
Well, it was only a matter of time before the FBI infiltrated the major VPN services. They've been inside Cisco for years so this was just the next step. Paranoid? Me? No.
Weird things are afoot with NordVPN's app and the traffic it generates - Reg readers have spotted it contacting strange domains in the same way compromised machines talk to botnets' command-and-control servers. Although NordVPN has told us this is expected behaviour by the app and is intended as a counter-blocking mechanism, …
"They've been inside Cisco for years so this was just the next step."
Are you still suggesting government mandated Lawful Intercept (aka CALEA in the US or EU C 329 in Europe) is somehow a Cisco exclusive issue, as though using other vendors avoids the issue?
I understand that you're paranoid, but paranoid and poorly informed tends to lead to mistakes...
Without specific inside knowledge of the VPN providers, I would assume they are subject to the same Lawful Intercept requirements as conventional ISPs/telcos. You're unlikely (my guess, not a legal opinion...) to get monitored for minor copyright violations, but end up on any watchlists or high profile crimes in your home country and a commercial VPN provider is unlikely to offer any anonymity.
Note: this assumes you are based in a country that has a lawful intercept policy (US/Canada/EU/Australia/NZ/Russia). For China and other countries known to closely monitor Internet traffic, I would expect similar actions. Outside of that, you would need to look into your own specific circumstances.
Some of the major manufacturers have had very specific security doors in them for years. I can't prove it but you can't prove it's not true. Regardless of laws in place to protect us, consumers, anybody... when the FBI and the Government come-a-knocking at your Cisco door, what do you do? You take the advice, you build in the little doors and you accept the orders and protection and keep quiet.
Why do you think Huawei is under attack now? Partly because the FBI assume the Chinese Govt are doing what the FBI have been doing for years and partly in support of the American firms which have been playing ball for years.
This NordVPN issue looks like a cover for something else. What's been found is not likely to be the real issue - that will be deeper hidden. Of course the FBI don't need to see the data you're transferring, they just need to know who you are and they can take it from there and even this sloppy issue does go some way to telling them who you are.
For the FBI at least, there's a fair few articles suggesting that Cisco has at least acknowledged that the backdoors existed (https://www.zdnet.com/article/cisco-removed-its-seventh-backdoor-account-this-year-and-thats-a-good-thing/), although no confirmation that they were FBI driven. Outside of that though I'm not aware of any such thing outside of China, which seems primarily targeted at the internal rather than external market
"For the FBI at least, there's a fair few articles suggesting that Cisco has at least acknowledged that the backdoors existed"
As Cisco's product range is so broad, there are many security issues that are either not relevant to most environments or shouldn't be relevant to many environments. A lot of the backdoor accounts are in management tools that should be of limited risk (i.e. not open to external threats) and were a consequence of how Cisco presented their Linux tools to customers, usually via a GUI with limited direct OS access. In my experience, a number of appliance vendors had similar issues when they tried to provide restricted access to the underlying OS but still allowed access via troubleshooting tools.
That isn't to say they shouldn't be fixed, but access to network management data from an internal network will generally be of less value than access to the network in the first place, so the risk should be assessed as such.
If the comment is aimed at Cisco's security culture, then that's a judgement call. My security concerns around Cisco are largely around the quantity of legacy code that they depend on (as evidenced by security bulletins related to OpenSSL) rather than government plants.
In most security sensitive environments, multiple vendors will be used, be it for firewalls, IPS/IDS systems, compliance tools or anything with a potential external attack surface. Having back doors from any vendor (Cisco, Huawei or anyone else) is very likely to be spotted by someone over the time frames the products have been in-place.
Where government agencies have been able to infiltrate networks, the weaknesses have generally been in operational practices rather than the hardware platforms - I include not installing known good firmware on new hardware in that category which has been one of the most popular vectors.
Improving operational security practices will likely result in significantly greater security benefits than believing the bogeyman is hiding in vendor X. At least until someone proves otherwise.
"Some of the major manufacturers have had very specific security doors in them for years."
Yes - it's called lawful intercept. If you want to provide carrier-grade equipment, you need to support the ability to direct specific traffic to law enforcement systems for further analysis.
You can even find out how to configure Huawei equipment to do it with a simple google search (i.e. https://webcache.googleusercontent.com/search?q=cache:be6czF9UBSAJ:https://support.huawei.com/enterprise/en/doc/EDOC0100504796%3Fsection%3Dj00b+&cd=3&hl=en&ct=clnk&gl=uk&client=firefox-b-d).
Why is Huawei under attack now? Primarily because they have a significant technology lead on western communications equipment providers. Huawei have undercut competitors historically in competitive tender processes (that's a statement rather than a judgement) and western companies have relied on their intellectual property to prop up their revenues as the Enterprise market has disappeared - a number of missteps across the industry (Marconi's demise, Nortel's bankruptcy, Nokia's mobile division being uncompetitive in smartphones resulting in their carrier business suffering from underinvestment, the Lucent-Alcatel merger providing limited synergies/value, and further merger challenges within Ericsson-Lucent and Siemens-Nokia. While Cisco/Juniper/others provide routers/switches for the IP portion of the systems, this is generally a tiny proportion of a telecoms provider's estate by value/functionality).
The attacks on Huawei are around the levels of comfort western governments have with a Chinese communications equipment provider, but the arguments presented are largely "what if" at present - I'm not convinced there is solid evidence that they may cause issues if the market remains diverse and alternatives remain.
Financially, I'm not sure serious alternatives to Huawei/ZTE will remain in 5-10 years if Huawei competes purely on features and price as the alternatives will struggle to survive, or at least become minority players in a Huawei world. That's more a judgement on the western telecommunications companies rather than an attack on Huawei, although Huawei have certainly benefited from China's industrial strength.
For the NordVPN issue, it will be interesting to see what appears. I would guess it was development/testing code to assist with operational issues around availability/failover/fault detection, but I'm surprised they didn't register the domains for themselves to avoid issues with others doing it and grabbing the traffic.
"That's more a judgement on the western telecommunications companies rather than an attack on Huawei, although Huawei have certainly benefited from China's industrial strength."
Yup.
It should be realised that the _core_ of most Huawei kit is American (usually Broadcom) silicon, running an American hardened embedded Linux operating system (https://www.windriver.com/company/) and unfortunately then badly bodged by hordes of Bangalore "payment by the yard" programmers.
on the FUD front:
The rather infamous "Huawei switches are full of security holes" video on YouTube a few years back was actually a demonstration of their white-labelled (under licence), rebadged 3com stuff running Comware - the EXACT SAME HOLES (and worse) were in 3com kit - and since HP acquired 3com those holes have started popping up in HP kit.
What's more interesting is the _timing_ of that presentation and video release - just as Huawei dumped 3com and went with their fully independent Wind River Linux VRP systems running on Broadcom Trident family chipsets (the exact same chipset Cisco were using in their high end Nexus stuff for 5 times the price, but on par with HP and Juniper's pricing for the same chipsets)
Cisco reps used that video presentation as their major selling point "Don't buy Huawei" and got rather pissed off when I pointed out in a room full of people that the code in question was 3com's, bearing no relationship to Huawei's then-current range of switches on sale (Quidways and Cloudengines are all Broadcom/Windriver systems). They then effectively tried climbing under a desk when I asked about the videos of NSA intercepts of cisco kit that had started circulating - it was clear they had no answer for it and their entire sales push was based on "We're Cisco, buy from us, or else"
I did have a good laugh(*) when a Cisco seller offered us "fantastic 90% discounts off list price" - then took umbrage when I pointed out that I could buy the exact same kit cheaper off the shelf from Insight and other brands for half that.
(*) Loudly, in their faces. BT Inet didn't like that.
Speaking from experience, Marconi, Nortel helped a small startup company in Oxfordshire (we bought both Nortel and Marconi). That startup is now based in the USA and the old Marconi plant is no longer, not sure about the Nortel plant in Paignton.
Even back then the largest client for optoelectronics was Huawei, but you don't need to compromise the switch, you can quite easily tap directly into the fibre connect at the point where the amplifiers are based. You may think that fibre can transmit to some near infinite distance but there is an actual physical limit to how far it can go before you need to boost the signal again. At this point you can then take a small tap, ostensibly to check the signal strength prior to boosting, but there's no reason why you couldn't redirect a copy of the signal to any intelligence service at that point. All completely invisible to the rest of the network.
More likely a reference to code found on CISCO equipment, obviously written by insiders, that was not supposed to be there and added hidden functionality useful to the 5 Eyes community; FACT and not lost on China who have specifically mentioned CISCO in past official statements. And 'we' have the gall to moan about Huawei. STAY PARANOID, STAY SAFE.
5 Eyes taps cables, they don’t really require equipment manufacturers to put in backdoors to make accessing the data easier - the possible exception being some NSA mandated encryption algorithms with known weaknesses, but as they were using NSA validated libraries and present across the industry, again Cisco only get the attention due to quantity. There have been well written backdoors for Cisco and other firewall manufacturers, but they required custom firmware. Beyond that, there have been bugs, but the vast majority could be mitigated by OS protections (ie ACLs) or defence in depth (ie separating management plane traffic to a specific interface/network and firewalls between untrusted networks and trusted networks).
And given Huawei's past, I'm unsurprised they have moaned about Cisco code quality...
"5 Eyes taps cables, they don’t really require equipment manufacturers to put in backdoors to make accessing the data easier"
I've worked in Telcos and can assure you that you're incorrect.
Companies which won't play ball on inserting backdoors are the companies which get "national security orders" prohibiting their products being used in XYZ country.
Don't forget: https://www.youtube.com/watch?v=1efOs0BsE0g
"5 Eyes taps cables
I've worked in Telcos and can assure you that you're incorrect."
Oh yes they do - it's a practice that dates back to analogue lines. At least they do at international entry points in Australia, New Zealand and the UK.
I'm less certain of the tap locations in the US and Canada but assume a similar path is followed.
Hanlon's razor: Never attribute to malice that which is adequately explained by stupidity
It's all probably fine, but all it takes is one bad explanation and all trust in a company is destroyed. Even if they now come up with a reasonable explanation, we're not going to believe them. If they'd just come clean up front and said something like "yeah, it's keep alive, we just accidentally sent through some slightly sensitive headers, but we're fixing that" then there wouldn't be much of a story here (assuming that _is_ what it is and there isn't something malicious going on).
I'm inclined to agree with you. VPNs do like to run bogus traffic to fool "deep packet inspection" by various networks.
I think the risks for us users are in the inability of verifying whether they do actually collect and retain any data although they say they don't.
Since they (mostly) don't own the domains how can they collect and retain any data?
Since they don't own the domains they could be registered by anyone, and were by the researcher in the article. NordVPN and their users have no control of any data the domain owners might store and don't even know who they are.
"Since they (mostly) don't own the domains how can they collect and retain any data?"
Because all the traffic has to go through their servers first (remember, they're a VPN, meaning they stand between you and the supposed destination). Furthermore, since they're an encryption endpoint, they can operate "outside the envelope" and are free to sniff the request before passing it on.
Sooo.... if it is accidentally leaking out, but they don't have the domains registered, then the only thing that leaks is the DNS request itself. Which oddly, looks like it _could_ have a small amount of information encoded in it. But the only entity that could reliably access that would be the folks who run the core DNS servers?
I don't understand any of this stuff btw, so I'm just throwing it out there! :D
"Never attribute to malice that which is adequately explained by stupidity"
Malicious or stupid I'd run as far away as quickly as possible if I cared.
Honestly I never understood the proliferation of VPN services. The kind of people who use the internet to post nonsense on facebook shouldn't care and the people who should IMHO should be capable of finding a howto on OpenVPN - or ToR. GCHQ considers ToR secure enough to use for their own purposes, so no reason you shouldn't.
It occurs to me that non-registered domains might still be useful if you controlled the local dns; because, when required, the domains in question might perhaps be simulated as being more existent than would normally be expected. (although feel free to offer corrections on this...)
The article said it's expecting to receive compressed content, not that it's sending compressed content... Nothing to decompress!
But anyway, who said anything about encryption? I assume "lvm"'s point was that this header can appear on any request - it doesn't hint at "expect a large payload in response".
I assume "lvm"'s point was that this header can appear on any request - it doesn't hint at "expect a large payload in response".
To be fair, I don't think the article made any claim about a "large" content-body being expected.
But I agree that "Accept-encoding: gzip" is typically added to all requests by HTTP client libraries that handle the gzip transfer-encoding. The library neither knows nor cares whether the client application anticipates a content-body.
That said, I don't think that passage is much evidence of "technical ineptness", either. Hard as it may be for lvm to believe, there are areas of technical expertise other than HTTP.
My theory is that a VPN service that needs to pay dozens (or hundreds) of big (Non-IT) Youtubers to talk up their product is probably not a VPN I would want to use. This seems to confirm it.
(Seriously, for a while you could barely watch a youtube vid without it turning into a NordVPN ad at some point)
"(Seriously, for a while you could barely watch a youtube vid without it turning into a NordVPN ad at some point)"
I assume you are referring to the ads served before/during/after the content rather than it being part of the content.
Doesn't Google determine the ads they serve you rather than the content providers? The content providers just get a share of the revenue.
"I assume you are referring to the ads served before/during/after the content rather than it being part of the content."
I see NordVPN advertised quite a lot by the YouTubers themselves as part of their content, not by YouTube's ad system.
I have Nord on my tablet, and often watch YT vids last thing at night, or if I wake up during the night and have trouble going back to sleep. Most topics are on bikes, gardening (and some related stuff), and Christian themes but I do have some tech stuff in there. Most of the tech related stuff are related to non-computer electronics eg power generation/regulation or water handling (yes, with electronics :) ).
I've not had one single ad for Nord, either within the vids or within the normal ad stream (at least not while I've been awake - maybe some of the people I fall asleep through talk of Nord but I've not heard it).
Perhaps it is something related to who you watch or the sort of videos you watch? Your videos are more likely to bring up those who use/talk up Nord, mine are more likely to bring up other stuff.
Jayz2cents is heavily sponsored by NordVPN, whilst LTT switched from TunnelBear to PIA as a sponsor a couple of years ago... after TunnelBear was bought out by a big name who refused to say if they would continue to offer a no-logging service.
I've been using Anonine for a few years now and haven't had any issues at all... It's set up on my PC's, phones, tablets and android TV boxes.
I've personally been using Cryptostorm, which is both inexpensive and accepts cryptocurrency. The setup is token-based so renewing your subscription means updating your login information, but that's not that much of an inconvenience(if you're truly paranoid, you can get each new token from a different reseller to better cover your tracks). The nameservers also support .onion addresses natively if that's your thing.
You want to VPN because you don't trust the third-parties who are transiting your connection.
So you VPN with a random third-party who is subject to those other third-party's whims.
Great idea! Thumbs up! Well done! Top security!
A VPN is for you to place OVER an untrusted connection to form a trusted connection between two computers / network. As soon as you insert a random third-party app, or indeed VPN provider, into that connection it's even-more-untrusted than it was before, and there's another party who you have to trust entirely with all your data which - as this and many other incidents show - is a really, really, really poor idea.
And, let's be honest, to do what? Watch YouTube or BBC past geographical restrictions? It's just not worth the effort, just stop consuming their media.
Anything more nefarious, you're really an idiot to trust that intermediary with that information, you're basically flagging yourself up and THEN handing them your data on a plate.
If you want to do something "private", insert as few third-parties as possible into the trust chain. Hell, the reason I run my TV from a RPi is so that I can dial into it from abroad and do that same kind of thing, rather than have to trust anyone not-to-dob-me-in (I used to use TVPlayer.com, but half the stuff is content-restricted still EVEN THOUGH I'm paying for it... and often with Irish local programmes and adverts... I can literally do a better job with an aerial and a Raspberry Pi).
And I'll tell you something else... rent a server and pretty much nobody cares what traffic you do on it, so long as you don't flag up. You can rent a VPS or dedi for next to nothing nowadays, in any country you like, and they'll often pre-load VPN access for you.
And if you value absolute anonymity, for anything more cheeky than a bit of British TV, you can't use any connection registered to your name, or your normal desktop browser, it's as simple as that. Paying NordVPN to offer you a VPN is literally just handing your name to the authorities if you're doing anything remotely naughty anyway. If you're gonna do that, Bitcoin a dedi (plenty of people doing that), Tor the connection, access it as a "desktop" from nearby public wifi (not your home connection) and use it that way.
You can't trust even the people you pay to give you a privacy-secure VPN.
You can't use any paying service to give you a "criminally"-secure VPN.
So stop trying. Either do it yourself (a VPN device at home and a VPN in a VPS somewhere), or actually do it properly with no association to yourself whatsoever.
GCHQ/NSA/FBI/MI5/MI6/SOCA/China etc should just launch their own VPN service and be done with it. If you're a Brit and don't want a non-sanctioned foreign nation to be prying on your data then perhaps our government comms experts could come up with a solution to keep our comms safe and in the UK and turn a coin at the same time. Solves the third party trust issue and also gives sanctioned permission to monitor the customers' comms for quality purposes etc.
They see our traffic anyway so probably not too hard to roll out.
"but why would their client send keep-alive messages outside the VPN"
The three potential VALID reasons I can think of (there may be more):
- they may be recording DNS/HTTPS response metrics for quality control/debug purposes. This may or may not have reached production quality code.
- it may be used to determine network reachability, i.e. reliably determining if you have connectivity to DNS inside the tunnel/outside the tunnel and if failing over to another NordVPN server site is required. If this is the case, it's not well thought through - they should own the DNS zone, not just make one up...
- it may be used to determine if you are using NordVPN DNS servers or another provider's, to identify if you are potentially leaking browsing details via DNS outside of NordVPN
The less valid reason is that it was a test feature that was accidentally deployed to production without full awareness from operational staff. This would also explain the apparent confusion.
They did much the same for me. I was asked by friends moved from overseas to look through some and I did spend some time looking into them. Nord did beat out the others even though their advertising campaign raised flags with me.
I gave my results to these people and they settled on Nord. I also use the app on a couple of my machines for now for monitoring/testing, and I am seeing a concern with this machine in that while I run Devuan, the Nord app is now insisting on SystemD as a dependency.
Nord people take note : I do not consider that multitentacled blob to be safe, and that is a black mark for the future. While Nord requires systemd it is put into the category of "cannot be trusted".
Not using Nord, and not defending them but:
Might it be that it's looking desperately for SysD's systemd-resolved.service and/ or openvpn.service but can't find? (which are crap BTW because they leak DNS like a bucket without a bottom, but hey...). Then again, it could also be that something in Devuan points in the wrong direction (e.g. whatever "networkmanager" you're using..?). Did you see this behaviour also with other VPNs, e.g. an open/ free (academic) one for test purposes?
Might it be that it's looking desperately for SysD's systemd-resolved.service and/ or openvpn.service but can't find?
Nope.
There is a pending update on the system. I had flagged it to go through but saw systemd come up in the list of "other stuff that will be installed". I'd do a screenshot but that machine is 50 miles away tonight and I ain't giving up my weekend just to check that :)
...in the list of "other stuff that will be installed"...
Hmmm, that indeed sounds like a dependency thing, something calling for sysD to be installed.
And yes, you're absolutely right. Weekend has other priorities! --- --- --->
Real life experience shows however, that brain utilising/ wrecking issues are best left until Monday afternoon... ☺
While Nord requires systemd it is put into the category of "cannot be trusted".
A lot of folks don't trust systemd because of complexity. I don't trust it because it's too unreliable to entrust with something like a VPN connection.
I've had many punch-ups with systemd over the years, but last weekend was more like the Freezer Ambush in terms of property destruction. And it didn't even stop to answer the telephone.
A lot of folks don't trust systemd because of complexity. I don't trust it because it's too unreliable to entrust with something like a VPN connection.
It's complex, tries to do too much (vs the old "Do one thing and do it well"), lots of potential for security issues.
And the people leading the project don't exactly portray an attitude that fills me with confidence either.
If I wanted those issues I'd be running Windows!
If you redirect garbage domains in house to your own server, change GET to POST in the handling code and return a cookie, then the log can get much more interesting. A list of potential cookie names can be found in the VPN memory image and the thing gets chatty.
Someone needs to hack a DNS local resolver like named/bind to do something useful with regex patterns. It would be so cool to be able to tell it "add regexzone /^[a-z0-9]{32,64}/ ; file local_capture"
Trivially easy for GCHQ/NSA etc to detect the pattern in these requests, extract the metadata and build up a database of who is using NordVPN. Then correlate the IP with other sources and build up a target list for dropping a ‘package’ onto the PC.
In all likelihood the emitted domains like f5d599a39d02caef1984e95fdc606f838893ffc5[dot]com encode information, maybe the CPU so they know which back door on the Intel management interface to exploit.
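The three comments above (redirecting the garbage domains to a server you control, a resolver rule keyed on a regex such as /^[a-z0-9]{32,64}/, and spotting the pattern in query logs to list the clients that emit it) all reduce to the same job: pick out single-label hex hostnames under .com/.info/.xyz from DNS query logs, group them by client, and turn the observed names into explicit sinkhole records, since BIND's response-policy zones have no regex support. The Python below is an added example written for this page, not code from the article, from NordVPN or from any commenter. The log lines are constructed, the "client qname qtype" log layout is an assumption, and 192.0.2.1 is a documentation address standing in for whatever host you would redirect the names to.

```python
import re
from collections import defaultdict

# Leftmost label: 32-64 lowercase hex characters (the regex the comment above asks for).
HEX_LABEL = re.compile(r"^[0-9a-f]{32,64}$")
# The three TLDs reported in this thread; anything else is left alone.
WATCHED_TLDS = {"com", "info", "xyz"}

# Constructed sample log, one query per line: "<client ip> <qname> <qtype>".
# Not a real capture; the 40-hex-char label is the one quoted in the thread.
SAMPLE_LOG = """\
10.0.0.5 f5d599a39d02caef1984e95fdc606f838893ffc5.com A
10.0.0.5 f5d599a39d02caef1984e95fdc606f838893ffc5.info A
10.0.0.5 f5d599a39d02caef1984e95fdc606f838893ffc5.xyz A
10.0.0.7 www.example.com A
10.0.0.9 0123456789abcdef0123456789abcdef.com A
10.0.0.9 0123456789abcdef0123456789abcde.com A
10.0.0.9 mail.example.org MX
10.0.0.5 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef.xyz A
10.0.0.7 f5d599a39d02caef1984e95fdc606f838893ffc5.net A
"""


def parse_line(line):
    """Split one log line into (client, qname, qtype); qname is normalised."""
    client, qname, qtype = line.split()
    return client, qname.rstrip(".").lower(), qtype


def is_suspect(qname, tlds=WATCHED_TLDS):
    """True for <32-64 hex chars>.<watched tld> and nothing else.

    Exactly two labels are required: a hex label under a registered
    second-level domain (e.g. deadbeef...example.com) is not this pattern.
    """
    labels = qname.split(".")
    if len(labels) != 2:
        return False
    label, tld = labels
    return tld in tlds and HEX_LABEL.match(label) is not None


def analyse(log_text):
    """Per client IP: how many matching queries and which distinct labels."""
    per_client = defaultdict(lambda: {"queries": 0, "labels": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname, _qtype = parse_line(line)
        if is_suspect(qname):
            rec = per_client[client]
            rec["queries"] += 1
            rec["labels"].add(qname.split(".")[0])
    return dict(per_client)


def sinkhole_entries(report, sink_ip="192.0.2.1", tlds=WATCHED_TLDS):
    """RPZ-style A records for every observed label under every watched TLD.

    Response-policy zones match literal names, so the regex hit list has to be
    expanded into explicit records; the record layout here is an assumption.
    """
    names = sorted(
        f"{label}.{tld}"
        for rec in report.values()
        for label in rec["labels"]
        for tld in sorted(tlds)
    )
    return [f"{name} IN A {sink_ip}" for name in names]


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for client, rec in sorted(report.items()):
        print(f"{client}: {rec['queries']} queries, {len(rec['labels'])} distinct labels")
    print("\n".join(sinkhole_entries(report)))
```

On the sample above, 10.0.0.5 and 10.0.0.9 are flagged and 10.0.0.7 is not: its hex name is under .net, which is outside the watched set, so widen WATCHED_TLDS if you want to catch that too. The 31-character label from 10.0.0.9 is deliberately one short of the threshold and is ignored.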
Hm, Laura Tyrell. I wonder if her father is Eldon Tyrell of the infamous Tyrell Corporation? Maybe she's trying to cover for some sort of new auto-tracking communications built into their replicants. This would be a cheaper method of tracking them rather than having a blade runner hunt and retire them.
"Yup, plenty of unique user information there – and that gzip string looks rather like the client is expecting to receive a payload from the server. Curiouser and curiouser."
I think you may be overthinking things here. Accept Encoding: gzip simply means that the user agent will accept a reply that's compressed using gzip.
For example if I have a website, I can use gzip compression to reduce the amount of data that's sent down the link. However the browser does need to indicate that it will accept that compression type, otherwise the web pages are sent in an uncompressed form.
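To make the point in the two comments above concrete, here is the negotiation the Accept-Encoding header actually drives, as an added example written for this page (not the article's code and nothing to do with NordVPN's client): the request carries "Accept-Encoding: gzip" whether or not any response body is expected, the server compresses only if the client said it accepts gzip with a non-zero q-value, and the client decompresses only when the response says Content-Encoding: gzip. The minimal request builder and the dict-based header handling are simplifications of what a real HTTP library does.

```python
import gzip


def parse_accept_encoding(header_value):
    """Codings the client will accept, honouring 'q=0' as an explicit refusal."""
    accepted = set()
    for part in (header_value or "").split(","):
        part = part.strip()
        if not part:
            continue
        coding, _, params = part.partition(";")
        q = 1.0
        for param in params.split(";"):
            key, _, value = param.strip().partition("=")
            if key.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0
        if q > 0:
            accepted.add(coding.strip().lower())
    return accepted


def build_request(method, path, host):
    """Client side: a typical library adds Accept-Encoding to every request,
    including a plain GET that may get an empty response back."""
    headers = {"Host": host, "Accept-Encoding": "gzip"}
    head = "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return f"{method} {path} HTTP/1.1\r\n{head}\r\n"


def build_response(request_headers, body):
    """Server side: compress only if the client declared it can cope."""
    if "gzip" in parse_accept_encoding(request_headers.get("Accept-Encoding")):
        return {"Content-Encoding": "gzip"}, gzip.compress(body)
    return {}, body


def read_response(response_headers, payload):
    """Client side: decompress only when the server says it compressed."""
    if response_headers.get("Content-Encoding") == "gzip":
        return gzip.decompress(payload)
    return payload


if __name__ == "__main__":
    body = b"<html>" + b"x" * 2000 + b"</html>"
    req = build_request("GET", "/", "example.com")
    hdrs, wire = build_response({"Accept-Encoding": "gzip"}, body)
    print(req)
    print(hdrs, len(body), "->", len(wire), "bytes on the wire")
    assert read_response(hdrs, wire) == body
```

A client that sends "Accept-Encoding: gzip;q=0" is refusing gzip, and a server that ignores the q-value and compresses anyway will hand it bytes it cannot read; that is the one edge case in the header worth handling explicitly.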
I have denied manually each attempt from NordVPN to connect to this kind of URLs, and I have selected the rules in the LittleSnitch conf and use "export conf" which counts the number of rules.
Each time there is a connection to a URL, it tries 3 times to
- [dot] com
- [dot] info
- [dot] xyz