VPN: A Key to Securing an Online Work Environment

The current COVID-19 epidemic is changing the way people work, with many rapidly moving to working remotely, as I have done for 20 years. I am providing this advice for smaller businesses that should leverage virtual private networks (VPNs) to enhance their security. This should by no means be all you rely on, but it could be a simple, cost-effective way of adding a layer to your security posture in this changing environment.

VPNs offer great protection. Beyond the main discussion of this article, they are the second thing I generally recommend after using a password manager. As a supporter of internet privacy, I am especially concerned about internet service providers (ISPs) snooping on our online activity for profit. For this privacy protection alone, there are also browsers such as Opera.

Types of VPNs

The two more common VPN setups that internet users may be used to are the larger corporate installations, such as the one we use here at Sucuri, and the commercial and free VPN products. All large corporations provide the former to allow remote working and to protect data in transit between sites. The commercial and free products protect your browsing. You might use these while traveling for privacy and security. Or you might want to switch your location to access content normally restricted in your region, or to bypass political censorship, or maybe some other country has a better version of their streaming video service.

Corporate VPN setups are an expensive item, requiring considerable support to ensure employees are able to connect to their applications and data. They supply static IP addresses to their clients, whereas commercial VPNs do not provide the client with a static IP but do provide the protection of data in transit.

What is a VPN’s static IP address?

The static IP address provided by the VPN is, in effect, an additional credential when connecting to a resource. The VPN also encrypts the connection, which provides security and integrity. Our Web Application Firewall (WAF) leverages this for web applications: the setting “Allow only whitelisted IP addresses access to admin pages” is a standard feature. Allowing only whitelisted IPs can be burdensome when working from a mobile connection or a home cable ISP. These rarely provide a static IP, so you have to keep checking whether the IP address has changed and then whitelist the new address, possibly on more than one website. If this is the case, we suggest using a passcode or 2FA in addition to the application's login credentials.

But you may need access to many applications, such as email, database or file servers, where there are few options to add an additional layer of security for those working remotely. While they might not have a 2FA option, they will nearly always have an option to restrict access to a static IP. Commercial VPN products, which do not generally provide static IP addresses, are of no help here.
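The allowlist check described above, as an added example (not Sucuri's WAF code or any product's implementation). The address 203.0.113.10 is a constructed stand-in for the VPN server's static IP, the admin path prefixes are hypothetical, and `peer` is assumed to be the connection's source address as the server itself sees it.

```python
import ipaddress

# Constructed values: 203.0.113.10 (documentation range) stands in for the
# VPN server's static IP; the admin path prefixes are hypothetical.
VPN_ALLOWLIST = ("203.0.113.10/32",)
ADMIN_PREFIXES = ("/wp-admin", "/admin")


def is_admin_path(path: str) -> bool:
    """Match a prefix only on a path-segment boundary (/admin, /admin/x)."""
    return any(path == p or path.startswith(p + "/") for p in ADMIN_PREFIXES)


def peer_in_allowlist(peer: str, allowlist=VPN_ALLOWLIST) -> bool:
    """True if the connection's source address falls inside the allowlist."""
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return False  # unparseable address: fail closed
    # Dual-stack listeners report IPv4 clients as ::ffff:a.b.c.d.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    nets = (ipaddress.ip_network(n, strict=False) for n in allowlist)
    return any(addr.version == n.version and addr in n for n in nets)


def request_allowed(path: str, peer: str) -> bool:
    """Public pages stay open; admin pages require the VPN's static IP."""
    return not is_admin_path(path) or peer_in_allowlist(peer)
```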

Adding an additional layer of protection

But you can set up a VPN server for you and your coworkers to use, adding this additional layer of browser security and providing a static IP address to be whitelisted across your remote applications. This may be set up in your office or using a VPN or dedicated hosting server. These VPN server applications are nearly all built on Linux, with many being open source. There is a list maintained on GitHub. For myself, I tend to use an adapted version of this simple script that only takes a few minutes to set up.

Connecting to VPN servers

VPN clients that connect to these VPN servers are available for all devices and operating systems. You will find them in the app store for your device. Many will be from the same authors as the server applications, although versions of both the client and server are generally agnostic.

A good, well-supported product that I often recommend is WireGuard. Personally, I use OpenVPN Connect as I tend to use OpenVPN servers.

Many home routers will have an option to connect to a VPN server, encrypting all internet use, negating the need to add client software on every device. There are often options to “route” traffic for certain destinations through the VPN, and bypass it for other purposes (Netflix can use a lot of data!).

Cloud-hosted VPN servers

If most resources are within your infrastructure, the VPN server could stay on a server within your office. Better yet, your office router may have a built-in VPN server that can be used instead of setting up a dedicated one. But if most of your company’s resources are cloud based, as is becoming more popular, it often makes more sense to also host the VPN server in the cloud.

Keep in mind that a VPN with a static IP address does not offer the same privacy as commercial VPNs, which mask your location. Your browsing would still be encrypted, but because you have a static IP address it could be traced back to you.

Use a VPN and be secure when browsing 

These days, as more people need to work from home, it is important to take some security steps to make your daily job happen more smoothly. Using a VPN can add another layer of security to your new work environment. Stay safe!

Many people are using a VPN for torrenting or bypassing geographic restrictions to watch content in a different country.

A virtual private network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Applications running on an end system (PC, smartphone etc.) across a VPN may therefore benefit from the functionality, security, and management of the private network. Encryption is a common, though not an inherent, part of a VPN connection.

Malicious Scripts Posing as Google Tracking

Over the last few months, it has been brought to our attention that several credit card-stealing scripts use variations of the Google Analytics name to make them look less suspicious and evade detection by website owners.

The folks over at Sucuri have uncovered a new security threat involving malicious scripts posing as legitimate Google tracking calls in order to avoid casual detection. These scripts are designed to scrape sensitive data such as credit card information from compromised websites.

The malicious code attempts to mimic references to the standard Google Analytics and Google Tag Manager libraries using nearly identical URLs, in some cases registered using alternative TLDs.

In the below example, a malicious script uses a Cameroonian TLD to mimic a reference to the standard Google Analytics library.

Legitimate: www.google-analytics.com/analytics.js

Malicious: www.google-analytics.cm/analytics.js

And below, a malicious script is hosted on a domain registered under the standard ‘.com’ TLD but with a single letter changed (a ‘g’ replaced by ‘q’), causing the malicious script to be loaded from a domain not owned by Google.

Legitimate: www.googletagmanager.com/gtm.js

Malicious: www.gooqletagmanager.com/gtm.js

According to Sucuri, inspections of the malicious code reveal its true intention is to harvest sensitive details from form fields including credit-card details entered during checkout.

Possibly more alarming, Sucuri also outlines an attack vector involving equally obfuscated malicious code mimicking standard Google tracking calls embedded directly within sensitive forms. This suggests that these sites have, at some point, been compromised through targeted hacking and that the administrators of these sites have been unable to differentiate these calls from legitimate tracking.

To be sure, none of these techniques are new. However, the obfuscation by mimicking legitimate Google tracking calls is somewhat alarming given the significant use of Google tracking scripts across the web.

This is not the only case where this approach could help identify e-commerce site compromises. If you believe your site is being used for phishing campaigns and you need a hand cleaning up the infection, we’d be happy to help.

Other than being aware that such threats exist, we recommend that site administrators scan their sites for references to all of the malicious domains and libraries outlined in the original post.
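One way to run such a scan for near-miss hostnames, as an added example (not code from Sucuri or the original post). It generalizes the two cases above to any script host within a small edit distance of a legitimate one; the sample markup is constructed and the function names are hypothetical.

```python
import re
from urllib.parse import urlparse

# The two legitimate hosts named above; extend with any other hosts you use.
LEGIT_HOSTS = ("www.google-analytics.com", "www.googletagmanager.com")
SRC_RE = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)

# Constructed sample markup; the two lookalike hosts are the ones cited above.
SAMPLE = """
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<script src="//www.google-analytics.cm/analytics.js"></script>
<script src='https://www.gooqletagmanager.com/gtm.js'></script>
<script src="/static/app.js"></script>
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def script_hosts(html: str) -> list:
    """Lowercased hostname of every external <script src=...> in the markup."""
    hosts = []
    for src in SRC_RE.findall(html):
        if src.startswith("//"):        # protocol-relative URL
            src = "https:" + src
        host = urlparse(src).hostname   # None for same-origin relative paths
        if host:
            hosts.append(host.lower())
    return hosts


def lookalikes(html: str, max_distance: int = 2) -> list:
    """(suspicious_host, imitated_host) for near-misses of a legitimate host."""
    findings = []
    for host in script_hosts(html):
        near = [h for h in LEGIT_HOSTS if edit_distance(host, h) <= max_distance]
        if near and host not in LEGIT_HOSTS:
            findings.append((host, near[0]))
    return findings
```

Edit distance only catches near-misses; the known malicious domains listed in the original post still need an exact-match scan.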

 

In most cases, they are not formatted as well as the above sample and occupy just a long, single line of code.

Overall, this attack shows a significant level of customization, where attackers have taken an individualized yet very consistent approach to every compromise.

Each site has its own set of injected scripts, compromised sites, misleading variables and file names, and unique variations of obfuscation. At the same time, at each level, they consistently try to make an impression that they do something useful, are related to Google Analytics or Magento conversion tracking, or are built with reputable JS frameworks.
