Breach happened 19 months ago. Popular VPN service is only disclosing it now.
Hackers breached a server used by popular virtual network provider NordVPN and stole encryption keys that could be used to mount decryption attacks on segments of its customer base.
A log of the commands used in the attack suggests that the hackers had root access, meaning they had almost unfettered control over the server and could read or modify just about any data stored on it. One of three private keys leaked was used to secure a digital certificate that provided HTTPS encryption for nordvpn.com. The key wasn’t set to expire until October 2018, some seven months after the March 2018 breach. Attackers could have used the compromised certificate to impersonate the nordvpn.com website or mount man-in-the-middle attacks on people visiting the real one. Details of the breach have been circulating online since at least May 2018.
Based on the command log, another of the leaked secret keys appeared to secure a private certificate authority that NordVPN used to issue digital certificates. Those certificates might be issued for other servers in NordVPN’s network or for a variety of other sensitive purposes. The name of the third certificate suggested it could also have been used for many different sensitive purposes, including securing the server that was compromised in the breach.
The revelations came as evidence surfaced suggesting that two rival VPN services, TorGuard and VikingVPN, also experienced breaches that leaked encryption keys. In a statement, TorGuard said a secret key for a transport layer security certificate for *.torguardvpnaccess.com was stolen. The theft happened in a 2017 server breach. The stolen data related to a squid proxy certificate.
TorGuard officials said on Twitter that the private key was not on the affected server and that attackers “could do nothing with those keys.” Monday’s statement went on to say TorGuard didn’t remove the compromised server until early 2018. TorGuard also said it learned of VPN breaches last May, “and in a related development we filed a legal complaint against NordVPN.”
VikingVPN officials have yet to comment.
One of those keys expired on December 31, 2018, and the other went to its grave on July 10 of the same year, a company spokeswoman told me. She didn’t say what the purpose of those keys was. A cryptography feature known as perfect forward secrecy ensured that attackers couldn’t decrypt traffic simply by capturing encrypted packets as they traveled over the Internet. The keys, however, could still have been used in active attacks, in which hackers use leaked keys on their own server to intercept and decrypt data.
It was unclear how long the attackers remained present on the server or if they were able to use their highly privileged access to commit other serious offenses. Security experts said the severity of the server compromise—coupled with the theft of the keys and the lack of details from NordVPN—raised serious concerns.
Here is some of what Dan Guido, who is the CEO of security firm Trail of Bits, told me:
Compromised master secrets, like those stolen from NordVPN, can be used to decrypt the window between key renegotiations and impersonate their service to others… I don’t care what was leaked as much as the access that would have been required to reach it. We don’t know what happened, what further access was gained, or what abuse may have occurred. There are many possibilities once you have access to these types of master secrets and root server access.
Insecure remote management
In a statement issued to reporters, NordVPN officials characterized the damage that was done in the attack as limited.
The server itself did not contain any user activity logs… None of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either. The exact configuration file found on the internet by security researchers ceased to exist on March 5, 2018. This was an isolated case, no other datacenter providers we use have been affected.
The breach was the result of hackers exploiting an insecure remote-management system that administrators of a Finland-based datacenter installed on a server NordVPN leased. The unnamed datacenter, the statement said, installed the vulnerable management system without ever disclosing it to NordVPN. NordVPN terminated its contract with the datacenter after the remote management system came to light a few months later.
NordVPN first disclosed the breach to reporters on Sunday following third-party reports like this one on Twitter. The statement said NordVPN officials didn’t disclose the breach to customers while it ensured the rest of its network wasn’t vulnerable to similar attacks.
The statement went on to refer to the TLS key as expired, even though it was valid for seven months following the breach. Company officials wrote:
The expired TLS key was taken at the same time the datacenter was exploited. However, the key couldn’t possibly have been used to decrypt the VPN traffic of any other server. On the same note, the only possible way to abuse the website traffic was by performing a personalized and complicated MiTM attack to intercept a single connection that tried to access nordvpn.com.
Not as hard as claimed
The suggestion that active man-in-the-middle attacks are complicated or impractical to carry out is problematic. Such attacks can be carried out on public networks or by employees of Internet services. They are precisely the type of attacks that VPNs are supposed to protect against.
“Intercepting TLS traffic isn’t as hard as they make it seem,” said a security consultant who uses the handle hexdefined and has spent the past 36 hours analyzing the data exposed in the breach. “There are tools to do it, and I was able to set up a Web server using their TLS key with two lines of configuration. The attacker would need to be able to intercept the victim’s traffic (e.g. on public Wi-Fi).”
Note also that the statement says only that the expired TLS key couldn’t have been used to decrypt VPN traffic of any other server. The statement makes no mention of the other two keys and what type of access they allowed. The compromise of a private certificate authority could be especially severe because it might allow the attackers to compromise multiple keys that are generated by the CA.
Putting all your eggs in one basket
VPNs put all of a computer’s Internet traffic into a single encrypted tunnel that’s only decrypted and sent to its final destination after it reaches one of the provider’s servers. That puts the VPN provider in the position of seeing huge amounts of its customers’ online habits and metadata, including server IP addresses, SNI information, and any traffic that isn’t encrypted.
The VPN provider has received recommendations and favorable reviews from CNET, TechRadar, and PCMag. But not everyone has been so sanguine. Kenneth White, a senior network engineer specializing in VPNs, has long listed NordVPN and TorGuard as two of the VPNs to reject because, among other things, they post pre-shared keys online.
Until more information is available, it’s hard to say precisely how people who use NordVPN should respond. At a minimum, users should press NordVPN to provide many more details about the breach and the keys and any other data that were leaked. Kenneth White, meanwhile, suggested people move off the service altogether.
“I have recommended against most consumer VPN services for years, including NordVPN,” he told me. “[The services’] incident response and attempted PR spin here has only enforced that opinion. They have recklessly put activists’ lives at risk in the process. They are downplaying the seriousness of an incident they didn’t even detect, in which attackers had unfettered admin LXC ‘god mode’ access. And they only notified customers when reporters reached out to them for comment.”
Apple head of security accused of offering iPads as bribes for concealed gun permits
A California grand jury has indicted Apple’s head of global security on charges that he tried to bribe Santa Clara County officials to procure firearms (CCW) licenses, according to a news release. Santa Clara district attorney Jeff Rosen alleges that Thomas Moyer offered 200 iPads — worth about $70,000 — to Capt. James Jensen and Undersheriff Rick Sung in the Santa Clara County sheriff’s office, in exchange for four concealed firearms licenses for Apple employees.
The charges came after a two-year investigation. “In the case of four CCW licenses withheld from Apple employees, Undersheriff Sung and Cpt. Jensen managed to extract from Thomas Moyer a promise that Apple would donate iPads to the Sheriff’s Office,” Rosen said in the news release. The iPads were never delivered, according to Rosen’s office, because Sung and Moyer became aware in 2019 that the district attorney was executing a search warrant for the sheriff department’s CCW records.
Moyer’s attorney, Ed Swanson, said in a statement emailed to The Verge that his client is innocent of the charges filed against him, adding he believed Moyer was “collateral damage” in a dispute between the Santa Clara sheriff and district attorneys’ offices. “He did nothing wrong and has acted with the highest integrity throughout his career,” Swanson said. “We have no doubt he will be acquitted at trial.”
“We expect all of our employees to conduct themselves with integrity,” an Apple spokesperson said in a statement to Ars Technica. “After learning of the allegations, we conducted a thorough internal investigation and found no wrongdoing.”
According to Bloomberg News, Moyer has been at Apple for about 15 years and has been its head of global security since November 2018. He wrote a memo in 2018 warning Apple employees about the potential consequences of leaking information to the media, which he wrote “can become part of your personal and professional identity forever.”
Be Very Sparing in Allowing Site Notifications
An increasing number of websites are asking visitors to approve “notifications,” browser modifications that periodically display messages on the user’s mobile or desktop device. In many cases these notifications are benign, but several dodgy firms are paying site owners to install their notification scripts and then selling that communications pathway to scammers and online hucksters.
When a website you visit asks permission to send notifications and you approve the request, the resulting messages that pop up appear outside of the browser. For example, on Microsoft Windows systems they typically show up in the bottom right corner of the screen — just above the system clock. These so-called “push notifications” rely on an Internet standard designed to work similarly across different operating systems and web browsers.
But many users may not fully grasp what they are consenting to when they approve notifications, or how to tell the difference between a notification sent by a website and one made to appear like an alert from the operating system or another program that’s already installed on the device.
This is evident from the apparent scale of the infrastructure behind a relatively new company based in Montenegro called PushWelcome, which advertises the ability for site owners to monetize traffic from their visitors. The company’s site currently is ranked by Alexa.com as among the top 2,000 sites in terms of Internet traffic globally.
Website publishers who sign up with PushWelcome are asked to include a small script on their page which prompts visitors to approve notifications. In many cases, the notification approval requests themselves are deceptive — disguised as prompts to click “OK” to view video material, or as “CAPTCHA” requests designed to distinguish automated bot traffic from real visitors.
Approving notifications from a site that uses PushWelcome allows any of the company’s advertising partners to display whatever messages they choose, whenever they wish to, and in real-time. And almost invariably, those messages include misleading notifications about security risks on the user’s system, prompts to install other software, ads for dating sites, erectile dysfunction medications, and dubious investment opportunities.
That’s according to a deep analysis of the PushWelcome network compiled by Indelible LLC, a cybersecurity firm based in Portland, Ore. Frank Angiolelli, vice president of security at Indelible, said rogue notifications can be abused for credential phishing, as well as foisting malware and other unwanted applications on users.
“This method is currently being used to deliver something akin to adware or click fraud type activity,” Angiolelli said. “The concerning aspect of this is that it is so very undetected by endpoint security programs, and there is a real risk this activity can be used for much more nefarious purposes.”
Angiolelli said the external Internet addresses, browser user agents and other telemetry tied to people who’ve accepted notifications are known to PushWelcome, which could give it the ability to target individual organizations and users with any number of fake system prompts.
Indelible also found browser modifications enabled by PushWelcome are poorly detected by antivirus and security products, although Angiolelli noted Malwarebytes reliably flags as dangerous publisher sites that are associated with the notifications.
Indeed, Malwarebytes’ Pieter Arntz warned about malicious browser push notifications in a January 2019 blog post. That post includes detailed instructions on how to tell which sites you’ve allowed to send notifications, and how to remove them.
KrebsOnSecurity installed PushWelcome’s notifications on a brand new Windows test machine, and found that very soon after, the system was peppered with alerts about malware threats supposedly found on the system. One notification was an ad for Norton antivirus; the other was for McAfee. Clicking either ultimately led to “buy now” pages at either Norton.com or McAfee.com.
It seems likely that PushWelcome and/or some of its advertisers are trying to generate commissions for referring customers to purchase antivirus products at these companies. McAfee has not yet responded to requests for comment. Norton issued the following statement:
“We do not believe this actor to be an affiliate of NortonLifeLock. We are continuing to investigate this matter. NortonLifeLock takes affiliate fraud and abuse seriously and monitors ongoing compliance. When an affiliate partner abuses its responsibilities and violates our agreements, we take necessary action to remove these affiliate partners from the program and swiftly terminate our relationships. Additionally, any potential commissions earned as a result of abuse are not paid. Furthermore, NortonLifeLock sends notification to all of our affiliate partner networks about the affiliate’s abuse to ensure the affiliate is not eligible to participate in any NortonLifeLock programs in the future.”
Requests for comment sent to PushWelcome via email were returned as undeliverable. Requests submitted through the contact form on the company’s website also failed to send.
While scammy notifications may not be the most urgent threat facing Internet users today, most people are probably unaware of how this communications pathway can be abused.
What’s more, dodgy notification networks could be used for less conspicuous and sneakier purposes, including spreading fake news and malware masquerading as update notices from the user’s operating system. I hope it’s clear that regardless of which browser, device or operating system you use, it’s a good idea to be judicious about which sites you allow to serve notifications.
If you’d like to prevent sites from ever presenting notification requests, check out this guide, which has instructions for disabling notification prompts in Chrome, Firefox and Safari. Doing this for any devices you manage on behalf of friends, colleagues or family members might end up saving everyone a lot of headache down the road.
How to Secure IoT Devices–Right Now
IoT devices are not going away any time soon. The estimates vary widely as to how many devices are currently in use, and how many devices will be deployed in the next few years, but the one thing that everybody seems to agree on is that IoT adoption is on the rise. The other thing people seem to agree on is that it is critical to secure IoT devices–using long-term and short-term strategies.
Early on, many IoT vendors rushed their products to market with seemingly no concern about security. Things seem to be getting better, but IoT’s reputation for being insecure has been firmly cemented. That makes IoT devices a big target, so it makes sense to consider what you can do–right now–to keep IoT devices secure.
1. Perform a password audit.
The very first thing I recommend doing to secure IoT devices is to perform a password audit against all of your IoT devices. While it is important to determine whether any of your devices are using weak passwords, it is far more important to test for default password use. Remember, nearly every device manufacturer posts its manuals online, and these manuals almost always list the default password for the device. Anyone can get access to this information, and default passwords are often a starting point for those who seek to compromise IoT devices.
Ideally, each of your IoT devices should be equipped with a random, but complex password. After all, if all of your devices share a common password, an attacker could conceivably acquire that password and take control of all of the devices. This is especially troubling since there are stories of attackers who have managed to get IoT devices to function as botnets.
2. Review the end user agreement.
One of the things that I never hear anyone talk about with regard to IoT security is the importance of reviewing the end user agreement. That’s the agreement that the manufacturer displays on screen when you initially configure the device. If you simply click OK to accept the agreement without reading it–so you can finish the deployment and get on with your day–you really don’t know what you have just agreed to. Given the extent to which devices have become known for spying, it may be worth taking the time to review the end user agreement for your devices and make sure that the device is not compromising sensitive information. If you’re not comfortable with something in the end user agreement, it may be worth adopting a competing vendor’s product.
3. Keep firmware up to date.
Just as software vendors routinely release patches for their products, reputable IoT vendors will occasionally release firmware updates to secure IoT devices. It is important to download, test and deploy these firmware updates just as you would any other patch.
4. Disable unnecessary features.
In some cases, you can enhance your security by disabling unnecessary features. To determine what’s really necessary and what’s not, spend time reviewing the feature sets of the IoT devices that you use.
Obviously, some devices are far more feature-rich than others. An IP-enabled industrial sensor, for instance, probably has few, if any, ancillary features. On the other hand, devices that are oriented more toward the end user tend to be feature-rich. In some cases, disabling even a single feature can significantly improve the device’s overall security.
For example, like many other people, I have a Wi-Fi enabled, smart thermostat in my home. This thermostat has a remote access feature that lets me remotely monitor the temperature in my home and make adjustments if necessary. I have disabled the thermostat’s remote access feature–not because I’m worried about a hacker setting the air conditioner to run at full blast, but because an attacker who gains access to the thermostat could conceivably use it as a platform for launching an attack against other devices on the network.
5. Put segmentation to use.
My goal for this blog post was to focus on immediate actions that can be taken in an effort to secure IoT devices. Even so, I just couldn’t conclude the post without mentioning segmentation. Segmentation takes some planning, so it doesn’t really qualify as something that you can do right now. Even so, segmentation is one of the most important things that you can do to keep your IoT devices secure, so I wanted to be sure to mention it.
When possible, place your IoT devices on isolated network segments. The smart thermostat I mentioned is connected to a dedicated Wi-Fi network that services only the connected devices in my home. Using this dedicated network prevents IoT devices from accessing sensitive data such as the files stored on my laptop.
Even if you cannot completely isolate a device, you may be able to use firewall and routing policies to restrict a device’s communications. For example, if a particular device communicates with a backend SQL Server, you should look for ways to prevent the device from ever communicating with anything else (with the possible exception of a management PC). This can go a long way toward keeping the device secure while also preventing data leakage.
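The password audit from step 1, as an added example that is not part of the original post: it runs offline over a device inventory and flags the three problems the post calls out, vendor default passwords, one password shared across several devices, and weak passwords. The vendor default list, the inventory rows and the device names are all constructed for the example.

```python
"""Offline password audit of an IoT device inventory (constructed example)."""
import csv
import io
from collections import defaultdict

# Constructed vendor-default list keyed by (vendor, model). A real audit
# would load the defaults printed in each manufacturer's online manual.
DEFAULT_PASSWORDS = {
    ("acme", "ipcam-200"): {"admin", "1234"},
    ("acme", "thermo-x"): {"password"},
    ("bolt", "sensor-7"): {"bolt123"},
}

# Constructed inventory: one row per device with the password as recorded
# in deployment notes (hypothetical values).
INVENTORY_CSV = """device_id,vendor,model,password
cam-lobby,acme,ipcam-200,admin
cam-dock,acme,ipcam-200,Qv7!mZ2#pLw9
thermo-hq,acme,thermo-x,Qv7!mZ2#pLw9
sensor-line1,bolt,sensor-7,bolt123
sensor-line2,bolt,sensor-7,short1
gw-edge,bolt,sensor-7,X9k#Lm2$Qw8vTz
"""


def is_weak(pw, min_len=12):
    """Weak = shorter than min_len or fewer than three character classes."""
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])
    return len(pw) < min_len or classes < 3


def audit(csv_text, defaults=DEFAULT_PASSWORDS):
    """Return {device_id: [issues]} for every device with at least one finding."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # Map each password to the devices using it, to detect sharing.
    users_of = defaultdict(list)
    for r in rows:
        users_of[r["password"]].append(r["device_id"])
    findings = {}
    for r in rows:
        issues = []
        if r["password"] in defaults.get((r["vendor"], r["model"]), set()):
            issues.append("default")
        if len(users_of[r["password"]]) > 1:
            issues.append("shared")
        if is_weak(r["password"]):
            issues.append("weak")
        if issues:
            findings[r["device_id"]] = issues
    return findings


if __name__ == "__main__":
    for dev, issues in audit(INVENTORY_CSV).items():
        print(f"{dev}: {', '.join(issues)}")
```

Devices that share a password are reported on every device involved, so rotating one of them removes the finding from the others as well.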