NordVPN hacked - More like FlawedVPN

yolosnail
12 hours ago, Spotty said:

While I dislike TechCrunch as an outlet, the article they've published here about this seems rather balanced and mostly just contains quotes from the statement released by NordVPN confirming the unauthorised access on one of their servers. https://nordvpn.com/blog/official-response-datacenter-breach/

 

I doubt TechCrunch has anything to do with any internet or VPN services offered by Verizon, even if they are owned by the same parent company. Even if they were publishing stories to promote their parent company's own VPN service I don't think this story would be a smart marketing play. You don't convince people to sign up to VPNs by publishing a bunch of stories about how insecure they are, even if it's the competition. That's only going to drive people away from VPNs and make them not trust VPNs. You're better off publishing stories about how the big spooky corporations or Governments are trying to spy on you and how VPNs are secure and how you need a VPN to protect yourself and your private data.

 

If you're still concerned about TechCrunch's article then read the story from one of the many other tech outlets who also published the story.

https://www.tomsguide.com/news/nordvpn-torguard-admit-being-hacked-but-thats-just-the-beginning

https://www.theregister.co.uk/2019/10/21/nordvpn_security_issue/

https://www.androidpolice.com/2019/10/21/nordvpn-was-hacked-in-march-2018-only-some-servers-affected/

https://www.tweaktown.com/news/68298/nordvpn-hacked-knew-breach-months-ago/index.html

https://au.pcmag.com/torguard-vpn/64047/nordvpn-torguard-hit-by-hacks-involving-insecure-servers

https://www.theinquirer.net/inquirer/news/3082891/nordvpn-server-hack

I'm willing to bet almost all the other articles are based on the TechCrunch article so all it takes is for TechCrunch to get one thing wrong for everybody else to be wrong or in the case we were saying earlier all it takes is TechCrunch throwing NordVPN under the bus for all of them to do so.

 

See: The Internet Echo Chamber Effect.

Judge a product on its own merits AND the company that made it.

How to setup MSI Afterburner OSD | How to make your AMD Radeon GPU more efficient with Radeon Chill | (Probably) Why LMG Merch shipping to the EU is expensive

Oneplus 6 (Early 2023 to present) | HP Envy 15" x360 R7 5700U (Mid 2021 to present) | Steam Deck (Late 2022 to present)

 

Mid 2023 AlTech Desktop Refresh - AMD R7 5800X (Mid 2023), XFX Radeon RX 6700XT MBA (Mid 2021), MSI X370 Gaming Pro Carbon (Early 2018), 32GB DDR4-3200 (16GB x2) (Mid 2022

Noctua NH-D15 (Early 2021), Corsair MP510 1.92TB NVMe SSD (Mid 2020), beQuiet Pure Wings 2 140mm x2 & 120mm x1 (Mid 2023),


1 minute ago, AluminiumTech said:

I am gonna say the Echo Chamber effect is hard not to notice here.

 

Everybody's article is based on the TechCrunch article. So ultimately if TechCrunch is somehow wrong in any way then all of the articles are wrong.

 

Also I disagree with JayzTwoCents, NordVPN said that they looked at every one of their servers to make sure a similar thing wasn't on those servers.

 

Frankly I still think that everybody is trying to make out NordVPN to be the bad guy here and treating them as if they were lying about logs which they aren't.

 

Yes, NordVPN should have taken a bit more care to make sure it didn't happen but ultimately it was the Data Centre guys who screwed up.

NordVPN is based out of Panama and so isn't required to provide logs. They have been audited and there was nothing bad or untoward there. They were found to have no logging and in general a secure system.

 

The same thing can't be said about PIA which would be forced to provide logs when required by a court of law because the laws in the US and UK require them to keep logs.

 

You can't hand over logs if no logs actually exist.

 

Disclaimer: I am a paying customer of NordVPN and I am also in a position to financially benefit from the success of NordVPN.

