
The Nord VPN hack


Troblems


Nord VPN has verified that it was compromised in March 2018. VPNs have been making money hand over fist with deceptive marketing practices, as they basically advertise that they are a one-stop shop for all of your online safety needs, and that's just not true. It's kind of like owning a house. You can't just put a lock on your front door and call it good. It depends on the neighborhood you live in, how often you're home, if you trust your neighbors, etc. You'll want to have several layers of security, and you never want to be the worst or best house in the neighborhood. You always want to be somewhere in the middle to avoid being targeted. I could go on about physical security all day, but I won't because this isn't about that.

So how VPNs work is that they rent servers all over the world, and a tunnel is created between you and one of those servers that basically makes your traffic hard for your ISP to see. It also makes it hard for your router to see, so that makes it a good choice if you're on an unsecured router, say at a coffee shop or hotel. Now, that means that you're going to have to trust your VPN provider more than your ISP, so there's always a trade-off. One good thing is that most VPNs take cryptocurrency, so if you really don't want to be tracked, you can go the crypto route. That's on you.

I chose to subscribe to Nord personally a few years back. I'm going into cybersecurity, so I figured a VPN is probably a good thing to have. I was choosing between two, Nord and Express. Express is a bit more expensive, but tends to have a bit quicker connection. Both are outside the Five Eyes, and Nord was cheaper, so I went with it. Always pay for your VPNs.

Now, the reason the Nord hack seems like it's not that big of a deal is that it was in Finland on a rented server, with an asymmetric key, so it's not like it could have been used indefinitely. I personally don't connect to Finland. What's the big deal? Well, it was more than a year and a half ago. I know it can take a while to figure out if a company has even been compromised, but Nord said they found out about it "a few months ago". You need to let people know about that shit. That's just unacceptable. Additionally, if the service is touting itself as your one-stop shop for all your safety needs online, step up your game, and actually be secure. Don't be gross. It's a serious violation of the trust of people who know better, and especially those that don't.

TechCrunch has a great article on the entire thing for anyone who is interested. Tom Scott also has an incredible video about VPNs, and he even wrote a more honest commercial about them. I don't agree with everything he said in the video, especially because intercepting network traffic at a coffee shop is still a very real threat, but overall, it's very well done.

This is just a really short overview of my thoughts because I could talk about this stuff for hours, but I've seen people's eyes glaze over when I start talking VPNs, online safety, securing your house, etc.

  • Brohoof 3

9 Comments



The problem with VPNs is that it all comes down to trust.

Is there any way to know that the VPN provider does not sniff your traffic? No. They may do it for fun or the server may be hacked or someone may force them to sniff the traffic, you will never know.

Using your own VPN works great for public Wi-Fi (I do this when I need to use public Wi-Fi for something more than just watching a YouTube video), but obviously your home ISP will still see the traffic.

OK, so maybe I can rent a VDS, pay for it with anonymous cryptocurrency and run my own VPN there? Well, the hosting company can still sniff my traffic and grab my keys (just dump the memory of the virtual machine).

Renting a physical server would be better, but is expensive and the provider can still sniff part of the traffic (and now you do not have the advantage of sharing the same external IP with other clients of the VPN service). On the other hand, VPN services may be more tempting targets for people who might want to sniff your traffic (as hacking one server gives you access to the data of many people).

  • Brohoof 1
Link to comment

Our family was attacked by a law firm in another country for illegal downloading of movies off the internet, with the proof taken from logs off our ISP. It was a new law in Europe a few years back to force ISPs to release information, like IP and home addresses for their customers (something that was protected before).

Of course the demands of this attack were a scam as equivalent to any email spamming of the past (and future), only going directly into our real mail instead. Our ISP was too afraid to keep their customers safe. Nothing happened of course after all of this, but many people tried to get VPNs so they wouldn't be attacked again.

I was looking into a VPN for myself, but all evidence pointed to the VPN providers being the actual people who were framing us in the first place. What a twist, huh?

  • Brohoof 1
Link to comment
2 hours ago, Pentium100 said:

for fun

I wouldn't go that far, but everyone is selling your information. Your data is a commodity. Setting up your own tunnels is always the best idea, but not everyone has that know-how. Let's face it, there is no way to be completely anonymous on the internet. Services like TOR are a step in the right direction, but then there's the possibility of human error, along with things like keystroke cadence. If someone wants to find you, they will. The thing is that I don't want to go down super spoopy territory where I'm afraid of everything, and everyone is after me. My uncle and dad are both like that, and it makes me sad for them. So rather than going that route, I do what I can to protect myself and my family, and enjoy life to the best of my ability. Leaks, hacks, and other breaches happen; it's how companies attempt to deal with it after that makes their customers trust them afterwards. Nord clearly did a bad job, and now they're getting called out, as they should.

Link to comment

When it comes to VPNs, I find The Hated One's video on it rather informative:

 

His answer in a nutshell is that VPNs are a good idea, but A, you have to really research the VPN you're getting into, and B, you can't just use a VPN alone and think that you're perfectly safe and anonymous. Just using a VPN alone isn't really going to make you all that much safer, because only the traffic TO the VPN is actually encrypted. After that, it could easily be hacked/forced from the VPN. The best thing to do is to layer it with other measures like using DuckDuckGo instead of Google and Firefox instead of Chrome/IE and the et cetera. And also, DON'T. Use. Facebook. I mean he has an entire video on how you can stay perfectly safe and anonymous on the internet, but this conversation is about VPNs.

Link to comment

I'm happy you posted this as I've been considering whether or not it's worth it to get a VPN. I'm still not there yet, but the more I'll know the better I'll be off in any case.

Link to comment
3 hours ago, Bas said:

I read that some VPNs are still vulnerable to something called DNS leak. I don't know any specifics, but it was called a security issue.

DNS leak works like this: by default, your computer uses the DNS cache of your router and your router uses the DNS servers of your ISP. So, even if you run VPN software on your PC, if you try to go to some site, your PC sends a request to your router, which sends it to the DNS servers of your ISP, not over VPN.

To avoid that you would need to configure the PC to use some other DNS servers, like 1.1.1.1 - the requests would then go inside the tunnel.

4 hours ago, Bas said:

being unattractive enough in order to get tracked for reasonable resources spent

The problem is that VPN services may provide good targets for tracking - if you manage to hack or otherwise get access to the servers, you can track a lot of their customers easily.

3 hours ago, Spider Demon said:

And also, DON'T. Use. Facebook.

Oh yea, I have that blocked in my router as even without an account it can still track you.

4 hours ago, Jetset Troblems said:

Services like TOR are a step in the right direction, but then there's the possibility of human error, along with things like keystroke cadence.

Yes, if TOR works as advertised, then great care must be taken when using it as it is rather easy to screw up and leak your real IP.

Link to comment
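The DNS leak described in the comment above, as an added example that is not part of the original thread: it checks which network interface each configured DNS resolver is reached through, using the same longest-prefix rule a routing table applies. The interface names (`tun0`, `wlan0`), the addresses and the route list are constructed sample data, and the two `/1` routes assume a VPN client that overrides the default route that way.

```python
import ipaddress

# Constructed sample data (not from the original post).
RESOLV_ROUTER = "nameserver 192.168.1.1\n"            # router's DNS cache (the default)
RESOLV_PUBLIC = "# set by hand\nnameserver 1.1.1.1\n"  # resolver outside the LAN
# Routes as (destination prefix, outgoing interface) while the VPN is connected.
ROUTES = [
    ("0.0.0.0/1", "tun0"),        # VPN overrides the default route
    ("128.0.0.0/1", "tun0"),      # with two more-specific halves
    ("0.0.0.0/0", "wlan0"),       # original default route via the router
    ("192.168.1.0/24", "wlan0"),  # local network stays directly reachable
]

def nameservers(resolv_conf):
    """Return the IPs on 'nameserver' lines of resolv.conf-style text."""
    found = []
    for line in resolv_conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(ipaddress.ip_address(parts[1]))
    return found

def egress_interface(ip, routes):
    """Longest-prefix match: the interface a packet to ip leaves through."""
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, iface)
    return best[1] if best else None

def dns_leaks(resolv_conf, routes, tunnel="tun0"):
    """Return (resolver, interface) pairs whose queries bypass the tunnel."""
    leaks = []
    for ip in nameservers(resolv_conf):
        iface = egress_interface(ip, routes)
        if iface != tunnel:
            leaks.append((str(ip), iface))
    return leaks

if __name__ == "__main__":
    print(dns_leaks(RESOLV_ROUTER, ROUTES))  # router resolver bypasses the tunnel
    print(dns_leaks(RESOLV_PUBLIC, ROUTES))  # public resolver is routed via tun0
```

The router's address matches the more specific local-network route, so queries to it leave outside the tunnel even though the VPN is up; a resolver outside the LAN only stays inside the tunnel when the tunnel actually carries the default route.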

It’s looking like I should have possibly made this a topic rather than a blog. Oh well. 

@Spider Demon While I haven’t seen that particular video, I do really enjoy The Hated One. He tends to be a bit...overly cautious, but I still appreciate his point of view. I agree. Facebook and its other companies are not a good place to be. That includes Instagram, and particularly WhatsApp.

@Pentium100 I agree 100%. TOR is absolutely a use at your own risk type of service. Things like don’t be stupid and log into any account. Don’t resize your window. But aside from that, you never know who you’re connecting to in those three hops, and that’s what makes me hesitant to use it.

Link to comment
20 minutes ago, Jetset Troblems said:

But aside from that, you never know who you’re connecting to in those three hops, and that’s what makes me hesitant to use it.

At least TOR can protect you from one of the hops trying to spy on you. A regular VPN service does not and is much easier to trace.

  • Brohoof 2
Link to comment
