Hackers be hacking: NordVPN servers compromised

Originally published at: https://boingboing.net/2019/10/22/hackers-be-hacking-nordvpn-se.html


Row erupts over who to blame after NordVPN says: One of our servers was hacked via remote management tool


Someone made a very good point in the comments of that Register article…

If you aren’t the hardware OS admin & don’t control physical access to the hardware you can’t claim it’s secure.

Nord are renting server time from 3rd party server farms to host VPNs because to do it properly would cost too much in buildings, hardware & staff. Beancounters strike again.

Isn’t this the case for all VPN services? The point is no less valid with those either but given the fact VPN business is going through the roof due to government snooping we might be facing a rude awakening.


And in other news hackers hack hackers


I’m curious to see how the BB Store spins this news in its next attempt to plug NordVPN. I have no hope this will spur the development of some scruples in its shameless shilling for all manner of crap.


Ha, I used NordVPN precisely because I couldn’t remember seeing it in the rotating wheel of VPNs that BB shilled for created an opportunity for awareness of the wonderful thing it is. Not that I was under any illusion that sponsored posts meant a given VPN was good OR bad, or any different under the skin from the last version; I’m just spiteful that way, and the VPN ads in particular got to be a bit much.

So, serious question for the group: as someone who’s sunk money into this and is stuck for another year or so on my subscription, should I care? I get why absolutely I should care so much in the abstract. But on a scale of 1 to 10, with 1 being “a cosmic ray striking just the right bit on just the right server will make it theoretically possible for a malicious agent to learn the hash value of your middle initial” and 10 being “your nudes have already been forwarded to your grandma,” where is this?


I’m guessing another case of “admin/admin”.

It largely depends on why you use a VPN. If you’re using it for anonymity then it could matter. If you’re using it for breaking geo locks on streaming services or to prevent an overly aggressive ISP from messing with your traffic then assuming the hackers didn’t do the same you’re probably fine.

Now if the hackers were able to use a MITM attack to then leverage another attack on you then you could be hacked with malware and all that could entail.

If security is your concern and you’re only concerned with web communications then hopefully you’re already using https for everything and it won’t matter.


I’ve never trusted VPNs. Then again, I don’t believe ANYTHING you do online is secure, no matter how protected you dream you might be. An extreme position? Maybe. Then again, just wait for tomorrow’s revelations!

It’s Somebody Else’s Computer with multiple levels of indirection. Too bad that so much of the net is insecure by design, and that there are so many vested interests who want to keep it that way.


Youtubers who depend on their sponsorship are devastated

That’s not a good point, it’s a copout.

Virtualization and containerization solve these issues. Your bare metal OS should be as minimal as possible and completely locked down, and your data encrypted-at-rest so even if someone were to get physical server access and try to reboot it into any sort of admin mode, it does them no good, and the console won’t either because your very few accounts have strong passwords.

I have worked with too many organizations who ignore system-level security then try to claim it’s too hard to do properly as the reason to not even try. Just because your workload is virtualized doesn’t mean you can’t defend against compromise of the physical server itself, even if the physical server is viewed as a hostile actor.


Fair enough and that’s all well and good in an ideal world but it assumes the admins have shown due diligence and sufficiently locked it down. I do think the point is a good one though because if you don’t manage your own hardware but outsource it to a third party then you simply cannot guarantee security, as has been shown here, where it seems the provider having an insecure remote management system in place was a really dumb oversight. And that’s the major issue with VPNs here, they have servers all over the world but how much trust are they placing in those providers? Are they audited?

And if there ends up being a rivalry between the two groups with hacking carried out in revenge, then you will see that hackers hackers hack, hack hackers.

I wonder if any of them are based in Buffalo.


That’s just it - that doesn’t hold up under scrutiny.

When we talk about “remote management systems”, we’re talking about 3 possibilities, more or less:

  1. remote KVM-like access, that gives you physical access to the server as if you were at the keyboard
  2. remote agent access - some tool running on your (virtualized or otherwise) OS integrates with the provider and lets them do stuff, or
  3. your workload is virtualized, and the management tool gives access to the bare-metal OS or system underneath.

All three of these scenarios can (and should!) be mitigated, and none create a situation where you “cannot guarantee security”.

For scenario 1, we don’t run our worker nodes with terminals running on the console (because they’re worker nodes, they’re disposable, we wouldn’t troubleshoot unreachable nodes, we’d wipe them and either get new hardware or reformat), so the attack vector there is for someone to power-cycle the server and intercept the OS loading. Except 1) you (should) notice your server going down and 2) your data should be encrypted until the OS loads and decrypts it. So this scenario shouldn’t cause you to be compromised.

For scenario 2, this would mean the NordVPN folks had a daemon running on their server and failed to disable it. I will give them the benefit of the doubt that they did not do this, because there’s really no excuse for this scenario in any reasonable environment.

For scenario 3, any traffic should be encrypted, including your traffic to your datastore. Your underlying OS shouldn’t have keys to view it, requiring either access to your virtualized guest or container, both of which should fire off alerts when they are accessed, so even if someone were able to infiltrate the server this way, you should be able to immediately destroy the instance and lock down the data.

And this is all out-of-the-box technologies - I would fully expect a VPN company to be able to go beyond this bare minimum of protection with some engineering around their specific applications and transports.

Instead, it seems much more likely that they just didn’t consider the effect of scenario 1 (possibly leading to scenario 3) and didn’t plan for it. Which is, frankly, inexcusable for an org specifically selling transport security.


Back to “Tunnel Bear!!!” plugs? (those old LTT videos)

There is always PIA…

Out of curiosity, how would this work in practice? For example, suppose you rent a dedicated cloud VPS from Huawei (very cheap BTW), and image it with a headless Linux system dedicated to operating your microwave oven camera, or running a forum, or whatever. How do you keep Huawei from plugging an LSI ADM3A into the machine’s RS232 port and watching what you’re doing? Or does the headless image make that impossible?


The default consoles are served by the getty processes in Linux. If you don’t run them, there is no login.

Also disabling /dev/keyboard and /dev/console (aliasing them to /dev/null), ensuring that systemd isn’t listening for ctrl-alt-delete, and disabling the sysrq key will help too.

This is a simplified generic example, but tasks along these lines will be what’s required.
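Added example, not from the thread or any poster: a small POSIX sh audit helper for the console-lockdown steps described above (no getty login prompts, ctrl-alt-del ignored, magic SysRq off). It assumes a systemd-based host; the unit-file listing it inspects is a constructed sample, and the tty names in the remediation commands are placeholders to adjust per host.

```shell
#!/bin/sh
# Added example: audit helpers for a headless Linux host that should have
# no console login at all. Assumes systemd; SAMPLE_UNITS is constructed.

# Classify a kernel.sysrq value (what /proc/sys/kernel/sysrq reports).
# 0 disables the magic SysRq key entirely, 1 enables every function,
# anything else is a bitmask of individually enabled functions.
sysrq_assessment() {
  case "$1" in
    0) echo "disabled" ;;
    1) echo "enabled (all functions)" ;;
    *) echo "enabled (bitmask $1)" ;;
  esac
}

# From `systemctl list-unit-files` output (passed as a string), list the
# console-login and ctrl-alt-del units that are NOT masked. A masked unit
# cannot be started, so an empty result means no getty will ever put a
# login prompt on a VGA or serial console and ctrl-alt-del does nothing.
unmasked_console_units() {
  printf '%s\n' "$1" | awk '
    $1 ~ /^(getty@|serial-getty@|getty\.target|ctrl-alt-del\.target)/ && $2 != "masked" { print $1 }'
}

# Print (do not run) the commands that close each gap the audit reports.
# tty1/ttyS0 are placeholders: mask whichever instances your host spawns.
hardening_commands() {
  cat <<'EOF'
systemctl mask getty.target getty@tty1.service serial-getty@ttyS0.service
systemctl mask ctrl-alt-del.target
printf 'kernel.sysrq = 0\n' > /etc/sysctl.d/99-no-sysrq.conf
sysctl -w kernel.sysrq=0
EOF
}

# Constructed sample: a partially hardened host (serial console and
# ctrl-alt-del already masked, VGA getty and getty.target still live).
SAMPLE_UNITS='UNIT FILE               STATE    PRESET
getty@.service          enabled  enabled
serial-getty@.service   masked   enabled
getty.target            static   -
ctrl-alt-del.target     masked   enabled
sshd.service            enabled  enabled'

# Stand-alone run: audit the sample, then the live SysRq setting if readable.
echo "sample host still has unmasked console units:"
unmasked_console_units "$SAMPLE_UNITS"
if [ -r /proc/sys/kernel/sysrq ]; then
  echo "live sysrq: $(sysrq_assessment "$(cat /proc/sys/kernel/sysrq)")"
fi
echo "to remediate:"
hardening_commands
```

On a real host, feed it `unmasked_console_units "$(systemctl list-unit-files)"` and expect an empty list before trusting that the console is closed.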


I am afraid I don’t get the Buffalo comment.