If you've been following technology-based content on YouTube in recent months you'll be familiar with NordVPN. The Panama-based Virtual Private Network service provider - located in the Central American nation due to its liberal data retention regulations - has splashed the cash to advertise on major tech channels and as a result has become an almost household name. They promote the service's anonymity provisions: an encrypted connection between your home and remote servers around the world, with no communication logs retained, that prevents snooping by ISPs, governments and rogue internet hotspots. Worth keeping in mind is what that promise actually amounts to: the VPN moves the vantage point from your ISP to the provider's own servers, so everything rests on those servers, and the people operating them, being trustworthy. That message has been driven exceptionally successfully.
So it was with some surprise that a prolonged security breach of one of their servers - owned and operated out of Finland by a third party - was revealed; not, it should be said, through an official release, but rather due to the investigative work of white-hat hackers. The server was compromised between January and March of 2018 according to follow-up statements made to TechCrunch, and could allegedly have allowed malicious parties to set up servers of their own impersonating NordVPN's.
The severity of this breach has been the subject of much debate, as has the vulnerability and necessity of other VPN services, but one aspect that drew broad condemnation was NordVPN's lack of disclosure. Security firms have to walk a fine line between consumer demands for openness and a natural inclination towards secrecy, particularly when government regulatory pressure is thrown into the mix, and in this instance they appear to have got it wrong. The backlash was swift, with even some influencer partners suspending contracts until they were satisfied NordVPN had got the message.
In a statement issued today the firm outlines new security measures it is putting in place to guard against similar problems.
1. Partnership with the top cybersecurity consulting firm VerSprite. Penetration testers are a key part of NordVPN’s security efforts. Their job is to prod the infrastructure for weaknesses and mitigate the vulnerabilities. That’s why NordVPN is engaging in a long-term strategic partnership with VerSprite, a leading cybersecurity consulting firm.
VerSprite will work with NordVPN’s in-house team of penetration testers to challenge the infrastructure and ensure the security of customers. The main tasks covered in the new agreement include comprehensive penetration testing, intrusion handling, and source code analysis. VerSprite will also help to form an independent cybersecurity advisory committee.
2. Bug bounty program. Over the next few weeks, NordVPN is going to introduce a bug bounty program. Bug bounties reward cybersecurity experts for catching potential vulnerabilities and reporting them to the developers so they can fix them. Bounty hunters will get a well-earned payout, and NordVPN users will get a service they know is scoured for bugs by thousands of people every day to make it as secure as possible.
3. Infrastructure security audit. NordVPN is planning to complete a full-scale third-party independent security audit in 2020. The audit will cover the infrastructure hardware, VPN software, backend architecture, backend source code, and internal procedures. The chosen vendor for the security audit will be announced in the future.
4. Vendor security assessment and higher security standards. NordVPN is planning to build a network of colocated servers. While still located in a data center, colocated servers are wholly owned exclusively by NordVPN. NordVPN is currently finishing its infrastructure review so that they can eliminate any exploitable vulnerabilities left by third-party server providers. NordVPN is committed to ensuring that their exclusively owned data centers maintain the highest security standards.
5. Diskless servers. NordVPN is planning to upgrade their entire infrastructure (currently featuring over 5100 servers) to RAM servers. This will allow NordVPN to create a centrally controlled network where nothing is stored locally — not even an operating system. Everything the servers need to run will be provided by NordVPN’s secure central infrastructure. If anyone seizes one of these servers, they'll find an empty piece of hardware with no data or configuration files on it.
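The "diskless" claim in point 5 is something an auditor can actually check on a running Linux host rather than take on trust. The script below is an added example written for this page, not code from NordVPN or VerSprite; it assumes a Linux host exposing /proc/mounts and /proc/swaps, and the sample mount tables used to exercise it are constructed, not captured from any real server.

```shell
#!/bin/sh
# Added example (not NordVPN's or VerSprite's code): audit a Linux host for
# persistent local storage, the property a "diskless"/RAM-only server claims.
# Both functions take the text of a /proc file as an argument so they can be
# run against constructed samples offline; on a live host pass the real files.

# persistent_mounts MOUNTS_TEXT
#   MOUNTS_TEXT is the contents of /proc/mounts (fields: source, mountpoint,
#   fstype, options, dump, pass). Prints each mount that is backed by a block
#   device or uses an on-disk filesystem. Returns 0 if none were found
#   (consistent with a RAM-only host), 1 otherwise.
persistent_mounts() {
    found=0
    while read -r src mnt fstype _rest; do
        [ -z "$src" ] && continue
        reason=""
        case "$fstype" in
            ext2|ext3|ext4|xfs|btrfs|f2fs|jfs|reiserfs|vfat|ntfs|ntfs3)
                reason="on-disk filesystem" ;;
        esac
        case "$src" in
            /dev/sd*|/dev/hd*|/dev/nvme*|/dev/vd*|/dev/xvd*|/dev/mmcblk*|/dev/md*|/dev/mapper/*)
                reason="${reason:-block device}" ;;
        esac
        if [ -n "$reason" ]; then
            echo "persistent: $src on $mnt ($fstype, $reason)"
            found=1
        fi
    done <<EOF
$1
EOF
    return "$found"
}

# swap_in_use SWAPS_TEXT
#   SWAPS_TEXT is the contents of /proc/swaps. The first line is a header;
#   any further non-empty line is an active swap area, which would let memory
#   contents (keys, session state) reach disk. Returns 0 if swap is active,
#   1 if not.
swap_in_use() {
    [ "$(printf '%s\n' "$1" | sed '1d' | grep -c .)" -gt 0 ]
}

# Live use on a host (not executed during offline testing):
#   if persistent_mounts "$(cat /proc/mounts)" && ! swap_in_use "$(cat /proc/swaps)"; then
#       echo "no persistent storage detected"
#   else
#       echo "persistent storage present"; exit 1
#   fi
```

Two caveats for anyone using this as part of an audit. It only sees what is mounted or swapped in: a disk that is attached but never mounted is invisible here and needs a separate look at /sys/block, and the contents of RAM itself are out of scope entirely. It is also a check run on the box by the box, so a host that has already been compromised can lie to it; it supports an auditor's visit, it does not replace one.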
NordVPN then go on to minimise the scale of the 2018 breach, correctly identifying it as involving a single server out of the more than 3000 in daily operation, and downplaying the risk of customer data leaks. But that, as you've already guessed, doesn't address the real complaint: the breach was not disclosed when it happened, and that silence is what undermined consumer trust.
Security breaches happen. Some of the largest institutions on the planet have suffered them, despite multi-billion dollar budgets and exceptionally sensitive records being held. There is one central lesson that unifies them all, however: if you're a commercial entity and you choose not to disclose a breach, tech-savvy members of the public will come down on you like a tonne of bricks. Failing to understand that can erode any goodwill you may have painstakingly built, no matter how many auditors you employ to oversee your systems.
This saga is likely to run and run. But despite these issues (which also affect other service providers), VPN options will only increase in popularity as video content services fragment into multiple time- and region-locked subscription plans. Because let's face facts - acts that breach copyright or standard streaming terms of service are major motivators for the widespread use of VPNs.
SOURCES: TechCrunch, via Press Release