NordVPN hacked - More like FlawedVPN

[Teddy07]

11 hours ago, Queen Chrysallis said:

my nordvpn sub expires in 3 days... what to do, what to do... where to go, where to go?

mine too, I also wonder. I think I stay because it was just one server

[LeSheen]

13 hours ago, yolosnail said:

I personally find it quite scary that a company can go around saying they keep your data safe and secure, but rent out servers with security issues that they didn't know about!

Well, you can't possibly expect them to do a complete audit of any partner. That's why companies need certification. We just certified our company as well so I have a bit of experience with it. Before you can call yourself certified with whatever ISO you need to run an internal audit and an external. The external needs to be repeated time and time again to ensure you are still compliant with the certification.

 

If the datacenter wasn't compliant with it then Nordvpn could have strong case against them. Nordvpn simply relied on the integrity of the certificate like so many other companies do.

[Neftex]

12 hours ago, OneGuy83 said:

it really bugs me that they have known for months and told nobody!

yea man, tell everyone youre vulnerable before you make sure its all fixed. great idea

[LeSheen]

1 hour ago, Neftex said:

yea man, tell everyone youre vulnerable before you make sure its all fixed. great idea

I am all for keeping it secret until you fix the breach. But that is a lot of time...

[AlTech]

I think the reactions especially by the OP are quite overblown. The title is more than just a little sensationalist.

 

It feels like people are out for blood. NordVPN is a good offering and is far more private and secure than PIA or any UK or US based service ever will be.

 

The Five Eyes countries are out to get your data so that they can control you. If you choose to use a VPN from a Five Eyes country then you will end up with an organisation like the NSA having your data. PIA says they don't collect logs and I'm calling BS on it right now. PIA is a UK based company and so they are forced to keep data they collect for some period of time because of "Know Your Customer". ISPs here collect your data and must keep it for a good long while before they are allowed to delete it.

 

The reality is that most VPN services require some degree of trust in them but audits by 3rd parties help. In that respect, NordVPN has had an audit and they were found not to collect logs and so I believe and trust them. I would always pick a VPN from outside the FIve Eyes countries.

 

Disclaimer: I am a paying customer of NordVPN and I am also in a position to financially benefit from the success of NordVPN.

[CookieSmasherGus]

Agreed, this whole event is being blown wayyyy out of proportion. I mean, it's just one server, no actual serious damage has been done. Considering how big NordVPN is this is a fairly minor incidend. And besides, it seems to have an ulterior motive - Tech Crunch is owned by Verizon and they released their own VPN some time ago (source https://www.techdirt.com/articles/20180807/08182440385/verizon-launched-vpn-without-bothering-to-write-real-privacy-policy.shtml) so it could just be some desperate attempt to make Nord seem unreliable to push their own service. It just feels like everyone is reading the headline, see the word "hacked" and then just lose their minds. 

[Spotty]

13 minutes ago, CookieSmasherGus said:

And besides, it seems to have an ulterior motive - Tech Crunch is owned by Verizon and they released their own VPN some time ago (source https://www.techdirt.com/articles/20180807/08182440385/verizon-launched-vpn-without-bothering-to-write-real-privacy-policy.shtml) so it could just be some desperate attempt to make Nord seem unreliable to push their own service. It just feels like everyone is reading the headline, see the word "hacked" and then just lose their minds. 

While I dislike TechCrunch as an outlet, the article they've published here about this seems rather balanced and mostly just contains quotes from the statement released by NordVPN confirming the unauthorised access on one of their servers. https://nordvpn.com/blog/official-response-datacenter-breach/

 

I doubt TechCrunch has anything to do with any internet or VPN services offered by Verizon, even if they are owned by the same parent company. Even if they were publishing stories to promote their parent companies own VPN service I don't think this story would be a smart marketing play. You don't convince people to sign up to VPN's by publishing a bunch of stories about how insecure they are, even if it's the competition. That's only going to drive people aware from VPNs and make them not trust VPNs. You're better off publishing stories about how the big spooky corporations or Governments are trying to spy on you and how VPN's are secure and how you need a VPN to protect yourself and your private data.

