{"id":606906,"date":"2023-02-11T07:49:11","date_gmt":"2023-02-11T13:49:11","guid":{"rendered":"https:\/\/news.sellorbuyhomefast.com\/index.php\/2023\/02\/11\/this-weeks-reddit-breach-shows-companys-security-is-still-woefully-inadequate\/"},"modified":"2023-02-11T07:49:11","modified_gmt":"2023-02-11T13:49:11","slug":"this-weeks-reddit-breach-shows-companys-security-is-still-woefully-inadequate","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2023\/02\/11\/this-weeks-reddit-breach-shows-companys-security-is-still-woefully-inadequate\/","title":{"rendered":"This week\u2019s Reddit breach shows company\u2019s security is (still) woefully inadequate"},"content":{"rendered":"<div>\n<h4>\n      GOT FIDO?    \u2014<br \/>\n<\/h4>\n<h2 itemprop=\"description\">This week&#8217;s intrusion into Reddit&#8217;s network didn&#8217;t have to happen, but it did.<\/h2>\n<section>\n<p itemprop=\"author creator\" itemscope itemtype=\"http:\/\/schema.org\/Person\">\n      <a itemprop=\"url\" href=\"https:\/\/arstechnica.com\/author\/dan-goodin\/\" rel=\"author\"><span itemprop=\"name\">Dan Goodin<\/span><\/a><br \/>\n    &#8211;  <time data-time=\"1676066509\" datetime=\"2023-02-10T22:01:49+00:00\">Feb 10, 2023 10:01 pm UTC<\/time>\n<\/p>\n<\/section><\/div>\n<div itemprop=\"articleBody\">\n<figure>\n  <img decoding=\"async\" src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2022\/01\/2fa-app-800x527.jpeg\" alt=\"This week\u2019s Reddit breach shows company\u2019s security is (still) woefully inadequate\"><figcaption>\n<p>Getty Images<\/p>\n<\/figcaption><\/figure>\n<p>Popular discussion website Reddit proved this week that its security still isn\u2019t up to snuff when it disclosed yet another security breach that was the result of an attack that successfully phished an employee\u2019s login credentials.<\/p>\n<p>In a <a href=\"https:\/\/www.reddit.com\/r\/reddit\/comments\/10y427y\/we_had_a_security_incident_heres_what_we_know\/\">post<\/a> 
published Thursday, Reddit Chief Technical Officer Chris &#8220;KeyserSosa&#8221; Slowe said that after the breach of the employee account, the attacker accessed source code, internal documents, internal dashboards, business systems, and contact details for hundreds of Reddit employees. An investigation into the breach over the past few days, Slowe said, hasn\u2019t turned up any evidence that the company\u2019s primary production systems or user password data were accessed.<\/p>\n<p>\u201cOn late (PST) February 5, 2023, we became aware of a sophisticated phishing campaign that targeted Reddit employees,\u201d Slowe wrote. \u201cAs in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens.\u201d<\/p>\n<p>A single employee fell for the scam, and with that, Reddit was breached.<\/p>\n<p>It\u2019s not the first time a successful credential phishing campaign has led to the breach of Reddit\u2019s network. In 2018, a <a href=\"https:\/\/arstechnica.com\/information-technology\/2018\/08\/password-breach-teaches-reddit-that-yes-phone-based-2fa-is-that-bad\/\">successful phishing attack<\/a> on another Reddit employee resulted in the theft of a mountain of sensitive user data, including cryptographically salted and hashed password data, the corresponding user names, email addresses, and all user content, including private messages.\n<\/p>\n<p>In that earlier breach, the phished employee\u2019s account was protected by a weak form of two-factor authentication (2FA) that relied on one-time passwords (OTP) sent in an SMS text. Security practitioners have frowned on SMS-based 2FA for years because it\u2019s vulnerable to several attack techniques. One is so-called SIM swapping, in which attackers take control of a targeted phone number by tricking the mobile carrier into transferring it. 
