DHS/FBI Ransomware Alert

Standard

The Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the Federal Bureau of Investigation (FBI) are issuing this activity alert to inform computer network defenders about SamSam ransomware, also known as MSIL/Samas.A.

The SamSam actors targeted multiple industries, including some within critical infrastructure. Victims were located predominately in the United States, but also internationally. Network-wide infections against organizations are far more likely to garner large ransom payments than infections of individual systems. Organizations that provide essential functions have a critical need to resume operations quickly and are more likely to pay larger ransoms.

SamSam

You may review the entire DHS/FBI alert here.

This threat is primarily targeting Remote Desktop Protocol (RDP) ports and systems.  The primary recommendation is close these ports or layer in two-factor authentication, at a minimum.  Onepath, the firm I work for, never recommends leaving RDP ports open to the Internet.  They should only be accessed from behind a firewall, through a VPN and always secure with two factor authentication.

The following are specific recommendations contained in this alert.  I strongly support each of these recommendations.  If you are unsure if your company is properly protected, reach out to your IT department or IT partner immediately to assess your vulnerability.

DHS and FBI recommend that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. System owners and administrators should review any configuration changes before implementation to avoid unwanted impacts.

  • Audit your network for systems that use RDP for remote communication. Disable the service if unneeded or install available patches. Users may need to work with their technology venders to confirm that patches will not affect system processes.
  • Verify that all cloud-based virtual machine instances with public IPs have no open RDP ports, especially port 3389, unless there is a valid business reason to keep open RDP ports. Place any system with an open RDP port behind a firewall and require users to use a virtual private network (VPN) to access that system.
  • Enable strong passwords and account lockout policies to defend against brute force attacks.
  • Where possible, apply two-factor authentication.
  • Regularly apply system and software updates.
  • Maintain a good back-up strategy.
  • Enable logging and ensure that logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
  • When creating cloud-based virtual machines, adhere to the cloud provider’s best practices for remote access.
  • Ensure that third parties that require RDP access follow internal policies on remote access.
  • Minimize network exposure for all control system devices. Where possible, disable RDP on critical devices.
  • Regulate and limit external-to-internal RDP connections. When external access to internal resources is required, use secure methods such as VPNs. Of course, VPNs are only as secure as the connected devices.
  • Restrict users’ ability (permissions) to install and run unwanted software applications.
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.

Finally, here is a link to Onepath’s blog post on this matter.

More Data Breaches, Just In Time For The Holidays

Standard

The following was published in today’s Foster’s and Seacoast Sunday.

If you’ve been paying attention to the news over the last few days, you know that both the Marriott hotel chain and New England’s own Dunkin Brands, parent of Dunkin Donuts, have announced significant data breaches.

Let’s start with the breach at Marriott. There are several worrisome things about this breach. First and foremost, early reporting is indicating that this breach may have been underway for four years, beginning sometime in 2014. This speaks to the sophistication of hackers, in that they are able to gain access to a target network and take up residence, undetected for extended periods of time. This allows hackers to harvest untold troves of data from the targeted company, in this case Marriott.

Here is what we know about this breach. The attack targeted Marriott’s Starwood Preferred Guest rewards program database. This encompasses the Marriott brands including Aloft, Design Hotels, Element, Le Méridien, Sheraton, St. Regis, The Luxury Collection, Tribute Portfolio, W Hotels and Westin. If you have stayed at one of these brands, you could be impacted.

The data exposed in this breach is also a significant concern. Early estimates indicate the private information of as many as 500 million guests may be exposed. This includes personally identifiable information potentially including passport numbers, which is a major concern. Names, mailing and email addresses, phone numbers, account numbers, reservation details and more may have been breached.

Marriott uses advanced encryption algorithms for payment card data, so the hope is that the hackers may not be able to decrypt that data and gain access to credit, debit and bank account details. Regardless, if you have stayed at a Marriott property and may have an account in the Starwood guest system, you should keep very close watch on your accounts and enable any and all fraud alert features available to you.

You should obviously change your password if you have a login to any of the Marriott brand websites. And if there is any chance that you have used the same password for other accounts, you are best to change those account passwords as well.

