  1. Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 08-Jun-2024 11:15:47 JST

    Another Snowflake customer breach: https://techcrunch.com/2024/06/07/snowflake-ticketmaster-lendingtree-customer-data-breach/

    Attachments

    1. What Snowflake isn't saying about its customer data breaches | TechCrunch
      from Zack Whittaker
      As another Snowflake customer confirms a data breach, the cloud data company says its position "remains unchanged."
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 09-Jun-2024 23:51:02 JST

      One thing I didn't know until recently is Snowflake has a massive fanbase, Apple and Amiga style - if you critique Snowflake in any way people flip tables. The comments on my blog are fun. I mean, the clue is in the product name, really.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 09-Jun-2024 23:51:49 JST

      IMHO it's fair to call out Snowflake's authentication isn't very good - it's the worst SaaS MFA solution I've seen as it has no top level, easy switch for org wide MFA enforcement.

      Combined with putting all customers under *.snowflakecomputing.com sub domain is why their customers are getting owned - infostealers are just full of creds ready to go.

      I gather Snowflake are discussing changes to fix, don't tell the fanboys (and yes, they're all dudes).

    • Ankit Pati (ankitpati@mastodon.social)'s status on Monday, 10-Jun-2024 00:13:15 JST

      @GossiTheDog

      > putting all customers under *.snowflakecomputing.com sub domain

      How else would you have them handle it? Nearly all SaaS providers do exactly this.

      A popular one you might have come across is *.github.io.

      (Not a fanboy; I just work for another SaaS vendor and would like to know if we’re doing anything terribly wrong.)

    • Ankit Pati (ankitpati@mastodon.social)'s status on Monday, 10-Jun-2024 00:23:25 JST

      @GossiTheDog Yes, the auth part I understood.

      It’s the subdomain part I didn’t get, and I’m worried we’re doing the same thing. If it’s something bad and preventable, I’d like to get the right eyes on the problem ideally before it blows up.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 10-Jun-2024 23:36:53 JST

      Mandiant have informed 165 organisations they may have had data exfiltration from their Snowflake hosted databases

      https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion/

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 11-Jun-2024 20:55:24 JST

      Pure Storage have been breached via Snowflake. https://support.purestorage.com/bundle/m_security_bulletins/page/Pure_Security/Security_Bulletins/topics/concept/c_Security_Bulletin_for_Unauthorized_Access_to_Telemetry_Information.html

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/112/597/851/313/712/820/original/c47dece022dd9d49.jpeg
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 11-Jun-2024 21:04:53 JST

      Kinda interesting - Mandiant notified Snowflake that over 100 customers had data exfil issues, and Snowflake’s share price immediately began to tank in sell-offs - before the incident was made public.

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/112/597/887/618/568/504/original/a74cce8d27ac9d01.jpeg

      2. https://cyberplace.social/system/media_attachments/files/112/597/887/886/237/092/original/c0075e8f65ce4eb1.jpeg
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 11-Jun-2024 21:54:55 JST

      ✅ won a game of Call of Duty
      ✅ hacked the world’s largest companies
      ✅ used an infostealer

      Can’t wait for these guys to have super secure Microsoft Recall, which is definitely encrypted from the user 🤪🤪🫡

      https://www.bleepingcomputer.com/news/security/pure-storage-confirms-data-breach-after-snowflake-account-hack/

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/112/598/085/612/579/696/original/7819694e7541297d.jpeg
    • Apicultor 🐝 (apicultor@hachyderm.io)'s status on Wednesday, 12-Jun-2024 03:54:26 JST

      @GossiTheDog According to your timeline and the market data my own brokerage gives me access to, I see a nice big selloff the day after Mandiant notified Snowflake and the FBI, which is the day before the data popped up for sale.

      Insider trading? That's unpossible!

      Attachments

      1. https://media.hachyderm.io/media_attachments/files/112/599/431/022/779/683/original/6a185bc882db357d.png
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 13-Jun-2024 06:48:22 JST

      Snowflake have told customers "We are also developing a plan to require our customers to implement advanced security controls, like multi-factor authentication (MFA) or network policies, especially for privileged Snowflake customer accounts."

      Good! They also say the attack was "not caused by a vulnerability, misconfiguration, or breach of its product". Just happy little bad MFA.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 18-Jun-2024 00:43:06 JST

      Nice: "In a phone call this week, Jones (Snowflake CISO) told WIRED that Snowflake is working on giving its customers the ability to mandate that users of their accounts employ multifactor authentication going forward, “and then we’ll be looking in the future to [make the] default MFA,” he says."

      This will be a great outcome for Snowflake customers and Snowflake itself. I know Snowflake got big mad at me for pointing it out, but that was a prime weakness in their MFA.

      https://www.wired.com/story/epam-snowflake-ticketmaster-breach-shinyhunters/

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 18-Jun-2024 01:50:01 JST

      The Hudson Rock blog archive earlier in this thread on Internet Archive has also been removed.

