Why CISA Is Warning CISOs About a Breach At Sisense (krebsonsecurity.com) 14
An anonymous reader quotes a report from KrebsOnSecurity: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said today it is investigating a breach at business intelligence company Sisense, whose products are designed to allow companies to view the status of multiple third-party online services in a single dashboard. CISA urged all Sisense customers to reset any credentials and secrets that may have been shared with the company, which is the same advice Sisense gave to its customers Wednesday evening. New York City based Sisense has more than 1,000 customers across a range of industry verticals, including financial services, telecommunications, healthcare and higher education. On April 10, Sisense Chief Information Security Officer Sangram Dash told customers the company had been made aware of reports that "certain Sisense company information may have been made available on what we have been advised is a restricted access server (not generally available on the internet.)" In its alert, CISA said it was working with private industry partners to respond to a recent compromise discovered by independent security researchers involving Sisense.
Sisense declined to comment when asked about the veracity of information shared by two trusted sources with close knowledge of the breach investigation. Those sources said the breach appears to have started when the attackers somehow gained access to the company's code repository at Gitlab, and that in that repository was a token or credential that gave the bad guys access to Sisense's Amazon S3 buckets in the cloud. Both sources said the attackers used the S3 access to copy and exfiltrate several terabytes worth of Sisense customer data, which apparently included millions of access tokens, email account passwords, and even SSL certificates.
The incident raises questions about whether Sisense was doing enough to protect sensitive data entrusted to it by customers, such as whether the massive volume of stolen customer data was ever encrypted while at rest in these Amazon cloud servers. It is clear, however, that unknown attackers now have all of the credentials that Sisense customers used in their dashboards. The breach also makes clear that Sisense is somewhat limited in the clean-up actions that it can take on behalf of customers, because access tokens are essentially text files on your computer that allow you to stay logged in for extended periods of time -- sometimes indefinitely. And depending on which service we're talking about, it may be possible for attackers to re-use those access tokens to authenticate as the victim without ever having to present valid credentials. Beyond that, it is largely up to Sisense customers to decide if and when they change passwords to the various third-party services that they've previously entrusted to Sisense. "If they are hosting customer data on a third-party system like Amazon, it better damn well be encrypted," said Nicholas Weaver, a researcher at University of California, Berkeley's International Computer Science Institute (ICSI) and lecturer at UC Davis. "If they are telling people to rest credentials, that means it was not encrypted. So mistake number one is leaving Amazon credentials in your Git archive. Mistake number two is using S3 without using encryption on top of it. The former is bad but forgivable, but the latter given their business is unforgivable."
Sisense declined to comment when asked about the veracity of information shared by two trusted sources with close knowledge of the breach investigation. Those sources said the breach appears to have started when the attackers somehow gained access to the company's code repository at Gitlab, and that in that repository was a token or credential that gave the bad guys access to Sisense's Amazon S3 buckets in the cloud. Both sources said the attackers used the S3 access to copy and exfiltrate several terabytes worth of Sisense customer data, which apparently included millions of access tokens, email account passwords, and even SSL certificates.
The incident raises questions about whether Sisense was doing enough to protect sensitive data entrusted to it by customers, such as whether the massive volume of stolen customer data was ever encrypted while at rest in these Amazon cloud servers. It is clear, however, that unknown attackers now have all of the credentials that Sisense customers used in their dashboards. The breach also makes clear that Sisense is somewhat limited in the clean-up actions that it can take on behalf of customers, because access tokens are essentially text files on your computer that allow you to stay logged in for extended periods of time -- sometimes indefinitely. And depending on which service we're talking about, it may be possible for attackers to re-use those access tokens to authenticate as the victim without ever having to present valid credentials. Beyond that, it is largely up to Sisense customers to decide if and when they change passwords to the various third-party services that they've previously entrusted to Sisense. "If they are hosting customer data on a third-party system like Amazon, it better damn well be encrypted," said Nicholas Weaver, a researcher at University of California, Berkeley's International Computer Science Institute (ICSI) and lecturer at UC Davis. "If they are telling people to rest credentials, that means it was not encrypted. So mistake number one is leaving Amazon credentials in your Git archive. Mistake number two is using S3 without using encryption on top of it. The former is bad but forgivable, but the latter given their business is unforgivable."
