Source: securityboulevard.com – Author: Richi Jennings
The analytics firm kept big organizations’ secrets in an insecure AWS bucket. The government says victims include the “critical infrastructure sector.”
Sisense, a service provider to huge companies including Nasdaq, Verizon and Air Canada, has lost control of its customers’ credentials and access tokens. The Cybersecurity and Infrastructure Security Agency warned users of the service to drop everything and rotate or reset their secrets.
Sources say Sisense stopped storing secrets securely. In today’s SB Blogwatch, we facepalm hard.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Sweet Friends.
A Hard-Coded Credential Catastrophe
What’s the craic, Zack? Mr. Whittaker broke the story: US government urges Sisense customers to reset credentials
“Passwords and private keys”
CISA is warning Sisense customers to reset their credentials and secrets. … The exact nature of the cybersecurity incident is not clear yet. … News of the incident first emerged on Wednesday after … Brian Krebs published a note sent by Sisense [CISO] Sangram Dash urging customers to “rotate any credentials that you use within your Sisense application.”
…
Sisense counts Air Canada, PagerDuty, Philips Healthcare, Skullcandy and Verizon as its customers, as well as thousands of other organizations. … Founded in 2004, [it] develops business intelligence and data analytics software for big companies … by tapping directly into their existing technologies and cloud systems. Companies like Sisense rely on using credentials, such as passwords and private keys, to access a customer’s various stores of data for analysis. With access to these credentials, an attacker could potentially also access a customer’s data.
Let’s hear more from Brian. All aboard the Krebs cycle: Why CISA is Warning CISOs
“Sisense declined to comment”
The breach appears to have started when the attackers somehow gained access to the company’s Gitlab code repository, and in that repository was a token or credential that gave the bad guys access to Sisense’s Amazon S3 buckets. … The attackers used the S3 access to copy and exfiltrate several terabytes worth of Sisense customer data, which apparently included millions of access tokens, email account passwords, and even SSL certificates.
…
Unknown attackers now have all of the credentials that Sisense customers used in their dashboards. … It may be possible for attackers to re-use those access tokens to authenticate as the victim without ever having to present valid credentials. … The incident raises questions about whether Sisense was doing enough to protect sensitive data entrusted to it by customers.
…
Sisense declined to comment: … “They have told me that they don’t wish to respond,” … a public relations firm working with Sisense … said in an emailed reply.
Horse’s mouth? Sisense CISO Sangram Dash rolls out the ol’ we take security seriously shtick:
“Paramount importance”
We are taking this matter seriously and our investigation remains ongoing. … We have a dedicated response team on standby.
…
Customers must reset any keys, tokens, or other credentials in their environment used within the Sisense application. … We give paramount importance to security and are committed to our customers’ success.
Can you explain it like I’m five? EdwardDiego offers a colorful metaphor:
This feels ridiculous in this day and age. … You left the key for the place where you stored everyone else’s keys out in the relative open. … Say you keep your guns in a gun-safe in your garage, and then hang the key for the safe in the garage. With a sign saying “gun safe key.”
…
But if the AWS secrets weren’t just hanging on the wall, then progressing from Gitlab compromise to S3 compromise would a) be harder and b) take longer, both of which increase the chance of discovery. … If you care about the security of your guns and/or customer data, don’t leave the key hanging about in plain sight as a good first step. Make them compromise multiple things, not just one thing.
Defense in depth, people! Canberra1 calls it “unforgivable:”
Writing credentials down or hardcoded in scripts is just as negligent as writing down passwords on post-it notes. … Real companies like RSA did do things properly, but still had state based actors doing incredible attacks — even a decade ago!
Heaps of companies are still using dumb FTP, not SFTP, with hardcoded script passwords. One day we will have time generated 2 factor authentication everywhere, but not today.
It’s 2024. Do you know where your secrets are stored? Here’s Admiral Snackbär:
It’s wild … that we need a company whose entire purpose is to provide an overview of all the bandaids your company has, while seemingly being able to compromise every single one of these bandaids—just because one dev had a bad day a few months ago. The state of enterprise security is abysmal.
What a mess. Evan Roberts sees it through a crisis-management lens:
This is not just a technical issue. Comms teams should be connecting with their IT and engineering colleagues to understand:
1) if their organization uses Sisense,
2) if the proper remedial actions have or are being taken, and
3) what reactive comms they need to start considering now if widespread exposure has in fact taken place.
As we’ve seen with these digital supply chain issues in the past, those that move fast and bring together the right IT, InfoSec, Legal and Communications experts are best positioned to weather a potentially resultant crisis.
How did this happen? Truth be told, TruthBeTold tells their truth: [You’re fired—Ed.]
This is a bit surprising … but it sounds like Sisense has been in some turmoil now for a couple of years. … The company has been through a couple cycles of reorgs and mass layoffs.
Meanwhile, reaperducer breaks out the dabber:
“Certain information”—check!
“We take this seriously”—check!
“Abundance of caution”—check!
Cloud buckets—check!
Declined to comment—check!
It’s like playing Modern IT Security Bingo.
And Finally:
Our favorite box-headed DJs return to form
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Recent Articles By Author
Original Post URL: https://securityboulevard.com/2024/04/sisense-cisa-warning-richixbw/
Category & Tags: API Security,Application Security,AppSec,CISO Suite,Cloud Security,Cyberlaw,Cybersecurity,Data Privacy,Data Security,Deep Fake and Other Social Engineering Tactics,DevOps,DevSecOps,Digital Transformation,Editorial Calendar,Featured,Governance, Risk & Compliance,Humor,Identity & Access,Identity and Access Management,Incident Response,Industry Spotlight,Insider Threats,Most Read This Week,Network Security,News,Popular Post,Regulatory Compliance,Securing Open Source,Securing the Cloud,Security Awareness,Security Boulevard (Original),Security Operations,Social – Facebook,Social – LinkedIn,Social – X,Social Engineering,Software Supply Chain Security,Spotlight,Threats & Breaches,Vulnerabilities,Zero-Trust,Amazon Web Services (AWS),aws,AWS access keys,AWS bucket,cisa,CISA Advisories,CISA Advisory,CISA Alert,CISA warning,CISA.gov,depth,NSA/CISA,Sangram Dash,SB Blogwatch,Sisense – API Security,Application Security,AppSec,CISO Suite,Cloud Security,Cyberlaw,Cybersecurity,Data Privacy,Data Security,Deep Fake and Other Social Engineering Tactics,DevOps,DevSecOps,Digital Transformation,Editorial Calendar,Featured,Governance, Risk & Compliance,Humor,Identity & Access,Identity and Access Management,Incident Response,Industry Spotlight,Insider Threats,Most Read This Week,Network Security,News,Popular Post,Regulatory Compliance,Securing Open Source,Securing the Cloud,Security Awareness,Security Boulevard (Original),Security Operations,Social – Facebook,Social – LinkedIn,Social – X,Social Engineering,Software Supply Chain Security,Spotlight,Threats & Breaches,Vulnerabilities,Zero-Trust,Amazon Web Services (AWS),aws,AWS access keys,AWS bucket,cisa,CISA Advisories,CISA Advisory,CISA Alert,CISA warning,CISA.gov,depth,NSA/CISA,Sangram Dash,SB Blogwatch,Sisense
