12 comments

[ 3.0 ms ] story [ 39.4 ms ] thread
Excerpt:

    So we looked further, and what we found, chilled us to our bones: we were staring at the very moment the attacker gained the knowledge they needed.

    At a public conference, where a speaker from the company was talking about infrastructure. During Q&A, the future attacker asked a few very legit, on topic questions, such as what log processing solution the company used, what would the speaker recommend? Do they run LTS, or Stable branches of a particular operating system, or do they roll their own security updates? All perfectly good, innocent questions. I asked similar questions before, too! Questions anyone could have asked.

    Those questions, along with the talk before the Q&A, gave them most of the information they needed. They were able to coax an application to generate a log message that the processing tool would misparse, and everything started with that one, innocent looking message that had an extra comma.
(comment deleted)
(comment deleted)
> At a public conference, where a speaker from the company was talking about infrastructure. During Q&A, the future attacker asked a few very legit, on topic questions, such as what log processing solution the company used, what would the speaker recommend?

So what could have been an anonymous online attacker leaves his voice fingerprint and face on all the camera (security and media) recording at the public conference?

Or maybe the questions were innocent and legitimate, but another listener realised the value of the answers?
The article says "During Q&A, the future attacker asked a few very legit, on topic questions".
Sure, but it doesn’t state how they knew that the speaker was the attacker… perhaps this was one of the details that they couldn’t tell us about, but absent that, it is fair to question why they are so sure. Especially if the video is public and the questioner could be identified.

This raises further questions - if they aren’t worried about unmasking their attacker, why not go ahead and name & shame them in the article, instead of giving away just enough information to enable a witch-hunt?

(comment deleted)
They already had the person's name by that point. They traced the attack back to the attacker, and had already figured out they weren't an employee or associate of an employee.
As the article points out, a great many people - usually completely innocent - ask questions exactly like this.

I don't know if you assume that malicious actors wear hoodies and sunglasses and use voice-changers all the time or what, but in my experience, the best covert operations happen in plain sight.

Scary. I remember an old cPanel bug where a php error log ended up publicly accessible, you can guess the rest...
> some data leaked back to places where they weren't meant to arrive. Including back to the attacker.

I'm curious how that can happen. They say no file was altered, so it's not a case of the logging system overwriting a file. How could information leak back out of the logging system, and back through the application through the logging functions into user-facing responses? Was the application extracting logs to present to the user for some reason?