At this point, the proper assumption should be that NordVPN does what they say and the attack vectors are intentional to hurt their reputation because, as you point out, they're not subject to Five Eyes rules. This is pretty classic Media Warfare stuff. Nord had a single end-point get compromised, which exposed very little. They reported it after they've tested they've checked their entire system. They did everything quite proper.


3 hours ago, BuckGup said:

I wouldn’t trust PIA at all too

No one should be trusted, always proceed with caution and stay vigilant on the internet.

A PC Enthusiast since 2011
AMD Ryzen 7 5700X@4.65GHz | GIGABYTE GTX 1660 GAMING OC @ Core 2085MHz Memory 5000MHz
Cinebench R23: 15669cb | Unigine Superposition 1080p Extreme: 3566

13 hours ago, ravenshrike said:

If you had actually taken the time to read NordVPN's response you would know the delay after they were notified of the issue was because they were undergoing an audit of all their other extant servers (minus the ones from the company the breached server was with as they erased those servers and terminated their relationship with them) to make sure no other surprises like this were hanging around. They also started another audit to double check that it was impossible to get any logs from their servers in the event that such a breach happened again.

You are the one who didn't take the time to understand what was being said in the NordVPN article. See the quote below.

Quote

A few months ago, we became aware of an incident in March 2018 when a server at a datacenter in Finland we had been renting servers from was accessed without authorization

The "a few months ago", the incident happened in March 2018...so that means they were unaware of it for most likely over a year.  That really does beg the question, how effective are they at doing proper audits? And what precautions do they really take when it comes to sourcing vendors (notice no mention of breach of contract or them mentioning how they require certifications from vendors).  Who is to say that other vendors haven't/aren't doing the same?  (They obviously didn't have proper systems in place to have been able to check).

 

They did not mention about their internal audits being the one that caught the issue; they only ever mention becoming aware of it a few months ago. Could be wrong, but I thought somewhere in the release this morning, or one of the quotes somewhere from the company mentioned it being brought to their attention about the configuration file by security researchers. Either way though, that doesn't really make what I said too much wrong. The breach went undetected, over a year of not knowing about it means it is undetected in my mind. If they didn't realize it in over a year, then how can they be sure other vendors haven't done the same? The potential attack vector is only a small amount in my mind of what may have been possible.

3735928559 - Beware of the dead beef


I try to check for tech deals. Happened to come across this today....


Of course it's on sale now :D


I'm slightly afraid for Linus Media Group on this - they originally had this issue with TunnelBear, and all companies tend to wait months (leaving users insecure until "they've done a full investigation"), before telling everybody they were hacked.

 

PIA could be in the same position, and people'd just never know unless they tell you.


It's hilarious how most ignore the fact that not only Nord was hacked. You really think PIA or tunnelbear are safer?

All providers are hacked already, but most do not publish information on that because they either paid the hackers to keep quiet or they didn't realize that they got hacked!


VPN is great to keep ISP out of your traffic, but do you trust your VPN provider more than your ISP?

Magical Pineapples

On 10/21/2019 at 11:44 PM, Arika S said:

Fail to see how this is Nord's fault

 

 

Never used Finland servers anyway. Nord is still the best performing VPN for my shitty internet 

I also don't see the hype. I use nordvpn teams at the office and we will still be using them. Nothing was compromised anyway.


On 10/22/2019 at 2:00 PM, valdyrgramr said:

I don't really trust VPNs, tbh.

Do you trust them less than your government...?

Anyway, I suggest Torguard to anyone. They've got very consistent speeds and higher speeds than NordVPN in my area. They don't have the prettiest GUI but the functions are amazing. Cheaper than NordVPN too.


I would have expected NordVPN to immediately notify its customers once things went south (sorry for the pun). I realize they might have been afraid to scare customers away and to damage their reputation, but saying nothing for so long made it much worse. Security only truly works with openness about incidents.

Errors can happen to any company (including all the other VPN services), but the way those errors are handled makes the difference.


