NordVPN hacked

NordVPN was hacked in a fairly bad way recently.

According to the VPN provider, one of their servers was accessed by an unauthorized user, who took advantage of a security vulnerability in remote management software left on the server by the hosting provider.

This just goes to show that even if the stuff you install on your server is secure and audited, the stuff that it comes with can’t be trusted. This is the main argument for the minimum necessary packages aspect of hardening.

NordVPN claims that no user credentials were obtained, nor were any logs. (they reiterated that they do not keep logs)

NordVPN claims it found out about the breach “a few months ago” but didn’t disclose it until they were all systems were secure.

Everybody gets hacked. The only real problem here is they failed to disclose for several months.

I’d say that the bigger problem is that their service provider was installing insecure software on their systems.

Bummer
I use Nordvpn, though I havent connected to any of their servers in Finland.
But It’s kinda alarming that they don’t check if the data center has any remote management on the servers they rent, when they set them up.

yeah, that’s the one. Timely disclosure [and learning so it’s like doesn’t happen again…]

Nah. There’s always some random BS going on. Everybody gets hacked. It’s how you respond that matters.

How does it matter that they tell us in a timely manner? Obviously there’s going to be user flight when it comes out, but it’s not like you can actually do anything about what’s already happened.

The important thing is to actually take steps to ensure you’re not alerting the general public that your systems are currently insecure in a specific manner. if they released this before the systems were patched, it’d have been way worse. Open season on the servers.

Totally agree, but it shouldn’t take them months to fix the problem. In this case it reads like they wouldn’t have disclosed at all, but rumors were going around to force their hand. Whether that’s true is immaterial, the optics are bad.

It really depends on the situation. The wording of it, to me, read like it was OOBM software. Not as simple as a “yum remove badshit”…

Remember that it’s techcrunch. That’s their style. “let’s insinuate a bunch of bullshit because it’ll make for more views”

This is the only article I could find so far. I’d much rather not use them.

Disclosure in a timely manner is a FEELZ thing, more of a PR matter then anything else.

But the fact they disclosed it after making sure the servers were now secure as they can be is fine with me.

The only sure way of NOT getting hacked is to NEVER connect to the inet, now who is going to do that

Update, twitter thread from the article:

Looks like the certs expired 10/2018. Not sure if they were already expired when they were leaked or if it’s really 12 months old.

The 8chan source:

If you take an unreasonably long time to disclose it looks like you’re trying to cover up. That’s a much bigger problem than getting hacked in the first place which again, happens to everybody.

Upon more digging, it looks like this happened around early may 2019. So… 5ish months. Your call.

Ain’t it funny how a company which touts privacy all night long won’t disclose their own breach? Sure does instill trust in me, and they definitely aren’t lying about anything else. /s

I always knew nord was a bunch of shit anyways.

5ish months, and since then they have encouraged others to either have OOBM fixed or replaced? seems okay to me.
Like bug reporting, disclose when others are fixed, else everyone else gets spanked straight away?

I mean, they left spectre/meltdown at 9ish months I think?

Obviously that’s a different scale, but the fix was easier on spectre/meltdown.

Um, there are some microcode hacks, but are spectre/meltdown even fixed in silicon yet?

I thought it still relied on a cpu microcode for every vulnerable chip, where they are running an OS that supports the “fix” update?

Who tf knows.

The fix is easy.

Disable HT.

If people are as concerned with security as they claim, they should be doing it.

Of course, on my non-sensitive systems, I’m using kernel args to disable the mitigations for that extra perf per watt.

harder to hack into a computer with it’s ethernet ports glued. (but still happens)