

Avast, NordVPN Breaches Tied to Phantom User Accounts — Krebs on Security



Antivirus and security giant Avast and virtual private networking (VPN) software provider NordVPN each today disclosed months-long network intrusions that — while otherwise unrelated — shared a common cause: Forgotten or unknown user accounts that granted remote access to internal systems with little more than a password.

Based in the Czech Republic, Avast bills itself as the most popular antivirus vendor on the market, with over 435 million users. In a blog post today, Avast said it detected and addressed a breach lasting between May and October 2019 that appeared to target users of its CCleaner application, a popular Microsoft Windows cleanup and repair utility.

Avast said it took CCleaner downloads offline in September to check the integrity of the code and ensure it hadn’t been injected with malware. The company also said it invalidated the certificates used to sign previous versions of the software and pushed out a re-signed clean update of the product via automatic update on October 15. It then disabled and reset all internal user credentials.

“Having taken all these precautions, we are confident to say that our CCleaner users are protected and unaffected,” Avast’s Jaya Baloo wrote.

This is not the first so-called “supply chain” attack on Avast: In September 2018, researchers at Cisco Talos and Morphisec disclosed that hackers had compromised the computer cleanup tool for more than a month, leading to some 2.27 million downloads of the corrupt CCleaner version.

Avast said the intrusion began when attackers used stolen credentials for a VPN service that was configured to connect to its internal network, and that the attackers were not challenged with any sort of multi-factor authentication — such as a one-time code generated by a mobile app.

“We found that the internal network was successfully accessed with compromised credentials through a temporary VPN profile that had erroneously been kept enabled and did not require 2FA,” Baloo wrote.


Separately, NordVPN, a virtual private networking service that promises to “protect your privacy online,” confirmed reports that it had been hacked. Today’s acknowledgment and blog post mortem from Nord comes just hours after it emerged that NordVPN had an expired internal private key exposed, potentially allowing anyone to spin out their own servers imitating NordVPN, writes Zack Whittaker at TechCrunch.

VPN software creates an encrypted tunnel between your computer and the VPN provider, effectively blocking your ISP or anyone else on the network (aside from you and the VPN provider) from being able to tell which sites you are visiting or viewing the contents of your communications. This can offer a measure of anonymity, but the user also is placing a great deal of trust in that VPN service not to get hacked and expose this sensitive browsing data.

NordVPN’s account seems to downplay the intrusion, saying while the attackers could have used the private keys to intercept and view some of its customers’ traffic, the attackers would have been limited to eavesdropping on communications routing through just one of the company’s more than 3,000 servers.

“The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either,” reads the NordVPN blog post. “On the same note, the only possible way to abuse the website traffic was by performing a personalized and complicated man-in-the-middle attack to intercept a single connection that tried to access NordVPN.”

NordVPN said the intrusion happened in March 2018 at one of its datacenters in Finland, noting that “the attacker gained access to the server by exploiting an insecure remote management system left by the datacenter provider while we were unaware that such a system existed.” NordVPN declined to name the datacenter provider, but said the provider removed the remote management account without notifying them on March 20, 2018.

“When we learned about the vulnerability the datacenter had a few months back, we immediately terminated the contract with the server provider and shredded all the servers we had been renting from them,” the company said. “We did not disclose the exploit immediately because we had to make sure that none of our infrastructure could be prone to similar issues. This couldn’t be done quickly due to the huge amount of servers and the complexity of our infrastructure.”


TechCrunch took NordVPN to task on the somewhat dismissive tone of its breach disclosure, noting that the company suffered a significant breach that went undetected for more than a year.

Kenneth White, director of the Open Crypto Audit Project, said on Twitter that based on the dumped Pastebin logs detailing the extent of the intrusion, “the attacker had full remote admin on their Finland node containers.”

“That’s God Mode folks,” White wrote. “And they didn’t log and didn’t detect it. I’d treat all their claims with great skepticism.”


