPNs tick and answer some more of your questions at the end of this article, so read on. But first, our picks for the best VPNs of 2021.
    Best VPN providers
    If you’re curious about how VPNs work or what a VPN provider can do for you, here’s a great VPN overview article. Now that you understand how a VPN service can help keep you safe, let’s kick it off with our list of recommended service providers.

    A top-rated VPN provider
    Simultaneous Connections: 5
    Kill Switch: Yes
    Platforms: A whole lot
    Logging: No browsing logs, some connection logs
    Countries: 94
    Locations: 160
    Trial/MBG: 30 days
    ExpressVPN is one of the most popular VPN providers out there, offering a wide range of platforms and protocols. Platforms include Windows, Mac, Linux, routers, iOS, Android, Chromebook, Kindle Fire, and even the Nook device. There are also browser extensions for Chrome and Firefox. Plus, ExpressVPN works with PlayStation, Apple TV, Xbox, Amazon Fire TV, and the Nintendo Switch. There’s even a manual setup option for Chromecast, Roku, and Nvidia Switch.
    Also: ExpressVPN review: A VPN speed leader with a secure reputation
    With 160 server locations in 94 countries, ExpressVPN has a considerable VPN network across the internet. In CNET’s review of the service, staff writer Rae Hodge reported that ExpressVPN lost less than 2% of performance with the VPN enabled and using the OpenVPN protocol vs. a direct connection.
    While the company does not log browsing history or traffic destinations, it does log dates connected to the VPN service, amount transferred, and VPN server location. We do want to give ExpressVPN kudos for making this information very clear and easily accessible.

    Leak-free and unlimited connections
    Simultaneous Connections: Unlimited
    Kill Switch: Yes
    Platforms: Windows, Mac, Linux, iOS, Android, Fire TV, Firefox, Chrome
    Logging: None, except billing data
    Trial/MBG: 30 day
    At two bucks a month for a two-year plan (billed in one chunk), Surfshark offers a good price for a solid offering. In CNET’s testing, no leaks were found (and given that much bigger names leaked connection information, that’s a big win). The company seems to have a very strong security focus, offering AES-256-GCM, RSA-2048, and Perfect Forward Secrecy encryption. To prevent WebRTC leaks, Surfshark offers a special purpose browser plugin designed specifically to combat those leaks.
    Also: Surfshark VPN review: A feature-rich service with blazing speeds and a security focus
    Surfshark’s performance was higher than NordVPN and Norton Secure VPN, but lower than ExpressVPN and IPVanish. That said, Surfshark also offers a multihop option that allows you to route connections through two VPN servers across the Surfshark private network. We also like that the company offers some inexpensive add-on features, including ad-blocking, anti-tracking, access to a non-logging search engine, and a tool that tracks your email address against data breach lists.

    Interesting options to enhance VPN protection
    Simultaneous Connections: 6
    Kill Switch: Yes
    Platforms: Windows, Mac, iOS, Android, Linux, Android TV, Chrome, Firefox
    Logging: None, except billing data
    Countries: 59
    Servers: 5517
    Trial/MBG: 30 day
    NordVPN is one of the most popular consumer VPNs out there. Last year, Nord announced that it had been breached. Unfortunately, the breach had been active for more than 18 months. While there were failures at every level, NordVPN has taken substantial efforts to remedy the breach.
    Also: My in-depth review of NordVPN
    In our review, we liked that it offered capabilities beyond basic VPN, including support of P2P sharing, a service it calls Double VPN that does a second layer of encryption, Onion over VPN which allows for TOR capabilities over its VPN, and even a dedicated IP if you’re trying to run a VPN that also doubles as a server. It supports all the usual platforms and a bunch of home network platforms as well. The company also offers NordVPN Teams, which provides centralized management and billing for a mobile workforce.
    Also: My interview with NordVPN management on how they run their service
    Performance testing was adequate, although ping speeds were slow enough that I wouldn’t want to play a twitch video game over the VPN. To be fair, most VPNs have pretty terrible ping speeds, so this isn’t a weakness unique to Nord. Overall, a solid choice, and with a 30-day money-back guarantee, worth a try.

    Deep capabilities hidden in an easy-to-use app

    Simultaneous Connections: Unlimited
    Kill Switch: Yes
    Platforms: Windows, Mac, iOS, Android, Linux, Chrome, plus routers, Fire Stick, and Kodi
    Logging: None, except billing data
    Servers: 1,500 
    Locations: 75
    Trial/MBG: 30 day
    IPVanish is a deep and highly configurable product that presents itself as a click-and-go solution. I think the company is selling itself short doing this. A quick visit to its website shows a relatively generic VPN service, but that’s not the whole truth.
    Also: My in-depth review of IPVanish
    Its UI provides a wide range of server selection options, including some great performance graphics. It also has a wide variety of protocols, so no matter what you’re connecting to, you can know what to expect. The company also provides an excellent server list with good current status information. There’s also a raft of configuration options for the app itself.
    In terms of performance, connection speed was crazy fast. Overall transfer performance was good. However, from a security perspective, it wasn’t able to hide that I was connecting via a VPN — although the data transferred was secure. Overall, a solid product with a good user experience that’s fine for home connections as long as you’re not trying to hide the fact that you’re on a VPN.
    The company also has a partnership with SugarSync and provides 250GB of encrypted cloud storage with each plan.

    Open source with a dedicated focus on security

    Simultaneous Connections: Depends on plan
    Kill Switch: Yes
    Platforms: Windows, Mac, iOS, Android, Linux, routers
    Logging: None, except billing data
    Countries: 54
    Servers: 1,077
    Trial/MBG: 30 day
    We really like the ProtonVPN story. The company was created by engineers and scientists who met at CERN (the European Center for Nuclear Research — where the Web was invented) with a focus on creating encrypted email and VPN communications with the idea of protecting the communication of activists and journalists. The company is also headquartered in Switzerland, which has very strong privacy laws.
    In terms of product, ProtonVPN has a belt-and-suspenders approach to security, layering strong protocols on top of perfect forward secrecy, on top of strong encryption. Not only does ProtonVPN have a kill switch, but it also has an always-on VPN, which attempts to restore VPN service if it’s dropped mid-communication. Finally, we like that all apps are open source and the company reports that they are independently audited. 
    The company also offers a very generous free service, allowing one machine to connect at medium speed, and there doesn’t appear to be any limit to the amount of data used in the free plan.

    VPN service hosted on its own infrastructure

    Simultaneous Connections: 5
    Kill Switch: Yes
    Platforms: Windows, Mac, iOS, Android, QNAP, Synology, router, TV
    Logging: None, except billing data
    Servers: 700+ on their own infrastructure 
    Locations: 70
    Trial/MBG: 30 day
    Golden Frog, the company behind VyprVPN, claims to be “A company as old as the Internet itself,” yet its own about page says the company was founded in 2009. Apparently, the founders of Golden Frog were founding companies back in the 90s, and they conflated the two facts. I’m always a bit uncomfortable when a security company conflates facts.
    On the plus side, we like that Golden Frog owns and manages its own infrastructure and does not rely on hosting companies. VPN infrastructure is often a murky thing, with the VPN service providers renting time from available data centers in host countries.
    The company offers a huge array of client software, including apps for routers and even BlackBerry devices. Apps support key features like a kill switch, a zero-knowledge DNS service, and their own Chameleon VPN protocol for added security. The company’s no-log service was last audited in 2018, so they’re a bit overdue.
    Golden Frog, also registered in Switzerland, is a standout in their effort to provide privacy and thwart censorship. When China began its program of deep packet VPN inspection, Golden Frog’s VyprVPN service added scrambled OpenVPN packets to keep the traffic flowing.

    It’s Norton, a known and trusted brand. What else is there to say?
    Simultaneous Connections: Based on plan
    Kill Switch: Yes
    Platforms: Windows, Mac, iOS, Android
    Logging: None, except billing data
    Countries: Unspecified
    Locations: Unspecified
    Trial/MBG: 60 day
    We found performance to be middle-of-the-road, and platforms are limited to Mac, iOS, Windows, and Android. Don’t even think of using it on routers, Linux, or gaming platforms. Pricing is weirdly and unnecessarily tiered. The service raises its price by ten bucks when you jump from 1 device to 5, and another ten bucks when you jump to ten devices. Given the full ten simultaneous device package is a good deal at $59, it’s odd that it’s nickel-and-diming the lower tiers.
    Also: Norton Secure VPN review: More work is needed for this privacy product to shine
    We’re recommending Norton not as much because it’s a great VPN (it’s really kinda meh), but because it’s from a brand we’ve long come to know and trust. The company also offers live 24/7 phone support and has a generous 60-day money-back guarantee, but oddly doesn’t promote it. The only place it’s mentioned is deep inside their refund policy document.

    Clear and understandable instructions

    Simultaneous Connections: 12
    Kill Switch: Yes
    Platforms: Windows, Mac, iOS, Android, Linux, Fire TV, Synology, Kindle, Kodi, and routers
    Logging: None, except billing data
    Countries: 30+
    Servers: 950+
    Trial/MBG: 30 day
    StrongVPN stands out because its setup, website, and support materials are clear and easy to understand. We found setup to offer just the right amount of explanation when we needed it.
    Also: My StrongVPN in-depth review
    The fact that StrongVPN doesn’t log anything is a big win, but it’s offset a bit by the fact that our testing showed endpoints can tell you’re using a VPN. To be sure, data is nicely encrypted, but if you’re trying to hide the fact that you’re on a VPN, Strong isn’t for you. That said, it had solid performance, an excellent UI, and did the job. Plus, they recently upped the number of simultaneous connections from five to twelve. That’s nice to see. The company also includes 250 GB of SugarSync secure storage with all plans.

    Astonishing performance
    Simultaneous Connections: 5
    Kill Switch: Yes
    Platforms: Windows, Mac, iOS, Android, Linux, router, TV
    Logging: None, except billing data
    Countries: 80
    Locations: 115
    Trial/MBG: 45 days
    This is a company that has had some ups and downs in its coverage. That said, the company seems to have resolved its issues successfully. But I’m burying the lede for this story. Here’s what you need to know about Hotspot Shield: performance was astonishing.
    Also: My in-depth review of Hotspot Shield
    The company kept sending me bragging emails, claiming exceptional performance. Since reviewers often (always) get “we’re the best” emails, it’s something we ignore like the background noise it usually is. But then my editor challenged me to put Hotspot Shield to the test. And you know what? For most countries, while the VPN connection was active, it actually out-performed non-VPN connection speed. Go ahead and read my review. Surprised the heck out of me.

    A bundle of security features beyond VPN
    Simultaneous Connections: 7
    Kill Switch: Yes
    Platforms: All you’d expect and a lot more
    Logging: None, except billing data
    Countries: 89
    Servers: 6,381
    Trial/MBG: 45 days
    The CyberGhost client is more than a VPN connection driver. The company’s offering is a decently complete full security system, including ad-blocking, malicious website blocking, online footprint blocking (blocking cookies from dropping), and forced https redirect.
    Also: My in-depth review of CyberGhost
    With more than 6,000 servers deployed in 89 countries and 112 locations, CyberGhost has a larger number of servers than many of the other VPN providers we surveyed. Performance was adequate. It provided enough bandwidth to stream video and get your job done, but it certainly wasn’t a rocket. Also, if you’re trying to hide the fact that you’re using a VPN, you’ll want to look elsewhere. That said, for a solid overall security package, CyberGhost is a good option.

    31-day guarantee because sometimes that extra day matters
    Simultaneous Connections: 10
    Kill Switch: Yes
    Platforms: Windows, Mac, iOS, Android, Linux, and a lot more
    Logging: None, except billing data
    Countries: 140
    Servers: 2,000
    Trial/MBG: 31 day
    Most VPN providers license their international server presence from local providers all over the globe. PureVPN doesn’t. They own their own self-managed network of more than 2,000 servers in 140 countries. This allows the company to support its full range of protocols (OpenVPN, L2TP/IPSec, SSTP, and IKEv2). It also offers PPTP, but it’s so porous, you probably shouldn’t use it.
    Given the tough times due to the novel coronavirus, PureVPN has sent its support folks home, but they’re up and running providing 24/7 support from the safety of sheltering in place. So even though business isn’t as usual, PureVPN has, like many companies, routed around the problem using internet technology to keep connected. We also like the 31-day money-back guarantee and the support for a wide range of devices, including Kodi, Roku, and Boxee boxes.

    A tremendous number of servers

    Simultaneous Connections: 10
    Kill Switch: Yes
    Platforms: Windows, Mac, iOS, Android, Linux, Chrome, Firefox, Opera
    Logging: None, except billing data
    Countries: 76
    Servers: 17,605
    Trial/MBG: 30 day
    One of the more interesting aspects of Private Internet Access is the wealth of payment options the company offers. Sure, you can pay by credit card. But you can also pay with cryptocurrencies including BitcoinCash, Bitcoin, Zcash, Ethereum, and Litecoin. If you’re not all up on the crypto-craze but still don’t want to leave a record of your payment, you can use over 100 brands of gift cards, including those from Best Buy, GameStop, Home Depot, Lowes, Target, and Walmart.
    The company supports a good range of protocols and you can use it on your customized DD-WRT router. We do like the quick setup, included ad, malware, and tracker blocker, and unlimited bandwidth is always appreciated.

    Relative newcomer that keeps improving each time we look at them
    Simultaneous Connections: Unlimited
    Kill Switch: Yes
    Platforms: Windows, Mac, iOS, Android, Android TV, Linux, Chrome, routers
    Logging: None, except billing data
    Countries: Unspecified
    Locations: Unspecified
    Trial/MBG: 30 day
    Here’s the thing about Goose VPN. It’s called “goose VPN.” That’s nearly irresistible for a writer. When I asked, I was told geese make excellent guard animals, having performed guard duty in ancient Rome, an Air Defense Command base in Germany, and a brewery in Scotland. Hence Goose VPN, where the goose is the mascot for a service that guards your Internet access.
    When I first started talking to the folks at Goose VPN a few years ago, they didn’t offer a kill switch and only had clients for the Big Four. But, as time went on, they’ve been adding features and capabilities regularly and their offering is now a nice, robust system. Unfortunately, since the last time we looked at them, the company ditched its lifetime plan. Now, they offer yearly plan durations similar to their competitors. Finally, the company offers a reasonable 30-day money-back guarantee.
    Native VPN support on your desktop
    If you’re connecting to a corporate VPN, you may not need to purchase a VPN service. All the major desktop operating systems include VPN capabilities. Here’s how to get started using those.

    Connect to a corporate VPN with Apple
    If you’re connecting to an existing corporate virtual private network, you may not need an additional service. MacOS comes with native VPN support built right in.
    Apple provides VPN support for High Sierra, Mojave, Catalina, and now Big Sur. Just pop open System Preferences, head over to the Network tab, and either import the configuration file you were provided or hit the plus button and add a VPN interface. Here’s a handy tip sheet from Apple that will walk you through the process.

    Connect to a corporate VPN with Microsoft

    If you’re connecting to an established corporate VPN, all you need to do is add a new Windows 10 VPN connection. Point your mouse at the Start menu, hit Settings, then Network & Internet, and then VPN. Make sure you have the connection details provided by work and then click on Add a New VPN Connection. Fill in the form and you’re good to go. Here’s a handy tip sheet from Microsoft.
    Windows 10 also allows you to host a VPN server by creating a new incoming network connection, choosing the users who can connect, and telling Windows that the incoming connection is across the internet. You’ll also have to configure your router to allow traffic to your computer. PureInfoTech has a helpful guide for setting it all up.

    Connect your laptop with Google

    Sadly, this simple solution isn’t built into the standard Chrome browser. If you’re just using the browser on a Mac or Windows machine, you’ll need a different solution. 
    That said, if you’re rocking a Chromebook, all you need to do is open Settings and then Network. Click Add Connection. Then all you need to do is choose between OpenVPN and L2TP over IPSec. Google has a handy cheat sheet right here to guide you through the process. 

    Another reason to love open source
    WireGuard is Linux’s new baked-in VPN capability. Its code is relatively simple and small, making it far easier to maintain, test, and debug. Linus Torvalds, Mr. Linux himself, calls WireGuard “a work of art.”
    So what do you need to set up WireGuard? More and more of the VPNs we spotlighted support WireGuard right out of the box. You can download it for Linux. But you can also download a package for Windows, Mac, iOS, Android, and FreeBSD. It’s like most open source products, in that you’ll need to do some reading and thinking to make it work. But it’s free, solid, safe, and, as Linus says, “Can I just once again state my love for it.” 
    VPN for your whole home network
    Many of the commercial VPN services discussed above offer router-based VPN solutions. Even though I have a pretty powerful router, I prefer to run my VPN on my NAS. Here are two NAS-based VPN solutions that will get you connected securely.

    Built-in VPN app on the NAS

    If you have a NAS like the top-reviewed Synology, you may already have a NAS app you can set up to protect your whole home network. The Synology server has a very capable little VPN built in, and it’s available free to anyone with the NAS.
    If you want to go a step further and use some Synology-exclusive VPN services like Synology SSL VPN, clientless WebVPN, and remote desktop, as well as a site-to-site VPN service, you can do so using the Synology router I reviewed last year. That service is called VPN Plus and it normally costs $9.99 per concurrent user. But because of COVID-19, Synology is offering VPN Plus free between now and September.

    A mini-FAQ about VPNs
    I answered a bunch of common questions above our big list of the best VPNs for 2021. But here’s a quick lightning round of questions and answers about VPNs, just to round out your knowledge.
    Do VPN providers limit usage? Some do. Check when you sign up. For non-free plans, none of the providers we recommended limit the amount of data you can use. But almost all limit how many devices you can use at once.
    What does logging really mean? Logging is the recording of data about your usage and it occurs everywhere. Every website, at minimum, records an IP address, time, and data accessed so they can track traffic. All VPN providers have to check credentials against recorded personal data to make sure you paid, but a few let you sign up with Bitcoin, allowing you to completely hide your identity. When we say a VPN doesn’t log data, we mean they don’t track what sites you visit and for how long, but they may track how much of their own infrastructure you use.
    Is it legal to use a VPN? Yes, in most countries. Some countries (and you should read my guide for more in-depth info) have made VPN use illegal. And even in countries where it’s legal, it’s likely to be illegal to use a VPN to spoof a streaming service into giving you content that otherwise wouldn’t be accessible. Plus…
    Can I use a VPN to get free Netflix or watch a blacked-out sports event? Sometimes, but it’s likely illegal and probably fattening. There’s an ongoing arms race where the media vendors are getting better at identifying and blocking VPN connections, so each case is different. And that’s all we can say about it, because… illegal.
    If I have a VPN to my office, do I need a VPN service? The VPN to your office will secure your link to your office. If you want to secure your link to anywhere else, you’ll need a VPN service.
    Should I use a VPN on my phone or tablet? If it’s your data and you want it to be secure, yes. The same choices are valid regardless of what kind of device you use to transmit and receive data over the Internet.
    What’s this kill switch thing? So let’s say you’re surfing along and all of a sudden your VPN connection fails. Your phone or computer is likely to immediately try to reconnect and do so directly, without going through a VPN. All of a sudden your data is unprotected. A kill switch is a feature in your device’s VPN app that detects that connection failure and immediately shuts down network access. Like with everything, it’s not a 100% perfect solution, but these days, I wouldn’t recommend using a VPN that doesn’t offer a kill switch.
    What do simultaneous connections mean and why should I care? I’ll give you a personal example. When I travel, I often take my laptop and my tablet. I use the laptop to write and I use the tablet as a second screen to look stuff up. I have two connections I’m using at once and I want my VPN to protect both. If my wife is also doing the same thing, that’s four connections. Add our phones and you have six connections. If we’re using all those devices at once that’s simultaneous connections. The more the better.
    What about all those weird protocol words? If you’ve been shopping for a VPN service, you’ve undoubtedly come across a bunch of names like SSL, OpenVPN, SSTP, L2TP/IPSec, PPP, PPTP, IKEv2/IPSec, SOCKS5, and more. These are all communication protocols. They are, essentially, the name of the method by which your communication is encrypted and packaged for tunneling to the VPN provider. To be honest, while VPN geeks can argue over protocols for hours, you’re probably good enough if you just use the default set up by your provider.
    How to choose
    I could write an entire article about how VPNs work and how to choose, and, in fact, I did. Rather than repeating it all here, I’m just going to point you to How to find the best VPN service: Your guide to staying safe on the internet.
    Our process
    This list did not involve as much original research and testing as some of my other recommendation lists. That’s because I’ve been writing VPN articles every month or so since early 2017. I have looked at a lot of VPN providers.
    Many of the providers recommended in this list have been subject to in-depth testing and reviews, written either by me or by CNET’s product evaluation team. (See: The best VPN services for 2021.) For those, we have tangible testing numbers. Others are VPNs we’ve been talking about for years; we’ve spoken with their management and their users and have developed a generally positive impression.

    A few of the VPNs (Hotspot Shield, in particular) had a more rocky road. They had some tough PR at the beginning and made some seemingly ludicrous claims about speed. It wasn’t until I brought them in house and pounded on them for a few weeks that I realized that their claims were justified. Sometimes, products just surprise you.
    But here’s the thing: All these vendors have solid money-back guarantees and we would not have recommended them otherwise. We do test VPN services from multiple locations, but we can’t test from all locations. Every home, every community, every local ISP, and every nation has a different infrastructure. It’s essential that once you choose, you test for all your likely usage profiles, and only then make the decision to keep the service or request a refund.
    One thing to consider is whether you’re looking for a solution for working at home vs. traveling. For example, if you travel rarely (even before COVID-19), have strong bandwidth at home, and have a NAS or a server box, you might want to VPN to your home server from your machine’s native client, and then out to the world. If you’re newly home for the duration and your company has a dedicated VPN, you’ll want to use whatever process they’ve set out for you. But, generally speaking, it doesn’t hurt to have a VPN provider already set up and in your kit bag. Most home-based traffic won’t require VPN usage, but if you’re on any sort of shared connection, having a VPN provider is a good idea. Also, if you ever think you’ll need to access the Internet from out and about, like a hospital or doctor’s office, then having a VPN provider can be a win. Likewise, if you want to obscure where you’re connecting from (this might be more important now that we’re always in the same place all day), a VPN provider might help.
    Finally, don’t expect miracles. Your home-based pandemic broadband pipes are likely to be more clogged than ever before. Everyone is at home, many people are streaming movies to stay sane, and there are only so many bits that can fit at any given time. If you experience traffic slowdowns, be sure to check not only your VPN, but your Wi-Fi connection between your device and your router, your connection to your broadband provider, and even their connection to upstream providers.
    That said, we’re all in this together. Hang in there and stay safe. How are you managing your home-based networking? Let us know in the comments below.
    You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.


    KeepChange said it stopped hackers from stealing user funds, but not personal data

    KeepChange, a Bitcoin exchange portal that launched last year, said it was hacked over the weekend but that security safeguards it had in place stopped the intruders from stealing user funds.

    “Bitcoin withdrawal requests were initiated from customer accounts to an address belonging to attackers,” the Bitcoin marketplace said in a blog post this week.
    “One of our control subsystems kicked in and stopped those withdrawal requests, and no Bitcoin is stolen from KeepChange.”
    However, the exchange said that while hackers were unsuccessful in stealing user funds, they managed to steal some of its customers’ personal data. This included details such as names, email addresses, trade counts, total traded amounts, and hashed passwords.
    “Even though passwords were hashed and they are very unlikely to be retrieved from the hashed form, we recommend changing your password as soon as possible. If you have used the same password on other sites, we recommend that you change them as well,” KeepChange told its customers on Tuesday.
    KeepChange has halted funds withdrawals on the platform until today, Thursday, February 11, to give users time to change passwords and enable various security features for their accounts.
    Among these are two-factor authentication (2FA), which the company urged users to enable for their accounts.

    Furthermore, KeepChange took the rare step of forcibly enabling a security feature for all users. Named Login Guard, the feature blocks access to an account unless the user opens a verification link sent to them via email.
    News of the KeepChange attack came on the same day that Japanese news agency Nikkei reported that North Korean state-sponsored hackers stole an estimated total of $316 million from cryptocurrency exchanges in 2019 and 2020.
    A Chainalysis report published yesterday also blamed North Korean hackers for most cryptocurrency exchange hacks, including the theft of $150 million from KuCoin, last year’s biggest hack.
    KeepChange said it’s still investigating the breach, but at this point, it wouldn’t surprise any cryptocurrency expert if the exchange confirms it was targeted by Pyongyang hackers.

    Android spyware strains linked to state-sponsored Confucius threat group

    Two variants of Android spyware connected to pro-India, state-sponsored hacking campaigns have been discovered. 

    On Tuesday, cybersecurity firm Lookout said that two malware strains, dubbed Hornbill and SunBird, have been linked to Confucius, an advanced persistent threat (APT) group thought to be state-sponsored and to have pro-India ties. 
    First detected in 2013, Confucius has been linked to attacks against government entities in Southeast Asia, as well as targeted strikes against Pakistani military personnel, Indian election officials, and nuclear agencies.  
    According to the cybersecurity firm, the APT can be reasonably linked to Hornbill and SunBird, two forms of Android spyware. Specifically, the malware appears to be focused on compromising the WhatsApp messaging platform and exfiltrating the content of conversations. 
    The team’s analysis of the malware suggests that Hornbill is based on MobileSpy, a commercial stalkerware app for remotely monitoring Android devices that was retired in 2018. SunBird, however, appears to have a similar codebase to BuzzOut, an old form of spyware developed in India.
    Confucius was known to have used ChatSpy for surveillance purposes back in 2017, but it is thought that both Hornbill and SunBird predate this malware. There don’t appear to be any new campaigns utilizing SunBird, believed to have been in active development between 2016 and early 2019; however, Hornbill has been found in a wave of attacks dating from December 2020. 
    Apurva Kumar, Lookout Staff Security Intelligence Engineer, says that both forms of spyware abuse Android accessibility services to plunder WhatsApp for information and exfiltrate content without the need for root access or a jailbroken device. 

    Mobile apps containing the malware appear to be hosted outside of Google Play and are offered as software packages including the fake “Google Security Framework,” local news aggregators, Islam-related apps, and sports software. According to Lookout, the majority of these malicious apps appear to target the Muslim population. 
    Hornbill and SunBird have different approaches to spying. Hornbill is described as a “discreet surveillance tool” designed to selectively steal data of interest to its operator, whereas SunBird contains Remote Access Trojan (RAT) functionality, permitting the additional deployment of malware and remote hijacking. 
    Both malware variants, however, can steal data including device identifiers, call logs, WhatsApp voice notes, contact lists, and GPS location information. In addition, they can request administrator privileges on a compromised device, take screenshots and photos, and record audio both during calls and as ambient environmental sound. 
    SunBird’s capabilities go beyond Hornbill’s as this malware is also able to grab browser histories, calendar information, BlackBerry Messenger (BBM) content, and more extensive WhatsApp content including documents, databases, and images. SunBird will also try to upload stolen data to a command-and-control (C2) server at more regular intervals than Hornbill. 
    However, Hornbill is able to detect and record active WhatsApp calls by abusing Android accessibility functions. 
    “The leverage of Android’s accessibility services in this manner is a trend we are observing frequently in Android surveillanceware, avoiding the need for privilege escalation on a device,” the researchers say. 
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

    PayPal fixes reflected XSS vulnerability in user wallet currency converter

    PayPal has resolved a reflected cross-site scripting (XSS) vulnerability found in the currency converter feature of user wallets. 

    First disclosed on February 19, 2020, by a bug bounty hunter who goes by the name “Cr33pb0y” on HackerOne, the vulnerability is described as a “reflected XSS and CSP bypass” issue. 
    The bug was found in the currency converter feature of PayPal wallets on the PayPal web domain.
    In a limited disclosure, published on February 10 — close to a year after the researcher reported the issue privately — PayPal said the bug existed in the currency conversion endpoint and was caused by a failure to properly sanitize user input. 
    A weak URL parameter failed to clean up input which could allow threat actors to inject malicious JavaScript, HTML, or any other code “that the browser could execute,” according to the advisory. 
    As a result, malicious payloads could trigger in the Document Object Model (DOM) of a browser page of a victim without their knowledge or consent. 
    Typically, reflected XSS attacks reflect scripts from a web source to a browser and may only require a victim to click on a malicious link to trigger. Payloads may be used to steal cookies, session tokens, or account information, or could be used as a step in wider attacks. 
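    To make the failure mode concrete, here is an added illustration written for this page rather than PayPal’s code or the researcher’s report: a currency-converter page that reflects a URL parameter into its markup, first in the vulnerable shape the advisory describes (a parameter echoed without sanitisation) and then hardened with allow-list validation, HTML-entity encoding on output, and a Content Security Policy as a second layer. The function names, the currency allow-list and the sample link are all constructed for the example.

```javascript
// Added illustration, not PayPal's code: a page that reflects a URL parameter
// into its markup, shown in a vulnerable form and a hardened form. Names such
// as renderConverterVulnerable and the currency allow-list are constructed.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML-entity encode a value before interpolating it into element content.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Vulnerable: the "to" parameter is copied verbatim into the response, so a
// crafted link controls the markup the browser parses (reflected XSS).
function renderConverterVulnerable(url) {
  const to = new URL(url).searchParams.get('to') ?? '';
  return `<h1>Convert to ${to}</h1>`;
}

// Hardened: validate the parameter against an allow-list of currency codes,
// and HTML-encode anything that is echoed back, including a rejected value.
const KNOWN_CURRENCIES = new Set(['USD', 'EUR', 'GBP', 'SGD', 'JPY']); // constructed sample list

function renderConverterHardened(url) {
  const raw = new URL(url).searchParams.get('to') ?? '';
  const code = raw.toUpperCase();
  if (!/^[A-Z]{3}$/.test(code) || !KNOWN_CURRENCIES.has(code)) {
    return { status: 400, body: `<h1>Unsupported currency: ${escapeHtml(raw)}</h1>` };
  }
  return { status: 200, body: `<h1>Convert to ${escapeHtml(code)}</h1>` };
}

// Response header the hardened page should also send: inline scripts are
// refused, so a reflected script element would not execute even if encoding
// were missed somewhere. This is a second layer, not a replacement for encoding.
const CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// Browser-free check used below: does the markup contain a live <script>
// start tag, as opposed to the inert encoded text "&lt;script&gt;"?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: a link whose "to" parameter carries a script element.
const HOSTILE_LINK =
  'https://converter.example.invalid/convert?to=' + encodeURIComponent('<script>alert(1)</script>');

console.log('vulnerable:', renderConverterVulnerable(HOSTILE_LINK));
console.log('hardened:  ', renderConverterHardened(HOSTILE_LINK).body);
console.log('CSP header:', CSP_HEADER);
```

The two renderers differ only in how they treat the same parameter: the vulnerable one emits a live `<script>` element, the hardened one rejects the value and echoes it back as encoded text that the browser displays rather than parses. Validation and output encoding are the fix the advisory describes; the CSP header is defence in depth, which matters here because the report was filed as a CSP bypass as well as an XSS.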

    Following the bug bounty hunter’s disclosure, PayPal has now implemented additional validation checks and sanitizer controls to control user input in the currency exchange feature and wipe out the bug.
    A CVE has not been assigned but the vulnerability has been categorized as medium-severity. The researcher was awarded $2,900 as a financial reward. 
    Last year, HackerOne published a list of the most impactful and rewarded vulnerability types reported on the platform during 2020. XSS attacks, improper access control, information disclosure, and Server-Side Request Forgery (SSRF) vulnerabilities secured the top spots. 

    Singtel hit by third-party vendor's security breach, customer data may be leaked

    Singtel says it is investigating the impact of a cybersecurity breach that may have compromised customer data, after it ascertained on February 9 that “files were taken”. The attack affected a file-sharing system developed two decades ago by third-party vendor Accellion, which the Singapore telco had used internally and with external stakeholders. 
    Singtel revealed in a statement Thursday it was notified by Accellion that the file-sharing system, called FTA (File Transfer Appliance), had been breached by unidentified hackers. The telco said the tool was deployed as a standalone system and used to share information within the organisation and with external stakeholders. 
    All use of the system had been pulled back and relevant authorities, including Singapore’s Cyber Security Agency and local police, were notified. Singtel added that it currently was assessing the nature and impact of the breach, and the extent of data that might have been illegally accessed. 


    “Customer information may have been compromised,” the telco said. “Our priority is to work directly with customers and stakeholders whose information may have been compromised to keep them supported and help them manage any risks. We will reach out to them at the earliest opportunity once we identify which files relevant to them were illegally accessed.”
    Adding that the incident was “isolated” since it involved a standalone third-party system, it said its “core operations” were not affected. In its FAQ posted online, Singtel said it was reviewing its processes and file-sharing protocols to “further enhance our information security posture”. 
    It noted that due to the “complexity of the investigations”, its impact assessment would take some time. It said it would contact those that might have had their data illegally downloaded.
    Accellion on February 1 said its FTA system was a 20-year-old large-file transfer software nearing the end of its lifecycle. It had been the target of a “sophisticated cyberattack”, which was first made known on December 23 when Accellion informed all its customers of an attack involving the file-sharing system. 

    The vendor said it was “made aware of a zero-day vulnerability” in mid-December, which then was the “beginning of a concerted cyberattack” that continued into January 2021, with further exploits identified. It said it had released a fix for the initial exploit within 72 hours and continued to release patches to close each vulnerability discovered in the following weeks. 
    Fewer than 50 customers were affected by the incident, Accellion said, noting that it had added monitoring and alerting tools to identify anomalies associated with these attack vectors. 
    It said the vulnerabilities were limited to the FTA software and did not impact its enterprise content firewall product, Kiteworks, on which most of Accellion’s customers operated. Kiteworks was developed on a different code base and security architecture, the vendor said. 
    Patches rolled out did not effectively plug holes
    ZDNet sent several questions to Singtel, including when it was first notified of the breach and why it was still using a 20-year-old file-sharing product that was nearing the end of its lifecycle. A spokesperson did not directly address the questions, but confirmed Accellion first notified Singtel of the vulnerability on December 23 and subsequently provided a series of patches. 
    The telco said the first fix was deployed on December 24, while the second and final patch was applied on December 27. Singtel said no further fixes were released after that. 
    Accellion on January 23 pushed out another advisory citing a new vulnerability, against which the patch rolled out on December 27 was ineffective, according to Singtel. The telco then “immediately” took the FTA system offline. 
    A subsequent patch was provided on January 30 to plug a new vulnerability, which Singtel said had triggered an anomaly alert when efforts were made to deploy it. 
    “Accellion informed thereafter that our system could have been breached and this had likely occurred on January 20,” the Singtel spokesperson told ZDNet in an email. “We continued to keep the system offline and activated cyber and criminal investigations that confirmed the January 20 date. Given the complexity of the investigations, it was only confirmed on February 9 that files were taken.” 
    Commenting on the potential data breach, Acronis’ co-founder and technology president Stas Protassov noted that the information would be useful to Singtel’s competitors if leaked, since the FTA system was used mostly amongst employees and likely would touch on internal information, such as current business plans.
    He further noted that the software was a 20-year-old legacy system and would pose significant security risks. “Singtel and others should consider migrating to supported modern systems,” Protassov said, adding that Singtel also could have started addressing the issue sooner since Accellion was aware of the compromise since December 23.
    “Accellion points out that FTA is over 20 years old. It seems this legacy system did not get as much attention from developers and security teams as it should have. Singtel has now suspended the use of the system, which is good. However, Accellion says the first signs of compromise appeared 23 December 2020, so Singtel could have started the process much earlier.”
    He noted that Acronis was monitoring the dark web for potential data leak from the FTA breach, but had yet to see any signs of data being dumped. 

    Proofpoint sues Facebook to get permission to use lookalike domains for phishing tests

    Cyber-security powerhouse Proofpoint has filed a lawsuit this week against Facebook in relation to the social network’s attempt to confiscate domain names the security firm was using for phishing awareness training.

    The case is a countersuit to a Facebook filing from November 30, 2020, when the social network used a UDRP (Uniform Domain-Name Dispute-Resolution) request to force domain name registrar Namecheap to hand over several domain names that were mimicking Facebook and Instagram brands.
    Among the listed domain names were the likes of facbook-login.com, facbook-login.net, instagrarn.ai, instagrarn.net, and instagrarn.org.
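    The domains in the dispute show the two usual tricks: dropping a letter (facbook) and substituting a confusable sequence (rn for m in instagrarn). As an added example that is not Proofpoint’s or Facebook’s code, the following script flags registered domains that resemble a protected brand after confusable normalisation and an edit-distance check. The brand list, confusable table, distance threshold and the control domains are constructed for the illustration; it assumes a bare registrable domain is passed in.

```javascript
// Added illustration, not Proofpoint's or Facebook's code: flag domains that
// mimic a protected brand the way "facbook-login.com" and "instagrarn.ai"
// mimic Facebook and Instagram. The brand list, confusable table and
// distance threshold are constructed for this example.

const PROTECTED_BRANDS = ['facebook', 'instagram'];

// Character sequences that read like another character in common fonts.
const CONFUSABLES = [
  [/rn/g, 'm'], [/vv/g, 'w'], [/0/g, 'o'], [/1/g, 'l'], [/3/g, 'e'], [/5/g, 's'],
];

function normalizeLabel(label) {
  let out = label.toLowerCase();
  for (const [pattern, replacement] of CONFUSABLES) out = out.replace(pattern, replacement);
  return out;
}

// Single-row Levenshtein edit distance between two strings.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diagonal = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diagonal + cost);
      diagonal = above;
    }
  }
  return row[b.length];
}

// Returns the brands a registrable domain resembles. The label left of the
// first dot is split on hyphens so that "facbook-login" is judged on "facbook".
// Assumes a bare registrable domain (no "www." prefix) is passed in.
function lookalikeMatches(domain) {
  const label = domain.toLowerCase().split('.')[0];
  if (PROTECTED_BRANDS.includes(label)) return []; // the brand's own domain
  const hits = [];
  for (const brand of PROTECTED_BRANDS) {
    for (const part of label.split('-')) {
      const distance = levenshtein(normalizeLabel(part), brand);
      if (distance <= 1) hits.push({ brand, part, distance });
    }
  }
  return hits;
}

function isLookalike(domain) {
  return lookalikeMatches(domain).length > 0;
}

// Constructed sample: the domains named in the UDRP dispute plus two controls.
const SAMPLE_DOMAINS = ['facbook-login.com', 'instagrarn.ai', 'facebook.com', 'example.com'];
for (const d of SAMPLE_DOMAINS) console.log(d, isLookalike(d), lookalikeMatches(d));
```

A check like this is what a brand-protection or phishing-awareness team runs over newly registered domain feeds; the edit-distance threshold and the confusable table are deliberately small here and would be widened in practice, with the trade-off that looser matching produces more false positives to triage.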
    Proofpoint says lookalike domains are fair game
    In court documents filed on Tuesday, Proofpoint said the UDRP should not apply to these domains, which it should be allowed to keep and continue using.
    Proofpoint argues that UDRP requests should only be used for domains registered in bad faith. The security firm instead says its use of the Facebook and Instagram lookalike domains “has been in good faith and for a legitimate purpose.”
    Proofpoint claims its phishing awareness tests are crucial for the security of its customers, but also for the security of Facebook itself, as the phishing awareness tests teach users to recognize Facebook and Instagram lookalike domains and phishing attacks, something that Facebook also benefits from, although indirectly.
    The security firm also argues that while other lookalike domains are used for criminal activity, the Facebook lookalike domains it owns are not weaponized and do no harm to users.

    Users who click on links found inside Proofpoint phishing tests are always notified that they performed an unwanted action, and no Facebook account credentials are collected or harm done to the user, the security firm said.
    Furthermore, users who access the domains directly are also warned that these are not official Facebook sites.
    “Consumer confusion is unlikely because Proofpoint clearly states on the websites to which the Domain Names are pointed: ‘Hi! This web site belongs to Proofpoint Security Awareness Training. This domain is used to teach employees how to recognize and avoid phishing attacks.'”

    Now, Proofpoint wants a judge to rule that its use of these domain names is “in connection with a bona fide offering of goods or services” and in good faith; hence they should not be subject to a classic UDRP seizure request.
    A copy of the court documents is available here and here. The legal case was discovered by Seamus Hughes, deputy director of the program on extremism at George Washington University.
    Facebook and Proofpoint have not responded to requests for comment.
    Over the past year, Facebook’s legal department has been very active and has filed multiple lawsuits against developers of rogue browser extensions and Facebook apps who have collected Facebook user data without authorization.
    Among its tens of lawsuits last year was one the social network filed against Namecheap, seeking to unmask cybercrime groups who registered malicious Facebook lookalike domains.