14 minutes ago, valdyrgramr said:

Both are recording what you do. The security from both sides really isn't there given both have been compromised and lie about that. Why would I trust either? And, if I really cared enough about the bs security both lie about then I'd just secure myself rather than trusting either which I used to do when I was paranoid like ten years ago and using proxy crap all the time.

Ah, so you think everyone's recording what you're doing regardless of whether they state they keep logs or not? Seems like you trust absolutely no one on this world.


31 minutes ago, greenhorn said:

I would have expected NordVPN to immediately notify its customers once things went south (sorry for the pun). I realize they might have been afraid to scare customers away and to damage their reputation, but saying nothing for so long made it much worse. Security only truly works with openness about incidents.

Errors can happen to any company (including all the other VPN services), but the way those errors are handled makes the difference.

They found out in April 2019 and then announced in October 2019. That's about right for security breaches, especially backdated ones. You have a lot of auditing to do about your systems when something goes wrong. (Note, something will always go wrong. It's the nature of this work.)

 

Reality is a single node in Finland could have intra-node traffic sniffed for about a week. Which is little different than if a Nation State was sniffing the inbound traffic of the node anyway. (Which is likely true, just as a matter of practice.) Or, better yet, your own ISP without some sort of masking action being taken. Some sort of Man-in-the-middle attack might have been viable during that week, but so much of the Internet uses HTTPS that even that is getting harder. And the NordVPN.com TLS key really didn't matter because who that's got their VPN working would go to the normal website?

 

As pointed out in the thread, this smells like Five Eyes disinformation campaign. Nord (along with two other VPN providers, to note) had a weird, minor compromise because of a 3rd party vendor and a bunch of the Internet is up in arms. That smells like power player aligned Media doing their job to prop up the power players. Using your CC/Debit/Cash Card at a store is a bigger security risk these days. Or, apparently, having an Adobe subscription.


1 hour ago, valdyrgramr said:

VPNs clearly state in their ToS that if you're using them to break the law they will turn you over. They also do log lots of data. The US government is known for logging things, but at the same time they "claim" they can only access it with a warrant or if you're deemed a terrorist then, due to the patriot act, they don't need one. Regardless of what you want to believe they both are logging and monitoring you to some degree. But, if I actually cared enough now. I just wouldn't have ever accessed the internet to begin with. As secure as you might feel your data is out there. Fun fact, in the US at least, when a corporation asks for your phone number they're not just setting you up for perks. They're also selling it off to call centers. That's one reason you're being spammed. Many of these "VPNs" are just giving you a scare into buying their bs security. So, unless you made your own VPN/using proxies you're probably not as secure as you think. Why would I really trust a corporation or a government with security? One is in it for the money and the other is in it for abusing their power. I mean the only real use for a VPN is to get around geo blocking. But again, I don't really care. There is no such thing as perfect security. I'm just not going to pay a subscription for bs security.

 

But if no one can tell what you're doing initially by using a VPN (which is exactly what it does), it makes it a LOT harder for them to find evidence enough to force these companies to hand over any data. A VPN certainly does secure your footprint up front.

These VPN companies aren't monitoring your usage. They aren't seeing "oh look this guy is downloading a movie" or whatever. They're not out there to hand you over to the government or whatever entity, otherwise they would lose their customers quite fast.

 

So the argument that the push to use a VPN is just a scare tactic falls apart right at the gate.


17 minutes ago, valdyrgramr said:

Nor can my ISP when they're only seeing the domain. However, the VPNs have been known for logging more than that and HMA was logging what the guy from LulzSec was doing, and with a warrant handed the logs over to a government.
 

Yes, they are logging what you're doing hence why they state in their ToS that if you do something illegal they will hand you over. Even more so if the government has a warrant, if required. This happens all the time. You can pretend it doesn't all you want.

 

HMA, a VPN/the same one who is who of many that hands your data over to the government that was logged in cases of a warrant, was hacked in 2017.

