[HN Gopher] About the March 8 and 9, 2021 Verkada camera hack
___________________________________________________________________
About the March 8 and 9, 2021 Verkada camera hack
Author : jgrahamc
Score : 55 points
Date : 2021-03-10 20:46 UTC (2 hours ago)
(HTM) web link (blog.cloudflare.com)
(TXT) w3m dump (blog.cloudflare.com)
| deft wrote:
| I love how pwned corporations can now use their loss as a
| marketing story. "We got hacked but our product saved us! Here's
| how you can get hacked and live to tell the tale too, first step
| is just Trust Us." EDIT: reading the comments here now, and CF is
| astroturfing the thread. LOL.
| stefan_ wrote:
| I guess it's really "zero trust" for everyone but the security
| cameras from a 3rd party vendor that are on a network which can
| be leveraged into _remote shell access to the cameras_. Like..
| you forgot to zero trust the cameras?
|
| Maybe before selling us on the product, try Verkada? They seem to
| have a need.
| ThePhysicist wrote:
| I mean good for them but maybe it would be even better to not
| have cloud-connected cameras in the office in the first place.
|
| Regarding their zero-trust approach to networking I'm wondering
| what they're using to secure non-HTTP services. I know they have
| a product that forwards TCP traffic but I don't think you could
| use that for arbitrary traffic between endpoints?
| yunohn wrote:
| >> cloud-connected cameras in the office
|
| While Verkada may have not been the best choice, I fail to
| understand why remote-accessible cameras are bad? In fact, I'd
| say they are crucial at the level of security & monitoring
| needed by a company like Cloudflare.
| pmlnr wrote:
| > why remote-accessible cameras are bad
|
| Because that access is not as limited as it sounds, that's
| why.
| ALittleLight wrote:
| You have to think about the trade off between not having
| remote accessible cameras versus having them. If you can
| make systems more secure by eliminating them, you can
| become very secure and simultaneously not very useful.
|
| Not having remote accessible cameras would seemingly make
| using the cameras take longer or be less efficient. In
| turn, that might make detecting or tracking physical
| intrusions less efficient and/or less successful. Should
| Cloudflare take that trade off? I think it depends on their
| threat model.
| nmldiegues wrote:
| Besides the sibling pointing to Cloudflare Access, there is
| also a new way that allows for arbitrary TCP traffic to be
| routed through Cloudflare network in a Zero Trust fashion:
| https://developers.cloudflare.com/cloudflare-one/tutorials/w...
| judge2020 wrote:
| They do have a process for securing other services behind
| Access, including arbitrary traffic and custom protocols like
| SSH, RDP, and SMB (although I'm not sure how much dogfooding is
| going on; @jgrahamc might be able to comment on that):
|
| https://developers.cloudflare.com/cloudflare-one/application...
| ggreer wrote:
| Related HN threads: https://news.ycombinator.com/item?id=26406969
| https://news.ycombinator.com/item?id=26405056
|
| Cloudflare's post doesn't mention it, but the Twitter account
| that claimed credit for the hack (and made all kinds of
| ridiculous boasts like "we could have owned half the internet")
| has been suspended.[1] Before that the owner of the account
| posted plenty of personal information, including selfies.[2] A
| Mastodon instance is where they're posting stuff now.[3]
|
| It really seems like this person is mentally ill and it's only a
| matter of time before they get in trouble with law enforcement. I
| mean, it's standard opsec to avoid posting your mailing address
| on your l33t h4x0r account.[4] I realize the address is a PO box,
| but this is practically begging the authorities to intervene.
|
| 1. https://twitter.com/nyancrimew
|
| 2. https://archive.is/8IJ8G
|
| 3. https://notbird.site/@deletescape
|
| 4. https://notbird.site/@deletescape/105548475573915843
| didibus wrote:
| > The fact that the attacker had access to a machine inside the
| corporate network is no better than the kind of access they'd
| have had if they'd connected to our corporate WiFi network.
|
| I appreciate that they have a zero trust model, but arguably,
| once you have access to the network, you are one step closer to
| using any zero-day to get further inside.
|
| It's good on Cloudflare that they had security beyond that which
| protected their customers, but it is still very bad for Verkada
| and Cloudflare needs to decide if they are okay continuing with a
| camera setup that can provide easy access to hackers to their
| corporate network or not, and that wasn't touched upon in the
| article unfortunately.
| tedunangst wrote:
| Rule of thumb for claim evaluation: if it's not necessary to
| elaborate or speculate about something, it's not necessary to
| announce it either.
___________________________________________________________________
(page generated 2021-03-10 23:01 UTC)