Online Breaches

There have been a series of online breaches which have caught my attention because they involve multi-factor authentication and data encryption: two technologies which are supposed to protect a company’s customers. But, while these technologies are implemented to some degree, the latest breaches show that internal systems are not as compartmentalized as I assumed.

An employee sipping coffee somewhere logs into a fake web site and now thousands of customers have lost their secrets and source code which exposes them to breaches in the future.

I know in one case a company got lucky because a hardware token prevented an employee from giving up their login. But I am bothered by how quickly and how far attackers can get with companies who make their security posture a selling point.

I want to say this is an argument in favor of running your own infrastructure. But that comes with its own problems of maintenance, expertise, and auditing.

In the recent LastPass breach, they only lost personal information. Because of their zero knowledge architecture, the attacker could not access data encrypted by a customer’s master password. I see that not everything was lost. But I feel like it should have been more difficult to get even this far.

What do you think? Do you trust your data with cloud companies who market their security posture? What other features are missing from cloud vendors’ systems and processes that would offer better protection?


Note that in Cloudflare’s case, they were not breached because they properly secured their infrastructure. The entire point of hardware keys is that you need to be physically at the location, which dramatically increases the cost of gaining unauthorized access.

Cloudflare said that three of its employees fell for the phishing scam, but that the company’s use of hardware-based MFA keys prevented the would-be intruders from accessing its internal network.

[…]

It’s impressive that despite three of its employees falling for the scam, Cloudflare kept its systems from being breached. The company’s use of hardware-based security keys that comply with the FIDO2 standard for MFA was a critical reason. Had the company relied on one-time passwords from sent text messages or even generated by an authentication app, it likely would have been a different story.

What bothers me more is that I have been to bank branches where the employees walk around with Yubikeys to access their workstations, yet they won’t do anything beyond SMS 2FA, if that, for bank logins for customers.

What other features are missing from cloud vendors’ systems and processes that would offer better protection?

OPSEC will always be more important than mitigations, which is what 2FA is. If you don’t have good OPSEC, no security measure will adequately protect you from a motivated, knowledgeable, and well-financed threat. A mitigation prevented Cloudflare employees from opening the doors to their attackers, but they clearly still have a big problem. If you’re into podcasts, I recommend listening to episode 6 of Darknet Diaries, The Beirut Bank Job. Often, the problem is humans.

One issue I see with security measures is the first instinct is to take away power from users, which is why it’s no surprise that companies will always use security as a reason to introduce unpopular functionality, even if it doesn’t make sense. “Trusted Computing”, a term you’ve probably heard a lot of lately, was initially pushed by Microsoft so they could prevent you from doing things on your own computer if it didn’t serve their interests.

EDIT: In this case, a TPM with your custom keys will prevent the persistence of malware. That’s its primary security benefit. When I said companies use security to justify why a new restriction is being introduced, I didn’t intend for “trusted computing” to be an example of this. I can’t think of a good example off the top of my head, but there certainly are examples in the wild.
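To make concrete why the hardware keys in the Cloudflare story above held up where one-time codes would not, here is an added example (not from this thread or from any company named in it) in Python: the origin-binding checks a WebAuthn relying party performs, next to a plain TOTP check, run over a constructed assertion from the real site and one from a lookalike domain. The relying party example.com, the lookalike domain and the challenge bytes are assumptions made for the example, and the WebAuthn signature check is left out to keep the focus on origin binding.

```python
import base64
import hashlib
import hmac
import json

# Assumed relying party for this example (not from the thread).
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def verify_fido2_assertion(client_data_json, authenticator_data, expected_challenge):
    """Origin-binding subset of WebAuthn assertion verification; the signature
    check over authenticatorData || sha256(clientDataJSON) is left out."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return False
    # The server mints a fresh challenge per login, so old assertions cannot be replayed.
    if not hmac.compare_digest(b64url_decode(client["challenge"]), expected_challenge):
        return False
    # The browser records the origin the user actually visited; the RP must match it.
    if client.get("origin") != EXPECTED_ORIGIN:
        return False
    # First 32 bytes of authenticatorData are sha256 of the RP ID the key was scoped to.
    return hmac.compare_digest(authenticator_data[:32],
                               hashlib.sha256(RP_ID.encode()).digest())

def totp(secret: bytes, counter: int) -> str:
    """RFC 6238 TOTP for one time step (HMAC-SHA1, six digits)."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return f"{(int.from_bytes(mac[off:off + 4], 'big') & 0x7FFFFFFF) % 1000000:06d}"

def verify_totp(secret: bytes, submitted: str, counter: int) -> bool:
    # Nothing ties the code to a site: a code typed into a lookalike page still verifies.
    return hmac.compare_digest(totp(secret, counter), submitted)

def make_assertion(origin: str, rp_id: str, challenge: bytes):
    """Constructed stand-in for what a browser and authenticator would hand back."""
    client = {"type": "webauthn.get", "origin": origin,
              "challenge": base64.urlsafe_b64encode(challenge).decode().rstrip("=")}
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"
    return json.dumps(client).encode(), auth_data

CHALLENGE = b"constructed-challenge-use-os-urandom"  # constructed sample value
GOOD = make_assertion("https://example.com", "example.com", CHALLENGE)
# Lookalike domain (constructed placeholder): the browser scopes the credential to it,
# so even a relayed assertion carries the wrong origin and the wrong rpIdHash.
PHISHED = make_assertion("https://example-com.invalid", "example-com.invalid", CHALLENGE)
```

The relayed assertion fails on origin and rpIdHash no matter how convincing the page was, while the TOTP verifier has no input that could tell a phished code from a genuine one.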

There’s this one scene in Mr. Robot (mild spoilers ahead) where Elliot sees an elderly woman working at a company. He views her as a weak link to easily gain access to the company, but when pushed, she doesn’t give him access and foists him on someone else. The implication is that she calls security on him while keeping him busy.

Not a perfect response to social engineering, but better than just folding over without confirming his credentials.

Security awareness is far more important than better software. But there should be good processes for employees to follow to overcome social engineering.
