NordVPN Breach: How Secure are VPNs?
I think the reason that we see people making a big deal out of it and why we've seen it hit the press like it has, is because of what these VPN providers represent. The breach itself was pretty minor. I mean, it's not that big a deal. It's probably the least interesting one I've ever read.
Somebody left remote access to the data center, somebody got access to the data center, and they were able to compromise a single server out of thousands that Nord VPN operates. And for those users that depend on that for their - you know to remain anonymous, to get around nation-states that are trying to shut them up and for making sure that I can stream my favorite TV shows by looking like I'm coming from the US - it's important for somebody.
But the trust that's put into those VPN providers is a big deal, and I think that's why it's important. I think they're taking good steps, and I think they've been transparent. I know from my respect this wouldn't scare me away from Nord VPN, in fact, it probably does the opposite. A little scare is probably good, helps them think of this differently. They obviously understand their importance and their role that they're playing and they're taking some good steps to counteract this. I think the key piece is that - how does this affect people's confidence in VPN service as opposed to how much of - technically, you know technically and from a business - and its business impact.
. They're on two different scales. Technical, on the technical merit, it's a minor incident. Given. But on - in terms of its publicity, it does undermine people's confidence. So just reading a quick article on PC Mag, they say we are rating - they had chosen to rate NordVPN up there as a five-star VPN service? Now they have lowered it to four-star. Security becomes a competitive advantage at some point, especially when you're in this VPN business. The better security, the better anonymity that you can offer to your users.
That's a competitive advantage, and I think they'll take - the others will follow suit or they will lose business. There is an independent estimated number of users who may have been affected is up to 200. Right. NordVPN's policy is, they keep zero records, so no audits. That's the key, unique selling point. But I agree with Ash, one of the things is that trusted provider you're already going to the lengths of saying, "Hey, we're not we're not - we're not gonna collect logs, we're not going to," or you know, "We're going to not perform audits of what you're looking at" and all those things which are really cool, but they should take them to the next step and say, "You know what?
How Secure are VPNs?
Even expired private keys and things like that you know, it's probably worth investing in HSMs to protect those keys on hardware so that nobody can ever extract them, its impossible." I'll put it this way, I'm not scared away from Nord VPN - in fact, reading the response and understanding their transparency through this whole thing, I would probably be more likely to use the following this incident than less likely. Yeah, I think it comes across as a more responsible provider. Yeah, I think the impact of this was actually pretty low.
Which is fortunate for them, right? Because some of these things can have a major impact and can destroy your business. They got fortunate because the impact was low, they're trying to let people know, "hey the impact of this was low;" basically was no - no user data was compromised, no traffic was compromised. They had other security practices in place that - that data wasn't being stored, logs weren't being stored on there. They had other mitigating factors in place that prevented a worse outcome.
But they also recognize that "hey this - it's still not good enough, and we're going to take additional steps now to make sure something like this doesn't happen again." These steps won't make them a hundred percent secure, and the ten steps that come after the next one won't make them a hundred - I mean, at the end of the day it's an arms race for security, and at some point, if you have a service that's available on the internet and it's open to the internet, eventually it's gonna get attacked and it could be compromised and it could be because of something completely out of your control like a data center that leaves the door unlocked or it could be because of upstream libraries.
None of these companies are writing every bit of code themselves in-house, they're all relying on other libraries that come from upstream and any compromise in any of those could result. So it's all about mitigating factors. How much risk can you mitigate and a good, you know I think this is a good example that they had already had steps in place to mitigate a lot of that risk because they're not storing user data the way that they're routing VPN traffic. Even though this compromise was there, it didn't expose any of those. It didn't expose usernames and passwords, so I think that's a good thing.
And you know, in this specific case like Justin said, they were very lucky because the data center provider - the least provider, actually - realized the breach and they fixed it on their end by deleting the vulnerable account, within two weeks. So you know, let's say they were lucky. But they didn't tell their customers fora year. [Laughs] And It probably just came up in a meeting. It's like "oh yeah, remember that?" "By the way..." Everybody's like, "shut up, shut up shut up." [Laughs] "We're not telling people about that!" Oops. Someone had already spilled the beans. It's crazy that this happens in the way it did, but absolutely, there are multiple attack vectors so absolutely spot-on, Justin
They've been lucky, but there was a good defense in that some of the practices already being followed by this provider worked in their favor because they didn't store any of the user information. Yeah, at the end of the day, at the end of the day, crap happens. We put these computers on networks and they're gonna be targeted, they're gonna be hacked. Some of its just opportunity and some of it's not. I think the better measure is how a company is responding to those and being transparent with it, and it seems like they've done a good job.
For more information about Nord VPN check out this article CLICK HERE
Do you want to know about Surfshark VPN Check out this article CLICK HERE
If you want to know about CyberGhost VPN Check out this article CLICK HERE
If you want to know about Express VPN Check out this article CLICK HERE
If you want to Double up internet speed then check out this article CLICK HERE
If you want to build your own VPN Check out this article CLICK HERE
No comments: