One of the key things to consider when you are recovering from a security incident is your response.
Some are good, some not so. Occasionally a company might issue a statement to acknowledge the incident and say that they are investigating, while others might say that they had no comment on the issue.
As a member of the press, what is always best is a detailed response to what happened. However if the European Commission has its way with 24-hour breach reporting legislation, the days of a detailed investigation and response may be fast approaching.
One incident and response that caught my eye was by managed service provider CloudFlare, whose blog detailed an attack on a customer's account. The attacker changed their DNS records and eventually accessed the CloudFlare.com email addresses, which run on Google Apps.
The blog post, published at the start of June by CEO Matthew Prince, said that CloudFlare was ‘still working with Google to investigate the details', and he suspected that a flaw in Google Apps may have been the cause. He said that CloudFlare wanted to highlight the issue ‘to make people aware that they too may be vulnerable to similar attacks'.
The details specify when the attack began and how it happened - the attacker convinced Google's account recovery systems to add a fraudulent recovery email address to the personal Gmail account – and how it could not have been a brute-force password attack.
In terms of Google Apps, Prince said that once the attacker had access to his CloudFlare.com email account, they were able to access the Google Apps administrative panel and target a particular customer and initiate a password reset request for the customer's CloudFlare.com account.
“We sent a copy of these requests to an administrative email account for debugging purposes and, ironically, to watch for invalid password reset requests. The hacker was able to access this account in Google Apps and verify the password reset. At that point, the attacker was able to log into the customer's CloudFlare account and change DNS settings to temporarily redirect the site,” he said.
Prince said that working with Google, the company was able to regain control of the Google Apps accounts, his personal Gmail account and his CloudFlare.com account and revert the change to the customer's account. After manually reviewing all other password reset requests and DNS changes it ensured that there were no other CloudFlare.com accounts that were accessed or altered.
You may think that this is a standard exercise, but Prince was open about the operation to ensure that all areas were covered and reassured users that CloudFlare has left no stone unturned.
While Prince said he was unsure how the ‘hacker was able to bypass Google's two-factor authentication on CloudFlare.com email addresses', he did admit that this was troubling, as this should have prevented the attack and later updates. Working with Google, CloudFlare found a flaw in account recovery flow and discovered that customers' API keys were present in email accounts.
He also brought in a new factor – a breach of AT&T's systems that compromised the out-of-band verification that revealed that if an attacker knows your phone number and your phone number is listed as a possible recovery method for your Google account then, at best, your Google account may only be as secure as your voicemail PIN.
He said: “In this case, we believe AT&T was compromised, potentially through social engineering of their support staff, allowing the hacker to bypass even the security of the PIN. We have removed all phone numbers as authorised Google account recovery methods.”
Through the various updates, Prince detailed the investigation as it was ongoing, with information on how the attack occurred, how customers could be impacted (probably most important) and how Google and AT&T were investigating and fixing systems as they went along.
So am I saying that all responses should be as in-depth as this? The fact is that this is not always possible, as sometimes sensitivity has to be a factor and for anyone in the public or financial sectors, there are compliance issues to meet before you speak publicly.
However giving a detailed breakdown of what happened, how it happened and what you (or third parties) have done to ensure it doesn't happen again can go a long way to reassuring customers and us in the press about your security stance.