back to article Q. Who's triumphantly slamming barn door shut after horse bolted at warp 9? A. NordVPN

2019 has been a bad year for NordVPN on the security front. And so, in full damage limitation mode, the private networking biz has outlined steps it is taking to improve its defenses. Steps, we note, that should have been in place to begin with, but hey, hindsight is 20-20. The VPN provider says it will undertake five …

  1. oldtaku Silver badge
    FAIL

    Remote Management SYstem

    'Creanova said NordVPN knew the remote management system was installed and that NordVPN failed to lock it down. NordVPN claimed it had no idea this God-mode-level access was present in the box'

    I know exactly how this probably happened, been there before. Someone from NordVPN wanted access to the box to debug or install something and used TeamViewer / VNC / whatever. Then they finished and didn't remove it. 'NordVPN' knew, but only that one guy knew - and he forgot. And nobody else at NordVPN had any idea. So you've got an old version of [remote access program] sitting there and someone compromised it - for instance, remember that big rash of TeamViewer hacks about two years ago?

    1. Anonymous Coward
      Anonymous Coward

      Re: Remote Management SYstem

      Yes, your scenario is probably accurate. So many management tools are being used to keep productivity up, but they aren't properly updated, documented or removed, again to keep productivity up. And then the user leaves the company or perhaps gets let go and the management tool becomes a vulnerability. Perhaps the former employee goes into disgruntled mode and sells access to the management tools he/she added to the servers.

    2. Halfmad

      Re: Remote Management SYstem

      That's entirely irrelevant, managing your assets, having a good up to date audit of what is installed on your endpoints and servers is IT management 101. You can't secure something if you don't know what you have, they didn't know. This is just one of likely many failings on their part.

      So likely they had no inventory, no vulnerability scanning, no third party patching solutions etc at a minimum.

    3. Anonymous Coward Silver badge
      Boffin

      Re: Remote Management SYstem

      It was a rented server, so more likely some form of IP KVM (iDRAC, iLO, ...) to allow remote bare-metal installs etc. Otherwise it wouldn't be described as a "god-mode-level access".

      This type of system runs at BIOS/hardware level rather than under the OS, so they wouldn't just 'notice' that it was there unless they already knew/were told.

      (Or they might have rented a virtual server and the hypervisor was compromised)

      1. rmason

        Re: Remote Management SYstem

        Yup. It was precisely this. Not teamviewer et al.

        There was a user on (ilo/idrac/etc) with a weak password, and no one was doing ilo/idrac/etc patching.

        1. phuzz Silver badge

          Re: Remote Management SYstem

          I'd still like to know exactly how access to the ilo gave an attacker full access to all the traffic.

          None of the one's I've used myself have anything like a packet sniffer built in.

          1. jelabarre59

            Re: Remote Management SYstem

            I'd still like to know exactly how access to the ilo gave an attacker full access to all the traffic.

            My guess would be they found a remote console still logged in as a root/admin. At that point it's akin to being at the physical server, (some OOB management tools will let you attach a disk image remotely).

        2. Androgynous Cow Herd

          Re: Remote Management SYstem

          Weak password?

          just guessing...maybe "root/calvin"?

  2. JohnFen

    I'm torn

    I've been considering signing up for a commercial VPN service, and Nord was one of the providers on my list. Now, I'm torn.

    On the one hand, since they've been burned it's quite likely that their service will be among the most secure such offerings as a result.

    On the other hand, the amount of time between when Nord discovered the breach and when they disclosed it was quite large. I'm not so sure I can trust them to let me know about future breaches in a timely manner.

    1. Velv
      Boffin

      Re: I'm torn

      I really dislike NordVPN's averts and their pitch for why home users need one - you probably don't need a VPN and it what it enhances in security it also detracts.

      VPNs secure point to point communication. Great if you're a business and you want to secure your staff traffic from their device into your network (i.e. it terminates inside your control). Nobody can snoop the traffic on an open part of the Internet.