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/112/632/975/140/339/539/original/48daf1aad86e1c3a.jpeg
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 18-Jun-2024 01:56:04 JST

      The Hudson Rock blog on Snowflake, archived elsewhere: https://archive.ph/2024.06.01-023241/https://www.hudsonrock.com/blog/snowflake-massive-breach-access-through-infostealer-infection

      Attachments

      1. Snowflake, Cloud Storage Giant, Suffers Massive Breach: Hacker Confir…
        archived 5 Jun 2024 19:21:14 UTC
    • Michael Kohne (mhkohne@mastodon.social)'s status on Tuesday, 18-Jun-2024 04:12:44 JST

      @GossiTheDog Do we know why it got removed? Did Snowflake C&D them? And if so, why, is there anything manifestly untrue in it? (Looked to me from the archive that HR was careful to state that this was all 'claimed by the hacker', not proven facts).

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 18-Jun-2024 04:28:20 JST

      65 page PDF on searching for Snowflake malicious activity: https://services.google.com/fh/files/misc/snowflake-threat-hunting-guide.pdf

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 25-Jun-2024 04:43:59 JST

      When Snowflake allows orgs to easily mandate MFA across their users, I plan to answer this forum post from 2019. https://community.snowflake.com/s/question/0D50Z00008ugjwISAQ/is-there-a-way-to-force-all-users-to-use-mfa

      Attachments

      1. Snowflake Community
        Join our community of data professionals to learn, connect, share and innovate together
    • Zack Whittaker (zackwhittaker@mastodon.social)'s status on Tuesday, 25-Jun-2024 05:20:45 JST

      @GossiTheDog "I would also like to have a setting that enforces MFA. Hopefully this can be implemented soon," said Bas... *two years ago*.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 28-Jun-2024 00:15:32 JST

      Cisco has a look across the wider infostealer problem, using Snowflake as a jumping off point: https://blog.talosintelligence.com/infostealer-landscape-facilitates-breaches/

      Attachments

      1. Snowflake isn’t an outlier, it’s the canary in the coal mine
        from @infosec_nick
        By Nick Biasini with contributions from Kendall McKay and Guilherme Venere Headlines continue to roll in about the many implications and follow-on attacks originating from leaked and/or stolen credentials for the Snowflake cloud data platform. Adversaries obtained stolen login credentials for Snowflake accounts acquired via information-stealing malware and used
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 28-Jun-2024 00:19:03 JST

      I think SaaS providers who provide their own authentication have a responsibility to provide robust, *enforceable* MFA for their customers - so if an org wants all their users to require MFA, they can and it’s just an easy tick box.

      Some SaaS providers aren’t doing this - and it’s the reason infostealer logs are such a problem. Their angle is customer is solely responsible, but as a counterpoint: see how that is working out for Snowflake.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 10-Jul-2024 07:29:40 JST

      Snowflake have rolled out MFA changes:

      - A new authentication policy that requires MFA for all users in a Snowflake account

      - prompting for user-level MFA setup

      - Snowflake Trust Center for monitoring adherence to MFA policies

      This solves all the inherent product weaknesses from the prior setup, they did a good job.

      https://www.snowflake.com/blog/snowflake-admins-enforce-mandatory-mfa/

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 12-Jul-2024 19:40:00 JST

      AT&T become latest org caught up in Snowflake incident - they’ve had phone call records and text messages stolen for nearly all customers. https://www.404media.co/hackers-steal-text-and-call-records-of-nearly-all-at-t-customers/

      Attachments

      1. Hackers Steal Text and Call Records of ‘Nearly All’ AT&T Customers
        from @josephfcox
        In one of the most significant data breaches in recent history, hackers stole AT&T customers’ call and text metadata spanning several months.
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 12-Jul-2024 20:23:00 JST

      The person who got arrested for this is likely a kid btw, there’s a bunch on Telegram who operate with terrible OPSEC.

      Turns out yeeting your most sensitive data into a “cloud AI platform” with no enforceable (at the time) MFA was a bad idea.

    • Paul Bailey (paulbailey@mas.to)'s status on Friday, 12-Jul-2024 21:26:22 JST

      @GossiTheDog It’s still completely wild to me that an org as big as that isn’t just using SSO with SAML/OIDC.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 13-Jul-2024 00:41:46 JST

      An observation - AT&T, which today announced the biggest data breach of any telco worldwide ever - is down 0.35% on stock market

      Snowflake, who own the SaaS platform, are down another 2%, 15% down over 3 months

      Each breach has driven Snowflake’s share price down, but not their customers’ share price

      In other words: 2024 reality, if you’re a SaaS provider, infostealers and cyber crime groups are a competitor - you have to be shit hot at authentication (even if it inconveniences the customer)

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 13-Jul-2024 03:08:09 JST

      Advanced Auto Parts have confirmed 2.8 million people impacted in their Snowflake breach. https://www.helpnetsecurity.com/2024/07/12/breach-snowflake-mfa/

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 13-Jul-2024 03:46:30 JST

      The AT&T Snowflake database wasn’t a law enforcement database, that is false.

