Ok, so the breach was via an employee's Github account that wasn't secured with 2FA. I understand that would have given them access to the source code for 8tracks, but HOW did they get access to database credentials?? I would have assumed best practice would dictate that database server IP addresses and access credentials would have been in a configuration file that is NOT checked into version control??
Most companies go to great lengths to extract credentials, keys and other sensitive information into some sort of environment file, don't they?
Unless they had a copy of their database in text/JSON/XML format uploaded to version control as well??
> However, it did allow access to a system containing a backup of database tables, including this user data.
Sounds like they store backups with git and push them to GitHub (presumably Git LFS). Someone should tell them that Git is not a backup solution. It's also possible they were using some backup service that uses GitHub SSO (not sure if that's better or worse).
It's good to see they finally took advantage of GitHub's feature that restricts user access to an organisation if they don't have 2FA. Every organisation should enforce that.
8tracks could have a backup system that uses Github as the identity provider, the backup data wouldn't have to reside in a repo on Github. As a PSA to others using Github organizations and allowing login via Github, there is a setting you can turn on to require MFA for all the members of the org.
FYI, you can limit access to repos to accounts that have 2FA enabled. I'm encouraging clients to enable that option. Users can't accept an invite to the repo until they turn on 2FA.
It's perfectly reasonable to put your credentials and configuration into a VCS if any secrets are in ansible vault or something similar.
I reckon they either stuffed it all in as plain text or someone got hold of their source code and found a stupid hole in it and just read the database file off the front end somewhere. It's not unusual for the unclued to stick a database dump on a front facing web server with a "secret url" and just pull that down with curl or something.
It's really never reasonable. Even if your VCS is already secure, inserting credentials means bringing it up to spec with actual credential storage policy, even if that means inconvenience to the developers - and if it's not inconvenient, your policy is probably too lax in the first place. There should be a total separation of concern between your code and user credentials.
Ansible vault, separate repository to the code and you're fine. You're up shit creek if you lose your code too unless you're 100% perfect so there is no distinction in policy.
Hell if you're using vault you might as well chuck the config in with the code. The vault key distribution is what needs to be controlled.
There is a real difference in company impact between leaking your code and your credentials. If your code and credential policies are the same, your company has a serious problem of priorities, since it's either not protecting credentials enough, or it's slowing down developers too much.
But Google/Facebook/whatever can trivially link all of your accounts through the SSO (and when you access your accounts). Of course, Google can get some of that information from GMail and both can get it from tracking (and GP was talking about the other way around), but it is something to consider.
At least the passwords were hashed. I wonder what hash they used though. I'm tempted to bet good money it's going to be an inadequate one like SHA1 or a completely broken one like MD5.
When the purpose of hashing is protection of passwords, MD5, SHA1, SHA256, etc. are all effectively equally broken. MD5 vs. SHA1 makes no real difference here.
You can usually tell a company's security posture when they say "all passwords were hashed and salted" without listing the hashing algorithm. If they're using an algorithm actually suited for password hashing, like bcrypt, they'll usually state the name of the algorithm.
To be honest I know that MD5 vs SHA1 or SHA512 is irrelevant in terms of password hashing, but personally seeing SHA512 would make me laugh a little less than MD5. Both are inadequate for this particular use-case, but at least seeing the modern hash would mean they tried to do the right thing.
SHA-1 and MD5 are susceptible to collisions, not pre-image attacks, so replacing either with SHA-256 wouldn't really impact this scenario. The real question is whether they used iterated hashing (and to what degree), peppering, a keyed hash, or something else that would slow down a dictionary attack.
While "inadequate" and "completely broken" are totally valid qualifiers for those hashing algorithms, the way in which they are broken doesn't affect sha1crypt or md5crypt (only a pre-image attack would break them, collisions are bad but not enough). That doesn't mean you should use them though (you should use bcrypt or similar).
I think it's relevant to GGP's use of "completely broken" - collisions are far less useful than actually extracting the password string, since one is transferable and has long-term potential, and the other will probably lose all its value pretty quickly, especially with a change of salt.
Absolutely not, it ties all of your information together trivially. People should just use password managers with a unique password for each website. Then you don't really about one site's bad security meaning that your security on another site is ruined (with SSO that's also an issue, you just trust the SSO provider more explicitly). You only care about whether data was accessed or modified with a particular service.
Most people (e.g not hackernews readers) only care about how easy it is. Assuming that most people would prefer to simply use existing authentication services is accurate and not remotely absolute (even if it makes some of us cringe).
Most people (e.g not hackernews readers) only care about how easy it is. Assuming that most people would prefer to simply use existing authentication services is accurate (even if it makes some of us cringe).
Most companies go to great lengths to extract credentials, keys and other sensitive information into some sort of environment file, don't they?
Unless they had a copy of their database in text/JSON/XML format uploaded to version control as well??