NordVPN to overhaul security after breach
VPN provider NordVPN has revealed plans to implement new security measures following an attack in early 2018 involving hackers stealing an expired TLS certificate key to access a NordVPN server.
As detailed by the company, the breach involved attackers exploiting a vulnerability in a third-party data centre's server in Finland that was being used by the company.
The breach appears to have first taken place on 5 March 2018, and was restricted when the compromised secure management account being used by the attackers was deleted on 20 March. But NordVPN was unaware of the breach until April this year, at which point NordVPN shredded the server.
According to the company, no user credentials were affected, and there are no signs that the intruder attempted to monitor user traffic in any way.
The purloined TLS keys cannot be used to decrypt any encrypted NordVPN traffic, but could in extraordinary circumstances be used to attack a single user with a targeted and highly sophisticated man-in-the-middle attack, NordVPN said.
Because two other VPN providers were also affected by the breach, the company does not believe the incident was a targeted attack on NordVPN.
The company has announced a five-point plan to beef up its security and improve its ability to detect and respond to attacks.
First, the company has partnered with US cybersecurity consultancy VerSprite and is assembling a committee of cybersecurity experts to oversee the transformation.
VerSprite will also work with NordVPN's in-house team of penetration testers to conduct testing, intrusion handling, vendor risk assessment and source code analysis.
Second, NordVPN will introduce a bug bounty program over the next two weeks. Third, the company plans to commission a full-scale third-party independent security audit next year. The audit will cover infrastructure hardware, VPN software, backend architecture and source code, and internal procedures.
Fourth, the company plans to lift its vendor security assessment standards, and to build a network of co-located servers owned exclusively by NordVPN.
Finally, the company plans to eventually upgrade its entire infrastructure to diskless RAM servers, allowing the company to create an environment where nothing is stored locally, not even the servers' operating systems.