
Hacker Bribed 'Roblox' Insider to Access User Data - danso
https://www.vice.com/en_us/article/qj4ddw/hacker-bribed-roblox-insider-accessed-user-data-reset-passwords
======
UI_at_80x24
The real takeaway from this:

Do your threat models include your staff? Of course, nobody has admin access.

Do your threat models include your staff accessing restricted information that
they need to access? How do you stop somebody from doing their job?

IME this is a great interview question to ask potential employers. The rabbit
hole that you are required to go down will open eyes.

The answer is: you can't. But how you mitigate damage (with data silos) and
engage in disaster recovery after the fact puts you in excellent condition to
weather any storm.

~~~
umvi
This is why security is an onerous black hole.

Security folks always condescendingly lambaste companies not using best
practices, but security is literally the worst. It's an infinitely deep hole
of money, time, and CPU cycles.

If you create a startup with security best practices you'll never get anything
done because you have to build everything in a way such that you don't trust
anyone, including your own staff. So now your staff have ball and chains
shackled to their ankles to prevent them from misbehaving (but also preventing
them from having agility).

It's 100x cheaper and easier to do the cheapest 80% of security, and then hope
that you don't get exploited by the other 20%.

~~~
mox1
You say black hole, us security people call it a "hard problem".

I mean lots of IT things are or end up being black holes.

I will say though, usually, attitudes like yours end up causing more problems
than they solve (casual dismissal of security in general, more of a bother,
doesn't stop everyone, waste of time, etc. etc.)

I like to think of security like this: My goal is to make it as hard and
annoying as possible for bad guys to do bad things to the systems I'm
responsible for. Yes, black hole, but my (infinite) glass is half-full.

~~~
umvi
The problem with security is that there is never "enough." It's a game of cat
and mouse that will consume ever increasing amounts of time, money, and
electricity until the end of time. Time, money, and electricity that could be
spent on other things. Pretty soon I expect 50% of my electricity to be
uselessly devoted to spectre mitigation and other security concerns instead
of, you know, computing useful stuff.

Yes, I get we live in a world where bad people take advantage of others,
making security necessary.

But if security people had their way, hobbyists wouldn't be allowed to hack
together a side project without first hiring a $100k/year security specialist.

> My goal is to make it as hard and annoying as possible for bad guys to do
> bad things to the systems I'm responsible for.

By making it hard and annoying for the good guys to do their job as well. I
know it's all necessary, but you can't deny that. Having to beg and plead with
the IT security gatekeepers every time I want to [open a port for a
webserver/install some package/etc] is more onerous than me having sudo
privileges, especially when IT tickets take 2-3 days to resolve. And that's
just one example. Anything security related is usually a pain. HTTPS is much
more painful than HTTP, for example.

~~~
saagarjha
Security is a trade off. Everyone knows that the most secure computer is one
that you never turn on; the job of your security team is to strike a balance
that is better than that.

~~~
TeMPOraL
> _the job of your security team is to strike a balance that is better than
> that._

There are two ways to strike a balance. A cooperative way, and a competitive
way. A cooperative way is when all sides get together and hammer out an
optimal solution, and then implement it in agreement. A competitive way is
when everyone pushes to maximize their interest, and through the fighting, an
equilibrium establishes itself[0].

I think GP is complaining about security teams that approach their job in a
competitive manner, instead of a cooperative one.

--

[0] - You'll note that this is how competitive markets work; this both makes
them a robust decision-making mechanism, and an incredibly wasteful one.

~~~
whatshisface
Firms in competitive markets don't fight; fighting would be if one firm's
products somehow un-manufactured another firm's products. So, the defense
industry, and nothing else. They hurt _each other's_ bottom lines, but help
society as a whole by collaborating to produce more of whatever it is they're
selling.

~~~
TeMPOraL
> _fighting would be if one firm's products somehow un-manufactured another
> firm's products_

They absolutely do, and would do it much more if most ways of doing that
weren't strictly illegal. A particularly notorious, legal way of
unmanufacturing your competitor's product is when both yours and theirs rely
on a common component - so you can buy out the entire supply of that component
to prevent your competitor from releasing a similar product after you. Off the
top of my head, Apple did that with these mini hard drives for iPods.

A more common example of fighting is advertising, which becomes a zero-sum
game when the market for a product category saturates.

------
ChrisArchitect

      This is Mr. Eddie Vedder, from
      Accounting. I just had a power surge here at
      home that wiped out a file I was working on.
      Listen, I'm in big trouble, do you know
      anything about computers?

      Right, well my BLT drive on my computer just
      went AWOL, and I've got this big project due
      tomorrow for Mr. Kawasaki, and if I don't get
      it in, he's gonna ask me to commit Hari Kari...

      Yeah, well, you know these Japanese management
      techniques.
      Could you, uh, read me the number on the
      modem?

_--Dade social engineers a security guy over the phone in Hackers_

~~~
function_seven
For those on mobile:

> This is Mr. Eddie Vedder, from Accounting. I just had a power surge here at
> home that wiped out a file I was working on. Listen, I'm in big trouble, do
> you know anything about computers?

> Right, well my BLT drive on my computer just went AWOL, and I've got this
> big project due tomorrow for Mr. Kawasaki, and if I don't get it in, he's
> gonna ask me to commit Hari Kari...

> Yeah, well, you know these Japanese management techniques. Could you, uh,
> read me the number on the modem?

------
rietta
I'll be using this example for years to come with clients who push back on why
certain logging and alerting functionality has to be part of customer service
related user stories as an acceptance criteria! There is always the insider
threat!

~~~
rietta
Seriously. This fits directly one of my go to examples of a user story that
needs security constraints:

"As customer service, I need to be able to help my customer regain access to
their account easily so that they can continue to do business with us."

I'm teaching a group of developers about Risk Assessment and threat modeling
on Wednesday. This is perfect timing to enhance the lesson slides with this
story and have them think about "Fraud Against People Assets".

As customer service, I need to be able to help my customer regain access to
their account easily so that they can continue to do business with us.

Security Threat: Customer service agents may use their trusted access for
fraudulent purposes.

Compensating Controls / Acceptance Criteria

1. Software should log all customer service actions and write to a file that
is kept for 1 year for review

2. Users should be informed that their actions are logged in clear, bold
language when accessing customer portal

3. Notify customers at already known contact when anything about their
account is changed by customer service portal
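
The three compensating controls in the comment above, as an added example that is not code from the thread or from Roblox: a small Python wrapper that routes every support action through one audited path. The portal class, the customer records, and the agent and ticket ids are constructed for illustration; the notification goes to the contact that was on file before the change, so an agent cannot redirect it.

```python
import json
import time

RETENTION_SECONDS = 365 * 86400  # control 1: audit records kept for one year
AUDIT_NOTICE = ("NOTICE: every action taken in this portal is recorded under "
                "your agent ID and reviewed.")  # control 2: shown in the portal


class CustomerServicePortal:
    """Routes every privileged support action through one audited path."""

    def __init__(self, customers, clock=time.time):
        self.customers = customers  # constructed: customer_id -> {"email": ...}
        self.clock = clock          # injectable so retention can be tested
        self.audit = []             # append-only; export_jsonl() writes it out
        self.outbox = []            # stand-in for the real mail/SMS sender

    def banner(self):
        return AUDIT_NOTICE

    def _log_and_notify(self, agent_id, customer_id, action, detail, contacts):
        entry = {"ts": self.clock(), "agent": agent_id, "customer": customer_id,
                 "action": action, "detail": detail}
        self.audit.append(entry)
        # control 3: the notice goes to contacts already on file, never to an
        # address the agent typed in during this same request.
        for contact in contacts:
            self.outbox.append((contact, f"support agent {agent_id}: {action}"))
        return entry

    def reset_password(self, agent_id, customer_id, ticket_id):
        # The reset link is delivered to the customer; the agent never sees it.
        contact = self.customers[customer_id]["email"]
        return self._log_and_notify(agent_id, customer_id, "password_reset",
                                    {"ticket": ticket_id}, [contact])

    def change_email(self, agent_id, customer_id, new_email, ticket_id):
        old = self.customers[customer_id]["email"]
        self.customers[customer_id]["email"] = new_email
        # Notify the OLD address too, so a hijack attempt is visible to the owner.
        return self._log_and_notify(agent_id, customer_id, "email_change",
                                    {"ticket": ticket_id, "old": old, "new": new_email},
                                    [old, new_email])

    def export_jsonl(self):
        """Drop records older than the retention window; return the rest as JSON lines."""
        cutoff = self.clock() - RETENTION_SECONDS
        self.audit = [e for e in self.audit if e["ts"] >= cutoff]
        return "\n".join(json.dumps(e) for e in self.audit)
```

The JSON lines returned by `export_jsonl()` are what a reviewer (or a red team exercise of the kind suggested elsewhere in this thread) would grep for agents touching accounts they have no ticket for.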

------
VikingCoder
Step 1, audit everything.

Step 2, have a Red Team that's trying to do sneaky things. Make sure you can
catch them.

Is this not obvious?

I mean, it's as obvious to me as "if it's important, back it up," and "if you
don't test backups, they're not backups."

Roblox Corporation raised $150M at a $2.5B valuation, in 2018. [1]

That's big enough that they should understand these rules and follow them.

[1] [https://variety.com/2018/gaming/news/roblox-investor-funding...](https://variety.com/2018/gaming/news/roblox-investor-funding-1202926691/)

~~~
techntoke
How is this data not covered under COPPA? Most people I know that play Roblox
are under 13 years old.

------
dgrin91
Does it really count as a 'hacker' if it was just a straight up bribe? Where
is the hacking here?

~~~
munchbunny
I’d categorize this under social engineering, so... probably counts.

But the terminology issue seems like a surface detail. The attack vector
(bribing an insider with front door access to customer data) is a pretty big
and actively exploited class of organizational vulnerabilities, so it’s a
security problem anyway.

~~~
mc32
It is a security problem but it’s not hacking. Default passwords are security
problems but they’re also not hacking. Overhearing conversations in an airport
or bar or whatever where sensitive information is disclosed is a security risk
but also isn’t hacking.

~~~
wolco
These are all examples of hacking. Finding a way in is the goal; it can be a
clever way, but sometimes doing the obvious is more clever.

~~~
umvi
So is torturing a password out of someone hacking? I suppose if the torture
method involves a hacksaw.

~~~
danso
Hacking imho implies a workaround or circumvention that has a certain degree
of cost-effectiveness and an indirect angle of attack (e.g. many types of
remote exploits). For example, I don't know if I'd consider a brute force
calculation of a password to be "hacking", if the cost and time of computing
resources outweighed the potential gain. And while hacking a user's arm off
might be more "cost-effective" (to put it coldly) than brute forcing their
password, it essentially requires the resources and opportunity to have very
direct physical access – in the same way that blowing off a bank vault door
with explosives doesn't feel like "hacking".

But in any case, I don't think bribery as an effective attack vector for a
service as big as Roblox is so self-evident that it lacks cleverness or
insight. It's not just the work of finding someone with access privileges
(could be as "easy" as searching LinkedIn for people listing Roblox as an
employer), but also knowing what to bargain for (e.g. account credentials
versus "give me the password of the richest Roblox player"), _and_ having the
confidence that the system would allow me essentially unfettered access (i.e.
weak access-control policies and threat detection).

Logically, if bribery is such a straightforward and cost-effective attack,
then people would be going hard all the time bribing insider employees at a
bank. Yet if I had the money and time and willingness for illegal behavior,
I'm not at all certain what unauthorized access I could get from any bank
employee, nevermind how far I'd get undetected.

To put it another way, "legitimate" hacks usually reveal major substantive
ways that a system can/should be hardened. I think it's pretty obvious how
Roblox's access-control and auditing should be hardened after this kind of
intrusion. How would a company realistically improve its security after
learning a user's own account was compromised after the user was tortured into
giving away their credentials?

------
mschuster91
And this is why you should not make backend services accessible from the wide
Internet, only from a 2-factor secured VPN or corporate internal network.

It's utterly amazing how many companies got hacked by this oversight.

~~~
madjam002
Why not just make the back office require 2fa? No need for a VPN.

~~~
mschuster91
Simple: because an Internet-accessible backend will always be a prime target
for hackers. RCE exploits, API endpoints where the developer forgot or
misconfigured the authorization checks, credential spoofing/phishing... keep
that stuff on the real intranet and a whole class of attacks simply vanishes.

~~~
madjam002
And a VPN isn't subject to exploits or misconfiguration either?

I'd much rather put my back office behind a 2fa in the browser than use a VPN,
it's a far better user experience. Using an off the shelf reverse proxy or
commercial solution mitigates to some extent the risk of developers messing up
the auth, but both a VPN and proxy can be misconfigured.

[https://cloud.google.com/beyondcorp](https://cloud.google.com/beyondcorp)

~~~
robotnikman
I would argue that making sure a VPN is correctly configured is easier than
making sure every single backend service is configured correctly and patched
against all known vulnerabilities. Overall I think it's best to keep those
things on the company intranet and only accessible remotely via VPN, while
further limiting the employee to have access only to the services they need on
the network.

Even better though, why not use both 2fa and locking such important services
to the intranet or behind a VPN?

------
annoyingnoob
Does Roblox pay the folks with access to this system a living wage? Why was it
so easy to sway someone in this group?

~~~
Nextgrid
This is the main problem and it isn't specific to Roblox; mobile carriers have
the same attack vector when it comes to fraudulent SIM swaps.

------
ipnon
The boundary between cyber criminal and smooth criminal has always been
blurred. Consider the social engineering prerequisite for
LOVE-LETTER-FOR-YOU.txt.vbs. No one remembers his other worms because nobody
opens malware.sh.

------
notadev
Back in the days of AOL, before phishing became mainstream, it was all about
getting the leetest screen names or wielding power over inferior "hacking"
rivals. One of the easiest ways was to befriend college kids who worked as
CSRs and eventually extract enough info to call in and reset the password.
That eventually stopped working so well when AOL added auditing to their
customer support activities. History repeats itself!

------
quijoteuniv
Online criminal = hacker. That is probably the use of the word for most people.

------
lihaciudaniel
To prove a point that these people use Microsoft framework for their back
end development.

------
al_chemist
Does that mean Jeff Bezos is potentially the strongest hacker?

~~~
lihaciudaniel
Doing illegal stuff for money and bribes has existed since antiquity; it's just
human nature.

