
"Here’s how the hack went down: Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company."

Seems to suggest they committed AWS credentials into source control?



81% of all breaches now originate from compromised credentials mainly acquired from 3rd party data breaches or data leaks. Most organizations believe that 2FA and SSO are the answer but this proves that 2FA/SSO are not enough.


81% — that is a very precise number.

Folks should be using short-lived AWS tokens to avoid the possibility of having tokens in source control: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentia...


If the attack was conducted using login credentials found on github how does this prove that 2FA/SSO are not enough? Wouldn't 2FA have prevented easy use of these credentials?


Do you believe this kind of thing is simply unavoidable? I wonder if this could've been avoided by simply making it impossible to access data without being connected to a VPN in addition to having some sort of physical device connected to your computer.


For Amazon you can use IAM roles tied to specific EC2 instances; then no credentials are ever stored. You simply make S3 API calls in your code, and as long as the machine you're making them from has access to the bucket, you can get to the data.


It's entirely avoidable. Just don't commit secrets to source control. Ever.


I don’t think many people intentionally commit secrets to source control. Frequently, it’s a matter of committing a bunch of work and accidentally missing the credentials you stuck in some prototype code.
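The accidental case described above is what a pre-commit secret scan is for. The following is an added example for this thread, not code from Uber, AWS or any commenter; it assumes the documented shape of AWS keys (access key IDs are 20 upper-case alphanumerics starting with `AKIA` or `ASIA`; secret keys are 40 base64-style characters) and uses a label heuristic for secrets, the sample diff and the `scan_diff` / `scan_lines` names being constructed here.

```python
"""Pre-commit style check for AWS credentials in the lines a commit adds.
Constructed example, not Uber's or AWS's code. Assumes the documented key
shapes: access key IDs are 20 upper-case alphanumerics starting with AKIA
(long-term) or ASIA (temporary); secret keys are 40 base64-style characters."""
import re

ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secrets have no prefix, so anchor on a 'secret...key' label rather than
# flagging every 40-char hash or base64 blob (heuristic, not an AWS rule).
SECRET_KEY_RE = re.compile(
    r"(?i)secret(?:_access)?_?key\W{0,4}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")

def redact(value):
    """Enough to locate the match in the file, never the whole credential."""
    return value[:4] + "..." + value[-4:]

def scan_lines(numbered_lines):
    """Return (line_number, kind, redacted_match) per suspected credential."""
    hits = []
    for lineno, line in numbered_lines:
        for m in ACCESS_KEY_RE.finditer(line):
            hits.append((lineno, "access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            hits.append((lineno, "secret_access_key", redact(m.group(1))))
    return hits

def added_lines(diff):
    """Yield (diff_line_number, content) for lines a unified diff adds; removed
    ('-') lines and '+++' headers are ignored, only new content is checked."""
    for n, line in enumerate(diff.splitlines(), 1):
        if line.startswith("+") and not line.startswith("+++"):
            yield n, line[1:]

def scan_diff(diff):
    """Scan only what the commit would introduce (e.g. `git diff --cached`)."""
    return scan_lines(added_lines(diff))

# Constructed staged diff; the key values are AWS's own documentation examples.
SAMPLE_DIFF = """\
diff --git a/settings.py b/settings.py
+++ b/settings.py
-AWS_ACCESS_KEY_ID = "AKIAAAAAAAAAAAAAAAAA"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+BUILD_SHA = "3b0f1e7a9c2d4e5f6a7b8c9d0e1f2a3b4c5d6e7f"
"""

if __name__ == "__main__":
    for lineno, kind, shown in scan_diff(SAMPLE_DIFF):
        print(f"diff line {lineno}: possible AWS {kind} {shown}")
```

Wired into a pre-commit hook on the output of `git diff --cached`, a non-empty result blocks the commit before the key ever reaches the remote.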


This is good advice, but even if you don't, it's possible that someone else on your team will.


I agree with ajsharp, this is completely avoidable.

Along with never committing secrets to source control, implementing third-party data breach and data leak monitoring is necessary, as recommended in NIST 800-63B.



