by ggreer 1922 days ago
A later tweet claims they got access through a vulnerability in the Verkada security cameras used by these companies: https://twitter.com/nyancrimew/status/1369442432639770624

That's not good, but it's bullshit to claim, "if we wanted to we could have probably owned half the internet in like a week." I seriously doubt that any of these companies have their security cameras on the same networks as anything sensitive, let alone production infrastructure. Heck, I doubt that any have their cameras on the same networks as developer machines (which are used on public networks all the time and can have all kinds of dubious software installed on them).

2 comments

If you have security cameras though, doesn't that open up a huge amount of possibilities to deepen the intrusion? Just most obviously you can watch anyone log in to anything you can see and get some credentials that way. Sounds like these offices are closed, but I'm sure there's some clever way to get someone to need to log in to some machine. Or just be patient and wait.

Hell, the offices being closed and having control of the security cameras offers what sounds a lot like the start of a great way to break in quietly and get physical access. How many systems do you know that are secure if you can touch them?

You can see the resolution of the cameras in some of the account's other tweets. It's not high enough to see information on the screen. Watching keyboard inputs might be possible, but even then I doubt the framerate is high enough to get all the keys.

More importantly: at most companies, accessing sensitive systems requires more than just a username and password. Pretty much every place requires TOTP or HOTP, often via a hardware token. Many firms also restrict access to specific machines.

Pretty much everything at Cloudflare requires, at the very least, a physical security key (e.g. YubiKey) to get access.

Yeah, 2FA is a good point. You'd really hope that anything important would require it, but not sure that's universally true. Social engineering attacks become a lot easier possibly; 2FA tends to need to be overridden a lot because people lose their tokens.

I didn't see the low-res cameras; that should make it harder. I wouldn't be surprised if AI or tedium (view each frame, guess and check, etc.) could still get you passwords, but yeah, it's starting to sound like more of a stretch. If the cameras have sound, that should help get creds too.

That Twitter account is now suspended. Would it be in relation to them tweeting about this breach..?