“Whether you’re a designer, coder or non-technical participant, you identify yourself in Slack so everyone understands exactly where to find each skill,” Nouri says. They also leveraged the Donut app for Slack to introduce possible teammates and schedule virtual coffees. This Slack-driven strategy led to diverse groups, giving the hackathon a competitive advantage that brought higher quality outcomes for each challenge. In addition to setting a foundation for success prior to the event, Slack channels kept things organised and running smoothly during the hackathon, including: “It’s not uncommon to have a team of business analysts and designers who come up with an amazing idea.” Saving time and encouraging creativity with Slack “It’s very important in hackathons to have team diversity,” Nouri says.#ask-a-mentor, open for anyone to ask questions.The same threat actor targeted 136 other companies. That was the case with the August breach of security provider Twilio. Threat actors frequently hack one company and use the data or access they obtain to breach that company's customers or partners. The Internet relies on a massive ecosystem of content delivery networks, authentication services, software development tool makers, and other companies. It’s possible, too, that some or all of these breaches are related. It wouldn’t be surprising if Slack or CircleCI updated its advisories to disclose further access to customer data or more sensitive parts of their networks. Remember the LastPass advisory from August? It, too, used the opaque phrase “security incident” and said “no customer data was accessed,” only to reveal the true extent on the last major business day of 2022. The advisory stresses that its customers weren’t affected and that “the threat actor did not access other areas of Slack’s environment, including the production environment, and they did not access other Slack resources or customer data.”Ĭustomers should take the statement with a generous helping of brine. From there, the intruders downloaded private code repositories. Adding to the lack of forthrightness: The company embedded the HTML tag in the post in an attempt to prevent search engines from indexing the alert.Īfter obtaining the Slack employee tokens, the threat actor misused them to gain access to the company’s external GitHub account. Like the CircleCI disclosure, the Slack alert also steers clear of concrete language and instead uses the passive phrase “were stolen and misused” without saying how. It’s clear Slack wasn’t in a hurry for the event to become widely known. It’s dated December 31, but the Internet Archives didn’t see it until Thursday, five days later. Slack’s advisory, meanwhile, is similarly opaque. That’s plenty of time to collect an unimaginable amount of some of the industry’s most sensitive data. Taking the statements together, it’s not a stretch to suspect threat actors were active inside CircleCI’s systems for two weeks. Exhibit B: the advice that customers check internal logs for unauthorized access between December 21 and January 4. Exhibit A is the statement: “At this point, we are confident that there are no unauthorized actors active in our systems,” suggesting that network intruders were active earlier. Its advisory never used the words “breach,” “compromise,” or “intrusion,” but that’s almost certainly what happened. A lack of transparencyĬircleCI is still tight-lipped about precisely what happened. The potential exposure of all those secrets-which could be login credentials, access tokens, and who knows what else-could prove disastrous for the security of the entire Internet. The alert also informed customers that it had invalidated their Project API tokens, an event requiring them to go through the hassle of replacing them.ĬircleCI says it’s used by more than 1 million developers in support of 30,000 organizations and runs nearly 1 million daily jobs. On Wednesday evening, the company reported a “security incident” that prompted it to advise customers to rotate “all secrets” they store on the service. The most concerning of the two new breaches is the one hitting CircleCI. It’s not clear if all three breaches are related, but that’s certainly a possibility. Further Reading LastPass users: Your info and password vault data are now in hackers’ handsThe compromises-in Slack’s case, the theft of employee token credentials and for CircleCI, the possible exposure of all customer secrets it stores-come two weeks after password manager LastPass disclosed its own security failure: the theft of customers’ password vaults containing sensitive data in both encrypted and clear text form.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |