Cloud company has been hacked. It services major companies like Santander, Ticket master and many, many more.

It's about time MFA is made mandatory and company directors are forced to have mandatory insurance for data breaches in place.

Let's stop shutting the stable door after the herd of horses are out of the stable, through the paddock and onto the M1!
 
It's about time MFA is made mandatory and company directors are forced to have mandatory insurance for data breaches in place.

Let's stop shutting the stable door after the herd of horses are out of the stable, through the paddock and onto the M1!
Not necessary across the board. For instance, compulsory 2FA for Fun would be overkill. But for the admin account, OK.

Really for large services all staff should be forced to use 2FA. Google and Microsoft did it and in both cases their incidence of breaches collapsed overnight.

This article from 2018 was when I finally committed to YubiKeys. As usual with Krebs, a very interesting read.

 
Not necessary across the board. For instance, compulsory 2FA for Fun would be overkill. But for the admin account, OK.

Really for large services all staff should be forced to use 2FA. Google and Microsoft did it and in both cases their incidence of breaches collapsed overnight.

This article from 2018 was when I finally committed to YubiKeys. As usual with Krebs, a very interesting read.

I know you talk frequently about YubiKeys and wonder what you think would be an appropriate "personal" key and where it is available from?
 
I know you talk frequently about YubiKeys and wonder what you think would be an appropriate "personal" key and where it is available from?
Any of them that would work for the devices you have.
Even the basic one does the 2FA stuff.

But you need to choose one based on USB-A or USB-C? NFC or not? etc.

I know this may make you throw your hands in the air and give up. But it is worth figuring out and you only have to do it once.


My personal choice now would be to buy a USB-C one with NFC.
I would buy a USB-A to USB-C adapter. This way I would have the most options covered.


After my mum recently got hacked, she has now bought a YubiKey and loves the simplicity. Although registering it with services is a pain at times, she loves the fact that she just touches it and she is in. And it has removed the fear of being hacked again.
 
Oh, and people are saying the cloud company wasn't hacked, and they are not to blame.

They didn't enforce two-factor auth for admin or dev accounts. That makes them complicit in my opinion.

Fire the CISO immediately! Most of them are ‘kin useless!
 
After my mum recently got hacked, she has now bought a YubiKey and loves the simplicity. Although registering it with services is a pain at times, she loves the fact that she just touches it and she is in. And it has removed the fear of being hacked again.
TBH my advice is to buy 2 YubiKeys, register BOTH with all cloud providers and then if you lose one it's no issue; the other is in the safe.

I'm a complex one though, as we also have old school PGP (well, GPG, but PGP is what everyone calls them) keys on the YubiKey for code-related signing activity, with those keys only existing on YubiKeys, so it needs insertion for ANY code operation on GitHub. That is overcomplex to set up, to be honest, but it does make my code repositories and GitHub completely bulletproof. This paragraph limits which YubiKeys I can use personally to the more expensive one.

I have two of the YubiKey 4 NFC models myself (USB-A) as at the moment I only have a single laptop with USB-C. I suspect I'll swap for 2 USB-C models at the time I get a new laptop with USB-C ports (unlike many IT people I don't use a Mac).
 
TBH my advice is to buy 2 YubiKeys, register BOTH with all cloud providers and then if you lose one it's no issue; the other is in the safe.
Excellent advice. You can have a cheap one for the backup though.

 
Fire the CISO immediately! Most of them are ‘kin useless!
TBH I think this is harsh. Even in banks there is a backdoor account in most cases without 2FA, to be used in case 2FA is broken. Microsoft have done this many times in the last year, and their geo-fencing has also broken.

Clear guidance from regulators is you need one backdoor like the above in a vault somewhere, precisely so you can (timely) fix 2FA issues when it breaks. You usually have to exempt it from geo-fencing for the same reason, as you clearly need to fix geo-fencing if for a few hours Microsoft detects all your staff from, say, India in their error... (I can't remember the country, but they literally impossible-travellered an entire client's tenant a few months ago, making the backdoor to turn off impossible traveller detection vital in that case.)
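Pulling together the two controls the thread lands on (2FA enforced for admin and dev accounts, two registered keys per person so a lost key is no issue, and a single documented break-glass account exempt from 2FA), here is an added audit script that is not from the thread or any vendor. It runs over a constructed directory export and constructed sign-in events; the account names, roles and addresses are sample values. It flags privileged accounts without MFA, users with only one security key registered, and any sign-in attempt against the break-glass account, which should only ever happen during a declared incident.

```python
"""Audit constructed directory and sign-in data for the controls discussed above.
Accounts, roles, IPs and timestamps are sample values, not from a real tenant."""
from dataclasses import dataclass


@dataclass
class Account:
    name: str
    roles: set
    mfa_enabled: bool
    security_keys: int = 0  # number of registered hardware keys


# Constructed sample directory; "breakglass" is the one documented exception.
ACCOUNTS = [
    Account("alice", {"admin"}, True, security_keys=2),
    Account("bob", {"dev"}, False, security_keys=0),
    Account("carol", {"user"}, True, security_keys=1),
    Account("dave", {"admin", "dev"}, True, security_keys=1),
    Account("breakglass", {"admin"}, False),
]
BREAK_GLASS = {"breakglass"}        # names exempt from MFA by written policy
PRIVILEGED = {"admin", "dev"}       # roles that must have MFA


def audit(accounts, break_glass=BREAK_GLASS):
    """Return (account, finding) pairs; an empty list means the policy holds."""
    findings = []
    for a in accounts:
        if a.name in break_glass:
            continue  # exempt from the MFA rule, but every use is alerted below
        if a.roles & PRIVILEGED and not a.mfa_enabled:
            findings.append((a.name, "privileged account without MFA"))
        if a.security_keys == 1:
            findings.append((a.name, "only one security key registered, no backup"))
    return findings


def break_glass_attempts(events, break_glass=BREAK_GLASS):
    """Every attempt on a break-glass account, successful or not, is an alert."""
    return [e for e in events if e["user"] in break_glass]


# Constructed sign-in events (sample timestamps and documentation-range IPs).
EVENTS = [
    {"time": "2024-06-01T08:00:00Z", "user": "alice", "ip": "198.51.100.7", "result": "success"},
    {"time": "2024-06-01T08:05:00Z", "user": "breakglass", "ip": "198.51.100.7", "result": "failure"},
    {"time": "2024-06-01T08:06:00Z", "user": "breakglass", "ip": "198.51.100.7", "result": "success"},
]

if __name__ == "__main__":
    for name, msg in audit(ACCOUNTS):
        print(f"FINDING {name}: {msg}")
    for e in break_glass_attempts(EVENTS):
        print(f"ALERT break-glass {e['result']} {e['time']} from {e['ip']}")
```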
 