> <i>The attacker gained access to the server — which had been active for about a month — by exploiting an insecure remote management system left by the datacenter provider, which NordVPN said it was unaware that such a system existed.</i><p>This screams for clarification and I'd love for someone more knowledgeable in the area to elaborate on it. Is this common practice for data-center providers? Do I now not only have to worry about my own infrastructure security but also worry that my IaaS provider hasn't installed some backdoor to my servers?
If you care less about the pseudo-anonymous-but-not-really shared-IP aspect of using a VPN, and care more about the this-lan-is-sketchy use case, I have had good experiences with Algo [0]. You can just paste in an API key and spin up your own VPN on something like DigitalOcean. And it uses WireGuard!<p>[0] <a href="https://github.com/trailofbits/algo" rel="nofollow">https://github.com/trailofbits/algo</a>
What about the data-mining and selling infrastructure of NordVPN, known as Tesonet? Are those intact? Also interesting to know how their legal departments are doing, such as the Panamanian shell and the Lithuanian headquarters.<p><a href="http://vpnscam.com/wp-content/uploads/2018/08/2018-08-24-09_09_14-Window.png" rel="nofollow">http://vpnscam.com/wp-content/uploads/2018/08/2018-08-24-09_...</a><p><a href="http://vpnscam.com/hola-vpn-and-nordvpn-partners-in-data-mining-bot-network/" rel="nofollow">http://vpnscam.com/hola-vpn-and-nordvpn-partners-in-data-min...</a><p><a href="http://vpnscam.com/nordvpn-protonvpn-proton-mail-owned-by-tesonet-ceo-darius-bereika/" rel="nofollow">http://vpnscam.com/nordvpn-protonvpn-proton-mail-owned-by-te...</a>
NordVPN just posted this a few minutes ago: <a href="https://nordvpn.com/blog/official-response-datacenter-breach/" rel="nofollow">https://nordvpn.com/blog/official-response-datacenter-breach...</a>
What this article is missing is that the hackers had root access and had NordVPN's private key for their HTTPS cert for several months in 2018. This went undetected for months and they're only now publicly admitting what happened due to press attention. Their public response seems to be "it's not a big deal guys, mitm is hard".<p><i>> The key wasn't set to expire until October 2018, some seven months after the March 2018 breach</i><p><a href="https://crt.sh/?id=10031443" rel="nofollow">https://crt.sh/?id=10031443</a><p>And here's a dump of their logs: <a href="https://share.dmca.gripe/hZYMaB8oF96FvArZ.txt" rel="nofollow">https://share.dmca.gripe/hZYMaB8oF96FvArZ.txt</a>
Someone is probably going to ask what other HN users recommend as an alternative. Personally, I use Private Internet Access because they're the only provider I've found with a track record of demonstrably not being able to turn your records over to someone asking for them [1].<p>[1] <a href="https://torrentfreak.com/private-internet-access-no-logging-claims-proven-true-again-in-court-180606/" rel="nofollow">https://torrentfreak.com/private-internet-access-no-logging-...</a>
<i>>NordVPN said it found out about the breach a “few months ago,” but the spokesperson said the breach was not disclosed until today because the company wanted to be “100% sure that each component within our infrastructure is secure.”</i><p>So instead of allowing their customers to do their own damage limitation, they left their customers in the dark and continued to expose them to a breach they weren't sure they had fully contained.<p>I wonder when that sort of thing will become a criminal offence.
This is always topical: Don't use VPN Services<p><a href="https://gist.github.com/joepie91/5a9909939e6ce7d09e29" rel="nofollow">https://gist.github.com/joepie91/5a9909939e6ce7d09e29</a>
I don't understand the obsession with VPN providers. Funneling all your Internet access through a single entity no matter where you connect from just seems like a fundamentally bad idea to me, especially if that entity's business is getting people to funnel all their traffic through, making them a juicy target for governments or hackers.
Nord (and perhaps others) seem to have been compromised for months/years - lifetime accounts have been available on the DN for significantly cheaper than other VPNs: <a href="https://news.ycombinator.com/item?id=20094946" rel="nofollow">https://news.ycombinator.com/item?id=20094946</a><p>Doesn't seem like a smear - glad this is coming to light.
Maybe they should spend more money on security than throw at people like PewDiePie to advertise them ... by also giving false claims like protecting you from hackers and making you magically "secure", whatever that's supposed to mean. Doesn't give the impression they know what a VPN actually is. Considering that most likely the phrasing comes from NordVPN themselves I always questioned them as a whole. Good to have some positive feedback (from my point of view) on that now.
It's odd that NordVPN, VikingVPN and Torguard all got their private keys leaked here.<p>- Did the hackers use an SSH or a VPN service vulnerability?<p>- Or maybe even a previously unknown vulnerability?<p>- Was SSH access firewalled? If not, why?<p>- Do they still have root access?
I can't help but notice that NordVPN is one of the most heavily advertised VPNs from what I've seen (which raises the question, as one researcher pointed out in the article - are they not spending enough money on their security and infrastructure to protect their users?). They are claiming that: "no-one could know about an undisclosed remote management system left by the [data center] provider".<p>Apparently the hacker was able to find out - so while it may be unknown, it's not an impossibility to detect it. Beyond whether or not sensitive information was accessed, what will NordVPN do in the future to eliminate or mitigate the possibility that this will occur again?
NordVPN is being recommended a lot to people who don't know better by influencers on social media, especially on YouTube. This kind of endorsement is recklessly negligent and needs to stop.<p><a href="https://drewdevault.com/2019/04/19/Your-VPN-is-a-serious-choice.html" rel="nofollow">https://drewdevault.com/2019/04/19/Your-VPN-is-a-serious-cho...</a><p>Edit: note that I don't blame these influencers for their ignorance on the risks of using a VPN; rather I blame the shady VPN providers for overselling the security value of their product and leading users into a false sense of security.
Two days ago I deleted my old Digital Ocean VPN (built using the OpenVPN tutorial I found somewhere), then opted for a discounted 3-year NordVPN plan. Looks like I'm going to have to ask for a refund. <i>facepalm</i>.
"On the same note, the only possible way to abuse the website traffic was by performing a personalized and complicated man-in-the-middle attack to intercept a single connection that tried to access NordVPN."<p>If I had root, can't I just find out what crypto libraries are in use, and trigger an uprobe to decrypt the traffic on that crypto library?<p>Every user connection handled by that VPN server would have been plain text for me.<p>I think they are downplaying the importance of this hack.
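The defender-side counterpart to the concern in the comment above: on Linux, every user-space probe that has been registered through tracefs is listed in `uprobe_events`, so a host-integrity check can read that file and alert on probes attached to TLS or crypto libraries. This is an added example, not code from the thread; the tracefs paths and the library-name pattern are assumptions, and the sample registry contents are constructed.

```python
"""Flag user-space probes (uprobes) attached to TLS/crypto libraries.

Added example, not code from the thread. It reads the kernel's uprobe
registry (tracefs ``uprobe_events``) and reports probes whose target
binary looks like a TLS or crypto library. The sample content below is
constructed; the file paths and library patterns are assumptions.
"""
import re
from pathlib import Path

# Candidate tracefs mount points (assumed; both are common on Linux).
UPROBE_EVENTS_PATHS = (
    Path("/sys/kernel/tracing/uprobe_events"),
    Path("/sys/kernel/debug/tracing/uprobe_events"),
)

# Libraries whose hooking would expose plaintext before/after encryption.
SENSITIVE_LIBS = re.compile(
    r"lib(ssl|crypto|gnutls|nss3|sodium|mbedtls)[^/]*\.so", re.IGNORECASE
)

# tracefs line format: "p:GROUP/EVENT PATH:OFFSET [FETCHARGS]"
# ("r:" marks a return probe). Everything after the offset is optional.
UPROBE_LINE = re.compile(
    r"^(?P<kind>[pr]):(?P<group>[^/]+)/(?P<event>\S+)\s+"
    r"(?P<path>\S+?):(?P<offset>0x[0-9a-fA-F]+)(?P<args>.*)$"
)

# Constructed sample of what uprobe_events could contain on a host where
# someone with root has hooked the TLS library (offsets are made up).
SAMPLE_UPROBE_EVENTS = """\
p:uprobes/p_libssl_write /usr/lib/x86_64-linux-gnu/libssl.so.1.1:0x00032f80 %di %si %dx
r:uprobes/r_libssl_read /usr/lib/x86_64-linux-gnu/libssl.so.1.1:0x00032e40 $retval
p:uprobes/p_bash_readline /usr/bin/bash:0x000a3d20
"""


def parse_uprobe_events(text):
    """Return one dict per registered probe; unparseable lines are skipped."""
    probes = []
    for line in text.splitlines():
        match = UPROBE_LINE.match(line.strip())
        if match:
            probes.append(match.groupdict())
    return probes


def find_crypto_hooks(text):
    """Return the probes whose target binary matches SENSITIVE_LIBS."""
    return [p for p in parse_uprobe_events(text) if SENSITIVE_LIBS.search(p["path"])]


def read_live_uprobe_events():
    """Read the real registry if tracefs is mounted and readable (needs root)."""
    for path in UPROBE_EVENTS_PATHS:
        try:
            return path.read_text()
        except OSError:
            continue
    return ""


if __name__ == "__main__":
    # Fall back to the constructed sample when run without tracefs access.
    registry = read_live_uprobe_events() or SAMPLE_UPROBE_EVENTS
    for probe in find_crypto_hooks(registry):
        print(f"ALERT {probe['kind']}:{probe['group']}/{probe['event']} "
              f"on {probe['path']} at {probe['offset']}")
```

The check only sees probes registered through tracefs; an attacker who already has root can hook libraries by other means, so this belongs alongside file-integrity monitoring and a baseline of the host's loaded modules, not in place of them.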
"no-one could know about an undisclosed remote management system left by the [data center] provider"<p>Why not? I'm generally familiar with the services offered by dedicated-server/co-lo/VPS providers, and remote management systems are very common. This includes out-of-band (OOB) access when using dedicated systems. Seems like the sort of thing that solid due diligence would pick up. Even if it's completely undocumented, designing a robust security checklist to be completed by the vendor should find this sort of thing.<p>This excuse also makes NordVPN look extremely bad for future use: If you say "nobody could have known" then you're also saying "it could happen again" because if you can't know about it, you can't know if other vendors do the same. If you can stop it from happening in the future by implementing additional measures, that means those additional measures could have been used to prevent it the first time. So either you're inherently insecure, or the issue was preventable.
Did NordVPN know about this hack when they were offering their deal for something like $88 for 3 years? I went back and looked at their prices from 2017 and it was something like $69 to $83.99 billed annually (<a href="https://www.pcworld.com/article/3200777/nordvpn-vpn-review.html" rel="nofollow">https://www.pcworld.com/article/3200777/nordvpn-vpn-review.h...</a>). I've been a NordVPN customer for a while but have been thinking of switching due to some articles touching on nefarious marketing practices and/or questionable data practices. Then I see this deal for $88 for 3 years and it was tempting to re-up. Coincidentally, when the deal ran out the news broke several days later about the hack. I for one will be finding a new VPN provider, but I can't help but think they were trying to rope in as many existing customers as possible before news of the hack broke. Suspect at best.
There's a bittersweet irony with this story. They were recently pushing ads claiming that "Ain't no hacker can steal your online life. (If you use VPN)."<p>The ad has since been deleted :D
Lots of talk here from highly technical folks but not one person brings up the fact that these are expired keys - as in not usable?<p>I understand that the fact that these keys were obtained is concerning but the security of nord and etc prevailed at the end of the day.<p>The question is: were they leaked before they expired or long after?
<a href="https://twitter.com/hexdefined/status/1186214904132300800" rel="nofollow">https://twitter.com/hexdefined/status/1186214904132300800</a><p>The thread indicates that VikingVPN and Torguard were also compromised at some point. Highly concerning.
I guess it depends what you want from your VPN.<p>When I want to secure a shady connection in a coffee house, I have a Raspberry Pi 3 at home that I use only for that purpose with an OpenVPN setup with <a href="https://www.pivpn.io/" rel="nofollow">https://www.pivpn.io/</a> - super easy to use. Downside, I rely on my ISP not to spy on me. Upside, it's mine and unless I'm specifically targeted it's unlikely someone will mitm me.<p>To hide my location for various purposes, I have used TigerVPN. They have been reliable so far, but I wouldn't trust entirely any third party when it comes to privacy. Upside - somewhat reliable and not my ISP. Downside - for all I know someone in the Czech Republic is watching what I stream with a bucket of popcorn
A while ago I read that there was a potential smear war going on between some of the larger VPN providers. Is there any chance that this is related? (I'd prefer more than just a tweet)
This sounds suspiciously like the Supermicro BMC bug reported here a while back[1], and while it actually can be hard to make sure the IPMI stuff doesn't take over a NIC you don't want it to[2], there are things you can do to prevent that, such as explicitly setting IPMI interface and address information so it won't use "smart" behavior to negate all your security.<p>As to whether "no-one could know", well, <i>I</i> knew after I read that HN submission, and at work we made sure to double check all our configs. This ended up being mostly a known problem, but the extra context helped us find another edge case I believe.<p>It's not great that you have to be aware of the latest security problems <i>and how they may interact in obscure ways with system configs</i>, but that's the nature of security and state of the industry right. Not much to do except buckle down and pay attention. To everything.<p>1: <a href="https://news.ycombinator.com/item?id=20870686" rel="nofollow">https://news.ycombinator.com/item?id=20870686</a><p>2: <a href="https://news.ycombinator.com/item?id=20872084" rel="nofollow">https://news.ycombinator.com/item?id=20872084</a>
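The comment above recommends explicitly setting the IPMI interface and address so the BMC does not pick a network on its own. The script below is an added example (not code from the thread or from any vendor) that audits what `ipmitool lan print <channel>` reports and flags the settings that leave out-of-band management exposed: a DHCP-assigned address, no management VLAN tag, a BMC address inside a production network, or the authentication-less RMCP+ cipher suite 0 enabled. The sample output and the production-network list are constructed; the field names are the ones ipmitool prints, and channel 1 is an assumption for the live run.

```python
"""Audit a BMC's LAN channel settings for out-of-band management exposure.

Added example, not from the thread. Parses `ipmitool lan print` output
and reports settings that let the BMC sit on a network it should not be on.
The sample text and PRODUCTION_NETWORKS are constructed for the example.
"""
import ipaddress
import subprocess

# Constructed sample of `ipmitool lan print 1` from a poorly configured BMC.
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : MD5 PASSWORD
Auth Type Enable        : Callback : MD5 PASSWORD
                        : User     : MD5 PASSWORD
                        : Operator : MD5 PASSWORD
                        : Admin    : MD5 PASSWORD
IP Address Source       : DHCP Address
IP Address              : 203.0.113.45
Subnet Mask             : 255.255.255.0
MAC Address             : 0c:c4:7a:00:00:01
Default Gateway IP      : 203.0.113.1
802.1q VLAN ID          : Disabled
802.1q VLAN Priority    : 0
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
"""

# Networks that carry production or public traffic (constructed).
PRODUCTION_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_lan_print(text):
    """Turn `ipmitool lan print` output into a {field: value} dict.

    Continuation lines (leading whitespace, empty key) extend the previous
    field, as ipmitool does for multi-line values such as Auth Type Enable.
    """
    fields = {}
    last_key = None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key:
            fields[key] = value
            last_key = key
        elif last_key is not None:
            fields[last_key] += " | " + value
    return fields


def audit_bmc(fields, production_networks):
    """Return a list of human-readable findings for the parsed LAN settings."""
    findings = []
    if fields.get("IP Address Source", "").startswith("DHCP"):
        findings.append("BMC address comes from DHCP; set it statically so the "
                        "BMC cannot land on an unexpected network")
    if fields.get("802.1q VLAN ID", "") == "Disabled":
        findings.append("no management VLAN tag; BMC traffic shares whatever "
                        "segment the port is patched into")
    try:
        bmc_addr = ipaddress.ip_address(fields.get("IP Address", ""))
    except ValueError:
        bmc_addr = None
    if bmc_addr is not None:
        for net in production_networks:
            if bmc_addr in net:
                findings.append(f"BMC address {bmc_addr} is inside production "
                                f"network {net}")
    # Cipher suite 0 is the IPMI 2.0 suite with no authentication or integrity.
    if "0" in fields.get("RMCP+ Cipher Suites", "").split(","):
        findings.append("RMCP+ cipher suite 0 (no authentication) is enabled")
    return findings


def read_live_lan_print(channel=1):
    """Run ipmitool on the local host; returns "" if it is unavailable."""
    try:
        result = subprocess.run(["ipmitool", "lan", "print", str(channel)],
                                capture_output=True, text=True, check=False)
    except OSError:
        return ""
    return result.stdout


if __name__ == "__main__":
    text = read_live_lan_print() or SAMPLE_LAN_PRINT
    for finding in audit_bmc(parse_lan_print(text), PRODUCTION_NETWORKS):
        print("FINDING:", finding)
```

Run it on the host itself (or feed it saved `ipmitool lan print` output) as part of onboarding a dedicated server; an empty findings list is the baseline to re-check whenever the provider touches the hardware.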
Apart from deanonymizing customers and potentially reading the traffic of customers they sent over the VPN what are other risks for customers?<p>What I'm thinking about is that the VPN essentially tunnels through my firewall so a malicious VPN provider may possibly be able to do things that, for example, an arbitrary web server cannot.
This is difficult to track, as it is really just a sentence attached to some screenshots, with some commentary but no technical detail... but this seem to be a website key, not an OpenVPN key?<p>(edit: And, in fact, this is confirmed by NordVPN's statements on the matter: "The expired TLS key was taken at the same time the datacenter was exploited. However, the key couldn’t possibly have been used to decrypt the VPN traffic of any other server. On the same note, the only possible way to abuse website traffic was by performing a personalized and complicated MiTM attack to intercept a single connection that tried to access nordvpn.com.")
I remember last week's episode on Darknet Diaries where NordVPN was offering 3y plans for a hefty discount. My first reaction was "Are they going out of business ?"<p>This week's news lets me make sense of that ad.
So what does this mean for an every day consumer? I had been debating using the 30-day money back guarantee as I realised I didn't use it as much as I thought I would. I want to stay protected on public Wifi. Added anonymity occasionally would be good too, as well as accessing US Netflix from here in the UK.<p>Now my 30 days is up. What would be the best course of action? Should I email and say that I'm not comfortable being their customer any more, and ask to be reimbursed? Carry on, for my use case? I'd never connected to a Finnish server.
Why would their website's SSL certificate be on one of their VPN servers? Do all of their current 3000 servers have the private key for their website right now?
See also: <a href="https://news.ycombinator.com/item?id=21311475" rel="nofollow">https://news.ycombinator.com/item?id=21311475</a>
I'm frankly blown away that the comments I'm seeing here don't suggest to just roll your own.<p>$5/mo is the typical price nowadays for a 1 GB VPS with 1TB upload. Cancel at any time. Save image, redeploy monthly/weekly/daily to protect from longer term IP address tracking. Use scheme of your choice (e.g., SOCKS proxy, VPN, standard HTTP port for everything, etc.)
People have been talking about using VPNs because of "dangerous" public wifi, but I have to admit, I don't understand the risks.<p>Let's say you go to a coffee house and sign in to their wifi with their password and use it to browse https websites, like gmail or your favorite social media... what's the main risk? What can happen? What <i>does</i> happen?
I only use NordVPN to get around GeoIP blocks on a couple of streaming apps. So I'm not too worried about my data being compromised, but I don't like the way they handled this. Think I'll start looking for another provider?<p>Looks like you can side load OpenVPN onto a FireTV. Maybe I'll go the roll my own this time.
Wasn't NordVPN the one that was created by a marketeer? I wouldn't be surprised if this was just cover for them to sell their customers' data indirectly. If anybody finds a dump of the data they sold they could just claim it was from the breach.
NordVPN blog post, and the source: <a href="https://nordvpn.com/blog/official-response-datacenter-breach/" rel="nofollow">https://nordvpn.com/blog/official-response-datacenter-breach...</a>
This is a feature in my eyes. Just stack a bunch of these hacked by different people who don't cooperate with each other. Now any user has plausible deniability over anything that happens on these networks. No?
Get a VPS and run your own VPN. It doesn't have to be complicated: <a href="https://github.com/jedisct1/dsvpn" rel="nofollow">https://github.com/jedisct1/dsvpn</a>
The interesting thing about OOB on most modern servers is that it's a separate, physical NIC. Not only is that easily VLAN-able, a more security conscious datacenter could even air-gap the out-of-band LAN!
From the amazing service providing “Double VPN” (yes, really) for extra privacy and “Onion VPN” (with the Tor bit being behind NordVPN, not the other way around) for ultra extra privacy!
Any comments about Encrypt.me as a NordVPN alternative?<p>It looks <i>much</i> more reliable. (from their website; the team's CV's; etc -> i.e.: no hard evidence)
Anyone know WHICH server provider in Finland caused this?<p>Just following the chain, because NordVPN says it was this provider who did not tell them about their security leak?
Can't get hacked if you don't use a VPN.<p>I use sshuttle (<a href="https://www.terminalbytes.com/sshuttle-vpn-over-ssh-vpn-alternative/" rel="nofollow">https://www.terminalbytes.com/sshuttle-vpn-over-ssh-vpn-alte...</a>).
There are quite a lot of anti NordVPN and VPN in general experts pontificating here. A quick scroll down through all comments and I note a distinct <i>lack</i> of green handles.<p>This is a 500+ comment article with hardly any near null comment commentards. My analysis is not very rigorous.
Could this be another marketing trick to lure more customers? Last time I checked, companies are actually favourable when they "get slightly hacked". They get front page from top tech websites, magazines, forums...
The best thing NordVPN can do right now is make a statement that clearly and honestly describes how its users are affected. No bullshit marketing language, no trying to hide facts, just a short and simple explanation of what this means for users and what they should do next.
@dang or mods - I'm surprised that this isn't merged with <a href="https://news.ycombinator.com/item?id=21311475" rel="nofollow">https://news.ycombinator.com/item?id=21311475</a> ; is there some special value in keeping them separate?
If you're reading this and wondering which VPN service you should use to stay safe, start reading here: <a href="https://faq.dhol.es/@Soatok/cryptography/which-vpn-service-will-protect-me-from-hackers" rel="nofollow">https://faq.dhol.es/@Soatok/cryptography/which-vpn-service-w...</a><p>(Spoiler: You're asking yourself the wrong question.)