Many readers are curious about whether they should enshroud all of their online communications by using a VPN. However, it’s important to understand the limitations of this technology, and to take the time to research providers before entrusting them with virtually all your browsing data — and possibly even compounding your privacy woes in the process. For a breakdown on what you should keep in mind when considering a VPN service, see this post.

Forgotten user accounts that provide remote access to internal systems — such as VPN and Remote Desktop services (RDP) — have been a persistent source of data breaches for years. Thousands of small to mid-sized brick-and-mortar businesses have been relieved of millions of customer payment card records over the years when their hacked IT contractors used the same remote access credentials at each client location.

Almost all of these breaches could have been stopped by requiring a second form of authentication in addition to a password, which can easily be stolen or phished.

The persistent supply chain attack against Avast brings to mind something I was considering the other day about the wisdom of allowing certain software to auto-update itself whenever it pleases. I’d heard from a reader who was lamenting the demise of programs like Secunia’s Personal Software Inspector and FileHippo, which allowed users to automatically download and install available updates for a broad range of third-party Windows programs.

These days, I find myself seeking out and turning off any auto-update functions in software that I install. I’d rather be alerted to new updates when I launch the program and have the ability to review what’s changing and whether anyone has experienced issues with the new version. I guess you could say years of dealing with unexpected surprises on Microsoft Patch Tuesdays has cured me of any sort of affinity I may have once had for auto-update features.



Travel agents say business travel most affected by Coronavirus



GREEN BAY, Wis. (WBAY) — Travelers going through Green Bay Austin Straubel International Airport are not too concerned about COVID-19.

“I do go to China, I have gone to China and I’ve been to Wuhan. It doesn’t concern me a whole lot,” said Mike Callahan of Green Bay.

Others are more conscious about the flu and are taking precautions.

“Just by practicing good hygiene and making sure I’m coughing in the corner of my elbow or sneezing and washing my hands really good. I really have no concerns,” said Shawn Massey, who is heading to Houston, Texas.

Travel agents at Fox World Travel say business travelers have been most impacted by the outbreak.

“Asia is of course huge for commerce and trade and that kind of a thing, and Fox World Travel really does do a great deal of business travel. So, that’s where we’re seeing the most cancellations right now,” said Rose Gray, Business Relations Director for Fox World Travel.

Gray says she’s finding many travelers are hesitant about booking a trip or going on one they already have planned.

She says the agency has been getting more questions from people asking about what’s covered under travel insurance if they do want to cancel a trip.

“A covered reason is going to be death in the immediate family, sickness of you or one of your travel companions, those types of things. Fear of traveling to a destination is not a covered reason in most cases,” said Gray.

One tool international travelers can use to put their minds at ease is STEP, the Smart Traveler Enrollment Program.

“If the U.S. government were to send an empty plane, which they are in some cases, to go and get quarantined passengers off of a ship, the government would know where you are,” said Gray.

Gray says they have also been able to work with travel companies to make sure the money you put down on a trip won’t go to waste.

“Maybe you’re dealing with a tour company that does more than just Asia, and they’re saying alright, we can’t give you the money back, but can we put it on a Europe trip or can we put it on another destination,” said Gray. “So we’re trying to work with the vendors and they’re being quite gracious.”

According to the World Health Organization, no new countries have reported cases of Coronavirus in the last 24 hours.

Travel experts say to check the following sites to keep up to date on the latest travel impacts due to the illness:

Centers for Disease Control and Prevention


Mai Tai Bar thanks customers for 20 years of business




HONOLULU (KHON2) – One of Hawaii’s favorite night life spots is closing this Sunday.

Olive Garden has filed for a permit to do work in the space where the Mai Tai Bar and Bubba Gumps are located at Ala Moana Center. Employees were told that the lease for the restaurants will not be renewed.

The Mai Tai Bar has been a local favorite for the past 20 years. The staff wants to thank its loyal customers for all the support.