      If you're a home user doing your banking, shopping, etc, a) the traffic is already encrypted by the bank (https), and b), tunnelling on a VPN from your device to a VPN exit point in Finland then crossing the open Internet to your bank actually makes the routing worse.

      There are valid use cases for home users of VPNs, but it's not what they say on the adverts. Consider carefully before you part with good money for a commercial VPN service. You might have a valid use case, or you might be spending money to reduce your security.

      1. Sir Runcible Spoon

        Re: I'm torn

        "tunnelling on a VPN from your device to a VPN exit point in Finland"

        I haven't looked into their service in detail, but I'd be surprised if their only exit nodes were in Finland.

        1. Velv
          Boffin

          Re: I'm torn

          Yes, indeed Nord boast 5145 servers in 59 countries. I was merely singling Finland out as it was mentioned in the article and I wanted to make it clear it was outside the UK so actually sending traffic out of the country to re-enter it via the open Internet.

      2. Pascal Monett Silver badge

        Re: I'm torn

        As far as I'm concerned, for the home user there is most likely only one use case : viewing videos when your IP is deemed unworthy of being granted the privilege.

        What's that, BBC ? You don't want me to check out that short informational video you made on <some subject> ? Fine, I fire up TunnelBear, choose the UK as my exit point, and I can view the video now.

        I'm not saying I do it all day long, but it's an available solution to a problem that should not exist in the first place.

        Apart from that though, I have no idea why I would want to use a VPN all day long.

        1. Jon Blund

          Re: I'm torn

          @pascal monett Have you tried that in practice? I find the BBC cleverer than that, there are other ways of working out where you are like asking your browser, and Google is always ready to spill the beans...

          1. FrogsAndChips Silver badge

            Re: I'm torn

            Not tried with the BBC, but I've found TunnelBear generally quite effective at letting me access geo-restricted websites.

      3. JohnFen

        Re: I'm torn

        My use case is quite specific -- I use a VPN that I run myself to secure my mobile and WiFi communications, and in terms of general security, I'm quite comfortable with that solution. However, it doesn't protect me from snooping by my ISP. In order to do that, I need a VPN that is run on the other side of my internet connection, thus my consideration of using a commercial service.

        I don't actually care about things like protection from hackers, being able to appear to be in a different geographical area, or bypassing controls. I just want to hide from my ISP.

        1. Chris Parsons

          Re: I'm torn

          Agreed. We no longer live in a free society and our governments are not to be trusted.

        2. Anonymous Coward Silver badge
          Boffin

          Re: I'm torn

          Using a commercial VPN service might hide you from one ISP, but it exposes you to TWO different ISPs (the VPN provider and their internet provider).

          OK, you might have specific reasons for wanting to hide your traffic from your local ISP, but make sure you are aware of the caveats.

    2. Jon Blund

      Re: I'm torn

      Avira Phantom is pretty good. You can choose which country you want to pop up in. Once in a while the traffic can get a bit spotty but mostly it works with no problem.

    3. Anonymous Coward
      Anonymous Coward

      Re: I'm torn

      At least you aren't the next part of the song...lying naked on the floor. That's the current NordVPN subscribers.

    4. Anonymous Coward
      Anonymous Coward

      Re: I'm torn

      I went with 'cyberghost' - not happy - no incoming connections allowed, and they switched off ip6 without warning (for an "upgrade" that didn't happen for at least the 4 weeks after that I was with them before I jumped ship.)

      I'm now with "airvpn" - less exit nodes than many of the others, but still plenty.

      They also position themselves as being passionate about their system - rather than simply a commercial operation - something I obviously took with a pinch of salt initially, but has since shown to appear accurate.

      They also fund other open-source privacy products https://airvpn.org/mission/

      Incoming ports and Ip6 are supported. (though the ip6 is NATted which some software may have issues with)

  3. Jason Hindle

    One of the weaker commercial VPNs - they need to improve

    Nord didn’t work at all during a holiday to China. Admittedly, the first week (Golden Week holiday) was a little sensitive, but Express VPN recovered quickly enough for the following week.

