• Dean Smith

Your VPN May Not Be as Secure as You Think

For as long as the internet has existed, data security has been a problem. Whether the information belongs to an individual, business, organization, or government, keeping private data private has been a struggle.


Today the VPN (virtual private network) is one of the most widely used security tools; by some estimates roughly one in four internet users has used one. Most of these people use VPNs to browse anonymously or to download copyrighted entertainment, but businesses, hackers (state-sponsored or otherwise), and governments love the security too. Of course, a number of governments loathe the way VPNs let their citizens reach censored content, and the user demographics reflect this.


The VPN is an internet within the internet: secure, private, and encrypted against prying eyes, malware, hackers, and anyone else who wants to know what you’re doing and where you’re doing it from, right?

Well… yes and no.

A short, ridiculously oversimplified explanation of the techy stuff

When Microsoft and a group of networking vendors developed the Point-to-Point Tunneling Protocol (PPTP) in 1996, the precursor to modern VPNs, they gave a computer a more private connection across the internet by wrapping its traffic in an encrypted tunnel. That tunnel’s encryption is the shield you and your data hide behind. PPTP itself has long since been broken and should not be used today; modern VPNs rely on protocols such as IPsec, OpenVPN, or WireGuard, but the idea is the same.


Ok, how secure is this encryption?

Extremely, but with caveats. Like everything else on the internet, nothing is 100% secure. This is especially true if you’re a high-value target and your adversary has the necessary resources, because breaking or bypassing modern VPN encryption is not easy, and very few organizations possess the time, money, and technical capability. The good news is that most people, businesses, and organizations do not fall into the “high-value” category and are unlikely to be singled out.


Thus, the list of organizations with this capability is extremely short. The United States has the NSA. Russia has GRU Units 26165 and 74455. China has PLA Unit 61398. The United Kingdom has GCHQ, and Germany and Poland, among others, are investing enormous sums in programs of their own.


Got it. Unless I’m targeted by a government, I’m secure?

Yeah, about that. If there’s a common set of characteristics that define hackers, one stands out more than any other: creativity.

One hacking group decided to skip fighting the VPN protocols altogether. Sure, they wanted access to all that wonderful data, but why bother fighting the dragon when you can sneak in, steal the princess, and run away?

This is what happened between late 2018 and early 2019, when hackers spent roughly five months inside networking security giant Citrix Systems, whose remote-access and VPN products are used by nearly every Fortune 100 company and numerous western governments.

The hackers made off with employee logins, passwords, and financial and product data for months, and one of the premier technology firms in the world never noticed. That’s right, Citrix didn’t have a clue until the FBI told them, and the feds informed Citrix not only of the intrusion but of the method used to get in.

In March 2019, the FBI alerted Citrix to the breach and explained that the hackers most likely got into the internal network through a technique called “password spraying,” a relatively crude but surprisingly effective attack in which the attacker tries a handful of common passwords against a large number of accounts (usernames or email addresses). Because each account sees only one or two failed attempts, the per-account lockout thresholds that stop classic brute-force guessing never trip; the pattern only becomes visible when you look across accounts at the source of the failures.
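To make the detection point concrete, here is an added example (not code from the original article, and not Citrix’s or the FBI’s logs) that runs two detectors over a constructed authentication log: a naive per-account lockout check of the kind most systems already have, and a per-source check that looks for many distinct usernames failing with few attempts each. The log format, the source addresses, and the thresholds are assumptions chosen for illustration.

```python
"""Spot a password-spraying pattern in authentication logs.

Spraying inverts brute force: one source tries one or two common passwords
against many accounts, so a per-account lockout counter never fires.  The
detectable shape is a single source producing failed logins across many
distinct usernames with a low failure count per username.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (illustrative only; addresses are RFC 5737 test ranges).
# 203.0.113.7 sprays one guess per user and lands on 'frank'.
# 198.51.100.9 is classic brute force against a single account.
# 192.0.2.55 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2019-01-07T08:00:01Z src=203.0.113.7 user=alice result=FAIL
2019-01-07T08:00:03Z src=203.0.113.7 user=bob result=FAIL
2019-01-07T08:00:05Z src=203.0.113.7 user=carol result=FAIL
2019-01-07T08:00:07Z src=203.0.113.7 user=dave result=FAIL
2019-01-07T08:00:09Z src=203.0.113.7 user=erin result=FAIL
2019-01-07T08:00:11Z src=203.0.113.7 user=frank result=SUCCESS
2019-01-07T08:00:13Z src=203.0.113.7 user=grace result=FAIL
2019-01-07T08:00:15Z src=203.0.113.7 user=heidi result=FAIL
2019-01-07T08:05:00Z src=198.51.100.9 user=ivan result=FAIL
2019-01-07T08:05:02Z src=198.51.100.9 user=ivan result=FAIL
2019-01-07T08:05:04Z src=198.51.100.9 user=ivan result=FAIL
2019-01-07T08:05:06Z src=198.51.100.9 user=ivan result=FAIL
2019-01-07T08:05:08Z src=198.51.100.9 user=ivan result=FAIL
2019-01-07T08:05:10Z src=198.51.100.9 user=ivan result=FAIL
2019-01-07T09:00:00Z src=192.0.2.55 user=judy result=FAIL
2019-01-07T09:00:30Z src=192.0.2.55 user=judy result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>FAIL|SUCCESS)$"
)
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_log(text):
    """Return a list of (timestamp, src, user, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def naive_lockout_alerts(events, threshold=5):
    """The per-account view: users with at least `threshold` failures overall.
    This catches brute force against one account but is blind to spraying."""
    fails = defaultdict(int)
    for _, _, user, result in events:
        if result == "FAIL":
            fails[user] += 1
    return {u for u, n in fails.items() if n >= threshold}


def detect_spraying(events, window_minutes=10, min_users=5, max_fails_per_user=2):
    """The per-source view: within each fixed time window, a source that fails
    against many distinct users with few failures per user is spraying.
    Returns {(src, window_start): {...}} including any accounts it did log into."""
    window = timedelta(minutes=window_minutes)
    buckets = defaultdict(lambda: {"fails": defaultdict(int), "successes": set()})
    for ts, src, user, result in events:
        window_start = EPOCH + ((ts - EPOCH) // window) * window  # floor to window
        bucket = buckets[(src, window_start)]
        if result == "FAIL":
            bucket["fails"][user] += 1
        else:
            bucket["successes"].add(user)

    alerts = {}
    for key, bucket in buckets.items():
        if not bucket["fails"]:
            continue
        distinct = len(bucket["fails"])
        worst = max(bucket["fails"].values())
        if distinct >= min_users and worst <= max_fails_per_user:
            alerts[key] = {
                "distinct_users": distinct,
                "max_per_user": worst,
                "successes": sorted(bucket["successes"]),  # likely compromised accounts
            }
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("per-account lockout would flag:", sorted(naive_lockout_alerts(evts)))
    for (src, start), info in detect_spraying(evts).items():
        print(f"spray from {src} starting {start.isoformat()}: {info}")
```

The naive check flags only `ivan`, the brute-force victim, and says nothing about the source that tried seven accounts once each and got into `frank`. The per-source view flags that source and lists the account it succeeded on, which is the first thing an incident responder would want to reset. Real deployments tune the window and thresholds to their own login volumes and correlate across sources, since sprayers often rotate addresses.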

Citrix, unsurprisingly, said little about the extent of the damage at first, and months passed before it disclosed further information. It’s a step many companies take in the wake of a serious breach, and you’d think they’d have learned by now that the strategy never seems to work. In its initial statement, Citrix said only that the hackers “may have accessed and downloaded business documents,” and that it was still working to identify what precisely was accessed or stolen.

Shortly after Citrix disclosed the intrusion in March 2019, a little-known security company, Resecurity, presented evidence that it had notified Citrix of the breach as early as Dec. 28, 2018, that Iranian hackers were responsible, that they had compromised the company’s network years earlier, and that they had offloaded terabytes of data. Citrix initially denied Resecurity’s claims but later acknowledged them.

So the hackers compromised VPNs manufactured and sold by Citrix using a password-guessing trick from the early 90s?

According to Citrix, it has found no indication that the security of any company product or service was compromised. Resecurity disagreed, writing that the hackers accessed “at least 6 terabytes of sensitive data stored in the Citrix enterprise network, including email correspondence, files in network shares and other services used for project management and procurement.”

We’ll leave the decision about whom to believe in your hands, but keep in mind that data security is a battlefield. Using a VPN is a profoundly responsible choice, but never, ever get complacent. No matter how strong the defenses, somebody will find a way in, under, or around that Great Firewall of yours.