“It’s a great feeling when you hear people say I come here every week, every day on my vacation, I’ve met my husband here and so we just want to thank everyone for their support year after year the bands the promoters the sponsors that have made us who we are today,” said Teresa Morales, Manager at the Mai Tai Bar.

Details are still developing on exactly what will occupy the space where the Mai Tai Bar is currently located.



Kickstarter becomes first tech company to unionize



  • Kickstarter employees have unionized, making them the first full-time employees at a tech company to do so as more across the industry look to organize.
  • Workers voted 46-37 in favor of unionizing after a heated back and forth with management that included the firing of two workers leading the organizing efforts.
  • “We support and respect this decision, and we are proud of the fair and democratic process that got us here,” Kickstarter CEO Aziz Hasan said in an emailed statement.

Kickstarter employees have officially unionized after a vote was tallied Tuesday, marking the first full-time workers at a tech company to do so as more across the industry look to organize.

The historic 46-37 vote in favor of unionizing comes after a contentious process, which involved the firing of two Kickstarter employees who were leading the efforts. The employees then filed a complaint with the National Labor Relations Board, which has yet to resolve, according to Vice.

“We are so truly grateful to everyone who has supported us along the way,” the union said in a tweet, mentioning the Office and Professional Employees International Union and its local chapter through which the group unionized. “And to all tech and creative workers looking to fight for your rights, this is only just the beginning!” 

“We support and respect this decision, and we are proud of the fair and democratic process that got us here. We’ve worked hard over the last decade to build a different kind of company, one that measures its success by how well it achieves its mission: helping to bring creative projects to life,” Kickstarter CEO Aziz Hasan said in an emailed statement.

Kickstarter employees announced their union drive publicly last March, under the name Kickstarter United, on the same day that co-founder Perry Chen resigned as CEO. Chen had a history of turmoil at the company. He left the company in 2013, but reassumed the CEO title in 2017. A year after his return, 50 of Kickstarter’s 120 employees had left and employees told BuzzFeed News that Chen’s management style was the reason for it.

Kickstarter had been dealing with tensions that employees said arose from Chen’s heavy-handed management style as well as internal disagreement over a decision to remove a project from the site after right-wing news site Breitbart claimed the project violated the Kickstarter terms of service, according to Slate.

Last September, Kickstarter fired Clarissa Redwine and Taylor Moore, two longtime employees who had been leading the union drive. CEO Aziz Hasan wrote in a blog post that neither was fired for their organizing efforts, but also said that “the union framework is inherently adversarial.” Redwine’s termination ultimately led her to file a complaint with the NLRB. Employees have also accused the company of taking various steps to thwart their efforts to unionize.

“So many people worked incredibly hard to earn Kickstarter’s employees a seat at the table, and now they have one. Kickstarter is now a place for collective action through and through,” Redwine said on Twitter after the vote was announced Tuesday, adding that “the vote was close. Management did a great job busting.”

While Kickstarter United is the first union of full-time white collar employees at a major tech company, workers across the industry have been ramping up organizing efforts over the past several years.

Over 2,000 cafeteria workers at Google’s Bay Area offices voted to join a union last December and Google contract workers in Pittsburgh voted to unionize last August, while Chicago employees of the food delivery service Instacart also unionized earlier this month, according to Motherboard. Several digital media outlets, including BuzzFeed News, Gizmodo Media Group, and podcast producer Gimlet, have also recognized employee unions in the past year.

Short of unionizing, workers at major tech companies have organized around issues such as controversial company policies, pay and benefit disparities, sexual harassment, and various types of discrimination. Thousands of Google workers staged a walkout in 2018 over the company’s record on sexual misconduct, while others protested last year after Google fired several employees involved in organizing efforts as tensions within the company continue to simmer.

Employees at Amazon spoke out about the company’s impact on the environment, and its warehouse employees went on strike last year during its busy “Prime Day” over working conditions. In recent months, Microsoft employees went as far as to resign over the company’s work with Immigration and Customs Enforcement.


