NordVPN Lists Five Measures to Bolster Its Security, Keyfactor’s CTO, Ted Shorter, Shares His Views

essidsolutions

Virtual private network provider NordVPN recently confirmed that it was breached last year. Ted Shorter, chief technology officer at Keyfactor, shares his views on the breach; the five measures NordVPN has announced to bolster its security follow the conversation.

On October 21, NordVPN admitted that it had been breached last year. According to NordVPN, the attack took place in early 2018 at a Finnish data center run by a third-party hosting provider, which had installed a remote management interface on the server that NordVPN was never told about; the attackers got in by exploiting a vulnerability in that interface. Initially, an exposed internal private key was blamed for the breach. The leaked TLS key has since expired, but while it was valid it would have let anyone holding it spin up a server impersonating NordVPN.

In this exclusive conversation with IT Toolbox, Ted Shorter, chief technology officer, Keyfactor, shares his thoughts about the state of cybersecurity today and throws more light on the NordVPN data breach.

Ted Shorter is the chief technology officer and co-founder at Keyfactor, a provider of secure digital identity management solutions. Responsible for Keyfactor’s intellectual property development efforts, Ted helps align Keyfactor’s security focus with the changing security landscape and works to ensure its clients understand the importance of crypto agility.

Ted has worked in the security arena for over 20 years, in the fields of cryptography, application security, authentication and authorization services, and software vulnerability analysis. His experience includes ten years at the National Security Agency, a master’s degree in Computer Science from The Johns Hopkins University, and an active CISSP certification.

Here are the edited excerpts from the exclusive conversation with Ted Shorter on the NordVPN breach:

Are VPN providers a soft target for attackers today? If yes, why?

Ted: Not sure if you can call them a “soft” target, but they are certainly a valuable target. As with any organization that processes sensitive data – such as credit cards, personal data, or state secrets – the more lucrative a target is, the more resources hackers will bring to bear to penetrate it. The fact that NordVPN, TorGuard, and VikingVPN have all been attacked recently bears this out.

How did the attackers breach NordVPN? What could the company have done to prevent the attack?

Ted: My understanding is that a local provider in Finland left an administrative port for one server unsecured. It’s a difficult problem to solve in general; part of cloud and IT outsourcing means that providers must place some level of trust in a larger set of people and organizations than when IT was entirely centralized.

Although the company has maintained that it has a “zero logs” policy, do you think the hackers could have gained access to user data?

Ted: I’m willing to take NordVPN at their word on their “zero logs” policy. However, it seems likely that the hackers had access to the user data that flowed through that one server, while they were on it. That said, it seems like the actual impact on user data may have been relatively low in this case.

Considering that an attacker could have set up a fake NordVPN server, are the VPNs still secure? What are the next steps the company should take?

Ted: Some reports indicated that more than one certificate private key was stolen, including one that functions as a Certificate Authority, which issues certificates to other entities in the system. I’ve not seen corroboration of that from NordVPN, but if true, depending on what other systems may trust that CA, that could be a much bigger deal.

What can other organizations learn from this incident?

Ted: Assume hackers may get in and practice defense-in-depth to help reduce the impact of an attack. For example, in this case, there are technologies that could have been used, such as hardware security modules, which would’ve made the extraction of the keys impossible, even if the hackers had access to the server.
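To make concrete the risk Ted raises about a stolen CA key, and the article's point that the leaked server key had already expired, here is an added example. It is not code from NordVPN, Keyfactor or the article; it uses Go's standard crypto/x509 package and a constructed, hypothetical PKI, so the CA names, the hostname vpn.example and the dates are assumptions. It issues a forged server certificate with the "stolen" CA key, shows that a client trusting that CA accepts it, shows that the same forged certificate is rejected once clients trust only a rotated CA, and shows that an expired server certificate is rejected even under the old trust.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64 // toy serial counter; a real CA uses large random serials
// issue generates a P-256 key for tmpl and signs tmpl with parentKey. When
// parentKey is nil the certificate is self-signed (parent must then be tmpl).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	signer := parentKey
	if signer == nil { signer = key }
	nextSerial++
	tmpl.SerialNumber = big.NewInt(nextSerial)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA builds a self-signed CA valid for ten years from createdAt.
func newCA(name string, createdAt time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             createdAt.Add(-time.Hour),
		NotAfter:              createdAt.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return issue(tmpl, tmpl, nil)
}
// serverCert signs a server certificate for dnsName with the CA key. Anyone
// holding caKey can do this, which is why a stolen CA key is so dangerous.
func serverCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: dnsName},
		DNSNames:    []string{dnsName},
		NotBefore:   notBefore,
		NotAfter:    notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, _, err := issue(tmpl, ca, caKey)
	return cert, err
}
// ClientAccepts models a VPN client that trusts only root and connects to
// dnsName at time now; chain, hostname and validity period are all checked.
func ClientAccepts(root, leaf *x509.Certificate, dnsName string, now time.Time) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: pool, DNSName: dnsName, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}
// Outcome records the three cases the interview raises.
type Outcome struct {
	ForgedAcceptedUnderOldCA  bool // stolen CA key: a forged cert for the real host is trusted
	ForgedRejectedAfterRotate bool // clients moved to a new CA: the same forged cert is rejected
	ExpiredLeafRejected       bool // an expired server cert cannot impersonate the host today
}
// RunScenario walks through the compromise and the remediation.
func RunScenario() (Outcome, error) {
	var o Outcome
	now := time.Date(2019, 10, 21, 0, 0, 0, 0, time.UTC) // disclosure date given in the article
	host := "vpn.example"                                   // assumed hostname, not a real NordVPN host
	oldCA, oldKey, err := newCA("Demo VPN CA (key later stolen)", now.AddDate(-2, 0, 0))
	if err != nil { return o, err }
	// An attacker who extracted oldKey from the server mints a fresh cert for the real hostname.
	forged, err := serverCert(oldCA, oldKey, host, now.Add(-time.Hour), now.AddDate(0, 0, 1))
	if err != nil { return o, err }
	o.ForgedAcceptedUnderOldCA = ClientAccepts(oldCA, forged, host, now)
	// Remediation: stand up a new CA and ship clients that trust only it.
	newRoot, _, err := newCA("Demo VPN CA (rotated)", now)
	if err != nil { return o, err }
	o.ForgedRejectedAfterRotate = !ClientAccepts(newRoot, forged, host, now)
	// A server cert that expired before the breach was discovered is rejected even by clients still trusting the old CA.
	expired, err := serverCert(oldCA, oldKey, host, now.AddDate(-1, -1, 0), now.AddDate(0, -1, 0))
	if err != nil { return o, err }
	o.ExpiredLeafRejected = !ClientAccepts(oldCA, expired, host, now)
	return o, nil
}

func main() {
	o, err := RunScenario()
	if err != nil { panic(err) }
	fmt.Printf("%+v\n", o)
}
```

The practitioner's takeaway: an expired certificate limits live impersonation from now on but does nothing for traffic captured while it was valid, and if the stolen key is a CA key, revoking one leaf is not enough; every client has to stop trusting the old CA, which is why "what other systems may trust that CA" is the question that decides the blast radius.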


In response to the attack, NordVPN has listed five measures to bolster its security. Let’s look at them.

The company is taking action to enhance its security – one of the first moves being a partnership with VerSprite, a leading cybersecurity consulting firm. The partnership will include penetration testing, threat and vulnerability management, compliance management, and assessment services.

VerSprite also intends to help NordVPN form an independent cybersecurity advisory committee, which will consist of selected experts who will oversee NordVPN’s security practices.

Laura Tyrell, Head of Public Relations at NordVPN, said, “We are planning to use not only our own knowledge, but to also take advice from the best cybersecurity experts and implement the best cybersecurity practices there are. And this is the first of many steps we are going to take in order to bring the security of our service to a whole new level.”

NordVPN says it is ready to take action in five different fields to enhance its security. Here’s the list of the planned measures:

1. Partnership with VerSprite.

Penetration testers, a key part of NordVPN’s security efforts, probe the infrastructure for weaknesses so that the vulnerabilities found can be fixed. NordVPN therefore plans to enter a long-term strategic partnership with VerSprite, a cybersecurity consulting firm.

VerSprite will collaborate with NordVPN’s penetration testers to test the infrastructure. The main tasks in the new agreement include comprehensive penetration testing, source code analysis, and intrusion handling. VerSprite will also help NordVPN to form an independent cybersecurity advisory committee.

2. Bug bounty program.

NordVPN plans to introduce a bug bounty program over the next few weeks. Bug bounty programs are designed to reward cybersecurity experts who catch potential vulnerabilities and report them to the developers. NordVPN plans to reward bounty hunters with a well-earned payout.

3. Infrastructure security audit.

NordVPN will complete an independent, full-scale third-party security audit in 2020. The audit will cover the VPN software, infrastructure hardware, backend source code, backend architecture, as well as internal procedures.

4. Vendor security assessment and higher security standards.

NordVPN also intends to build a network of colocated servers that will be wholly owned by NordVPN. The company is currently finishing its infrastructure review so that any other exploitable weaknesses left by third-party server providers can be eliminated.

5. Diskless servers.

NordVPN plans to move its entire infrastructure to RAM-only (diskless) servers. This will allow the company to run a centrally controlled network in which nothing is stored locally; everything is provisioned from NordVPN’s central infrastructure at boot. Anyone seizing a server would find hardware with no data or configuration files on it. Note that this protects against physical seizure, not against an intruder on a running server: keys, configuration and the traffic in transit are still present in memory while the server is up, which is why the point about hardware security modules above still applies.

“The changes we’ve outlined will make you significantly safer every time you use our service. Every part of NordVPN will become faster, stronger, and more secure – from our infrastructure and code to our teams and our partners,” says Laura Tyrell. “That’s our promise – we owe it to you.”


Toolbox Perspective:

It is understandable that VPN providers would want to keep data breaches a secret. An incident like this can seriously damage the reputation of an organization. With VikingVPN, NordVPN, and TorGuard all coming under attack, VPN providers appear to be a favored target for attackers.

Credential hygiene matters, but the lesson of this incident is about the management plane and the keys: the intrusion came through a remote management interface that a hosting vendor exposed without telling its customer, and the damage came from private keys that could be copied off the server. VPN providers need to restrict who and what can reach management interfaces on every server they rent or own, and keep signing keys where an intruder on the host cannot extract them.

Even though NordVPN moved into damage control mode to mitigate the impact of the breach and has strengthened its security, what is worrying is that it took the company more than a year to disclose a breach that occurred in early 2018. Looking ahead, NordVPN, as well as other VPN services, will need to take their security practices to the next level to maintain the trust of their customers and the industry.
