News

A major VPN provider was hacked. Lesson: Don’t trust a VPN that doesn’t own and manage their own equipment.

I’m not going to make any recommendations on VPNs except to say what happened with NordVPN is why you never trust any VPN provider that rents out data center virtual server space, or uses other people’s equipment.

Should be noted TorGuard and VikingVPN are also listed as potentially compromised in the TechCrunch article.

The short version of the story is they appear to have rented a virtual server, or connected a physical server to a remote management console, one of the management servers for the data center had an insecure remote data management system which allowed attackers to compromise and pull private key data from the NordVPN server.

What that effectively means is a government agency could perform a man in the middle attack where you think you’re secure and connected to your VPN, but you’re not.

NordVPN says there’s not much they could have done at that point with what they got, but the acknowledgement of a breach brings about some troubling potential issues.

The first is this happened in March of 2018. 19 months ago if I math right. Now, I’m not particularly all in favor of immediate disclosure while you batten down the hatches, but in that time you could have had a kid, and that kid is now 10 months old and her first words are “no security”.

The second is that NordVPN is not in complete control of the boxes/environment/virtual machine they’re on. That’s troubling. I mean the nature of the internet is such that there’s an element of risk even with the greatest cryptography in the world, but when the box you’re trusting is accessible via means you don’t control … that’s not good.

Do they know that their equipment isn’t physically being accessed by third parties?

NordVPN says they were unaware of the data center’s software, that’s even worse. If I’m putting a VPN in a remote location and asking people to pay and trust me I’m going to that data center with my own equipment that plugs into the internet and a keyboard, 3 IP cameras pointed at it, and a monitor I bring. That VPN goes off line for any reason it will stay offline as I’ll assume a state agent has compromised it.

This was connected via some sort of shared resource. Some form of equipment or software that a company focused on security didn’t know about, and it took them 18 months to come clean about it.

Was any user data compromised? They claim no, although they probably have no way that I know to determine that the attacker didn’t pull connection information to match up IP addresses with times of political posts to sell to anti-democracy forces to use to go and round up suspected dissidents.

I mean if they’re renting server space NordVPN might have not been logging connection information but who’s to say that the data center wasn’t?

Troubling…

[TechCrunch]
Pocketables does not accept targeted advertising, phony guest posts, paid reviews, etc. Help us keep this way with support on Patreon!
Become a patron at Patreon!

Paul E King

Paul King started with GoodAndEVO in 2011, which merged with Pocketables, and as of 2018 he's evidently the owner. He lives in Nashville, works at a film production company, is married with two kids. Facebook | Twitter | Donate | More posts by Paul | Subscribe to Paul's posts

Avatar of Paul E King

One thought on “A major VPN provider was hacked. Lesson: Don’t trust a VPN that doesn’t own and manage their own equipment.

  • Avatar of Daniel D.

    As always, a system is as weak as its weakest link. No exception!
    Personally I see very little reason for the VPN craze that has taken the world by storm in the last 2-3 years.
    Everything should be encrypted by default (heck, HTTPS has been around since 20+ years ago?) and most of us have very little to hide (Google, Facebook & co are gathering enough valuable data anyway). It’s all a method of inducing a fear, creating an artificial need and then milking those that fall for it.
    There are very limited and specific usecases for VPN usage, of which I only remember a few: piracy & illegal stuff in general, internet blockades, corporate services that need virtual LAN in order to work, corporate workers that are dealling with highly sensitive data.
    I am open to and actually searching for someone to have a real conversation about the need of a VPN for normal, private activities.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *