by kenneth_reitz on 8/10/16, 2:41 AM with 117 comments
by dsacco on 8/10/16, 3:44 AM
> In this instance, though, the attack vector was DNS. My account at the not-so-incredibly-common DNSimple.com did not use a highly secure password. I didn’t think it was necessary, as in my mind, the only reason that the security of an account like that would be at risk would be if I was the explicit target of an attack. Once again, I thought to myself “That’s something that only happens to other people”.
Kenneth used a randomly generated password and two-factor authentication on his GitHub account, which is great! But on DNSimple he made the decision to forego better security because it seemed unlikely to be a target.
It is not enough to use some strong passwords for the things you think are sensitive. Every weak password is a weak link in your total identity chain.
The best way to use a password manager is to never give yourself authority to make passwords unless they are randomly generated. Even if the site or account in question appears innocuous or insignificant, even if it does not allow you to make a password of your manager's default strength, commit yourself to going through this process 100% of the time.
Yes, it's a usability pain to constantly use a browser extension to log in. But that pain is nothing compared to the stress of a compromise or targeted attack.
Until password management or authentication are substantially overhauled on the web, the most optimal solution for protecting yourself is constant, militant vigilance with passwords. I don't know any of my passwords at all, and what's more, I even have randomly generated answers to security questions.
Also, where possible, use two-factor authentication. You can use SMS, Authy, Google Authenticator, a Yubikey, whatever. Just turn the damn thing on and use it if it's available to you.
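The "generate every secret, even where the site caps strength" rule above, as an added example that is not from the thread: it draws from the OS CSPRNG under per-site constraints (the site policies are constructed, not real rules) and reports when a site's cap leaves the secret below a chosen entropy floor, which is where the comment's 2FA advice becomes the compensating control.

```python
import math
import secrets
import string

FULL = string.ascii_letters + string.digits + string.punctuation

# Constructed site policies: "default" is the manager's own strength, the
# other two model sites that cap length or charset (assumption, not real rules).
SITE_POLICIES = {
    "default":       {"max_len": 64, "alphabet": FULL},
    "legacy-bank":   {"max_len": 12, "alphabet": string.ascii_letters + string.digits},
    "dns-registrar": {"max_len": 32, "alphabet": string.ascii_letters + string.digits + "-_!@#"},
}

MIN_BITS = 80  # entropy floor below which the account should also carry 2FA


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string of `length` symbols over the alphabet."""
    return length * math.log2(alphabet_size)


def generate_secret(policy):
    """Strongest uniformly random secret the policy allows; returns (secret, bits)."""
    alphabet, length = policy["alphabet"], policy["max_len"]
    # secrets.choice uses the OS CSPRNG; random.choice is not acceptable here.
    secret = "".join(secrets.choice(alphabet) for _ in range(length))
    return secret, entropy_bits(length, len(alphabet))


def meets_minimum(policy, minimum=MIN_BITS):
    """True when the best secret the site permits still reaches the entropy floor."""
    return entropy_bits(policy["max_len"], len(policy["alphabet"])) >= minimum


def security_answer(nbytes=18):
    """Random 'security question' answer: nothing an attacker can look up about you."""
    return secrets.token_urlsafe(nbytes)


def audit(policies=SITE_POLICIES):
    """Map each site to whether its cap still allows a secret above the floor."""
    return {name: meets_minimum(p) for name, p in policies.items()}
```

Run `audit()` to see which sites cannot reach the floor; for those the secret is still generated, and the shortfall is the reason to enable 2FA there.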
by micaksica on 8/10/16, 3:39 AM
If you're a developer of a popular open-source project, this should serve as a warning to make sure you have multi-factor authentication on, yes, but it's even better to learn from this and come up with incident response plans with your core maintainer base. Ask among yourselves:
1. Do we have the ability to detect an overt breach like this one?
2. Do we have the ability to detect a covert breach (e.g. are our builds reproducible, auditable? Are our binaries signed? Do we know who our committers are?)
3. Do we have a consistent way to message users of the project of the compromise?
4. Do we have a way to deprecate/mark as tainted compromised versions of our module/package/application?
GitHub offers some technology to help in this regard. Sign your release tags, at a minimum [1]; sign your commits with developer keys if you're paranoid. [2]
As FOSS becomes more used in the enterprise, I suspect these attacks will become less of a rarity.
[1] https://news.ycombinator.com/item?id=11494997
[2] https://help.github.com/articles/signing-commits-using-gpg/
by jkaptur on 8/10/16, 4:06 AM
We know from postmortems that the error-handling code tends to be among the least-tested parts of a codebase, which leads to cascading failure. I wonder if an even wilier attacker could have leveraged the analogous failure here.
by omginternets on 8/10/16, 8:48 AM
Call me paranoid, but I have a hard time seeing the push for 2FA as anything other than a plot to collect valuable user data. As with most any good lie, it's mostly true -- 2FA does improve security -- but what happens when a company goes bankrupt and sells off its assets?
Moreover, I can't help but to question the actual necessity of this security feature. The OP's mess could have been avoided if he'd ... you know ... systematically chosen secure passwords.
>Turn on two-factor authentication. Right now.
I'll pass, thanks.
P.S.: thanks for Requests!
by vtange on 8/10/16, 4:05 AM
• Avoid using custom DNS emails (e.g. yourname@yourdomain.com) for any login purposes. It basically opens you up for these kinds of attacks (where a hacker breaks into your domain name account and forwards your custom email to his own).
Read N's story at https://medium.com/@N/how-i-lost-my-50-000-twitter-username-...
by w8rbt on 8/10/16, 10:56 AM
DNS is the foundation upon which everything else is built. And, it's been my experience that DNS and email attacks are very common.
If an attacker can compromise DNS and email, then they can compromise all the higher-level services that send password resets by email (twitter, github, facebook, whatever).
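A defender-side check for the DNS-then-email chain described above, added here and not part of the thread: it diffs a zone's recorded MX and NS records against what is currently observed and flags when the preferred mail host has changed, which is the point at which password-reset mail starts going somewhere else. All record values are constructed; in practice `OBSERVED` would be filled by a resolver query, which this example does not perform.

```python
# Baseline captured when the zone was last reviewed (constructed values).
BASELINE = {
    "example.org": {
        "MX": {(10, "mail1.example.org."), (20, "mail2.example.org.")},
        "NS": {"ns1.registrar.example.", "ns2.registrar.example."},
    }
}

# Constructed "current" answer: a new MX with a lower preference value was
# inserted, so it now wins delivery ahead of the legitimate hosts.
OBSERVED = {
    "example.org": {
        "MX": {(5, "relay.unknown-host.example."),
               (10, "mail1.example.org."), (20, "mail2.example.org.")},
        "NS": {"ns1.registrar.example.", "ns2.registrar.example."},
    }
}


def diff_records(baseline, observed):
    """Return (domain, rrtype, change, record) tuples for any added/removed record."""
    alerts = []
    for domain, rrsets in baseline.items():
        seen = observed.get(domain, {})
        for rrtype, expected in rrsets.items():
            current = set(seen.get(rrtype, set()))
            for rec in sorted(current - expected):
                alerts.append((domain, rrtype, "added", rec))
            for rec in sorted(expected - current):
                alerts.append((domain, rrtype, "removed", rec))
    return alerts


def preferred_mx(mx_records):
    """Host that receives mail first: the lowest MX preference value wins."""
    return min(mx_records)[1]


def mail_redirected(baseline_mx, observed_mx):
    """True when the preferred mail host differs from the reviewed baseline."""
    return preferred_mx(baseline_mx) != preferred_mx(observed_mx)


def run_check(baseline=BASELINE, observed=OBSERVED):
    """Alerts plus a per-domain flag for mail-delivery redirection."""
    redirected = {d: mail_redirected(r["MX"], observed[d]["MX"])
                  for d, r in baseline.items() if "MX" in r and d in observed}
    return diff_records(baseline, observed), redirected
```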
by hoodoof on 8/10/16, 6:14 AM
by caf on 8/10/16, 6:26 AM
by gregcmartin on 8/10/16, 4:02 AM
by cdnsteve on 8/10/16, 4:40 PM
It doesn't look like the authors/contributors of requests are using Github signed commits either.
by rcthompson on 8/10/16, 4:17 AM
by ghiculescu on 8/10/16, 8:47 AM
by dredmorbius on 8/10/16, 5:23 AM
(Incidentally: I'm not familiar with what the Certifi bundle is, and some quick DDGing didn't turn it up.)
As a recent convo I'd had here on HN turned up, key management is a crucial element of PKI, which includes not only SSH and PGP, but the CA-based measures: SSL and TLS.
Your web link is only as secure as the least-paranoid developer's MX registrations in your entire development toolchain.
by imikay on 8/10/16, 5:00 AM
by colemickens on 8/10/16, 3:55 AM
(edit: Oops, I guess I didn't realize the bold were hyperlinks in the article. Thanks for the pointer.)
by denfromufa on 8/10/16, 5:15 AM
Also is it possible to check if someone has 2-factor authentication?
by tedmiston on 8/10/16, 4:15 AM
by Buetol on 8/10/16, 11:01 AM
by forgotpwtomain on 8/10/16, 1:19 PM
by cmdrfred on 8/10/16, 3:38 AM
by jokoon on 8/10/16, 10:25 AM
I mean if this doesn't happen, and if governments don't take steps to improve the situation in the next 10 or 15 years, won't things get worse enough that politicians notice?
by a_lifters_life on 8/10/16, 9:53 AM