So we looked further, and what we found, chilled us to our bones: we were staring at the very moment the attacker gained the knowledge they needed.
At a public conference, where a speaker from the company was talking about infrastructure. During Q&A, the future attacker asked a few very legit, on topic questions, such as what log processing solution the company used, what would the speaker recommend? Do they run LTS, or Stable branches of a particular operating system, or do they roll their own security updates? All perfectly good, innocent questions. I asked similar questions before, too! Questions anyone could have asked.
Those questions, along with the talk before the Q&A, gave them most of the information they needed. They were able to coax an application to generate a log message that the processing tool would misparse, and everything started with that one, innocent looking message that had an extra comma.
> At a public conference, where a speaker from the company was talking about infrastructure. During Q&A, the future attacker asked a few very legit, on topic questions, such as what log processing solution the company used, what would the speaker recommend?
So what could have been an anonymous online attacker leaves his voice fingerprint and face on all the camera (security and media) recording at the public conference?
Sure, but it doesn’t state how they knew that the speaker was the attacker… perhaps this was one of the details that they couldn’t tell us about, but absent that, it is fair to question why they are so sure. Especially if the video is public and the questioner could be identified.
This raises further questions - if they aren’t worried about unmasking their attacker, why not go ahead and name & shame them in the article, instead of giving away just enough information to enable a witch-hunt?
They already had the person's name by that point. They traced the attack back to the attacker, and had already figured out they weren't an employee or associate of an employee.
As the article points out, a great many people - usually completely innocent - ask questions exactly like this.
I don't know if you assume that malicious actors wear hoodies and sunglasses and use voice-changers all the time or what, but in my experience, the best covert operations happen in plain sight.
> some data leaked back to places where they weren't meant to arrive. Including back to the attacker.
I'm curious how that can happen. They say no file was altered, so it's not a case of the logging system overwriting a file. How could information leak back out of the logging system, and back through the application through the logging functions into user-facing responses? Was the application extracting logs to present to the user for some reason?
12 comments
[ 3.0 ms ] story [ 39.4 ms ] threadSo what could have been an anonymous online attacker leaves his voice fingerprint and face on all the camera (security and media) recording at the public conference?
This raises further questions - if they aren’t worried about unmasking their attacker, why not go ahead and name & shame them in the article, instead of giving away just enough information to enable a witch-hunt?
I don't know if you assume that malicious actors wear hoodies and sunglasses and use voice-changers all the time or what, but in my experience, the best covert operations happen in plain sight.
I'm curious how that can happen. They say no file was altered, so it's not a case of the logging system overwriting a file. How could information leak back out of the logging system, and back through the application through the logging functions into user-facing responses? Was the application extracting logs to present to the user for some reason?