Dropbox reveals hack: What DevOps can learn from it

Dropbox was hacked last month. The company has now revealed more details – and there are some big surprises.

So what can we learn from the misfortune of others? An obvious lesson: Not all MFA schemes are created equal, so look to FIDO2/WebAuthn. Another is the importance of the curiously named SaaSBOM.

And it goes without saying that you shouldn’t store secrets in GitHub. In this week’s Secure Software Blogwatch, we say it anyway.

Your humble blogwatcher curated these blog bits for your entertainment. Not to mention: LaMDA in the 1980s.

OTP ERROR: FIDO2 FTW

What’s the craic? Sergiu Gatlan reports – “Dropbox reveals breach”:

“Dropbox works to secure the entire environment”
Threat actors stole 130 code repositories after gaining access to one of their GitHub accounts using employee credentials stolen in a phishing attack. … The company discovered that the attackers breached the account on October 14 when GitHub notified it of suspicious activity that started a day before the alert was sent.

The successful … phishing attack … targeted multiple Dropbox employees using emails impersonating CircleCI’s continuous integration and delivery platform. … On the same phishing page, employees were also asked to “use the hardware authentication key to send a one-time password (OTP).”

In September, other GitHub users were also targeted in a similar attack that impersonated the CircleCI platform and asked them to log into their GitHub accounts. … In response to the incident, Dropbox is working to secure the entire environment using WebAuthn and hardware tokens or biometric factors.

MFA vulnerable to phishing? David Perera counts the ways – “Another Multifactor Fail”:

“Stealing Credentials in Real Time”
Add Dropbox to the list of tech companies experiencing a multifactorial moment of failure. … Employees fell for a well-crafted phishing campaign that gave hackers access to internal code repositories and some personally identifying information.

The acknowledgment of the hack comes after several Silicon Valley firms have recently found that their internal security is not as hack-proof as once thought. Security experts have long recommended multi-factor authentication as protection against hackers. [But] threat actors have adjusted to the uptake of this advice by swinging to stealing credentials in real time, along with one-time authentication codes. … So it was with Dropbox.

Oops. The Dropbox security team puts a brave face on it – “How we handled a recent phishing incident”:

“Accelerating our adoption of WebAuthn”
In today’s evolving threat landscape, people are inundated with messages and alerts, making phishing lures difficult to detect. Threat actors have moved beyond just collecting usernames and passwords, to harvesting multi-factor authentication codes as well. … Even the most skeptical, vigilant professional can fall victim to a carefully crafted message delivered in the right way at the right time.

The code opened [from GitHub] contained some credentials—primarily API keys—used by Dropbox developers. … Our security teams took immediate action to coordinate the rotation of all visible developer credentials.

Although the information accessed by this threat actor was limited, we hold ourselves to a higher standard. We apologize for falling short, and apologize for any inconvenience this may cause. One way we hope to prevent a similar incident from occurring is by accelerating the use of WebAuthn [which] is currently the gold standard. … Soon our entire environment will be secured by WebAuthn with hardware tokens or biometric factors.

What lessons are there for DevOps? abortion cuts to the bone:

Why do these large cloud companies with thousands of employees have a work environment that is susceptible to basic attack techniques, such as phishing? It does not instill confidence in the rest of their infrastructure.

Good point, but some detail would be nice. Training is always suggested, but u/richhaynes is not a fan:

A company I worked for had a breach because someone exposed their credentials. So after the mandatory training for all employees… I ran a phishing campaign to test that it had been effective.

The results were horrifying: About 20% provided valid identification. Even worse, about 70% of employees didn’t even scroll down the page to see the text in an image that said, “This is a fake website and you are being phished.”

When I presented the results to the C-suite, one admitted to providing credentials, and all said they didn’t see the photo. I didn’t stay much longer.

How well did Dropbox handle it? Steve Gibson Poaches a Curate’s Egg – “Something for Everyone”:

“Downstream Damage”
I think they handled it pretty well. But there are some lessons to be learned. [It’s] yet another example of a large security and network savvy organization being successfully attacked and breached – even in the face of knowing this was going on.

Their email filters… failed just enough to allow fake phishing attacks to reach their employees. And note that these were code developers – not, say, less sophisticated clerical … workers.

The more complex an organization’s setup is – that is, the greater the number of additional services an organization uses – the greater their “phishing email attack surface”. The modern trend is products as managed services, where companies increasingly contract for an increasing number of [SaaS] services instead of rolling their own in-house. … Sounds great, but remember all the downstream damage that the SolarWinds breach created. … And also remember all the dental offices and hospital services that were hit by crippling ransomware when [SaaS] was broken?

A great point. And John P. Mello Jr. expands – “SaaSBOM … SBOMs in the SaaS era”:

“Stiff headwind”
Software bills of materials (SBOMs) have become a hot topic. [But] how can SBOMs be developed for vendor-driven deployment models, such as … SaaS? … Here are five reasons why your organization should consider a SaaSBOM:

SaaSBOMs provide fresh information about apps running in the cloud. … SaaSBOMs make the service components more transparent to users. … SaaSBOMs help security teams understand all dependencies—not just libraries. … SaaSBOMs add a new level of software security assurance for vendors. … SaaSBOMs will become a requirement in the software industry.

However, there are those who believe that SaaSBOM proliferation faces strong headwinds. The frequency with which the components change in a SaaSBOM is a challenge and can even change from customer to customer. … Some questions need to be answered before software publishers take on the huge engineering costs needed to maintain SaaSBOMs.

Back to the MFA question, u/Needed_tak_9475 feels like a broken record:

This is again why I will continue to say that 2FA is not “hack” proof. I’m impressed by how many people think that because they have 2FA that they can’t be phished or “hacked”. People need to stop thinking that 2FA is a magic cure.

But sdfhbdf challenges the response: [You’re fired—Ed.]

Using a hardware key like the Yubikey would prevent such an attack since the challenge response in the browser communication with the key contains the domain (which I assume was different) and therefore would not be able to generate the correct OTP. … I’m guessing that they, or their vendor, CircleCI … had an older implementation … that might just depend on the string being generated … without a challenge response.

WebAuthn [is] a good successor. This should definitely prevent such an attack vector.

Meanwhile, u/Goatlens eye rolls furiously:

Imagine that. Large companies do not proactively protect their network and instead take reactive action when ****ed.

And finally:

Alternate AI history

You have read Secure Software Blogwatch by Richi Jennings. Richi curates the best blog posts, the coolest forums and the weirdest websites… so you don’t have to. Hate mail can be addressed @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past results are no guarantee of future results. Do not stare into the laser with the remaining eye. E&OE. 30.

Image sauce: June Ohwada (cc:by; smoothed and cropped)

*** This is a Security Bloggers Network syndicated blog from ReversingLabs Blog written by Richi Jennings. Read the original post at:
