Breaches against security firms Avast and NordVPN; criticism over ‘Inaction Fraud’; and a US congressman jokes he’s as bad with passcodes as Kanye West

Under lock and key

Breaches against security companies dominated the security headlines as well as the cybersecurity chat on social media this week.

News surfaced that (expired) private keys belonging to NordVPN had leaked, meaning anyone holding those keys might have been able to set up a server and impersonate the VPN service provider, infosec Twitter warned.

NordVPN, which disputes this assertion, has played down the significance of the incident.

Critics were quick to point out that news of the breach came just days after overblown (and later withdrawn) marketing claims by NordVPN on social media that VPNs prevent hackers from stealing users’ online lives – an assertion that ignores the danger of phishing and much else that VPNs alone do little to combat.

Rival VPN vendor TorGuard fell prey to a similar digital certificate breach, as a Daily Swig article on the related breaches and their possible impact explains.

Separately, Avast said that attackers had breached its internal network through a compromised VPN profile and stolen credentials.

The security software maker said that it thwarted the attack, which it reckons represented a follow-up to a high-profile attack in 2017 that resulted in the contamination of official CCleaner downloads.

Avast earned praise from many in the security community for its transparency in disclosing details of the breach on its systems, the latest in a growing list of such attacks.

Some expressed concerns that security vendors were still not doing enough to protect their own systems from attack.

The Gray Lady ditches infosec chief role

The New York Times scrapped its infosec director role this week, making respected security practitioner Runa Sandvik redundant in the process.

During her three and a half years as senior director of information security at the NYT, Sandvik established a SecureDrop system for confidential tips.

The paper still has a (reduced) contingent of competent security people keeping NYT reporters and their sources safe, but making Sandvik redundant (as part of an apparent cost-cutting exercise) has nonetheless been criticized by the security community as a big step backwards.

Many expressed the confident hope that Sandvik would quickly find alternative employment.

Inaction fraud

Elsewhere this week, questions have been raised about whether British victims of cybercrime are getting the support they deserve from Action Fraud, the national fraud reporting center.

Concerns focus on the treatment of victims’ reports by staff at the externally managed helpline, who were caught referring to victims as “morons” and “psychos” and fobbing people off with excuses in a recent undercover probe by The Times newspaper.

Workers, often young and inexperienced, are asked to decide whether reports from victims (often in distress at losing large sums of money) should be treated as crimes or filed as less serious “information reports”, which are almost invariably never looked into again.

More recently a senior police officer, who requested anonymity, told consumer group Which? that of the approximately 650 reports filed to Action Fraud each month from within his force’s area, only 10 cases were passed on to it for investigation.

These figures are typical of those from across the country, The Register reported this week.

A parody Twitter account for Action Fraud (@InactionFraudUK) has been created in an attempt to publicize the issue.

Power play

Last year, Kanye West famously revealed the PIN code of his phone to the entire world during an Oval Office meeting with President Trump. Surrounded by a crowded press corps, the rapper was captured tapping in ‘000000’ to unlock his iPhone.

This week, Congressman Lance Gooden made an almost identical security faux pas in revealing his phone password was ‘111111’.

The incident, which took place during a Congressional hearing, was captured by the world’s television cameras and posted on Reddit, where it provoked a lively discussion.

Gooden made a joke of being caught out with an easily guessable password, choosing to disregard the part that hacking played in the 2016 US presidential election cycle or the sensitivity of the communications the first-term congressman handles.