 

NordVPN aka this article hacked.

Yes, the security is either misleading or bs to begin with.

So if one VPN hands over stuff for illegal activity then they all must do that right? They're all the same... Right? -.-


Yet another reason why consumers should make their own choices with the tools available online rather than ignorantly purchase whatever shit a YouTube "influencer" is peddling.


On 10/30/2019 at 3:58 PM, PHYLO said:

Do you trust them less than your government...?

Anyway, I suggest Torguard to anyone. They've got very consistent speeds and higher speeds than NordVPN in my area. They don't have the prettiest GUI but the functions are amazing. Cheaper than NordVPN too.

 

According to GamersNexus, Torguard and VikingVPN were affected by the same attack.

 

Moral of the story is that you can't trust ANYONE with your private data.


On 10/30/2019 at 9:07 AM, Taf the Ghost said:

They found out in April 2019 and then announced in October 2019. That's about right for security breaches, especially backdated ones. You have a lot of auditing to do about your systems when something goes wrong. (Note, something will always go wrong. It's the nature of this work.)

 

Reality is a single node in Finland could have intra-node traffic sniffed for about a week. Which is little different than if a Nation State was sniffing the inbound traffic of the node anyway. (Which is likely true, just as a matter of practice.) Or, better yet, your own ISP without some sort of masking action being taken. Some sort of Man-in-the-middle attack might have been viable during that week, but so much of the Internet uses HTTPS that even that is getting harder. And the NordVPN.com TLS key really didn't matter because who that's got their VPN working would go to the normal website?

 

As pointed out in the thread, this smells like Five Eyes disinformation campaign. Nord (along with two other VPN providers, to note) had a weird, minor compromise because of a 3rd party vendor and a bunch of the Internet is up in arms. That smells like power player aligned Media doing their job to prop up the power players. Using your CC/Debit/Cash Card at a store is a bigger security risk these days. Or, apparently, having an Adobe subscription.

They found out in April 2019, but were forced to announce it in October 2019.

 

 

The biggest issue about this breach is the lack of security via NordVPN (they downplay the effects and such, but this is quite a large security concern and you have to question how good the rest of their implementation is).  This went pretty much 1 year without them knowing that this happened; so their other auditing means nothing really.

 

This is not a minor compromise; this was a significant compromise. This type of compromise could have easily allowed more lateral movement or the scraping of admin passwords. NordVPN is only admitting to what is known to have been taken, but ignoring the other potential security risks. The fact is, NordVPN didn't even encrypt the hard drive which is what made this attack possible... yes the 3rd party had a vulnerability, but it was NordVPN's general incompetence in security that is at issue here. A vulnerability at a 3rd party host should not affect the security of a company (again, they should have encrypted the hard drive).

 

The certificate was compromised, but no one is really mentioning that the hackers would have likely had full access to the rest of the system.  That means they could have grabbed everything needed to host a fake NordVPN server (or inserted in things to again log the admin passwords to do a lateral movement attack).  To be clear as well the "viable during that week" is actually wrong, they could have installed other software that would have allowed them to control the server even after the vulnerability was closed.  So it could in theory have been months/a year.

 

To summarize, what makes this a larger security issue in my eyes is the lack of proper security by NordVPN. They didn't encrypt hard drives that effectively should be treated as publicly visible, they didn't know about it for a year, and they only knew about it/publicly came out about it because others discovered it.

 

3735928559 - Beware of the dead beef


And this is why I am sticking to ProtonVPN.

 

You wonder, with the amount of advertising and YouTube shilling, if they stand up to the actual tests (and that includes ExpressVPN).

Read the community standards; it's like a guide on how to not be a moron.

 

Gerdauf's Law: Each and every human being, without exception, is the direct carbon copy of the types of people that he/she bitterly opposes.

Remember, calling facts opinions does not ever make the facts opinions, no matter what nonsense you pull.
