by KirinDave 2618 days ago
Why aren't people reporting the fact that Matrix.org actually lost control of their network a second time within hours of their first all clear sounding?

I feel like this is an important part of the story for anyone looking for teachable infosec moments.


I guess I technically glossed over that but I did say "One of the more interesting pieces of this was how Ansible was used to keep the attacker in the system". The attacker was persisted via CM and their public repo, I'm actually surprised this doesn't happen more often.
I should clarify this comment a bit since it seems to be the most controversial.

When I say the attacker was persisted via CM, I'm pointing at his own notes, nodding to broken CM, the requirements of supporting the CM and availability of the config files.

I also sanity checked the sshd_config file on my systems, they're all set to a sane default:

"AuthorizedKeysFile .ssh/authorized_keys"

FWIW I prefer to treat CM data as "valuable" information for this reason.
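As an added illustration of the sanity check mentioned in this comment (example code written for this page, not posted by the commenter or by Matrix.org), the following POSIX shell script extracts the effective AuthorizedKeysFile directive from sshd_config text and flags any entry that is not the per-user default. The two config bodies are constructed samples; the script assumes a plain sshd_config without Match blocks and treats the OpenSSH default (".ssh/authorized_keys .ssh/authorized_keys2") as the baseline.

```shell
#!/bin/sh
# Added example (not from the thread): report non-default AuthorizedKeysFile
# entries in an sshd_config. An extra key file path, especially one outside the
# user's home directory, is a place where a change pushed through configuration
# management can quietly grant persistent SSH access.

# Constructed sample configs standing in for /etc/ssh/sshd_config.
SAMPLE_OK='Port 22
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no'

SAMPLE_BAD='Port 22
AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/keys/%u
PasswordAuthentication no'

# Print the effective AuthorizedKeysFile value(s) from config text on stdin.
# sshd honours the first occurrence of a keyword; if none is present the
# OpenSSH default is printed instead. Commented-out lines are ignored.
effective_akf() {
  awk 'tolower($1) == "authorizedkeysfile" && !seen {
         seen = 1; $1 = ""; sub(/^ +/, ""); print; exit
       }
       END { if (!seen) print ".ssh/authorized_keys .ssh/authorized_keys2" }'
}

# check_akf CONFIG_TEXT
# Returns 0 if every listed path is one of the per-user defaults, 1 otherwise;
# each non-default entry is reported on stderr.
check_akf() {
  status=0
  for p in $(printf '%s\n' "$1" | effective_akf); do
    case "$p" in
      .ssh/authorized_keys|.ssh/authorized_keys2) ;;
      *) echo "non-default AuthorizedKeysFile entry: $p" >&2; status=1 ;;
    esac
  done
  return $status
}

# Demonstration on the constructed samples.
check_akf "$SAMPLE_OK" && echo "SAMPLE_OK: only default key files"
check_akf "$SAMPLE_BAD" 2>/dev/null || echo "SAMPLE_BAD: non-default entry flagged"
```

To use it on a real host, pass the file contents, for example `check_akf "$(cat /etc/ssh/sshd_config)"`; the same check belongs in the CM repository's test stage so that a commit adding a second key path is caught before it is deployed rather than found on the host afterwards.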

Because the second time was a DNS hijack, not a network compromise. I'm a little fuzzy on the details, but it had something to do with Cloudflare's API not revoking some access token.

Either way, a DNS hijack is not great, but not nearly as bad as the initial compromise.

It wasn't CloudFlare's API not revoking a token, they just didn't revoke all the tokens. Basically human error.

"The API key was known compromised in the original attack, and during the rebuild the key was theoretically replaced. However, unfortunately only personal keys were rotated, enabling the defacement."

See, I'd like to know more too.
The rebuilt infra wasn't compromised; what happened was that we rotated the Cloudflare API key whilst logged into CF with a personal account but then masquerading as the master admin user. Turns out that rotating the API key rotates your personal one, not the one you're masquerading as, and we didn't think to manually compare the secret before confirming it had the right value. Hence the attacker was able to briefly hijack DNS to their defacement site until we fixed it.

We will write this up in a full postmortem in the next 1-2 weeks.