Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Vulnerability Management

10/29/2019
10:05 AM
Dark Reading
Dark Reading
Products and Releases
50%
50%

NordVPN Lists 5 Measures to Supercharge Its Security

NordVPN signs a strategic partnership with VerSprite, a leading cybersecurity consulting firm.

October 29, 2019. In the aftermath of a security incident involving NordVPN and a third-party data center, the company is taking action to enhance its security. One of the first moves is a long-term strategic partnership with VerSprite — one of the leading cybersecurity consulting firms.

The partnership will include threat and vulnerability management, penetration testing, compliance management and assessment services. VerSprite will also help to form an independent cybersecurity advisory committee, which will consist of selected experts and oversee NordVPN’s security practices.

“We are planning to use not only our own knowledge, but to also take advice from the best cybersecurity experts and implement the best cybersecurity practices there are,” says Laura Tyrell, Head of Public Relations at NordVPN. “And this is the first of many steps we are going to take in order to bring the security of our service to a whole new level.”

According to NordVPN, they are ready to take action in five different fields to become more secure than ever. Here’s the list of the planned measures:

1. Partnership with the top cybersecurity consulting firm VerSprite. Penetration testers are a key part of NordVPN’s security efforts. Their job is to prod the infrastructure for weaknesses and mitigate the vulnerabilities. That’s why NordVPN is engaging in a long-term strategic partnership with VerSprite, a leading cybersecurity consulting firm.

 

VerSprite will work with NordVPN’s in-house team of penetration testers to challenge the infrastructure and ensure the security of customers. The main tasks covered in the new agreement include comprehensive penetration testing, intrusion handling, and source code analysis. VerSprite will also help to form an independent cybersecurity advisory committee.

2. Bug bounty program. Over the next few weeks, NordVPN is going to introduce a bug bounty program. Bug bounties reward cybersecurity experts for catching potential vulnerabilities and reporting to the developers so they can fix them. Bounty hunters will get a well-earned payout, and NordVPN users will get a service they know is scoured for bugs by thousands of people every day to make it as secure as possible.

3. Infrastructure security audit. NordVPN is planning to complete a full-scale third-party independent security audit in 2020. The audit will cover the infrastructure hardware, VPN software, backend architecture, backend source code, and internal procedures. The chosen vendor for the security audit will be announced in the future.

4. Vendor security assessment and higher security standards. NordVPN is planning to build a network of collocated servers. While still located in a data center, collocated servers are wholly owned exclusively by NordVPN. NordVPN is currently finishing its infrastructure review so that they can eliminate any exploitable vulnerabilities left by third-party server providers. NordVPN is committed to ensuring that their exclusively owned data centers maintain the highest security standards.

5. Diskless servers. NordVPN is planning to upgrade their entire infrastructure (currently featuring over 5100 servers) to RAM servers. This will allow to create a centrally controlled network where nothing is stored locally — not even an operating system. Everything the servers need to run will be provided by NordVPN’s secure central infrastructure. If anyone seizes one of these servers, they'll find an empty piece of hardware with no data or configuration files on it.

“The changes we’ve outlined will make you significantly safer every time you use our service. Every part of NordVPN will become faster, stronger, and more secure – from our infrastructure and code to our teams and our partners,” says Laura Tyrell. “That’s our promise – we owe it to you.”

What happened last week

Last week, it was announced that 1 of more than 5000 NordVPN’s servers was accessed by an unauthorized third party. The hacker managed to access this single server located in Finland because of mistakes made by the data center owner, of which NordVPN was not aware.

However, NordVPN is sure that no customer data was affected or accessed by the malicious actor, as the server did not contain any user activity logs, usernames, or passwords. NordVPN’s service as a whole was not hacked, the code was not hacked, the VPN tunnel was not breached, and the NordVPN apps stayed unaffected.

 

ABOUT NORDVPN

 

NordVPN is the world's most advanced VPN service provider, used by over 12 million internet users worldwide. NordVPN provides double VPN encryption, malware blocking, and Onion Over VPN. The product is very user-friendly, offers one of the best prices on the market, has over 5,000 servers in 60 countries worldwide, and is P2P friendly. One of the key features of NordVPN is zero-log policy. For more information: nordvpn.com.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
gs_geek
50%
50%
gs_geek,
User Rank: Apprentice
12/10/2019 | 6:40:02 AM
nord vpn app
Nordvpn mod apk is best for surfing the internet privately. I am using this app for the last 4 months and it is working fine. 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Mobile App Fraud Jumped in Q1 as Attackers Pivot from Browsers
Jai Vijayan, Contributing Writer,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20898
PUBLISHED: 2020-07-13
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to access sensitive information without being authenticated in the Global permissions screen. The affected versions are before version 8.8.0.
CVE-2019-20899
PUBLISHED: 2020-07-13
The Gadget API in Atlassian Jira Server and Data Center in affected versions allows remote attackers to make Jira unresponsive via repeated requests to a certain endpoint in the Gadget API. The affected versions are before version 8.5.4, and from version 8.6.0 before 8.6.1.
CVE-2019-20900
PUBLISHED: 2020-07-13
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the Add Field module. The affected versions are before version 8.7.0.
CVE-2019-20897
PUBLISHED: 2020-07-13
The avatar upload feature in affected versions of Atlassian Jira Server and Data Center allows remote attackers to achieve Denial of Service via a crafted PNG file. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1.
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...