NordVPN confirms it was hacked
TechCrunch | 10/21/19 | Zack Whittaker

Posted on 10/22/2019 5:41:27 AM PDT by Dacula

NordVPN, a virtual private network provider that promises to “protect your privacy online,” has confirmed it was hacked.

The admission comes following rumors that the company had been breached. It first emerged that NordVPN had an expired internal private key exposed, potentially allowing anyone to spin out their own servers imitating NordVPN.

VPN providers are increasingly popular as they ostensibly provide privacy from your internet provider and visiting sites about your internet browsing traffic. That’s why journalists and activists often use these services, particularly when they’re working in hostile states. These providers channel all of your internet traffic through one encrypted pipe, making it more difficult for anyone on the internet to see which sites you are visiting or which apps you are using. But often that means displacing your browsing history from your internet provider to your VPN provider. That’s left many providers open to scrutiny, as often it’s not clear if each provider is logging every site a user visits.

For its part, NordVPN has claimed a “zero logs” policy. “We don’t track, collect, or share your private data,” the company says.

But the breach is likely to cause alarm that hackers may have been in a position to access some user data.


TOPICS: Miscellaneous; News/Current Events
KEYWORDS: hacked; nord; vpn
NordVPN told TechCrunch that one of its data centers was accessed in March 2018. “One of the data centers in Finland we are renting our servers from was accessed with no authorization,” said NordVPN spokesperson Laura Tyrell.

The attacker gained access to the server — which had been active for about a month — by exploiting an insecure remote management system left by the data center provider; NordVPN said it was unaware that such a system existed.

NordVPN did not name the data center provider.

“The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either,” said the spokesperson. “On the same note, the only possible way to abuse the website traffic was by performing a personalized and complicated man-in-the-middle attack to intercept a single connection that tried to access NordVPN.”

According to the spokesperson, the expired private key could not have been used to decrypt the VPN traffic on any other server.

NordVPN said it found out about the breach a “few months ago,” but the spokesperson said the breach was not disclosed until today because the company wanted to be “100% sure that each component within our infrastructure is secure.”

A senior security researcher we spoke to who reviewed the statement and other evidence of the breach, but asked not to be named as they work for a company that requires authorization to speak to the press, called these findings “troubling.”

“While this is unconfirmed and we await further forensic evidence, this is an indication of a full remote compromise of this provider’s systems,” the security researcher said. “That should be deeply concerning to anyone who uses or promotes these particular services.”

NordVPN said “no other server on our network has been affected.”

But the security researcher warned that NordVPN was ignoring the larger issue of the attacker’s possible access across the network. “Your car was just stolen and taken on a joy ride and you’re quibbling about which buttons were pushed on the radio?” the researcher said.

The company confirmed it had installed intrusion detection systems, a popular technology that companies use to detect early breaches, but “no-one could know about an undisclosed remote management system left by the [data center] provider,” said the spokesperson.

“They spent millions on ads, but apparently nothing on effective defensive security,” the researcher said.

NordVPN was recently recommended by TechRadar and PCMag. CNET described it as its “favorite” VPN provider.

It’s also believed several other VPN providers may have been breached around the same time. Similar records posted online — and seen by TechCrunch — suggest that TorGuard and VikingVPN may have also been compromised.

A spokesperson for TorGuard told TechCrunch that a “single server” was compromised in 2017 but denied that any VPN traffic was accessed. TorGuard also put out an extensive statement following a May blog post, which first revealed the breach.

1 posted on 10/22/2019 5:41:27 AM PDT by Dacula

To: Dacula

Why don’t they release the name?


2 posted on 10/22/2019 5:47:26 AM PDT by ImJustAnotherOkie (All I know is The I read in the papers.)

To: Dacula

One of my first lessons in internet security is there needs to be a balance between offense and defense security design.
Securing the Server Farm needs to be Job Zero.


3 posted on 10/22/2019 5:49:34 AM PDT by Zathras

To: ImJustAnotherOkie

CYA - It would mean that they still have a problem and are still trying to fix it.

I like and use NORD VPN, but like most services, they are vulnerable.


4 posted on 10/22/2019 5:51:07 AM PDT by Dacula

To: Dacula

I have never been a huge fan of the various VPN services I see being offered today, in this case Nord.

It’s not a true end-to-end VPN, it’s more like a VPN proxy, where the traffic from the end user is encrypted to Nord, then sent on unencrypted to the destination.

For example if you connect to Freerepublic the traffic would be encrypted to Nord, but unencrypted to Freerepublic and the same in the response.

So if this person became a Man-in-the-Middle they would be able to see everything you sent and received.


