I miss pwn4ge like this, but even this was kind of weak because they didn't do anything funny and also damaging, must be both
all we've gotten this decade were super quiet "state-level actors", and uninspired trolls
I want the "for the lulz" ASCII art pros dropping MIDI music while also pillaging corporations and leaking secrets
make a festival out of it.
I think it's coming, a hack that incorporates the best of the latest hacks. Like making a docker disk image of content that was leaked, so that all the other hackers (including the original hacker) have plausible deniability and don't violate the CFAA
Heyo, I run Developer Advocacy at Okta. Just FYI, here's our official statement on the news:
The Okta service has not been impacted by the Verkada breach. After conducting further investigation, Okta determined that five Verkada cameras were compromised. These cameras were isolated and separate from Okta’s production and company networks. Okta does not employ facial recognition technology, and there is no evidence that any live streams were viewed during the limited access that occurred. Okta employs Verkada technology only in office entrances.
Devices such as cameras are usually isolated on their own VLAN. In addition, just because you are on the network doesn't really mean anything if there is a zero trust security model.
Indeed! Here's the official Okta statement (I run Developer Advocacy at Okta):
The Okta service has not been impacted by the Verkada breach. After conducting further investigation, Okta determined that five Verkada cameras were compromised. These cameras were isolated and separate from Okta’s production and company networks. Okta does not employ facial recognition technology, and there is no evidence that any live streams were viewed during the limited access that occurred. Okta employs Verkada technology only in office entrances.
This is Cloudflare's official statement (I work for Cloudflare):
This afternoon we were alerted that the Verkada security camera system that monitors main entry points and main thoroughfares in a handful of Cloudflare offices may have been compromised. The cameras were located in offices that have been officially closed for nearly a year.
As soon as we became aware of the compromise, we disabled the cameras and disconnected them from office networks. No customer data or processes have been impacted by this incident.
This incident emphasizes the importance of the Zero Trust model that Cloudflare follows and provides to customers, which ensures that if any one system or vendor is compromised, it does not compromise the entire organization. Unlike the previous castle-and-moat approach, a Zero Trust model functions more like bulkheads in a ship, making sure that a leak in one place doesn’t sink the entire ship.
Hackers gained access to over 150,000 of [Verkada]’s cameras, including cameras in Tesla factories and warehouses, Cloudflare offices, Equinox gyms, hospitals, jails, schools, police stations, and Verkada’s own offices, Bloomberg reports.
>The cameras were located in offices that have been officially closed for nearly a year.
This explanation begs the obvious question, why were they still connected to Cloudflare's internal network for nearly a year? Does Cloudflare just keep paying rent for 'officially closed' offices? Obviously this ArsonCats group is exaggerating the extent of the hack but this official explanation from Cloudflare doesn't exactly pass the sniff test either.
I don’t know about Cloudflare specifically, but almost every Cloudflare-sized tech company in SF has had their offices closed to employees for a year. Most of them plan to reopen and are continuing to pay rent.
Under those circumstances it definitely makes sense to keep the cameras on.
I understand this and that's the point I'm trying to make here. The statement is just deflecting and downplaying the issue. What exactly does 'officially closed' mean? The office wasn't 'officially closed', it was unoccupied because of COVID. It was still paid for by Cloudflare and on its network. The statement is purposefully misleading.
This sounds silly, of course, but it wouldn't surprise me if someone cheaped out somewhere and connected two networks that should never be connected together.
That’s kind of beside the point, any aircraft security staff involved would demand segregation. 150k random companies? Hell, 75% don’t even have security teams.
That's not good, but it's bullshit to claim, "if we wanted to we could have probably owned half the internet in like a week." I seriously doubt that any of these companies have their security cameras on the same networks as anything sensitive, let alone production infrastructure. Heck, I doubt that any have their cameras on the same networks as developer machines (which are used on public networks all the time and can have all kinds of dubious software installed on them).
If you have security cameras though, doesn't that open up a huge amount of possibilities to deepen the intrusion? Just most obviously you can watch anyone log in to anything you can see and get some credentials that way. Sounds like these offices are closed, but I'm sure there's some clever way to get someone to need to log in to some machine. Or just be patient and wait.
Hell the offices being closed and having control of the security cameras offers what sounds a lot like the start of a great way to break in quietly and get physical access. How many systems do you know that are secure if you can touch them?
You can see the resolution of the cameras in some of the account's other tweets. It's not high enough to see information on the screen. Watching keyboard inputs might be possible, but even then I doubt the framerate is high enough to get all the keys.
More importantly: at most companies, accessing sensitive systems requires more than just a username and password. Pretty much every place requires TOTP or HOTP, often via a hardware token. Many firms also restrict access to specific machines.
Yeah 2fa is a good point. You'd really hope that anything important would require it, but not sure that's universally true. Social engineering attacks become a lot easier possibly, 2fa tends to need to be overridden a lot because people lose their tokens.
I didn't see the low res cameras, that should make it harder. I wouldn't be surprised if AI or tedium (view each frame, guess and check, etc.) could still get you passwords, but yeah it's starting to sound like more of a stretch. If the cameras have sound that should help get creds too.
Note in both screenshots, copious amounts of 'mmcblk0pXX', that looks like an embedded device. Probably the same cameras this group found vulns in. The idea that those cameras somehow give access to all of cloudflare, or all of OKTA, is wrong and clickbait and sensationalist.
By the way, according to github [1] this girl is in Switzerland. There exist extradition treaties, and she is not operating under a pseudonym. These are publicly traded companies. She could very easily find herself in prison for this.
In addition to tweeting photos of families and children in private homes [0] taken from hacked cameras, she tweeted a selfie with her full face [1] on the account which claimed responsibility for this hack. Lots of people with legal recourse may be embarrassed or outraged by this breach. Joking about "doing crime" [2][3] does not play well in court. She also seems to struggle with mental illness [4]. I don't see how this ends well for her.
> if we wanted to we could have probably owned half the internet in like a week.
Oh, skids. Pop a single shell in a disposable environment in some corporate hellscape cloud infra and they think they can pwn the interwebs. I'm sure you could root some shitty Fargate container of some shitty web app in my company, too, but you literally can't get to any other network from it.
They'll be dining out on this for years on irc. (do the kids still irc? is twitter the new irc?)
Their cameras? Big deal, it is an empty building over at Okta. I thought they meant they got into an Okta cell and I was very interested to hear how that was done.
It's very interesting that both Cloudflare and Tesla have the exact same disk setup on such important systems on their corporate networks, down to the numerous strangely small partitions on MMC.
Oh, wait, neither Cloudflare nor Okta were hacked. Crappy IoT devices on their networks - quite likely isolated or untrusted - were hacked.
Frankly if these companies trusted their 'corporate networks', THAT would be the story here. But the fact that someone hacked their cameras was both posted here a few hours ago[1] and not news[2].
> quite likely isolated or untrusted - were hacked.
I disagree. From my experience there are many big corps out there that use VLANs but don't properly secure them. And even if they did I expect pivoting from these hosts would be trivial when compared to getting in externally.
Finally, these cameras aren't alone. They're often integrated into a centralized controller which has to be routable by both the cameras as well as the host/hosts required to review the footage. So even IF they were properly segmented there's still most likely a path to the 'corp' VLAN.
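The two posts above make a concrete architectural point: cameras on their own VLAN are only as isolated as the flows the firewall permits, and a shared recording controller that both the cameras and the corp review hosts can reach is a transitive path out of the camera segment. The reachability audit below is an added example written for this thread; it is not code from any company or vendor named here, and the two policies it checks are constructed stand-ins, not anyone's real network. It treats each rule as "source may initiate a connection to destination" (a stateful firewall handles replies) and computes, in the worst case where every reachable host might be compromised in turn, which segments an attacker holding the camera VLAN could pivot into.

```python
from collections import deque

# Constructed example policies (not a real network). Each rule is
# (source segment, destination segment, service): the source may *initiate*
# a connection to the destination on that service. A stateful firewall
# allows the replies, so no reverse rule is needed for return traffic.
LOOSE_POLICY = [
    ("cameras", "controller", "any"),
    ("controller", "cameras", "any"),
    ("corp", "controller", "any"),
    ("controller", "corp", "any"),   # the common mistake: symmetric any/any between VLANs
]

TIGHT_POLICY = [
    ("cameras", "controller", "tcp/554"),   # cameras push video to the recorder
    ("controller", "cameras", "tcp/443"),   # recorder manages the cameras
    ("corp", "controller", "tcp/443"),      # review hosts pull footage from the recorder
    # deliberately no controller -> corp rule: the recorder never initiates into corp
]


def build_graph(policy):
    """Collapse a rule list into a directed graph of segments that may
    initiate connections to one another (service is ignored here because
    any permitted service is a foothold for the worst-case analysis)."""
    graph = {}
    for src, dst, _service in policy:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph


def pivot_paths(policy, start):
    """Breadth-first search from `start`. Returns {segment: path} for every
    segment reachable by chaining permitted connection initiations, i.e. the
    segments an attacker could pivot into if each hop's host is compromised."""
    graph = build_graph(policy)
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in sorted(graph.get(cur, ())):
            if nxt not in paths:
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    return paths


def can_pivot_to(policy, start, target):
    return target in pivot_paths(policy, start)


def audit(policy, foothold="cameras", critical=("corp",)):
    """Return a finding string for every critical segment reachable from the
    assumed foothold; an empty list means the segmentation holds on paper."""
    paths = pivot_paths(policy, foothold)
    return [
        f"{foothold} can pivot to {seg} via {' -> '.join(paths[seg])}"
        for seg in critical
        if seg in paths
    ]


if __name__ == "__main__":
    for name, policy in (("loose", LOOSE_POLICY), ("tight", TIGHT_POLICY)):
        print(f"{name}: {audit(policy) or 'no pivot path to corp'}")
```

Under the loose policy the audit reports `cameras -> controller -> corp`, which is exactly the path described above; under the tight policy it reports nothing, because nothing in the camera or controller segments is permitted to open a connection toward corp. The model only covers network-layer initiation: a recorder serving a malicious file to a review host, or a shared credential reused across segments, is an application-level path it will not see, so the firewall rules are a necessary check, not a sufficient one.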
This is Okta's official statement (I run Developer Advocacy at Okta):
The Okta service has not been impacted by the Verkada breach. After conducting further investigation, Okta determined that five Verkada cameras were compromised. These cameras were isolated and separate from Okta’s production and company networks. Okta does not employ facial recognition technology, and there is no evidence that any live streams were viewed during the limited access that occurred. Okta employs Verkada technology only in office entrances.