NordVPN terminated its contract with a Finnish data center provider following a breach last year.
After the breach was revealed in a nasty Twitter fight on October 20, the company has only now publicly admitted that it was the victim of an attack.
NordVPN boasted: "No hacker can steal your life online. (If you use VPN)."
In response, the hacker group KekSec revealed that another group had broken into NordVPN and attached links as evidence.
NordVPN has since deleted its tweets, and the company says it had known about the hack for months but had not released the information.
A spokesman said in a statement on the company's website: "We did not disclose the exploit immediately because we had to ensure that none of our infrastructure could be prone to similar problems.
"This could not be done quickly due to the large number of servers & the complexity of our infrastructure."
Blame Game
The data center provider that operates the allegedly compromised facility is Finland's Oy Creanova Hosting Solutions Ltd, reports Bloomberg.
The hackers exploited a poorly protected remote management system built into an unidentified server in Creanova's data center in Helsinki. The attack occurred in March, and an expired private key (TLS key) was taken.
Because the TLS key has been stolen, there is a fear that it may be used to create spoofed NordVPN servers and collect personal information from incoming traffic.
Nord blames Creanova for sloppy security and says it was unaware of accounts linked to the remote management system, but the data center provider says Nord is just trying to shift responsibility.
NordVPN claims that Creanova noticed the activity but did not inform Nord. Instead, its own technicians discovered an open account and unauthorized use of its server "a few months ago", which led to an audit of the company's entire network of thousands of servers.
DCD contacted Creanova for further comment, but the company had not responded at the time of publication.
The company's Terms and Conditions page states: "Oy Crea Nova Hosting Solutions LTD cannot maintain the server if the client has exclusive administrator rights. Therefore, the client will have sole responsibility for the content and security of the server. The client assumes the obligation to configure and maintain your servers so that the security, integrity, and availability of networks, other servers, as well as third party software and data from Oy Crea Nova Hosting Solutions LTD, are not endangered.
"It is your obligation to install security software, regularly obtain information about known security holes, and close known security holes. If Oy Crea Nova Hosting Solutions LTD provides security or maintenance programs, this will not relieve you of your obligation."
Lesson Learned?
NordVPN has 12 million users worldwide, but the company estimates that only 50 to 200 clients used the breached server.
The company says it is not underestimating the security threat.
In the statement, the company said it had learned some hard lessons: "Although only 1 of the more than 3,000 servers we had at the time was affected, we are not trying to undermine the severity of the problem.
"We failed to hire an untrusted server provider and we should have done better to ensure the security of our clients.
"We are taking all the necessary means to improve our security."
This includes a security audit and an independent external audit of its infrastructure next year.