I mean good for them but maybe it would be even better to not have cloud-connected cameras in the office in the first place.
Regarding their zero-trust approach to networking I'm wondering what they're using to secure non-HTTP services. I know they have a product that forwards TCP traffic but I don't think you could use that for arbitrary traffic between endpoints?
They do have a process for securing other services behind Access, including arbitrary traffic and custom protocols like SSH, RDP, and SMB (although I'm not sure how much dogfooding is going on; @jgrahamc might be able to comment on that):
While Verkada may have not been the best choice, I fail to understand why remote-accessible cameras are bad? In fact, I'd say they are crucial at the level of security & monitoring needed by a company like Cloudflare.
You have to think about the trade off between not having remote accessible cameras versus having them. If you can make systems more secure by eliminating them, you can become very secure and simultaneously not very useful.
Not having remote accessible cameras would seemingly make using the cameras take longer or be less efficient. In turn, that might make detecting or tracking physical intrusions less efficient and/or less successful. Should Cloudflare take that trade off? I think it depends on their threat model.
Cloudflare's post doesn't mention it, but the Twitter account that claimed credit for the hack (and made all kinds of ridiculous boasts like "we could have owned half the internet") has been suspended.[1] Before that the owner of the account posted plenty of personal information, including selfies.[2] A Mastodon instance is where they're posting stuff now.[3]
It really seems like this person is mentally ill and it's only a matter of time before they get in trouble with law enforcement. I mean, it's standard opsec to avoid posting your mailing address on your l33t h4x0r account.[4] I realize the address is a PO box, but this is practically begging the authorities to intervene.
I would presume there's some protection in the fact that they went to the press, rather than trying to cause damage, ask for ransom money, etc. but it certainly wasn't an example of responsible disclosure either. It looked like they generally obscured faces in leaked shots.
Was there a AWS security incident relatively recently where the perpetrator also seemingly wanted their identity to be known?
I suppose any attention getting action can also be a cry for help. It is of note of a pattern emerges in conjunction with hacks of political intent / hacktivism.
While I agree that the opsec here is bad if nyancrimew doesn’t want to get arrested, I think you should disclose here, as you do in your twitter bio, that you work at Okta. Accusing the person who just breached your company of having a mental illness is not great form.
That's fair. I mean that if this person's claims are truly dubious and they seem to be seeking the spotlight, then giving them the spotlight could exacerbate their derangement. That's useless for Okta, sad for this person, and dangerous for others.
This episode brings up the psychological issues that transgender people face. It is not inappropriate to call it mental illness. This acting out against the world is a cry for help. This person admits the connection with their quote "be gay, do crime". It is possibly a response to being visibly transgender, and coping with everyone constantly reacting to you. None of this is helped by the egging-on in their social media bubble. It is not good optics, but it needs to be addressed.
To clarify, I think (or hope) this is what you're trying to say; being transgender is not a mental illness. The effects of either pretending to be cisgendered, or attempting to live life as the gender you identify can definitely lead to mental illnesses (depression, low self-worth, anxiety, etc.). I can't think of one trans person in an unaccepting household who didn't develop a few bad coping mechanism for their gender dysphoria. Luck decides if that coping mechanism leaves you scared for life (physically, mentally, socially), or if you're able to eventually unlearn it after you've gotten away from your toxic childhood environment.
> The fact that the attacker had access to a machine inside the corporate network is no better than the kind of access they’d have had if they’d connected to our corporate WiFi network.
I appreciate that they have a zero trust model, but arguably, once you have access to the network, you are one step closer to using any zero-day to get further inside.
It's good on CloudFlare that they had security beyond that which protected their customers, but it is still very bad for Verkada and CloudFlare needs to decide if they are okay continuing with a camera setup that can provide easy access to hackers to their corporate network or not, and that wasn't touched upon in the article unfortunately.
Zero trust is a good start, but claiming that it is a panacea is about as dumb as claiming that you are safe from hackers because you have strong perimeter protection. It is not just the potential for a zero-day, but the fact that direct access lets you see traffic flows and even an encrypted protocol is going to leak metadata that will tell you where to pivot and suggest potential attack vectors.
I thought the point of zero trust is there is not an inside nor an outside of the network. There are services, and those services are accessible from anywhere, so everyone is always "inside".
There can still be an inside and outside, but the inside doesn't get special privileges just because they are inside.
So it's not like each employee connects directly to the public internet and all emails, files, attachments, wikis are all exposed to the public internet and exchanged over the public internet between employees. It's likely all these are still internal to the corporate network and not accessible from the public internet. But if you are inside the network, you don't default to having access to it all either, there is an additional access control in place no matter if it is inside or not.
Now depending how confident you are on your access control layer, I have seen some companies literally expose things to the public internet and allow employees to access it without a VPN from any computer or mobile phone connected to the public internet from anywhere. I guess you can consider that on the extreme end of zero trust.
But also the question here is does CloudFlare not consider inside camera feeds (which if employees go back to office could let you look at their screens) data that should itself be secured behind their zero trust access controls?
I love how pwned corporations can now use their loss as a marketing story. "We got hacked but our product saved us! Here's how you can get hacked and live to tell the tale too, first step is just Trust Us."
EDIT: reading the comments here now, and CF is astroturfing the thread. LOL.
