Monday, September 26, 2022
HomeCyber SecurityUber and LastPass breaches – is 2FA all it’s cracked as much...

Uber and LastPass breaches – is 2FA all it’s cracked as much as be? [Audio + Text] – Bare Safety


With Doug Aamoth and Paul Ducklin.

DOUG.  Uber hacked, extra on the LastPass breach, and Firefox 105.

All that, and extra, on the Bare Safety Podcast.

[MUSICAL MODEM]

Welcome to the podcast, everyone, I’m Doug Aamoth.

With me, as all the time, is Paul Ducklin…

[DRAMATIC VOICE] …the host of Safety SOS Week, a star-studded lineup of interviews with safety consultants operating from 26-29 September 2022.


DUCK.  I just like the sound of that, Doug. [LAUGHS]


DOUG.  Sure!


DUCK.  Please be a part of us subsequent week, of us.

It’s the final week of September.

We selected that as a result of it’s the week main as much as Cybersecurity Consciousness Month – that’s not a coincidence.

So, 26, 27, 28, and 29 September 2022.

Every day there’s a 30-minute interview with one in every of 4 completely different consultants at Sophos.

We’ve obtained Fraser Howard, malware professional extraordinaire.

We’ve obtained Greg Rosenberg, who will clarify the challenges of detecting that somebody is in your community to begin with, so you possibly can head them off earlier than it goes incorrect.

There’s Peter Mackenzie from our Incident Response Crew, who will inform you some fascinating, scary, however very academic tales about attackers that he’s been despatched into bat towards.

And we wrap all of it up with Craig Jones, who will inform you tips on how to arrange a SecOps staff of your personal.

Craig is the Senior Director of Safety Operations *at Sophos itself*, Doug, so he does cybersecurity in a cybersecurity firm.

He’s a stunning chap, and effectively price listening to.

The URL is: https://sophos.com/sosweek


DOUG.  Can’t wait… I can be there!

Please be a part of me, everybody – it will likely be a rollicking good time.

And talking of a rollicking good time, it’s time for our This Week in Tech Historical past phase.

One thing that’s close to and expensive to my coronary heart – this week, on 23 September 2008, the world’s first Android telephone was launched.

It was referred to as the T-Cellular G1, and it featured a 3.2-inch flip-out display screen that exposed a full {hardware} keyboard.

It additionally had a trackball and no customary headphone jack.

Early evaluations had been combined, however hopeful.

Due to Android’s comparatively open nature, G1 went on to promote 1,000,000 handsets in six months, and at one level accounted for two-thirds of gadgets on T-Cellular’s 3G community.

I had a type of gadgets… it was one in every of my favourite telephones of all time.


DUCK.  Aaaaah, trackballs on telephones, eh?

Keep in mind the BlackBerries?

It was the factor, wasn’t it… that trackball was actually nice.


DOUG.  It was good for scrolling.


DUCK.  Then they went, “Out with transferring elements,” and it was an infrared sensor or one thing.


DOUG.  Sure.


DUCK.  How occasions change, Doug.


DOUG.  Sure… I miss it.


DUCK.  Such as you, I favored these slide-out keyboards that the early telephones had.

There’s one thing reassuring about really listening to the click-click-click.

I feel what I actually favored about it’s that once you popped out the keyboard, it didn’t obscure half the display screen.


DOUG.  Precisely!


DUCK.  It wasn’t like half the e-mail you’re studying disappeared once you wished to answer.

Which I suppose we’ve simply obtained used to now… that’s the best way of the world, I suppose.


DOUG.  That was a very long time in the past – less complicated occasions.

Let’s discuss in regards to the Firefox 105 launch.

What’s new from a safety standpoint right here, Paul?


DUCK.  Luckily, nothing that seems to be within the wild and nothing that charges a important degree of vulnerability.

However there are just a few intriguing vulnerabilities.

One through which a person internet web page that’s break up right into a bunch of separate IFRAMES may have safety permission leakage between these elements.

So, you might need a less-privileged body from a subdomain in your website, for instance, that isn’t supposed to have the ability to entry the webcam (as a result of this bug is about system permissions), but it seems to be as if you may really give you the chance to take action.

And one other related sounding bug, the place a subdomain of your web site – a weblog or a microsite or one thing like that – may really mess with cookies within the mother or father website.

Oh, and a very good outdated “stack buffer overflow when initialising graphics”… only a reminder that reminiscence bugs are nonetheless an issue!

