Post AdTmckX3H51AzgqJ1M by jomo@mstdn.io
Post #AdTbCp58dYQS51DlPk by lorenzofb@infosec.exchange
2024-01-03T16:44:42Z
0 likes, 0 repeats
NEW: 23andMe is blaming customers for the data breach that affected 6.9 million customers. We saw a letter 23andMe sent to a group of victims that is suing the company, which shows what strategy the company will use in these lawsuits: blame the victims.
“Users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe,” the letter reads. “Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures.”
https://techcrunch.com/2024/01/03/23andme-tells-victims-its-their-fault-that-their-data-was-breached/
Post #AdTbCq6EqwtrEik9lg by jomo@mstdn.io
2024-01-03T17:53:52Z
2 likes, 0 repeats
@lorenzofb hot take: they are not wrong. If what they said is true, 23AndMe was not hacked, customers decided not to use 2FA and then used a known password, and allowed sharing their data with other customers. This is the customers' fault.
23AndMe did, however, not use standard security practices such as enforcing MFA, and it's right to blame them for that.
Post #AdTbLUYSKFx91S4GAK by feld@bikeshed.party
2024-01-03T17:56:44.350276Z
2 likes, 0 repeats
@jomo @lorenzofb agreed, it was a credential stuffing attack. No 2FA, and they just used a giant list of emails and passwords and logged into any account they could. 23&Me should have had some rate limiting and alerts for this, but c'est la vie, right?
Maybe customers shouldn't reuse passwords or something, idk
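The rate limiting and alerting feld mentions can be sketched as a detection over login logs: a source IP that tries many distinct accounts in a short window and mostly fails is the credential-stuffing signature, and the accounts it did get into are the ones to lock and notify. This is an added example, not code from anyone in the thread or from 23andMe; the log format, thresholds and sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample auth log (not data from the real incident): one source IP
# walks through many different accounts and mostly fails; two IPs behave normally.
SAMPLE_LOG = """\
2024-01-03T17:00:01Z ip=203.0.113.5 user=alice result=FAIL
2024-01-03T17:00:02Z ip=203.0.113.5 user=bob result=FAIL
2024-01-03T17:00:02Z ip=203.0.113.5 user=carol result=OK
2024-01-03T17:00:03Z ip=203.0.113.5 user=dave result=FAIL
2024-01-03T17:00:04Z ip=203.0.113.5 user=erin result=FAIL
2024-01-03T17:00:05Z ip=203.0.113.5 user=frank result=FAIL
2024-01-03T17:00:09Z ip=198.51.100.7 user=grace result=FAIL
2024-01-03T17:00:20Z ip=198.51.100.7 user=grace result=OK
2024-01-03T17:05:00Z ip=192.0.2.9 user=heidi result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

def parse_log(text):
    """Yield (timestamp, ip, user, success); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            yield ts, m["ip"], m["user"], m["result"] == "OK"

def detect_stuffing(text, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.5):
    """Flag source IPs that try many distinct accounts with a high failure ratio
    inside one fixed time window. Returns {ip: {"users": n, "fails": n, "hits": [...]}};
    "hits" are accounts the flagged IP actually logged into, i.e. the ones to lock and notify."""
    buckets = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0, "hits": []})
    for ts, ip, user, ok in parse_log(text):
        b = buckets[(ip, int(ts.timestamp() // window.total_seconds()))]
        b["users"].add(user)
        b["attempts"] += 1
        if ok:
            b["hits"].append(user)
        else:
            b["fails"] += 1
    flagged = {}
    for (ip, _), b in buckets.items():
        if len(b["users"]) >= min_users and b["fails"] / b["attempts"] >= min_fail_ratio:
            flagged[ip] = {"users": len(b["users"]), "fails": b["fails"], "hits": sorted(b["hits"])}
    return flagged
```

A real deployment would also key on ASN or user-agent, since stuffing is usually spread across many proxies rather than one address.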
Post #AdTmcjVF6JybnmzLYu by ret2bed@infosec.exchange
2024-01-03T19:43:31Z
0 likes, 0 repeats
@feld @jomo @lorenzofb I disagree. Maybe if the data of the affected user was the only data available when logging into an account, but they broke into a bunch of accounts and then stole further data from genetic matches iirc. Not preventing that kind of data theft when one of the parties did not have 2FA enabled is hardly the fault of the user but completely on the platform. This should not have been possible for accounts that don't have basic 2FA enabled.
Post #AdTmckX3H51AzgqJ1M by jomo@mstdn.io
2024-01-03T20:01:31Z
0 likes, 0 repeats
@ret2bed @feld @lorenzofb these people agreed to share their data with whoever the company decided to be genetic relatives, a.k.a. a bunch of random people from the internet.
Post #AdTmclNA9KhZbJDvFI by feld@bikeshed.party
2024-01-03T20:06:00.425949Z
2 likes, 1 repeats
@jomo @ret2bed @lorenzofb Has anyone in this thread other than myself actually created a 23andMe account, submitted a saliva sample and seen exactly what the platform offered and what data was really in your account? I feel like everyone commenting on this issue has no idea what was in there and if it had any value in the first place.
It's a shitty social media site cosplaying as a medical utility.
Post #AdTtX4WYjNjawKqt9M by ret2bed@infosec.exchange
2024-01-03T21:13:56Z
0 likes, 0 repeats
@feld @jomo @lorenzofb what do you mean? It states that your ancestry reports as well as additional information "including genetic variants related to health" are shared with genetic relatives if you enable the related feature.
How even the most basic ancestry information can be used in the wrong hands is not that hard to imagine.
https://www.wired.com/story/23andme-credential-stuffing-data-stolen/
And I would think the fact that it states only genetic relatives receive this kind of data would be enough to reassure users that the data was reasonably safe. Again, imo access to that feature should have been restricted to user accounts with a certain minimum level of security, including 2FA.
Post #AdTtX5U79xNBv2iRyi by feld@bikeshed.party
2024-01-03T21:23:24.735374Z
0 likes, 0 repeats
@ret2bed @jomo @lorenzofb it's not even good ancestry information. They sequenced a few of your genes and made some good guesses through statistical analysis about who your ancestors were. That's it.
The data stolen is equivalent to Mr O'Connor of Boston having a private Twitter profile someone hacked and saw the "Kiss me I'm Irish" posts, and now they know you're Irish. Congratu-fucking-lations on figuring that out. It was a real mystery.
As an attacker the most valuable information here is your social graph, so they can try to scam you by claiming to be your distant relatives. They already do that on Facebook; my mom gets messages all the time from scammers who pretend to be my childhood neighbors with their real pictures and everything. Which is crazy because the real people have real Facebook profiles, but Facebook lets these scammers get away with this crap and of course my mom falls for it, so I have to stop her from sending money to these jerks, but I digress...
23&Me tried to claim I'm like 1% Ashkenazi Jew, which is 100% false, so what are these attackers really getting anyway? They don't get your raw DNA. They get the equivalent of a palm reading from a digital fortune teller.
Post #AdTuAtO5YWzlz2sUEK by buherator@infosec.place
2024-01-03T21:25:54.257118Z
0 likes, 0 repeats
@ret2bed @feld @jomo @lorenzofb I'm genuinely curious if there is some standard risk assessment practice to take into account that compromise of n% of users would provide access to data of, say, (n^2)% of users (that function obviously doesn't work but you get the idea)?
Same question whether there are best practices for determining a threshold for "enforce MFA", or is it just "if you got breached, you definitely should've enforced it"?
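buherator's "cascading impact" question and ret2bed's suggestion of gating the relative-sharing feature on 2FA can both be put in numbers. The model below is an added example, not anything from the thread participants or 23andMe: accounts are nodes, each sees a set of "relatives", a credential-stuffing attack can only take over accounts without MFA, and we compare how much of the user base leaks when a stuffed account may use the sharing feature versus when the feature is restricted to MFA accounts. It also gives the closed form buherator was reaching for: if a fraction p of accounts is compromised and each account exposes k relatives, a non-compromised user leaks whenever any of its k relatives was hit, so the exposed fraction is p + (1-p)(1-(1-p)^k), which for large k is far closer to 1 than to p. Graph size, k, MFA adoption and the stuffed fraction are all assumed values.

```python
import random

def exposed_fraction(relatives, compromised, feature_enabled):
    """Fraction of all users whose data is readable once `compromised` accounts are taken over.
    relatives: {user: set(users)} the relatives each account can view.
    feature_enabled(user) -> bool: may that account use the relative-sharing feature at all?"""
    exposed = set(compromised)
    for acct in compromised:
        if feature_enabled(acct):
            exposed |= relatives.get(acct, set())
    return len(exposed) / len(relatives)

def expected_exposure(p, k):
    """Closed form for a random compromise of fraction p when every account exposes k relatives:
    compromised users (p) plus non-compromised users with at least one compromised relative."""
    return p + (1 - p) * (1 - (1 - p) ** k)

def simulate(n_users=5000, k=200, mfa_rate=0.3, stuffed_fraction=0.001, seed=1):
    """Random symmetric relative graph (assumed sizes). Only accounts without MFA can be stuffed.
    Returns (exposed fraction with open sharing, exposed fraction when sharing requires MFA)."""
    rng = random.Random(seed)
    users = range(n_users)
    has_mfa = {u: rng.random() < mfa_rate for u in users}
    relatives = {u: set() for u in users}
    for u in users:
        for v in rng.sample(range(n_users), k):
            if v != u:
                relatives[u].add(v)
                relatives[v].add(u)
    no_mfa = [u for u in users if not has_mfa[u]]
    compromised = rng.sample(no_mfa, max(1, int(stuffed_fraction * n_users)))
    open_sharing = exposed_fraction(relatives, compromised, lambda u: True)
    gated_on_mfa = exposed_fraction(relatives, compromised, lambda u: has_mfa[u])
    return open_sharing, gated_on_mfa

if __name__ == "__main__":
    print("0.1% stuffed, k=1000 relatives, expected leak:", round(expected_exposure(0.001, 1000), 3))
    print("simulated (open sharing, gated on MFA):", simulate())
```

With the gate in place the leak collapses to exactly the stuffed accounts, because a stuffed account by construction has no MFA and so cannot pull relatives' data.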
Post #AdTuAuj2a7Li8JgjWi by feld@bikeshed.party
2024-01-03T21:30:38.447581Z
0 likes, 0 repeats
@buherator @lorenzofb @ret2bed @jomo I'm not sure what would have been the best way to see this enforced. Obviously if you think your user data is in any way valuable and private you should be enforcing MFA. But due to the business of 23&Me I'm not certain what is really applicable to them?
If they were processing payments themselves there's PCI DSS, but I don't think that's going to be enforcing MFA; they won't even care about user accounts themselves, just how payment information is stored.
SOX2 is basically "you documented what you do and you demonstrated to our auditor that what you wrote down is true".
There may be something else but I haven't been involved in any tech audits in a long time 🤨
Post #AdTvjngaqVe6OFk6C0 by buherator@infosec.place
2024-01-03T21:43:29.276075Z
0 likes, 0 repeats
@feld @lorenzofb @ret2bed @jomo Sure, regulatory compliance most probably won't go into this detail, but if we expect companies to make the right calls it seems fair to have some pointers for them about what "right" actually means. Maybe requiring an extra special character in all passwords would've also mitigated all this, but I don't think that would've been the right way to go.
Post #AdTvjoryRgLM3q4hZQ by feld@bikeshed.party
2024-01-03T21:48:09.042732Z
0 likes, 0 repeats
@buherator @lorenzofb @ret2bed @jomo oh, well in that case we really do have pointers about what the "right" thing to do is: the NIST guidelines like 800-63B and their presentations on MFA, etc. These are basically "Public Service Announcements" about cybersecurity straight from the gov
https://pages.nist.gov/800-63-3/sp800-63b.html
https://pages.nist.gov/800-63-3/sp800-63-3.html
https://csrc.nist.gov/csrc/media/Presentations/2022/multi-factor-authentication-and-sp-800-63-digital/images-media/Federal_Cybersecurity_and_Privacy_Forum_15Feb2022_NIST_Update_Multi-Factor_Authentication_and_SP800-63_Digital_Identity_%20Guidelines.pdf
Post #AdTxRQlfW40U0TU7pg by buherator@infosec.place
2024-01-03T21:56:12.575410Z
1 likes, 0 repeats
@feld @lorenzofb @ret2bed @jomo Ahh of course, AALs! The fact that they didn't come to my mind is proof that I'm doing this holiday thing right... Thanks, this mostly settles the question, although I still find the question of "cascading impact" interesting - I'll probably read up on 800-63 again about this!
Post #AdU4Tzp4qwTGzCFXUG by Moon@shitposter.club
2024-01-03T23:26:14.605783Z
0 likes, 0 repeats
@feld @lorenzofb @jomo people who reused passwords are suing?
Post #AdU8oSL8w5h72TGAEa by feld@bikeshed.party
2024-01-04T00:14:36.701449Z
0 likes, 0 repeats
@Moon @lorenzofb @jomo yeah, AFAIK the entire data exfiltration was done with a list of hacked usernames/passwords that were from other sites, not a vulnerability in the 23&Me website
Post #AdUA0ZfZbvIzCT9rWa by Moon@shitposter.club
2024-01-04T00:28:09.973035Z
0 likes, 0 repeats
@buherator @feld @lorenzofb @ret2bed @jomo that is a business concern, not a regulatory concern, in almost all cases; it's going to be highly contextual to the value of the information and the tolerance for MFA inconvenience your customer base has.