Without exception, all of the plain-text passwords in the lists are weak. In some cases, they're the string of characters to the left of the @ sign in the email address. In other cases, they're words found in most dictionaries. Others appear to be surnames, sometimes with two or three numbers tacked onto the end. These common traits mean that the most likely way these passwords became public is through credential stuffing. That's the term for attacks that take credentials divulged in one leak to break into other accounts that use the same username and password. Attackers typically use automated scripts to carry out these attacks.

It's important for readers to know these lists don't signal a breach on any NordVPN servers. The lists also don't indicate that the breach disclosed 11 days ago was worse than the company said it was. Rather, these lists are the result of mistakes both on the part of users and NordVPN. For users, the error is choosing easy-to-guess passwords and using them on multiple sites. Security practitioners almost universally recommend people choose a long, random password that is unique for every account.

I'd argue that NordVPN shares the bulk of responsibility for the high incidence of compromised accounts on its site. Many services such as Google and Facebook proactively sift through credential lists available on both public sites and the Dark Web. When the sites find credentials that match those of their users, the sites notify the users and require a password reset. The sites increasingly are not allowing users to choose weak passwords in the first place, or credentials that have been exposed in online dumps in the past.

NordVPN can take other measures to prevent malicious parties from logging in with users' poorly chosen passwords. Chief among them would be rate limiting and algorithms that detect and block unauthorized logins: a stuffing run is a single source trying many different usernames at machine speed with a low success rate, which looks nothing like a legitimate user mistyping their own password. It's hard to understand why NordVPN, a company that's in the business of providing security to users, is allowing so many of its users to fall victim to these attacks.

In an email sent after this post went live, a NordVPN representative wrote:

> Our security team is proactively scanning credential lists available on both public sites and the Dark Web, and, from time to time, we are trying to urge our clients to change their credentials, especially passwords. And then we are always trying to educate our customers through our social media channels, blog, and client newsletters that they must keep their passwords unique and strong.
>
> Credential stuffing is a growing problem not only for us but for almost every other digital service and website. We are working at the moment on two other measures: two-factor authentication (2FA) and a smart bot-detection system to enhance rate limiting.
>
> If you look into marketplaces on the dark web or even more shady forums on the public web, you'll find hundreds of different accounts for streaming, music, games, health apps, and services sold illegally. All those accounts are acquired through credential stuffing.

Readers who are NordVPN users should visit Have I Been Pwned and check to see if their email address is contained in any of the lists. If it is, they should change their passwords immediately. For most people, it's too hard a task to keep track of scores of strong passwords, but that's where password managers come in. This protection is especially important since NordVPN doesn't seem to be doing enough to stop these attacks from happening.

NordVPN, one of the most prominent and respected consumer VPN providers, has confirmed that one of its servers was accessed without authorisation. The story broke after NordVPN posted a rather impulsive and foolhardy statement on Twitter. Rather than taking it as a statement of fact, the twitterverse saw this as a challenge, and it wasn't long before a group calling itself KekSec revealed that hackers had accessed a server and leaked Nord's OpenVPN configuration and associated private key as well as TLS certificates. NordVPN has now acknowledged the breach, stating that an attacker gained access to a rented server in Finland by exploiting an insecure remote management system left by the datacenter provider.

In March 2018, TLS certificates belonging to NordVPN, VikingVPN, and TorGuard web servers were posted on 8chan. These certificates have now expired but were current at the time of posting. Despite NordVPN's efforts to downplay the breach, the publication proves that at least one NordVPN server was compromised at some point in the past. A certificate by itself is public; the damage comes from the private keys leaked alongside it. Whoever obtained them must have had read access to key material on the affected servers' web container, which in practice means root or the web server's own service account, and would therefore have been in a position to impersonate those servers for as long as the certificates remained valid, decrypting or tampering with data passing through them. A stolen key does not, on its own, unlock previously captured sessions that negotiated forward-secret cipher suites; the exposure is impersonation while the certificate is valid, plus whatever the attacker did with the host-level access the theft implies.
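The weak-password patterns described above (the local part of the email address, a dictionary word, a surname with a few digits tacked on) and the breach-list screening credited to Google and Facebook can both be enforced at the moment a password is set. The following is an added example, not NordVPN's code or any other provider's; the word lists and the breached-hash table are constructed for the demo and stand in for a real dictionary and a real dump corpus. The lookup splits the SHA-1 into a 5-hex-character prefix and a suffix, the same k-anonymity shape the Pwned Passwords range API uses, so a deployment could replace the local table with that service without the caller changing.

```python
"""Password-acceptance checks modelled on the weak patterns described above.

Added example, not NordVPN's code. DICTIONARY_WORDS, SURNAMES and the breached
hash table are constructed stand-ins (assumption) for a real word list and a
real corpus such as the Pwned Passwords range API.
"""
import hashlib
import re

# Constructed stand-ins for a dictionary and a surname list (assumption).
DICTIONARY_WORDS = {"password", "welcome", "sunshine", "dragon", "monkey"}
SURNAMES = {"smith", "jones", "garcia", "miller", "nguyen"}
MIN_LENGTH = 12


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest the Pwned Passwords range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Breached-password table keyed by the first 5 hex chars of the SHA-1, holding
# {suffix: count}: the same shape a k-anonymity range query returns, so the
# full hash never has to leave the client. Contents are constructed (assumption).
BREACHED_RANGES: dict = {}
for _pw, _count in (("qwerty123", 3912), ("letmein", 12875), ("smith42", 17)):
    _h = sha1_hex(_pw)
    BREACHED_RANGES.setdefault(_h[:5], {})[_h[5:]] = _count


def breached_count(password: str) -> int:
    """Number of times the password appears in the (constructed) dump corpus."""
    h = sha1_hex(password)
    return BREACHED_RANGES.get(h[:5], {}).get(h[5:], 0)


def reject_reasons(email: str, password: str) -> list:
    """Return the reasons a password should be refused; an empty list means accept."""
    reasons = []
    pw = password.lower()
    local_part = email.split("@", 1)[0].lower()
    # Pattern 1: the part of the email address to the left of the @ sign.
    if pw == local_part or (len(local_part) >= 4 and local_part in pw):
        reasons.append("matches the local part of the email address")
    # Patterns 2 and 3: a bare word, or a word with up to three digits tacked on.
    m = re.fullmatch(r"([a-z]+)(\d{0,3})", pw)
    if m and m.group(1) in DICTIONARY_WORDS:
        reasons.append("is a dictionary word, possibly with trailing digits")
    if m and m.group(1) in SURNAMES:
        reasons.append("is a surname with up to three trailing digits")
    if len(password) < MIN_LENGTH:
        reasons.append(f"is shorter than {MIN_LENGTH} characters")
    # Pattern 4: already exposed in a credential dump, whatever it looks like.
    n = breached_count(password)
    if n:
        reasons.append(f"appears {n} times in known credential dumps")
    return reasons
```

The breach check is deliberately last and independent of the pattern checks: a password can pass every heuristic and still be in a dump, and that is the case credential stuffing actually exploits.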
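Rate limiting and detection of unauthorised logins, the countermeasures named above, both rest on the same signal: one source address cycling through many different usernames with a low success ratio in a short window. Below is an added example of that detection logic over login events, not NordVPN's code; the log line format, the thresholds and the sample events are all constructed for the demo. Accounts that authenticated successfully from a flagged source are the ones whose reused credential matched, which is exactly the set that should be forced to reset.

```python
"""Credential-stuffing detection over a stream of login events.

Added example, not NordVPN's code. The log format, the thresholds and
SAMPLE_LOG are constructed for the demo (assumption).
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed log format (assumption): "<unix ts> ip=<addr> user=<name> result=ok|fail".
LOG_RE = re.compile(
    r"^(?P<ts>\d+) ip=(?P<ip>[\d.]+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


@dataclass
class Attempt:
    ts: int
    ip: str
    user: str
    ok: bool


def parse(lines) -> list:
    """Parse log lines into Attempt records, skipping anything malformed."""
    out = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            out.append(Attempt(int(m["ts"]), m["ip"], m["user"], m["result"] == "ok"))
    return out


def stuffing_sources(attempts, window=60, min_attempts=10, min_users=8, max_success=0.2) -> dict:
    """Flag source IPs whose attempts within any sliding `window` seconds cover at
    least `min_users` distinct accounts with a success ratio of at most `max_success`.
    Returns {ip: (attempts_in_window, distinct_users, success_ratio)} for the widest
    window that tripped the rule. A single user retrying their own password never
    meets the distinct-user test, so they are not flagged however often they fail."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda a: a.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {a.user for a in win}
            ratio = sum(a.ok for a in win) / len(win)
            if len(win) >= min_attempts and len(users) >= min_users and ratio <= max_success:
                if ip not in flagged or len(win) > flagged[ip][0]:
                    flagged[ip] = (len(win), len(users), ratio)
    return flagged


def compromised_accounts(attempts, flagged) -> list:
    """Accounts that authenticated successfully from a flagged source: the guessed
    credential matched, so these users need a forced password reset."""
    return sorted({a.user for a in attempts if a.ok and a.ip in flagged})


# Constructed sample: one user mistypes twice and then logs in, while one source
# walks through twelve different accounts in 22 seconds and gets two of them right.
SAMPLE_LOG = [
    "1000 ip=198.51.100.4 user=alice@example.com result=fail",
    "1005 ip=198.51.100.4 user=alice@example.com result=fail",
    "1012 ip=198.51.100.4 user=alice@example.com result=ok",
] + [
    f"{1100 + i * 2} ip=203.0.113.7 user=user{i:02d}@example.com "
    f"result={'ok' if i in (3, 9) else 'fail'}"
    for i in range(12)
]

if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    hits = stuffing_sources(events)
    print("stuffing sources:", hits)
    print("accounts to force-reset:", compromised_accounts(events, hits))
```

The per-IP view is the simplest cut; a real deployment also keys on the same signal per /24, per ASN and per user-agent, because stuffing tools rotate source addresses through proxy pools, and it feeds the flagged set into the rate limiter as a block or a step-up challenge rather than only an alert.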