I also thought this rode the line a little bit on the marketing side and maybe a tad light on the security incident response side.
It’s okay to name the products and why they are used but the posts lacks some subtlety.
Reminds me of podcasts where the guest gets into talking about their product / company way too early instead of focusing discussion on the problem space in general.
CF's blog post is terrible because they are saying "hacking our junky outsourced cameras doesn't give you access to anything else" without addressing the risk that all the rest of their stuff may be as junky as the cameras that they completely failed to audit the security of.
I honestly don't see how CloudFlare is a "pwned corporation" in this situation. Their security vendor got pwned. Nothing from CloudFlare was accessed other than security footage (from the vendor).
You don't get to say you robbed a bank because you were able to walk into the lobby after hours.
> You don't get to say you robbed a bank because you were able to walk into the lobby after hours.
This was absolutely a breach of a device on their corporate network and should be treated as such. Just because the network wasn't interesting, doesn't mean the breach didn't happen.
I have sympathy for their IR team because this would just be a random Tuesday had it not made it to the press.
I guess its really "zero trust" for everyone but the security cameras from a 3rd party vendor that are on a network which can be leveraged into remote shell access to the cameras. Like.. you forgot to zero trust the cameras?
Maybe before selling us on the product, try Verkada? They seem to have a need.
35 comments
[ 3.2 ms ] story [ 83.8 ms ] threadRegarding their zero-trust approach to networking I'm wondering what they're using to secure non-HTTP services. I know they have a product that forwards TCP traffic but I don't think you could use that for arbitrary traffic between endpoints?
https://developers.cloudflare.com/cloudflare-one/application...
While Verkada may have not been the best choice, I fail to understand why remote-accessible cameras are bad? In fact, I'd say they are crucial at the level of security & monitoring needed by a company like Cloudflare.
Because that access is not as limited as it sounds, that's why.
Not having remote accessible cameras would seemingly make using the cameras take longer or be less efficient. In turn, that might make detecting or tracking physical intrusions less efficient and/or less successful. Should Cloudflare take that trade off? I think it depends on their threat model.
Cloudflare's post doesn't mention it, but the Twitter account that claimed credit for the hack (and made all kinds of ridiculous boasts like "we could have owned half the internet") has been suspended.[1] Before that the owner of the account posted plenty of personal information, including selfies.[2] A Mastodon instance is where they're posting stuff now.[3]
It really seems like this person is mentally ill and it's only a matter of time before they get in trouble with law enforcement. I mean, it's standard opsec to avoid posting your mailing address on your l33t h4x0r account.[4] I realize the address is a PO box, but this is practically begging the authorities to intervene.
1. https://twitter.com/nyancrimew
2. https://archive.is/8IJ8G
3. https://notbird.site/@deletescape
4. https://notbird.site/@deletescape/105548475573915843
I suppose any attention getting action can also be a cry for help. It is of note of a pattern emerges in conjunction with hacks of political intent / hacktivism.
It could be from a rival hacker, an innocent doxxed third party, or just completely fabricated to send investigators down a rabbit hole.
Sharing potentially personal details at this point is irresponsible and just leads to witch hunts.
The same person who leaked 20GB of Intel data? https://securityboulevard.com/2020/08/intel-leak-20gb-of-sec...
He isn't even trying to hide and does everything in the open. Like this IG https://instagram.com/deletescape
He lives in Switzerland. Does Switzerland not care about shady internet things like this?
https://www.bloomberg.com/news/articles/2021-03-12/swiss-pol...
I appreciate that they have a zero trust model, but arguably, once you have access to the network, you are one step closer to using any zero-day to get further inside.
It's good on CloudFlare that they had security beyond that which protected their customers, but it is still very bad for Verkada and CloudFlare needs to decide if they are okay continuing with a camera setup that can provide easy access to hackers to their corporate network or not, and that wasn't touched upon in the article unfortunately.
There can still be an inside and outside, but the inside doesn't get special privileges just because they are inside.
So it's not like each employee connects directly to the public internet and all emails, files, attachments, wikis are all exposed to the public internet and exchanged over the public internet between employees. It's likely all these are still internal to the corporate network and not accessible from the public internet. But if you are inside the network, you don't default to having access to it all either, there is an additional access control in place no matter if it is inside or not.
Now depending how confident you are on your access control layer, I have seen some companies literally expose things to the public internet and allow employees to access it without a VPN from any computer or mobile phone connected to the public internet from anywhere. I guess you can consider that on the extreme end of zero trust.
But also the question here is does CloudFlare not consider inside camera feeds (which if employees go back to office could let you look at their screens) data that should itself be secured behind their zero trust access controls?
It’s okay to name the products and why they are used but the posts lacks some subtlety.
Reminds me of podcasts where the guest gets into talking about their product / company way too early instead of focusing discussion on the problem space in general.
You don't get to say you robbed a bank because you were able to walk into the lobby after hours.
This was absolutely a breach of a device on their corporate network and should be treated as such. Just because the network wasn't interesting, doesn't mean the breach didn't happen.
I have sympathy for their IR team because this would just be a random Tuesday had it not made it to the press.
Maybe before selling us on the product, try Verkada? They seem to have a need.
The cameras trusted the Verkada password that Verkada gave to a couple of random teenagers on the internet.