And naturally, there’s the standard “reminiscence security bugs mounted in Firefox 105”, and within the Prolonged Help Launch, which is 102.3.

Do not forget that within the Prolonged Help Launch, the 2 numbers add collectively: 102+3 = 105.

So, the Prolonged Help Launch is every part from the primary model quantity, plus three updates price of safety fixes, however with the function fixes held again.

So get it whereas it’s recent.


DOUG.  Please do!

Let’s transfer on to the story of the century, breathlessly reported: “Uber has been hacked.”

Trying a little bit nearer at it… sure, it’s dangerous, it’s embarrassing, however it may have been a lot, a lot worse.


DUCK.  Sure, Uber has come out with a observe up report, and plainly they’re suggesting {that a} hacking group like LAPSUS$ was accountable.

We’ve spoken about LAPSUS$ on the podcast earlier than.

It’s a type of a “let’s do it for the lulz” sort of factor, the place it doesn’t look as if they’re really after promoting the information, though they may give it away free of charge or definitely embarrass the corporate with it.

As I say, the embarrassment comes from the obvious extent of the breach, luckily, quite than its depth.

It looks like the attackers wished to wander round by the community as shortly as attainable, grabbing screenshots, saying, “Hey, look, right here’s me in all types of issues”…

…together with Slack workspaces; Uber’s menace safety software program (in outdated language, the anti-virus); an AWS console; firm journey and bills.

There was a screenshot that I noticed printed that confirmed who’d put within the greatest T&E [travel and expenses] claims in current occasions. [LAUGHTER]

We snigger, however there are worker names in there, in order that’s a nasty look as a result of it’s implying that the individual may have gotten at worker information.

A vSphere digital server console; Google workspaces; and the place the place it appears the hacker really put within the “UBER HAS BEEN HACKED” in capital letters that made the headlines (it even made the Bare Safety headline).

Apparently that was posted to… (oh, expensive, Doug [LAUGHS] – it’s not humorous, but it’s)

…to Uber’s personal bug bounty service, which is a really embarrassing look.


DOUG.  It appears like somebody obtained a maintain of an Uber polo shirt and put it on, and sweet-talked their well beyond the reception desk saying, “Oh, my badge isn’t working,” or one thing, obtained into the headquarters after which simply began taking footage of stuff.

Then they wrote on the bulletin board within the worker break room that they’ve been hacked.

It appears like this individual may have been an Preliminary Entry Dealer [jargon term for hacker who steals passwords and sells them on] in the event that they actually wished to.

They might have performed so many further dangerous issues whereas they had been in there.

However they only took footage, and it was a humiliation to Uber.


DUCK.  Sure.

I feel the important thing element that we may add to your analogy of “getting by the primary safety checkpoint” is that, on the best way in, it additionally appears that they had been capable of attain into the super-secure secret cupboard the place the access-all-areas passes are stored, and purloin one.


DOUG.  Sure. [LAUGHS]


DUCK.  In different phrases, they discovered a password in a PowerShell script, on an brazenly seen community share…

…so that they solely wanted low degree entry, and that allowed them to get into what was basically the password supervisor for Uber’s networks.


DOUG.  Sure.

So it’s not that this wasn’t unavoidable.

If we get to the recommendation in your article right here, now we have a number of issues that Uber may have performed in a different way.

Beginning with: “Password managers and two-factor authentication usually are not a panacea.”

Simply because you’ve got these… that’s a safety gate, however it’s not the end-all and be-all to conserving somebody out.


DUCK.  Completely.

We’ll be speaking in regards to the LastPass breach in a minute, the place plainly the attackers didn’t really have to hassle with the 2FA aspect of issues.

They simply waited till the person that they had been shadowing had gone by that train themselves, after which “borrowed their cross”.

So, certainly, 2FA doesn’t imply, “Oh, now I don’t have to fret about outsiders getting in.”

It does make that preliminary entry a bit more durable, and should make the social engineering extra difficult and extra more likely to stand out.

However as you say, it’s a further safety gate.


DOUG.  And the following one, on the identical word, is: “When you’re in, you possibly can’t simply let individuals wander round.”

Safety belongs in every single place within the community, not simply on the edge.


DUCK.  Do I hear you saying the phrases Zero Belief, Douglas?


DOUG.  [LAUGHS] I used to be going to…


DUCK.  I do know that feels like a little bit of a gross sales schpiel, and (shock, shock) Sophos has a Zero Belief Community Entry product.

However now we have that product as a result of I feel it’s one thing that’s demanded by the best way that fashionable networks function, so that you simply solely get the entry you really want for the duty in hand.

