
Post NordVPN Data Exposure: Using Domain Threat Intelligence to Prevent MitM Attacks

I’ve used this TIP as a sanity check on our DNS and server configurations, though it’s complicated by our use of Cloudflare for CDN and additional security. Might be useful to you too:

[…] When a service that promises to protect user data and identity gets hacked, the incident highlights the increasing boldness and sophistication of attackers. With the possibility of MitM attacks as a result of TLS certificate and private key exposure, what can help stop adversaries from launching attacks on any VPN service providers’ clients?

Domain threat intelligence is a possible line of defense to consider. Threat Intelligence Platform (TIP), for instance, can assess the integrity of a domain before it is allowed to connect to a computer or server that houses confidential data.

NordVPN could, for instance, run its domain through TIP to identify vulnerabilities, misconfigurations, and open ports that attackers can exploit.

The results showed that its site has redirects. To ensure its domain’s integrity, it needs to check that these redirects do not lead to malicious sites or hosts. Attackers are known to use redirects to divert data they are not authorized to view to their own servers or sites.
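The redirect check described above can be reproduced offline against a captured set of responses. The following is an added example, not code from the original article or from TIP: it walks a redirect chain hop by hop and flags the things a domain owner would want to review, namely a hop served over plain HTTP, a hop that leaves the owner's own domain (the pattern behind open-redirect abuse), a loop, or a chain that never terminates. The URLs and `Location` headers in `SAMPLE_HOPS` are constructed placeholders under `.test`, not real hosts.

```python
from urllib.parse import urljoin, urlparse

# Constructed redirect map for the example: each key is a URL that was fetched,
# the value is its Location header (None means the page was served with no
# redirect). The hosts are placeholders, not real sites.
SAMPLE_HOPS = {
    "http://example-vpn.test/": "https://example-vpn.test/",
    "https://example-vpn.test/": "https://www.example-vpn.test/",
    "https://www.example-vpn.test/": "/landing",
    "https://www.example-vpn.test/landing": None,
    "https://www.example-vpn.test/promo": "https://tracker.example-ads.test/land",
    "https://tracker.example-ads.test/land": None,
}


def trusted_host(host, base_domain):
    """True if host is the base domain itself or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == base_domain or host.endswith("." + base_domain)


def audit_redirects(start_url, base_domain, hops, max_hops=10):
    """Walk a redirect chain and report anything a domain owner should review.

    Returns (final_url, findings); each finding is a (kind, url) tuple:
      cleartext      hop served over plain HTTP (downgrade / interception risk)
      off-domain     hop leaves the owner's domain (possible open redirect)
      loop           the chain revisits a URL
      unresolved     no fetch result available for this URL
      too-many-hops  chain longer than max_hops
    """
    findings = []
    seen = set()
    url = start_url
    for _ in range(max_hops):
        if url in seen:
            findings.append(("loop", url))
            return url, findings
        seen.add(url)
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append(("cleartext", url))
        if not trusted_host(parsed.hostname or "", base_domain):
            findings.append(("off-domain", url))
        if url not in hops:
            findings.append(("unresolved", url))
            return url, findings
        location = hops[url]
        if location is None:          # final page, no Location header
            return url, findings
        url = urljoin(url, location)  # Location may be relative
    findings.append(("too-many-hops", url))
    return url, findings


if __name__ == "__main__":
    for start in ("http://example-vpn.test/", "https://www.example-vpn.test/promo"):
        final, findings = audit_redirects(start, "example-vpn.test", SAMPLE_HOPS)
        print(start, "->", final, findings or "clean")
```

Against live infrastructure the `hops` map would be filled from real responses (without following redirects automatically, so every hop is recorded); the first chain above is clean apart from the initial HTTP entry point, while the second leaves the owner's domain for a third-party host, which is exactly the case the article says should be checked.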

The domain analysis also gave out several Secure Sockets Layer (SSL) warnings that may be worth looking into. NordVPN can, for instance, consider setting its HTTP Public Key Pinning (HPKP) headers to protect against impersonation by attackers using wrongly issued or fraudulent certificates. It can also set its TLSA parameters to bind X.509 certificates to Domain Name System (DNS) names using DNS Security Extensions (DNSSEC).

A check on its mail servers also warned that Domain-Based Message Authentication, Reporting, and Conformance (DMARC) is not configured. When properly set up, this email validation system can provide an extra layer of defense against spoofing. It’s intended to combat specific techniques often used in phishing and spam attacks such as forging senders’ addresses.
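The DMARC warning above is a simple DNS check, and the posture behind it can be graded rather than reported as a binary "configured / not configured". The following is an added example, not code from the original article or from TIP: it reads the `_dmarc` TXT record for a domain, parses the tags, and classifies the result as missing, invalid, monitoring (`p=none`), partial (`pct` below 100) or enforcing, listing the gaps a receiver would notice. The TXT answers in `SAMPLE_TXT` are constructed placeholders under `.test`; in practice they would come from a DNS resolver.

```python
# Constructed TXT answers for _dmarc.<domain>, standing in for live DNS lookups.
# The domains are placeholders; none of these records belong to a real organisation.
SAMPLE_TXT = {
    "_dmarc.strict.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.test; adkim=s; aspf=s"],
    "_dmarc.lenient.test": ["v=DMARC1; p=none; rua=mailto:dmarc@lenient.test"],
    "_dmarc.partial.test": ["v=DMARC1; p=quarantine; pct=25; sp=none"],
    "_dmarc.broken.test": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    # no-dmarc.test publishes nothing at all
}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; raises ValueError on a malformed pair."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(domain, txt_lookup):
    """Classify a domain's DMARC posture from its _dmarc TXT records.

    status is one of: missing | invalid | monitoring | partial | enforcing
    """
    answers = txt_lookup.get("_dmarc." + domain, [])
    records = [r for r in answers if r.strip().lower().startswith("v=dmarc1")]
    if not records:
        return {"status": "missing", "issues": ["no DMARC record published; spoofed mail is not rejected"]}
    if len(records) > 1:
        # RFC 7489 section 6.6.3: more than one record means policy discovery fails
        return {"status": "invalid", "issues": ["multiple DMARC records; receivers apply no policy"]}
    try:
        tags = parse_dmarc(records[0])
    except ValueError as exc:
        return {"status": "invalid", "issues": [str(exc)]}

    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        return {"status": "invalid", "issues": [f"p= tag missing or unknown: {policy!r}"]}
    pct_raw = tags.get("pct", "100")
    if not pct_raw.isdigit() or not 0 <= int(pct_raw) <= 100:
        return {"status": "invalid", "issues": [f"pct= must be 0-100, got {pct_raw!r}"]}
    pct = int(pct_raw)
    subdomain_policy = tags.get("sp", policy)  # sp defaults to the organisational policy

    issues = []
    if policy == "none":
        issues.append("p=none only reports; failing mail is still delivered")
    if pct < 100:
        issues.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if policy != "none" and subdomain_policy == "none":
        issues.append("sp=none leaves subdomains open to spoofing")
    if "rua" not in tags:
        issues.append("no rua= address: no aggregate reports to spot abuse")

    if policy == "none":
        status = "monitoring"
    elif pct < 100:
        status = "partial"
    else:
        status = "enforcing"
    return {"status": status, "policy": policy, "issues": issues}


if __name__ == "__main__":
    for d in ("strict.test", "lenient.test", "partial.test", "broken.test", "no-dmarc.test"):
        print(d, assess_dmarc(d, SAMPLE_TXT))
```

The grading matters because a record that exists but says `p=none` gives no protection against forged sender addresses; it only produces reports. Treating that as "configured" would hide the same gap the article describes.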

Apart from identifying potential security gaps in its IT infrastructure, NordVPN can also use a domain threat intelligence platform to authenticate logins to its systems that contain sensitive client and employee data. Quick queries on the tool can help it spot unauthorized users on its network.


Original article here

Peter Glock
Over 30 years of designing, building and managing telecoms and IT services. Primarily working with large enterprise and professional services businesses in Asia, North America, continental Europe and the UK. Information security professional, secret physics nerd.
