
On Cybersecurity and Being Targeted - kenneth_reitz
http://www.kennethreitz.org/essays/on-cybersecurity-and-being-targeted
======
dsacco
I applaud the fast response, especially contacting a security engineer to be
removed from the GitHub organization. One particular bit stuck out to me.

>> _In this instance, though, the attack vector was DNS. My account at the
not-so-incredibly-common DNSimple.com did not use a highly secure password. I
didn’t think it was necessary, as in my mind, the only reason that the
security of an account like that would be at risk would be if I was the
explicit target of an attack. Once again, I thought to myself “That’s
something that only happens to other people”._

Kenneth used a randomly generated password and two-factor authentication on
his GitHub account, which is great! But on DNSimple he made the decision to
forgo better security because it seemed unlikely to be a target.

It is not enough to use _some_ strong passwords for the things you _think_ are
sensitive. Every weak password is a weak link in your total identity chain.

The best way to use a password manager is to never give yourself authority to
make passwords unless they are randomly generated. Even if the site or account
in question appears innocuous or insignificant, even if it does not allow you
to make a password of your manager's default strength, _commit yourself to
going through this process 100% of the time._

Yes, it's a usability pain to constantly use a browser extension to log in.
But that pain is nothing compared to the stress of a compromise or targeted
attack.

Until password management or authentication are substantially overhauled on
the web, the most optimal solution for protecting yourself is constant,
militant vigilance with passwords. I don't know any of my passwords at all,
and what's more, I even have randomly generated answers to security questions.

Also, where possible, use two-factor authentication. You can use SMS, Authy,
Google Authenticator, a Yubikey, whatever. Just turn the damn thing on and use
it if it's available to you.
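Added example, not part of dsacco's comment: the "randomly generated, 100% of the time" rule in code. It draws every password from the OS CSPRNG (`secrets`), enforces the character classes a site insists on, and shows how to compensate for a restricted alphabet (a site that bans symbols, or a "security question" that only accepts letters and digits) by increasing length until a target entropy is reached. The alphabets, lengths and the 128-bit target are this example's own choices.

```python
import math
import secrets
import string

# Full printable alphabet a password manager would use by default.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation
# Alphabet for sites that reject symbols, or for "security question" answers,
# which are often restricted to letters and digits.
ALNUM_ALPHABET = string.ascii_letters + string.digits


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string: `length` symbols, `alphabet_size` choices each."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(target_bits, alphabet_size):
    """Shortest length that reaches `target_bits` of entropy with the given alphabet.

    This is the number to reach for when a site forbids symbols: a smaller
    alphabet is compensated for with a longer password, not a weaker one.
    """
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(length=24, alphabet=DEFAULT_ALPHABET,
                      required_classes=(string.ascii_lowercase,
                                        string.ascii_uppercase,
                                        string.digits)):
    """Return a random password drawn with the OS CSPRNG (secrets), never random.random().

    `required_classes` lists character classes the site insists on; a class is
    only enforced when the alphabet actually contains it. Rejection sampling
    keeps the result uniform over the set of accepted passwords.
    """
    classes = [c for c in required_classes if set(c) & set(alphabet)]
    if length < len(classes):
        raise ValueError("length too short to satisfy the required character classes")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def generate_security_answer(length=20):
    """Random alphanumeric 'security question' answer; store it in the manager like a password."""
    return generate_password(length, ALNUM_ALPHABET,
                             required_classes=(string.ascii_letters, string.digits))


if __name__ == "__main__":
    print("password:", generate_password())
    print("alnum-only length needed for 128 bits:", min_length_for_bits(128, 62))
    print("digits-only length needed for 128 bits:", min_length_for_bits(128, 10))
    print("security answer:", generate_security_answer())
```

The point of `min_length_for_bits` is the one the comment makes about sites that "do not allow you to make a password of your manager's default strength": 20 characters from the full printable set, 22 alphanumerics and 39 digits all carry the same 128 bits, so a restrictive site costs you length, not the habit.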

~~~
andersonmvd
>> You can use SMS

Well, it's not recommended:

>> Due to the risk that SMS messages may be intercepted or redirected,
implementers of new systems SHOULD carefully consider alternative
authenticators. If the out of band verification is to be made using a SMS
message on a public mobile telephone network, the verifier SHALL verify that
the pre-registered telephone number being used is actually associated with a
mobile network and not with a VoIP (or other software-based) service. It then
sends the SMS message to the pre-registered telephone number. Changing the
pre-registered telephone number SHALL NOT be possible without two-factor
authentication at the time of the change. OOB using SMS is deprecated, and may
no longer be allowed in future releases of this guidance.

Source: NIST
([https://pages.nist.gov/800-63-3/sp800-63b.html](https://pages.nist.gov/800-63-3/sp800-63b.html))

~~~
bigiain
[http://www.itnews.com.au/news/telcos-declare-sms-unsafe-for-...](http://www.itnews.com.au/news/telcos-declare-sms-unsafe-for-bank-transactions-322194)

The telco industry tells the banking industry not to consider SMS secure...

~~~
mtgx
So they are finally admitting that SS7 is a huge security problem, to the point
they have to recommend everyone not to use it for 2FA anymore... but they are
not going to try and fix SS7.

~~~
rsync
Isn't migrating to a pure LTE network a legitimate option to fixing SS7 ?

Not that I think we'll be rid of SS7 even a decade from now, but there is a
reasonable path to take, yes ?

~~~
cmdrfred
My idea is get rid of minutes and text and simply have data on your phone.
Then you can use the call/sms service of your choice to provide those features
over https. Basically unbundle the whole deal. The carriers would never go for
it but I think it would work.

~~~
bigiain
I've got a nephew who sort-of does that with an iPod touch. It doesn't even
have a cellular data connection - he relies on glomming on to free wifi at
school/home/friend's houses/the library/the shopping mall/wherever, and gets
iMessage and Skype only when he's got wifi - which is "good enough" for him to
not even bother upgrading to a phone with a pre-paid account... (He's even
managed to convince his Mom to leave the wifi hotspot on her phone running all
the time, so he can make/receive calls in the car...)

------
micaksica
Good on Kenneth for being quick on the draw. I love 'requests'.

If you're a developer of a popular open-source project, this should serve as a
warning to make sure you have multi-factor authentication on, yes, but it's
even better to learn from this and come up with incident response plans with
your core maintainer base. Ask among yourselves:

1. Do we have the ability to detect an overt breach like this one?

2. Do we have the ability to detect a covert breach (e.g. are our builds
reproducible, auditable? Are our binaries signed? Do we know who our
committers are?)

3. Do we have a consistent way to message users of the project of the
compromise?

4. Do we have a way to deprecate/mark as tainted compromised versions of our
module/package/application?

GitHub offers some technology to help in this regard. Sign your release tags,
at a minimum [1]; sign your commits with developer keys if you're paranoid.
[2]

As FOSS becomes more used in the enterprise, I suspect these attacks will
become less of a rarity.

[1] [https://news.ycombinator.com/item?id=11494997](https://news.ycombinator.com/item?id=11494997)

[2] [https://help.github.com/articles/signing-commits-using-gpg/](https://help.github.com/articles/signing-commits-using-gpg/)

------
jkaptur
It's odd not to examine the "contacted a friend at GitHub" part. On the one
hand, it's all too common to see this as the only escalation path at a modern
tech company. On the other hand, at companies without strong internal
controls, it raises the question of how to authenticate yourself to the friend
at the company - especially in what the author describes as a stressful 10
minutes.

We know from postmortems that the error-handling code tends to be among the
least-tested parts of a codebase, which leads to cascading failure. I wonder
if an even wilier attacker could have leveraged the analogous failure here.

~~~
micaksica
> It's odd not to examine the "contacted a friend at GitHub" part.

Authentication aside: what does somebody do to talk to GitHub if you _don't_
have a friend at GitHub that's willing to chat with you? Would Kenneth have
been given the Source IP address of the attacker if he didn't know someone
there?

~~~
hueving
>what does somebody do to talk to GitHub if you don't have a friend at GitHub
that's willing to chat with you?

Write a blog post on Medium with the perfect click-bait title to make it go
viral. Hope a github engineer reads it and gets back to you.

~~~
beberlei
Github has a support system and from my experience they reply quite fast.

------
omginternets
Oh boy another plug for 2FA. I won't deny the obvious security advantages it
confers, but that well has been poisoned a long time ago.

Call me paranoid, but I have a hard time seeing the push for 2FA as anything
other than a plot to collect valuable user data. As with most any good lie,
it's mostly true -- 2FA _does_ improve security -- but what happens when a
company goes bankrupt and sells off its assets?

Moreover, I can't help but to question the actual _necessity_ of this security
feature. The OP's mess could have been avoided if he'd ... you know ...
_systematically_ chosen secure passwords.

>Turn on two-factor authentication. Right now.

I'll pass, thanks.

P.S.: thanks for Requests!

~~~
vmateixeira
_Call me paranoid, but I have a hard time seeing the push for 2FA as anything
other than a plot to collect valuable user data_

Exactly. Mostly when I see companies like Google, Facebook, etc constantly
trying to _trick_ me to activate it. And yes, I say _trick_ : The option to
ignore/skip is always hidden/disguised, totally ignoring the UX and
accessibility needs.

This and the fact that the input text fields already have my phone number
populated on them ...and are just waiting for my consent.. this does not
inspire trust, no.

~~~
romaniv
Another interesting thing most people don't realize is that if you switch IP
addresses Google demands _a_ phone number for Gmail login, even if the account
has no 2FA and no phone number was specified initially. "Give us _some_ phone
number to log in". Isn't that strange from security perspective?

------
vtange
Kenneth should repeat N's big takeaway:

• Avoid using custom DNS emails (e.g. yourname@yourdomain.com) for any login
purposes. It basically opens you up for these kind of attacks (where a hacker
breaks into your domain name account and forwards your custom email to his
own).

Read N's story at [https://medium.com/@N/how-i-lost-my-50-000-twitter-username-...](https://medium.com/@N/how-i-lost-my-50-000-twitter-username-24eb09e026dd#.ler9o3cmg)

~~~
mplewis
But I don't want to use @gmail.com because that ties me down to the vendor.

What am I supposed to use then?

~~~
dredmorbius
I'm rather not a fan of Google in general, and particularly not these days
(though they're hardly the only tech company backing the TPP).

That said: on account of size, targeting, procedures, and what I find are
generally fairly diligent employees on the tech side (design, products, ads,
and gov't rel'n are another story), you're probably as safe with Google as
with any other large vendor.

That said, the basic problem here -- getting locked out of your account or
profile, or allowing the wrong person in -- is a _HYUUUGE_ problem. And the
2nd Amendment people can't do anything about it either, to continue the
allusion....

I wrote of my own "I've been locked out of a Google account" account, well,
twice. It's been pretty annoying (particularly as I'm paranoid and don't trust
Google to know who I really am, because reasons). It's been resolved within a
few days, though it leaves me scratching my head a bit.

As I noted the first time, and have adopted as a slogan for this type of
event, "Who are you is the most expensive question in information technology.
No matter how you get it wrong, you're fucked." See:
[https://redd.it/2w618r](https://redd.it/2w618r)
[https://redd.it/3mo7l6](https://redd.it/3mo7l6)

Unfortunately, that issue is paired with another, also sloganed and given to
much use: _Data are liability._

If you hold data about people, or state they consider important (e.g., a
widely used codebase), or other elements, then you've got control point others
may well find they wish to avail themselves of.

I _don't_ have solutions to either of these problems (I'm paranoid, not
narcissistically delusional). I can see the shapes of possible solutions,
including reducing attack surfaces and possibly having a more widely
distributed and socially-integrated identity verification mechanism. Or
offering far more services as stateless and without locally-maintained data,
at least in cleartext.

Better notifications, recovery, and encryption methods for mail would also
help -- capture of email accounts would matter far less if they were encrypted
to keys held only by the user (and _absolutely_ not on the control path
involved in accessing or specifying them, such as MXs).

~~~
ComodoHacker
>It's been resolved within a few days

Could you share a way to resolve it? I've been in such a situation recently. I
was forced to change the VPN I had used for a long time to access my Gmail
account. And I don't have 2FA enabled because I didn't want to give out my
phone number.

~~~
dredmorbius
In one case, personal appeal to a Googler.

In another, fallback/recovery ultimately worked, but I needed to try from
several devices.

The "security questions" proved worse than useless. Unless exercised
periodically, I think people forget or lose the answers (or even questions).
Worse, vendors change their strategies.

Several of my Google IDs started from entirely different services, with
different rules. And privacy guidelines. E.g., YouTube's old "never use your
real name" advice.

How quaint!

Identity is weird.

------
w8rbt
Some domain registrars/DNS management services support multi-factor
authentication. If yours does not, you should migrate to one that does.

DNS is the foundation upon which everything else is built. And, it's been my
experience that DNS and email attacks are very common.

If an attacker can compromise DNS and email, then they can compromise all the
higher-level services that send password resets by email (twitter, github,
facebook, whatever).

------
hoodoof
I'm still trying to wrap my head around DigitalOcean emailing me the root
password to my new instances.

~~~
noja
If DigitalOcean and your mail server both talk TLS, what's the problem?

~~~
bigiain
Some random old bit of Cisco gear sitting anywhere in between with its
default configuration set to strip out STARTTLS commands...

[http://www.cisco.com/c/en/us/about/security-center/intellige...](http://www.cisco.com/c/en/us/about/security-center/intelligence/asa-esmtp-starttls.html)

"When Cisco ASA is configured for ESMTP inspection, the ASA is not able to
examine the TLS session because it is encrypted. Therefore the ASA will
prevent the establishment of the STARTTLS session and allow the SMTP endpoints
to determine whether the SMTP session should continue in clear text (that is,
with no privacy)."

(I once billed a client just over $30k to investigate/diagnose/resolve that
problem - there was a piece of Cisco gear on the edge of their network that
nobody ever admitted to even knowing existed which was stripping out the
STARTTLS instruction between a webapp running inside their own datacenter and
their own 3rd party mail service - and everybody was pointing their fingers at
_me_ for the mail not coming through encrypted... Twitch. Twitch. Twitch...)
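Added example, not part of bigiain's comment: what the failure he describes looks like to a client, and the client-side fix. When a middlebox removes the STARTTLS advertisement from the EHLO reply, a client that falls back to cleartext delivers the mail (and the root password in it) unencrypted, and nobody notices. The code below parses a raw EHLO reply so a captured exchange can be checked offline, and shows a sender that treats "STARTTLS not advertised" as a hard error instead of a fallback. The two EHLO replies are constructed, not captured from any real server, and `mail.example.test` is a placeholder.

```python
import smtplib
import ssl

# Constructed EHLO replies for the offline check (not captured from a real server).
# A server that advertises STARTTLS:
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
# The same server as seen through a middlebox that removed the STARTTLS line:
EHLO_STRIPPED = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 52428800\r\n"
    "250 HELP\r\n"
)


class StartTlsNotOffered(Exception):
    """Raised instead of silently continuing the SMTP session in cleartext."""


def ehlo_extensions(raw_reply):
    """Parse a raw multi-line EHLO reply, as seen on the wire, into the set of
    advertised extension keywords (upper-cased). The first line is the greeting."""
    lines = [l for l in raw_reply.replace("\r\n", "\n").split("\n") if l]
    exts = set()
    for line in lines[1:]:
        # Continuation lines are "250-KEYWORD params"; the final line is "250 KEYWORD".
        if len(line) < 5 or not line.startswith("250") or line[3] not in "- ":
            continue
        parts = line[4:].split()
        if parts:
            exts.add(parts[0].upper())
    return exts


def starttls_offered(raw_reply):
    """True only if the server's EHLO reply actually advertised STARTTLS."""
    return "STARTTLS" in ehlo_extensions(raw_reply)


def send_requiring_tls(host, port, sender, recipients, message, timeout=15):
    """Deliver `message` only over TLS; never fall back to cleartext.

    Uses smtplib's own parsed feature table (has_extn) after EHLO, then
    upgrades with a default SSL context so the server certificate is validated.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _ = smtp.ehlo()
        if code != 250 or not smtp.has_extn("starttls"):
            raise StartTlsNotOffered(
                f"{host}:{port} did not advertise STARTTLS; refusing to send in cleartext")
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()  # EHLO again inside the TLS session, as RFC 3207 requires
        smtp.sendmail(sender, recipients, message)
```

The detection half is the useful bit for the diagnosis bigiain describes: compare the EHLO reply the mail server sends (captured next to it) with the one the webapp receives (captured next to it); if `starttls_offered` differs between the two captures, something in between is editing the session.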

~~~
noja
Ah. So we need more of that Postini option to require STARTTLS is successful.

------
caf
It'd be nice if you could flip a setting on GitHub so that password-reset
emails are encrypted with a GPG key. They already have an interface for
uploading GPG keys.

------
gregcmartin
Thanks for sharing your story Kenneth. Unfortunately it will be a common
one... Maintainers of open source projects will be increasingly targeted by
sophisticated hacking teams, sometimes government funded. They will often win
but the best thing you can do for yourself and your users is to practice good
security hygiene and this story is a perfect example why. Strong random
passwords everywhere (no repeated passwords) and 2-factor auth should be the
minimum. Thankfully there are plenty of free apps out there that help you
manage this process. Nobody can have perfect security but you can easily raise
the bar high enough to force an attacker to move elsewhere. Also the OP's
password was most likely taken from the recently leaked LinkedIn breach
(educated guess).

------
cdnsteve
Github authors - Sign your commits and tags with a PGP signature.
[https://help.github.com/articles/signing-commits-using-gpg/](https://help.github.com/articles/signing-commits-using-gpg/)

It doesn't look like the authors/contributors of requests are using Github
signed commits either.

------
rcthompson
Is there a comprehensive list somewhere of which websites/services support 2FA
and where to go to enable it on each one?

~~~
kobayashi
Yes :)

[https://twofactorauth.org](https://twofactorauth.org)

~~~
rcthompson
Thanks, that's just what I was looking for!

------
ghiculescu
Kind of related, does anyone know if it's possible to mandate two factor auth
across a github organisation? I know you can see if it's enabled on your users
list but that's a bit arduous. Seems like any one user not having 2fa enabled
would be the weakest link otherwise.

------
dredmorbius
Looking at the two best guesses: a reasonable assumption, _if_ the Certifi
bundle was in fact the target of this attack, is that _some consumer of that
bundle_ is that true target of this attack.

(Incidentally: I'm not familiar with what the Certifi bundle _is_ , and some
quick DDGing didn't turn it up.)

As a recent convo I'd had here on HN turned up, _key management is a crucial
element of PKI_ , which includes not only SSH and PGP, _but the CA-based
measures_ : SSL and TLS.

Your web link is only as secure as the least-paranoid developer's MX
registrations in your entire development toolchain.

------
imikay
Yes, you should enable two-factor authentication for all your important accounts.
My iCloud account was compromised two months ago, after that I turned on two-
factor auth for all my important accounts.

------
colemickens
Does anyone know the Twitter handle in question? I'm curious to read about
that incident.

(edit: Oops, I guess I didn't realize the bold were hyperlinks in the article.
Thanks for the pointer.)

~~~
coderholic
Yes, it's @n. This is linked from the article: [https://medium.com/@N/how-i-lost-my-50-000-twitter-username-...](https://medium.com/@N/how-i-lost-my-50-000-twitter-username-24eb09e026dd#.elq4omaz5)

------
denfromufa
Is it possible to enforce two-factor authentication for all developers with
merge rights on github?

Also is it possible to check if someone has 2-factor authentication?

~~~
snowwolf
In an organisation on github you can see all members who don't have 2FA
(indicated by a red !) - [https://github.com/orgs/<org-name>/people](https://github.com/orgs/<org-name>/people)

No way to mandate 2FA yet though.
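Added example, not from snowwolf's comment or from GitHub: the same check that the people page gives you, done from a script so it can run on a schedule instead of by eye. The GitHub REST endpoint for listing organization members accepts `filter=2fa_disabled` (only honoured for an org owner's token) and paginates through the `Link` header; the code walks all pages and returns the logins. `example-org` and the `GITHUB_TOKEN` environment variable are this example's assumptions, and the `Link` header in the test is constructed.

```python
import json
import os
import re
import sys
import urllib.request

API = "https://api.github.com"


def members_url(org, per_page=100):
    """First page of the org members listing, restricted to members without 2FA."""
    return f"{API}/orgs/{org}/members?filter=2fa_disabled&per_page={per_page}"


def next_link(link_header):
    """Return the URL tagged rel="next" from a GitHub `Link` header, or None on the last page."""
    if not link_header:
        return None
    for part in link_header.split(","):
        m = re.match(r'\s*<([^>]+)>;\s*rel="([^"]+)"', part)
        if m and m.group(2) == "next":
            return m.group(1)
    return None


def logins(members_json):
    """Sorted login names from one page of the members API."""
    return sorted(member["login"] for member in members_json)


def fetch_members_without_2fa(org, token, timeout=30):
    """Walk every page of the filtered listing and collect the logins."""
    url = members_url(org)
    found = []
    while url:
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "User-Agent": "org-2fa-audit",  # GitHub rejects requests without a User-Agent
        })
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            found.extend(logins(json.load(resp)))
            url = next_link(resp.headers.get("Link"))
    return found


if __name__ == "__main__":
    # Usage: GITHUB_TOKEN=... python org_2fa_audit.py example-org
    org = sys.argv[1] if len(sys.argv) > 1 else "example-org"
    missing = fetch_members_without_2fa(org, os.environ["GITHUB_TOKEN"])
    for login in missing:
        print(login)
    sys.exit(1 if missing else 0)
```

The non-zero exit when anyone is listed is what turns the people page into a control: wire it into a nightly job and the "weakest link" ghiculescu worries about becomes a ticket the next morning rather than something an owner has to remember to look for.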

------
tedmiston
Would using 2FA on the DNS provider have prevented this? It's unclear to me
how exactly the attacker got into DNSimple.

~~~
Buge
Password reuse with some other site that had its database stolen.

------
Buetol
It would be nice if the popular packages had to be audited by the
community before being pushed; it would make it harder to do attacks with
such a large possible target (all the tech companies).

------
forgotpwtomain
Wait a minute, why does requests come with a cert bundle?

------
cmdrfred
Just wanted to say I love requests. Thanks for it.

------
jokoon
Don't insurance companies require you to make any kind of internet security
audit?

I mean, if this doesn't happen, and if governments don't take steps to improve
the situation in the next 10 or 15 years, won't things get worse enough that
politicians notice?

------
a_lifters_life
Thanks for sharing!