And, if you consider it, that doesn’t simply profit the corporate that’s dividing up its community.

It’s additionally good for customers, as a result of it means they will’t make unlucky blunders though they suppose they’re attempting to do the precise factor.


DOUG.  And we additionally discuss: “Common cybersecurity measurement and testing”.

When you’re not in a position to do this in-house, take into account hiring it out, since you want eyes on this across the clock.


DUCK.  Sure.

Two cliches, if I’ll, Doug?


DOUG.  Chances are you’ll. [LAUGHS]


DUCK.  Cybersecurity is a journey, not a vacation spot.

You regularly need to revisit to ensure [A] that you simply did appropriately what you supposed, and [B] that what you deliberate to do yesterday remains to be a legitimate and helpful defence in the present day.

And the thought of getting any individual that will help you overview what’s occurring, notably once you suppose one thing dangerous has simply occurred, is it signifies that you don’t find yourself with safety incidents being main distractions to your common IT and Safety Operations staff.

Distractions may really be intentionally seeded by the crooks to behave as a distraction for the assault that they’ve obtained deliberate for later…


DOUG.  After which lastly, we spherical ited out with a few ideas to your employees: “Arrange a cyber safety hotline to your employees to report incidents”, and belief them that will help you out by reporting such incidents.


DUCK.  Sure.

Lots of people have determined that individuals are the most important downside.

I feel that’s the incorrect method to take a look at it.

Individuals are, in actual fact, among the finest methods that you could discover issues that you simply didn’t anticipate.

It’s all the time the issues that you simply didn’t anticipate that can catch you out, as a result of should you had anticipated them, you’d most likely have prevented them within the first place!

Take the aim of turning everybody in your organisation into eyes and ears to your personal safety staff.


DOUG.  Excellent!

And we’ve obtained extra Uber protection.

Paul, you and Chester Wisniewski did an ideal minisode, S3 Ep100.5.

Pure thunder, if I’ll.

It’s referred to as: Uber breach – An professional speaks.

You’ll be able to hear Paul and Chet speaking about this explicit breach in a little bit bit extra depth:


DUCK.  I feel a very powerful factor that got here out of that minisode of the podcast is what you alluded to earlier, “What if this had been an Preliminary Entry Dealer?”

In different phrases, in the event that they went in particularly to get the passwords and obtained out quietly.

This sort of broad-but-shallow assault is definitely surprisingly frequent, and in lots of instances, as you prompt, the issue is that you simply don’t realise it’s occurred.

These crooks exit of their solution to preserve as quiet as attainable, and the thought is that they take all these entry passwords, entry tokens, data they’ve obtained…

…and promote it on the darkweb for different crooks who need to do very particular issues in particular elements of your community.


DOUG.  All proper, we are going to keep on the breach prepare, however we’re simply going to change vehicles on the prepare.

We’re going to stroll throughout and watch out to not fall out onto the platform… however we’re going to get into the LastPass automotive.

They’ve obtained a publish mortem out.

They nonetheless don’t understand how the criminals obtained in, however at the least they admitted it.

And it looks like it wasn’t essentially for the lulz… thus related however completely different to the Uber breach.


DUCK.  Certainly, plainly this one, you may say, was deeper however narrower.

I feel the report is an efficient instance of tips on how to present data that’s really helpful after an assault.

As you say, they appear to have come out with data that makes it clear what they suppose occurred.

They admitted to the “recognized unknowns”.

For instance, they stated, “It seems to be as if the crooks implanted malware that was capable of masquerade as a developer who had already logged in with their password and 2FA code.”

They figured that out, however they don’t understand how that implant occurred within the first place, they usually had been respectable sufficient to say they didn’t know.

And I feel that’s fairly good, quite than simply going, “Oh, effectively, we’ve positively mounted all the issues and this gained’t occur once more.”

If I had been a LastPass person, it could make me extra inclined to imagine the opposite issues that I’ve to depend on them to state…

…particularly that the event community the place their code was stolen is separate from their different networks, in order that the attackers weren’t capable of attain out and get issues like buyer information or password hashes.

And I’m additionally inclined to just accept LastPass’s clarification (as a result of they’re capable of justify it) that even when the crooks *had* been capable of bounce from the developer community to the cloud storage elements of the community, and even when that they had been capable of run off with password hashes, it could have been very tough for them to do something with it.

As a result of LastPass merely doesn’t know your grasp password.

And so they have a little bit diagram that explains why they imagine that to be the case.