  4. cantankerous swineherd

    sacked them a while ago, the app only worked on 1 out of 2 phones, wouldn't work on windows 10 or zorin.

    firefox doh does all I need at the moment at least.

    1. JohnFen

      "firefox doh does all I need at the moment at least"

      Are you sure? Your entire use of the internet is through your browser?

  5. Anonymous Coward
    IT Angle

    Just out of curiousity....

    Does anyone have any suggestions for good consumer VPN services? I have kicked around getting one for awhile, and I had considered Nord VPN, but got turned off after this latest security breach.

    So does anyone have some suggestions for a good consumer VPN, just to protect household-level browsing?

    1. Velv
      Boffin

      Re: Just out of curiousity....

      I've replied to a previous comment that adding a VPN might not be what you need. Protecting household-level browsing might introduce snooping in other places and make your browsing both slower and less secure.

      For what its worth I use VyprVPN and haven't had any problems. I use it to place my "Internet" connection in other countries so I can access local content such as news sites (many US news sites block European access). I don't have it turned on for general browsing.

      Unless the VPN provider has terminations inside the network of where you're browsing to then the traffic will still flow across the open Internet somewhere, and given the way spooks work, they're more likely to try and capture traffic exiting VPN concentrators than the general traffic from home users modem.

      I know there will be some people who disagree with the above, people who think there is benefit in encrypting everything over a VPN as well as https and other secured connections. They are entitled to their opinion, and there are people and countries where a VPN is required.

      1. Baldrickk

        Re: Just out of curiousity....

        I'll note that if you want to use public wifi, then a VPN is recommended.

        I set up my own personal one back to my home network that I use for this, so my browsing on wifi out of the house may as well be on my home network, but the key point is that I'm protected from traffic on the public wifi from being snooped on.

        1. JohnFen

          Re: Just out of curiousity....

          "I'll note that if you want to use public wifi, then a VPN is recommended"

          I think that's understating things a bit. I'd say it's highly advised, if not mandatory. And not just for open WiFi APs, but also for cell system data connections and password-protected WiFi APs that are run by businesses (hotels, etc.)

    2. Aristotles slow and dimwitted horse

      Re: Just out of curiousity....

      I do a lot of freelance work from home, and I've used AirVPN for the last 3 years as a SOHO solution and have had no issues with them. I have it configured as a service on my office router so everything on the network behind it benefits from it - whether it needs to or not.

      They are not the biggest, fastest or "noisiest" in terms of advertising. But the fact that it was set up by a group of European journalists to protect their own communications in the face of ever intrusive surveillance tells me they are in it for the right reasons.

      Whatever you do though, don't use or sign up to a free VPN service - they have to make their money somehow, so have a guess how they do it? Also, I'd advise against using any browsers that claim to have a built in VPN such as Opera - as they are not a true VPNs as I understand them to be.

      Best of luck.

      1. Anonymous Coward
        Anonymous Coward

        Re: Just out of curiousity....

        +1 for airvpn, as I posted in a reply above.

      2. katrinab Silver badge

        Re: Just out of curiousity....

        If you want to access torrent sites that are blocked by your ISP. Opera is fine. Use another browser for everything else though.

    3. Anonymous Coward
      Anonymous Coward

      Re: Just out of curiousity....

      Proton seems to be pretty good. They have a very active support community too.

    4. silent_count

      Re: Just out of curiousity....

      Hi Marketing Hack,

      If it's any help, I use AirVPN at work and NordVPN at home and haven't had issues with either.

      I intend to stay with NordVPN for home use on the basis that they know they're one major screw-up away from not having a business. This gives them a great incentive to get their house in order, which it appears they're trying to do.

      If you'd like a comparison list

      https://torrentfreak.com/which-vpn-services-keep-you-anonymous-in-2019/

    5. Adair Silver badge

      Re: Just out of curiousity....

      I also use Nord at home, and on mobile occasionally. No real issues on either; I'm certainly not going to stop using their service, not on account of this snafu anyway.

      1. MrReynolds2U

        Re: Just out of curiousity....

        This is not a SNUFU!