      They’re a major Snowflake customer, they put CDR in to do data analysis.

      They subscribe to Snowflake Telecom Data Cloud and push petabytes of data in, as do other telcos. Snowflake had no way to mandate MFA on local accounts.

    • Cadmus 🌲 (camless@m.ai6yr.org)'s status on Saturday, 13-Jul-2024 03:51:22 JST

      @GossiTheDog CDR stands for?

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 23-Aug-2024 16:44:06 JST

      The latest Snowflake quarterly results dropped on Wednesday so I looked at their investor presentation, to see what they said about the security incident.

      Nothing.

      The company's net loss widened to $317 million, from $227 million during the same period a year earlier but this isn’t unusual, they have had accelerated losses for some time.

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/113/010/214/045/988/156/original/851f79a0af231326.jpeg
    • Marcus Hutchins :verified: (malwaretech@infosec.exchange)'s status on Friday, 23-Aug-2024 16:58:30 JST

      @GossiTheDog Is it really a security incident though? There was no evidence snowflake itself was breached

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 15-Sep-2024 07:40:58 JST

      More smart changes by Snowflake

      MFA enforced on all accounts and all new sign ups

      Long term plan to go passwordless for authentication (or rather no single factor password auth)

      https://www.snowflake.com/en/blog/multi-factor-identification-default/

      Attachments

      1. Snowflake Strengthens Security with Default Multi-Factor Authentication and Stronger Password Policies
        MFA will be enforced for all human users in any Snowflake account created in October 2024. Learn how to prepare for the upcoming changes.
    • Guelfo Alexander Ghibellini (guelfoalexander@cyberplace.social)'s status on Sunday, 15-Sep-2024 17:53:39 JST

      @GossiTheDog this passwordless thing is the email with the magic link, like StreamYard?

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 04-Nov-2024 22:24:11 JST

      Paywall'd article, but a fun look at infostealers and how they played a part in the Snowflake happy little cyber incident earlier this year https://www.404media.co/inside-the-massive-crime-industry-that-is-hacking-billion-dollar-companies-copy-2/

      Attachments

      1. Inside the Massive Crime Industry That is Hacking Billion Dollar Companies
        from @josephfcox
        When you download that piece of pirated software, you might be also getting a piece of infostealer malware, and entering a highly complex hacking ecosystem that is fueling some of the biggest breaches on the planet.
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 05-Nov-2024 21:47:04 JST

      The alleged Snowflake hacker behind the 160 odd happy little cyber incidents has been arrested in Canada. If it’s him he probably shouldn’t have admitted it to a reporter. https://www.404media.co/suspected-snowflake-hacker-arrested-in-canada/

      Attachments

      1. Suspected Snowflake Hacker Arrested in Canada
        from @josephfcox
        For more than a week Judische, the hacker linked to the AT&T, Ticketmaster and other breaches, has not been responding to messages. That's because he's been arrested.
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 06-Nov-2024 02:51:02 JST

      there's so many wtf moments in this story about the alleged Snowflake hacker, lol

      https://krebsonsecurity.com/2024/11/canadian-man-arrested-in-snowflake-data-extortions/

    • Ulrich_the_Elder, 🇨🇦,🇺🇦 (ulrich_the_elder@thecanadian.social)'s status on Wednesday, 06-Nov-2024 05:24:10 JST

      @GossiTheDog fuck your paywall. If this is important let me see it. If not fuck off.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 09-Dec-2024 21:39:29 JST

      I should loop this in for more crazy on the Snowflake non-incident incident, where a bunch of teens ran around the poor security at both Snowflake and Snowflake's customers.

      https://www.wsj.com/tech/cybersecurity/hacking-brian-krebs-snowflake-waifu-49b87fce?st=Pubz4o

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/113/622/903/980/862/616/original/9d979bf123414800.png
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 01-Jan-2025 03:17:18 JST

      Boggles the mind that nation state China managed to get into various US telcos.. and so did a 20 year old kid, who had to be doxxed by @briankrebs to even get arrested.

      I'm hoping this one goes to trial so the feds are forced to reveal what happened - as I understand it, various telcos exported CDRs - call record data - and put it into Snowflake Telco Cloud, which didn't have a feature to require MFA for every telco user account, and some users forgot to enable it.

      https://krebsonsecurity.com/2024/12/u-s-army-soldier-arrested-in-att-verizon-extortions/

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 01-Jan-2025 03:28:20 JST

      Snowflake incidents explained (the design has since changed)

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/113/748/846/665/558/488/original/739c0b3952d35622.png
