ExpressVPN vs NordVPN (2020) – Two of The Best VPN Services!

Without much hesitation, it could be said that ExpressVPN and NordVPN are the champions of today’s VPN industry. Both of these VPN solutions have been around for a while, they offer great value for their price and plenty of highly advanced options. However, this is also what makes it hard to choose between the two. So, which one is better – ExpressVPN or NordVPN? Well, we are going to help you with this by comparing these two VPN services. Welcome to our ExpressVPN vs NordVPN comparison!

First, here’s a breakdown of the most important aspects of ExpressVPN and NordVPN. Take a look at the following table to compare their most prominent features.

| | ExpressVPN | NordVPN |
| --- | --- | --- |
| Jurisdiction | The British Virgin Islands | Panama |
| Logs | No logs collected, whatsoever. | No logs collected, whatsoever. |
| Number of Servers | 3,000+ servers in 90+ countries. | 5,200+ servers in 60+ countries. |
| Parallel Connections | 5 | 6 |
| Encryption Standards | AES-256; OpenVPN, PPTP, L2TP/IPSec | AES-256; OpenVPN, IKEv2/IPsec |
| Speed Reduction | 19% on average. | 38% on average. |
| P2P Support | YES | YES |
| Supported Platforms | Windows, macOS, Linux, Android, iOS, Web browsers, and routers. | Windows, macOS, Linux, Android, iOS, Web browsers, and routers. |

Next, take a look at the final scores from our reviews of these two VPN providers. Then, keep on reading to dive deep into the specifics.

| | ExpressVPN | NordVPN |
| --- | --- | --- |
| Jurisdiction, Reputation | 10/10 | 10/10 |
| Supported Platforms | 10/10 | 10/10 |
| Installation Process | 10/10 | 10/10 |
| Prominent Features | 9.5/10 | 10/10 |
| Server Count | 8.5/10 | 10/10 |
| Ease of Use | 10/10 | 9/10 |
| Media Streaming & Torrenting Support | 10/10 | 7/10 |
| Security & Privacy | 10/10 | 10/10 |
| Speed & Performance | 9/10 | 7.5/10 |
| Customer Support | 10/10 | 10/10 |
| Pricing | 9/10 | 8/10 |
| Overall Score | 9.6/10 | 9.2/10 |

We had no choice but to create the ultimate head-to-head to find out which VPN deserves to sit on the throne. So, keep on reading our ExpressVPN Vs NordVPN comparison.

ExpressVPN vs NordVPN (2019) – Which One’s Better?

Just like in our reviews of these two VPN giants, we’ll be taking a look at every important aspect of using a VPN service. So, let’s jump right in.

Background, Jurisdiction & Reputation

When choosing between different VPN services, you’ll want to check their background information first. Always go for the VPN outside of the 14-Eyes Alliance, and pick the one with no data leaks in the past.

  • ExpressVPN: This VPN brand comes from the British Virgin Islands. It’s outside of the 14-Eyes Alliance, and it’s known for its dedication to its users. ExpressVPN has had its services reviewed by an independent party in the past, and it’s one of a few certified no-logs VPN services. And finally, this VPN has been providing free access to users from ‘problematic’ areas of the world during certain times, allowing them to unblock websites and get information from the outside world.
  • NordVPN: This VPN comes from Panama, and it’s generally known for its transparency. This is yet another independently audited VPN service, so you can be sure that no data logging is happening in the background. In addition, NordVPN is always quick to resolve any problematic points in its apps via prompt updates. And let’s not forget the fact that this VPN is the recipient of numerous VPN-related awards.

Winner: Both ExpressVPN and NordVPN are highly reputable brands – so we’ll call it a tie. No matter which one you pick, you can be sure that your private and sensitive data is being handled in the best way possible.

Supported Platforms & Devices

Depending on how many devices you want to connect to the Web, you need to be careful when picking a provider. Lucky for you, both ExpressVPN and NordVPN deliver what they promise.

  • ExpressVPN: This VPN provider is based on the OpenVPN protocol, which ensures broad system compatibility. You can count on a wide range of native apps that can be installed on all popular desktop and mobile operating systems. There are also apps for Linux and even Blackberry. Of course, OpenVPN ensures that ExpressVPN can be installed even on VPN-compatible routers. Also, you can use this VPN service on up to 5 devices at the same time.
  • NordVPN: When it comes to supported devices, NordVPN does not disappoint. It offers highly polished apps for every popular platform out there. And since OpenVPN is present here as well, you can even install it on your router. NordVPN can be used on 6 devices at the same time, which gives it a small advantage over its direct competitor.

Winner: It’s hard to pick a winner in this category since both of these VPNs are present on pretty much any platform. If we really want to nitpick, we’d go with ExpressVPN since it brings hugely helpful installation guides on its official website.

Installation & Initial Configuration

Next, let’s take a look at how easy it is to install and configure these VPN clients. After all, you want to begin using a secure connection without any hassle.

  • ExpressVPN: After signing up for a new ExpressVPN account, you can proceed to download the app. It doesn’t contain any bloatware and takes very little hard drive space. You can install and begin using the application in less than a few minutes of your time. The same applies to desktop and mobile devices. It’s also worth noting that ExpressVPN comes with numerous helpful guides that show how to install this VPN on a wide range of devices, including routers.
  • NordVPN: Just like its biggest competitor, NordVPN brings a highly polished installation method. The installation file is quite small so you don’t have to have a fast Web connection. Aside from desktop and mobile devices, NordVPN can be installed on compatible routers. However, we feel that this VPN provider should have invested more time in coming up with instructions and tutorials. Some of those are quite basic, making you turn to their support team for answers.

Winner: Once again, picking a clear winner is quite hard. However, we have to say that both ExpressVPN and NordVPN bring equally simple installation. Even complete newbies won’t have a hard time installing and getting started with these VPNs. 

Prominent Features

Our next category of the ExpressVPN Vs NordVPN comparison contains the most prominent features. So, let’s jump right in.

  • ExpressVPN: The best thing we can say about ExpressVPN is that it just works. It is rock-solid, reliable, and nails the fundamentals. Aside from that, you’ll get to use a highly polished kill-switch as well as all currently available VPN protocols. And when it comes to the most advanced features, ExpressVPN brings split-tunneling. Where this VPN truly shines is the way it lets you handle these features. It’s not overly simple but even inexperienced users will be able to dive into advanced security-related technologies.
  • NordVPN: NordVPN, on the other hand, is almost overflowing with features. We’ve talked about the kill-switch, double VPN, and Onion servers, but that’s just the start. There are special obfuscation servers, anti-DDoS servers, a paid option for dedicated IP servers, and more. All in all, you’ll find plenty of features here that can satisfy even the most demanding users.

Winner: Even though both ExpressVPN and NordVPN are hugely capable VPN services, we have to say that NordVPN is the winner of this round. You get a constant stream of new features and even ad-blocking is included. 

Server Count

Knowing the number of servers you’ll have at your disposal is a good thing. However, you also need to know in what way these servers are distributed. To check other options, take a look at our article on VPNs with the highest number of servers.

  • ExpressVPN: This provider manages a network of over 3,000 servers spread across 90+ countries. This is more than enough to meet your every need. Also, you get to test the speed of each server and pick the one with the best result. This translates to a pleasurable media streaming experience and can be especially helpful if you want to download large files.
  • NordVPN: Without any doubt, NordVPN is the most powerful VPN in terms of servers. It has more than 5,200 servers spread across the globe. Interestingly enough, this doesn’t translate to a throttle-free experience. Since double-encryption is involved, you’ll be using two secure servers at any moment. Therefore, some throttling is still present.

Winner: Even though it doesn’t have as many as NordVPN has, ExpressVPN should meet your every need. Having 3,000+ servers is an incredible power to have at your fingertips. In addition, ExpressVPN’s servers are present in 90+ countries, which is one of its biggest selling points.

Ease of Use

Both VPNs have exceptional user interfaces, and they cater to almost every type of device under the sun. They’ve both invested a lot of time into refining their designs and making sure the experience is consistent across all clients and even their websites.

  • ExpressVPN: This provider has a simple and elegant design, with no clutter to speak of. The main screen has a big, bold power button that will connect to a ‘Smart Location.’ With a single click or tap, you can connect to the Web anonymously, without needing to mess around with settings. If you do choose to pick your own server location, there is a shortlist of recommended servers to try, or the full list of ExpressVPN’s global army of servers. There’s no immediate way to know what server to choose, but you can run a speed test (it will take about five minutes) on all the servers to determine the fastest options. And finally, ExpressVPN is limited to just three simultaneous connections, although their router client will protect every device connected to it.
  • NordVPN: This VPN greets you with a stylishly designed map of the world and a connection wizard that will find the best server for your specific need (like P2P or security). We absolutely adore how NordVPN organizes its servers into types and countries. It is always happy to make life simple by connecting you to the best server, but it also gives you the freedom to click on a country or type and get an overview of those available servers. You’ll find distance and server load to help you make the perfect manual choice. NordVPN allows double the amount of simultaneous connections (six), so you should be able to install it on pretty much every device that you own. And have a slot or two available for your friends.

Winner: Both VPNs offer exceptional ease of use, but ExpressVPN digs beneath the surface level to provide a richer experience. They are both exceptional, but ExpressVPN edges it.

Media Streaming & Torrenting Support

Planning to stream media on the Web? Do you still want to use Netflix and other media streaming services, even while using a VPN? If that’s so, keep on reading.

  • ExpressVPN: We strongly believe there’s no better VPN for streaming than ExpressVPN. It can unblock pretty much any website out there, including Netflix, Hulu, Amazon Prime Video, BBC iPlayer, and plenty more. Also, this VPN fully supports torrenting via all of its servers.
  • NordVPN: Even though it’s being advertised as a streaming-friendly option, that’s not exactly the case in practice. Even though you can unblock a nice list of websites, it can be tedious to find the one that works with the website you want to unblock. In addition, NordVPN supports torrenting only via specialized servers.

Winner: It’s clear that ExpressVPN wins this round. Without any doubt, this is the most capable VPN service for media streaming and downloading torrents. 

Security & Privacy

Privacy and security are the main reasons why people turn to VPNs. Thankfully, you can rest easy knowing that by using ExpressVPN or NordVPN, you are in safe hands.

  • ExpressVPN: Aside from the standard VPN features, ExpressVPN has a very powerful Kill-Switch that prevents data leaks when your VPN connection drops. Then, you can utilize different VPN protocols (OpenVPN, PPTP, L2TP/IPSec), depending on if you want to prioritize speed or security. There are no data leaks as per our tests, and this VPN comes with a privacy policy that nicely explains everything that happens in the background.
  • NordVPN: The flagship feature of NordVPN is double encryption, which is something that’s rarely seen these days. This means that you shouldn’t have any concerns when it comes to privacy. There are also two VPN protocols to choose from, so not as many as ExpressVPN offers. Still, NordVPN offers more than what any average user would ever need, and its list of features would make even the most highly demanding users happy.

Winner: Once again, ExpressVPN is one step ahead of its biggest competitor since it offers a larger number of VPN protocols. Even though both of these will keep you safe and sound online, ExpressVPN wins this round.

Speed & Performance

Security and privacy are great but not when they come at the cost of speed. If you’re going to connect to servers on the other side of the world, you’re going to experience slower speeds, but a great VPN will minimize the slowdown. To check out other options, here’s our overview of the fastest VPN providers.

  • ExpressVPN: There are two ways to connect to a remote server via ExpressVPN. You can run a speed test and then connect to a server manually. Or, you can let the application decide which server works the best in any given moment. As a result, you’ll experience throttle-free Web browsing and media streaming. In case you have a fast connection, to begin with, 4K streaming is not an unreachable dream. As per our tests, this VPN slowed us down by 19% on average, which is a highly respectable result.
  • NordVPN: This VPN prioritizes the security of your data over performance (speed). By default, you’ll get to use double-encryption that will keep your data 110% safe. However, this setup might be overkill for average home users. And as a result, some throttling will happen. As our NordVPN review will tell you, this VPN slowed us down by 38% on average, so it’s clear who’s the winner of this round.

Winner: Without any doubt, ExpressVPN wins this round. This is one of the fastest-performing VPN services, offering great performance no matter which VPN protocol you decide to use. 

Customer Service

We were very impressed by the levels of support that these VPNs offer to subscribers. No matter which one you pick, you’ll receive answers to your questions. The only difference here is how long you’ll need to wait to get an answer.

  • ExpressVPN: ExpressVPN was lightning fast in responding via live chat (which is 24/7) and via form submission on their website. You may not even need to talk to anyone because their website contains plenty of tutorials and guides to help you set up, resolve, and explain just about everything related to the service.
  • NordVPN: As good as ExpressVPN’s live chat was, we were even more impressed with NordVPN. Their support members were just as fast and we didn’t feel like they were reading from a script. However, responses to our form submissions took much longer (six hours versus ExpressVPN’s one hour) during our testing period.

Winner: When you get stuck and need a hand, ExpressVPN is doing the most to help you get back on track. However, it’s worth noting that both of these provide top-level customer service, and your questions will be answered in a timely manner. 

Pricing

ExpressVPN and NordVPN are maybe two of the more expensive VPN offerings, but having spent a lot of time with both, we feel that they are worth every penny.

  • ExpressVPN: At the moment, the most affordable plan of this VPN provider will cost you $99.95 per year (which comes down to $6.67 per month). For that money, you will receive full protection without any caveats. This means having access to 24/7 customer support and using the application without any bandwidth limitations. ExpressVPN comes with a 30-day money-back guarantee and you can use it on up to five devices at the same time.
  • NordVPN: To make a direct comparison, you should know that NordVPN has a yearly plan, priced at $83.88 (so, it’s $6.99 per month). However, you’ll find other long-term plans which bring the price down to $2.99 per month if you get a 3-year plan. Even though this pricing structure helps you save in the long-term, it requires a significant upfront investment.

Winner: These two VPN services bring comparable prices. When it comes to their annual plans, ExpressVPN is the more affordable option. However, NordVPN brings the price of its service down via its 2- and 3-year plans. 

ExpressVPN vs NordVPN: Which One Should You Pick?

ExpressVPN and NordVPN are, in our opinion, the best of the best. You can’t go wrong with whichever choice you make, but there can be only one winner, and that is ExpressVPN.

ExpressVPN has the looks of a champion and delivers the anonymity and security that you’d want from a quality VPN service. It’s just as easy to use as NordVPN (newbie-friendly) but also offers deeper functionality for those who want a bit more control over their VPN. Even though NordVPN is more affordable, it doesn’t really offer the same level of service or functionality as ExpressVPN does. So, go ahead and sign up for ExpressVPN today. You won’t regret it!

Beginners’ Guide to Securing Your Home Network

Your home network is a possible treasure trove for cyber attackers:
  • You do your online banking on your phone or PC.
  • You have credit card credentials stored in your smart TV and your video game consoles.
  • Google Home and Amazon Echo devices are recording the audio in your home and likely have cameras, too.
  • Your TVs, PCs, phones, stereos, and various “smart” devices contain CPUs that can be exploited to mine cryptocurrency.
  • They can also be exploited as part of a massive botnet to perform more attacks.
If cyber attackers penetrate your home network, you could lose your privacy, your online identity, and money from your bank account. Your various devices may slow down, but you may notice no indication that the bad guys have compromised your comfortable home.

How to Secure Your Home Network

Popular TV shows like Mr. Robot describe super sophisticated cyber attacks and advanced “hackers.” But most of the attacks that your home entertainment and computing devices face are easy to prevent. More importantly, you don’t need a degree in computer science to improve the security of your home network. I’ll make the knowledge that you need simple to understand and implement.

1. Buy Only the Gadgets You Need

The first step in securing your home network might surprise you. It starts when you browse Amazon or Best Buy for new toys. Smart devices like Amazon Echo, Google Home, Ecobee thermostats, and “smart” toys are all the rage these days. The possibility of getting weather forecasts simply by saying “Okay, Google, what’s the weather like?” or being able to look at your security cameras from your phone when you’re away can be irresistible. But those are all Internet of Things devices, or IoT for short. They introduce new internet-connected interfaces to your home.

Each of those new interfaces expands the cyber attack surface of your home network. The more interfaces you have, the more vectors you have for the bad “hackers” to get in. So consider the risks of new devices before you buy them.

I personally have very little in the way of IoT tech in my home. I have a smartphone which, of course, doubles as a device that can be used to spy on me. The cybersecurity risks of my phone are similar to the risks my PC has, but it’s a desktop and it can’t be used to track my movements when I’m not home. I have a “dumb” TV, but it operates as a display for my PS4, PS3, and Raspberry Pi-based Retro Pie console. Those consoles are all internet-connected, and my PS4 also has a PlayStation Camera that could be intercepted to watch me while I’m in my bedroom. Aside from my router, those are all the internet-connected devices that I have.

You might assume that, as a cybersecurity professional, I want to have all the latest toys. But, in fact, being a cybersecurity professional means that I’m cautious about new toys. You could choose to cover your home in Google Home speakers and deploy internet-connected security cameras or whatever you want. Just keep in mind that those could be new means for cyber attackers to interfere with your life, and harden your security accordingly.

2. Check Your Router

If you have a typical 21st century home, you have one account with an ISP (internet service provider). The ISP transmits an internet signal through your home that you’ve connected a home router to. The home router could be fully wired, but it’s probably wireless. If you have a wireless router, you probably have a WiFi signal broadcast throughout your home that devices can connect to wirelessly, such as phones, tablets, laptops, video game consoles, smart devices, you-name-it. That internet connection through cable, Ethernet, and WiFi connects your home to the rest of the world. But it’s also how cyber attackers get in. The next course of action is to do the basic things you need to do to secure that source.

It’s unlikely that a cyber attacker will intercept your internet connection physically. Chances are if they want access to your internet connection, they’ll look for your WiFi. Go to your router. If you have WiFi, your router assigns an SSID (a way of naming WiFi signals) and password to your account. Your router came with a default SSID and password. If you’re using that default SSID and password, you have a seriously dangerous security vulnerability in your home network and must fix it right away.

Wardriving sounds more badass than it actually is. It entails traveling around a neighbourhood with a device that can pick up WiFi signals (such as a phone) and seeing if the WiFi is easy to break into. The most vulnerable WiFi signals are the ones with no passwords (that’s public, unencrypted WiFi) and the ones with default SSIDs and passwords.

The default SSIDs and passwords associated with the device model of your router and your internet service provider are easy to find on the internet. RouterPasswords.com is a great place to start. Try one of those passwords and you can easily break in.

Default SSIDs let cyber attackers know what brand of device you have or who your ISP is and let them know which default passwords to try. Your SSID should be unique, and your password should be complex. You may be tempted to change your SSID to “Police Monitoring Van,” but the novelty of those jokes has long worn off. Be more original. My boyfriend’s SSID is related to the name of his record label. My home router SSID is a pun related to my nickname. Try something fun and different. Passwords should be as many characters as possible, with a mix of upper and lowercase letters, numbers, and symbols.

[Image: SSID definition. Source: TechTarget.com]

Follow the instructions included with your router to change your WiFi SSID and password. If you’ve lost them, don’t worry. Open a web browser on your home PC, and try any of the following in the address bar:

[Image: router IP addresses]

One of those addresses should lead to a console where you can change your router’s settings.

Your router may also have some extra features, such as UPnP or WPS. If you aren’t certain that you’re using those features, disable them from the same router settings console you used to change your SSID and password for your WiFi. Those are both extra ways that cyber attackers can maliciously penetrate your home network. Disable them if you don’t have to enable them. Regarding WPS, network security expert Michael Horowitz says:
“This is a huge expletive-deleted security problem. That eight-digit number will get you into the (router) no matter what. So a plumber comes over to your house, turns the router over, takes a picture of the bottom of it, and he can now get on your network forever.”
It’s also pretty easy for a cyber attacker to crack your WPS from an app on their phone. According to Horowitz, UPnP is also terrible.
“UPnP was designed for LANs, and as such, it has no security. In and of itself, it’s not such a big deal. (But) UPnP on the internet is like going in for surgery and having the doctor work on the wrong leg.”
While you’re at your router’s console in your web browser, see if there’s a section where you can check for updates for your router’s firmware. Your router should automatically install new security patches when they become available. It’s quite possible that your router’s firmware isn’t getting updated, which leaves terrifying vulnerabilities that a cyber attacker can exploit.

And when you’re looking for a new router, find one that supports the new WPA3 encryption standard. The other WiFi encryption standards (WEP, WPA, and WPA2) are older and have worse security vulnerabilities. Use WPA3 encryption for your WiFi, unless you have devices that cannot use WPA3.

3. Get a VPN

If you’re a smart reader of The Best VPN, you probably have a VPN, too. A VPN routes your internet traffic through an extra layer of encryption. A good VPN, when properly configured, will greatly improve the security of your home network and make it a lot more difficult for cyber attackers to intercept your internet use.

If you don’t have a VPN set up yet, or if you’re considering changing your VPN provider, The Best VPN is a great source of independent and objective reviews to help you choose the best. The best VPN providers have apps for your PCs, phones, and tablets that make everything easy to use. No computer nerd knowledge necessary.

4. Configure Your Firewalls

A firewall is an interface that controls how internet signals enter and leave your home network. Firewalls come in both hardware and software forms. Chances are that your router has a firewall, and your Windows, macOS, and Linux operating systems have firewalls, too. These firewalls usually work by blocking the internet ports you don’t use and filtering the internet ports that you do use. These ports are part of what we refer to as the TCP/IP stack. Internet services often have associated TCP/IP ports. For instance, you access the web through ports 80 and 443. Your firewalls aren’t configured for optimal security by default. The most secure firewalls are the ones you configure yourself.

HowStuffWorks has an excellent article on how firewalls work with easy-to-understand information that should help you configure your firewalls properly, even if you’re a total layperson. Which ports do you use? You’ll be able to figure it out. As I said, block the ports you don’t use and filter the ports you do use. Remember I mentioned that each new internet-connected device in your home network is a new way that cyber attackers can break in? The same applies to TCP/IP ports.
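
One way to answer "which ports do you use?" on a Linux PC, as an added example that is not part of the original article: the script below reads the listening-socket table that `ss -tlnH` prints, separates services reachable from the network from those bound to loopback only, and flags any reachable port that is not on your allowlist. The sample table and the allowlist are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -tlnH` output (listening TCP sockets, numeric, no header).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128        0.0.0.0:22        0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53        0.0.0.0:*
LISTEN 0 5        127.0.0.1:631       0.0.0.0:*
LISTEN 0 511              *:8080            *:*
LISTEN 0 128           [::]:22           [::]:*
LISTEN 0 64    192.168.1.20:445       0.0.0.0:*
LISTEN 0 128          [::1]:631          [::]:*
"""

# Assumption: the only port this PC is meant to offer to the network.
ALLOWED_PORTS = {22}


def parse_listeners(ss_output):
    """Return (address, port) pairs for every LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # Local address is the 4th column; the port follows the last colon.
        address, _, port = fields[3].rpartition(":")
        # Drop an interface suffix (%lo) and IPv6 brackets.
        address = address.split("%")[0].strip("[]")
        if port.isdigit():
            listeners.append((address, int(port)))
    return listeners


def is_loopback_only(address):
    """True when the socket can only be reached from this machine."""
    if address == "*":  # wildcard: every interface
        return False
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # unparseable address: treat as exposed so it gets reviewed


def audit(ss_output, allowed_ports):
    """Sort listening ports into allowed, unexpected, and local-only."""
    exposed, local_only = set(), set()
    for address, port in parse_listeners(ss_output):
        (local_only if is_loopback_only(address) else exposed).add(port)
    local_only -= exposed  # a port open on any real interface counts as exposed
    return {
        "exposed_allowed": sorted(exposed & allowed_ports),
        "exposed_unexpected": sorted(exposed - allowed_ports),
        "local_only": sorted(local_only),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_SS_OUTPUT, ALLOWED_PORTS)
    print("Reachable and expected:  ", report["exposed_allowed"])
    print("Reachable but unexpected:", report["exposed_unexpected"])
    print("Loopback only:           ", report["local_only"])
```

Ports listed as reachable but unexpected are the ones to act on: stop the service if you don't need it, or block the port in the firewall.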

5. Don’t Forget the Antivirus

Each device in your home network that can have an antivirus installed on it should have an antivirus installed on it. Malware on your phone or PC can be a means for cyber attackers to attack the rest of your home network. Your Android malware could be a way in for a cyber attacker to watch your baby on your baby monitor or control your Ecobee thermostat.

I work for an antivirus company, so I won’t recommend anything specific. Instead, I’ll direct you to AV-Test.org. Just as The Best VPN does independent VPN provider reviews, AV-Test is an excellent source for independent third-party reviews of antivirus software. They list their reviews per operating system, such as Windows, Mac, and Android. Use their advice to choose the best antivirus software for all of the PCs, phones, and tablets in your home network.

6. Tie Up All the Loose Ends

Remember how I mentioned that my PS4 has a PlayStation Camera? I use it with my PSVR device. When I’m not playing a VR video game, I disconnect my Camera from my PS4.

Laptops often have built-in webcams, and you may also have cameras for your Google Home or Amazon Echo, or as a separate peripheral connected to your desktop PC. Disconnect all cameras or cover them with duct tape when you’re not using them. It’s also a good idea to disconnect your Google Home or Amazon Echo speakers when you’re not at home. By disconnecting or covering cameras and speakers in your home network when you’re not using them, you’re making it more difficult for cyber attackers to watch or listen to you in a space that should be private. There are lots of malware and man-in-the-middle cyber attacks that can grant the bad guys a way to violate your privacy. My advice is to limit your “cyber attack surface” as much as possible by reducing it in ways that are feasible.

Credit card and personal banking credentials are also highly attractive to cyber attackers. Sometimes people store this sort of data in their smart TVs and video game consoles. My advice is to use your credit card as infrequently as possible. If you have services that you pay for, such as Netflix, Hulu, Amazon Prime, PlayStation Network, Xbox Live, or Spotify, you can often pay for them using gift cards.

Alternatively, there are credit card gift cards you can use to pay for most online services. Use gift cards as much as possible. The worst-case scenario with a gift card is that a cyber attacker steals its value from you, whether it’s $100 or whatever. The worst-case scenario with a conventional credit card is much more expensive than $100. If a cyber attacker acquires that data, they could access your personal banking and wipe your bank accounts dry or engage in identity fraud where they pretend to be you online.

Protect Your Home Network, Safeguard Your Security

These tips are all simple ways to greatly improve the security of your home network. It’s surprising how many people don’t do these things. Most cyber attacks aren’t complex, sophisticated, or Hollywood-movie-worthy. Most of the time, cyber attackers will try easier ways to engage in cyber crime, and by following my guide, you have now made their lives much more difficult. Give yourself a pat on the back!

-

Putting a Price on Privacy

For many, the way we live our lives has moved online. As a result, our information is constantly being processed through sign-up forms, submissions, online quizzes, and even sensitive documents.  Companies must manage this data to keep it safe and prevent it from falling into the wrong hands, but issues related to leaks are still prevalent. Massive data breaches such as the Equifax leak and Cambridge Analytica scandal have even made national news, the latter of which involved the mining of personal information on Facebook.  In light of these events, online privacy is becoming increasingly important, so we surveyed over 1,000 people about how much they valued their data and even asked them to assign a monetary value to different pieces of personal information. How safe is our data, and what are we doing to protect ourselves? Read on to find out more.

Digital Security Measures

[Figure: Top Precautions Taken to Protect Online Privacy]

Nearly all respondents (94%) took some effort to protect themselves online, with only 6% admitting to taking no precautions to protect their online privacy. For anyone who is in the minority and wants to know where to start, the Federal Trade Commission (FTC) suggests an array of tips such as proper electronic disposal methods and internet best practices.

Changing passwords regularly proved to be the most used approach to data protection (63.5%). This practice, while tried and true, is evolving thanks to password-generating tools and two-factor authentication, the latter being a method favored by almost half of all respondents. Some options, such as VPNs, succeed in creating a strong line of defense against potential data mining. In fact, 19.6% of people reported using a VPN to connect to public Wi-Fi to protect their privacy online. Virtual private networking is on the rise globally, allowing users to anonymize their internet activity under one server. This helps quell concerns among people who are wary about using public Wi-Fi (56% of respondents felt this way) and other vulnerable areas on the web.

Other methods, however, have wide public appeal but don’t do much in the way of data protection, including the use of incognito mode. Around 44% of people surveyed reported using incognito mode to protect their online privacy, even though incognito tabs clearly state no relation to online data protection; they only edit viewing permissions for browsing history and cookies.

For a while, covering your webcam with a slider or piece of tape was thought to be largely ineffective. That is, until FBI Director James Comey recommended the practice publicly, possibly causing 44% of people surveyed to use this precaution.

Which Data Do We Care About Most?

[Figure: What Types of Data Are You Most Protective Of?]

Nearly half of people said they were most protective of identification, such as a driver’s license and passport. Billions of people worldwide have been affected by data breaches at some point, putting identity protection at the forefront of the minds of many.

Similarly, respondents were likely to keep financial information under lock and key, with over one-third citing this type of data as the most valuable. Employing protection services like LifeLock can be a good strategy, but even the world’s largest banks and financial institutions are not immune to breaches.

Photos seem to be innocuous enough, especially if they don’t show any sensitive information. Less than 1% of respondents reported having concerns over this type of data. However, our faces could be digitally hijacked for deepfakes, a digital means of recreating someone’s voice, image, or video footage to alter and manipulate it. Although they are mostly used to target celebrities and political figures right now, experts say this technology is closer than we may think.

Cost of Personal Data

[Figure: Priceless Pieces of Information]

Here, we asked survey respondents to tell us which types of information were up for grabs for the right price. However, people were the most likely to protect data indicating someone’s identity.

Unfortunately, nearly 22% of survey participants were still likely to surrender their Social Security number for a quick buck. Relinquishing this important number to a questionable source can result in identity theft, and this statistic is concerning when coupled with the government’s slow response time, with some recent years capping out at fewer than 250 new Social Security numbers that were processed.

On the other hand, shopping data has become popular with apps that offer discounts in exchange for access to receipts and spending history. In fact, Ibotta boasted over $627 million in cash-back savings and rebates as of this writing. A majority of respondents were willing to offer both a month’s worth (61%) and year’s worth (56%) of their shopping data, indicating comfort with this type of data sharing.

Many hesitate at the idea of “selling” their data, but we give our data away every day. Besides shopping programs, we use our email addresses to sign into apps and software all the time. Over 40% of respondents refused to sell their email addresses, but many don’t bat an eye when websites ask someone to create an account by signing in with their email.

Putting a Price on Data

[Figure: Median Price People Would Charge for Their Personal Information]

We found that people tended to greatly overestimate the value of their data. Given that Social Security numbers go for as low as $2 apiece on the black market, most respondents radically overestimated the worth of even the most sensitive of data.

Across the board, the valuations were high, especially for information that we commonly use to sign into a variety of apps and platforms, such as email addresses ($50) and birthdates ($50).

Similarly, respondents valued one month of location data at $150 and one year of location data at $750, yet we use location-tracking apps such as ride-hailing services (Uber and Lyft) and delivery apps (DoorDash and Postmates) that already store our data. Some of the priciest types of data that are up for grabs are medical records and passports, one-stop shops for collecting a wide variety of information. Even then, however, respondents still aimed their prices well above the going rate.

Data Brokering: The Way of the Future?

[Figure: Experiences With and Perceptions of Selling Personal Data]

Although still small, the number of people looking to sell their personal data is growing, due in part to companies that base their profit model on the acquisition, buying, and selling of large hoards of personal data. These businesses are called data brokerage firms, and they gain data through public records and information from other companies.

These groups are not well-regulated, and data brokers can even deny requests to remove information they’ve acquired. To reclaim personal data, many are selling their data to AI groups and think tanks rather than having their data leaked or processed without their consent.

However, just over 1 in 4 people would consider selling their personal data, with people in their 20s the most likely candidates. Only 7.5% of respondents were familiar with the practice, and the median payout after selling data was $100, a far cry from the valuations that respondents cited. So this begs the question: Is selling our data really better than having it leaked? That’s up for you to decide.

The High (or Low) Value of Privacy

Turns out, some personal data is off limits while others can be bought (and subsequently sold without consent) to the highest bidder. One of the most important things we can protect is our personal and intellectual security. Many people we surveyed admit to not doing enough to protect themselves and their identities in the digital age.

Are you looking to add the next line of defense to your digital data? Consider setting up a VPN to ensure your browsing history and data are concealed against would-be hackers and companies looking to mine your information. Head over to TheBestVPN.com to read comparison guides and resources to learn which VPN is the best for you.

Methodology

We surveyed 1,002 people about their online privacy. Respondents were 51.1% women and 48.9% men. An additional two respondents reported being nonbinary, and two others did not disclose their gender identity. The average age of respondents was 38.1 with a standard deviation of 11.9.

Respondents were asked what precautions they took to protect their online privacy as a check-all-that-apply question. Therefore, percentages will not add to 100 for that data.

Respondents were asked to realistically report what price they would consider selling various pieces of data for. If they were unwilling to sell a piece of data at any price, they were told to put N/A. The median amounts presented in the final visualization of the data are based on respondents who were willing to sell their personal data.

Limitations

The data presented are based on self-reporting. Common issues with self-reported data include exaggeration and selective memory. It’s possible that respondents purposefully exaggerated the prices they would put on their personal data and skewed the dataset.

No statistical testing was performed, so the claims presented are based on means alone. This is purely exploratory content, and future studies on this topic should be more rigorous.

Fair Use Statement

Data privacy is not something to be taken lightly. If someone you know would benefit from this study’s findings, you are free to share for any noncommercial uses. Our only request is that you link back here so that people can view our findings in their entirety. This also gives credit to our hardworking contributors.

-

CVE-2019-17059: Preauth-RCE in Sophos’ Cyberoam Explained

We’ve been working hard with internal and external security researchers to uncover serious remotely exploitable loopholes in SSL VPNs and firewalls such as Cyberoam, Fortigate and Cisco VPNs. This article is a technical walkthrough of a patched critical vulnerability affecting Cyberoam SSL VPN, also known as CyberoamOS.

This Cyberoam exploit, dubbed CVE-2019-17059, is a critical vulnerability that lets attackers access your Cyberoam device without providing any username or password. On top of that, the access granted is the highest level (root), which essentially gives an attacker unlimited rights on your Cyberoam device.

In most network environments, Cyberoam devices are used as firewalls and SSL VPN gateways. This gives a potential attacker a strong foothold in a network. It makes it easier to attack hosts inside the network, and since Cyberoam devices are usually trusted in most environments, this gives a would-be attacker extra edge.

According to Shodan (a search engine for internet-connected devices), there are more than 96,000 internet-facing Cyberoam devices from all over the world. Most of these devices are installed in enterprises, universities and some in world-renowned banks. This leads to the attacks having huge impacts on these environments. And since most of these entities are attractive targets for attackers, it makes the bugs all the more critical.

Working with the Sophos security team has been a great delight, as they acted quickly by acknowledging and rolling out patches only a few days after our initial report to them. Kudos to them! (pun-intended!)

CyberoamOS Remote Unauthenticated Root Command Execution

The CyberoamOS is a modified Linux-based operating system for Cyberoam devices. This OS has a web-based configuration interface and an SSLVPN portal. The web interface is divided into two main parts:
  • A frontend written in Java
  • A backend that uses a combination of C and Perl
We will not dive deep into the internals of the front- or back-end code, mainly to save time and limit the amount of information revealed. But we will discuss briefly how the bug is triggered.

Both the configuration and SSLVPN interfaces have a servlet that handles the main operations. These operations are selected using a parameter named “mode”. Most of them require authentication, but there are a few ops we can access without authentication (like login).

The bugs we have found lie in the email antivirus/antispam module. The request mode for this endpoint (module, op) is 458. One thing to note is that the opcodes are mapped to their names in the Cyberoam database (an internal Postgres database). By looking up 458, we can find out what the name of this opcode is. Here is a line from the database initialization SQL script showing the name of opcode 458:
insert into tblcrevent(opcode,description,mode,requesttype) 
values('RELEASEQUARANTINEMAILFROMMAIL','RELEASE QUARANTINE MAIL FROM MAIL','458',2);
The opcode functions are stored in the directory /_conf/csc/cscconf/. We will not be revealing the whole code of the vulnerable function, but we will provide a few snippets showing where and how the bug occurs. A snippet from the Java frontend that handles opcode 458:
if ((jsonObject.getString("hdnSender").equals("") ||
validateEmail(jsonObject.getString("hdnSender"))) &&
validateEmail(jsonObject.getString("hdnRecipient")) &&
isSafeFilePath(jsonObject.getString("hdnFilePath")) && b) {
    httpServletResponse.setContentType("text/html");
    CyberoamLogger.debug("Antivirus/AntiSpam", "CSC Constant value " + 
CSCConstants.isCCC);
As you can see above, a few parameters are checked for validity. If they are valid values, the following happens:
final EventBean eventByMode = EventBean.getEventByMode(363);
...redacted.
final int sendWizardEvent = cscClient.sendWizardEvent(eventByMode, hashMap, sqlReader);
As we can see above, we have a new event code (363) that will be sent to the backend. The bug we have discovered is in the code that handles this event in the backend. The opcode is named sendmail, and to avoid exploitation of this bug, we have redacted most of the code that follows. The opcode handler for send_mail:
...redacted...

<code>$param = $request->{release};</code>
        param = DLOPEN(base64_decode,param)
        LOG applog " Decode values :: $param \n"
        <code>%requestData = split(/[&=]/, $param);
            $mailServerHost = $requestData{hdnDestDomain};
            $mailFrom = $requestData{hdnSender};
            $mailTo   = $requestData{hdnRecipient};
            $file = $QUARANTINE_PATH."/".$requestData{hdnFilePath};

    $mailfile=$requestData{hdnFilePath};
    $validate_email="false";
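    my $email_regex='^([\.]?[_\-\!\#\{\}\$\%\^\&\*\+\=\|\?\'\\\\\\/a-zA-Z0-9])*@([a-zA-Z0-9]([-]?[a-zA-Z0-9]+)*\.)+([a-zA-Z0-9]{0,6})$';
    if($requestData{hdnRecipient} =~ /$email_regex/ && ((defined $requestData{hdnSender} && $requestData{hdnSender} eq '') || $requestData{hdnSender} =~ /$email_regex/) && index($requestData{hdnFilePath},'../') == -1){
        $validate_email="true";
    }
    ....redacted....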
As we can see above, the pseudo-Perl code shows us how the backend receives input from the frontend ($requestData) and how it attempts to verify some of the parameters we send. After the verification, if our parameters are valid, the following code is executed:
%mailreq=("mailaction"=>"$MAIL_FORWARD","subject"=>"$strSubject","toEmail"=>"$mailTo","attachmentfile"=>"$file","smtpserverhost"=>"$mailServerHost","fromaddress"=>"$mailFrom");
    </code>

  out = OPCODE mail_sender json %mailreq
The code above copies our request parameters into the mailreq variable and calls the mail_sender function (OPCODE). We will see how this opcode is executed and where exactly the RCE happens:
    <code>
        #mailaction 0=mail_with_var,1=mail_forward,2=mail_attachment
        $mailaction=$request->{mailaction};
        $subject=$request->{subject};
        $mailbody='';
        $attachmentfile=$request->{attachmentfile};
        $toEmail=$request->{toEmail};
    </code>
    #mail body
    IF("defined $request->{mailbody} && '' ne $request->{mailbody}"){
        <code>$mailbody=$request->{mailbody};</code>
    }
    #SMTP server host
    IF("defined $request->{smtpserverhost} && '' ne $request->{smtpserverhost}"){
        <code>$smtpserverhost=$request->{smtpserverhost};</code>
    }ELSE{
        result = QUERY "select servicevalue from tblclientservices where servicekey='MailServer'"
        IF("defined $result->{output}->{servicevalue}[0] && '' ne $result->{output}->{servicevalue}[0]"){
            <code>$smtpserverhost=$result->{output}->{servicevalue}[0];</code>
        }ELSE{
            <code>$smtpserverhost="127.0.0.1";</code>
        }
    }

    #SMTP server port
    IF("defined $request->{smtpserverport} && '' ne $request->{smtpserverport}"){
        <code>$smtpserverport=$request->{smtpserverport};</code>
    }ELSE{
        result = QUERY "select servicevalue from tblclientservices where servicekey='MailServerPort'"
        IF("defined $result->{output}->{servicevalue}[0] && '' ne $result->{output}->{servicevalue}[0]"){
            <code>$smtpserverport=$result->{output}->{servicevalue}[0];</code>
        }ELSE{
            <code>$smtpserverport="25";</code>
        }
    }

    #SMTP auth flag
    <code>$smtpauthflag="0";</code>
    IF("defined $request->{smtpauthflag} && '' ne $request->{smtpauthflag}"){
        <code>$smtpauthflag=$request->{smtpauthflag};</code>
    }ELSE{
        result = QUERY "select servicevalue from tblclientservices where servicekey='SMTPAuthenticationFlag'"
        IF("defined $result->{output}->{servicevalue}[0] && '' ne $result->{output}->{servicevalue}[0]"){
            <code>$smtpauthflag=$result->{output}->{servicevalue}[0];</code>
        }
    }

    IF("$smtpauthflag == 1"){
        IF("defined $request->{mailusername} && '' ne $request->{mailusername}"){
            <code>
                $mailusername=$request->{mailusername};  
                $mailpassword=$request->{mailpassword};
            </code>
        }ELSE{
            result = QUERY "select servicevalue from tblclientservices where servicekey = 'MailServerUsername'"
            <code>$mailusername = $result->{output}->{servicevalue}[0];</code>
            result = QUERY "select servicevalue from tblclientservices where servicekey = 'MailServerPassword'"
            <code>$mailpassword = $result->{output}->{servicevalue}[0];</code>
        }
    }ELSE{
        <code>
            $mailusername = "";
            $mailpassword = "";
        </code>
    }
    IF("defined $request->{fromaddress} && '' ne $request->{fromaddress}"){
        <code>$fromaddress=$request->{fromaddress};</code>
    }ELSE{
        result = QUERY "select servicevalue from tblclientservices where servicekey = 'FromAddress'"
        <code>$fromaddress = $result->{output}->{servicevalue}[0];</code>
    }

    #Security Mode
    IF("defined $request->{smtpsecurity} && '' ne $request->{smtpsecurity}"){
        <code>$smtpsecurity=$request->{smtpsecurity};</code>
    }ELSE{
        result = QUERY "select servicevalue from tblclientservices where servicekey = 'smtpsecurity'"
        <code>$smtpsecurity = $result->{output}->{servicevalue}[0];</code>
    }

    <code>$smtpsecuritymode=0;</code>
    IF("$smtpsecurity eq 'STARTTLS'"){
        <code>$smtpsecuritymode=1;</code>
    }ELSE IF("$smtpsecurity eq 'SSL/TLS'"){
        <code>$smtpsecuritymode=2;</code>
    }

    #SMTP Certificate
    <code>
        $smtpcertificate = '';
        $certpassword='';
    </code>
    IF("$smtpsecuritymode!=0"){
        IF("defined $request->{smtpcertificate} && '' ne $request->{smtpcertificate}"){
            result = QUERY "select certname,password from tblvpncertificate where certid=$request->{smtpcertificate}"
        }ELSE{
            result = QUERY "select certname,password from tblvpncertificate where certid=(select servicevalue::int from tblclientservices where servicekey = 'smtpcertificate')"
        }
        <code>
            $smtpcertificate = $result->{output}->{certname}[0];
            $certpassword=$result->{output}->{password}[0];
        </code>
    }

    #From Address with Name
    IF("defined $request->{fromaddresswithname} && '' ne $request->{fromaddresswithname}"){
        <code>$fromaddresswithname=$request->{fromaddresswithname};</code>
    }ELSE{
        <code>$fromaddresswithname = $OEMNAME . " <" . $fromaddress . ">";</code>
    }
The code above starts the same way the other opcode did: it initializes its variables, taking each value from our request or, if we did not specify it, from the device. After the variables are assigned, the following code block is executed.
out = EXECSH "/bin/cschelper mail_send '$fromaddress' '$fromaddresswithname' '$toEmail' '$toEmail' '$subject' '$mailbody' '$smtpserverhost' '$smtpserverport' '$mailusername' '$mailpassword' '$mailaction' '$smtpsecuritymode' '$smtpcertificate' '$certpassword' '1' '$attachmentfile'"
And there it is, the command execution. The call here is EXECSH, which calls /bin/sh -c “ARGUMENTS”. With the execution happening using values we control, we can easily attain remote command execution, all without authentication.

We will be releasing a full report and the Proof of Concept with proper outlines in a few months.

Update: This research was covered first on TechCrunch, read more here.
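The EXECSH call above pastes request values between single quotes inside one /bin/sh -c string. The following added example (not Cyberoam's code and not from the original article) models how a shell forms words from such a string and compares it with two safer constructions; the function names, the sample values and the narrow email allow-list are assumptions, and the helper path is only used as a label and is never executed.

```python
import re
import shlex

HELPER = "/bin/cschelper"  # helper path quoted on the page; never executed here
# Assumption: a deliberately narrow allow-list, not the product's own regex.
STRICT_EMAIL = re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def build_argv(from_addr, to_addr, subject):
    """Preferred form: a list for subprocess.run(argv, shell=False)."""
    return [HELPER, "mail_send", from_addr, to_addr, subject]


def build_interpolated(from_addr, to_addr, subject):
    """The EXECSH pattern: values pasted between single quotes in one string."""
    return f"{HELPER} mail_send '{from_addr}' '{to_addr}' '{subject}'"


def build_quoted(from_addr, to_addr, subject):
    """Fallback when a shell string is unavoidable: quote every word."""
    return " ".join(shlex.quote(w) for w in build_argv(from_addr, to_addr, subject))


def shell_words(command):
    """Split a command into words as a POSIX shell would (quoting and
    control operators only; no expansion is modelled, nothing is run)."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    lexer.commenters = ""
    return list(lexer)


def is_faithful(command, argv):
    """True only if the shell would see exactly the intended argument list."""
    return shell_words(command) == argv


def is_strict_email(value):
    """Second layer: reject anything outside the narrow allow-list."""
    return STRICT_EMAIL.fullmatch(value) is not None


# Constructed sample values (not taken from any real request).
BENIGN = ("noreply@example.com", "user@example.com", "Quarantine release")
HOSTILE = ("noreply@example.com", "user@example.com", "x'; echo INJECTED; echo '")

if __name__ == "__main__":
    for label, values in (("benign", BENIGN), ("hostile", HOSTILE)):
        argv = build_argv(*values)
        interpolated = build_interpolated(*values)
        print(label, "interpolated faithful:", is_faithful(interpolated, argv))
        print(label, "quoted faithful:", is_faithful(build_quoted(*values), argv))
        print(label, "words the shell forms:", shell_words(interpolated))
```

With the argv form no shell parses the values at all, so input validation becomes a second layer rather than the only barrier.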

-