        Their core businesss is supposed to be protecting your internet traffic and they can't protect their own network. Given the list of screw-ups, I would be walking away... but I'd also be getting refunds as their service is not fit for purpose.

    6. katrinab Silver badge

      Re: Just out of curiousity....

      Depends what you want a VPN service for.

      If it is for security, just remember that all a VPN service does is increase the attack surface.

      If it is to access geo-locked content, which is about the only real use case for a public VPN service, does security matter that much?

      1. Anonymous Coward
        Anonymous Coward

        Re: Just out of curiousity....

        Used PIA (private internet access) for a few years

        Their windows app was faulty, it often stuck at 100% CPU, however they did support openvpn.

        Dropped them when BBC started to block it and the refused to do anything

        Now using PureVPN, app is slightly annoying that it has separate modes for privacy,filesharing,streaming etc - not clear why.

        But it does still work with BBC iplayer

        1. MrReynolds2U

          Re: Just out of curiousity....

          FYI: you can use PureVPN with built-in VPN software on phones and computers. You don't need to use their APP.

    7. Hol314

      Re: Just out of curiousity....

      "That One Privacy Guy" who's behind "That One Privacy Site" seems legit. As he points out, most sites reviewing VPNs also publish VPN adverts, which you may think is a bit of a problem, whereas his site has no ads whatsoever - he's not opposed to donations if some of his readers are so inclined....

      Also his reviews of VPNs are pretty comprehensive, if not always very up to date.

      I went with his top choice "Mullvad" and I'm fairly happy with it, though it does not fool the BBC.

  6. Anonymous Coward
    Anonymous Coward

    Our "almost secure" product sounds just right for you

    Sign up today.

    Send US$59.99 via the post today!

    1. MrReynolds2U

      Re: Our "almost secure" product sounds just right for you

      nah, send us your credit card details written in invisible ink

  7. Anonymous Coward
    Anonymous Coward

    Pentests, audits, and RAM-only servers part of lockdown plan

    what they propose indicates due diligence and all the bullshit spilled over the internets in recent years has been just that - bullshit, i.e. none. But hey, millions of positive reviews can not be wrong ;)

    If I were sensible, I would want to ask why I should believe that the latest whitewashing campaign should be for real? But then, they needn't worry, it's going to be more than sufficient to convince millions of suckers around the world to continue using their "service". Not only because it's a one-click operation, but also, because it's got six star ratings (out of five) on "independent industry sites" for its "stellar proactive anti-probing shield approach", etc., etc.

    1. Halfmad

      Re: Pentests, audits, and RAM-only servers part of lockdown plan

      It also highlights that due diligence wasn't being done prior to this.

  8. Peter Prof Fox

    Was broken. Is dishonest

    Right, so the object of a VPN is that middle P.

    Like the insulation on electric wires that's what the P is.

    Except the insulation wasn't insulating.

    (Let's forget the how it happened: Let's look at what happened next.)

    So when the cock-up that shouldn't have happened who did anything?

    Nobody at Nord. Their dedicated sales team kept on pushing their product.

    Now we have a PR offensive (Who guessed? Nord is the Richard Branson/Elon Musk of VPNs.)

    Reputation? Register readers will eschew Nord but the great unwashed will carry on.

  9. mr-slappy

    Raspberry Pi VPN

    A few years ago I set up a VPN server on a Raspberry Pi, using OpenVPN. The instructions I used were here: https://www.bbc.co.uk/news/technology-33548728 (although I'd go for something more recent now as it relies on a now-deprecated version of OpenVPN). I can access it from my iPhone and MacBook when I'm out and about.

    It was quite complicated and it took me a while to get it working, but all the better for that! I mainly did it to learn about how VPNs work. However it comes in handy when I'm abroad and want to watch something on the BBC (for which I have paid a licence fee of course). I also use it when I'm signed on to a public wifi network (mainly to feel a little smug rather than to protect myself against crims).

  10. carl0s

    I'm not even sure it's right to call them virtual private networks. There's not much private about these public tunnel services that use VPN protocols. Perhaps they should just be renamed as tunnel services.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like