NordVPN Security Breach - A Matter Of Trust
To trust or not to trust
Tech news abounds right now with information about NordVPN being compromised.
NordVPN Official Response
Let's start with some critical points.
This incident occurred in March 2018.
Impacted systems were compromised for around 2 months.
The breach is now closed.
It is unlikely specific personal information for users was accessed.
Network snooping could have occurred, and content that could have facilitated man-in-the-middle attacks could have been taken.
The point of compromise in this incident was a poorly secured server management interface. These common hardware interfaces (such as iDRAC and iLO) are built into most major brands of servers today.
My concern is not so much about the breach itself but more about the way in which NordVPN have addressed the situation.
The speed of response concerns me. It should not take months to secure the internet connections used by these servers or the servers themselves. To me it suggests a weakness in their infrastructure planning for resilience and security.
It does not feel like they would have had the transparency to self-report this issue had they not been forced to.
Rather than taking ownership of a lapse or failure, their comments feel like they are pushing blame onto the server hosting company.
If these were new servers which had this security hole, it indicates little proactive penetration testing, which for a security product / service doesn't sit well with me.
From my perception the failures of Customer Service, PR, Planning, Incident Management, and Testing are greater than that of the compromise itself. I won't be recommending NordVPN until I feel they have shown a proactive effort to be ready to address such situations in the future.