Now let’s turn to Dunkin Donuts and its DD Perks rewards program. This one is a bit interesting in that Dunkin Brands, the parent company of Dunkin Donuts is not saying it experienced a data breach. Rather, it is saying other data breaches may have exposed usernames and passwords that may have given hackers access to come DD Perks accounts.

The company is warning customers who are DD Perks members or use their mobile app to pay for purchases at their stores, that their accounts may be exposed. The company is also saying this issue only impacts a small percentage of customers. Here’s hoping.

Time will tell how widespread the Dunkin issue is. As with the recommendations above, if you are a DD Perks member or use the mobile app, you should change your password immediately and closely monitor your linked payment accounts.

I expect far more details on each of these breaches will be coming out in the days and weeks ahead. With online shopping and mobile apps becoming more and more prevalent every day, you need to take prudent steps to protect yourself. These breaches will unfortunately continue. It’s up to each of us to take advantage of every available precaution to safeguard ourselves for the collateral damage that these breaches bring. I know I’m a broken record, but start by using a unique password for each and every account that you have.

Marriott and Dunkin Data Breaches

Standard

If you’ve seen the news this morning, Marriott has confirmed a massive databreach of their Starwood rewards program database.  The breach may have exposed extremely sensitive information including Passport and payment card data.

If you are a registered member in the Marriott or Starwood systems, you should immediately change your password and monitor your accounts very closely, as a precaution.  It appears this breach may have been ongoing for several years.  More to follow as details come in to focus.

Also today, Dunkin Brands announced a breach of its DD Perks program.  If you are a DD Perks member, same drill.  Change your password and monitor your linked accounts closely.

You should never use the same password for multiple accounts, so if you do, pay special attention to those other accounts that use the same password.  Change those too, enable multi-factor authentication wherever possible and put alerts on your bank and credit accounts, so you get an alert for every transaction.  It may be your only way to catch anything suspicious.

I will update with more information as the details for both of these breached become more clear.

Net Neutrality Day Of Action!

Standard

Cover_Time

Congress has until the end of this session to reverse Ajit Pai’s net neutrality repeal — afterwards, it gets way harder to restore protections against blocking, throttling, and new fees. So we’re bringing together tech companies, small businesses, and Internet users for an epic push on November 29th to pressure lawmakers into signing the Congressional Review Act resolution to restore net neutrality before it expires.

Already today, one member of Congress has come over to voice their support.  Add your name to the list by clicking the image above to add your name to the list!

SupportNN

Alert for Citizens Bank Customers

Standard

We were recently the victims of check fraud with Citizens Bank.  The way this fraud took place and the manner in which the bank responded are the reason for this post.  This is a warning to all Citizens Bank customers.

Here is what happened.

In one case, my wife wrote a check, which was handed to the payee who deposited the check at their bank and it properly cleared.  Six days later, a check in the same amount was paid by our bank not once, but twice on the same day.  Here’s what Citizens Bank failed to flag:

  1. Two checks, one number apart, for the same exact amount deposited on the same day.
  2. These two checks were obvious photocopies.
  3. These two checks where hand written except for the payee, which was typed in.
  4. Below the written out amount line, a payee address was typed in.
  5. The day and month on the date line are written in different handwriting.
  6. The check number was typed in and not pre-printed.  It was also out of position.
  7. The security border and other check features are missing.

All of this was missed by the banks mobile deposit and verification systems.

In a second case, on a different account, an electronic check was entered online and sent to the payee.  This check was received and deposited by the intended recipient and paid properly.  Three months later, within the same time window as the first event, checks in the exact same amount were deposited and paid by Citizens Bank, three times on one day, one time the next day and two more times the day after that.  That is six identical transactions over three days that were not flagged by Citizens fraud department.  Here is what Citizens Bank failed to flag in this instance:

  1. Once again, the fake checks were photo copies.
  2. The six check numbers were within a range of thirteen numbers.
  3. The font of the check date, payee and address were different from the rest of the check.
  4. Security features of the check were missing from the duplicates.

This was all missed by Citizens Bank mobile deposit and check verification systems.

One account also had two ach withdrawals to pay a credit card one day apart with no transaction number recorded.

