Serveur d'impression

Chronique de NordVPN | TechRadar – Bien choisir son serveur d impression

Le 14 mai 2020 - 39 minutes de lecture

Note de l'éditeur: Suivant le server hack that NordVPN suffered in 2018, we sent the firm a list of questions which were answered candidly.

1. "Evidence of the breach first appeared on March 5th, 2018, but we were unaware of it at that time. Further evidence suggests that this is around when the breach is likely to have occurred." What is the 'further evidence' that March 5th 'is around when the breach is likely to have occurred', and how can you conclude, even on the balance of probabilities, that there wasn't an earlier breach? Do you have an estimate of how many customers used the affected server?

NordVPN: March 5th was the last day when such configuration file existed. Later our configuration was changed, so the config file would have looked differently. And the server itself was built on January 31st. We believe that the discussion on 8chan was the cause for someone to start looking for vulnerabilities of different VPN service providers, and that discussion started on March 5th. We don’t know the exact time of the event, and we can’t tell how many people were connected to that server as we don’t keep any logs. We can only guess: our raw estimate is something around 20 to 70 active sessions.

2. "The breach was made possible by poor configuration on a third-party datacenter’s part that we were never notified of." What was this 'poor configuration'?

There was an undisclosed IPMI (Intelligent Platform Management Interface) account left to access the server. That account was breached, and therefore the server was accessed.

3. "There are no signs that the intruder attempted to monitor user traffic in any way." That signs would you expect to find? If the intruder did monitor user traffic, what would they have been able to see?

There were no changes made to our configuration, no additional processes running, no additional files left on the server. Such configurational changes were necessary to inspect the traffic. In theory, after running certain commands, a third party could have seen the real-time activity, which would look like traffic observed by a regular ISP. That means traffic traveling between the server and a bunch of different websites.

4. "The incident effectively showed that the affected server did not contain any user activity logs." How did the incident show that?

If any user-data had been kept on a server, it would have very likely been downloaded and provided to the public. However, assumptions aside, configuration file downloaded from one of the competitors’ servers displays real-time sessions and some user information, while our configuration file does not.

5. "The intruder did find and acquire a TLS key that has already expired." When did the key expire? (The sentence as written suggests only that it's expired now, but I'm wondering if the author meant 'had already expired' by the date of the attack.)

The TLS key expired on 10/7/2018. However, the TLS key can not be used to decrypt the traffic.

6. "We then immediately launched a thorough internal audit of our entire infrastructure. We had to ensure that no other server could possibly be exploited this way." What did this audit uncover? For example, how many other servers had remote management systems installed?

We have audited more than 4000 of our servers. Most of our servers had a remote management system installed. However, the system itself is not an issue if it is patched and unavailable for public access (from the internet). We found few servers that could have potentially be at risk and either patched them or removed them.

7. "…we raised our standards even further for current and future datacenter partners to ensure that no similar breaches could ever happen again." What can you tell us about these standards?

We made sure that no datacenters we use have unpatched or undisclosed IPMI access. Each new server built is encrypted, so no readable data can be accessed even if a server is accessed without authorization through a remote management system. Also, we have a lot of plans to improve our security.

Commentaires

Laisser un commentaire

Votre commentaire sera révisé par les administrateurs si besoin.