So, I feel, if I had been a Final Go person, that I’d be inclined to imagine them.


DOUG.  I *am* a Final Go person, and I discovered this to be extra reassuring than not.

I wasn’t too apprehensive about this earlier than, and now I’m barely much less apprehensive, and positively not apprehensive sufficient to dump it wholesale, change all my passwords, and that sort of stuff.

So I assumed it was fairly good.


DUCK.  Certainly, one of many considerations that individuals got here out with once we first reported on this breach is, “Properly, the crooks obtained into the supply code management system. In the event that they had been capable of obtain all this mental property, what in the event that they had been capable of add some sneaky and unauthorised adjustments on the similar time?”

Perhaps they ran off with the code so they might promote the mental property, so industrial espionage was their main car…

…however what if there was a provide chain assault as effectively?

And LastPass did try to reply that query by saying, “We’ve reviewed supply code adjustments and so far as we are able to see, the attackers weren’t capable of, or didn’t, make any.”

Additionally, they clarify how even when the crooks had made adjustments, there are checks and balances that stop these adjustments simply flowing mechanically into the software program that you simply may obtain, or that their very own cloud companies may use.

In different phrases, they’ve a bodily separation between the developer community and the manufacturing community, and a full-and-proper code overview and testing course of is required every time for one thing basically to leap throughout that hole.

I discovered that reassuring.

They’ve taken precautions that make it much less possible {that a} provide chain assault within the improvement community may attain clients.

And so they seem to have gone out of their solution to confirm that no such adjustments had been made anyway.


DOUG.  Alright, there’s extra on that on nakedsecurity.sophos.com, together with a hyperlink to the LastPass briefing itself.

Allow us to now flip to one in every of our listeners!

Bare Safety Podcast listener Jonas writes in…

…and that is an oldie-but-a-goodie.

I wouldn’t have believed this myself – I’ve heard this story earlier than in numerous contexts, and I really witnessed this as I used to be working as a pc technician again within the early 2000s.

It is a actual downside, and it occurs.

Jonas writes:

“In within the early Nineties, our laptop classroom had plenty of Apple Macintosh Classics with the three.5-inch floppy drives.

In these days, once you wanted to put in issues, you probably did so with a bunch of disks – Insert disk 1; Insert disk 2; and so forth.

Properly, one in every of my classmates took the set up directions too actually.

She began with the primary diskette, and after some time the set up course of instructed her to ‘Please insert disk 2’, and he or she did.”

Simply let that sit there for a little bit bit…


DUCK.  [LAUGHS A BIT TOO LOUDLY] We shouldn’t snigger, eh?

The directions may have been clearer!


DOUG.  Jonas continues:

“When retelling the story, she stated, ‘The second disk was a bit more durable to get in, however I managed to drive it in. But it surely nonetheless stored asking for the second disk.’

So she didn’t perceive why it nonetheless wanted disk 2 when she had already inserted disk 1 *and* disk 2… and it was fairly arduous to get the 2 disks out.

And even then, the floppy drive by no means labored once more on that Mac anyway.

It wanted to get replaced, however the entire class realized you wanted to take away the earlier disk earlier than inserting the following one.”


DUCK.  Properly, there you’ve got it!


DOUG.  I all the time keep in mind my days as a technician at CompUSA.

We had a counter.

Individuals would lug their desktop computer systems in, put the desktop up on the counter, and inform us what was incorrect.

I noticed a buyer are available and instantly noticed a diskette wedged within the 3.5-inch floppy drive, and I assumed. “Oh my God. I’ve heard this story. I’ve examine it on the web and I’m lastly experiencing it in actual life.”

It didn’t get all the best way in, however they managed to midway jam a second diskette into the floppy drive, they usually couldn’t get it out.

So we needed to open the case of the pc, disconnect and unscrew the floppy drive, pull the floppy drive out of the entrance of the pc, after which it took a few us to dislodge that diskette.

And, after all, the disk drive had to get replaced…

Thanks very a lot, Jonas, for sending that in.

If in case you have an fascinating story, remark or query you’d wish to submit, we’d like to learn it on the podcast.

You’ll be able to e-mail ideas@sophos.com, you possibly can touch upon any one in every of our articles, or you possibly can hit us up on social: @NakedSecurity.

That’s our present for in the present day.

Thanks very a lot for listening.

For Paul Ducklin, I’m Doug Aamoth, reminding you till subsequent time to…


BOTH.  Keep safe!

[MUSICAL MODEM]

RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Most Popular