3.8.18

Reddit reveals breach as attacker circumvents staff’s 2FA



The company has learned the hard way that there are better ways to deliver two-factor authentication than via text messages
Reddit has announced that a hacker has broken into some of its systems and accessed some user data, including an old database backup copy containing user credentials, email addresses, and messages. Additionally, the breach affected the usernames and associated email addresses of “redditors” who received email digests this past June, according to an announcement by the site’s chief technology officer Christopher Slowe.
The incident took place between June 14-18, with the company learning about it on June 19. “Since then we’ve been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again,” said Slowe.
So what exactly was compromised? For one thing, a database backup containing cryptographically salted and hashed password data from the period between the site’s launch in 2005 and May 2007. Also accessed were user names, associated email addresses, and all of the users’ messages, including private ones, up until May 2007. To be sure, the site was a much, much smaller place back then.
In its response to the breach, Reddit is resetting the passwords on the accounts of users who it believes may have been affected. Needless to say, people who still use the same password elsewhere should change their credentials on the other sites, too.
Additionally, the hack also compromised email digests that the site sent out to users between June 3-17 of this year. These digests connect a user name to the corresponding email address, thus potentially exposing the users’ anonymity, while also containing suggested posts from selected subreddits to which the users subscribe.
SMS 2FA hardly a hurdle
One thing that stands out in this incident is that the attacker broke into the cloud hosting and source-code repository accounts of several Reddit employees despite the fact that they use SMS-based two-factor authentication (2FA).
“Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA,” wrote Slowe.
Security professionals have, in fact, advised against using text messages as the second factor because such messages are susceptible to interception. Hardware tokens and authenticator apps are more secure alternatives.
The site found solace in the fact that “the attacker did not gain write access to Reddit systems”. “[T]hey gained read-only access to some systems that contained backup data, source code and other logs. They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems,” said the site.

2.8.18

HP offers rewards for hacking its printers



But don’t get too excited just yet: the first-of-its-kind bug bounty program for printers is invite-only for now
Researchers can earn up to $10,000 for identifying security flaws in printers made by HP in what is the first bug bounty program aimed specifically at printers, according to an announcement by the tech giant on Tuesday.
The payouts will depend on the severity of the flaw discovered, and HP may also make a “good faith payment” for a report of a vulnerability that the firm has already identified. Security Week said that the researchers have been told to home in on firmware-level bugs.
HP’s initiative is a nod to the fact that security threats go beyond computers to include any device connected to a network. Indeed, internet-connected printers can be a serious security liability. Attackers can steal sensitive data from them, coerce them into revealing users’ administrator passwords, and use the devices as jumping-off points for further compromises of networks. Printers can also be corralled into botnets, as has happened with Mirai.
HP highlighted its commitment to ensuring the highest level of printer security in order to lessen the risk of such threats. “As we navigate an increasingly complex world of cyber threats, it’s paramount that industry leaders leverage every resource possible to deliver trusted, resilient security from the firmware up,” HP’s Chief Technologist of Print Security Shivaun Albright was quoted as saying. “HP is committed to engineering the most secure printers in the world,” she added.
Dark Reading wrote that HP’s focus on printer security is also because – compared to flaws in other Internet-of-Things (IoT) devices – vulnerabilities in printers have generally been on the back burner. “There’s a big focus on connected devices like Web cameras or smart TVs, which are highly relatable to everyone, but not printers necessarily,” Albright was quoted as saying. “That said, printers may be the most common IoT device an individual uses.”
Meanwhile, CNET quoted Albright as saying that the bug-hunting program had actually been quietly launched in May. Thirty-four researchers signed up back then, and one of them has already received $10,000 for finding a serious loophole in HP’s printers. The program is invite-only for now, which makes the flow of incoming vulnerability reports easier to manage. HP aims to make the program public in the future, however.
The initiative is backed by security crowdsourcing company Bugcrowd, which will manage the vulnerability reporting and verification, as well as decide which researchers are invited to join. HP also quoted the firm’s recent report, which stated that the total number of print vulnerabilities across the industry has increased 21% during the past year.
The researchers who have been chosen to participate in the initiative have been provided with remote access to 15 printers, which are isolated in HP’s offices. “From their computers at home, they can poke at and pry into these machines to find hidden vulnerabilities,” wrote CNET.