Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security

Why CISA Is Warning CISOs About a Breach At Sisense (krebsonsecurity.com) 14

An anonymous reader quotes a report from KrebsOnSecurity: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said today it is investigating a breach at business intelligence company Sisense, whose products are designed to allow companies to view the status of multiple third-party online services in a single dashboard. CISA urged all Sisense customers to reset any credentials and secrets that may have been shared with the company, which is the same advice Sisense gave to its customers Wednesday evening. New York City based Sisense has more than 1,000 customers across a range of industry verticals, including financial services, telecommunications, healthcare and higher education. On April 10, Sisense Chief Information Security Officer Sangram Dash told customers the company had been made aware of reports that "certain Sisense company information may have been made available on what we have been advised is a restricted access server (not generally available on the internet.)" In its alert, CISA said it was working with private industry partners to respond to a recent compromise discovered by independent security researchers involving Sisense.

Sisense declined to comment when asked about the veracity of information shared by two trusted sources with close knowledge of the breach investigation. Those sources said the breach appears to have started when the attackers somehow gained access to the company's code repository at Gitlab, and that in that repository was a token or credential that gave the bad guys access to Sisense's Amazon S3 buckets in the cloud. Both sources said the attackers used the S3 access to copy and exfiltrate several terabytes worth of Sisense customer data, which apparently included millions of access tokens, email account passwords, and even SSL certificates.

The incident raises questions about whether Sisense was doing enough to protect sensitive data entrusted to it by customers, such as whether the massive volume of stolen customer data was ever encrypted while at rest in these Amazon cloud servers. It is clear, however, that unknown attackers now have all of the credentials that Sisense customers used in their dashboards. The breach also makes clear that Sisense is somewhat limited in the clean-up actions that it can take on behalf of customers, because access tokens are essentially text files on your computer that allow you to stay logged in for extended periods of time -- sometimes indefinitely. And depending on which service we're talking about, it may be possible for attackers to re-use those access tokens to authenticate as the victim without ever having to present valid credentials. Beyond that, it is largely up to Sisense customers to decide if and when they change passwords to the various third-party services that they've previously entrusted to Sisense.
"If they are hosting customer data on a third-party system like Amazon, it better damn well be encrypted," said Nicholas Weaver, a researcher at University of California, Berkeley's International Computer Science Institute (ICSI) and lecturer at UC Davis. "If they are telling people to rest credentials, that means it was not encrypted. So mistake number one is leaving Amazon credentials in your Git archive. Mistake number two is using S3 without using encryption on top of it. The former is bad but forgivable, but the latter given their business is unforgivable."
This discussion has been archived. No new comments can be posted.

Why CISA Is Warning CISOs About a Breach At Sisense

Comments Filter:
  • by keltor ( 99721 ) * on Thursday April 11, 2024 @11:25PM (#64388358)
    Sooo, these sales guys swore up and down their stuff was solid as a vise, but they gave me the security architect heebie jeebies and I said "nope". At least initial reports seems to suggest I was right.
    • Writing credentials down, or hardcoded in scripts is just as negligent as writing down passwords on post-it notes. Paper and in a safe better. SMS'ing them is just as bad. Real companies like RSA did do things properly, but still had state based actors doing incredible attacks - even a decade ago! Heaps of companies are still using dumb FTP, not SFTP with hardcoded script passwords. One day we will have time generated 2 factor authentication everywhere - but not today.
  • by Kisai ( 213879 ) on Friday April 12, 2024 @12:14AM (#64388406)

    Geezus. Rule #1 of the internet should be "Do not host private information in the cloud you idiot!"

    This is less of a slam against AWS and more against the idiocy of trying to save money by outsourcing to third parties who do not have your best interests in mind. They want money, they provide you the tools, it's up to you to use them correctly or you shouldn't be using their service at all.

    And I have to say this over and over to people who are like "I'll just pay someone else less money to do what you're doing", "yeah, and where's your support and maintenance contract for that cheaper thing? Where are they? Where are their servers?" Cause sure, it might be 1/10th the cost to outsource to south/southeast asia, but they do not share the same culture about privacy and security north america does, at all.

    If you are outsourcing where your customer data is located to the cloud, you have utterly failed, and your business should probably go bankrupt.

    • Remember Pentagon shifted a dozen billions of dollars cloud contracts from Microsoft to Amazon, so Microsoft prolly is behind this breach pushing Amazon toward the cliff, but better question is, what kind of OS that company is using to connect Amazon's cloud servers? Does it have telemetry, ads, spyware, AI, client side scanning, and full of proprietaries?
      • The cloud is just introducing new services faster than your customers find out how bad, poorly designed and costly to implement/maintain solutions on your existing cloud services.

        Google: "Cloud repatriation"

  • by sjames ( 1099 ) on Friday April 12, 2024 @12:35AM (#64388422) Homepage Journal

    But it's not quite as good as "She sells sea shells by the seashore".

  • by VeryFluffyBunny ( 5037285 ) on Friday April 12, 2024 @02:04AM (#64388482)
    Well, if CISA is warning CISOs about Sisense, then Sisense is bad for CISOs because CISA saw Sisense selling security services that CISA thought CISOs should see are so not secure, so it makes sense that CISA should warn CISOs about Sisense.

    Now read it again in the voice of Bigguth Dickuth: https://www.youtube.com/watch?... [youtube.com]
  • by quonset ( 4839537 ) on Friday April 12, 2024 @05:39AM (#64388714)

    On Thursday, Microsoft confirmed Russian hackers gained access [cnn.com] to emails between itself and government agencies via a breach of Microsoft's email system. Information potentially exposed included login information, usernames, and passwords.

    “At this time, we are not aware of any agency production environments that have experienced a compromise as a result of a credential exposure,” Goldstein said. In other words, a CISA official told CNN, there is no evidence yet that the hackers had used the stolen credentials to successfully break into federal computer systems that are actively in use.
    . . .
    The same Russian group was behind the infamous breach of several US agency email systems using software made by US contractor SolarWinds, which was revealed in 2020. The hackers had access for months to the unclassified email accounts at the departments of Homeland Security and Justice, among other agencies, before the spying operation was discovered.

    Since Sisense says it doesn't know how it was compromised, there is the possibility this breach, or ones which came before it, were used.

  • Is their editor ChatGPT?
  • - Scan their repos for secrets - Restrict the use of the usr/role to their own VPCs or IP CIDRs. - Monitor use of their tokens for things like new IP sources or locations - Monitor their S3 activity to detect possible exfiltration and - Have a process ready to quickly shut down access to their buckets in an incident

Pascal is not a high-level language. -- Steven Feiner

Working...