Freedome From The NSA, Your Boss, Or Anybody Else Watching You
Disclaimer: These notes are neither product recommendations or complete reviews. They are intended to share a couple of things I'm playing around with right now. Feedback in the comments section would be welcome, especially shared experience with these apps.
F-Secure Freedome VPN
F-Secure, the Finnish security company, has made a bit of a splash in the technical media (not to mention Forbes as well) lately with their mobile VPN and security app Freedome. Freedome is intended to enhance anonymity and reduce tracking for mobile device users on iOS and Android. F-Secure claims: "We’ve gathered the most sophisticated security features – VPN, anti-virus, anti-tracking, and anti-phishing – into one intuitive service. With the push of a button, Freedome watches your back." Here's some of the details. The connect-on-demand VPN means that all of your traffic is encrypted leaving the device, so there is no more need to fear snoopers on public access points. Your visible IP address is the one assigned by the Freedome VPN server, enhancing your anonymity. The app also claims to block tracking cookies and access to phishing web sites. You can choose from a number of VPN servers in different countries (Europe, North America, Latin America, Turkey and Russia,) which can serve to mask your location as well. There are both legitimate and illegitimate reasons to hide your location, but I won't aid and abet the latter by mentioning them here. I've had this on my phone and tablets for less than a week. On the upside, I don't worry nearly as much as I used to about Firesheep and other risks of public access points. On the downside, it looks to me like this app is power hungry and you need to watch your battery level more diligently when it's turned on. Also, I've noticed some freezes in areas with weak connectivity, which I can usually break out of by turning airplane mode on and off.
For individuals, the privacy enhancements of an app and ecosystem such as Freedome are pretty clear, and well worth the subscription cost ($5/month or $30/year). For businesses, too, a system such as this can be a big win. Like it or not, your users have a lot of their work lives on their mobile devices (e.g. calendar, email and contacts) which is vulnerable to snooping when they connect to public access points. A VPN that comes up whenever they connect to the Internet goes a long way to keeping snoopers at bay. In addition, F-Secure is based in Finland (outside of US jurisdiction) and promise to never disclose any of the data that they see going through their servers, which again lets you keep your business to yourself.
Duo Two Factor Authentication
I saw an interesting banner ad on Krebs on Security this week. It's for a two-factor authentication system called Duo. Duo uses voice, SMS, or smartphone app as a second authentication factor, integrating with a number of VPNs, enterprise cloud applications, etc. The integration that caught my eye was with SSH on Unix or Linux systems (including OS X). Now I've been wanting a way to expose SSH on my home MacOS system for some time, but have always been a bit paranoid because script kiddies like to hack away at open SSH ports. Duo has an easy integration to add their two-factor authentication into an SSH login, or indeed any authentication using PAM. Setup was less than half an hour. Let me be clear that there are a lot of good two-factor authentication systems out there, and each has its particular sweet spot. This was the first that appealed to the *nix geek in me by making it easy to secure SSH. The pricing is also pretty sweet, ranging from free for personal use, to $3/month/user for full enterprise features and support. This could be an attractive 2FA option for businesses whose integration needs are fully covered by Duo's capabilities.
Feedback welcome
As I said up front, these are things I've been kicking the tires on right now because they look interesting, useful, and affordable. I'd love to get feedback from other people trying these things out about their experience.
About Andy Sherman
Andy Sherman, Eden Technologies’ security practice lead has a PhD in physics from Rensselaer Polytechnic Institute and started his career in the academic world. He then went to AT&T Bell Laboratories where he discovered the power – and hazards – of large distributed computer networks. It was also at Bell Labs, during the early days of the Internet, that Andy became interested in the security problems associated with public networks. From Bell Labs Andy moved to the financial services industry. There he worked on a large range of infrastructure design, deployment, and management projects, but is best known for his 15+ years in information and technology security.