Solved in the 1990s (Score:4, Informative)
The monitoring of hardware,server software and databases was figured out in the 1990s.
1) No, you don't get to install an agent on my server machine
2) No. you don't get an administrator login to the server machine, database server or app server software
3) No, you don't get to put your log files on a server machine
4) No, you don't get to access the local disk of a server machine
5) No, you only get to run SQL SELECT queries against the database server and install no objects on the database server
6) No, you don't get to store your results outside of our server room or send transactions/stream data through an external third-party service provider
7) No, your monitoring activities should take up less than 1% of the server machine's processing power
8) No, you can't use email as your data streaming platform
9) No, you can't do port scanning on our network to auto-discover hardware, database servers or app software
Just because it's cloud doesn't mean that a version of some or all of the above points can't be made too.
Re: (Score:2)
Was it solved? I was there and I don't think it was solved. I have been burned by using things like WhatsUp and Kiwi discovered that for example a sqlserver was still handling logins and responding to "select 1" just fine. This was the early 2000s not the 90s but the a lot of tools were 90s vintage.
Never mind two application servers were continually trying to run and re-run and couple long procedures in transactions that triggered mutual locking issues causing both to be killed, and the transaction rolled
Shady Sales Guys (Score:3)
Unforgivable (Score:3)
Stop hosting sensitive information in the cloud! (Score:4)
Geezus. Rule #1 of the internet should be "Do not host private information in the cloud you idiot!"
This is less of a slam against AWS and more against the idiocy of trying to save money by outsourcing to third parties who do not have your best interests in mind. They want money, they provide you the tools, it's up to you to use them correctly or you shouldn't be using their service at all.
And I have to say this over and over to people who are like "I'll just pay someone else less money to do what you're doing", "yeah, and where's your support and maintenance contract for that cheaper thing? Where are they? Where are their servers?" Cause sure, it might be 1/10th the cost to outsource to south/southeast asia, but they do not share the same culture about privacy and security north america does, at all.
If you are outsourcing where your customer data is located to the cloud, you have utterly failed, and your business should probably go bankrupt.
Re: (Score:1)
Three card monte (Score:2)
The cloud is just introducing new services faster than your customers find out how bad, poorly designed and costly to implement/maintain solutions on your existing cloud services.
Google: "Cloud repatriation"
Headline is OK (Score:5, Funny)
But it's not quite as good as "She sells sea shells by the seashore".
Re: (Score:2)
Beat me to it.
Actually it comes out "She shells shee sells by the sheshore".
CISA, CISO, Sisense (Score:5, Funny)
Now read it again in the voice of Bigguth Dickuth: https://www.youtube.com/watch?... [youtube.com]
Related story (Score:3)
On Thursday, Microsoft confirmed Russian hackers gained access [cnn.com] to emails between itself and government agencies via a breach of Microsoft's email system. Information potentially exposed included login information, usernames, and passwords.
“At this time, we are not aware of any agency production environments that have experienced a compromise as a result of a credential exposure,” Goldstein said. In other words, a CISA official told CNN, there is no evidence yet that the hackers had used the stolen credentials to successfully break into federal computer systems that are actively in use.
. . .
The same Russian group was behind the infamous breach of several US agency email systems using software made by US contractor SolarWinds, which was revealed in 2020. The hackers had access for months to the unclassified email accounts at the departments of Homeland Security and Justice, among other agencies, before the spying operation was discovered.
Since Sisense says it doesn't know how it was compromised, there is the possibility this breach, or ones which came before it, were used.
rest credentials? (Score:2)
And they didn't... (Score:1)