Click Studios Asks Customers To Stop Tweeting About Its Passwordstate Data Breach (techcrunch.com)
Australian security software house Click Studios has told customers not to post emails sent by the company about its data breach, which allowed malicious hackers to push a malicious update to its flagship enterprise password manager Passwordstate to steal customer passwords. TechCrunch reports: Last week, the company told customers to "commence resetting all passwords" stored in its flagship password manager after the hackers pushed the malicious update to customers over a 28-hour window between April 20-22. The malicious update was designed to contact the attacker's servers to retrieve malware designed to steal and send the password manager's contents back to the attackers. In an email to customers, Click Studios did not say how the attackers compromised the password manager's update feature, but included a link to a security fix.
But news of the breach only became public after Danish cybersecurity firm CSIS Group published a blog post with details of the attack hours after Click Studios emailed its customers. Click Studios claims Passwordstate is used by "more than 29,000 customers," including in the Fortune 500, government, banking, defense and aerospace, and most major industries.
In an update on its website, Click Studios said in a Wednesday advisory that customers are "requested not to post Click Studios correspondence on Social Media." The email adds: "It is expected that the bad actor is actively monitoring Social Media, looking for information they can use to their advantage, for related attacks." "It is expected the bad actor is actively monitoring social media for information on the compromise and exploit. It is important customers do not post information on Social Media that can be used by the bad actor. This has happened with phishing emails being sent that replicate Click Studios email content," the company said. The report says Click Studios has remained extremely tightlipped about the situation. The company has refused to comment or respond to questions; it's also unclear if the company has disclosed the breach to U.S. and EU authorities, which require companies to disclose data breach incidents or face hefty fines.
RSS feed isn't updating. (Score:2)
Just FYI /. workers, the RSS feed [slashdot.org] is not keeping up with stories. Please fix this.
Pot, Kettle.. (Score:2)
Click, asked to stop Tweeting.
Riiight.
"He started it."
If you want to be treated honest and fair (Score:5, Insightful)
Trying to hide your fuck-ups behind "don't tell your mother or it will hurt your brothers and sisters" went out in the eighth grade.
Lack of signed update packages (Score:2)
This whole thing seems to boil down to "we didn't sign our update packages and don't want to look stupid."
Thankfully we didn't get hit by the issue, but we are looking at alternatives.
Please don't tell the world... (Score:3)
...how fucking stupid we are.
Streisand Effect anyone? (Score:3, Interesting)
It seems like a bunch of companies want to tool around in the PW manager business. However, PW managers need to be secure from end to end, and stuff like using vetted libraries so they don't get victimized by supply chain attacks is something that goes without saying.
A PW manager isn't that hard to do. Rule 1, all the encryption goes in the client, all authentication in the server. The best method I've seen is how both 1Password and Codebook do it. They don't just use a user ID and password, but have a third 256 key as a sync key, which the user is instructed to save aside, print as part of an emergency kit. This second key ensures that if someone grabs the password database on the servers, they can't just brute force everyone's data by guessing pass phrases. They would have to figure out what key the user is using (either compromise an endpoint or try attacking the user directly), or break AES, in order to get the stored data. It goes without saying to have the entire client signed and every piece vetted. This means a dev can't cheap out, grab some library from $DEITY knows where and have it part of the prerequisites. In fact, ideally a PW manager binary should be statically linked on UNIX systems, or as a single executable like what VMWare ThinApp provides. That, plus a redundant update mechanism, either using the operating system's update process, or fetch a GPG signed manifest over an HTTPS connection, fetch the patches and the GPG sig files, then compare the patch name, SHA sum, and length to the manifest, as well as checking if the signature file works.
For keeping signing keys secure, HSMs are not expensive. Yubikey was giving away YubiKey HSM models at a conference, and one can find other ways to guard private keys from outside attack. Hell, one could use a Raspberry Pi with a Zymbit HAT, which would work for executable packages.
Trying to shush customers is only going to make things worse. IMHO, I know I would not be using Passwordstate because of this mess, just because there are many other good, proven solutions, by people who know what they are doing, be it 1Password, BitWarden, Hashicorp Vault, Thycotic, or many others, which have security in depth, and don't play around when it comes to updates.
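The signed-manifest update check described in the comment above, written out as an added example (this is not code from the page, from Click Studios, or from any of the password managers named in the thread). It assumes the client ships with the publisher's public key, and it substitutes Ed25519 detached signatures from Go's standard library for the GPG signatures the comment mentions, since the checking logic is the same: verify the manifest's signature first, then compare each fetched patch's name, length and SHA-256 sum against the manifest, then verify the patch's own detached signature, and apply nothing unless every check passes. `BuildSignedRelease`, the file names and the patch contents are all constructed for the demonstration; the publisher-side key would live in an HSM, as the comment suggests, not in the client.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Entry is one manifest line: "<name> <sha256 hex> <length in bytes>".
type Entry struct {
	Name   string
	SHA256 string
	Length int64
}

// Patch is a downloaded update file together with its detached signature.
type Patch struct {
	Name string
	Data []byte
	Sig  []byte
}

// BuildSignedRelease is the publisher side (constructed for this example): it
// writes the manifest in a fixed order and signs the manifest and every patch.
func BuildSignedRelease(priv ed25519.PrivateKey, files map[string][]byte) (manifest, manifestSig []byte, patches []Patch) {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic manifest bytes
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&b, "%s %s %d\n", n, hex.EncodeToString(sum[:]), len(files[n]))
		patches = append(patches, Patch{Name: n, Data: files[n], Sig: ed25519.Sign(priv, files[n])})
	}
	manifest = []byte(b.String())
	manifestSig = ed25519.Sign(priv, manifest)
	return manifest, manifestSig, patches
}

// parseManifest is only called after the manifest signature has verified, but it
// still rejects malformed lines, duplicate entries and names that could escape
// the update directory.
func parseManifest(manifest []byte) (map[string]Entry, error) {
	entries := make(map[string]Entry)
	for i, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("manifest line %d: expected 3 fields, got %d", i+1, len(f))
		}
		n, err := strconv.ParseInt(f[2], 10, 64)
		if err != nil || n < 0 {
			return nil, fmt.Errorf("manifest line %d: bad length %q", i+1, f[2])
		}
		if strings.ContainsAny(f[0], `/\`) || f[0] == ".." {
			return nil, fmt.Errorf("manifest line %d: unsafe patch name %q", i+1, f[0])
		}
		if _, dup := entries[f[0]]; dup {
			return nil, fmt.Errorf("manifest line %d: duplicate entry %q", i+1, f[0])
		}
		entries[f[0]] = Entry{Name: f[0], SHA256: strings.ToLower(f[1]), Length: n}
	}
	return entries, nil
}

// VerifyUpdate runs the client-side checks in order: manifest signature, then
// name/length/SHA-256 of each patch against the manifest, then each patch's own
// signature. A non-nil error means the update must not be applied.
func VerifyUpdate(pub ed25519.PublicKey, manifest, manifestSig []byte, patches []Patch) error {
	if !ed25519.Verify(pub, manifest, manifestSig) {
		return errors.New("manifest signature does not verify; refusing update")
	}
	entries, err := parseManifest(manifest)
	if err != nil {
		return err
	}
	if len(patches) != len(entries) {
		return fmt.Errorf("manifest lists %d patches but %d were fetched", len(entries), len(patches))
	}
	seen := make(map[string]bool)
	for _, p := range patches {
		e, ok := entries[p.Name]
		if !ok {
			return fmt.Errorf("patch %q is not listed in the signed manifest", p.Name)
		}
		if seen[p.Name] {
			return fmt.Errorf("patch %q fetched twice", p.Name)
		}
		seen[p.Name] = true
		if int64(len(p.Data)) != e.Length {
			return fmt.Errorf("patch %q: length %d, manifest says %d", p.Name, len(p.Data), e.Length)
		}
		sum := sha256.Sum256(p.Data)
		if hex.EncodeToString(sum[:]) != e.SHA256 {
			return fmt.Errorf("patch %q: SHA-256 does not match manifest", p.Name)
		}
		if !ed25519.Verify(pub, p.Data, p.Sig) {
			return fmt.Errorf("patch %q: detached signature does not verify", p.Name)
		}
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed key pair for the demo
	if err != nil {
		panic(err)
	}
	files := map[string][]byte{ // constructed patch contents
		"client.patch": []byte("constructed patch contents A"),
		"helper.dll":   []byte("constructed patch contents B"),
	}
	manifest, sig, patches := BuildSignedRelease(priv, files)
	fmt.Println("clean release:", VerifyUpdate(pub, manifest, sig, patches))
	patches[0].Data = append([]byte{}, patches[0].Data...)
	patches[0].Data[0] ^= 0xff // one flipped byte in a patch
	fmt.Println("tampered patch:", VerifyUpdate(pub, manifest, sig, patches))
}
```

Checking the manifest signature before parsing it means a server that has been taken over cannot feed the client a crafted manifest at all; the per-patch hash and length checks then tie every downloaded file to that signed manifest, so swapping a patch on the download host, or serving one patch fewer than the manifest lists, fails before anything is written to disk.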
There is a magical fix. (Score:2)
May I remind you all of the magical powers of pen and paper.
Yes, for some reason people thought it was funny to give it a bad rep, due to yellow notes sticking on monitors. In practice, it's very hard to hack unless the hacker is physically at your private property and knows where to look.
Stop being so lazy. There's no excuse for it, apart from saying 'I believe anything companies and commercials tell me'. Don't trust your own computer to protect your own computer - it's a flawed concept.
Contract Management - Invoice adjustment (Score:3)
In other news... (Score:3)
Twitter reports a 500% increase in tweets about Click's password data breach.
Keep on Posting (Score:2)
I'm glad customers were posting about it. Because of that I was aware of the issue for almost a day before I was contacted by the company.
Social media is the only way to find out? (Score:3)
Because no bad actor would ever have a customer account so that they could directly acquire intelligence concerning the company's activities and also copies of company emails for use in their phishing attempts.
Dear company, you must think that those bad actors are as stupid as you.
Stop tweeting about WHAT? (Score:2)
Oh, the DATA BREACH.
See also: Streisand Effect.