I noticed the check fraud one evening while doing normal maintenance on our accounts.  I immediately went to a local branch that is open late.  I was informed that this is happening “all the time” and that it’s a “huge issue” for the bank.  The local staff was very helpful and supportive and walked us through the required paperwork to file claims for the fraud and the freeze our accounts and get new ones opened.  The paperwork was cumbersome and required a few trips back to the branch to complete.  We were told that becuase this was obviously not our fault, the bank would return the funds lost.  We were told the bank has 10 business days, by law, to research the matter and let us know when we will get our funds back.  We are at 14 business days and counting with no contact from the bank.

To add insult to injury, it was our responsibility to call the banks online department to have our online profiles deleted and to setup new ones so we could access the new accounts and see our history, which is now frozen from the impacted accounts.  We did that, but only were given one online ID for me.  My wife had to call and get her own online access set back up.  Imagine our absolute disgust, when she called to do so and found out that Citizens had “randomly” set her up with a new online account the day after we froze our accounts and that her new usersname was her Social Security Number, plus one letter.  Yes, you read that right.  Citizens Bank setup a customer with an online usersname that was their Social Security Number!  Unbelievable!  Grossly negligent.  We never authorized nor requested this to be done and yet it was.  Worse, the “temporary” password was “welcome1.”  Hardly anything secure.

Needless to say, we no longer trust that Citizens Bank is a safe place for our money or our family members.  If you or anyone you know is a customer of Citizens Bank, watch your accounts closely and be certain that your online passwords are highly secure.

Speaking of passwords, Citizens Bank does not allow truly complex passwords.  They do not allow any symbols, only upper and lower case characters and numbers.  The vast majority of my small business clients have more secure password policies.  For a financial institution, they should be ashamed.

I will be reporting our experience to the State Banking Commission as something is very wrong with the control within the bank and the public needs to know and be protected.    I can’t imagine we are the only victims and can only hope that others have not had the run around we have.  Citizens used to be a great bank.  We’ve been customers for decades, but these security lapses are inexcusable.

 

The Best Tech For Your Black Friday List

Standard

The following was published in the November 21st editions of Foster’s and The Portsmouth Herald.  Due to family circumstances, I am just getting around to posting this now, but with many Black Friday deals still in effect, you will hopefully find this helpful.

Editor’s note: As is an annual Thanksgiving week tradition, we present technology columnist MJ Shoer’s high-tech holiday shopping guide.

There is no shortage of excellent tech available for those on your gift list this year. So, without further ado, here are some recommendations for those special people on your gift giving list this year.

SamsungSmartTV.png

If you find yourself in the market for a new TV, there really is no better option than a Samsung SmartTV. With sizes as large as 55 inches for less than $500 for 4K ultra high definition, these are more affordable than ever this year. One of the reasons I like Samsung so much is that out of the box, they are ready to cut the cord should you so desire. The Samsung interface is intuitive and easy to use, which is important if you intend to wade into the world of streaming.

Speaking of streaming, give the gift of YouTube TV. It’s the best option out there if you are looking for local stations, as well as streaming options for a mere $40 per month. You can set up to five users on the same account, so it’s great for families. Premium channel options are also inexpensive to add on an as needed basis with no long-term commitment.

Add an Amazon Fire Stick, if you are a Prime member, or Roku Streaming stick to your SmartTV and there should be nothing you will not have that you didn’t with your ever more expensive cable TV subscription. Sorry Comcast, this ship has sailed.

Speaking of Amazon, if you are in to Amazon’s Echo, Dot and Show devices, Amazon has promised a Black Friday sale that will make your wallet happy. If you want to give someone the gift of voice and video control of the home, Amazon is the best in the business.

With both Apple and Samsung releasing the latest versions of their popular iPhone and Galaxy smartphones, I’m sure these will be on many lists. If you do gift a smartphone, or know someone with one, consider a pair of touch-screen winter gloves as a practical gift. These gloves allow touch-screen smartphones to be used without removing the glove. If you want to protect your loved one from frostbite while they reply to all those urgent texts, these are a great gift. North Face makes a wide variety of touch capable gloves that are good looking and affordable. If you want to go for broke, spring for a $150-plus pair from Canada Goose.

If a smart home is on your list, options from Nest, Ring, Simplisafe and Abode are better than ever. You can turn these into home surveillance, security, lighting, appliance, leak alert, smoke, fire and carbon monoxide alerts and more. It’s easier than ever and the prices continue to come down, so this year is a great year to give the gift of a smart home.

