Archive for January 17, 2023

Twitter Sued Over Data Breach

Posted in Commentary with tags on January 17, 2023 by itnerd

From the “It sucks to be Elon right now” department comes news that a lawsuit has been filed over the Twitter data breach that has recently come to light:

New York state resident Stephen Gerber claims his personal information was among the cache of data obtained by hackers between 2021 and 2022. He sued Friday in San Francisco federal court seeking class-action status for all those whose information was leaked.

Gerber blames a defect in Twitter’s application programming interface (API) that allowed cybercriminals to obtain usernames, emails and phone numbers of users of the social media website.

In January, an anonymous user on the hacker site BreachForums published a database that they claimed contained basic information on hundreds of millions of Twitter users. Twitter said in a blog post that there was “no evidence that the data being sold online was obtained by exploiting a vulnerability of Twitter systems.”

“The data is likely a collection of data already publicly available online through different sources,” the company said.

Gerber claims in the complaint that Twitter “seemingly buried its head in the sand” and says the company may have tried to hide the magnitude of the leak.

Twitter “to this day, has inexplicably failed to notify or contact the victims of this particular API exploitation,” Gerber said.

Gerber is seeking unspecified monetary damages, likely to exceed $5 million, and court orders requiring Twitter to hire third-party security auditors to test and audit its systems as well as to implement and maintain a security program designed to protect the confidentiality of the users.

Forget about the what-ifs as to whether this guy wins. The fact is that this will spawn other lawsuits that Elon and Twitter will have to defend against. And the fact is that Elon and Twitter are both incredibly unfocused at the moment, which means their ability to give each lawsuit the time and attention it needs is going to be far less than it should be. That in turn means the odds that Twitter will have to pay up big time go up.

Take it from me, Elon’s going to wish that he never bought this company.

CircleCI Pwned With Potentially Huge Negative Downstream Effects

Posted in Commentary with tags on January 17, 2023 by itnerd

CircleCI, a company that develops testing and deployment tools for software engineers, has shared details about how hackers broke into its systems last month and compromised customer data. CircleCI chief technology officer Rob Zuber said hackers gained access to its networks after infecting an employee’s laptop with malware. And here’s what happened next:

On December 29, 2022, we were alerted to suspicious GitHub OAuth activity by one of our customers. This notification kicked off a deeper review by CircleCI’s security team with GitHub.

On December 30, 2022, we learned that this customer’s GitHub OAuth token had been compromised by an unauthorized third party. Although that customer was able to quickly resolve the issue, out of an abundance of caution, on December 31, 2022, we proactively initiated the process of rotating all GitHub OAuth tokens on behalf of our customers. Despite working with GitHub to increase API rate limits, the rotation process took time. While it was not clear at this point whether other customers were impacted, we continued to expand the scope of our analysis.

By January 4, 2023, our internal investigation had determined the scope of the intrusion by the unauthorized third party and the entry path of the attack. To date, we have learned that an unauthorized third party leveraged malware deployed to a CircleCI engineer’s laptop in order to steal a valid, 2FA-backed SSO session. This machine was compromised on December 16, 2022. The malware was not detected by our antivirus software. Our investigation indicates that the malware was able to execute session cookie theft, enabling them to impersonate the targeted employee in a remote location and then escalate access to a subset of our production systems.

Because the targeted employee had privileges to generate production access tokens as part of the employee’s regular duties, the unauthorized third party was able to access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens, and keys. We have reason to believe that the unauthorized third party engaged in reconnaissance activity on December 19, 2022. On December 22, 2022, exfiltration occurred, and that is our last record of unauthorized activity in our production systems. Though all the data exfiltrated was encrypted at rest, the third party extracted encryption keys from a running process, enabling them to potentially access the encrypted data.

Clearly the threat actors knew who to target to get what they wanted: an engineer whose regular duties included minting production access tokens, so one stolen session cookie was enough to walk past 2FA and reach the secret stores. That’s scary. The company has put out a security alert that has been updated consistently since the incident happened, and I’d spend some time reading it if you use CircleCI products. One downstream example: Datadog’s RPM GPG signing keys and their passphrases were exposed during this breach, so anyone who installs Datadog’s RPM packages, and any vendor that builds on them, is potentially at risk.
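The cookie-theft path CircleCI describes leaves a trace on the identity provider side: the MFA-backed login itself was genuine, but the session it produced then starts arriving from a machine, network and browser that never completed that login. The following is an added example written for this post, not CircleCI’s code or tooling; the JSON log format, the field names and every event in the sample are constructed for illustration, and “asn” stands in for whatever network attribution your IdP actually records.

```python
"""Flag SSO sessions that are replayed from somewhere other than the device that
logged in. Added example for this post; not CircleCI's code. The JSON log
format, field names and every event below are constructed for illustration."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample, one JSON object per line, in the shape an identity provider
# might log for each authenticated request. "asn" stands in for whatever network
# attribution your IdP records (ASN, egress range, country).
SAMPLE_LOG = """\
{"ts": "2022-12-16T09:02:11Z", "user": "eng.alice", "session": "s-7f3a", "ip": "203.0.113.7", "asn": "AS64500", "ua": "Chrome/108 macOS", "event": "login", "mfa": true}
{"ts": "2022-12-16T09:10:40Z", "user": "eng.alice", "session": "s-7f3a", "ip": "203.0.113.7", "asn": "AS64500", "ua": "Chrome/108 macOS", "event": "request"}
{"ts": "2022-12-16T10:00:00Z", "user": "ops.bob", "session": "s-91c2", "ip": "192.0.2.44", "asn": "AS64496", "ua": "Firefox/108 Linux", "event": "login", "mfa": true}
{"ts": "2022-12-16T10:30:00Z", "user": "ops.bob", "session": "s-91c2", "ip": "192.0.2.45", "asn": "AS64496", "ua": "Firefox/108 Linux", "event": "request"}
{"ts": "2022-12-16T11:47:03Z", "user": "eng.alice", "session": "s-7f3a", "ip": "198.51.100.23", "asn": "AS64511", "ua": "Chrome/108 Windows", "event": "request"}
{"ts": "2022-12-16T11:47:30Z", "user": "eng.alice", "session": "s-7f3a", "ip": "198.51.100.23", "asn": "AS64511", "ua": "Chrome/108 Windows", "event": "token_issue"}
"""

# Attributes that stay fixed for the lifetime of a legitimate browser session.
# A bare IP change is deliberately NOT in this list: laptops roam between NAT
# pools and Wi-Fi networks all day, which is why bob's second event stays quiet.
BOUND_FIELDS = ("asn", "ua")


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def find_hijacked_sessions(events):
    """One alert per session whose post-login traffic drifts from its login.

    MFA does not help here: the login was MFA-backed and genuine, and the
    attacker replays the cookie minted *after* that check. The only tell is
    that the session now arrives from a different place than the one that
    completed the login.
    """
    origin = {}                 # session id -> the login event that created it
    drifted = defaultdict(list)
    for ev in events:
        sid = ev["session"]
        if ev["event"] == "login":
            origin[sid] = ev
            continue
        if sid not in origin:
            continue            # login predates the log window; nothing to compare
        drift = [f for f in BOUND_FIELDS if ev[f] != origin[sid][f]]
        if drift:
            drifted[sid].append((ev, drift))

    alerts = []
    for sid, items in drifted.items():
        login = origin[sid]
        first, drift = items[0]
        alerts.append({
            "session": sid,
            "user": login["user"],
            "login_ip": login["ip"],
            "replay_ip": first["ip"],
            "drift": drift,
            "minutes_after_login": int((first["ts"] - login["ts"]).total_seconds() // 60),
            # What the replayed session was used for; a token_issue from a
            # drifted session is the event to page someone about.
            "actions": [e["event"] for e, _ in items],
        })
    return alerts


if __name__ == "__main__":
    for alert in find_hijacked_sessions(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Run as-is it prints one alert for eng.alice: the session that logged in from AS64500 on macOS is used from AS64511 on Windows about 165 minutes later and mints a token, while ops.bob’s IP change inside the same network is ignored. Treat the heuristic as a detection, not a control: the structural fix is to bind the session to the device (a client certificate or other device-bound credential) so a copied cookie is useless off the laptop, and to put production token minting behind a separate step-up rather than behind any live SSO session.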

Kevin Bocek, VP of Security Strategy and Threat Intelligence at Venafi had this to say: 

“Another day, another software supply chain attack. It’s clear that this type of threat isn’t going away. Targeting a developer tool and delivery platform, like CircleCI, was clearly intended to fly under the radar and slip into other development environments. In this case, they were able to gain access to Datadog’s environment meaning that its RPM GPG signing machine identities were exposed. Fortunately, Datadog has responded quickly to rotate the impacted identities and it doesn’t appear that they’ve been abused. But if an attacker had seized this opportunity, then it would have given them a very powerful weapon – potentially allowing them to spread across Datadog’s customer networks by enabling them to sign and send malware while appearing completely trusted. This could have had serious repercussions.

“This incident demonstrates the growing risk of attacks targeted at developers, machine identities and modern development pipelines. When combined with the speed of modern development, widespread use of automation and use of the cloud, an attacker with access to powerful machine identities can create ripples fast which are extremely hard to protect against or remediate. In a machine-driven world, having a control plane to manage the lifecycle of your machine identities is essential. As this incident shows, you can be doing all the right things and still find yourself exposed. All businesses – whether they be a software publisher, or a consumer of software – need to be able to automate controls that say who and what can and can’t be trusted, and to have the agility to respond to change.”

This isn’t a trivial hack and should not be treated as such. If you rely on CircleCI products, assume that anything stored there (environment variables, tokens, keys) was taken: rotate all of it, and review your own logs for use of those credentials from December 16, 2022 onward, the date the engineer’s laptop was compromised. And double check with your vendors that they have done the same.

Should You Buy The New Mac mini or MacBook Pro Models?

Posted in Commentary with tags on January 17, 2023 by itnerd

Today, Apple released the new 14″ and 16″ MacBook Pros along with a new Mac mini, all upgraded to M2-class processors. The question is whether you should upgrade to them if you own another Mac. The answer is “it depends.” First, let me cover the improvements:

  • The M2 Max processor that is used in the MacBook Pros now scales to 96GB of RAM. 98% of you reading this have no practical need to have this much RAM in a MacBook Pro.
  • All the new hardware comes with Bluetooth 5.3 and WiFi 6E
  • In the M2 Pro and M2 Max MacBook Pros along with the M2 Pro Mac mini, you now get HDMI 2.1 which gives you an 8K display at 60Hz or a 4K resolution at 240Hz.
  • The MacBook Pros get one extra hour of battery life under Apple’s rather interesting testing protocol.
  • You get 20% more performance according to Apple. But I would wait for third party benchmarks to confirm or deny that.

Now with that out of the way, here’s my advice:

  • In terms of the Mac mini, completely ignore the M2 Pro model. Once you spec it up to 512GB of storage and 32GB of RAM, you’re at the same price as the Mac Studio. Yes, the Mac Studio is slightly slower in theory, but it’s the better buy at present.
  • If you have an Intel Mac mini, upgrade to the M2 version immediately. With the price cut Apple made on the base M2 model, it’s a compelling buy. If you have an M1 Mac mini, I wouldn’t upgrade, as you likely won’t see the performance gains in real-world use.
  • If you own an M1 Pro or M1 Max MacBook Pro, there’s zero reason to upgrade. This is a minor spec bump, and you’re not going to see significant performance gains from one of the new M2 Pro or M2 Max models. But if you have an Intel MacBook Pro, you should upgrade to the M2 Pro or M2 Max immediately.

Did I miss out on anything here when it comes to these new Macs? I’d be interested in hearing about what I did miss and what other thoughts that you have. Please leave a comment below and let me know your thoughts.

You’ve Got Mail: New Phishing Attack Impersonates DHL For User Credentials

Posted in Commentary with tags on January 17, 2023 by itnerd

Armorblox has released its latest research that dives into the details of a credential phishing attack that spoofed the international shipping, courier services and transportation company, DHL. 

These emails, targeting more than 10,000 mailboxes at a private institution in the education sector, bypassed both native Microsoft Office 365 email security and the Exchange Online Protection (EOP) layer.

How it works: recipients received an email styled as a DHL notification, saying that a parcel sent by a customer had to be rerouted to the correct delivery address. They were encouraged to open the attached document and confirm the destination address, which meant entering their Microsoft login credentials on a fake login page. Whatever they typed there went straight to the attackers. The mismatch that gives the lure away is worth spelling out: a courier’s delivery notice has no reason to ask for Microsoft 365 credentials, and a link that leaves the courier’s own domain to reach a login page is the tell.
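As an added illustration (not Armorblox’s detection logic or anything taken from its report), here is a heuristic that scores a message on the mismatches this lure relies on: a courier brand in the display name with an unrelated sending domain, failed sender authentication, links that leave the brand’s domains, and a shipping notice that steers toward a Microsoft login. The two messages, the brand allowlist (dhl.com is an assumption standing in for a vetted list) and the lure word list are constructed for illustration, and the “confirm address” link in the body stands in for the link inside the attached document.

```python
"""Brand/intent mismatch checks for a lure like the DHL one above. Added example,
not Armorblox's detection logic; the two messages, the brand allowlist and the
lure word list are constructed for illustration."""
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domains we would accept mail or links from for a claimed brand.
# A real deployment keeps this in a vetted list; dhl.com is the obvious entry and
# nothing else about DHL's mail infrastructure is assumed.
BRAND_DOMAINS = {"dhl": {"dhl.com"}}

# Words that signal a credential-capture target inside a shipping notice.
LOGIN_LURE_WORDS = ("microsoft", "office365", "office 365", "login", "sign in", "credentials")

# Constructed phishing sample: courier brand in the display name, unrelated
# sending domain, failed SPF, and a "confirm address" link to a Microsoft-themed
# login page (standing in for the link inside the attached document).
PHISH_SAMPLE = """\
From: "DHL Express" <notify@dhl-parcel-update.example>
To: staff@university.example
Subject: Action required: parcel redelivery
Authentication-Results: mx.university.example; spf=fail smtp.mailfrom=dhl-parcel-update.example; dkim=none
Content-Type: text/html; charset=utf-8

<html><body>
<p>A parcel sent by a customer could not be delivered. Confirm the destination address:</p>
<a href="https://login-microsoftonline.example/office365/verify?id=8821">Review shipment</a>
</body></html>
"""

# Constructed legitimate control: same brand, but mail and link both come from
# the brand's own domain and authentication passes.
LEGIT_SAMPLE = """\
From: "DHL Express" <noreply@dhl.com>
To: staff@university.example
Subject: Your DHL shipment is on its way
Authentication-Results: mx.university.example; spf=pass smtp.mailfrom=dhl.com; dkim=pass header.d=dhl.com
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your shipment 1234567890 has been handed to the carrier.</p>
<a href="https://www.dhl.com/en/express/tracking.html?AWB=1234567890">Track shipment</a>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collects hrefs and visible text from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)

    def handle_data(self, data):
        self.text.append(data)


def registrable(host):
    """Crude eTLD+1 (last two labels). Use a public-suffix library in production."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def body_text(msg):
    """Decoded text of every text/html or text/plain part."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for p in parts:
        if p.get_content_type() in ("text/html", "text/plain"):
            chunks.append(p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze(raw):
    """Return human-readable findings for one RFC 5322 message; empty means clean."""
    msg = email.message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    claimed = next((b for b in BRAND_DOMAINS if b in display.lower()), None)

    # 1. The display name says DHL; does the sending domain belong to DHL?
    if claimed and registrable(from_domain) not in BRAND_DOMAINS[claimed]:
        findings.append(f"display name claims {claimed.upper()} but From domain is {from_domain}")

    # 2. Did the receiving MTA's SPF/DKIM checks fail or come back empty?
    auth = msg.get("Authentication-Results", "").lower()
    if any(tag in auth for tag in ("spf=fail", "dkim=fail", "dkim=none")):
        findings.append("sender authentication failed or absent: " + auth.split(";", 1)[-1].strip())

    # 3. Do the links leave the claimed brand's domains?
    ex = LinkExtractor()
    ex.feed(body_text(msg))
    for link in ex.links:
        host = urlsplit(link).hostname or ""
        if claimed and registrable(host) not in BRAND_DOMAINS[claimed]:
            findings.append(f"link to {host} is outside the claimed brand's domains")

    # 4. Intent mismatch: a parcel notice has no business asking for a login.
    haystack = " ".join(ex.text + ex.links + [msg.get("Subject", "")]).lower()
    lures = [w for w in LOGIN_LURE_WORDS if w in haystack]
    if claimed and lures:
        findings.append(f"{claimed.upper()} parcel notice steers to a login: {lures}")
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, analyze(sample) or ["clean"])
```

The phishing sample trips all four checks and the control message trips none. Check 4 is the one worth keeping even when the others are noisy: spoofed display names and lookalike domains change with every campaign, but a courier notification that leads to a Microsoft sign-in page is a mismatch the attacker cannot remove without losing the credentials they came for.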

You can read the research here.