NordVPN to overhaul security after breach


By Dylan Bushell-Embling
Monday, 04 November, 2019


VPN provider NordVPN has revealed plans to implement new security measures following an attack in early 2018 involving hackers stealing an expired TLS certificate key to access a NordVPN server.

As detailed by the company, the breach involved attackers exploiting a vulnerability in a third-party data centre's server in Finland that was being used by the company.

The breach appears to have first taken place on 5 March 2018, and was restricted when the compromised secure management account being used by the attackers was deleted on 20 March. But NordVPN was unaware of the breach until April this year, at which point NordVPN shredded the server.

According to the company, no user credentials were affected, and there are no signs that the intruder attempted to monitor user traffic in any way.

The purloined TLS keys cannot be used to decrypt any encrypted NordVPN traffic, but could in extraordinary circumstances be used to attack a single user with a targeted and highly sophisticated man-in-the-middle attack, NordVPN said.

Because two other VPN providers were also affected by the breach, the company does not believe the incident was a targeted attack on NordVPN.

The company has announced a five-point plan to beef up its security and improve its ability to detect and respond to attacks.

First, the company has partnered with US cybersecurity consultancy VerSprite and is assembling a committee of cybersecurity experts to oversee the transformation.

VerSprite will also work with NordVPN's in-house team of penetration testers to conduct testing, intrusion handling, vendor risk assessment and source code analysis.

Second, NordVPN will, over the next two weeks, introduce a bug bounty program, and third, the company plans to commission a full-scale third-party independent security audit next year. The audit will cover infrastructure hardware, VPN software, backend architecture and source code, and internal procedures.

Fourth, the company plans to lift its vendor security assessment standards, and to build a network of co-located servers owned exclusively by NordVPN.

Finally, the company plans to eventually upgrade its entire infrastructure to diskless RAM servers, allowing the company to create an environment where nothing is stored locally, not even the servers' operating systems.


All content Copyright © 2020 Westwick-Farrow Pty Ltd