This might be the biggest hack ever...
- Published: 11 Jul 2024
- The AT&T hack is terrifying. Snowflake being the cause is even MORE terrifying. 110 million or more were compromised.
SOURCES
techcrunch.com/2024/07/12/att...
Ty Ph4se0n3 for the edit!
Not sure why the government is concerned at all… “it’s just the metadata” right? That’s what they claim is no biggie to store
They're concerned we'll realize what they can do with metadata.
If, like Theo said, it is the call logs and each number can be uniquely identified, it's a massive leak. It would be possible to build a network of connected numbers.
This type of linking is exactly what social networks do, and is the reason Meta (Facebook) doesn't charge for WhatsApp.
It is such valuable data in the right hands
I'm just happy the Feds are being more EU-like and actually defending our data rights.
You must all be criminals… otherwise you’ve got nothing to worry about?
@NithinJune Is that what you think they are doing, protecting our rights? No, they are defending AT&T metadata that they charge for; they stole revenue from AT&T. The same data they sell to the government.
Kevin Fang will have a field day. A Roblox outage video just dropped and now an AT&T hack? As Modern Vintage Gamer would say: "Mistakes were made"
"Data Warehouses were a mistake"
-Everyone in AI
It's insane that that sort of data wasn't at least 2FA'd and locked to specific IP addresses for access, and that an individual user was allowed to pull all the raw data.
I run a site that allows businesses to store a lot of privacy-sensitive information. It is my experience that most users hate 2FA, and using it leads to more support interactions. For the last couple of years we have enforced the use of 2FA, but it has been a real struggle. Users simply don't understand the risks, or don't care.
We also allow users to lock their IP, but hardly anyone uses this option. We don't even require users to understand what an IP address is, for them to use it.
We also have a permissions system, and that seems to work somewhat better at preventing users from getting too much power, like exporting bulk data. We use job descriptions to set these permissions and I think that users are sensitive to the status that these jobs descriptions imply: "I'm a manager, but I'll let you just be a sales rep.". There's a clear hierarchy, and that helps.
@user-np8oz3zh1s A lot of that gets much simpler if you just require password manager usage; it lets you use one-time login codes for most stuff. Passkeys could be an option too. For the IPs, what I meant was that there should be a whitelist of IPs from which the server allows connections, such that it is impossible to connect from outside your own corporate network, which drastically increases the difficulty of a compromise. Obviously you can have a continuum here: someone looking at a few reports might not need much by way of security, but someone who could, as in this case, export the entire corporate database absolutely should be required to have a physical passkey, and if they are not able to use one I'd argue they shouldn't have access to the entire corporate database.
You are right though, different permissions require different security levels.
@user-np8oz3zh1s Your use case may make sense, but for a cloud service provider whose users are supposed to be technical, using 2FA or other more advanced methods should be a requirement.
GiB = Gibibyte and TiB = Tebibyte, not the same as Gigabyte and Terabyte.
The question is why do we tolerate storing this information forever?
Because most of us are sedated by modern life with video games, pron, endless online entertainment, and of course drugs.
AT&T has been showing they have a terrible understanding of security. It's been breach after breach.
Not forcing your employees to utilize strong passwords and/or MFA is just beyond wild to me.
As you've said, they'll likely go after the employee, but in all honesty they should strengthen their security protocols and SOPs, because this will just continue to happen.
People saying "2FA! 2FA! Password, password!": just know that 99.5% of the things do have proper protection; it's that sneaky 0.05% that doesn't have protection. You protect 2000 endpoints properly, but it only takes 1 to mess you over.
In this day and age, with 2FA available, passcodes etc., these companies should be held legally liable for these data breaches for not enforcing proper security protocols, and jail time is required imo for being negligent, vs. just a slap on the wrist with fines. I've seen other articles, like from Bloomberg, saying these breaches undermine national security. If you're storing sensitive data for millions of people, you are 100% responsible for protecting and securing it.
Honestly, if you didn't have general 2fa, I would at least expect a second level of authentication enforced for data exports...
In one of my recent projects, if you are logged in as admin, you don't have actual admin access until you re-enter your password to elevate your session, at which point it expires after 5 minutes of inactivity.
That way at least session hijacking is reduced to a minimum...
For other commenters, this is referred to as JIT elevation or JIT provisioning aka Just In Time
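The elevation flow described in the comments above (admin power only after re-entering the password, dropped again after five idle minutes) and the earlier reply's demand that bulk export be limited to the corporate network and a hardware second factor, as one added example. This is illustrative code written for this page, not anything from the video, from Snowflake or from any commenter; the class and function names (User, Session, elevate, authorize_export), the allowlisted networks and the passwords are all made up.

```python
"""Just-in-time elevation gating a bulk-export action (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ELEVATION_IDLE_SECONDS = 5 * 60                       # "expires after 5 minutes of inactivity"
CORP_NETWORKS = [ip_network("10.20.0.0/16"),          # assumed corporate ranges (constructed)
                 ip_network("203.0.113.0/24")]


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class User:
    name: str
    role: str
    salt: bytes
    pw_hash: bytes
    has_hardware_key: bool = False        # enrolled a physical authenticator

    @classmethod
    def create(cls, name: str, role: str, password: str, has_hardware_key: bool = False) -> "User":
        salt = os.urandom(16)
        return cls(name, role, salt, _hash_password(password, salt), has_hardware_key)


@dataclass
class Session:
    user: User
    elevated_until: Optional[float] = None   # None: ordinary session, no admin power at all


def elevate(session: Session, password: str, now: float) -> bool:
    """Re-authenticate to unlock admin power for ELEVATION_IDLE_SECONDS."""
    u = session.user
    if u.role != "admin":
        return False
    if not hmac.compare_digest(_hash_password(password, u.salt), u.pw_hash):
        return False
    session.elevated_until = now + ELEVATION_IDLE_SECONDS
    return True


def is_elevated(session: Session, now: float) -> bool:
    """True while the idle window is open; each use of the elevated state extends it."""
    if session.elevated_until is None or now > session.elevated_until:
        session.elevated_until = None          # expired: drop back to an ordinary session
        return False
    session.elevated_until = now + ELEVATION_IDLE_SECONDS
    return True


def authorize_export(session: Session, now: float, client_ip: str, hw_mfa_ok: bool) -> Tuple[bool, str]:
    """Gate for 'export the whole database': elevation, corporate IP, hardware second factor."""
    if not is_elevated(session, now):
        return False, "session not elevated (re-enter password)"
    if not any(ip_address(client_ip) in net for net in CORP_NETWORKS):
        return False, "source %s is outside the corporate allowlist" % client_ip
    if not (session.user.has_hardware_key and hw_mfa_ok):
        return False, "bulk export requires a hardware second factor"
    return True, "ok"
```

A stolen session cookie alone buys nothing here: without the password the session never elevates, without a corporate source address the export is refused, and an admin who has not enrolled a hardware key cannot export at all, which is the tiering the reply above argues for.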
This is about leaked service account keys, which typically don't have a second factor, because they are used by machines that need to access the platform on a daily basis.
What is lacking in these systems is a way to automatically refresh these keys so that any leaked keys can no longer be abused.
This isn't caused by folks leaking their personal creds.
The issue here for Snowflake is that it recently happened at the end of May 2024, and at that time it was already one of the largest data breaches ever. To have another such breach less than two months after is really not good.
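The automatic key refresh the comment above asks for, as an added example (not code from the video, from Snowflake or from the commenter). Machine credentials get a fixed lifetime, rotation issues a fresh key while the old one survives only through a short grace window so running jobs can switch over, revocation is immediate for a confirmed leak, and a scheduler can ask which accounts are due. The KeyStore class, its method names and the 24-hour/15-minute policy values are assumptions made for the example.

```python
"""Lifetime-bounded service-account keys with rotation and grace period (added example)."""
import hashlib
import secrets
from typing import Dict, List, Optional

KEY_LIFETIME = 24 * 3600      # assumed policy: every machine key dies within a day
GRACE_PERIOD = 15 * 60        # assumed: old key still accepted 15 min after rotation


def _fingerprint(secret: str) -> str:
    # Only a hash of the secret is stored, so a dump of the store is not a dump of live keys.
    return hashlib.sha256(secret.encode()).hexdigest()


class KeyStore:
    def __init__(self) -> None:
        # fingerprint -> {"account": str, "expires": float, "revoked": bool}
        self._keys: Dict[str, dict] = {}

    def issue(self, account: str, now: float) -> str:
        secret = secrets.token_urlsafe(32)
        self._keys[_fingerprint(secret)] = {"account": account,
                                            "expires": now + KEY_LIFETIME,
                                            "revoked": False}
        return secret

    def rotate(self, account: str, now: float) -> str:
        """Issue a new key; every older live key for the account now ends at the grace deadline."""
        for meta in self._keys.values():
            if meta["account"] == account and not meta["revoked"]:
                meta["expires"] = min(meta["expires"], now + GRACE_PERIOD)
        return self.issue(account, now)

    def revoke_all(self, account: str) -> None:
        """Leak response: no grace period, everything for the account stops working now."""
        for meta in self._keys.values():
            if meta["account"] == account:
                meta["revoked"] = True

    def verify(self, secret: str, now: float) -> Optional[str]:
        """Return the account name for a live key, None for unknown, expired or revoked keys."""
        meta = self._keys.get(_fingerprint(secret))
        if meta is None or meta["revoked"] or now >= meta["expires"]:
            return None
        return meta["account"]

    def due_for_rotation(self, now: float, lead: float = 3600) -> List[str]:
        """Accounts whose newest live key expires within `lead` seconds (for a rotation job)."""
        newest: Dict[str, float] = {}
        for meta in self._keys.values():
            if not meta["revoked"]:
                acct = meta["account"]
                newest[acct] = max(newest.get(acct, 0.0), meta["expires"])
        return sorted(acct for acct, exp in newest.items() if exp - now <= lead)
```

The important property is that a key copied out of a config file or a CI log is worthless after at most KEY_LIFETIME seconds even if nobody notices the leak, and worthless immediately once someone does.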
Just shows how important 2FA is, especially in today's age...
If you're an AT&T customer, be extra wary of numbers you don't recognize. Also keep an eye out for communications from AT&T to learn more about what they may be offering to customers impacted by the breach.
I hate businesses naming themselves with technology.
Like, aight, my next company, for DNS, will just be called Router, or LLM, or just flat-out REACT Inc.?
Damn, your content quality is top notch. I thought this video had millions of views until I saw it had like thousands.
Aside from the account being breached, why did the system allow data to be exported out to the public internet?
These big companies keep cutting corners to save costs with these third-party vendors, and the government is letting them do this shit.
*Battened down, not buttoned down.
Love your vids, Theo. I watch you most, if not every, day. The use of words like terrified and scary is starting to get to be a lot. This one is kinda scary, but in some other cases it feels a bit too much like the fear mongering that the TV "news" networks use.
Anyway, just my opinion. Thanks for the good content man!
well now its something else...
Hopefully they won't be fined too much for it 😂
I don't think you will have to worry about that.
Haha
why tf are they even keeping these records in the first place?
Wow, I like that t-shirt.
I'm wondering how Snowflake does not recognize an unknown IP or location the user is logging in from.
Wait, AWS has two-factor authentication.
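The check the comment above is asking about, as an added example written for this page (not from the video, from Snowflake or from the commenter): a detection pass over login records that flags a successful login from a network the account has never been seen on, or one completed without a second factor. The records are constructed and shaped like the fields a login-history export usually carries (user, timestamp, client IP, first and second authentication factor, success flag); the account names, IP ranges and the per-user baseline are made up for the example.

```python
"""Flag new-network and no-second-factor logins over constructed login history (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed login records, oldest first. Field names mirror the usual login-history columns.
LOGIN_EVENTS = [
    {"user": "DATA_ENG",   "ts": "2024-04-01T09:00:00", "ip": "10.20.4.11",    "first": "PASSWORD",    "second": "DUO_PUSH", "ok": True},
    {"user": "DATA_ENG",   "ts": "2024-04-02T09:05:00", "ip": "10.20.4.12",    "first": "PASSWORD",    "second": "DUO_PUSH", "ok": True},
    {"user": "SVC_EXPORT", "ts": "2024-04-02T01:00:00", "ip": "203.0.113.7",   "first": "RSA_KEYPAIR", "second": None,       "ok": True},
    {"user": "DATA_ENG",   "ts": "2024-04-14T03:12:00", "ip": "198.51.100.23", "first": "PASSWORD",    "second": None,       "ok": True},
    {"user": "DATA_ENG",   "ts": "2024-04-14T03:13:00", "ip": "198.51.100.23", "first": "PASSWORD",    "second": None,       "ok": False},
    {"user": "SVC_EXPORT", "ts": "2024-04-15T22:40:00", "ip": "192.0.2.55",    "first": "RSA_KEYPAIR", "second": None,       "ok": True},
]

# Networks each account is expected to come from (constructed; in practice built from past history
# or from the network policy you actually enforce).
BASELINE = {
    "DATA_ENG":   [ip_network("10.20.0.0/16")],
    "SVC_EXPORT": [ip_network("203.0.113.0/24")],
}
# Machine accounts authenticate with a key pair and are not expected to present a second factor,
# so for them the new-network signal is the one that matters.
SERVICE_ACCOUNTS = {"SVC_EXPORT"}

Finding = Tuple[str, str, str, List[str]]   # (user, timestamp, ip, reasons)


def in_baseline(user: str, ip: str) -> bool:
    return any(ip_address(ip) in net for net in BASELINE.get(user, []))


def analyze(events: List[dict]) -> List[Finding]:
    """Return one finding per successful login that is off-baseline or lacks a second factor."""
    findings: List[Finding] = []
    for e in events:
        if not e["ok"]:
            continue                      # failed attempts belong to brute-force detection, not here
        reasons = []
        if not in_baseline(e["user"], e["ip"]):
            reasons.append("new network")
        if e["second"] is None and e["user"] not in SERVICE_ACCOUNTS:
            reasons.append("no second factor")
        if reasons:
            findings.append((e["user"], e["ts"], e["ip"], reasons))
    return findings


def users_never_using_mfa(events: List[dict]) -> List[str]:
    """Interactive accounts whose every successful login in the window lacked a second factor."""
    seen: Dict[str, set] = defaultdict(set)
    for e in events:
        if e["ok"] and e["user"] not in SERVICE_ACCOUNTS:
            seen[e["user"]].add(e["second"] is not None)
    return sorted(u for u, factors in seen.items() if factors == {False})
```

On the constructed data the first finding is the interesting one: a password-only login for a human account from a network it has never used, which is the shape of a stolen-credential login; the service-account hit shows why machine keys need the new-network signal rather than an MFA check.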
"6 views, bro fell off"
it posted 2mins ago lol
On a Saturday...
you look five years younger on your days off
Let me guess... They didn't have 2FA set up. (EDIT: I should finish the video before I comment. My bad.)
Was it the attack of the Pokémon fans again?
TL;DW: don't use Snowflake
I literally just finished an event at their local office. Funny...
It’s not solely snakeflow’s fault. It’s mainly AT&T’s fault
TL;DR: use SSO, Okta or Duo with Snowflake, always.
Theo, being a web app dev, please bring your head out of your arse. In AWS too, losing an API key is enough to get access to S3.
I find the "I don't expect you to know what Snowflake is" attitude from app developers very weird. Snowflake is an industry-standard DW, and used in small-to-medium businesses as well as megacorps.
Well, there are people interested in cybersecurity who don't work with big data and cloud services.
Is this a commercial for AWS? You should host at home on a local network before going cloud provider.
Yeah, this is terrible that a whole DB can be accessed by one account without MFA set up, but I fear more a world where I have to sit at a computer and press my YubiKey for each layer of required MFA that underlying services depend on. MFA exists in spite of JWT, so we cannot simply reduce a potential MFA authentication chain to a single authentication. MFA is based on distrust of outside credentials. If you remove the option to automate, then the computer becomes pen & paper. I'm against mandated MFA without having a super MFA that authenticates multiple layers of MFA.