
In our previous article, we went into some detail regarding how VPNs work and what you might not be aware of when using them. In this article, I want to build on that and give a brief account of what happened to NordVPN, why this is bad but maybe not as bad as what you may read about it, and why it went relatively under the radar compared with other high-profile hacks like Capital One.
In March of 2018, a server being used for NordVPN within a data center in Finland was breached. The attacker got in through an insecure remote management suite left exposed by the data center. The controversy around this particular hack is partly a result of the slow public disclosure of the incident and partly a result of some of the wording NordVPN chose in describing it.
Nord insists that it only had the one server compromised, that no user data or logs were compromised, and that it has successfully remediated the problem. They have terminated the host provider's contract in Finland and have changed their policies to reflect the lessons learned from this incident. While this is a well-crafted press release, there are some questions that the security community as a whole still has. I can't speak for all of that community, but I'll try to provide some considerations as a member of it.
The first question that I have with their disclosure is the declaration of no log compromise. It is definitely possible that NordVPN may not keep logs on their server regarding client activity. But the likely scenario is that they do keep logs of at least server performance metrics, and those logs are likely sent to a management tool such as Splunk. If this server was compromised for any length of time, and that compromise gave the attacker full control of both the server and the cryptographic keys associated with it, you have several major problems. First, you cannot assume that the third party didn't make changes that would allow the attacker to see those logs. There is no way to know with 100% certainty, so making that claim in your press release invites exactly this kind of scrutiny. Second, if the attacker did obtain those keys, there is the potential that the attacker could stand up their own NordVPN server for whatever purpose they wanted, for as long as those TLS cryptographic keys were trusted (these keys are no longer trusted). This means that user data and browsing history had the potential to be harvested, DNS could be redirected to malicious sites, or whatever else an attacker might want. Again, we have no evidence that this occurred, but Nord has no evidence that it didn't either. Third, why were those cryptographic keys stored locally on the server? Does Nord not use Hardware Security Modules to safeguard those keys? I find it a bit questionable that a VPN provider, whose entire business model is based upon privacy, wouldn't invest in an HSM where it could. Perhaps there were technical reasons this option was not possible, but keeping those keys local to a server is a practice I would avoid for exactly this reason.
And the final major question I have here is: if this occurred in March of 2018, why are we hearing about it in November 2019? I get that they might want to verify their other servers are not vulnerable, but I have to assume this violates GDPR. The lack of disclosure and accountability from a company whose entire business model is to have its end users trust them to keep their data private from their ISP or government is probably the most alarming part of this incident.
So why was this less high profile than Capital One? Well, the reality is this isn't nearly as bad. It's not good for NordVPN, and I and the cyber security community as a whole have questions that will likely go unanswered, but at face value, we know of zero data that was breached as a result of this hack. Sure, there are potential issues and hypothetical problems that I outlined above, but we have no means to say for sure that they occurred. Capital One was far larger and more damaging based on the confirmed volume of records that were stolen, the means by which they were stolen, and the size of a corporation such as Capital One, which should have near endless means to protect the data. The biggest problem Nord has now is the PR nightmare this incident has created and its lack of an appropriate response time, which might cost them some serious revenue if GDPR was violated.
What are your opinions of NordVPN post-hack? Do you still trust them enough to use them as your VPN of choice? Is there another VPN provider you prefer? Feel free to comment below!