 

If you're still concerned about Tech Crunch's article then read the story from one of the many other tech outlets who also published the story.

https://www.tomsguide.com/news/nordvpn-torguard-admit-being-hacked-but-thats-just-the-beginning

https://www.theregister.co.uk/2019/10/21/nordvpn_security_issue/

https://www.androidpolice.com/2019/10/21/nordvpn-was-hacked-in-march-2018-only-some-servers-affected/

https://www.tweaktown.com/news/68298/nordvpn-hacked-knew-breach-months-ago/index.html

https://au.pcmag.com/torguard-vpn/64047/nordvpn-torguard-hit-by-hacks-involving-insecure-servers

https://www.theinquirer.net/inquirer/news/3082891/nordvpn-server-hack

[rcmaehl]

13 hours ago, FezBoy said:

You probably already know this, but TOR on its own is a bad idea.  TOR traffic is really obvious, and can be used to identify you, like in the case of this guy who called in a fake bomb threat to get out of finals (Verge link plz don't kill me) 

TOR is far from secure just by itself. DNS leakage, traffic identification through owning a large amount of nodes, traffic sniffing at TOR endpoints. At the very least it's distributed instead of owned by a specific company 

[Sauron]

18 hours ago, Deli said:

Fxxk, it's time to switch. Which VPN service is safer?

You just can't know, there's no way to be sure a VPN service is well secured and actually respects your privacy.

[2FA]

14 hours ago, FezBoy said:

You probably already know this, but TOR on its own is a bad idea.  TOR traffic is really obvious, and can be used to identify you, like in the case of this guy who called in a fake bomb threat to get out of finals (Verge link plz don't kill me)  If you don't want that to happen to you, you should use TOR underneath a VPN, like today's sponsor, PIA!

It's only obvious if you use the stock config, and that's mainly due to it using ports other than 443 (there are a couple well known ports specific to Tor). That and it only hides the data en route. The destination can still identify you if you aren't careful (for example with browser finger printing).

[dfsdfgfkjsefoiqzemnd]

27 minutes ago, Sauron said:

You just can't know, there's no way to be sure a VPN service is well secured and actually respects your privacy.

Indeed.  You will only know that your chosen VPN wasn't trustworthy after they suffered a massive breach that leaked your account info, payment details and your browsing history.

[paddy-stone]

18 hours ago, QXC said:

more details about the indecent

Incident?

[Sauron]

50 minutes ago, rcmaehl said:

TOR is far from secure just by itself. DNS leakage, traffic identification through owning a large amount of nodes, traffic sniffing at TOR endpoints. At the very least it's distributed instead of owned by a specific company 

TOR is secure in that the data you send cannot be accessed and the receiver cannot feasibly trace it back to you without already knowing more or less who you might be. In the bomb threat case the FBI already suspected a student was responsible and the guy thought it would be a good idea to use the school's wifi which logs traffic.

 

If you're concerned about privacy, using TOR from your own network is more than enough. If you're committing federal crimes... don't.

[wanderingfool2]

3 hours ago, AluminiumTech said:

I think the reactions especially by the OP are quite overblown. The title is more than just a little sensationalist.

 

It feels like people are out for blood. NordVPN is a good offering and is far more private and secure than PIA or any UK or US based service ever will be.

 

The Five Eyes countries are out to get your data so that they can control you. If you choose to use a VPN from a Five Eyes country then you will end up with an organisation like the NSA having your data. PIA says they don't collect logs and I'm calling BS on it right now. PIA is a UK based company and so they are forced to keep data they collect for some period of time because of "Know Your Customer". ISPs here collect your data and must keep it for a good long while before they are allowed to delete it.

 

The reality is that most VPN services require some degree of trust in them but audits by 3rd parties help. In that respect, NordVPN has had an audit and they were found not to collect logs and so I believe and trust them. I would always pick a VPN from outside the FIve Eyes countries.

 

Disclaimer: I am a paying customer of NordVPN and I am also in a position to financially benefit from the success of NordVPN.

 

 

7 hours ago, Teddy07 said:

mine too, I also wonder. I think I stay because it was just one server

 

6 hours ago, Queen Chrysallis said:

was thinking the same... i haven't connected to a finland server in ages, (i like it cuz it gives me good ping) but thankfully that are others, what i like to call "golden server" so ye, still pondering but likely to remain with them and renew my sub in 3 days, we'll see

It is only one server...that NordVPN has knowledge of.  If the only way NordVPN learned about this was because security researches found the configuration file, then one needs to question what safeguards do they currently have in place?  The fact is they didn't do their due-diligence when it came to vetting a vendor; how many other vendors have done the same (and just aren't telling NordVPN).

 

Another consideration, if they got a configuration file from a remote management system, then how do they know other information wasn't compromised?  (e.g. monitoring for passwords of admins, planting other material onto the servers, and other such things).  Internal audits don't really mean a whole lot if the problem existed without detection before

 

 

[ravenshrike]

5 minutes ago, wanderingfool2 said:

It is only one server...that NordVPN has knowledge of.  If the only way NordVPN learned about this was because security researches found the configuration file, then one needs to question what safeguards do they currently have in place? 

