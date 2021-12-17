from the next-one:-santa dept.
[...] The attackers were able to bypass protections provided by HTTPS-based encryption by first using their control of the Fox-IT domain to obtain a new transport layer security certificate. The process happened in the first 10 minutes of the attack, during which time all Fox-IT email was rerouted to the attackers. With that in place, the attackers were able to decrypt all incoming traffic and to cryptographically impersonate the hijacked domain. After intercepting and reading incoming traffic, the attackers forwarded it to Fox-IT in an attempt to prevent company engineers from detecting the attack.
The detailed account underscores just how easily hacks can succeed, even against security-savvy parties with relatively robust practices in place. It wouldn't be surprising to see the same techniques succeed against scores or even hundreds of other companies that use the same industry-standard countermeasures.
Source: Hackers take control of security firm’s domain, steal secret data
(Score: 0) by Anonymous Coward on Thursday December 21, @06:56PM (4 children)
At Fox-IT you have a lot of freedom in how you carry out your job. This requires a high degree of personal responsibility but it also offers a wealth of opportunities. The main priority is that you do your job well.
(Score: 2) by Nerdfest on Thursday December 21, @07:23PM (3 children)
I don't see here how anyone didn't, really. Sometimes it's just how fast you can detect and react. Not everything is within your control for prevention.
(Score: 1, Interesting) by Anonymous Coward on Thursday December 21, @10:04PM (2 children)
Setting up 2FA with your domain registrar is within your control. If the hackers don't gain control of the domain none of the rest of the hack happens.
(Score: 2) by Nerdfest on Thursday December 21, @10:27PM (1 child)
True, if they support it.
(Score: 0) by Anonymous Coward on Friday December 22, @12:56AM
If you RTFA you'd see they commented that they purchased the domain 18 years ago, which was before their registrar offered 2FA, and they never got around to enabling the 2FA for their account.
(Score: 1, Touché) by Anonymous Coward on Thursday December 21, @07:13PM (1 child)
anything important, people were not listening in the '90s, they are not listening now, the only thing they are doing is listening in...
(Score: 0) by Anonymous Coward on Friday December 22, @04:14PM
i was hoping they stole publicly available data, actually.
nothing is more insulting than realizing your data was openly being sold publicly and you aren't getting anything from it. It means that no one thought to draw any attention to such shameless public monetization until someone screen-scraped the site and said hey look, we were able to right-click and save-as anyway despite your JavaScript saying that is not allowed!
it's like those news sites that are angry that people read the news without visiting their site. my reply to that is that's ok, because they give me advertisements without me navigating to the sites hosting the ads. what's the difference?
(Score: 3, Interesting) by edIII on Thursday December 21, @08:40PM (1 child)
This is why when you wish to stop playing amateur hour, you OWN IP addresses. Either that, or have extremely good relationships with data centers capable of putting your network anywhere. Once you are reasonably assured that your IP addresses are not going to change anytime soon, you set a 3-6 MONTH TTL. That way, when attackers pull this shit, they need to wait 3-6 months before recursive resolvers change the record to the attacker's record. With IPv6 on the horizon it will be entirely possible to own IP addresses for a lifetime.
The only drawback is that when you want to make changes it will take 3-6 months to pull off, but that can still work. My answer to that is to have multiple redundant systems, create new ones when necessary, and phase out old ones.
A major corporation can be pinging their registrar every 20 minutes for the records looking for any changes. In other words, constantly verify your DNS records via a 3rd party source.
Defense in Depth, not defense as an after thought.
(Score: 3, Interesting) by vux984 on Thursday December 21, @08:59PM
Sure. And what are normal size people and corporations supposed to do? I can't buy an IP address. I can't get a so-called 'extremely good relationship with data centers'.
Plus a 3 month TTL is great for security, but pretty lousy for agility. And no, a 3 month TTL doesn't guarantee the attack will take months to succeed, the new record will be active immediately. It might take months for every last device to hear about the new record, but some clients are likely to start picking up the change immediately.
"A major corporation can be pinging their registrar every 20 minutes for the records looking for any changes."
That's good advice.
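The monitoring the two comments above converge on, polling the live records from resolvers you do not operate and comparing them with a baseline you keep out of band, written out as an added example. This is not code from Fox-IT, the article or either commenter. The zone name, the baseline values, the resolver names and the "live" answers are all constructed so the check runs offline; it also encodes the TTL point from the reply: one resolver still returning the old records is what an in-progress change looks like, not an all-clear.

```python
"""Baseline-vs-live DNS record comparison across several independent
recursive resolvers.

Added example for the thread above; not code from Fox-IT or the
commenters. The zone name, baseline values, resolver names and the
"live" answers are constructed so the check runs offline."""

from dataclasses import dataclass

DOMAIN = "example-sec.test"     # constructed zone name standing in for the monitored domain
WATCHED = ("NS", "A", "MX")     # delegation, web address, mail routing

# Baseline the operator signed off on. Keep it out of band (version control,
# a config file), never fetched from DNS at check time, or you end up
# comparing the attacker's data with itself.
BASELINE = {
    "NS": frozenset({"ns1.example-sec.test.", "ns2.example-sec.test."}),
    "A":  frozenset({"203.0.113.10"}),
    "MX": frozenset({"10 mail.example-sec.test."}),
}

# Constructed answers from three independent resolvers mid-hijack.
# resolver_c still has the legitimate data cached; resolver_b has picked up
# the new delegation and MX but its cached A record has not expired yet;
# resolver_a already serves the attacker's records for everything.
ANSWERS = {
    "resolver_a": {
        "NS": {"ns1.attacker.test.", "ns2.attacker.test."},
        "A":  {"198.51.100.7"},
        "MX": {"10 mx.attacker.test."},
    },
    "resolver_b": {
        "NS": {"ns1.attacker.test.", "ns2.attacker.test."},
        "A":  {"203.0.113.10"},
        "MX": {"10 mx.attacker.test."},
    },
    "resolver_c": {
        "NS": {"ns1.example-sec.test.", "ns2.example-sec.test."},
        "A":  {"203.0.113.10"},
        "MX": {"10 mail.example-sec.test."},
    },
}


@dataclass(frozen=True)
class Finding:
    resolver: str
    rtype: str
    added: frozenset      # values served live that are not in the baseline
    removed: frozenset    # baseline values no longer being served


def diff_records(baseline, answers):
    """Compare every resolver's answer for every watched type with the baseline.

    A missing RRset counts as a change too: an attacker who deletes the MX
    records has still redirected (bounced) your mail."""
    findings = []
    for resolver in sorted(answers):
        records = answers[resolver]
        for rtype in WATCHED:
            expected = baseline[rtype]
            observed = frozenset(records.get(rtype, ()))
            if observed != expected:
                findings.append(Finding(resolver, rtype,
                                        added=observed - expected,
                                        removed=expected - observed))
    return findings


def changed_by_type(findings):
    """Map record type -> set of resolvers that disagree with the baseline."""
    out = {}
    for f in findings:
        out.setdefault(f.rtype, set()).add(f.resolver)
    return out


def alert_lines(findings):
    """One line per finding, ready for a pager or SIEM."""
    return [
        f"{DOMAIN} {f.rtype} via {f.resolver}: +{sorted(f.added)} -{sorted(f.removed)}"
        for f in findings
    ]


def hijack_suspected(findings):
    """Any single resolver disagreeing with the baseline is enough to page.

    Do not wait for all resolvers to agree on the new data: caches expire
    at different times, so a resolver still returning the old records is
    exactly what a change in progress looks like."""
    return bool(findings)


if __name__ == "__main__":
    found = diff_records(BASELINE, ANSWERS)
    for line in alert_lines(found):
        print(line)
    print("hijack suspected:", hijack_suspected(found))
```

To use it for real, replace ANSWERS with answers polled on a timer from resolvers you do not run (for example `dig @9.9.9.9 example-sec.test MX` against a few different public resolvers) and keep BASELINE somewhere a registrar or DNS compromise cannot reach.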
(Score: 0) by Anonymous Coward on Friday December 22, @08:18AM
The initial attack was (according to the summary) not against the security specialists, but against the horribly broken CA system.
The whole function of an SSL certificate is to say "this huge corporation says that the guy you are communicating with is who he claims to be". Tell me, when was the last time any of you trusted huge corporations?
But but but, some people may say. The browser vendors say that these specific huge corporations are trustworthy, don't you trust your browser? The same browser vendors also promise to immediately remove the root certificate of any CA breaking the rules. We recently had two such cases, in one case (the worst one), nothing happened, in another, those who relied on the CA that broke the rules were given months to replace their certificates.
Protecting the income of huge corporations is more important for browser vendors than security, and that holds even when the browser vendor in question is called Mozilla (the other three are already huge corporations).
