
CircleCI says hackers stole encryption keys and customers’ source code

390 points by kuter, over 2 years ago

23 comments

ferminaut, over 2 years ago
There shouldn't be any coming back from this. There are failures on multiple levels here & CircleCI demonstrated no one should keep any sensitive data with them.

> Zuber said that while customer data was encrypted, the cybercriminals also obtained the encryption keys able to decrypt customer data.

...what? why did this engineer have access to everything? Does CircleCI know what minimum access policies are for?
pcblues, over 2 years ago
"some" means "all" from Australia's recent intrusions (Optus, Telstra). They can say "some" when the people at the top responsible for reporting only want a sample. It's PR.
TobyTheDog123, over 2 years ago
I honestly can't think of a worse result of a hack of a CI/CD service than source code of companies being stolen. In my mind, this is akin to the Okta breach a while back, a ton of companies being hit hard through no fault of their own all at once.

I can appreciate the want to diversify services so that secrets/env are separate from code, but I think I would honestly trust the behemoth that is Github with both.

That being said, my company still uses Okta, so freebies and mulligans are certainly still tolerated when it comes to data breaches.
alfalfasprout, over 2 years ago
Laptop security aside (this is a hard problem and good solutions can often be detrimental in other ways) there should have been way, way more auditing around access to customer repos. The fact that it took so long to both mitigate further access and to understand the rough scope of the hack is concerning.

More broadly... it shouldn't be that easy to get encryption keys to everyone's secret env variables used for CI jobs.
fareesh, over 2 years ago
Joke's on them, my source code is terrible
c3534l, over 2 years ago
Seems like everyone gets hacked eventually. Like, I'm sure CircleCI had security experts they hired. I don't doubt that they took things seriously and made sure they followed best practices. But that's not good enough. You will still get hacked. What do we do about this?
foota, over 2 years ago
Would hardware security keys protect from this? If you already have a session token on a site (and that site doesn't somehow restrict the session token to only being used on the machine that generated it? Which afaik isn't possible) then it's too late, yes?
fexecve, over 2 years ago
The sad part is, the damage this does to companies won't be felt for years (which is how long it'll take someone to take the stolen source code, analyze it, and make a convincingly-distinct clone), so companies will think that nothing came of this, and they'll keep using CircleCI (and other similar platforms which put everyone's eggs in the same basket, how appealing to hackers that must be).
StopHammoTime, over 2 years ago
How could a stolen session token even be useful? I have to log into tools every day, if I change IPs at all I have to re-authenticate, and all prod access needs to be approved and has a finite lifespan.

How could a CI company be that negligent? They should be leading this stuff from a best practice point of view.
srazzaque, over 2 years ago
Whilst slightly off-topic, curious if they published, or if anyone knows, what OS the compromised employee machine was running?
oxfordmale, over 2 years ago
I worked for an anti-virus company. There are tools that check if your malware can avoid detection by the major virus scanners. As such, the recommendation is never to rely on a virus scanner alone to protect critical assets.
bamboozled, over 2 years ago
I think the CTO has played it pretty well, his recent blog post is kind of "transparent" enough to sound like they care, but very quick to rush everyone back to normality with a kind of "nothing to see here" attitude.

"Thanks customers for the support" is almost a patronizing thing to say IMO. They should at least offer compensation financially for this and as others have said, his recent update has left more questions unanswered for me.

The way I see it, I'm done as a customer, just need the time to migrate away.
debarshri, over 2 years ago
What is interesting here is CircleCI is SOC2 Type 2 compliant. The whole narrative changes if CircleCI was only a self hosted solution and the hack would have happened by one of the customer employees. I'm sure no one would have blamed CircleCI. I don't know if this employee had remote access to all the self hosted enterprise customers too, then that's a true lapse on CircleCI's part.
jay-barronville, over 2 years ago
I hate to be that guy but this news highlights some blatantly incompetent security protocols (especially key management) by a company that we should expect better from. Even something as simple as a Vault (HashiCorp) cluster with decentralized key shares would've prevented this. I'm really disappointed in CircleCI. There's no way I'd trust them after this.
heartbreak, over 2 years ago
There's nothing in this article that says customer source code was accessed or stolen. Is that an error with the title?
llIIllIIllIIl, over 2 years ago
Oh man, I feel so lucky that I've switched exclusively to Github actions late 2020, no good news from CircleCI since then.
komuW, over 2 years ago
From the circleCI blogpost[1]: "Our investigation indicates that the malware was able to execute session cookie theft, enabling them to impersonate the targeted employee in a remote location"

I haven't seen much discussion on how this specific attacker entrypoint can be mitigated. So I'm going to make a naive attempt in this comment.

How about storing the client's IP address in the session cookie. Then whenever the server receives the cookie, it compares the client's IP address against the one stored in the session cookie. The server denies the login if there's a mismatch. The cookie would of course have to be signed (hmac etc) so that it is tamper proof.

One problem with this is that client IP addresses are easily spoofed[2].

So, instead of storing the client's IP address; how about we instead store the clients' SSL fingerprints[3][4]. I haven't looked much into the literature, but I think those fingerprints are hard to spoof.

1. https://circleci.com/blog/jan-4-2023-incident-report/

2. https://adam-p.ca/blog/2022/03/x-forwarded-for/

3. https://github.com/salesforce/hassh

4. https://github.com/salesforce/ja3
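The proposal above (and foota's earlier question about whether a session token can be tied to the machine that created it) amounts to a signed, client-bound, short-lived session cookie. The following is an added example written for this page, not code from the commenter or from CircleCI: the server HMAC-signs a payload carrying the user, a client binding (an IP address or a TLS fingerprint string, whichever the server observes) and an expiry, and verification rejects a cookie whose signature, binding or lifetime does not check out. The server key, IP addresses, fingerprint string, timestamps and 8-hour TTL are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key for the example; a real deployment loads it from a
# secret store and rotates it.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"
SESSION_TTL = 8 * 3600  # seconds (assumption); bounds how long a stolen cookie stays valid


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_cookie(user: str, client_binding: str, now=None) -> str:
    """Issue 'payload.signature' where payload binds the session to a client attribute.

    client_binding is whatever the server can observe: the comment proposes an
    IP address or a TLS fingerprint such as a JA3 hash.
    """
    now = time.time() if now is None else now
    body = {"user": user, "bind": client_binding, "iat": int(now), "exp": int(now) + SESSION_TTL}
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()
    return f"{payload}.{_sign(payload.encode())}"


def verify_cookie(cookie: str, observed_binding: str, now=None):
    """Return (True, user) or (False, reason). Checks signature, expiry, then binding."""
    now = time.time() if now is None else now
    try:
        payload, sig = cookie.rsplit(".", 1)
    except ValueError:
        return False, "malformed"
    # Constant-time signature check before any field is trusted.
    if not hmac.compare_digest(sig, _sign(payload.encode())):
        return False, "bad-signature"
    body = json.loads(base64.urlsafe_b64decode(payload))
    if now > body["exp"]:
        return False, "expired"
    if not hmac.compare_digest(body["bind"].encode(), observed_binding.encode()):
        return False, "binding-mismatch"
    return True, body["user"]


def demo() -> dict:
    """Run the cookie through the cases the thread is worried about."""
    t0 = 1_700_000_000.0  # constructed fixed clock so results are deterministic
    cookie = issue_cookie("alice", "203.0.113.10", now=t0)
    results = {
        # Legitimate use from the client that obtained the cookie.
        "same_client": verify_cookie(cookie, "203.0.113.10", now=t0 + 60),
        # The cookie presented from a different client: the session-theft case.
        "other_client": verify_cookie(cookie, "198.51.100.7", now=t0 + 60),
        # Same client, but after the TTL has elapsed.
        "expired": verify_cookie(cookie, "203.0.113.10", now=t0 + SESSION_TTL + 1),
    }
    # Payload rewritten to the other client's binding while keeping the old
    # signature: the HMAC no longer matches, so the rewrite is detected.
    payload, old_sig = cookie.rsplit(".", 1)
    body = json.loads(base64.urlsafe_b64decode(payload))
    body["bind"] = "198.51.100.7"
    rewritten = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()
    results["rebound_unsigned"] = verify_cookie(f"{rewritten}.{old_sig}", "198.51.100.7", now=t0 + 60)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The binding string is deliberately opaque to the cookie logic so that the same code serves an IP address or a TLS fingerprint. Two caveats a deployer should weigh: the IP the server sees must come from a trusted proxy hop (the X-Forwarded-For problem the comment cites), and a TLS fingerprint identifies the client software, not the person, so it only helps when the replay comes from a different TLS stack. The expiry check is the part that costs nothing and always limits the damage window.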
avereveard, over 2 years ago
So from exploit to reaching the news it took almost a month. That's a large window of opportunity.
blntechie, over 2 years ago
This is a super critical hack, looks really bad for CircleCI. But I don't see any negative news much elsewhere. They will move on.

Also, maybe that localised build system running on an old server for each team seems to be not a bad idea to reduce the blast radius when eventually a hack happens. These providers are supposed to be the gatekeepers and experts who one leaves the tedious and critical work to. If they are just being a leaky cauldron, maybe not bad to cook in my old pot at home.
jwilk, over 2 years ago
https://archive.today/uvvVx
portoal, over 2 years ago
What operating system is running on that malware-d laptop? 90% chance it's Windows 10?
marsupialtail_2, over 2 years ago
If you make everything open source...
athul_jayaram, over 2 years ago
A hack of a CI/CD (Continuous Integration/Continuous Deployment) service can have a significant impact on the companies that use it. In this scenario, an attacker would gain unauthorized access to the CI/CD service's servers, potentially stealing sensitive information such as source code for various companies' software projects. This type of incident is similar to the Okta breach