If you had actually taken the time to read NordVPNs response you would know the delay after they were notified of the issue was because they were undergoing an audit of all their other extant servers(minus the ones from the company the breached server was with as they erased those servers and terminated their relationship with them) to make sure no other surprises like this were hanging around. They also started another audit to double check that it was impossible to get any logs from their servers in the event that such a breach happened again.

[jdubya421]

18 hours ago, Shadow Bullet said:

Been with PIA since the start, and it's going to stay that way...

same

[Euchre]

22 hours ago, lewdicrous said:

Military grade encryption at work.

That means done by the lowest bidder who fulfilled the bid using the minimum specs required in the cheapest way possible. Remember that.

19 hours ago, Arika S said:

Fail to see how this is Nords fault

Trusting a 3rd party for high level security you're selling to your customer means you vet your partners extremely carefully, to avoid such issues. They did not do enough of that, apparently.

[Vishera]

It's important to note that everything can be hacked,the question is how difficult it is.

[PairedPrototype]

Rent a cheap OVH VPS, install OpenVPN, rent additional geolocated IPs if required. Done. You have your own VPN. 

 

Sure there's a few others bits to do, like 2FA on OVH account, change default SSH port and make it public key auth only, maybe add 2FA to that if you really feel that public key auth is not enough. Add UFW. And you're pretty secure by that point. 

[spartaman64]

7 hours ago, AluminiumTech said:

I think the reactions especially by the OP are quite overblown. The title is more than just a little sensationalist.

 

It feels like people are out for blood. NordVPN is a good offering and is far more private and secure than PIA or any UK or US based service ever will be.

 

The Five Eyes countries are out to get your data so that they can control you. If you choose to use a VPN from a Five Eyes country then you will end up with an organisation like the NSA having your data. PIA says they don't collect logs and I'm calling BS on it right now. PIA is a UK based company and so they are forced to keep data they collect for some period of time because of "Know Your Customer". ISPs here collect your data and must keep it for a good long while before they are allowed to delete it.

 

The reality is that most VPN services require some degree of trust in them but audits by 3rd parties help. In that respect, NordVPN has had an audit and they were found not to collect logs and so I believe and trust them. I would always pick a VPN from outside the FIve Eyes countries.

 

Disclaimer: I am a paying customer of NordVPN and I am also in a position to financially benefit from the success of NordVPN.

yep and who knows what backdoors that they built into their network and their encryption 

[yolosnail]

JayzTwoCents has suspended his sponsorship with NordVPN and made quite a good video simplifying what the issue was

 

 

[BuckGup]

On 10/21/2019 at 12:46 PM, TetraSky said:

And some people were giving shit at LTT in the beginning for not choosing NordVPN instead of PIA for their VPN of choice...

Hah.

I wouldn’t trust PIA at all too

[QXC]

5 hours ago, paddy-stone said:

Incident?

you rite

edited

[AlTech]

57 minutes ago, yolosnail said:

 

I am gonna say the Echo Chamber effect is hard not to notice here.

 

Everybody's article is based on the TechCrunch article. So ultimately if TechCrunch is somehow wrong in any way then all of the articles are wrong.

 

Also I disagree with JayzTwoCents, NordVPN said that they looked at every one of their servers to make sure a similar thing wasn't on those servers.

 

Frankly I still thing that everybody is trying to make out NordVPN to be the bad guy here and treating them as if they were lying about logs which they aren't.

 

Yes, NordVPN should have taken a bit more care to make sure it didn't happen but ultimately it was the Data Centre guys who screwed up.

2 hours ago, spartaman64 said:

yep and who knows what backdoors that they built into their network and their encryption 

NordVPN is based out of Panama and so isn't required to provide logs. They have been audited and there was nothing bad or untowards there. They were found to have no logging and in general a secure system.

 

The same thing can't be said about PIA which would be forced to provide logs when required by a court of law because the laws in the US and UK require them to keep logs.

 

You can't handover logs if no logs actually exist.

 

Disclaimer: I am a paying customer of NordVPN and I am also in a position to financially benefit from the success of NordVPN.

[Taf the Ghost]

55 minutes ago, valdyrgramr said:

I don't really trust VPNs, tbh.

VPNs are like security cameras. They're a layer of security. If you want something to be secure, you need a lot of layers to really nail something down. But, they're very useful for basic security, especially if you're traveling or on a public wifi. VPNs also give a layer of security against badly setup webpages and programs/apps.