New on LowEndTalk? Please Register and read our Community Rules.
Comments
Hello, may I ask a question? In a tweet, they used a leaked cert file for the nordvpn.com domain as a PoC. How were they able to spoof that domain with the leaked cert file when they don't own the domain name?
Thanks!
See a FAQ here.
For me it is, first of all, not a hack; in the article they wrote about one datacenter in Finland and one server which was active for one month.
So no userdata breach, no database exposed, no hack at a company.
But it is interesting now to know how they run their infrastructure. I used them for 6 months (free :P) and was really pissed about their huge server farm but extremely poor performance on most of the servers; now it all makes much more sense if they are just using one dedi with multiple IPs and containers. Clever, but it is fraud in my opinion.
FastestVPN has just one visible server for each location (but a smart load balancer) and worked much more consistently for me; only the connection takes a long time to establish, but then it can run for days.
A different small and very fine one is SecureVPN
https://www.securevpn.to
They just know what they are doing and it is really secure, also with SOCKS on most locations.
No wonder so many NordVPN sales on the /r/redditbay market...
I'm talking about this tweet, where he simulated/spoofed a domain to look like nordvpn.com and installed the leaked cert and key.
That was a simulation of what a "man in the middle" attack would look like.
Oh, so to do that, the attacker needs to have local access to set up a local domain like that, involving the hosts file...
But shouldn't there be some sort of fail-safe against this trick, like OCSP or a CRL, to know that the local domain is fake?
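As an added, constructed example (not from any poster here, and not NordVPN's own tooling) of the fail-safe asked about above: this Go program uses only the standard library to build a throwaway CA and server certificate for a hypothetical host, has the CA publish a CRL for a leaked key's serial, and shows the client-side check that makes a leaked cert and key useless to an impostor, provided the client actually performs it. The names BuildPKI, IssueCRL, IsRevoked and vpn.example.test are assumptions.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)
var now = time.Now()
// BuildPKI is a constructed in-memory CA plus one server cert for a hypothetical host name
// (not NordVPN's material). Stdlib errors are ignored because every input is a fixed demo value.
func BuildPKI() (ca *x509.Certificate, caKey *ecdsa.PrivateKey, leaf *x509.Certificate) {
	caKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caT, caT, &caKey.PublicKey, caKey)
	ca, _ = x509.ParseCertificate(caDER) // the parsed copy carries the generated SubjectKeyId
	leafT := &x509.Certificate{SerialNumber: big.NewInt(4242), DNSNames: []string{"vpn.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafT, ca, &leafKey.PublicKey, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	return
}
// IssueCRL is the CA side: once a key is known to be leaked, its serial goes onto a CA-signed CRL.
func IssueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial *big.Int) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: serial, RevocationTime: now}}}
	der, _ := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	return der
}
// IsRevoked is the client side: only a fresh, CA-signed CRL counts; "no usable CRL" must never read as "not revoked".
func IsRevoked(leaf, ca *x509.Certificate, crlDER []byte) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(ca) != nil || now.After(crl.NextUpdate) {
		return false, errors.New("no usable CRL (unparsable, untrusted signer, or stale): no verdict")
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
func main() { ca, k, leaf := BuildPKI(); fmt.Println(IsRevoked(leaf, ca, IssueCRL(ca, k, leaf.SerialNumber))) } // true <nil>
```

OCSP serves the same purpose with a per-certificate query instead of a downloaded list; the client-side rule is the same, an unverifiable or missing answer is not a "not revoked".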
Nice blog on the NordVPN site: The most common types of hacking on the Internet
Damn, if they're a reliable company, give us 1 year free at least
In simple words: It makes no sense to fake being a NordVPN server when you already have access to a real one. But: any VPN server is an ideal MITM point against the users traffic.
Which leads me to my final point: I do not think that some particularly smart and diligent security researcher has uncovered this case. It's much more likely that the attacker himself had used that node long enough for his games and gave it up himself, possibly by passing some info towards the security research community.
So the bad news is that the bad guy is already done with that node after doing his thing. Whatever harm they had in mind was already done. The good news is that he/she/they are highly likely not from a western agency (NSA, etc.) and saw fit to drop the dead body on a security researcher's doorstep to be "discovered".
Well, their customers even got much more than 1 year ... to finally learn about the grave f_ckup.
Well, I'm a customer and didn't get a single day more
Actually reading what has been written might be helpful. You should try it.
I mean, the server that got pwnt was literally a VPN server. You don't get more "user data" than that. The data that's been compromised by that is far more harmful than any customer database is ever going to be; it's literally a dump of people's network traffic.
Didn't the data center delete the evidence of the management tool, and NordVPN only knew about it for only 2 months? Also, as the hacker/hackers had access to one server, and NordVPN changes the connection through servers every 5 minutes I think, so if they could, they just saw 5 minutes of traffic; really shitty but still not THAT bad.
Honestly, I thought about asking for a refund, but as they are moving to RAM, with the addition of the bug bounty program, I'm gonna give them a chance..
Just to be clear, I am a NordVPN user, but only for a year, so the hack does not affect me
"Third-party vendor did it!" excuse is so 2005. Also, lol @ renting underlying hardware for core security infrastructure.
No, that makes sense and is in fact the basis for VPN prices normal people can pay.
Explanation: what do they gain by having their own hardware there? Somewhere between nothing and hardly anything. The decisive fact doesn't change: the hot point is who has physical access to the system.
BUT: a good VPN provider will check both the DC and the server they rent, incl. IPMI, both of which NordVPN obviously did not do.
A really serious VPN provider might even send one of their own people to the DC.
There is a world of difference between a DC jacking up hardware THEY own and hardware YOU own, without permission.
Somebody would be shopping around for a criminal lawyer right about now if those boxes were owned by NordVPN and were accessed by DC personnel, without a support ticket, to expose IPMI to public.
There's also a world of difference between buying/financing thousands of servers, shipping them to the DC and setting them up, and simply using a readily available dedi.
Plus: you usually get one (1) network link/cable for a dedi, and even if you get A+B, those are for payload. Most/many servers, however, need a dedicated port connected for the BMC. With a rented dedi you get the whole thing ready to go.
To expect that the DC protected IPMI access reasonably was OK. To blindly trust it was done properly however was not.
Not if you do it right. I seriously doubt that they were leasing $50K dedi for $200/mo.
I agree with you: it is reasonable to assume that the DC team had more than two brain cells firing on one cylinder. And without the right access you can't even audit the IPMI configuration on a dedi.
But that's the risk/liability you assume when you lease equipment. And in a race to the bottom(line), sometimes you get what you pay for.