While you may think setting up a smart home is expensive, you can get the ball rolling for well under $50 with smart light bulbs, WiFi cameras and plugs from a variety of manufacturers. Check out all the options, either online or at stores like Best Buy, Home Depot or Lowe’s.

Who doesn’t like to get a pair of wireless headphones or noise cancelling headphones for the holidays? Bose remains my brand of choice, but they are not for everyone, primarily due to cost. If you take care of your headphones and don’t look for the latest and greatest every year, they are a solid investment with unmatched sound, but there are very good options available for less money. Brands like JayBird, JBL, Jabra and more offer similar products. My advice is to go to your local electronics store and test them out and see what you think. For the serious traveler on your list, there is simply no better option than Bose QuietComfort QC 35 II’s. Just be prepared for it to use up a lot of your gift giving budget.

Wireless speakers are also an excellent gift. Who doesn’t want to have a great sounding wireless speaker? Just remember, if you’re on the ski slopes or out in public, no one wants to hear your tunes. That’s why the headphone recommendation came first. But in the privacy of your own home, check out the options from Bose and JBL. The sound is impressive.

Some additional more budget-friendly recommendations may be things like a Logitech Bluetooth keyboard to make typing on a smartphone or tablet more convenient. Logitech has always been an innovator with their wireless keyboards and their latest versions are no exception. They are small, lightweight and inexpensive.

With wireless charging finally becoming mainstream, consider a wireless charger for those on your gift list. The handy little docks make it easy to charge a compatible smartphone and you won’t have to worry about losing your cables all the time.

In years past I have recommended certain computers, gaming systems and smart watches. The market is so diverse this year, it really is hard to make these recommendations. I’m sure most of you have your preferences for each. All the manufacturers update their product lines for the holiday shopping season, so whether you are looking for a Windows or Mac computer, an Xbox, Play Station, Apple Watch or FitBit, check out the available models and make your selection. No matter what you choose, the recipient of your gift will surely be thrilled.

I could fill the pages of this paper with more recommendations. Hopefully, these ideas will help you get through your holiday shopping a little earlier. Thank you for your continued readership.

Is Your Tech Ready For Winter?

Standard

I have not been blogging much over the last two weeks due to a personal matter that has consumed my time.  I did however publish the following in yesterday’s Foster’s and Seacoast Sunday.  I hope to be back to regular blogging over the next week or so.

WinterTechWith the colder temperature, stronger winds and early snow, it’s all a good reminder that you should be prepared for winter weather events, especially as the snow flies.

Making sure you workforce is prepared for snow emergencies is one of the simplest things you can do. Even if you are still maintaining a traditional on-premise IT infrastructure, where your servers and all of your business applications reside within your office, it’s easier than ever to provide secure remote access for your team. When the snow is flying, or the roads are icy, people should be able to easily work from home and maintain near complete productivity. They key is how you have things setup.

With on-premise infrastructure, one of the most important elements, and surprisingly often overlooked elements, is power. Power outages are common during major snowstorms and even if you rarely lose power, you still need to be concerned about even the briefest interruption. The best option for this is a generator, but not every business can afford a generator. Next best is sufficient UPS, uninterruptible power supply, backups. These batteries will keep the infrastructure running and properly shut it down when the battery becomes low. UPS’s, properly configured, will also safely power systems back up when utility power is restored. WSecure remote access to all of these systems has really become the defacto standard. You may notice that more and more of the applications you use seem to run in a web browser. When you look at the address, the URL of the application, you will see https indicating the application runs securely over the Secure Sockets Layer protocol, encrypting all of the information exchange between your computer and the application, where ever it resides. Even if you are using a locally installed application that runs on your computer it’s likely using a secure protocol to connect.hile a good option, UPS’s with sufficient battery capacity are expensive, so you may only be able to keep things running for tens of minutes and not throughout an event.

This is where hybrid systems that leverage the Cloud are really the way to go. With critical business systems in the Cloud, coupled with an appropriate on-premise component, your business will be able to survive even the longest of outages, whatever the cause. Most businesses have already moved their email to the Cloud, so what tends to be the most critical communication component will keep working. Organizations that have installed Cloud hosted Voice over IP phone systems are also able to maintain their telephone services during outages like we are talking about. And when your most important business applications are also hosted in a Cloud data center, you will be able to work as if you were sitting at your desk, from wherever you may find yourself. This is the ideal scenario.

