I applaud the fast response, especially contacting a security engineer to be removed from the GitHub organization. One particular bit stuck out to me.<p>><i>In this instance, though, the attack vector was DNS. My account at the not-so-incredibly-common DNSimple.com did not use a highly secure password. I didn’t think it was necessary, as in my mind, the only reason that the security of an account like that would be at risk would be if I was the explicit target of an attack. Once again, I thought to myself “That’s something that only happens to other people”.</i><p>Kenneth used a randomly generated password and two-factor authentication on his GitHub account, which is great! But on DNSimple he made the decision to forego better security because it seemed unlikely to be a target.<p>It is not enough to use <i>some</i> strong passwords for the things you <i>think</i> are sensitive. Every weak password is a weak link in your total identity chain.<p>The best way to use a password manager is to never give yourself authority to make passwords unless they are randomly generated. Even if the site or account in question appears innocuous or insignificant, even if it does not allow you to make a password of your manager's default strength, <i>commit yourself to going through this process 100% of the time.</i><p>Yes, it's a usability pain to constantly use a browser extension to log in. But that pain is nothing compared to the stress of a compromise or targeted attack.<p>Until password management or authentication are substantially overhauled on the web, the most optimal solution for protecting yourself is constant, militant vigilance with passwords. I don't know any of my passwords at all, and what's more, I even have randomly generated answers to security questions.<p>Also, where possible, use two-factor authentication. You can use SMS, Authy, Google Authenticator, a Yubikey, whatever. Just turn the damn thing on and use it if it's available to you.
Good on Kenneth for being quick on the draw. I love 'requests'.<p>If you're a developer of a popular open-source project, this should serve as a warning to make sure you have multi-factor authentication on, yes, but it's even better to learn from this and come up with incident response plans with your core maintainer base. Ask among yourselves:<p>1. Do we have the ability to detect an overt breach like this one?<p>2. Do we have the ability to detect a covert breach (e.g. are our builds reproducible, auditable? Are our binaries signed? Do we know who our committers are?)<p>3. Do we have a consistent way to message users of the project of the compromise?<p>4. Do we have a way to deprecate/mark as tainted compromised versions of our module/package/application?<p>GitHub offers some technology to help in this regard. Sign your release tags, at a minimum [1]; sign your commits with developer keys if you're paranoid. [2]<p>As FOSS becomes more used in the enterprise, I suspect these attacks will become less of a rarity.<p>[1] <a href="https://news.ycombinator.com/item?id=11494997" rel="nofollow">https://news.ycombinator.com/item?id=11494997</a><p>[2] <a href="https://help.github.com/articles/signing-commits-using-gpg/" rel="nofollow">https://help.github.com/articles/signing-commits-using-gpg/</a>
It's odd not to examine the "contacted a friend at GitHub" part. On the one hand, it's all too common to see this as the only escalation path at a modern tech company. On the other hand, at companies without strong internal controls, it raises the question of how to authenticate yourself to the friend at the company - especially in what the author describes as a stressful 10 minutes.<p>We know from postmortems that the error-handling code tends to be among the least-tested parts of a codebase, which leads to cascading failure. I wonder if an even wilier attacker could have leveraged the analogous failure here.
Oh boy another plug for 2FA. I won't deny the obvious security advantages it confers, but that well has been poisoned a long time ago.<p>Call me paranoid, but I have a hard time seeing the push for 2FA as anything other than a plot to collect valuable user data. As with most any good lie, it's mostly true -- 2FA <i>does</i> improve security -- but what happens when a company goes bankrupt and sells off its assets?<p>Moreover, I can't help but to question the actual <i>necessity</i> of this security feature. The OP's mess could have been avoided if he'd ... you know ... <i>systematically</i> chosen secure passwords.<p>>Turn on two-factor authentication. Right now.<p>I'll pass, thanks.<p>P.S.: thanks for Requests!
Kenneth should repeat N's big takeaway:<p>• Avoid using custom DNS emails (e.g. yourname@yourdomain.com) for any login purposes. It basically opens you up for these kinds of attacks (where a hacker breaks into your domain name account and forwards your custom email to his own).<p>Read N's story at <a href="https://medium.com/@N/how-i-lost-my-50-000-twitter-username-24eb09e026dd#.ler9o3cmg" rel="nofollow">https://medium.com/@N/how-i-lost-my-50-000-twitter-username-...</a>
Some domain registrars/DNS management services support multi-factor authentication. If yours does not, you should migrate to one that does.<p>DNS is the foundation upon which everything else is built. And, it's been my experience that DNS and email attacks are very common.<p>If an attacker can compromise DNS and email, then they can compromise all the higher-level services that send password resets by email (twitter, github, facebook, whatever).
It'd be nice if you could flip a setting on GitHub so that password-reset emails are encrypted with a GPG key. They already have an interface for uploading GPG keys.
Thanks for sharing your story Kenneth. Unfortunately it will be a common one... Maintainers of open source projects will be increasingly targeted by sophisticated hacking teams, sometimes government funded. They will often win but the best thing you can do for yourself and your users is to practice good security hygiene and this story is a perfect example why. Strong random passwords everywhere (no repeated passwords) and 2-factor auth should be the minimum. Thankfully there are plenty of free apps out there that help you manage this process. Nobody can have perfect security but you can easily raise the bar high enough to force an attacker to move elsewhere. Also the OP's password was most likely taken from the recently leaked LinkedIn breach (educated guess).
GitHub authors - Sign your commits and tags with a PGP signature.
<a href="https://help.github.com/articles/signing-commits-using-gpg/" rel="nofollow">https://help.github.com/articles/signing-commits-using-gpg/</a><p>It doesn't look like the authors/contributors of requests are using GitHub signed commits either.
Kind of related, does anyone know if it's possible to mandate two factor auth across a github organisation? I know you can see if it's enabled on your users list but that's a bit arduous. Seems like any one user not having 2fa enabled would be the weakest link otherwise.
Looking at the two best guesses: a reasonable assumption, <i>if</i> the Certifi bundle was in fact the target of this attack, is that <i>some consumer of that bundle</i> is the true target of this attack.<p>(Incidentally: I'm not familiar with what the Certifi bundle <i>is</i>, and some quick DDGing didn't turn it up.)<p>As a recent convo I'd had here on HN turned up, <i>key management is a crucial element of PKI</i>, which includes not only SSH and PGP, <i>but the CA-based measures</i>: SSL and TLS.<p>Your web link is only as secure as the least-paranoid developer's MX registrations in your entire development toolchain.
Yes, you should enable two-factor authentication for all your important accounts. My iCloud account was compromised two months ago, after that I turned on two-factor auth for all my important accounts.
Does anyone know the Twitter handle in question? I'm curious to read about that incident.<p>(edit: Oops, I guess I didn't realize the bold were hyperlinks in the article. Thanks for the pointer.)
Is it possible to enforce two-factor authentication for all developers with merge rights on github?<p>Also is it possible to check if someone has 2-factor authentication?
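The two questions above (and the earlier one about mandating 2FA across an organisation) can both be answered from GitHub's REST API: the org object exposes `two_factor_requirement_enabled`, and the members endpoint accepts `filter=2fa_disabled`. The script below is an added example, not code from the thread or from the requests project; it assumes an org owner's personal access token and uses only the standard library.

```python
"""Audit a GitHub organisation's two-factor status via the REST API (example)."""
import json
import urllib.request

API = "https://api.github.com"


def fetch_json(url, token):
    # Assumes a personal access token held by an org owner; non-owners
    # cannot see other members' 2FA state.
    req = urllib.request.Request(url, headers={
        "Authorization": f"token {token}",
        "Accept": "application/vnd.github+json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def members_without_2fa(org, token):
    """Members who have not enabled 2FA. For orgs with more than 100
    members, follow the Link header to fetch further pages."""
    url = f"{API}/orgs/{org}/members?filter=2fa_disabled&per_page=100"
    return fetch_json(url, token)


def org_info(org, token):
    """Org object; includes two_factor_requirement_enabled for owners."""
    return fetch_json(f"{API}/orgs/{org}", token)


def audit(info, members_disabled):
    """Pure helper that turns the two API responses into a verdict,
    so it can be exercised offline on constructed data."""
    logins = sorted(m["login"] for m in members_disabled)
    return {
        "requirement_enforced": bool(info.get("two_factor_requirement_enabled")),
        "members_without_2fa": logins,
        "weakest_links": len(logins),
    }


# Constructed sample responses shaped like the API's JSON (not real accounts).
SAMPLE_ORG = {"login": "example-org", "two_factor_requirement_enabled": False}
SAMPLE_DISABLED = [{"login": "maintainer-b"}, {"login": "maintainer-a"}]

if __name__ == "__main__":
    # Live use: audit(org_info("your-org", TOKEN), members_without_2fa("your-org", TOKEN))
    print(json.dumps(audit(SAMPLE_ORG, SAMPLE_DISABLED), indent=2))
```

Once the report is clean, the org-level "require two-factor authentication" setting turns the check into an enforced policy rather than a periodic audit.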
It would be nice if the popular packages would have to be audited by the community before being pushed, would make it harder to do attacks with such a large possible target (all the tech companies).
Don't insurance companies require you to make any kind of internet security audit?<p>I mean if this doesn't happen, and if governments don't take steps to improve the situation in the next 10 or 15 years, won't things get worse enough that politicians notice?