The other phishes the OTP.<\/p>\n<p>When Reddit officials disclosed the 2018 breach, they said that the experience taught them that \u201cSMS-based authentication is not nearly as secure as we would hope\u201d and, \u201cWe point this out to encourage everyone here to move to token-based 2FA.\u201d<\/p>\n<p>Fast-forward a few years and it\u2019s obvious Reddit still hasn\u2019t learned the right lessons about securing employee authentication processes. Reddit didn\u2019t disclose what kind of 2FA system it uses now, but the admission that the attacker was successful in stealing the employee\u2019s second-factor tokens tells us everything we need to know\u2014that the discussion site continues to use 2FA that\u2019s woefully susceptible to credential phishing attacks.<\/p>\n<p>The reason for this susceptibility can vary. In some cases the tokens are based on pushes that employees receive during the login process, usually immediately after entering their passwords. The push requires an employee to click a link or a &#8220;yes&#8221; button. When an employee enters the password into a phishing site, they have every expectation of receiving the push. Because the site looks genuine, the employee has no reason not to click the link or button.<\/p>\n<p>OTPs generated by an authenticator app such as Authy or Google Authenticator are similarly vulnerable. The fake site not only phishes the password, but also the OTP. A fast-fingered attacker, or an automated relay on the other end of the website, quickly enters the data into the real employee portal. With that, the targeted company is breached.<\/p>\n<p>The best form of 2FA available now complies with an <a href=\"https:\/\/arstechnica.com\/information-technology\/2020\/07\/apple-has-finally-embraced-key-based-2fa-so-should-you\/\">industry standard known as FIDO<\/a> (Fast Identity Online). 
The standard allows for multiple forms of 2FA that require a physical piece of hardware, most often a phone, to be near the device logging in to the account. Since the phishers logging in to the employee account are miles or continents away from the authenticating device, the 2FA fails.\n<\/p>\n<p>FIDO 2FA can be made even stronger if, besides proving possession of the enrolled device, the user must also provide a facial scan or fingerprint to the authenticator device. This measure allows for 3FA (a password, possession of a physical key, and a fingerprint or facial scan). Because the biometrics never leave the authenticating device (the check relies on the fingerprint or face reader on the phone), there\u2019s no privacy risk to the employee.<\/p>\n<p>Last year, the world got a real-world case study in the contrast between 2FA with OTPs and FIDO. Credential phishers used a convincing impostor of the employee portal for the communication platform Twilio and a real-time relay to ensure the credentials were entered into the real Twilio site before the OTP expired (typically, OTPs are valid for a minute or less after they&#8217;re issued). After tricking one or more employees into entering their credentials, the attackers were in and proceeded to steal sensitive user data.\n<\/p>\n<p>Around the same time, content delivery network Cloudflare was <a href=\"https:\/\/arstechnica.com\/information-technology\/2022\/08\/phishers-breach-twilio-and-target-cloudflare-using-workers-home-numbers\/\">hit by the same phishing campaign<\/a>. While three employees were tricked into entering their credentials into the fake Cloudflare portal, the attack failed for one simple reason: rather than relying on OTPs for 2FA, the company used FIDO.<\/p>\n<p>To be fair to Reddit, there\u2019s no shortage of organizations that rely on 2FA that\u2019s vulnerable to credential phishing. But as already noted, Reddit has been down this path before. 
The company vowed to learn from its 2018 intrusion, but clearly it drew the wrong lesson. The right lesson is: FIDO 2FA is immune to credential phishing. OTPs and pushes aren\u2019t.<\/p>\n<p>Reddit representatives didn\u2019t respond to an email seeking comment for this post.<\/p>\n<p>People who are trying to decide what service to use and are being courted by sales teams or ads from multiple competing providers would do well to ask if the provider\u2019s 2FA systems are FIDO-compliant. Everything else being equal, the provider using FIDO to prevent network breaches is hands down the best option.<\/p>\n<\/div>\n<p><a href=\"https:\/\/arstechnica.com\/?p=1916969\" class=\"button purchase\" rel=\"nofollow noopener\" target=\"_blank\">Read More<\/a><br \/>\n Dan Goodin<\/p>\n","protected":false},"excerpt":{"rendered":"<p>GOT FIDO? \u2014 This week&#8217;s intrusion into Reddit&#8217;s network didn&#8217;t have to happen, but it did. Dan Goodin &#8211; Feb 10, 2023 10:01 pm UTC Getty Images Popular discussion website Reddit proved this week that its security still isn\u2019t up to snuff when it disclosed yet another security breach that was the result of 
an<\/p>\n","protected":false},"author":1,"featured_media":606907,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[239,46,169],"tags":[],"class_list":{"0":"post-606906","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-reddit","8":"category-technology","9":"category-weeks"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/606906","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/comments?post=606906"}],"version-history":[{"count":0,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/606906\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media\/606907"}],"wp:attachment":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media?parent=606906"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/categories?post=606906"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/tags?post=606906"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}