Secure remote access to all of these systems has really become the defacto standard. You may notice that more and more of the applications you use seem to run in a web browser. When you look at the address, the URL of the application, you will see https indicating the application runs securely over the Secure Sockets Layer protocol, encrypting all of the information exchange between your computer and the application, where ever it resides. Even if you are using a locally installed application that runs on your computer it’s likely using a secure protocol to connect.

Additionally, you may have a secure Virtual Private Network, or VPN, that you use. VPNs secure your internet traffic by encrypting everything, ensuring all traffic from your computer is secure. VPNs have become pretty standard fare and while they used to be a bit cumbersome to work with, that is not longer the case.

One other little thing to be aware of: As temperatures fall, battery life decreases. Batteries last longer in warmer temperatures, so especially when you are outdoors, be mindful that your smartphone battery may discharge a bit more quickly in the cold weather. Battery technology continues to improve, so it’s not nearly as problematic as it used to be, but be aware it may happen, especially as your batteries age.

Missing IT Nation

Standard

This week marks the annual IT Nation industry conference.  I have attended the annual IT Nation industry event for all but one time, the second year when I had a personal conflict and was unable to be there.  Back then, ConnectWise and their partner community were still small and Arnie Bellini, the CEO of ConnectWise sent me a box with all of the event content and give aways the week after, so I wouldn’t miss out on the learning opportunity.  This year will mark only the second time I have missed the event since it’s inception as the ConnectWise Partner Summit in the early 2000’s.

ConnectWise is one of the leading Professional Services Automation platforms in the IT industry.  It’s the CRM, MRP, Accounting, Procurement system and more for companies that provide IT services globally.

As this event has matured, from the ConnectWise Partner Summit to IT Nation to now IT Nation Connect this year.  From the event About page:


Connections, Opportunities & Know-How to Accelerate Your Success

IT NationIT Nation 2018 welcomes technology industry leaders and professionals from around the world to experience three impactful days of speakers, sessions, and networking focused on business best practices, thought leadership, and growth.


I will miss being there this year.  I always came back from this event with several actionable items to implement in our business to make us better and serve our clients better.  Events like this are important opportunities to not just hear from key vendors in the business, but to share best practices and learn from peers.  It’s also an opportunity to share some of our successes, to help others and to be known as a member of this business community.  Some of my closest confidants and friends in the industry were met at this event over the years.  We stay in touch throughout the year and look forward to seeing one another at one or two events like this throughout the year.

It’s not uncommon for my phone to ring several times a year and have it be a friend I met at IT Nation, checking in and catching up.

To all my industry friends, I will miss seeing you this week.  I hope you all have an amazing week at IT Nation.  And please, once you settle back in and process what you learned this week, give me a call and share.  I’d love to hear all about it and will gladly share what’s happening over here with me 🙂

Be Cyber Vigilant All Year Long

Standard

Usernam

The following was published in yesterday’s Foster’s and Seacoast Sunday.

If you are a regular reader on my articles, you know October was National Cybersecurity Awareness Month. I have written about this for several years now and include links to resources to help you remain secure online. Now that we are in November, the hope is that these issues do not fade from the forefront.

If you’d like to review the various resources available from National Cybersecurity Awareness Month, visit https://staysafeonline.org/ncsam and review the Resources link for a wealth of information, tips and more.

Especially with election season in full swing, everyone should have a heightened awareness of cyber threats. Hopefully, you are well aware you should be suspect of just about everything you see posted on social media, even from your “friends.” Unless your “friend” is someone you know extremely well, you should be suspect of anything they post, especially links to “news.” Take the time to verify what you read online, don’t just take it for granted. Sites that seem quite legitimate may be facades for radical groups or even foreign actors looking to influence our elections and social discourse.

It’s not at all difficult to validate sites and check news for credible sources and reporting. Organizations as diverse as NPR, AARP and many, many others offer several suggestions to help you validate the source of your news. I encourage you to invest a little extra effort to verify what you read as news and be sure you are making decisions based on credible, verifiable sources. It’s more important than ever.

