Cloudflare sheds more light on Thanksgiving security breach in which tokens, source code accessed by suspected spies

Cloudflare has just detailed how suspected government spies gained access to its internal Atlassian installation using credentials stolen via a security breach at Okta in October. In a write-up on Thursday, CEO Matthew Prince, CTO John Graham-Cumming, and CISO Grant Bourzikas said the Atlassian intrusion was detected all the …

  1. ldo

    Re: “incorrectly believed those tokens were unused”

    Key management can be a complex issue. Imagine an SSH client key gets compromised, or retired, or otherwise invalidated: are you sufficiently on top of your machine inventory to be able to go through every authorized_keys file to be sure that key has been scrubbed from all of them?

    Remember, it’s not just real machines, but virtual ones and containers as well.
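    As an added example (not from ldo's post, and not Cloudflare's or OpenSSH's own code), here is a small Python helper for the per-host part of that audit: it matches authorized_keys entries against a revocation list by the same SHA256 fingerprint that `ssh-keygen -lf` prints, so options-prefixed and duplicated entries of a revoked key are all caught and everything else is left verbatim. The sample keys are constructed from fixed byte patterns, and collecting the files from each machine, VM and container in the inventory is assumed to be handled by whatever orchestration is already in use.

```python
import base64
import hashlib
import struct
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def make_ed25519_blob(raw32: bytes) -> str:
    """Base64 blob of an ssh-ed25519 public key, used only to build sample keys.
    Each field is an SSH wire string: big-endian uint32 length, then the bytes."""
    blob = b"".join(struct.pack(">I", len(f)) + f for f in (b"ssh-ed25519", raw32))
    return base64.b64encode(blob).decode()

def fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint as ssh-keygen -lf prints it: unpadded base64 of the hash."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_line(line: str):
    """(key_type, blob) for an authorized_keys entry, else None. A leading options
    field (from=, command="...", no-pty) is skipped by locating the key type."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    for i, token in enumerate(fields[:-1]):
        if token in KEY_TYPES and fields[i + 1].startswith("AAAA"):
            return token, fields[i + 1]
    return None

def scrub(authorized_keys: str, revoked: set):
    """Drop entries whose fingerprint is revoked; return (cleaned_text, removed)."""
    kept, removed = [], []
    for line in authorized_keys.splitlines():
        parsed = parse_line(line)
        fp = fingerprint(parsed[1]) if parsed else None
        if fp in revoked:
            removed.append(fp)
        else:
            kept.append(line)  # comments, options and still-valid keys stay verbatim
    return "\n".join(kept) + "\n", removed

# Constructed sample keys built from fixed byte patterns; not real key material.
COMPROMISED = make_ed25519_blob(b"\x01" * 32)
STILL_VALID = make_ed25519_blob(b"\x02" * 32)
SAMPLE_AUTHORIZED_KEYS = (
    "# constructed authorized_keys for one host\n"
    f"ssh-ed25519 {STILL_VALID} alice@laptop\n"
    f'from="10.0.0.0/8",no-pty ssh-ed25519 {COMPROMISED} deploy-token\n'
    f"ssh-ed25519 {COMPROMISED} same key pasted a second time\n"
)
```

    Run `scrub(SAMPLE_AUTHORIZED_KEYS, {fingerprint(COMPROMISED)})` to get the cleaned file plus the list of removed fingerprints; a non-empty list from any host is exactly the "we thought that token was unused" signal worth alerting on.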

    1. Bebu

      Re: “incorrectly believed those tokens were unused”

      《Key management can be a complex issue. Imagine an SSH client key gets compromised, or retired, or otherwise invalidated: are you sufficiently on top of your machine inventory to be able to go through every authorized_keys file to be sure that key has been scrubbed from all of them?

      Remember, it’s not just real machines, but virtual ones and containers as well.》

      I think this is one reason ssh certificate based authentication is recommended. Just a lot of work to set up an SSH CA and issue/renew certs for a smallish site.

      1. ldo

        Re: “incorrectly believed those tokens were unused”

        Or better still, use Kerberos. That is what it was designed for. Any compromised key can be immediately invalidated, without having to wait for any expiry interval (longer than a few minutes, anyway).

  2. Kevin McMurtrie Silver badge

    "This attack was performed by a nation-state attacker"

    Probably a long-term customer too.

  3. sev.monster Silver badge

    12,000 repositories? Even Code Jesus would be taken aback. If they actually clone and audit their dependencies, which is the only reason why I can imagine there are so many, I will be thoroughly impressed.

    1. Peter Mount

      That number could be accurate, more so in today's age with micro-services.

      Also, that might be a total figure. For example, instead of creating a branch on a repository, a developer forks it into their own account to work on it before filing a PR to merge it back to the core repository, increasing the overall repository count.

  4. Anonymous Coward

    Am I reading this correctly?

    Despite being hacked as a result of Okta's lapse in 2022, Cloudflare got hacked again as a result of an Okta lapse, and apparently this time because Okta let it be known that nothing important had been compromised?

    Why are companies still using Okta for access management, or any aspect of security?

    1. Decimal5446

      Re: Am I reading this correctly?

      Probably because if we cancel every place that gets hacked we would have no options left. The fact you get hacked isn't a problem. It's about how fast you can detect and respond and shut it down. It's super naive to think places won't be hacked. Best to assume everywhere will get their turn. It's the amount of turns that should inform your decision to move on. I won't touch LastPass as far as I can chuck them at this point, for example.

      1. sev.monster Silver badge

        Re: Am I reading this correctly?

        Precisely this. Every major nation state with outside interests is doing something in regards to cyberwarfare, it's just the norm now. And even if it isn't the big hitters like that, there are plenty of smaller criminal organizations that want a piece of the pie. Breaching and selling access, mercenary work, or directly exploiting victims—there are hundreds of them. Even single script kiddies or disgruntled employees in the right place at the right time can mean data being exfiltrated.

        LastPass in particular is why I self-host Bitwarden.

        1. anothercynic Silver badge

          Re: Am I reading this correctly?

          This is also why I refuse to migrate to 'cloud-hosted' solutions like LastPass or the new 1Password services. Nope, nope, nope.

          1. sev.monster Silver badge

            Re: Am I reading this correctly?

            I actually do recommend Bitwarden. I didn't care for it at first for self hosting because the project is huge, but Vaultwarden changed my mind. Much less by way of dependencies and works with all Bitwarden clients. The Vaultwarden + official clients ecosystem does everything I need.

    2. yoganmahew

      Re: Am I reading this correctly?

      Okta also appears to be economical with the truth in the number of customers affected. It turns out it was all customers...

      A security organisation that follows a legal/marketing FUD campaign disclosure method is not to be trusted.

      https://techcrunch.com/2023/11/29/okta-admits-hackers-accessed-data-on-all-customers-during-recent-breach/?guccounter=1

  5. Crypto Monad Silver badge

    Credit where credit's due

    Cloudflare are always up-front with detailed reports about things happening on their network, both good and bad. They let others learn from what they're doing.

    1. sev.monster Silver badge

      Re: Credit where credit's due

      I really like the people there, but I do not like how much centralized power they have. One wrong move and 80% of the modern Internet could be MITMed without the end user knowing.

      Of course, the same goes for Akamai and other major CDNs, as well as cloud providers, but the threat is not as big for them because the attack complexity is suitably larger with all the disparity in hosting solutions. Meanwhile Cloudflare is the epitome of "hold my certs, bro".
