VPN Beginner’s Guide by John Mason

This is the ultimate beginner’s guide to VPNs. Find out what a VPN is and how it works. I’ve tried to make it as in-depth (and simple) as possible.

VPN is one of those “web things” that seem perhaps a bit intimidating when you first hear about them. However, once you get into it, they turn out to be really easy to use.

Today, we’ll demystify the topic of VPNs, what they can do for you, why use them, and how they all work under the hood.

Plus, we’ll give you some recommendations along the way, to help you pick the optimal VPN for your personal needs.

This is the beginner’s guide to VPN:

  1. What is a VPN
  2. How Does a VPN Work
  3. How Secure is VPN
  4. Is VPN Fully Legal
  5. Does VPN Make You 100% Anonymous
  6. VPNs and Their Logging Policy
  7. Free vs. Paid VPNs
  8. Is VPN Safe for Torrenting
  9. Can I Use VPN to Watch Netflix/Hulu
  10. Does VPN Work on Android/iOS
  11. Does VPN Work on SmartTV/Kodi
  12. How to Install VPN on Router
  13. VPN & Tor Combination
  14. IP Leaks and Kill Switch
  15. When to Use a VPN
  16. When Not to Use a VPN

What Is a VPN

There are two ways of explaining this, really: (a) the 100% technologically correct way, and (b) the easier to grasp way that’s actually useful. I subscribe to the latter, especially since this resource is meant to be a beginner’s guide.

From a user’s point of view, all you need to know is that a VPN (short for Virtual Private Network) is a service that lets you access the web more safely and privately. It does this by routing your connection, inside an encrypted tunnel, through what’s called a VPN server.

If you have a friend who’s an IT professional then their definition might be a bit different, and involve a lot more technical detail (and jargon). However, at the end of the day, the VPN that’s actually a useful tool from a normal user’s point of view can still be defined by what we’ve said here.

On the face of it, a VPN is something you subscribe to – a product. All you do in order to use a VPN is sign up, download a small app, fire it up, and you’re good to go. But we’ll get into the specifics further down.

How Does a VPN Work

We might have used the following illustration on the site once or twice already, but it still does a great job of explaining what it is that a VPN actually does.

Here’s how things work when you’re connected to the web without a VPN – please excuse the simplicity and just bear with me for a minute:

No VPN connection

Although it’s the standard, this sort of connection has some flaws. Mainly, your traffic crosses networks you don’t control, and anyone sitting on the path can see at least where it’s going and, if the site doesn’t use HTTPS, what it contains.

What do I mean by take a peek? It comes down to the way the web is constructed. What we know as “the web” is basically a bunch of computers (servers) that store websites and serve them to whoever asks for them. To reach those servers, your data passes through a chain of networks (your ISP’s, transit providers’, the destination’s) that talk to each other all the time.

For example, say you want to see a website hosted on a server that’s really far away. A handful of intermediate networks and routers will participate in carrying that data. The important part is that each of those hops can see the source and destination addresses of every packet, and with plain HTTP, the content too. Even with HTTPS, the name of the site you’re visiting is normally visible in the clear (in your DNS lookups and in the TLS handshake). Not great for privacy.

You can think of it like taking a flight to a place that’s on the other side of the globe. On your way, you will interact with clerks, sales representatives, airports, crew, other passengers, etc. Potentially, there’s going to be hundreds of people who can all help in identifying you as you’re going from A to B. The same thing happens on the web, to an extent.

If it’s just a fun website you’re looking at, there’s no need to worry. It doesn’t matter if someone takes a peek at that or not. But if it’s online banking we’re talking about, business email, or anything else that’s a bit more sensitive, then it’s a whole other story.

Now, here’s how the same connection looks with a VPN enabled:

With VPN

What’s happening now is that your connection goes to the VPN server first – via an encrypted connection – and only then goes through “to the web.”

In other words, you connect through a third party – the VPN server – and then it’s the VPN server that connects to the web on your behalf.

This addresses the privacy and security problem in a couple of ways:

  1. from the web’s point of view, the traffic appears to come from the VPN server’s IP address, not yours,
  2. the networks between you and the VPN server (your ISP, a public Wi-Fi operator) can no longer see which sites you’re visiting or what you’re sending; all they see is an encrypted stream to one VPN server,
  3. since your connection to the VPN server is encrypted, anyone who does intercept it sees only scrambled data that doesn’t make sense.

One caveat that’s easy to miss: the VPN server is now in the position your ISP used to be in. It has to decrypt your traffic to forward it, so the provider can see everything your ISP could have seen. That’s why the provider’s logging policy and jurisdiction (covered below) matter just as much as the encryption.

As you would imagine, such a setup is safer than connecting to the web the traditional way. But how secure is it exactly? Let’s find out:

How Secure Is VPN?

The topic of VPN security is one that always causes a huge debate among IT pros and people with a horse in the race on either side. But it basically comes down to a couple of factors:

  • (a) The technical limitations of the VPN technology itself,
  • (b) The legal ecosystem and jurisdiction the VPN company has been set up in, plus the company’s own policies and views on “what a good VPN should be”. This has an impact on how the company is legally able to build and run their VPN.

What all of the above means, in the end, is that no two VPNs are created alike, and there can be significant differences from one VPN provider to the other in terms of security.

Overall, the “idea of VPN” in itself is a very secure one, but the devil is in the details, so your mileage may vary depending on the provider that you choose.

Let’s break down the two elements mentioned above. Starting with (a):

(a) The technologies that are part of a VPN and how they translate to VPN security

When talking about VPNs and their security we need to cover two topics:

  • VPN protocols
  • VPN encryption

Let’s start with the former. While the topic of protocols can be a rather complex computer science concept, all we need to know now is that a protocol is basically a documented procedure or a set of rules that define how something is carried out. In our case, that something is handling data transmission via a VPN.

As you would imagine, there can be different ways of handling that transmission, and depending on the specific VPN that you decide to use, you’ll likely see one of the popular protocols implemented.

The most common protocols are: PPTP, L2TP/IPsec, SSTP, IKEv2, and OpenVPN. Let’s discuss them briefly so that you know what you’re getting into and what impact your choice can have on your overall VPN security.

  • PPTP (Point-to-Point Tunneling Protocol). One of the oldest protocols still in use, originally developed by Microsoft. Pros: works on old machines, comes built into most Windows versions, and it’s easy to set up. Cons: it’s broken, not merely “barely secure”. Its MS-CHAPv2 authentication can be cracked offline from a captured handshake, and its RC4-based encryption (MPPE) is weak, so assume that anyone who captures the traffic can read it. If the VPN you’re considering only lets you connect via PPTP, avoid it.
  • L2TP/IPsec (Layer 2 Tunneling Protocol). L2TP combines PPTP with Cisco’s own L2F, and on its own it provides no encryption at all; it only builds the tunnel. All of the security comes from the IPsec layer wrapped around it, which authenticates both ends (with a pre-shared key or certificates) and encrypts everything inside. Done properly, with a strong, unique key and modern ciphers, IPsec is sound. Two practical issues: many consumer VPNs publish the same pre-shared key for all customers, which gives you little assurance that you’re talking to the real server, and there are reports alleging that the NSA can break it under some conditions. Whether or not those are true, it also uses fixed UDP ports (500 and 4500), so it’s easy to spot and block. Fine as a fallback, not a first choice.
  • SSTP (Secure Socket Tunneling Protocol). Another Microsoft-built protocol. This one tunnels your traffic inside SSL/TLS (the same encryption that protects HTTPS websites) over TCP port 443, which makes it hard to block. TLS doesn’t rely on symmetric-key cryptography alone: public-key cryptography is used first to verify the server’s identity and agree on a session key, and that session key is then used for fast symmetric encryption of the data, so only the two endpoints can read it. SSTP is a solid choice on Windows, with one caveat: it’s proprietary and closed-source, so nobody outside Microsoft can audit the implementation, and it’s barely supported on anything else.
  • IKEv2/IPsec (Internet Key Exchange, version 2). Not a Microsoft invention, despite what you’ll often read: it was developed jointly by Microsoft and Cisco and is an open IETF standard (RFC 7296). It handles the key exchange for IPsec and is particularly good at re-establishing the tunnel when your connection changes (say, switching from Wi-Fi to mobile data), which is why it’s popular on phones. It’s built into Windows, iOS and macOS. With modern ciphers and certificate-based server authentication it provides some of the best security of the bunch.
  • OpenVPN. Designed to take what’s best from all of the above and do away with most of the flaws. It’s built on SSL/TLS and it’s an open source project, so its code can be, and regularly is, audited by outsiders. The TLS handshake verifies the server (and optionally the client) and agrees on keys known only to the two endpoints, and the data is then encrypted with a cipher such as AES. It runs over UDP or TCP on any port, so it’s both versatile and hard to block. The catch is that it isn’t built into any operating system, so you need the provider’s app or the official OpenVPN client. Overall, it’s the most versatile and best-scrutinized protocol out there, and with a sane configuration (AES-GCM, SHA-256, server certificate verification) also one of the most secure.

Generally speaking, most VPN apps will let you select the protocol through which you want to establish the connection. Obviously, the more secure the protocol you connect through (OpenVPN, IKEv2), the more secure your whole session will be.

However, not all devices support all of these protocols out of the box. Windows ships with PPTP, L2TP/IPsec, SSTP and IKEv2 built in. iOS and macOS ship with IKEv2, IPsec and L2TP/IPsec (Apple dropped PPTP in iOS 10 and macOS Sierra), with IKEv2 being the preferred option on iPhone. Android ships with PPTP, L2TP/IPsec and plain IPsec. OpenVPN needs a separate app everywhere. And Android … well, Android has some problems of its own, which we’ll get to later on.
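
To make the protocol and cipher points above concrete, here is an added example (my own code, not from any VPN provider on this page or from the OpenVPN project) that audits an OpenVPN client profile, the .ovpn file a provider hands you, for the weak settings just discussed: a Blowfish or unauthenticated cipher, MD5 packet authentication, no server certificate verification, old TLS versions, compression, and no control-channel key. The two profiles embedded in it are constructed for illustration, and vpn.example.net is a placeholder hostname.

```python
import re

# Ciphers with no authentication or a 64-bit block (SWEET32). OpenVPN releases
# before 2.4 silently defaulted to BF-CBC when the profile named no cipher.
WEAK_CIPHERS = {"none", "bf-cbc", "des-cbc", "des-ede3-cbc", "rc2-cbc", "cast5-cbc"}
WEAK_AUTH = {"none", "md5"}


def parse_profile(text):
    """Return [(directive, [args]), ...] from a .ovpn file, skipping comments.
    Inline <ca>/<cert>/<key>/<tls-crypt> blocks are recorded by name only."""
    entries, block = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if block:                       # inside an inline block: skip until it closes
            if line == f"</{block}>":
                block = None
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            block = m.group(1).lower()
            entries.append((block, ["<inline>"]))
            continue
        parts = line.split()
        entries.append((parts[0].lower(), [p.lower() for p in parts[1:]]))
    return entries


def audit(text):
    """Return a list of findings; an empty list means nothing weak was seen."""
    entries = parse_profile(text)
    present = {name for name, _ in entries}
    last = {name: args for name, args in entries}   # later lines override earlier ones
    findings = []

    ciphers = set(last.get("cipher", [])[:1])
    for name in ("data-ciphers", "ncp-ciphers"):     # negotiated cipher list (2.4+/2.5+)
        if last.get(name):
            ciphers |= set(last[name][0].split(":"))
    if not ciphers:
        ciphers.add("bf-cbc")                        # nothing named: old clients fall back to Blowfish
    weak = sorted(ciphers & WEAK_CIPHERS)
    if weak:
        findings.append(f"cipher {','.join(weak)}: weak or implicit default; use AES-256-GCM or CHACHA20-POLY1305")

    auth = (last.get("auth") or ["sha1"])[0]
    if auth in WEAK_AUTH:
        findings.append(f"auth {auth}: data packets are not integrity protected; use SHA256")

    if "remote-cert-tls" not in present:
        findings.append("remote-cert-tls server missing: any client cert from the same CA can impersonate the server")

    tls_min = (last.get("tls-version-min") or ["1.0"])[0]
    if tls_min < "1.2":
        findings.append(f"tls-version-min {tls_min}: allows TLS 1.0/1.1; set 1.2")

    compress = (last.get("compress") or [""])[0]
    if "comp-lzo" in present or compress not in ("", "stub", "stub-v2"):
        findings.append("compression enabled: lets an attacker probe plaintext (VORACLE); remove comp-lzo/compress")

    if not present & {"tls-auth", "tls-crypt", "tls-crypt-v2"}:
        findings.append("no tls-auth/tls-crypt: control channel has no extra HMAC; ask the provider for a tls-crypt key")

    return findings


# Constructed sample: the kind of profile a careless provider might hand out.
WEAK_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
cipher BF-CBC
auth MD5
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
(certificate omitted)
-----END CERTIFICATE-----
</ca>
"""

# Constructed sample: the same profile with the settings a practitioner would want.
HARDENED_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
remote-cert-tls server
verify-x509-name vpn.example.net name
tls-version-min 1.2
data-ciphers AES-256-GCM:CHACHA20-POLY1305
cipher AES-256-GCM
auth SHA256
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
(key omitted)
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{label}: {audit(profile) or ['OK']}")
```

Run it against the profile your provider gives you; every finding maps to one of the points in the protocol list above, and the hardened profile shows the directives that fix each one. Note that a profile that names no cipher at all is flagged too, because older clients quietly fall back to Blowfish in that case.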

Then there’s the topic of encryption itself. In its most basic form, encryption works by:

  1. taking some plain data,
  2. applying a key to it (for instance, shifting every letter three places back in the alphabet, so every “E” becomes a “B” and so on; this is the Caesar cipher, one of the oldest encryption algorithms),
  3. getting fully encrypted data as a result,
  4. that data is then only readable by someone who has that original key used to cipher it.

Modern encryption algorithms work on the same principle, but on steroids. Where the Caesar cipher has 25 possible keys (you can try them all by hand), AES-128 has 2^128, far too many to try even with every computer on Earth. The thing to remember is that if your data is encrypted with AES using a key of at least 128 bits, the cipher itself is not the weak link. When a VPN connection does get broken, it’s almost always something else: a broken protocol like PPTP, a weak key exchange, a buggy implementation, or the provider’s own logs. So if your VPN offers AES-128 or better over a modern protocol, you can stop worrying about the cipher and look at those other things instead.
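
To show what the Caesar cipher in step 2 actually is, and why the jump to AES matters, here is an added example (my own code, not from the guide). It implements the shift, then recovers a message without knowing the key by trying all 25 possibilities and scoring each candidate against English letter frequencies, which is all it takes to break it. The message is a constructed sample.

```python
import string

ALPHABET = string.ascii_uppercase

# Approximate letter frequencies (%) in English text, A through Z.
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
                6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]


def caesar(text, shift):
    """Shift every letter by `shift` positions in the alphabet (negative shifts
    move backwards, so shift=-3 turns E into B, as in the guide); anything that
    isn't a letter passes through unchanged. Calling it again with the opposite
    shift decrypts."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def chi_squared(text):
    """How far the letter counts of `text` are from typical English (lower is
    closer). Lets a program pick the right candidate instead of a human reading
    all 25 of them."""
    letters = [ch for ch in text.upper() if ch in ALPHABET]
    n = len(letters)
    score = 0.0
    for i, letter in enumerate(ALPHABET):
        expected = n * ENGLISH_FREQ[i] / 100
        observed = letters.count(letter)
        score += (observed - expected) ** 2 / expected
    return score


def brute_force(ciphertext):
    """Try every possible key and return (key, plaintext) pairs, best first.
    `key` is the shift the sender used, reduced to the range 1..25."""
    candidates = [(key, caesar(ciphertext, -key)) for key in range(1, 26)]
    return sorted(candidates, key=lambda c: chi_squared(c[1]))


PLAINTEXT = "MEET ME AT THE STATION AT NINE TONIGHT AND BRING THE KEY"  # constructed sample
CIPHERTEXT = caesar(PLAINTEXT, -3)   # "shift three back", as in the guide

if __name__ == "__main__":
    print("ciphertext:", CIPHERTEXT)
    key, recovered = brute_force(CIPHERTEXT)[0]
    print(f"best guess (key {key}): {recovered}")
```

Twenty-five keys is under five bits of key material, so exhaustive search finishes instantly. AES-128 has 2^128 keys, and that difference, not the fancier math inside the algorithm, is what puts the same try-every-key approach out of reach.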

Many of the top VPNs out there go a step further and offer AES-256 encryption, e.g. ExpressVPN, NordVPN, and Buffered.

If you’re interested, you can learn more about encryption here.

At the end of the day, your VPN can be super secure, but it all comes down to the protocol you’re connecting with, the encryption that protects your data, and whether the client actually verifies that it’s talking to the real server.

(b) The legal ecosystem and company’s vision

(Note. None of this is legal advice. Read for entertainment purposes only.)

Being completely honest with you, all good VPN companies will do everything they can to protect your data, your privacy, and your overall security on the web. However, they’re still subject to the law in the jurisdiction they’re in.

Depending on the local law of the country where the VPN company was established, they may be forced by court order to share whatever records they have regarding your activity.

Now, the key part here is that choosing a VPN that’s in another country won’t necessarily solve this issue for you. There are international agreements between countries to share information in cases like that. Of course, depending on your location, if you do enough research, you can find a VPN established in a country that doesn’t have any such agreements in place with your country.

So in the end, you are only secure with a VPN if it’s not only willing and technically capable of keeping your information safe and private, but also if it’s legally allowed to do it.

Actually, let’s tackle this topic a bit more broadly and focus on answering the general question:

Is VPN Legal?

In a word, yes. Though, not always.

First off, VPNs as a concept are somewhat new in “legal years,” so not all jurisdictions have managed to keep up. This means that the rules are murky and can be up for interpretation either way.

However, VPNs seem to be okay to use in most countries, particularly if you’re located in the US, Canada, the UK, or the rest of Western Europe. (Important! What matters here is your physical location when using the VPN, not where the VPN company or its servers are.)

When it comes to the countries where VPNs are not okay, based on our research, those are: China, Turkey, Iraq, United Arab Emirates, Belarus, Oman, Russia, Iran, North Korea, and Turkmenistan.

To learn more about the legality of VPN in your country:

  • consult with your local government (duh!),
  • review this in-depth resource of ours – it’s where we go through more than 190 countries and tell you what’s up.

Does VPN Make You Fully Anonymous Online?

In a word, no. But it gets you a good part of the way there. Let’s hold off on this thought, though, and start somewhere else:

As you already know, when you’re not using a VPN, every network your traffic crosses can see where it’s going and, for sites without HTTPS, what it contains. On top of that, there’s your ISP (Internet Service Provider), and even the person who owns the Wi-Fi router you’re connected to (if it’s a public hotspot). All of those parties can find out what you’re doing.

Connecting via a VPN solves many of those problems by encrypting your traffic all the way to the VPN server and making it appear, to the sites you visit, as if the server itself is making the connection and not you.

Though, there are still some anonymity issues that stay potentially unsolved:

  • Are there any logs kept by the VPN? More on this in the next section below.
  • The jurisdiction under which the VPN is established. In some cases, they might be legally forced to keep records. In other words, what happens when the government comes asking questions?
  • If you’re paying for the VPN, do they keep payment records? Are those payment records by name?
  • Is the encryption level sufficient and the connection protocol a quality one? We talked about this above.

Overall, not every VPN will protect your anonymity equally. However, if you make your choice wisely, you can avoid most (if not all) of the problems described above. Here’s our comparison of the top VPNs in the market to help you out.

VPNs and Their Logging Policy

Logging is the main issue as it relates to VPNs and the level of anonymity and privacy they can provide you with.

Long story short, there are multiple kinds of logs that a VPN can keep:

  • user activity logs,
  • IP addresses,
  • timestamps of when you connected/disconnected,
  • devices used,
  • payment logs if it’s a paid VPN, etc.

Any such logs make you a bit less anonymous, since your real IP can be tied to a given browsing session. Tying that to you personally takes more work, but it’s doable for a determined agency, especially if payment records carry your name.

Overall, the less logs your VPN keeps the better. With “none” being ideal.

But here’s the kicker: most VPNs these days will tell you that there are “no logs” when you visit their websites and start reading through the sales material on the homepage. But where you should actually look is their privacy policies.

For example, if you visit PureVPN, you’ll see big headlines saying things like, “complete internet privacy […] remain invisible and invincible,” but their privacy policy page tells a bit different story, quote (emphasis mine):

When and if a competent court of law orders us or an alleged victim requests us (that we rigorously self-assess) to release some information, with proper evidence, that our services were used for any activity that you agreed not to indulge in when you agreed to our Terms of Service Agreement, then we will only present specific information about that specific activity only, provided we have the record of any such activity.

As you can see, it’s all in the details. Anyways, we did the research for you – here’s our big roundup of 118 VPNs and their logging policy. Check it out when picking your VPN.

FREE VPNs vs. Paid VPNs

In general, free VPNs are something you should be careful with. The first thing to realize is that running a good VPN costs serious money. There’s a lot of servers involved (and those cost money), a lot of data transfers being made over the web (and that costs money too), a lot of other infrastructure (real estate, electricity, etc.), and so on and so forth. So if at the end of it all the product is completely free for you, it probably means that some compromises have been made along the way.

Maybe the VPN is logging your activity for their own reasons. Maybe there’s a filter on your traffic displaying you ads. Maybe someone is paying for access to your logs or the ability to advertise to you. Either way, the situation is not perfect.

On the other hand, paying for a VPN isn’t actually such huge of an investment anyway. We’ve tested a number of great solutions that go around for as little as $3-5 per month, which doesn’t seem a lot in exchange for peace of mind and improved online privacy.

How Much Does a VPN Cost?

Just as I mentioned above, you can get a quality VPN for as little as $3-5 a month. Actually, the average out of 31 popular VPNs is $5.59 a month, which tells you a lot about what sort of an expense this usually is. VPNs that cost more than $10 are really uncommon, and there’s not a lot of reason to buy them since there are more affordable solutions out there.

Additionally, most VPNs also give out big discounts if you’re willing to subscribe for one or two years up front, instead of renewing your subscription monthly. For example, Private Internet Access – a VPN that we very much enjoy – costs $6.95 if paid monthly, but $39.95 when paid annually (which translates to $3.33 per month – that’s over 50% off).

We have a more in-depth pricing comparison table here (roughly in the middle of the page). And if you’re strapped for cash, you can also check out our roundup of the currently cheapest VPNs and fastest VPNs.

Can You Use VPN for Torrenting Safely?

In general, yes, but that depends on the specific VPN you’re using and also the kind of things you are torrenting.

Let’s start with that second part – what you’re torrenting.

Torrenting is just the common name for using BitTorrent, a peer-to-peer protocol for transferring files over the web. Although it gets a lot of bad rap overall, torrenting is perfectly okay and legal if you have the rights to the files you’re transferring. Piracy, on the other hand, is illegal regardless of the tools you use to do it.

Then, there’s the VPN’s own policy regarding torrenting and how it’s handled.

Most of the quality VPN solutions in the market will allow torrenting. According to our research, for example, you can torrent with: ExpressVPN, Buffered, VyprVPN, PIA, NordVPN.

When it comes to the security aspect of torrenting, it all comes down to the VPN’s aforementioned policies regarding things like logging or sharing your user data. In general, if a VPN doesn’t keep logs overall then they also don’t keep them for your torrent activity. One thing specific to torrenting: your torrent client talks directly to every peer in the swarm, so if the VPN tunnel drops even for a second, those peers (and anyone monitoring the swarm) immediately see your real IP. Pick a VPN with a kill switch (covered below), or bind your torrent client to the VPN’s network interface so it can’t talk to anyone when the tunnel is down.

Another aspect worth considering when choosing a VPN for torrenting is the download speed the VPN can offer you. Of course, this sort of information is rarely advertised, so it’s hard to come by; most of the time you only find out after you buy the VPN. Though, we did some testing of our own here, and based on it, we can recommend these VPNs for their good download speeds: ExpressVPN, VyprVPN, PIA, and Buffered.

Can I Use VPN to Watch Netflix and Hulu?

Yes. But like with most things on this list, it all comes down to the specific VPN that you use.

The problem with Netflix overall is that even though it’s now available in over 130 countries, not all shows are distributed equally. Due to complicated licensing agreements that were established before Netflix’s big international rollout, various TV stations retain the rights to some of even Netflix’s own shows, which effectively prevents Netflix from legally making those shows available on their platform. Complicated legal stuff. But VPNs can help here.

The way Netflix and Hulu block some of their content in parts of the globe is by looking up which country your IP address belongs to. Meaning, if your IP says you’re in a country where the show isn’t licensed, you’re blocked.

VPNs make this easy to get around, at least in principle. Since you can select the server you connect to, all you need to do to unlock a Netflix show is connect to a server in a country where that show is available. The catch is that Netflix knows this too and blocks IP ranges it identifies as belonging to VPN providers, so in practice it only works with providers that actively keep ahead of those blocks.

We have a comprehensive post on how to watch Netflix via a VPN + the best VPNs that allow you to do that right here.

Does VPN Work on Android and iOS?

Again, that’s a yes.

Many of the top VPN services out there also let you download mobile apps for either Android or iOS.

Here’s our best VPNs for Android: PIA, Tunnelbear VPN, ExpressVPN.

Both platforms let you set up a VPN connection rather easily. For instance, on iPhone, you can do that in Settings → General → VPN.

With all that being said, be careful if you’re tempted by any of the free VPN apps for either Android or iOS. There’s research by a team of specialists (from CSIRO’s Data61, the University of New South Wales, the International Computer Science Institute and the University of California Berkeley), going through more than 280 free Android apps that request Android’s VPN permission. The research found that 38% of those apps contained some form of malware according to VirusTotal, 84% leaked users’ IPv6 traffic outside the tunnel, and 75% used third-party tracking libraries. So there’s that.

Does VPN Work on Kodi/SmartTV?

Your smart TV and Kodi box are yet more devices that need a live internet hookup in order to provide you with their goodies. A VPN can help you keep those streams private, so that only you and the service itself know what you’re watching.

There are two ways in which you can enable a VPN connection on your smart TV:

  • configure it on the device itself,
  • configure it right on your router – effectively protecting your whole home network and everything that’s connected to it (we cover this in the next section below).

Let’s focus on the former here. Overall, many of the quality VPNs come with the ability to configure them right on your smart TV. For example, VyprVPN – which is one of our recommended VPNs – comes with an app for Android TV, and also with detailed instructions for Kodi/OpenELEC and Apple TV. Other VPNs in the market provide you with similar options.

Some of the networks that support smart TV devices and boxes: ExpressVPN, VyprVPN, NordVPN.

How Do I Install VPN on My Router?

Installing a VPN on your home router is the best way to make sure that everything connected to that router goes through a safe VPN connection. In that scenario, you no longer need to install individual apps on your mobile devices, laptops, smart TVs or anything else with web access.

The first order of business is to make sure your router can run a VPN client at all. Check on the manufacturer’s website. Most stock consumer routers can’t; routers running the DD-WRT or Tomato firmware (FlashRouters sells them pre-flashed) can, and so do some higher-end consumer models with an OpenVPN client built in.

The specific steps involved in setting things up differ from VPN to VPN and your specific VPN provider likely has a dedicated section on their website devoted to explaining how to carry through with the process. For example, here’s how to do this if you’re with ExpressVPN and here’s PIA.

We also have an example demonstration of how it’s done on most DD-WRT routers on this page (near the bottom).

In the end, the installation is quite simple: you log in to the router’s admin page, pick the VPN protocol, paste in the provider’s configuration or credentials, and fill out a couple of standard forms. Nothing you won’t be able to handle. One thing to check afterwards: routers have small CPUs, so an OpenVPN tunnel on a cheap router will often cap your throughput well below your normal internet speed.

VPN & Tor – How to Use the Combination

Even though Tor and VPN are fundamentally different, they can still be used together for maximum security and online privacy.

  • Tor routes your connection through three volunteer-run relays picked at random, wrapping your traffic in a separate layer of encryption for each one. Each relay only learns the previous and the next hop, so no single relay sees both who you are and where you’re going.
  • A VPN routes everything through one server operated by one company. Tor gives you stronger anonymity; a VPN gives you speed and protects all of your device’s traffic, not just the browser. They solve different problems, so we can’t say “Tor or VPN is better” than the other.

(We talked about the differences between Tor and VPN in detail on this site already, so feel free to visit that post to get the full picture.)

One of the good things about Tor is that you can use it 100% free and there are no built-in limitations to that free version. All you need to do is grab the official Tor web browser. Once you have it, you just need to fire it up like your standard Chrome or Firefox browser, click the connect button, and you’re up and running.

Because of the way Tor works, you can combine it with your VPN setup. All you need to do is:

  1. Enable your VPN connection normally, via your VPN’s official app. From this point on, everything that involves communicating with the web goes through your VPN.
  2. Open Tor Browser and connect to Tor.

This particular order is called “Tor over VPN”: the Tor connection runs inside the VPN tunnel. Your ISP only sees that you’re connected to a VPN, the VPN provider sees that you’re using Tor but not what you do with it, and the Tor entry relay sees the VPN server’s IP instead of yours. The reverse order (“VPN over Tor”, where the VPN connection itself is built through Tor) is a different setup with different trade-offs and needs a provider that supports it; the steps above give you the former.

The main downside with such a setup, though, is that it’s going to be much slower than your standard, VPN-only connection. Tor on its own slows down your experience noticeably, and when combined with a VPN on top of it, the results can be even more dramatic. On the plus side, it adds a layer of privacy on top of what either tool gives you alone.

IP Leaks and Kill Switch

Let’s start with the kill switch, since it’s a crucially useful feature offered by quality VPNs.


In simple terms, a kill switch is a feature that automatically blocks your internet access if the encrypted VPN connection should ever drop. In other words, if there’s any connectivity issue at all, the kill switch triggers and blocks all traffic until the tunnel comes back up. The good implementations do this with firewall rules (the only thing allowed out is the tunnel itself and the connection to the VPN server), rather than by watching the app and reacting after the fact.

In an alternative scenario, if your VPN doesn’t have a kill switch and any connectivity issue arises then it’s probable that your device might attempt to restore the standard, unprotected connection, thus exposing what you’ve been doing up until that point.

According to our research, the following VPNs have a kill switch: ExpressVPN, PIA, VyprVPN, SaferVPN.

IP leaks

IP leaks are a known weakness of some setups that people use to access the web. Though, this is not entirely a VPN problem at its core.

IP leaks happen when your VPN fails to hide your real IP while you browse. For example, you want to watch a geo-restricted show on Netflix, so you switch to a server in an approved country and reload the page, but the content is still blocked. One possible explanation is that your real IP just leaked. The usual culprits are DNS leaks (your name lookups still go to your ISP’s resolver, outside the tunnel), IPv6 leaks (the VPN only tunnels IPv4, and your IPv6 traffic goes around it), and WebRTC in the browser, which can reveal your real addresses to a website even while the tunnel is up.

The best VPN apps include safeguards to minimize these risks: pushing their own DNS servers, disabling or tunneling IPv6, and firewall rules that block anything outside the tunnel. However, as I mentioned, a leaking IP isn’t always the VPN’s fault. Sometimes the configuration of your computer and the many apps on it are to blame; even the browser you use and the add-ons installed in it can cause leaks. It’s worth a quick check after connecting: visit a leak-testing site and confirm that the IP address, the DNS server and (if any) the IPv6 address it shows all belong to the VPN.
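
What a firewall-based kill switch actually does, as an added example (my own code, not from any VPN app mentioned on this page): it generates an nftables ruleset for Linux that drops everything except the handshake to one VPN server and traffic inside the tunnel, and it evaluates the same policy in Python so you can see which packets get through and which leak. Because the default policy is drop, plain DNS to the ISP and IPv6 around the tunnel (the two leaks above) are blocked as a side effect. The server address 203.0.113.5 is a documentation placeholder, the interface name tun0 and port 1194 are assumptions (OpenVPN’s defaults), and apply() needs root on Linux and is not called automatically.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress
import subprocess


@dataclass
class KillSwitch:
    vpn_server: str              # IP literal, not a hostname: DNS is blocked once the rules load
    vpn_port: int = 1194         # assumed: OpenVPN's default port
    proto: str = "udp"
    tun: str = "tun0"            # assumed: the interface the VPN client creates
    lan: Optional[str] = None    # e.g. "192.168.1.0/24" to keep a printer or NAS reachable

    def nft(self) -> str:
        """Render the ruleset. Both hooks default to drop, so anything not
        explicitly allowed (DNS to the ISP, IPv6 around the tunnel, apps that
        reconnect after the VPN drops) never leaves the machine. Interface
        names are used rather than indexes so the rules load before tun0 exists."""
        lan_out = f"        ip daddr {self.lan} accept\n" if self.lan else ""
        lan_in = f"        ip saddr {self.lan} accept\n" if self.lan else ""
        return (
            "flush ruleset\n"            # note: replaces any existing firewall rules
            "table inet killswitch {\n"
            "    chain output {\n"
            "        type filter hook output priority 0; policy drop;\n"
            '        oifname "lo" accept\n'
            f"{lan_out}"
            f"        ip daddr {self.vpn_server} {self.proto} dport {self.vpn_port} accept\n"
            f'        oifname "{self.tun}" accept\n'
            "    }\n"
            "    chain input {\n"
            "        type filter hook input priority 0; policy drop;\n"
            '        iifname "lo" accept\n'
            "        ct state established,related accept\n"
            f"{lan_in}"
            "    }\n"
            "}\n"
        )

    def allows(self, dst: str, proto: str, port: int, oif: str) -> bool:
        """The output chain above as a Python decision: would a packet with this
        destination, protocol, port and outgoing interface be accepted?"""
        if oif in ("lo", self.tun):
            return True
        addr = ipaddress.ip_address(dst)
        if addr.version == 6:
            return False             # only the lo/tun rules can match IPv6, so nothing else escapes
        if self.lan and addr in ipaddress.ip_network(self.lan):
            return True
        return (str(addr) == self.vpn_server and proto == self.proto
                and port == self.vpn_port)

    def apply(self) -> None:
        """Load the rules with nft (Linux, needs root). Run this before starting
        the VPN client; the rules stay in place across tunnel drops."""
        subprocess.run(["nft", "-f", "-"], input=self.nft(), text=True, check=True)


if __name__ == "__main__":
    print(KillSwitch(vpn_server="203.0.113.5").nft())
```

Two details matter more than they look. First, the rules are loaded before the tunnel exists and stay loaded when it dies, which is what makes this a real kill switch: when the VPN drops, nothing reverts to the bare interface because the bare interface was never allowed. Second, the LAN exception is off by default; if you enable it and your home router is also your DNS resolver, lookups can go to it in plain text, which is exactly the DNS leak described above.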

When to Use VPN

There are a number of good reasons to use VPN, here are some:

  • It encrypts your traffic between you and the VPN server.
  • It hides your activity from your ISP, the local network operator, and anyone else on the path who might be interested in taking a look.
  • It hides your location, enabling you to access geo-blocked content (e.g. on Netflix and other sites).
  • It makes you more anonymous on the web.
  • It helps you keep the connection protected when using a public Wi-Fi hotspot.

Overall, use a VPN if your web privacy, security, and anonymity are important to you. Roughly $3-5 a month is a small price to pay for all that.

When Not to Use a VPN

As predictable as this may sound, we really see no good reason not to use a VPN if you’re taking your online security and privacy seriously.

VPNs are just incredibly useful as another layer of security on top of HTTPS on websites, having a good antivirus, not opening shady email attachments, not sharing too much private information on social media, and so on. Overall, they’re your next step towards using the web more consciously and with sufficient precautions set up.

There’s really not a lot of downsides to them. Perhaps the only one being that your connection can sometimes slow down – after all, you’re routing your data through an extra server.

But what do you think? Are you sold on the idea of a VPN and thinking about getting one? Don’t forget about our huge review comparing more than 35 popular VPNs.

International Women’s Day: Women in tech share their stories

Posted: March 8, 2018 by 

From the #metoo movement to Oprah’s Time’s Up speech to the women’s marches on cities throughout the world—it’s been a banner year for women’s rights. And on this International Women’s Day, we wanted to do more than pay lip service to the changes in feminist dialogue. After all, tech is an industry with a well-deserved reputation for being a boy’s club. But that’s something that needs to change.

Thanks to millions of voices bringing awareness to gender disparity, discrimination, and sexual harassment in the workplace, what was once whispered in hushed tones is now delivered loudly, publicly, and on some of the widest-reaching platforms by some of the world’s most powerful people. It’s what makes sly comments like those from Natalie Portman and Emma Stone about the imbalance of power at the top of the movie-making business so well-received instead of PR nightmares.

It’s a lesson that women in tech can take to heart about how to face discrimination in everyday situations so that stories about frustration and shame can become stories about a teachable moment. (And trust me, we all have stories.)

And it’s a lesson that the women in tech that I spoke with have already internalized. Below, you’ll read about six women in cybersecurity, gaming, and other tech industries who’ve faced gender bias or discrimination. They told me what happened, how they handled it in the moment, and what advice they would give to other women in the industry on how to persevere.

These everyday Wonder Women have faced the odds head on and overcome, whether it was a subtle slight or a systematic diss. Some have gone on the record, while others chose to be anonymous. Here are their stories.

Female security researcher, Malwarebytes

I learned Chinese while in the military and occasionally use it in infosec. In my first civilian job, I would be asked for a translation in staff meetings from time to time. After giving one, a guy would routinely cut me off and provide his idea of “what the Chinese probably said.” (He did not speak Chinese.) I probably could have handled it better, but I was so aggrieved at my competence and judgment being questioned that the next time he did it, I interrupted him and asked, “Oh, so you speak Chinese too?” Long pause. “No?  So it’s just me?”

After that meeting, he never did it again, and in fact was very supportive for the remainder of our time together.

Advice for women in tech

This study examined sexism in online gaming, who was pushing it, and why. It found that the worst sexism was largely a hierarchy survival strategy by men who weren’t very good at the game. This stuck with me, as most of the sexism I’ve seen in the workplace hasn’t really been from the best and brightest or most experienced.

Seeking out and working with men who are experienced, secure, and good at their jobs has improved my work environment by quite a bit.

Amanda Glasser
Senior Business Developer, Mobile Games, Unity

As a quality assurance tester at a video games company in 2006, we were paid an hourly rate consistent with California minimum wage, plus overtime. One day, HR mixed up our paychecks and I ended up with one belonging to a white guy. His base was a fat $2 more than my pitiful California state minimum wage. We worked there the same length of time, had the same role, pulled the same overtime—we were even the same age. I asked HR about it, and about a month later, my contract was terminated (ostensibly for unrelated reasons). Not that I’m bitter; that guy still works in QA 10 years later, and he makes considerably less than me.

Later, when I worked at a large tech company, I was frequently told that my communication style was aggressive, bossy, and confrontational. This was usually told to me by male superiors or peers. These same people often interrupted me when I was speaking, stood up to walk around me where I was seated (as if I were in a police interrogation), and one of them actually would sneak up behind me on my way into the bathroom and slam a basketball on the floor directly behind me to “scare” me as a “joke.”

Didn’t even bother with HR this time; I just left that company for another one.

Advice for women in tech

Go to the networking events, even if you don’t think of yourself as a “woman in tech.” You’re not going to break in being picky about labels. Look for relevant conferences that hire volunteer staffers and apply to be one. It’s a great way to network and get free access to the content.

Make friends.

Do not be the poor sucker who always takes notes in meetings or gets coffee for people. Unless your actual job is “secretary” or “caterer,” in which case, carry on.

Ban the phrase “I’m sorry,” from your vocabulary at work. If you actually need to apologize for something, use the words “I apologize,” instead.

Seriously. Make friends. Whether you’re just starting out or have been in it a long time, you’ll never get through the hard days without friends.

Jovi Umawing
Malware Intelligence Analyst, Malwarebytes

To the best of my knowledge, I think I’m one of the rare ones in infosec where I have not encountered any biases because of my gender. That isn’t to say that there are no biases—it’s just that they’re fueled by other reasons that don’t include me being a woman. In my first eight years in the infosec industry, I was based in the Philippines, and we have a lot of female reverse engineers, spam and fraud experts, and technical writers. I’ve also served under a number of female managers and executives.

Did I come across sexism as a public figure? I don’t think so—unless we count the times I’m referred to as “he” by press people in my quotes, which happened (and continues to happen) most of the time. I guess that goes to show that not many women in infosec are covered in the media. I’d like to see a change in this.

Advice for women in tech

It may seem like I’m sheltered from the gender issues many women in tech in the US experience, and you’re probably right…although I do sympathize deeply. But one thing I can share is that if women ever wonder if it’s even possible to work in infosec and not feel unwelcome or unheard because of their gender—I can say that it is. And being part of a company that lets you do what you do best, helps you grow in your career, and doesn’t discriminate because of your gender is a very, very fulfilling experience. My takeaways from those years continue to serve me until today.

Allison [last name redacted]
works at one of the biggest tech companies in Silicon Valley

In tech, the clearest example of a gender bias is simply the other people in the room with me. I’m very frequently the only woman in a room and I can maybe recall 2-3 meetings where women made up more than 50 percent. Women are simply not represented in the tech teams in the same numbers. When you move to decision makers, directors, VPs, and above, it is even more stark.

In these situations, sometimes I mention it to someone I trust in the room to draw attention to the lack of diversity. I am a believer that awareness is the first step to change, and I honestly don’t believe that most men even notice that there aren’t women because that is normal for them. When I point it out, they are usually a bit taken aback, as they aren’t sure why I’m mentioning it, or why they didn’t notice it.

Another example I have of [gender bias] is in the terms and phrases that people use in the office. We were dealing with a pretty difficult issue with some vendors and the team needed to come to an agreement on the path forward. I was the only woman in the room and one of the technical leaders said, “Someone will need to put their balls on the table and commit to a decision!” I quietly sat at the end of the table and commented, “Well, some of us don’t have balls, so maybe our badges would be more appropriate.” At the end of the meeting, I had to step out. As I left, I simply said, “You can now return to referencing your male organs if that helps the conversation progress.”

It was a bit of a mic drop moment.

Advice for women in tech

Get some thick skin. Sexism comes in many forms, and some of it requires you to not let it impact you personally. Someone treating you differently because of your gender isn’t a reflection on you, so don’t let it get to your confidence. Call it out and let it go because there isn’t enough time in the day.

Own your accomplishments. When you do something amazing (and you will), own it! Tell people and be sure you talk it up on your performance reviews and at networking opportunities. Finding the right way to self-promote while being humble is a balance that requires practice—learn to get good at it. Find other women, as we really are our best allies, and this means finding women who will help mentor and grow you, but it also means returning the favor. And finally, pick your battles, because you cannot confront every form of sexism every day. There isn’t enough emotional energy for one person to take it on.

My other piece of advice would be for women to simply call sexist behavior out when they see it. Sure it is awkward, 100 percent, but that awkwardness is temporary. And compared to the damage that unchecked sexism has already had on organizations and women’s culture, I think a little awkwardness is worth it.

I would also try to find the male allies around you. They exist and many of them understand the problem but simply don’t know what to do about it. Talk with them, ask them to back up your ideas, and if they are in a position to make decisions or influence leaders, ask them to represent women in conversations that are relevant.

Finally, I try to approach any issue about sexism and diversity as a coach vs. a critic. If you constantly berate people for doing or saying sexist things, you miss out on the teaching moment. I truly believe some men don’t see the sexist undertones in comments or they have unfortunately created habits that they no longer even question whether they are appropriate. I received a work email…that started out with “Hello Gentlemen.” Instead of getting all uppity, I chose to assume this was just a habit that this person got into because I was a new team member and up until that point, the factory leaders were all men. So I simply pointed it out and let it go vs. believing that the author of the email was a total sexist jerk. A little understanding and coaching go a long way.

A (different) female researcher at Malwarebytes

Yes, I’ve [experienced discrimination], especially in the beginning when I was a volunteer giving support in online forums. A few men didn’t want my help, as they believed that women didn’t fit for this job/work, and were not technical enough. They asked me if I could ask a male volunteer to help them instead. I didn’t want to waste my voluntary time on these people anyway. I ignored them and didn’t respond back.

One case had a twisting outcome, however. While another male volunteer was helping this person, after a few days, he sent me a message and asked if I could jump in and help him anyway. I originally refused and told him I am not technical enough to help him (his words). He then apologized, said he was wrong and misjudged me, and understood if I didn’t want to help him anymore. So I gave in and helped him. This happened more than 10 years ago, and as of today, we still occasionally have contact and share insight/knowledge.

Advice for women in tech

This applies to both those who are interested in working in tech and those who are already in it. From past experiences and the evolution of more women in tech, I’ve noticed that overall, women are well accepted in this previously all-male industry. Just stay yourself and especially don’t let someone run over you (male or female). Respect your peers and stay open and honest with them. Let them know when their behavior isn’t appropriate instead of hiding in a corner in silence. And ask for help if you don’t know how to handle a situation.

Special offer for those who’ve read this far

Thanks for being awesome and reading up on these incredible ladies and their worthwhile advice. As a treat, we’re going to tip you off to a special International Women’s Day offer on Jane Frankland’s book InSecurity: Why a Failure to Attract and Retain Women in Cybersecurity is Making Us All Less Safe. Good through today and tomorrow.


Head of Content, Malwarebytes Labs

Wordsmith. Card-carrying journalist. Lover of meatballs.


Explained: SQL injection


Posted: March 2, 2018 by 

Even though SQL injection is a type of attack that is relatively easy to prevent, it is one of the most common web hacking techniques. So, what’s it all about?

The basics

SQL is short for Structured Query Language and usually pronounced as “sequel.” SQL is a standard language used to query and change the content of databases. It was originally designed to perform business analyses. But with the implementation of product-specific application programming interfaces (API) and the growth of online applications, it quickly became more widely used.

Consider, for example, searching for a certain item in a big online store. What happens behind the scenes is an SQL query on the databases containing products, pricing, and stock. And if you’re logged in as a customer, it might even include some of your preferences.

[Image: Example of a SQL query in a webstore]

SQL injection

SQL injection is something that can happen when you offer the website visitors the option to initiate a SQL query without applying validation of the input. The effects are potentially horrible, since SQL injection might destroy your database or give the attacker access to parts of the database that you do not want publicly known. Attackers could be after personally identifiable information of your customers or the list of your suppliers.

While the most common use of SQL injection is for web applications, this is certainly not the only type of application that is vulnerable to these attacks. Basically, anything that asks for user input and uses a SQL-based database could be compromised this way without proper validation of the input, regardless of whether the input is stored in the database or initiates a query.


SQL injection is possible whenever an attacker can apply a code injection technique. Such openings are called vulnerabilities because they leave the application open to nefarious SQL statements being inserted into an entry field and executed as commands. To execute a SQL injection, the attacker has to find and exploit a security vulnerability in an application, such as user input that is not correctly filtered for string literal escape characters. This filtering is what we call validation: the input is expected to have a certain format and should be rejected or sanitized if it does not match our expectations.

[Image: unsanitized PHP code]

Above is a greatly exaggerated example of completely unfiltered PHP code. The input from the “name” field on the website goes straight into the SQL query. In this code we can’t see what happens with the result of the query, but often it will be displayed in some form on the site. With a little trial and error, an attacker could retrieve the administrator’s username and change his password just by entering a string of valid SQL commands in the “name” field. That is why we call it SQL injection: an attacker can squeeze in his own strings of code.

Possible goals of the attack

There are several reasons why an attacker would use SQL injection.

  • Destruction: For whatever reason, the attacker wants to put the application or site out of business. You may have seen developers reference “drop table” when making fun of SQL-related accidents. The “drop table” command followed by the name of one of the tables in the database will make it delete the entire table with that name. Rebuilding such a table will be time-consuming—if it is possible in the first place.
  • Stealing information: Data breaches, anyone? The impact to your company is, at a minimum, the loss of trust of your customers and could completely put you out of business.
  • Feeding false information: An attacker could raise his credit or lead you to make business decisions based on false information. Both could cost you dearly.
  • Taking over control: An attacker that has control over your database may want to feed you false information, deny your access, or remove valuable information.


Knowing what the attackers are after and which methods are used to attack should help you to prevent successful attacks.

For example, a common method to steal passwords is to trick your search results into displaying them. All the attacker needs to do is find out whether any submitted variables are used in SQL statements without being filtered. Such variables are often used to build the WHERE, ORDER BY, LIMIT, and OFFSET clauses of SELECT statements. The UNION operator combines the result sets of two or more SELECT statements, so if your database supports this construct, the attacker might try to append an extra query to the original one. This query could be used to list passwords or usernames. On top of sanitizing input, using encrypted password fields is another defensive weapon you can use.

Encrypting important data and building some filters to validate the input go a long way. Obviously, the method of validation depends on the application itself and the coding language. Methods of attack that work in PHP might fail in ASP, for example. Excluding certain characters that are unexpected and/or irrelevant in a text field is a good start.

Is it more important to accommodate the customer who wants to be addressed as Mr. & Mrs. Jones, or to avoid the risk of an attacker happily using the “&&” symbols, which are valid syntax in SQL queries and many coding languages? It doesn’t have to be one or the other, by the way. You can accept the input of such characters as long as you make sure they are dealt with before they are added to the query commands.
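To show the unfiltered “name” field from the PHP example above beside its fix, and the point that characters like “&” are harmless once they are handled properly, here is an added example in Python with SQLite (my own code, not from the post). The database, its tables, the probe string and the name validator are all constructed for the demonstration.

```python
import re
import sqlite3


def build_demo_db():
    """Constructed in-memory database: a products table a webstore search would
    query, plus a users table that the search must never expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, price REAL);
        CREATE TABLE users (id INTEGER, username TEXT, password_hash TEXT);
        INSERT INTO products VALUES (1, 'Red Mug', 9.99), (2, 'Blue Mug', 10.49);
        INSERT INTO users VALUES (1, 'admin', 'sha256:constructed-placeholder');
    """)
    return conn


def search_unsafe(conn, name):
    """VULNERABLE: the "name" field is concatenated straight into the statement,
    mirroring the unfiltered PHP code in the post. A quote in the input ends the
    string literal and whatever follows becomes part of the query."""
    sql = "SELECT name, price FROM products WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def search_safe(conn, name):
    """HARDENED: a parameterized query. The value travels separately from the
    statement text, so quotes, '&&' and SQL keywords inside it stay plain data."""
    sql = "SELECT name, price FROM products WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed probe of the kind the post describes: a UNION that tries to append
# a second SELECT against the users table to the original product lookup.
UNION_PROBE = "x' UNION SELECT username, password_hash FROM users -- "


def is_plausible_name(value):
    """Validation layer: a customer name may contain letters, spaces, periods,
    apostrophes, hyphens and ampersands (so "Mr. & Mrs. Jones" passes), with a
    length limit. Quotes, commas, semicolons and underscores are rejected."""
    return re.fullmatch(r"[A-Za-z][A-Za-z .'&-]{0,59}", value) is not None


if __name__ == "__main__":
    db = build_demo_db()
    print("unsafe:", search_unsafe(db, UNION_PROBE))   # leaks the users row
    print("safe:  ", search_safe(db, UNION_PROBE))     # returns nothing
    print("name ok:", is_plausible_name("Mr. & Mrs. Jones"))
```

Validation and parameterization are layered here on purpose: the allow-list rejects obviously malformed input early, and the parameterized query makes sure anything that does get through, ampersands included, is treated as data.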


SQL injection is the placement of unauthorized code into SQL statements and is one of the many web attack mechanisms used by hackers to steal data. It is perhaps one of the most common application layer attacks. Knowing what attackers are after and what methods they are using can help you protect your business from these types of attacks.


Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.


Blast from the past: stowaway Virut delivered with Chinese DDoS bot


Posted: March 1, 2018 by 

Recently, we described an unusual Chinese drive-by attack that was delivering a variant of the Avzhan DDoS bot. The attack also contained multiple components that were not-so-new. Among the exploits, the newest was from 2016. Avzhan is also not a recent malware—the compilation timestamp of the unpacked payload was from August 2015. But there was one more unusual thing that triggered our attention. The outer layer of Avzhan matched the signatures of Virut, a malware that’s been dead in the water since 2013.

At first, it was hard to believe this detection. Who would want to distribute such an old piece of malware, one that is no longer developed and whose CnC servers were sinkholed long ago by Polish CERT? Perhaps the author of the packer in which the DDoS bot was wrapped had incorporated some Virut-like obfuscation?

After further research, it turned out the detection was not wrong. The Avzhan bot carried a genuine Virut along with it. But it is unlikely that the distributors added it intentionally. Rather, the server from which the attack was deployed happened to be infected with Virut. The virus attached itself as a parasite to the distributed DDoS malware and was dropped into new places by the drive-by attack. Interestingly, in 2016 Virut’s code was also found in Chinese cameras. In that case, too, the developers’ computers were infected with Virut, and its code was passed on in this way.

Since Virut has made this unexpected reappearance, we will have a look at how it works in this post.

Analyzed sample

05749f08ebd9762511c6da92481e87d8 – the main sample, dropped by the exploit

Behavioral analysis

Virut behaves like a typical, old-fashioned infectious virus. As we observed, samples infected by Virut always crashed on 64-bit systems.

However, when deployed in a 32-bit environment, Virut spread like wildfire, trying to infect every executable it could reach by attaching its own code. Virut’s code is polymorphic and designed with great care, so the infection patterns are not easy to grasp. Often (if there is enough space), Virut adds a new, empty section with a random name, for example:

If there is no space for a new header in the input file, this step is omitted. So, the absence of the added section does not guarantee that the file is clean. Another suspicious indicator may be that the last section is set to RWX (Read-Write-eXecute).

Virut changes sizes of the sections and the entry point of the application in order to redirect to its own code. After the malicious code is deployed, the original entry point is executed. So, from the user’s point of view, the infected application works as before.

In addition to infecting files on the disk, Virut attacks running processes as well. So, even if the first infected process was killed, the malicious code keeps running in the memory.

The malware uses some hardcoded CnC addresses, as well as a DGA (Domain Generation Algorithm). Looking at the network traffic, we can see that the queried domains follow the pattern of six letters before .com: 6{a-z}.com

Due to the fact that the full infrastructure of Virut was sinkholed, none of its CnC servers are active.


Infection patterns

As mentioned before, Virut’s code can mutate—each infection looks different. Some of the chosen patterns depend on the features of the input.

In PE files, each section must be aligned to the minimal unit that is indicated by a file alignment field in the PE header. This is why sometimes there is an empty space between one PE section and the other, filled only with padding. This empty space is called the cave. Old infectors often used this space to implant their own code. This is what Virut also tries to do.

In the example below, a cave after the .text section has been filled with malicious code:

Depending on the input, there may not be sufficient caves between sections. Then, Virut adds its code just at the end of the last section:

But this is not the only thing that impacts the features of the infection. The code generated by Virut is polymorphic, so the same file will not be infected twice in the same way. Below is a comparison of code from the same application, infected by Virut in two different runs:
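To make the infection indicators described above concrete, here is an added example (my own code, not from Malwarebytes or the post) that reads the PE section table with the Python standard library and flags the three signs the post names: a last section marked RWX, a last section with an uncommon name, and an entry point that lands in the last section. The PE headers it inspects are constructed inside the block as header-only stand-ins, not real infected files, and the thresholds are heuristics, not signatures.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE
RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RWX = RX | IMAGE_SCN_MEM_WRITE

# Section names a normal toolchain emits; an unfamiliar name on the LAST section
# is what the post describes as Virut's added random-name section.
COMMON_NAMES = {".text", ".data", ".rdata", ".rsrc", ".reloc", ".idata",
                ".edata", ".bss", ".tls", "CODE", "DATA"}


def parse_sections(data):
    """Return (entry_point_rva, [section dicts]) from the headers of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    # AddressOfEntryPoint sits at offset 16 in both PE32 and PE32+ optional headers.
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + 40 * i
        name, vsize, vaddr, rawsize, _rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
                         "chars": chars})
    return entry, sections


def virut_style_indicators(data):
    """Heuristic triage: list the file-infector signs the post describes."""
    entry, sections = parse_sections(data)
    findings = []
    if not sections:
        return findings
    last = sections[-1]
    if last["chars"] & RWX == RWX:
        findings.append("last section %r is RWX" % last["name"])
    if last["name"] not in COMMON_NAMES:
        findings.append("last section has unusual name %r" % last["name"])
    span = max(last["vsize"], last["rawsize"])
    if len(sections) > 1 and last["vaddr"] <= entry < last["vaddr"] + span:
        findings.append("entry point 0x%x lies in last section %r" % (entry, last["name"]))
    return findings


def build_pe_header(sections, entry_rva):
    """Constructed header-only PE32 image for the demonstration (not a real file).
    sections: list of (name, virtual_address, size, characteristics)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    size_opt = 224                                              # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                  # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    size, vaddr, size, 0, 0, 0, 0, 0, chars)
        for name, vaddr, size, chars in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples: a clean layout, the "new random-name section" pattern, and
# the "code appended to the last section, entry point redirected" pattern.
CLEAN = build_pe_header([(".text", 0x1000, 0x2000, RX), (".data", 0x3000, 0x1000, RW)], 0x1100)
NEW_SECTION = build_pe_header([(".text", 0x1000, 0x2000, RX), (".data", 0x3000, 0x1000, RW),
                               ("qwkzop", 0x4000, 0x800, RWX)], 0x4010)
APPENDED = build_pe_header([(".text", 0x1000, 0x2000, RX), (".data", 0x3000, 0x1000, RWX)], 0x3F00)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("new section", NEW_SECTION), ("appended", APPENDED)):
        print(label, virut_style_indicators(sample))
```

As the post notes, a missing extra section proves nothing, which is why the check also looks at the last section's protection and at where the entry point lands.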

Virut’s shellcode

The code appended to the infected files is an initial stub that unpacks Virut’s shellcode in memory. That shellcode is the heart of the malware. This is how the unpacked shellcode looks:

The same code is also injected into other processes. It is implanted in a new page in the memory. Example:

The shellcode contains the functionality of a userland rootkit. It hooks NTDLL within every infected process so that each time one of the hooked functions is called, execution is redirected first to Virut’s implant. There are seven functions that are hooked:

  1. NtCreateFile
  2. NtCreateProcess
  3. NtCreateProcessEx
  4. NtCreateUserProcess
  5. NtDeviceIoControlFile
  6. NtOpenFile
  7. NtQueryInformationProcess

Below you can see an example of the hooked function NtCreateFile. As you can see, the first instruction is a call to the malicious memory page:

And this is how the code looks that is being called:

We also find the lists of AV products that Virut uses to check whether it is running in a controlled environment:

Apart from the rootkit, it contains the code responsible for communication with the CnC. For example, among the embedded strings we found IRC commands that suggest that IRC was part of Virut’s communication:

List of command patterns:

NICK nrmbhoz
JOIN #.%d
DSTAMP %s%02d%02d

There are also hardcoded addresses of the CnCs. Two servers are static and always occur in Virut samples (both of them are sinkholed by Polish CERT):


But we can also see the domains generated by Virut’s DGA:

While the code infecting the file mutates, the injected shellcode has a pretty consistent structure. If we compare dumps from two different processes, we find that most of the code is the same.


Nowadays, such old viruses are mostly forgotten, but that doesn’t mean we are fully safe from them. Fortunately, most AV products can detect viruses like Virut by their signatures – but the people who decided not to use AV may still become their victims.

Even though their command-and-control infrastructure is dead, old infectors can still roam around. There are old servers in the world that are left infected with old viruses such as Virut or MyDoom. On our honeypots, we regularly get spam sent from such abandoned bots.

Yet it is unusual to encounter an old virus in the wild delivered by a modern-style drive-by attack. We never know how an old threat may get blended with a new one. This time we were lucky: the attack was simple, with a small reach.

Malwarebytes detects this DDoS bot binary as Trojan.Bayrob.



Malware Intelligence Analyst

Unpacks malware with as much joy as a kid unpacking candies.


How to protect your computer from malicious cryptomining


Posted: February 27, 2018 by 
Last updated: February 26, 2018

Noticing that your computer is running slow? That has always been a telltale sign of infection, and these days it seems doubly true. The reason: malicious cryptomining. So, what, exactly, is it? We’ll tell you how bad this latest malware phenomenon is for you and your computer, plus what you can do about it.


Malicious cryptomining, also sometimes called drive-by mining, is when someone else is using your computer to mine cryptocurrency like Bitcoin or Monero. But instead of cashing in on your own computer’s horsepower, the collected coins go into the other person’s account and not yours. So, essentially, they are stealing your resources to make money.

Cryptomining can sometimes happen with consent, but unfortunately these occasions are rare.

[Image: Salon.com gave its site visitors the choice to view ads or let it mine their computers]

How bad is it?

If the duration of the cryptomining is not too prolonged and you are aware of what is going on, then it’s not that big a deal for regular computer users. When you are not aware of the mining activity—which is the majority of the time—it is a theft of resources. This is because cryptomining takes advantage of your computer’s Central Processing Unit (CPU) and Graphics Processing Unit (GPU), running it at higher capacities. Imagine revving your car engine or running your air conditioning while driving up a steep hill.

If cryptomining is too prolonged and running at, or near, the maximum of what your computer can handle, it can potentially slow down every other process, shorten the lifespan of your system, or ultimately brick your machine. And obviously, any malevolent threat actors want to keep using as many of your resources for as long as possible.

Finding the origin of the high CPU usage can be difficult. Processes might be hiding themselves or masking as something legitimate in order to hinder the user from stopping the abuse. And as a bonus to the cryptominers, when your computer is running at maximum capacity, it will run ultra slow, and therefore be harder to troubleshoot. Besides the theft and the slow, possibly damaged computer, being cryptomined could also make you more vulnerable to other malware by introducing additional vulnerabilities to your system, like in the case of the Claymore Miner.

Local or website?

When you notice high CPU usage and suspect it might be malicious cryptomining, it is important to know whether the mining is being done in your browser or whether your computer itself is infected. So the first thing to do is to identify the process that is gobbling up your resources. Often the Windows Task Manager or macOS’s Activity Monitor is enough to identify the culprit. But, as in the example below, the process may have the same name as a legitimate Windows file.

[Image: Task Manager showing taskhostw]

In case of doubt about the legitimacy of the process, it is better to use Process Explorer, which allows you to see the parent process (what started the suspicious process) and the location of the file. In the same example as we used above, Process Explorer shows you the path is different from the legitimate Windows file and the parent process is strange.

[Image: Process Explorer showing taskhostw]

And if you have the VirusTotal check enabled, you will see that the file itself and the parent are widely detected. (The Chrome detection 1/66 is a false positive by Cylance). Knowing this, you can stop the process to speed up your system and then start working on removing it.
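The check described above (same name as a Windows binary, wrong path, strange parent) can be scripted over a process listing. Here is an added example (my own code, not from the post) that runs the triage logic over a constructed process snapshot; the reference table of expected paths and parents is an assumption for the demonstration and should be built from your own clean images.

```python
import ntpath

SYSTEM_DIR = r"C:\Windows\System32"

# Reference table (constructed assumption): where a binary with this name should
# live and which processes normally start it. Extend it from a known-good machine.
EXPECTED = {
    "taskhostw.exe": {"dir": SYSTEM_DIR, "parents": {"svchost.exe"}},
    "svchost.exe":   {"dir": SYSTEM_DIR, "parents": {"services.exe"}},
    "services.exe":  {"dir": SYSTEM_DIR, "parents": {"wininit.exe"}},
}


def triage(snapshot, cpu_threshold=50.0):
    """Flag high-CPU processes whose name matches a reference binary but whose
    on-disk path or parent process does not, plus high-CPU processes the
    reference table does not know (browsers, for instance) for manual review.
    Returns a list of (pid, reason) tuples in snapshot order."""
    by_pid = {p["pid"]: p for p in snapshot}
    findings = []
    for p in snapshot:
        if p["cpu"] < cpu_threshold:
            continue
        name = ntpath.basename(p["path"]).lower()
        rule = EXPECTED.get(name)
        if rule is None:
            findings.append((p["pid"], "high CPU from %s, not in reference table; "
                                       "check by hand (a browser tab or extension "
                                       "may be responsible)" % p["path"]))
            continue
        reasons = []
        if ntpath.normcase(ntpath.dirname(p["path"])) != ntpath.normcase(rule["dir"]):
            reasons.append("path %s is not under %s" % (p["path"], rule["dir"]))
        parent = by_pid.get(p["ppid"])
        parent_name = ntpath.basename(parent["path"]).lower() if parent else "<missing>"
        if parent_name not in rule["parents"]:
            reasons.append("parent %s is unexpected" % parent_name)
        if reasons:
            findings.append((p["pid"], "; ".join(reasons)))
    return findings


# Constructed snapshot: a normal service chain, one impostor taskhostw.exe started
# from a user-writable folder by an unknown parent, and a busy browser.
SNAPSHOT = [
    {"pid": 600,  "ppid": 500,  "path": r"C:\Windows\System32\services.exe",  "cpu": 0.5},
    {"pid": 900,  "ppid": 600,  "path": r"C:\Windows\System32\svchost.exe",   "cpu": 1.0},
    {"pid": 1200, "ppid": 900,  "path": r"C:\Windows\System32\taskhostw.exe", "cpu": 2.0},
    {"pid": 3333, "ppid": 1,    "path": r"C:\Users\Public\dropper.exe",       "cpu": 0.0},
    {"pid": 4444, "ppid": 3333, "path": r"C:\Users\Public\taskhostw.exe",     "cpu": 97.0},
    {"pid": 5000, "ppid": 1,    "path": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cpu": 85.0},
]

if __name__ == "__main__":
    for pid, reason in triage(SNAPSHOT):
        print(pid, reason)
```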

Finding the offender, however, is harder when the process is a browser like in the example below.

[Image: Task Manager showing Chrome]

Of course, you can simply kill the process and hope it stays away, but knowing which tab/site was responsible does give you information that can help you keep it from happening again. Chrome has a nifty built-in tool to help you with that. It’s called the Chrome Task Manager. You can start it by clicking “More Tools” in the main menu and choosing “Task manager” there.

[Image: Chrome Task Manager]

This Task Manager shows the CPU usage of the individual browser tabs and of the extensions, so if one of your extensions included a miner, this will show up in the list as well.

[Image: Chrome Task Manager list]

Note that the Chrome Task Manager sometimes shows over 100 CPU usage, so I’m not sure whether it’s a percentage.

An alternative method that can also be used in other browsers is to disable extensions and close tabs in reverse historical order. If disabling an extension does not help, it’s easy to re-enable it. And if closing a tab does not help, you can use the “Reopen last closed tab” option in browsers that have this option, such as Opera, Chrome, and Firefox.

[Image: Firefox’s reopen last closed tab is called “Undo Close Tab”]

How to protect against cryptomining

Malwarebytes stops the installation of many bundlers and Trojans that drop cryptominers on your system. We also block the domains of the most abused scripts and mining pools.

[Image: Coinhive block]

Another option, if you don’t have Malwarebytes, is to block JavaScript in the browser that you use to surf the web, but this could also block functionality that you like and need.

If you want more specialized blocking capabilities there are programs like “No Coin” and “MinerBlock” that block mining activities in popular browsers. Both have extensions for Chrome, Firefox, and Opera. Opera’s latest versions even have NoCoin built in.

[Image: Opera NoCoin protection]


Cryptomining can be done locally on the system or in the browser. Knowing the difference can help you remediate the problem, as both methods require different forms of protection. The solutions are almost as popular as the problem, so choose wisely, as there may be frauds out there trying to grab a portion of the market.


Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.