Hopefully, you read and took heed of some of the key themes of this year’s National Cybersecurity Awareness Month. One of the most basic themes was Lock Down Your Login. This is so easy to do, yet the most often overlooked thing to do. Simple usernames and passwords are the most used method to hack into networks and steal data and identities. These credentials are just too easy to break through. You should not be using passwords that are easy for you to remember, as if it is, it’s likely a hacker will be able to guess it or use tools to brute force their way through it and compromise your account.

Passwords should be replaced with passphrases, a sentence or collection of words that are easy for you to recall, but not easily breached. I’ve written about this a lot over the years, both here in the paper and online in my blog at https://mjshoer.com. Use a combination of letters, numbers and symbols, replacing letters in the phase with numbers and symbols where it makes sense. You should also be using multi-factor authentication everywhere it is available. Your bank, personal and corporate email and just about every online site you log into should support multi-factor authentication. Use it. Newer computers running Microsoft Windows 10 support facial recognition to login, enable it. Almost every portable computer has a finger print reader, use that. Just do it, as the famous Nike advertising campaign says.

Finally, though nothing is ever final when it comes to matters of cybersecurity, stay ever vigilant of phishing email campaigns. Don’t click links or open attachments you are not 100 percent certain of. If you get shipping documents, invoices or other attachments you are not accustomed to, don’t open them until you call the sender and verify they actually sent it. Same for links within email messages. Hover over the link and verify that the link is going to a valid domain associated with the company that sent the email. This is one of the easiest ways to spot a phish. Same for the senders email address.

Check carefully to be sure the senders name is not misspelled, even by just one letter. Check the name and check the email address attached to the name. These are simple steps that you should familiarize yourself with and regularly practice to stay safe online.

Please Use a VPN on Public WiFi

Standard

I’m sure you’ve heard the term VPN, which stands for Virtual Private Network.  Most people are familiar with it in the context of connecting remotely to their work network.  For those that aren’t familiar with a VPN, here’s a word picture I often paint to describe what a VPN does.

VPNThink of a four lane highway as the public Internet.  All the cars traveling on this highway are equivalent to each person’s Internet traffic.  As one car passes another, you can look at or in the car and possible see some of what’s there.  This is akin to unencrypted traffic traveling across the Internet, it can be seen and watched by others.  This is why sending sensitive information across the Internet is not safe, as it may be seen by those it’s not intended for.  When you use a VPN, your Internet traffic is sent across an encrypted connection.  Think of an encrypted connection as being like those pictures you see in Car and Driver Magazine when they publish “spy” reports on the next model year of vehicles.  The vehicles are typically wrapped to conceal what they actually look like and the windows may be tinted so darkly that you can’t see inside.  This is like encrypted traffic on the Internet.  You know it’s there, but you can’t tell what it is.  When you establish a VPN, it’s even better.  It’s like putting a tunnel over one of the four lanes on the highway.  The “public” traffic is happily driving along three of the lanes, able to see one another and get where they are going.  The traffic that is being sent across the VPN is being sent in the new tunnel that has taken over one of the lanes.  You know there is traffic there, but you can’t see it or access it.  It can only be seen at it’s starting and ending points.  It’s the safest way to send data, especially sensitive data.

When you connect to a wireless hotspot in a public location like a town square, a restaurant, hotel, etc., you are connecting to a very “public” network.  You should never log in to your bank or other sensitive site over a public wireless network.  Unless you are using a VPN.  If you use a VPN when connecting to these public networks, then you can safely connect to secure sites and protect your traffic from being seen by others.  I have used a VPN for years, for this very reason.

There are many excellent VPN’s on the market, but I am very excited that a company I trust a lot, Webroot, has a VPN specifically designed for WiFi.  Webroot has been an innovator in the cybersecurity space for years.  Their anti-virus/anti-malware tool, Webroot SecureAnywhere is a leader.  They have now added Webroot WiFi Security.  If you already have an anti-virus/anti-malware solution that you are happy with, you can add any VPN easily.  If you are looking for a better anti-virus/anti-malware solution and a VPN, there is a great bundle of both available as well.

I encourage you to check out Webroot’s WiFiSecurity.  Whether you decide to use that solution or another VPN, just pick one and stick with it.  You’ll be glad you did and a whole lot safer as well.