cloud abuser
CloudAttack
CloudDefense
CloudIncident Response

Set your alarms!

Tickets go live in 3 hours at 9 AM PT! https://eventbrite.com/e/fwdcloudsec-2023-tickets-556255303587

2nd batch goes live at 9PM PT for our friends in other timezones

fwd:cloudsec 2023

fwd:cloudsec is the industry's leading independent, community-driven cloud security conference. All times listed are in US/Pacific time.

Eventbrite

In case you missed it, @houston, @rami and I documented and analyzed all the cloud security breaches we could find from 2022.

https://securitylabs.datadoghq.com/articles/public-cloud-breaches-2022-mccarthy-hopkins/

Spoiler: SSRF to IMDS, leaked static credentials, public storage buckets.

A retrospective on public cloud breaches of 2022, with Rami McCarthy and Houston Hopkins | Datadog Security Labs

Looking back on publicly disclosed cloud breaches of 2022, and what we can learn from them.

I like the explanation of cloud terminology by @jcfarris in his interview on Screaming in the Cloud. AWS has accounts because it grew out of Amazon retail and that's what you used to buy underwear. GCP has projects because of their developer-first mentality. Azure has subscriptions because their focus is on how they'll charge you. https://www.lastweekinaws.com/podcast/screaming-in-the-cloud/Solving-for-Cloud-Security-at-Scale-with-Chris-Farris/
Solving for Cloud Security at Scale with Chris Farris

Last Week in AWS

Firstly, I am a fan of Password Managers.

However, calling them Password Managers is softening the risk of what people actually store in them. Maybe a better mouthful-of-a-name would be Personal Secret Storage or Cloud-Based Personal Secret Storage. Password storage is a popular use case, but so is storing keys of all types, notes, etc.

If your company doesn’t prevent usage of a non-mandated password manager, then the LastPass breach is a much bigger deal; even bigger than for shops that use LastPass Enterprise. Unless it was fully blocked, there is a very non-zero chance your employees, past and present, used LastPass. And likely you do not have any insight into what they stored or how strong their vault password is or was.

How do you triage that? Rotate every secret in the company? Some companies take years to rotate even the simplest service account password, as they have long lost track of who created it or what it’s used for, and are too operationally risk-averse to scream test. More than likely, companies will choose to ignore it.

These are not at all new issues, but they aren’t the kinds of things that win accolades or innovative awards for solving. Where is the cavalry?

I can’t believe nobody asked for my thoughts on the LastPass breach (sarcasm).
Firstly, any company that holds anything that even resembles sensitive data should be using data perimeter concepts to prevent their cloud storage from being accessed without a deeper foothold.
Secondly, organizations that use LastPass have a lot of work ahead of them, but not nearly as much as companies who have not mandated a password manager and allow employees to decide. There are easily dozens or thousands of current and FORMER employees who didn’t have any mandate for strong “management passwords” or MFA. And the company has NO IDEA, no way to get the vaults, no way to explain this to regulators.
And finally, the intermixing of company and personal secrets in a password manager seems extremely dangerous in hindsight. I would highly recommend discouraging this type of co-mingling or, sadly, some draconian policy where companies declare any password manager accessed from a company-owned or managed device or network is subject to inspection by the company (yuck).
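The data perimeter point above, and the "public storage buckets" theme from the 2022 breach retrospective posted earlier, are easy to state and easy to get wrong in an actual bucket policy. The following is an added example (not code from the original posts or from any of the linked write-ups) that audits an S3 bucket policy document for both properties: whether any Allow statement is open to any principal without a condition, and whether a Deny statement establishes an identity or network perimeter (aws:PrincipalOrgID, aws:SourceVpce, aws:SourceVpc) for all S3 actions. The sample policies, the org id and the account id are constructed; a production perimeter policy would also carve out exceptions for AWS service principals, which this checker does not model.

```python
"""Audit an S3 bucket policy for public access and for a data perimeter Deny.

Added example. The two sample policies at the bottom are constructed; no AWS
API calls are made, so this runs offline.
"""
import json

# Condition keys that bound *who* (identity) or *from where* (network) may reach the bucket.
PERIMETER_KEYS = {"aws:PrincipalOrgID", "aws:SourceVpce", "aws:SourceVpc"}
# Operators that express "deny unless the key matches", which is how a perimeter Deny is written.
NEGATED_OPERATORS = {"StringNotEquals", "StringNotEqualsIfExists", "StringNotEqualsIgnoreCase"}


def _as_list(value):
    """IAM policy grammar allows a string or a list in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (any account, including anonymous callers)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_statements(policy):
    """Return the indexes of Allow statements granted to any principal with no Condition."""
    found = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if (stmt.get("Effect") == "Allow"
                and _is_wildcard_principal(stmt.get("Principal"))
                and not stmt.get("Condition")):
            found.append(idx)
    return found


def has_data_perimeter(policy):
    """True if a Deny covers every principal and every S3 action and is conditioned on a
    negated perimeter key, i.e. 'deny unless the caller is in our org / comes via our VPC'."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action", []))
        if "s3:*" not in actions and "*" not in actions:
            continue
        for operator, key_values in stmt.get("Condition", {}).items():
            if operator in NEGATED_OPERATORS and PERIMETER_KEYS & set(key_values):
                return True
    return False


def audit(policy_document):
    """Parse a policy JSON string and report both findings as a dict."""
    policy = json.loads(policy_document)
    return {"public_statements": public_statements(policy),
            "has_data_perimeter": has_data_perimeter(policy)}


# Constructed sample: the classic public-read bucket that shows up in breach write-ups.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})

# Constructed sample: scoped Allow plus an org-wide perimeter Deny (org id is a placeholder).
PERIMETER_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"StringNotEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    ],
})

if __name__ == "__main__":
    print("public policy:   ", audit(PUBLIC_POLICY))
    print("perimeter policy:", audit(PERIMETER_POLICY))
```

The Deny-based shape matters: an Allow with a perimeter condition only restricts that one grant, while a wildcard Deny with StringNotEquals on aws:PrincipalOrgID overrides every Allow, including ones added later by mistake, which is what gives an attacker with leaked credentials nothing to use from outside the organisation.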
Permiso's got a write-up on an attacker targeting what appear to be public Jupyter notebooks to steal AWS creds (but not all victims are on AWS and the infection vector is unknown). https://permiso.io/blog/s/christmas-cloud-cred-harvesting-campaign/
Blog | Cloud Cred Harvesting Campaign - Grinch Edition

The Grinch targets Jupyter this Christmas with a cloud cred harvesting campaign.

🗓️ December 24th #AdventOfCloudSecurity

Together with @houston and @rami we wrote an analysis of over 50 publicly disclosed cloud breaches of 2022!

https://securitylabs.datadoghq.com/articles/public-cloud-breaches-2022-mccarthy-hopkins/

Merry Christmas to everyone who celebrates it!


Ohh for 🦊 sake…
Word is out that I ate too much on Thanksgiving. Time to get Pig Butchered.