>> Atlassian themselves wasn't hacked...It was a case of an employee accidentally posting credentials for Atlassian's Envoy setup in a public repository
Disagree. “Hack” typically implies malicious intent so it kind of does matter. “Leak” probably would have been more appropriate since this appears to have been the result of negligence rather than malice.
I have never in my life heard that hack comes with malicious intent. To me hacking is a generalized term for successful unauthorized computer system access.
Can you expand on this a bit? A search on the internet provides plenty of examples of this, even a search in the dictionary[1]. Along with movies[2], books[3], and typical news reporting hack/hacking/hackers has been used to indicate malicious intent.
You can debate crackers vs. hackers and that it's the intent that differentiates them but it's a moot point based on that very thin veil of separation. Similar to the title security researcher or pentester you only can believe what's presented publicly by that person, group or organization and you can never validate that they haven't sold access or exploits to anyone else.
I would say your generalized term would be better understood as a security audit, pentest or bug bounty which would appear to represent a non-malicious intent to gain "successful unauthorized computer system access" as defined by the contract.
"Reflecting the two types of hackers, there are two definitions of the word "hacker":
1. Originally, hacker simply meant advanced computer technology enthusiast (both hardware and software) and adherent of programming subculture; see hacker culture.[3]
2. Someone who is able to subvert computer security. If doing so for malicious purposes, the person can also be called a cracker.[4]
Today, mainstream usage of "hacker" mostly refers to computer criminals, due to the mass media usage of the word since the 1990s."
Fortunately there is a trend to revert back to the non-malicious meaning of the word. See you are commenting on a "Hacker" news site. See https://hackaday.com/
See even "DailyHacks" or "LifeHacks" in a social non-technical setting, etc.
Hacking is simply fiddling with a system and making it do something that it was not designed to do.
Yeah I understand the difference between the two which is why I mentioned them. Moving back to the non-malicious meaning seems like a moot point. The layperson doesn't care about the difference only the outcome. Which in most cases is they don't know you or have a business relationship with you and you are now accessing their system. If I was working within the pentester / security researcher space I would not be doing any work outside the bounds of an explicit contract/bug bounty program, etc as any access gained would be illegal access regardless of your "supposed" intentions.
In my original comment I was looking for the OP to expand upon:
"I have never in my life heard that hack comes with malicious intent"
as that seemed odd given the books, movies and legal cases.
After giving this some more thought I think you’re right. I would even broaden your definition to include using authorized access in ways that weren’t originally intended by the computer system’s designers.
I was trying to distinguish between breaches that result from intentional exploitation (malicious or otherwise) and breaches that result from negligence. Having thought about it a bit more, these things are not actually mutually exclusive. Many intentional exploitations take advantage of dumb mistakes (e.g. posting credentials in a public repo).
As such, I take back my earlier disagreement: this is a valid use of the word “hack”.
Myself, I would agree with your earlier definition of this being a leak[1] simply using the definition. There wasn't a program created or exploit discovered that exposed previously private information, an authorized user posted to the incorrect privilege level location.
A leak by definition is something from inside. This was not. This was an exploit from outside actors that made this data available to the public.
Note the difference:
> accidentally posting credentials for Atlassian's Envoy setup in a public repository
this was a leak.
Using those credentials to then obtain other data and post them publicly-> this is the hack. A hack does not need to be complicated, just to accomplish something that was not intended.
I disagree that finding mistakenly posted credentials, logging in and performing an export task is a hack, hacking, or exploitation. All the functionality was already available as it would be for any authorized user. This is the equivalent of reading the user guide.
> Using leaked credentials to access a system that would not otherwise be accessible is absolutely an exploit.
Can you go into this a bit more as I'm not seeing anything being exploited? Were the credentials not valid? Was exporting data not available to that authentication user? Did they elevate their permissions beyond what the original credentials provided?
If I find $20 on the street and buy a lotto ticket and win, what was exploited? I used the money to buy an item that can be purchased with money. In this example would you be saying that finding the money was the exploit or using the discovered money to buy something?
> Similarly, convincing a security guard to let you in to an area of a building that you aren’t allowed into is also an exploit.
I agree this is an exploit, aptly named social engineering. However in this example you started with nothing and "convinced" the guard to do something.
This is different than already having the credentials. The equivalent for this example, to me, would be finding a person's office/building card and walking past the guard but I wouldn't see that as an exploit. Both the access control and guard are reacting accordingly to the expected inputs.
I would view an exploit as going beyond the intent of the built-in/existing controls.
There is an active searching for these credential leaks in the various repositories to then be used so this is an exploit. It shows intent, an organised way of searching for vulnerabilities and accomplishment of the task.
It's the equivalent of stalking the security guard and eavesdropping on his public communications in the hope that he slips up and when drunken enough will reveal the passcode to the entrance door. Public repositories make it more easy to "stalk" in that sense, but yet it's an active search for a vulnerability, that of not following security recommendations.
If someone intends to rob a bank it doesn't matter how they have obtained the vault key, when the bank was robbed.
The employee leaked the credentials, but I'd argue that finding the leaked credentials, logging in, dumping the data into a file and publishing it with a note how you pwned the company is still a hack. Not a highly skilled hack, but still a hack.
Sure, but it _does_ matter _what_ credentials were leaked, and these creds didn't secure anything particularly critical in the grand scheme of things. Sure it might suck a bit for Atlassian employees who wanted to keep the fact they worked for Atlassian a secret, but given a lot of them walk around wearing T-Shirts with "Atlassian" on them, I don't think they do.
I suppose it's the most basic possible level of defense-in-depth that Atlassian didn't reuse those credentials, or put other sensitive operational information (that could result in a deeper breach of customer data) into their Envoy data. So it technically matters which credentials were leaked. But definitely still not a good look.
At some point it does matter how the credentials were leaked. Eventually security will succeed or fail due to the behavior of the people involved in the system (users, admins, developers, executives), no matter how much you try to engineer a solution.
Yes, they're not the same thing. First, the credentials were leaked. Then, the service was hacked using the leaked credentials. Afterwards, information obtained in the hack was leaked.
> Hacking is the act of identifying and then exploiting weaknesses in a computer system or network, usually to gain unauthorized access to personal or organizational data.
In this case, they weren't exploiting any weakness of the system thus they did not hack. Logging in is an authorized action. Who is using those credentials is another story. Clearly it is a user mistake. It's like leaking your SSN and saying people hacked your credit card.
Social engineering is social engineering. You're hacking humans if anything, but you're not hacking a system by definition. You can social engineer people for other reasons than hacking a system.
It doesn't matter how credentials were leaked.