* A complete copy of an old database backup containing very early Reddit user data -- from the site’s launch in 2005 through May 2007
* Logs containing the email digests we sent between June 3 and June 17, 2018
Also of note:
"Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept."
If this doesn't put the nail in the coffin of SMS-based 2FA, I'm not sure what will.
Yeesh, what is going on with their security team over there? Years ago it was "oh, now we realize why everyone was saying that storing passwords in plaintext is a bad idea." Now it's "oh, now we realize what a bad idea SMS auth is."
So what is Reddit doing today that you and I would think, "of course, no one does that anymore 'cuz 'duh'." but they think, "nah, it's still okay."?
Here is the list of what they are saying they got access to: https://news.ycombinator.com/item?id=17665254
Your number can easily be stolen or redirected to get and sometimes send SMS from/to your number. Your cell phone account is the linchpin for a very extensive identity theft attack.
In May 2017, O2 Telefónica, a German mobile service provider, confirmed that cybercriminals had exploited SS7 vulnerabilities to bypass two-factor authentication (2FA) to make unauthorized withdrawals from users' bank accounts. The criminals first installed malware on people's computers, allowing them to steal online banking users' account credentials and phone numbers. Then the attackers purchased access to a fake telecom provider and set up redirects from the victims' phone numbers to lines controlled by them.
Here's a pretty hilarious and effective example where a crying baby background was used: https://www.youtube.com/watch?v=lc7scxvKQOo
Also, I am not sure I understand:
> we suspect weaknesses inherent to SMS-based 2FA to be the root cause of this incident
It seems that obtaining employee login credentials was the root cause, and bypassing 2FA was the second hurdle but not the root cause.
https://www.theregister.co.uk/2016/12/06/2fa_missed_warning/
2. MITM for SMS is not hard if you can get close and requires <$500 in hardware
When NIST recommends the deprecation of a protocol you know you should've already gotten rid of it five years earlier, not keep it around for another five years.
The sooner more companies start supporting U2F and WebAuthn, the sooner more people will start buying and using hardware security keys.
Implementing TOTP: https://www.serverstack.com/blog/2013/02/21/implementing-tot...
My opinion is hardware tokens are a joke for average user security. If I can't even keep my phone around to use TOTP, I'm sure as hell not going to keep track of my U2F token.
Basically, imagine every conceivable way any human or computer might at any point interact with a plaintext signaling packet designed to be passed around the world by different companies and eventually read by people. Now attack all of them. Something somewhere will give it up.
So specific information on known attack paths is an interesting conversation, because part of the SMS 2FA security is the belief that while 1-off SMS 2FA attacks are possible, they generally don't scale, and so that puts a high cost on carrying out the SMS 2FA, or informs a limit on the value that can be protected by SMS 2FA.
So, good for reddit? Maybe yes. Good for your bank? Maybe not, but maybe yes, depending on the diligence of the customer, the robustness of anti-fraud measures, and the cost of fraud insurance.
The ROI doesn't seem that high.
Of course if you have a 0day RCE it's possible to get the SMS as well. Even local malware on the computer that you're entering the code into could work if you're an identified target. Many protocol downgrade attacks are possible too, though I'd wager most developers would notice the lack of HTTPS in the browser bar.
And of course social engineering the cell phone company. Though if you call you can put a flag on your account to make it harder to transfer numbers.
https://theantisocialengineer.com/2018/07/23/sim-swap-fraud-...
A friend and I were brainstorming the design of a fraud prevention app/startup just this week and we naively thought SMS would be the way to go. Yikes!
There are other more technical weaknesses with SMS, because the phone networks themselves are also insecure. But the big issue is phone companies themselves.
Don't use SMS 2FA.
Where so many companies go wrong with SMS “2FA” is by treating it as an alternate authentication method, rather than as a second factor. If you can reset the account password over SMS then you’re boned.
Which only happens regularly in the US? I have yet to hear of as many cases in the EU or Asia, where you are required to prove your identity before any of these customer support staff can alter this information.
>There are other more technical weaknesses with SMS, because the phone networks themselves are also insecure. But the big issue is phone companies themselves.
I have been wondering if these are patchable, or whether they require hardware replacement?
On one hand it's hilariously insecure to begin with, especially now that lots of it gets trucked over the internet. On the other hand, there's a number of companies selling access and associated services for trivial amounts of money.
https://theantisocialengineer.com/2018/07/23/sim-swap-fraud-...
Just tried it myself, it works.
One way to help protect yourself is to visit your carrier's retail store and have them turn off online access to your account and require all changes to your account to be done in person with a valid government ID. This should make it more difficult for number porting attacks, but they can still sniff the SMS message when it goes over the cell network. As far as I know, mobile network control messages aren't protected.
Like this: https://c7.alamy.com/comp/CYGATP/online-banking-security-chi...
Wells Fargo supports RSA SecurID tokens.
Source: I have one.
However, they also support SMS as an alternative. I'm not sure if SMS can be disabled.
Did you have an account 11 years ago? Did you vote on anything embarrassing, or send any compromising messages? How sure are you?
I don't even know the answer to those questions for myself.
If they did require an email address, they could restore their database backups to retrieve that information.
From the standpoint of the person who took the data it is likely boring enough that it's not even worth the effort to restore the database.
Given the existence of more pressing problems I really can't do more than shrug.
How is it that Reddit’s security team is continually learning security lessons that have been common knowledge among non-technical people for 5+ years? They seem to treat their production systems more carelessly than the average person treats their Nintendo switch account.
Who are these non-technical people that you know that are not only using MFA but also know that SMS is insecure for MFA?
Rather than putting them down I'm happy they're willing to share and bring knowledge, that some communities already know, to even more people.
Anyone who reads pretty much any mainstream newspaper? At this point it would be easier to name mainstream media publications that haven’t covered this issue extensively. E.g. just google:
site:nytimes.com sms hijacking
site:wsj.com sms hijacking
site:latimes.com sms hijacking
Not to mention the fact that it’s been discussed on Reddit itself hundreds of times. And on the front page of HN dozens of times as well. E.g.:
Additionally, it can take some time to change security standards in a large company. Most companies that are not in high compliance environments focus their engineering efforts on features.
You should talk to non-technical people when you get some time.
* A complete copy of an old database backup containing user data from launch in 2005 through May 2007 including:
  - usernames,
  - salted/hashed passwords,
  - e-mails,
  - all content including private messages
* Reddit source code
* Internal logs
* configuration files
* other employee workspace files [?]
If "workspace files" meant "home directory", that's the big holy shit moment. People keep all kinds of stupid shit in home directories. SSH keys. Browser profiles. E-mail cache. Private keys for TLS certificates. Logs. Logs with secrets. Literally anything that's supposedly secret and used to run things.
Put user home directories on an NFS mount and I can basically own your whole company.
Are you implying that it's stupid to keep SSH keys in one's home dir?
Given how the report is structured, it seems like the amount of leaked data is purposefully being hidden behind red herring info about SMS 2FA that is not important to users who want to know where they stand.
When this DB is leaked, there should be more than enough weak passwords to both pwn and dox many, many reddit users. Do we know the encryption scheme reddit used to encrypt their password database involved in the leak?
Also, how is it that Reddit gained a head of security 2.5 months ago? Who was in charge of this prior to that date?
At the time of this backup, it would have been SHA1. Here's the relevant hashing code:
https://github.com/reddit-archive/reddit/blob/4778b17e939e11...
Edit: reddit's confirmed this here: https://www.reddit.com/r/announcements/comments/93qnm5/we_ha...
However, the fact that private messages were stolen is... I mean, it is just mind boggling to me. There has to be so much shit in there.
Yubikey 4 / Feitian looks interesting, but it seems it only works in Chrome with Gmail etc. etc.
Anyone have any thoughts on solutions that include Safari on Mac and/or iOS? The NEO claims NFC support but I doubt that works on iOS.
Most of the time, 2FA means using a token generator, such as Google Authenticator, Authy, or similar. They are just apps. This is much safer than SMS because one would need physical access to your unlocked phone to generate a token.
In cases where server security was breached and databases (or database backups or dumps) were accessed, if the TOTP seeds were part of the database (not sure how likely that is, but I'm guessing it's likely), then TOTP is doing nothing for security.
TOTP protects against things like credential stuffing and weak passwords, and is safer than SMS (no hijacking/intercepting), but for database security breaches things aren't so cut and dry.
I wonder if there should be a TOTP-like app which you still register with a site when you first log in or create your account, and which codes are sent to when new logins are needed, but which uses a more secure communication channel than SMS. This gives you the best of both worlds, no? One-time codes not generated from a single plain text seed, communicated to a known client over a secure channel, to prove the initial user is still in possession of the known client?
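An added example, not from any commenter here, showing the RFC 4226/6238 generate-and-verify logic in plain Python (standard library only) to make the stored-seed concern above concrete: the server can only verify a code by recomputing it from the same seed bytes the authenticator app holds, so a database row with a plaintext seed column yields exactly the codes the phone would. The seed and timestamps are the published RFC 6238 test vector, not real data; the `USER_ROW` dict is a constructed, hypothetical schema.

```python
import hashlib
import hmac
import struct

# HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter, then
# "dynamic truncation" picks 4 bytes at an offset taken from the last nibble.
def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

# TOTP (RFC 6238): HOTP with the counter derived from wall-clock time.
def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(seed, unix_time // step, digits)

# Server-side check. Accepts the current step plus `window` steps either side
# to tolerate clock drift, and compares in constant time so a timing leak
# cannot reveal how many digits of a guess were right.
def verify_totp(seed: bytes, candidate: str, unix_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    counter = unix_time // step
    for delta in range(-window, window + 1):
        expected = hotp(seed, counter + delta, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False

# Constructed row illustrating a users table that keeps the seed in the clear
# (hypothetical schema, not any real site's). Note that verify_totp needs the
# raw seed, so the column cannot simply be hashed like a password.
USER_ROW = {"username": "alice", "totp_seed": b"12345678901234567890"}

def code_visible_to_dump_holder(row: dict, unix_time: int) -> str:
    # Whoever holds a copy of this row computes the same live code the phone
    # shows; no phone, SIM or SMS channel is involved.
    return totp(row["totp_seed"], unix_time)

if __name__ == "__main__":
    seed = USER_ROW["totp_seed"]
    print("RFC 6238 vector, T=59, 8 digits:", totp(seed, 59, digits=8))
    print("code from the row alone:", code_visible_to_dump_holder(USER_ROW, 59))
    print("server accepts it:", verify_totp(seed, totp(seed, 59), 59))
```

Because the seed must stay recoverable, the defensive option is to treat the column like a private key, for instance encrypting it under a key held outside the database (KMS/HSM), so that a dump of the table on its own does not reproduce the codes.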
You can protect your TOTP/HOTP seeds on the YubiKey using a PIN (which I would recommend anyone to do). This is supported in all the Yubico Authenticator clients.
But: When your YubiKey is stolen/lost, your TOTP/HOTP seeds are gone for good. Make sure you have recovery codes stored in a safe place, e.g. your password manager.
Try this: Go to your own site backup for whatever you've got, be it a personal disk backup or something you made for a customer or friend or whatnot. Now, tell me which files might contain sensitive information to third parties. I'll wait.
This isn't "hygiene". This is "we have an 11-year-old backup mounted somewhere that we all forgot about and we honestly don't know what's in it". Yeah, it sounds dumb, but it's not reasonably avoidable by internet pontification regarding "best practices" unless your "best practices" involve eidetic memories or time machines.
There is just no excuse for that, it serves no business purpose, ancient backups that have no recovery value should not be online if they are kept at all. This incident shows an appalling lack of care by reddit technical leadership. Obviously they are not systematically tracking and reviewing the data they keep. Given this incident I would not be the least bit surprised if they have copies of this and that all over the place with no awareness or oversight.
While looking at GDPR compliance, I came across a guide that said "backups are kept for as long as it will take you to notice the missing data and restore it. Exported data kept for longer than this is an archive".
That helped me realise I really shouldn't be keeping 5-year-old database backups for some systems; a few months is plenty sufficient time for us to notice any corruption. As part of that clear-out, I searched for and deleted many old mysql-backup-2012-just-in-case.tar.gz from /root and similar places.
It doesn't sound like IP address data was compromised, but I wouldn't be surprised.
Edit: 12 years, not 13.
-------------------------------
Account credentials from 2007 compromised
from reddit
[A] sent 35 minutes ago
Hi,
TL;DR: As part of the security incident described here, we've determined that your account credentials may have been compromised. You'll need to reset your password to continue using Reddit. Details below.
On June 19, Reddit was alerted about a security incident during which an attacker gained access to account credentials from 2007 (usernames + salted password hashes).
We're messaging you because your Reddit account credentials were among the data that was accessed.
If there's a chance the credentials relate to your current password, we'll prompt you to reset the password on your Reddit account. Also, think about whether you still use the password you used on Reddit 11 years ago on any other sites today. If there's a chance the credentials relate to the password you're currently using on Reddit, we'll make you reset your Reddit account password. You can find more information about the incident in the announcement post linked above. If you have other questions not answered there, feel free to contact us at contact@reddit.com.
Got on thefacebook as well in 2005 because the college kids in my classes (taking for fun as an adult) told me I needed to be on there to get invited to parties and so they could write on my wall. Good times.
wow...
He started before the hack happened
Stripe uses it for logging into your business's account.
HMRC (the UK government tax office) also uses it for logging in.
Various banks and financial services I use in a personal capacity rely on secondary phone authentication to set up things like new recipients for paying bills online.
They said they only got R access instead of RW access.
«Old salted and hashed passwords» This sentence means: all hashes were readable. It also means, if they are still needed on their servers, that they are probably still in use. It would have been easy to salt these hashes.
First fix holes, then redesign...
Using it as a security measure is a mistake.
Seems just as possible as hijacking your phone.
Uh huh.