A few thoughts about Uber's breach Mon Sep 19 2022 Uber had a data breach, but besides saying use WebAuthn, what could they do better? Also a reflection on what changes the industry should consider. -------------------------------------------------------------------------------- A few thoughts about Uber's breach ================================== Published Sep 19, 2022 - 36 min read /-------------- Table of contents --------------\ | Table of contents | | * Officially: | | * Allegedly: | | * Who's not at fault? | | * Break the glass | | * How do you protect emergency credentials? | | * How did Uber protect emergency credentials? | | * A "fun story" | | * Uber's security history | | * What Uber could have done better | | * Conclusion | | * Uber's refreshed job postings | | * 2022-09-20 Uber's follow up | | * Another recommendation | | * Glossary | \-----------------------------------------------/ Allegedly, an eighteen-year-old who already knew an employee's password spammed that employee with two-factor authentication push notifications. They got into the VPN and scanned for servers, found a file share without any access controls, and a script that could access break-the-glass credentials. With the highest level of credentials available, they then got effective root access to Slack, AWS, Google Suite, and Active Directory at Uber. /------------------------------------------------------------------------------\ | Cendyne @CendyneNaga@twitter.com | |------------------------------------------------------------------------------| | 🍿for big tech company tonight Someone in IT did not take security awareness | | training. This is not developers' fault at all. 
| | [L1] 9/16/2022 | \------------------------------------------------------------------------------/ [I1: Uber logo with text: "2016 was not enough" above] /------------------------------------------------------------------[jacobi: hi]\ | Hey there, if a certain phrase confuses you, check out the glossary at the | | bottom. Several things are explained there for those outside the tech | | community. | \------------------------------------------------------------------------------/ /[cendyne: talking]------------------------------------------------------------\ | If you're here to learn how to improve your IT and engineering security in | | light of the risks Uber experienced, you will find several recommendations | | near the end. | \------------------------------------------------------------------------------/ Officially: ----------- /------------------------------------------------------------------------------\ | Uber Comms @Uber_Comms@twitter.com | |------------------------------------------------------------------------------| | We are currently responding to a cybersecurity incident. We are in touch | | with law enforcement and will post additional updates here as they become | | available. | | [L2] [L3] 9/16/2022 | \------------------------------------------------------------------------------/ /------------------------------------------------------------------------------\ | Uber Comms @Uber_Comms@twitter.com | |------------------------------------------------------------------------------| | [I2: Photo included with tweet] | | | | [L4] 9/16/2022 | \------------------------------------------------------------------------------/ Allegedly: ---------- /------------------------------------------------------------------------------\ | Corben Leo @hacker_@twitter.com | |------------------------------------------------------------------------------| | Apparently there was an internal network share that contained powershell | | scripts... 
"One of the powershell scripts contained the username and | | password for a admin user in Thycotic (PAM) Using this i was able to extract | | secrets for all services, DA, DUO, Onelogin, AWS, GSuite" | | [I3: Photo included with tweet] | | | | [L5] [L6] 9/16/2022 | \------------------------------------------------------------------------------/ /------------------------------------------------------------------------------\ | Kevin Beaumont @GossiTheDog@twitter.com | |------------------------------------------------------------------------------| | Uber, what you need to know, the thread. 1) | | [I4: Photo included with tweet] | | | | [L7] [L8] 9/16/2022 | \------------------------------------------------------------------------------/ /------------------------------------------------------------------------------\ | Kevin Beaumont @GossiTheDog@twitter.com | |------------------------------------------------------------------------------| | Seriously though, ya'll should review the risk you take with the zero trust | | flat network dream you've been sold. Definitely enable number matching/ | | verified push for all logins regardless. These kind of attacks have been | | happening all year, at very large orgs. | | [I5: Photo included with tweet] | | | | [L9] 9/16/2022 | \------------------------------------------------------------------------------/ /------------------------------------------------------------------------------\ | vx-underground @vxunderground@twitter.com | |------------------------------------------------------------------------------| | Update: A Threat Actor claims to have completely compromised Uber - they | | have posted screenshots of their AWS instance, HackerOne administration | | panel, and more. They are openly taunting and mocking @Uber [L10]. 
| | [I6: Photo included with tweet] | | | | [I7: Photo included with tweet] | | | | [I8: Photo included with tweet] | | | | [I9: Photo included with tweet] | | | | [L11] [L12] 9/16/2022 | \------------------------------------------------------------------------------/ /------------------------------------------------------------------------------\ | vx-underground @vxunderground@twitter.com | |------------------------------------------------------------------------------| | @Uber [L10] They disclosed Uber's financial data 🧐 | | [I10: Photo included with tweet] | | | | [L13] 9/16/2022 | \------------------------------------------------------------------------------/ Who's not at fault? ------------------- Is the employee who got tricked at fault? We're talking about a human here, who was intentionally harassed late at night; the easy way out was to follow the attacker's prompt. Our security needs to be resilient to humans that make mistakes, and our security needs to be supportive of humans who need compassion. /------------------------------------------------------------------------------\ | Ian Coldwater 📦💥 @IanColdwater@twitter.com | |------------------------------------------------------------------------------| | If phishing a single employee can lead to everything in your infrastructure | | being compromised that easily, that employee is not to blame | | [L14] 9/16/2022 | \------------------------------------------------------------------------------/ The fact that this keeps happening and is enabled by the biggest companies out there needs to be recognized and changed. 
/------------------------------------------------------------------------------\ | william light @wrl@twitter.com | |------------------------------------------------------------------------------| | hey @Microsoft [L15] fuck you | | [I11: Photo included with tweet] | | | | [L16] 9/10/2022 | \------------------------------------------------------------------------------/ /------------------------------------------------------------------------------\ | william light @wrl@twitter.com | |------------------------------------------------------------------------------| | YOU CANNOT MAKE THIS SHIT UP | | [I12: Photo included with tweet] | | | | [L17] 9/10/2022 | \------------------------------------------------------------------------------/ /------------------------------------------------------------------------------\ | Cendyne @CendyneNaga@twitter.com | |------------------------------------------------------------------------------| | Literally how to exclude accessibility needs people, old people, fatigued | | people, someone who just wants a burger but can't figure out why their card | | is rejected people, you know: a human? | | [L18] 9/10/2022 | \------------------------------------------------------------------------------/ This issue is not new, it is not a surprise; the abuse that opened the perimeter at Uber has been perpetuated through big companies selling insecure security. /------------------------------------------------------------------------------\ | Steve Elovitz @SElovitz@twitter.com | |------------------------------------------------------------------------------| | Seeing an increasing amount of abuse of MFA prompt "push" notifications. | | Attackers are simply spamming it until the users approve. Suggest disabling | | push in favor of pin, or something like @Yubico [L19] for simplicity. In the | | meantime, alert on volume of push attempts per account. 
| | [L20] 2/26/2022 | \------------------------------------------------------------------------------/ /------------------------------------------------------------------------------\ | Duo Security | |------------------------------------------------------------------------------| | [I13: Video: Authenticate with Duo Push on iPhone - Duo Security] | | | | Authenticate with Duo Push on iPhone - Duo Security [L21] 1/9/2023 | \------------------------------------------------------------------------------/ /[cendyne: break-windows]------------------------------------------------------\ | Whether or not Duo Security was specifically a gateway in the Uber incident | | is irrelevant. The technique of push-based approval is demonstrably | | unsafe. | \------------------------------------------------------------------------------/ /------------------------------------------------------------------------------\ | Clerk @ClerkDev@twitter.com | |------------------------------------------------------------------------------| | 1. After @jack [L22] was infamously hacked through a SIM-swap attack in 2019, | | much of the world moved away from SMS-based one-time passwords (OTPs) The | | apparent @uber [L23] hack may lead to a similar decline in Magic Links... | | here's what you need to know 👇 | | [L24] 9/16/2022 | \------------------------------------------------------------------------------/ /------------------------------------------------------------------------------\ | Matt Kane @ascorbic@twitter.com | |------------------------------------------------------------------------------| | @ClerkDev [L25] @jack [L22] @Uber [L10] Surely the real answer is to require | | FIDO2? That would've stopped this entirely. | | [L26] 9/16/2022 | \------------------------------------------------------------------------------/ /[cendyne: ssssh]--------------------------------------------------------------\ | I mention WebAuthn, others mention FIDO2. 
For this discussion these mean the | | same thing: using a security key or built-in chip to authenticate. | \------------------------------------------------------------------------------/ /[cendyne: ceiling]------------------------------------------------------------\ | Check out Push notification two-factor auth considered harmful [L27] where | | Xe Iaso [L28] and I propose that WebAuthn would have cut out the weakness | | that compromised Uber's security perimeter. | \------------------------------------------------------------------------------/ /------------------------------------------------------------[jacobi: bullshit]\ | Everyone, even you, talks about improving security on the perimeter. That is | | not what made this incident so bad. Where's the beef? | \------------------------------------------------------------------------------/ /------------------------------------------------------------------------------\ | Jiro Su | |------------------------------------------------------------------------------| | [I14: Video: Where's the Beef?] | | | | Where's the Beef? [L29] 1/9/2023 | \------------------------------------------------------------------------------/ Break the glass --------------- Allegedly, the attacker got break-the-glass credentials, which gave them access to literally everything their most senior IT personnel should have access to on a limited basis. /------------------------------------------------------[jacobi: do-you-mean-me]\ | What are "break-the-glass" credentials for? | \------------------------------------------------------------------------------/ "Break the glass" credentials and accounts are used in rare circumstances outside the normal day-to-day operations. Here's an example of an emergency where a break-the-glass activity is fine. As an IT administrator, you were just locked outside your account, and something requires immediate attention that cannot wait. 
All other IT administrators of equal or greater authorization are unavailable and you cannot reset your own account's status. You break the glass to restore your own access, then return to your normal account to continue performing your duties. Here's an example of a non-emergency where a break-the-glass activity is fine. As an IT or DevOps administrator, you need to provision a new AWS account for a new engineering team's product. The company only creates a new product once a year, and the management account (master payer account) is otherwise locked down and off limits. You break the glass to access the management account, create a new account for the product, document the new account's root user in a secured place, and set up SSO access to this account for the new team. Afterwards, you log out of the management account and continue performing your duties. /-------------------------------------------------------------[jacobi: excited]\ | That makes a lot of sense! But who should have this level of access? | \------------------------------------------------------------------------------/ /[cendyne: think]--------------------------------------------------------------\ | These credentials should be restricted to senior staff who have a justified | | reason to hold them, who are trusted by the organization, and | | who have consistently demonstrated attention to detail in stressful | | circumstances. | \------------------------------------------------------------------------------/ /[cendyne: corporate-drone]----------------------------------------------------\ | A new hire in IT should not be able to access break-the-glass credentials. | \------------------------------------------------------------------------------/ /[cendyne: macro]--------------------------------------------------------------\ | The CEO is the biggest target and should not have access to break-the-glass | | credentials. 
| \------------------------------------------------------------------------------/ /[cendyne: watching-you]-------------------------------------------------------\ | A random person of any rank or position or lack of position should not have | | access to break-the-glass credentials. | \------------------------------------------------------------------------------/ Credentials to break-the-glass accounts are arguably the most important secret material for an organization to secure. They let an organization respond to emergencies and carry out the infrequent tasks that require risky access to complete. How do you protect emergency credentials? ----------------------------------------- If you want a product, the key words to search are: Privileged Account Management. Uber specifically relied upon Thycotic. There are others too, but in short these technology solutions have at least these features: * Unified repository for shared account credentials with excessive permissions. * Independent (or SSO) authentication of employee access. * Independent authorization to credentials. * Auditing of all access to each credential. A less technological solution would be to store a static password on a Yubikey and throw it in a safe. Yes, people do this, and I think it is far better than leaving break-the-glass credentials in a public location like Uber did. [I15: Yubikey static password screen] /[cendyne: youtube]------------------------------------------------------------\ | Speaking of throwing credentials in a safe, check out how DNSSEC started in | | the video below! The ceremony itself is pretty boring, but the planning to | | make a system resilient to nuclear warfare, collusion, and individual death | | is neat to consider. 
| \------------------------------------------------------------------------------/ /------------------------------------------------------------------------------\ | ICANN | |------------------------------------------------------------------------------| | Youtube Video [L30] | | KSK Key Signing Ceremony (16 Jun 10) [L31] 1/9/2023 | \------------------------------------------------------------------------------/ /[cendyne: laser-eyes]---------------------------------------------------------\ | This is an issue for crypto-currency too. People have died or disappeared | | while holding some perceived value that will never be recovered. Distributed | | autonomous organizations have had all perceived assets transferred because | | key material and authorization is not properly distributed among different | | people with different access controls in different physical locations. Alas: | \------------------------------------------------------------------------------/ /------------------------------------------------------------------------------\ | Robert Leshner @rleshner@twitter.com | |------------------------------------------------------------------------------| | Crypto is bound to repeat every mistake learned over the past hundred years | | in finance | | [L32] 6/11/2022 | \------------------------------------------------------------------------------/ Should you go with a safe, have some sort of immutable log strategy in place where you document the date, the reason you accessed the key material, and which key material you accessed. Maybe even go old school and fax evidence of your activity to a third party who files it away in case of forensic analysis. /[cendyne: vibrating]----------------------------------------------------------\ | Speaking of forensic analysis, here's a paranoid tip that may save you after | | a breach occurs. 
If you're ever doing something funky or unusual, like | | running an SSM command to disable MFA on a host, then create a ticket and | | assign it to yourself. | \------------------------------------------------------------------------------/ /[cendyne: blep]---------------------------------------------------------------\ | If it takes longer than a few minutes to do your task, then document the | | steps you took and for what purpose. When the changes are completed or | | reversed, then close the ticket. You are covering your rear. In the event | | something happens months down the line, an auditor or forensic analyst will | | see your ticket and not blame you for the breach. | \------------------------------------------------------------------------------/ Lastly, as good practice, whoever holds ongoing access to the keys should be a different person from the one who momentarily uses them. If you need help in person, it is usually up to the Chief Information Security Officer (CISO) to provide privileged access to you for a short amount of time. In my opinion, a CISO should not be using the credentials. Their authority should be to delegate access, not to act with access. So, in a way, Thycotic is a virtual extension of the CISO. As a Privileged Account Management product, Thycotic is fulfilling the role of delegating authorized access to an authenticated person and auditing the action. So is Thycotic at fault? I think not. /[cendyne: shrug]--------------------------------------------------------------\ | I'm not shilling them either. I have no experience with Thycotic or | | alternatives. The use case here seems interesting. | \------------------------------------------------------------------------------/ How did Uber protect emergency credentials? ------------------------------------------- Again, this is based on alleged information. 
/[cendyne: citation-needed]----------------------------------------------------\ | I do not work for Uber, never have worked for Uber, I do not know anyone | | inside Uber and have contacted no one who works at Uber to verify. | \------------------------------------------------------------------------------/ Here's what I would expect a sane CISO to implement with a privileged account management (PAM) product: * Users authenticate with the PAM through an SSO provider. * All staff besides the CISO and their immediate deputies have limited authorization to resources within the PAM. * Any disaster recovery credential for the PAM is stored securely in a place that can only be accessed by the CISO and their immediate deputies. /-------------------------[cendyne: potato-for-brains]-------------------------\ \------------------------------------------------------------------------------/ Instead, Uber had a potato-for-brains PAM admin put their credentials in a script for Thycotic on a file share that any employee with legitimate VPN access could have accessed and then abused. /------------------------------------------------------------------------------\ | Michael Koczwara @MichalKoczwara@twitter.com | |------------------------------------------------------------------------------| | Simple graph mapped to MITRE ATT&CK and TA TTPs used to breach UBER | | whimsical.com/uber-breach-7JNtVoq4Tu73kBXzoisuiQ [L33] | | [I16: Photo included with tweet] | | | | [L34] 9/18/2022 | \------------------------------------------------------------------------------/ A "fun story" ^^^^^^^^^^^^^ /[cendyne: shocked]------------------------------------------------------------\ | I got into security because my employer was breached. I used to be just | | another backend-focused developer. While on vacation at a furry convention | | of all places, I get a ping from my boss. 
| \------------------------------------------------------------------------------/ /--------------------------------------------------------------[aquos: concern]\ | Boss: "Hey, did you spin up big GPU servers and call them analytics?" | \------------------------------------------------------------------------------/ /[cendyne: muffled-screaming]--------------------------------------------------\ | I replied, "No." But I knew what it meant. I took a deep breath and | | continued to enjoy my vacation. | \------------------------------------------------------------------------------/ /[cendyne: tired-desk]---------------------------------------------------------\ | The rest of the team worked until 2 AM rotating every credential. | | Credentials for every service were in plain text in the database, bank | | numbers for partners were in there too. At least we did not store credit | | card numbers, just tokens. | \------------------------------------------------------------------------------/ /[cendyne: cough]--------------------------------------------------------------\ | Except for the credit card processor credentials. Those were hard coded. | \------------------------------------------------------------------------------/ /[cendyne: proud]--------------------------------------------------------------\ | Ultimately it came to me to figure out how to encrypt necessary data at | | rest, to secure our credentials for future use and rotation, and to promote | | a secure development and cloud environment. | \------------------------------------------------------------------------------/ /---------------------------------------------------------------[aquos: scream]\ | Boss: How did this happen!? | \------------------------------------------------------------------------------/ /[cendyne: well-heck]----------------------------------------------------------\ | The CEO was targeted. 
He reused his Slack password somewhere else where | | their passwords were breached and recovered. The attacker got into his Slack | | account and found that marketing shared the root AWS credentials in the | | clear to each other to upload to S3. The attacker got into AWS, cloned the | | database from a snapshot and changed its root password. The attacker dumped | | the data out of our account with an EC2 box. And then months later they spun | | up Ethereum miners because why not. | \------------------------------------------------------------------------------/ /--------------------------------------------------------------[aquos: tap-tap]\ | Boss: Coincidentally, I was reviewing our AWS spend a few days later and | | freaked out at the estimated AWS bill. | \------------------------------------------------------------------------------/ There are similarities. My breach and Uber's 2022 breach had unrestricted credentials in the clear where any employee could have found them. Now I am the one who delegates authority to our AWS account. The rest of the company's IT infra is outside of my reach under the CIO. I may not be a CISO, but I think my experience and responsibilities are getting close. I am also interested in this, but I'm not sure yet if I should jump into it. 
Uber's security history ----------------------- /------------------------------------------------------------------------------\ | Energy and Commerce Committee @EnergyCommerce@twitter.com | |------------------------------------------------------------------------------| | RM @FrankPallone [L35] 's statement on Uber's failure to protect the data of | | 57 million consumers 📱🚗 💳 👎 | | [I17: Photo included with tweet] | | | | [L36] 11/22/2017 | \------------------------------------------------------------------------------/ /------------------------------------------------------------------------------\ | Evan Price @_evanp@twitter.com | |------------------------------------------------------------------------------| | .@Uber [L10] : "Oh hey, Mark had to testify at Congress because he didn't | | address their data breach... Maybe we should send our users a quick email?" | | [I18: Photo included with tweet] | | | | [L37] 4/13/2018 | \------------------------------------------------------------------------------/ /------------------------------------------------------------------------------\ | Katie🌻Moussouris (she/her) @k8em0@twitter.com | |------------------------------------------------------------------------------| | @TPioreck [L38] So, you mean the same as is going on right now? I mean, I | | literally was called to testify before Congress last year regarding a breach | | cover-up done by Uber, with the extortion/hush money paid via a complicit | | bug bounty platform. 
Corps already underreport, it's why the regs exist | | [L39] 7/14/2019 | \------------------------------------------------------------------------------/ /------------------------------------------------------------------------------\ | Catalin Cimpanu @campuscodi@twitter.com | |------------------------------------------------------------------------------| | BREAKING: Former Uber CSO charged for covering up the company's 2016 | | security breach www.zdnet.com/article/former-uber-cso-charged-for-2016-hack- | | cover-up/ [L40] | | [I19: Photo included with tweet] | | | | [L41] 8/20/2020 | \------------------------------------------------------------------------------/ /------------------------------------------------------------------------------\ | Patrick C Miller @PatrickCMiller@twitter.com | |------------------------------------------------------------------------------| | Former Uber CSO Faces New Charge for 2016 Breach j.mp/33ZyEor [L42] | | [L43] 12/26/2021 | \------------------------------------------------------------------------------/ /------------------------------------------------------------------------------\ | Tom Warren @tomwarren@twitter.com | |------------------------------------------------------------------------------| | Uber has been hacked, and it looks bad. 
The hacker got in through social | | engineering and allegedly found a network share full of Microsoft PowerShell | | scripts that included Uber admin usernames and passwords to let them breach | | AWS, G Suite, and more 🥲 www.theverge.com/2022/9/16/23356213/uber-hack-teen | | -slack-google-cloud-credentials-powershell [L44] | | [L45] 9/16/2022 | \------------------------------------------------------------------------------/ /------------------------------------------------------------------------------\ | Meghan Bobrowsky @MeghanBobrowsky@twitter.com | |------------------------------------------------------------------------------| | This AM, I’m listening to the trial of former Uber exec who’s facing | | criminal obstruction charges for his role in paying hackers who breached the | | company in 2016. Uber’s CEO is expected to testify today. ICYMI, Uber is now | | responding to another breach: www.wsj.com/articles/uber-says-responding-to- | | cybersecurity-incident-11663299504 [L46] | | [L47] 9/16/2022 | \------------------------------------------------------------------------------/ In short, Uber had a breach, the CISO at the time covered it up and paid a ransom, and then got thrown under the bus as a criminal. Now Uber is having another breach because the CISO or someone with equivalent access left their credentials in the clear. /------------------------------------------------------------------------------\ | _MG_ @_MG_@twitter.com | |------------------------------------------------------------------------------| | Lots of screenshots going around about Uber but this one shows how wide the | | hack is. "Security Response Break Glass Service Account" password 🔥 | | [I20: Photo included with tweet] | | | | [L48] [L49] 9/16/2022 | \------------------------------------------------------------------------------/ /[cendyne: no-bad]-------------------------------------------------------------\ | In the above screenshot, the credential passwords are human-generated. 
That | | to me is a big no-no and reveals that they are set once and forgotten for | | years. | \------------------------------------------------------------------------------/ What Uber could have done better -------------------------------- /[cendyne: public-speaking]----------------------------------------------------\ | The following is completely my opinion, based on my experience and what I | | witness in the industry. I have not executed these recommendations myself | | and I do not know the difficulty or burden that these recommendations | | impose. However, I hope that the baseline for security in our industry | | improves by sharing my opinion. | \------------------------------------------------------------------------------/ Perimeter security would be improved by using WebAuthn and hardware tokens for all employees and contractors. The use of push-based two-factor authentication is dangerous because the human can be harassed. Device profiles should be a requirement on the perimeter. A certificate specific to the device (and hopefully bound to its trusted platform module) will reduce the likelihood of perimeter compromise. Account lockouts should be the norm when a two-factor fails several times in a row. I recommend five failures. Yubikey FIPS security tokens lock out WebAuthn after three failures. Allegedly the push prompt was sent over a hundred times to harass the employee, who eventually gave in and approved the attacker's access. Hard-coded credentials must be avoided. IT and engineering should be educated that a better alternative is to prompt for credentials in the script or to perform a brief SSO handshake. This should be covered regularly in ongoing education, with reference examples available to use. IT should adopt source control and use tools like GitGuardian [L50] to scan and detect credentials in scripts so the credential is invalidated as soon as possible. 
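As an added example (my own code, not Uber's, Thycotic's, or GitGuardian's), here is the kind of check a scanner runs over a PowerShell script before it lands on a file share: it flags string literals assigned to credential-looking variables, passed to ConvertTo-SecureString, or given as -Password style parameters, and uses Shannon entropy to separate human-made passwords from generated ones. The sample script, variable names, and thresholds are constructed for illustration.

```python
"""Scan PowerShell scripts for hard-coded credentials.

Added example (not Uber's or Thycotic's code): the regexes, the entropy
threshold and the sample script below are constructed for illustration.
"""
import math
import re
from dataclasses import dataclass

# Variable names that usually hold secret material.
SECRET_NAME = re.compile(r"pass(word|wd)?|pwd|secret|token|api[_-]?key|credential", re.I)

# $AdminPassword = "literal"   (optionally followed by a trailing comment)
ASSIGNMENT = re.compile(
    r'^\s*\$(?P<name>[A-Za-z_]\w*)\s*=\s*(?P<q>["\'])(?P<value>.*?)(?P=q)\s*(#.*)?$')
# ConvertTo-SecureString "literal" -AsPlainText   (a plaintext secret in disguise)
SECURE_STRING = re.compile(
    r'ConvertTo-SecureString\s+(?P<q>["\'])(?P<value>.*?)(?P=q)\s+-AsPlainText', re.I)
# -Password "literal" style cmdlet parameters
PARAMETER = re.compile(
    r'-(?:Password|Secret|Token|ApiKey)\s+(?P<q>["\'])(?P<value>.*?)(?P=q)', re.I)


@dataclass
class Finding:
    line: int        # 1-based line number in the script
    source: str      # which pattern matched
    value: str       # the literal found (redact before logging in real use)
    entropy: float   # Shannon entropy, bits per character
    kind: str        # "generated" or "human-made"


def shannon_entropy(s: str) -> float:
    """Bits per character, estimated from the string's own character frequencies."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(value: str, min_bits: float = 3.5, min_len: int = 12) -> str:
    """Generated passwords are long and high-entropy; human-made ones such as
    "Summer2019!" are short and repetitive. Thresholds are constructed."""
    if len(value) >= min_len and shannon_entropy(value) >= min_bits:
        return "generated"
    return "human-made"


def _finding(lineno: int, source: str, value: str) -> Finding:
    return Finding(lineno, source, value, round(shannon_entropy(value), 3), classify(value))


def scan_script(text: str) -> list:
    """Return one Finding per hard-coded secret literal in the script."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # comment lines are never executed
        m = ASSIGNMENT.match(line)
        if m and SECRET_NAME.search(m.group("name")):
            findings.append(_finding(lineno, "assignment:$" + m.group("name"), m.group("value")))
            continue
        for pattern, source in ((SECURE_STRING, "ConvertTo-SecureString"), (PARAMETER, "parameter")):
            for m in pattern.finditer(line):
                findings.append(_finding(lineno, source, m.group("value")))
    return findings


# Constructed sample: the shape of a PAM helper script with baked-in secrets.
# Lines 2, 3, 7 and 8 are clean; Get-Credential prompts at run time instead.
SAMPLE_SCRIPT = r'''# Fetch secrets from the PAM (constructed example, no real values)
$PamUrl = "https://pam.example.internal"
$AdminUser = "svc_pam_admin"
$AdminPassword = "Summer2019!"
$ApiToken = 'q7Zp2vN9xLk4RmW8aT3bYcD6eFgH1jKs'
$DbSecure = ConvertTo-SecureString "Welcome1" -AsPlainText -Force
$Cred = Get-Credential
Invoke-RestMethod -Uri "$PamUrl/api/v1/secrets" -Headers @{ Authorization = "Bearer $ApiToken" }
'''

if __name__ == "__main__":
    for f in scan_script(SAMPLE_SCRIPT):
        print(f"line {f.line}: {f.source} {f.kind} secret ({f.entropy} bits/char)")
```

The entropy label tells you which findings are set-once-and-forgotten human passwords and which are generated values that a PAM should have been serving at run time instead.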
Human-made credentials must be avoided, especially for disaster recovery and emergency use. It is not unheard of for such credentials to be single-use. A culture of using generated passwords should be adopted at all levels. Secret scanners can detect and alert on high-entropy generated passwords; use this to your advantage.

Credential rotation should be performed regularly for shared accounts, including disaster recovery accounts (and a backup account in case the primary one is destroyed). Rotation should follow a documented process with verification steps to ensure it is executed smoothly and meets expectations. Each rotation should itself be documented, and that record preserved.

/[cendyne: ych-bite]-----------------------------------------------------------\
| I do not believe that credential rotation should be a requirement for        |
| individual accounts. Current unauthorized or former employees may abuse long |
| lived credentials for shared accounts.                                       |
\------------------------------------------------------------------------------/

Break-the-glass credentials held in a Privileged Account Management product must be protected and, upon use, queued for immediate rotation. Any use of these credentials should set off alarms and be highly visible.

/[cendyne: heard-you-were-talking]---------------------------------------------\
| Also, any break-the-glass credentials to a privileged account management     |
| product should produce an on-call page / call to several parties. Consider   |
| this a fire drill for a very real fire that happened at Uber.                |
\------------------------------------------------------------------------------/

Penetration tests should be performed regularly by multiple vendors with access to the internal and application networks. Uber should place multiple flags (capture-the-flag style) in their infrastructure, services, source code, application containers, logs, chat rooms, etc., to measure the coverage each vendor achieved as a simulation of what an attacker could have found.
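The two alerting recommendations above, the lockout after five failed second-factor attempts and the alarm on any use of a break-the-glass credential, as an added Python example that is not from the original post or from Uber: it runs both rules over constructed identity and PAM audit events. The event format, the 30-minute counting window and the on-call role names are assumptions.

```python
"""Two detections from the recommendations above, run over constructed
identity and PAM audit events: lock an account after five failed or
unanswered MFA pushes, and page people plus queue a rotation whenever a
break-the-glass credential is checked out of the vault."""
from collections import defaultdict
from datetime import datetime, timedelta

MFA_FAILURE_LIMIT = 5                  # lock on the fifth failure, as recommended
MFA_WINDOW = timedelta(minutes=30)     # assumed window for counting failures
PAGE_TARGETS = ("ciso", "security-oncall", "situation-manager")  # assumed roles

def parse_event(line):
    """Parse one 'timestamp|source|event|subject' line (constructed format)."""
    ts, source, event, subject = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "source": source,
            "event": event, "subject": subject}

def mfa_lockout_rule(events):
    """Count every push result other than an approval per user inside a sliding
    window and lock the account as soon as the limit is reached. A later
    approval (the harassed user giving in) does not undo the lock."""
    failures, locked, actions = defaultdict(list), set(), []
    for e in events:
        user = e["subject"]
        if e["source"] != "mfa" or user in locked:
            continue
        if e["event"] == "push_approved":
            failures[user].clear()        # a clean approval resets the counter
            continue
        # push_denied, push_timeout and push_fraud_report all count as failures
        recent = [t for t in failures[user] if e["ts"] - t <= MFA_WINDOW]
        recent.append(e["ts"])
        failures[user] = recent
        if len(recent) >= MFA_FAILURE_LIMIT:
            locked.add(user)
            actions.append(("lock_account", user, e["ts"]))
    return actions

def break_glass_rule(events):
    """Any checkout of a break-glass credential pages people and queues a
    rotation, no matter who checked it out or why."""
    actions = []
    for e in events:
        if (e["source"] == "pam" and e["event"] == "checkout"
                and e["subject"].startswith("breakglass/")):
            actions.append(("page", PAGE_TARGETS, e["subject"]))
            actions.append(("queue_rotation", e["subject"], e["ts"]))
    return actions

def evaluate(lines):
    """Sort events by time and run both rules; returns the list of actions."""
    events = sorted((parse_event(ln) for ln in lines), key=lambda e: e["ts"])
    return mfa_lockout_rule(events) + break_glass_rule(events)

# Constructed sample: alice is spammed with pushes and gives in on the sixth,
# bob approves one legitimate push, and an emergency credential is checked out.
SAMPLE = [
    "2022-09-15T22:00:00|mfa|push_timeout|alice",
    "2022-09-15T22:00:20|mfa|push_denied|alice",
    "2022-09-15T22:00:40|mfa|push_timeout|alice",
    "2022-09-15T22:01:00|mfa|push_denied|alice",
    "2022-09-15T22:01:20|mfa|push_timeout|alice",
    "2022-09-15T22:01:40|mfa|push_approved|alice",   # too late: already locked
    "2022-09-15T22:05:00|mfa|push_approved|bob",
    "2022-09-15T22:40:00|pam|checkout|breakglass/security-response",
]

if __name__ == "__main__": print(evaluate(SAMPLE))
```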
Honeypot credentials should be included in the privileged account management product; their retrieval should cause an on-call system to page or call the CISO, the on-call engineer, and a situation manager.

Conclusion
----------

The industry needs something like OWASP [L51] that provides ongoing risk assessment and guidance for CISOs and CIOs in informing their security policies. Turns out, we have MITRE ATT&CK [L52]! Unfortunately, I personally find MITRE ATT&CK to be overwhelming. Its incredible trove of techniques, detection strategies, and mitigations could be made more accessible to senior officers.

As an example, T1611 - Escape to Host [L53] eloquently describes the issue, gives examples of tools and malware that exploit it, lists mitigations like read-only containers and pod security policies, and suggests detection strategies like monitoring process spawns on container hosts. I can understand this because of my background as a developer, DevOps administrator, and AWS infrastructure subject matter expert. Not every CISO has that technical knowledge. Likewise, I could not gauge anything in this repository that involves Active Directory; some CISOs do have that experience.

I have heard from G Mark Hardy [L54] on CISO Tradecraft [L55] that CISOs often lack staff. Given the spectrum of issues on MITRE ATT&CK, I believe that we need guidance and recommendations on which specialties should report to a CISO to discover, formulate, enact, and verify security policies across information and application security. Just as a CEO has reports for marketing, finance, sales, human resources, and so on, there are too many possible issues for one person as CISO to successfully grapple with security alone. This needs to be recognized and supported by chief officers, investors, and executive boards if we are to see an improvement.

/[cendyne: angel]--------------------------------------------------------------\
| Hey! I've since given recommendations to my organization. Check out how to   |
| convince leadership to improve security [L56], where I share my personal     |
| experience with leadership. I found that my approach needed some refinement  |
| and it reminded me how important trust is with the chief officers.           |
\------------------------------------------------------------------------------/

Uber's refreshed job postings
-----------------------------

Security is expensive. It is seen as a cost center. Until something like this happens. Unlike Patreon, maybe Uber has learned that it needs to hire more security people.

/------------------------------------------------------------------------------\
| Whitney Merrill @wbm312@twitter.com                                          |
|------------------------------------------------------------------------------|
| Whoa @Patreon [L57] laid off their ENTIRE security team. Wouldn’t trust my   |
| data there. Also there’s some amazing talent to scoop up.                    |
| [L58] 9/8/2022                                                               |
\------------------------------------------------------------------------------/

/------------------------------------------------------------------------------\
| Cendyne @CendyneNaga@twitter.com                                             |
|------------------------------------------------------------------------------|
| Firing your security team is dumb. You cannot outsource your risk. Any       |
| sufficiently large business should have security staff to reduce risk. "Oops |
| we got busted and leaked all our customer data" cannot be followed by        |
| "Because so and so at another company didn't do their job"                   |
| [L59] 9/8/2022                                                               |
\------------------------------------------------------------------------------/

/------------------------------------------------------------------------------\
| Malik Mesellem @MME_IT@twitter.com                                           |
|------------------------------------------------------------------------------|
| Fact: an organization's budget for cyber security increases only after an    |
| incident 🥹 #cybersecurity [L60] #hacking [L61]                               |
| [I21: Photo included with tweet]                                             |
|                                                                              |
| [L62] 9/19/2022                                                              |
\------------------------------------------------------------------------------/

/[cendyne: i-dunno-man-im-just-a]----------------------------------------------\
| This may be a complete coincidence. Job postings are re-posted regularly to  |
| appear fresh.                                                                |
\------------------------------------------------------------------------------/

You cannot delegate or outsource responsibility for risk. It is on you to protect the value of your organization and the privacy of your employees and customers. Today, it is on you to convince investors and the board that security teams are worth the expense. Tomorrow, maybe investors and the board will see things differently. Who knows.

2022-09-20 Uber's follow up
---------------------------

Uber provided a Security Update [L63] which describes their perspective on what happened.

* A password was compromised and was likely bought on the dark web.
* The target relented and accepted the push notification.
* The attacker got access to other accounts within the perimeter.
* The attacker defaced internal resources.

Uber says they rapidly responded to the event with existing monitoring and evicted the attacker from their network and resources. They followed several good breach-response practices, such as rotating shared secrets and voiding all sessions. Uber currently believes the attacker did not obtain customer data.
Uber has requested help from authorities to investigate.

Another recommendation
----------------------

For Azure Active Directory (Azure MFA) and Duo users, number matching is a feature of their respective authenticator applications.

/------------------------------------------------------------------------------\
| Kevin Beaumont @GossiTheDog@twitter.com                                      |
|------------------------------------------------------------------------------|
| A reminder to orgs using Azure MFA (incl. O365) to implement Number          |
| Matching, if using another MFA solution consider disabling push requests.    |
| docs.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-   |
| number-match [L64]                                                           |
| [L65] 6/29/2022                                                              |
\------------------------------------------------------------------------------/

/------------------------------------------------------------------------------\
| Kevin Beaumont @GossiTheDog@twitter.com                                      |
|------------------------------------------------------------------------------|
| Duo now offers number matching, it’s called Duo Verified Push - I would      |
| strongly recommend orgs who use Duo go back and enable this. duo.com/docs/   |
| policy [L66]                                                                 |
| [I22: Photo included with tweet]                                             |
|                                                                              |
| [L67] 8/17/2022                                                              |
\------------------------------------------------------------------------------/

Number matching makes the second-factor authentication two-way. A push notification with an accept button is one-way: the user only confirms. What makes number matching two-way is that the user must enter the random code presented by the server into their authenticator app, which has already been enrolled with the multi-factor provider.

/------------------------------------------------------------[jacobi: thinking]\
| But, I have to wonder, can that code be scraped and presented through a well |
| made phishing experience?                                                    |
\------------------------------------------------------------------------------/

/[cendyne: concern]-----------------------------------------------------------\
| It is an improvement, but it looks like it can be man-in-the-middled to me.  |
\------------------------------------------------------------------------------/

Glossary
--------

To assist those who are interested in this event but lack some of the vocabulary, here's a glossary of select terms and phrases that mostly cover what you need to understand.

Multi Factor Authentication (MFA): Authentication that involves a second or third factor, such as a one-time passcode from a device.

PowerShell: A technology by Microsoft to automate behavior on Microsoft platforms with a script (like Python, but in their own language).

Magic Links: A link is sent to you through email to open; access to the email acts as a pseudo second factor.

Fast Identity Online 2 (FIDO2): A specification that involves a secure device or chip to attest a unique device identity.

SIM Swap Attack: Someone walks up to a store, or calls the phone company, claiming to be you and gets your number switched over to their phone. That way they can receive your text messages. Sometimes one-time passcodes are sent over text messages as a second factor, except the underlying device that is tied to you can be swapped to someone else.

DNS Security Extensions (DNSSEC): DNSSEC is an active standard, a set of infrastructure, and a group of people who implement security behind the scenes to ensure that the websites you connect to are the websites you intended to connect to. For example, if someone swapped out discovery.com and you went there to log in, you would want to be sure you were communicating with the correct website with your sensitive data. (This is in addition to HTTPS.)

YubiKey: YubiKey is a branded secure hardware token by Yubico. It attests user identity with FIDO2. It also has a button that, when pushed, emits a code that acts like a one-time passcode; however, one-time passcodes like this have their own issues.
Simple Systems Manager (SSM): An Amazon technology which integrates with servers to provide reliable and reproducible administrative access and changes to servers at scale. A command that runs on SSM is something that changes the settings on a server through Amazon.

Privileged Access Management (PAM): A methodology and set of technologies that deal with securing access to powerful resources.

MITRE ATT&CK: MITRE ATT&CK is a repository by MITRE that documents known threats and how those threats compromise systems.

Tactics Techniques and Procedures (TTP): MITRE ATT&CK publishes TTPs, which include discovery and mitigation recommendations.

Chief Information Officer (CIO): A senior level executive that is responsible for managing access to information and its distribution on computers. Often the CIO is responsible for the budget and management of vendor relationships that enable an organization with computers. The IT department usually reports to the CIO, and the CIO delegates authority to the IT department to act.

Open Web Application Security Project (OWASP): A nonprofit group that produces regular security risk documents, such as the OWASP Top Ten [L68], to inform and guide application security toward a more secure future.

Chief Information Security Officer (CISO): A senior level executive that is responsible for developing and implementing security policies for their organization. Often, a CISO has purchasing authority for products and services, but does not directly manage people. Instead, a CISO must demonstrate political acuteness to motivate an organization to adopt and implement his or her policies. When a CISO is fired after a security incident, they are often called a "Chief Infosec Scapegoat Officer."
Chief Executive Officer (CEO): The big chungus.

[L1]: https://twitter.com/CendyneNaga/status/1570605979791937541
[L2]: https://twitter.com/Uber_Comms/status/1570584747071639552
[L3]: https://archive.ph/nDk0I
[L4]: https://twitter.com/Uber_Comms/status/1570829232246509569
[L5]: https://twitter.com/hacker_/status/1570582547415068672
[L6]: https://archive.ph/Np7HD
[L7]: https://twitter.com/GossiTheDog/status/1570717994397073410
[L8]: https://archive.ph/JCN2N
[L9]: https://twitter.com/GossiTheDog/status/1570735740275027973
[L10]: https://twitter.com/Uber
[L11]: https://twitter.com/vxunderground/status/1570597582417821703
[L12]: https://archive.ph/Xbn7Y
[L13]: https://twitter.com/vxunderground/status/1570598055560482817
[L14]: https://twitter.com/IanColdwater/status/1570706570794897409
[L15]: https://twitter.com/Microsoft
[L16]: https://twitter.com/wrl/status/1568474176989667328
[L17]: https://twitter.com/wrl/status/1568474378886578176
[L18]: https://twitter.com/CendyneNaga/status/1568652758223388673
[L19]: https://twitter.com/Yubico
[L20]: https://twitter.com/SElovitz/status/1497598379622293504
[L21]: https://www.youtube.com/watch?v=rv12VryxlcE
[L22]: https://twitter.com/jack
[L23]: https://twitter.com/uber
[L24]: https://twitter.com/ClerkDev/status/1570902894593069056
[L25]: https://twitter.com/ClerkDev
[L26]: https://twitter.com/ascorbic/status/1570911021342269441
[L27]: https://xeiaso.net/blog/push-2fa-considered-harmful
[L28]: https://xeiaso.net/
[L29]: https://www.youtube.com/watch?v=Ug75diEyiA0
[L30]: https://youtu.be/b9j-sfP9GUU
[L31]: https://www.youtube.com/watch?v=b9j-sfP9GUU
[L32]: https://twitter.com/rleshner/status/1535709984645951488
[L33]: https://whimsical.com/uber-breach-7JNtVoq4Tu73kBXzoisuiQ
[L34]: https://twitter.com/MichalKoczwara/status/1571432800787759104
[L35]: https://twitter.com/FrankPallone
[L36]: https://twitter.com/EnergyCommerce/status/933350092639232001
[L37]: https://twitter.com/_evanp/status/984880627827671041
[L38]: https://twitter.com/TPioreck
[L39]: https://twitter.com/k8em0/status/1150467535201898496
[L40]: https://www.zdnet.com/article/former-uber-cso-charged-for-2016-hack-cover-up/
[L41]: https://twitter.com/campuscodi/status/1296551035591417861
[L42]: https://j.mp/33ZyEor
[L43]: https://twitter.com/PatrickCMiller/status/1475107906785841156
[L44]: https://www.theverge.com/2022/9/16/23356213/uber-hack-teen-slack-google-cloud-credentials-powershell
[L45]: https://twitter.com/tomwarren/status/1570697543159533568
[L46]: https://www.wsj.com/articles/uber-says-responding-to-cybersecurity-incident-11663299504
[L47]: https://twitter.com/MeghanBobrowsky/status/1570807031241797632
[L48]: https://twitter.com/_MG_/status/1570626240499032065
[L49]: https://archive.ph/G9Rzg
[L50]: https://www.gitguardian.com/
[L51]: https://owasp.org/
[L52]: https://attack.mitre.org/
[L53]: https://attack.mitre.org/techniques/T1611/
[L54]: https://www.linkedin.com/in/gmarkhardy/
[L55]: https://www.cisotradecraft.com/
[L56]: /posts/2022-09-26-how-to-convince-leadership-to-improve-security.html
[L57]: https://twitter.com/Patreon
[L58]: https://twitter.com/wbm312/status/1567974063578185728
[L59]: https://twitter.com/CendyneNaga/status/1568017692321251348
[L60]: https://twitter.com/hashtag/cybersecurity
[L61]: https://twitter.com/hashtag/hacking
[L62]: https://twitter.com/MME_IT/status/1571820654911000576
[L63]: https://www.uber.com/newsroom/security-update/
[L64]: https://docs.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-number-match
[L65]: https://twitter.com/GossiTheDog/status/1542104482905001990
[L66]: https://duo.com/docs/policy
[L67]: https://twitter.com/GossiTheDog/status/1559933630608248837
[L68]: https://owasp.org/www-project-top-ten/
[I1]: https://c.cdyn.dev/Iv0Vt1dX
[I2]: https://c.cdyn.dev/wBykxvWJ
[I3]: https://c.cdyn.dev/Tis8TxEh
[I4]: https://c.cdyn.dev/RsmzBg8c
[I5]: https://c.cdyn.dev/-Rc89uNQ
[I6]: https://c.cdyn.dev/q6w4hoVw
[I7]: https://c.cdyn.dev/sxxONgOG
[I8]: https://c.cdyn.dev/sA-GxX7S
[I9]: https://c.cdyn.dev/4iAu37_S
[I10]: https://c.cdyn.dev/CtC-cV2j
[I11]: https://c.cdyn.dev/IdkUXYvy
[I12]: https://c.cdyn.dev/hiUMSyMC
[I13]: https://c.cdyn.dev/femtuvvZ
[I14]: https://c.cdyn.dev/c_CDwgih
[I15]: https://c.cdyn.dev/I2_5aHUn
[I16]: https://c.cdyn.dev/Mg46bKrM
[I17]: https://c.cdyn.dev/IL9EdFDa
[I18]: https://c.cdyn.dev/7IhpA_DC
[I19]: https://c.cdyn.dev/uK6WK0pE
[I20]: https://c.cdyn.dev/UdfqFg7F
[I21]: https://c.cdyn.dev/TkW2vh0D
[I22]: https://c.cdyn.dev/21U5x_6P