5 posted on 10/22/2019 5:54:11 AM PDT by srmanuel

To: Dacula

Same here, nord is the best I’ve found and still works for my needs.

I don’t know what could be stolen from them really.


6 posted on 10/22/2019 5:54:20 AM PDT by ImJustAnotherOkie (All I know is The I read in the papers.)

To: Zathras

Agreed.

I took over a Global IT department around 2000. There was no protection whatsoever and we got hit by the Melissa virus. The first thing I did was shut down the system.

I was on the job for only a couple of weeks and the entire IT team quit, leaving me with having to rebuild and secure the servers.


7 posted on 10/22/2019 5:54:58 AM PDT by Dacula

To: Dacula

8 posted on 10/22/2019 5:55:02 AM PDT by bk1000 (I stand with Trump)

To: Dacula

Where were the ‘retention bonuses’?


9 posted on 10/22/2019 5:56:45 AM PDT by _Jim (Save babies)

To: _Jim

I was able to get two employees to come back as contractors with a heavy price tag, but the owner was willing to pay them to get back up and running.

They used cheap surge protectors to power their servers.

Truth is, the company was going to be bought out and they knew their days were numbered. This was right before the Dot Com bust.


10 posted on 10/22/2019 6:03:48 AM PDT by Dacula

To: srmanuel

It’s a layer of protection regardless, but I think you are right, I doubt many users even know this.
I have yet to use this type of “VPN” although I have had to tunnel into networks with them in the past.

What the article doesn’t say is what was accessible in the network. IE: Does NordVPN manage logging of all communications that pass through? If so, then this type of breach is big, at least for those who were using it. Which leads to the question, was it a more random intrusion by someone who found it (sounds like a KVM/terminal) or was it targeted?


11 posted on 10/22/2019 6:15:19 AM PDT by z3n

To: z3n

I drew my conclusion. It is bigger than what they reported. It took them months to release information.


12 posted on 10/22/2019 6:18:28 AM PDT by Dacula

To: z3n

It is a layer of protection, if you are in a coffee shop using Wifi then it’s a reasonably solid security measure to take...

The last corporate VPN used was implemented a couple of ways, one we used an RSA token on our phones which produced a random 8-digit number that was only good for a short period of time, you had to use that to log into the Corporate VPN...

Then we used a credit card type of device that had to be plugged into the laptop in order to tunnel into the corporate network....

At other times and other contracts I used other VPN solutions...

If someone gets access to the servers as in this case and became a true man-in-the-middle they conceivably had access to all the traffic going into and out of the network, including usernames/passwords, etc.....

You have to know they log websites, etc. that users visit in case of some type of law enforcement or security agency required access.


13 posted on 10/22/2019 6:59:12 AM PDT by srmanuel

To: ImJustAnotherOkie

>>>the spokesperson said the breach was not disclosed until today because the company wanted to be “100% sure that each component within our infrastructure is secure.”

Sooo, will the whole IT team be fired? I wouldn’t trust one fraction-of-an-inch of this company in any business!


14 posted on 10/22/2019 7:16:43 AM PDT by existentially_kuffer

To: Dacula

Had to rebuild Nord from scratch last week because the bandwidth wasn’t stable and I couldn’t connect to some of their servers. I run Nord from a Linux terminal because “Mr Paranoia” doesn’t trust point and click front ends but if you have a new directory “etc/PIK” you’re good to go.


15 posted on 10/22/2019 7:24:33 AM PDT by SanchoP

To: ImJustAnotherOkie

“The attacker gained access to the server — which had been active for about a month — by exploiting an insecure remote management system left by the data center provider; NordVPN said it was unaware that such a system existed.”

A company like NordVPN does not live up to its claims of protecting its customers’ security, when it employs contractors on trust alone. They should never have contractors working alone on their systems at any time. Their own people should be dogging the contractors constantly.


16 posted on 10/22/2019 8:07:09 AM PDT by Wuli

To: ImJustAnotherOkie

“The attacker gained access to the server — which had been active for about a month — by exploiting an insecure remote management system left by the data center provider; NordVPN said it was unaware that such a system existed.”

A company like NordVPN does not live up to its claims of protecting its customers’ security, when it employs contractors on trust alone. If they employ servers hosted by third parties, NordVPN should be performing their own security analysis on the servers, before Nord data is sent to them.


17 posted on 10/22/2019 8:09:52 AM PDT by Wuli

To: Wuli

A few other companies were involved too. My guess is that Nord may have been tricked or scammed and this story isn’t what it seems.


18 posted on 10/22/2019 8:16:49 AM PDT by ImJustAnotherOkie (All I know is The I read in the papers.)
