How do hackers get passwords? Sometimes, they just ask.

SeanJW

Ars Legatus Legionis
11,976
Subscriptor++
One detail that stands out is that the Cognizant person was even able to read the current password, such as to read it out. They should be able to reset sure, but never read the current one.
They read it out because they literally just set it. That's the point of a password reset. Though normally your first password reset should go through a "secure" channel automatically (e.g. designated phone number or recovery email address). The help desk could be limited to changing those with an oversight process.
 
Upvote
0 (0 / 0)

evan_s

Ars Tribunus Angusticlavius
7,498
Subscriptor
Surely there's a "reasonable expectation" on the Clorox side that the vendor won't do dumb shit, regardless of how specific the terms of the contract were, right?

Legally I'm sure you could make the argument that it doesn't follow industry standards or minimum basic security requirements, but I'd assume that opens up the potential for legal debate on what industry standards are or what minimum basic security requirements are. Saying you broke the spelled-out terms of the contract, and potentially even lied about following them on top of that, is likely a much stronger legal argument. They can still try legal arguments about the definitions in the contract or the wording of the contract, but that's a fair bit narrower in scope than industry standards or minimum basic security requirements. Doesn't matter what other people may or may not be doing. The contract says you will do X and you didn't do X.
 
Upvote
0 (0 / 0)

sbradford26

Ars Scholae Palatinae
1,064
Legally I'm sure you could make the argument that it doesn't follow industry standards or minimum basic security requirements, but I'd assume that opens up the potential for legal debate on what industry standards are or what minimum basic security requirements are. Saying you broke the spelled-out terms of the contract, and potentially even lied about following them on top of that, is likely a much stronger legal argument. They can still try legal arguments about the definitions in the contract or the wording of the contract, but that's a fair bit narrower in scope than industry standards or minimum basic security requirements. Doesn't matter what other people may or may not be doing. The contract says you will do X and you didn't do X.
From the lawsuit the complaints are:
COMPLAINT FOR:
1. BREACH OF CONTRACT
2. BREACH OF THE COVENANT OF GOOD FAITH AND FAIR DEALING
3. GROSS NEGLIGENCE
4. INTENTIONAL MISREPRESENTATION
I think they are basically lumping that into gross negligence.
 
Upvote
1 (1 / 0)

marsilies

Ars Legatus Legionis
24,528
Subscriptor++
They read it out because they literally just set it. That's the point of a password reset. Though normally your first password reset should go through a "secure" channel automatically (e.g. designated phone number or recovery email address). The help desk could be limited to changing those with an oversight process.
From the three transcripts, one is a password reset, one is an MFA reset, but the first reads like the rep just reading the existing password. To wit:

Cybercriminal: I don’t have a password, so I can’t connect.
Cognizant Agent: Oh, ok. Ok. So let me provide the password to you ok?
Cybercriminal: Alright. Yep. Yeah, what’s the password?
Cognizant Agent: Just a minute. So it starts with the word "Welcome"...

Note that this bypassed the normal password reset procedure:
When a purported Clorox employee called the service desk, protocol demanded that the employee use an internal verification and self-reset password tool called MyID. If that wasn't possible, the service desk should have verified the person's identity using their manager's name and the user's MyID username, after which the password could be reset but the manager and employee would both be notified by email.

So it seems like the MyID passwords were clearly visible to the service desk.
 
Upvote
-1 (0 / -1)
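As an added illustration of the reset procedure quoted above (this is not code from the thread, from Clorox or from Cognizant): the account store keeps only a salted hash, so a desk agent can reset a password but never read the current one; the fallback reset path requires the MyID username plus the manager's name, issues a random one-time password rather than a fixed default, and records a notification to both employee and manager. Account names, addresses, the iteration count and the notification stand-in are constructed assumptions.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

ITERATIONS = 200_000  # PBKDF2 work factor; an assumed value, not from the thread


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


@dataclass
class Account:
    username: str        # MyID username, the identifier the caller must supply
    manager: str         # manager's name, the second detail the desk must check
    email: str
    manager_email: str
    salt: bytes
    pw_hash: bytes       # only a salted hash is kept; the plaintext is unrecoverable


def make_account(username, manager, email, manager_email, password) -> Account:
    salt = os.urandom(16)
    return Account(username, manager, email, manager_email, salt, hash_password(password, salt))


def verify_password(acct: Account, password: str) -> bool:
    return hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)


class ServiceDesk:
    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}
        self.sent = []  # (recipient, message): stand-in for the notification e-mails

    def agent_view(self, username: str) -> dict:
        """What the agent's screen exposes: identity fields, never a password or hash."""
        a = self.accounts[username]
        return {"username": a.username, "manager": a.manager, "email": a.email}

    def reset_password(self, username: str, claimed_manager: str) -> str:
        """Fallback when MyID self-service is unavailable: verify the MyID username
        plus the manager's name, then issue a random one-time password."""
        acct = self.accounts.get(username)
        if acct is None or claimed_manager.strip().casefold() != acct.manager.casefold():
            raise PermissionError("identity not verified; no reset performed")
        temp = secrets.token_urlsafe(12)       # random, not a fixed "Welcome..." default
        acct.salt = os.urandom(16)
        acct.pw_hash = hash_password(temp, acct.salt)
        note = f"Service desk reset the password for {username}"
        self.sent.append((acct.email, note))
        self.sent.append((acct.manager_email, note))
        return temp
```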

evan_s

Ars Tribunus Angusticlavius
7,498
Subscriptor
From the three transcripts, one is a password reset, one is an MFA reset, but the first reads like the rep just reading the existing password. To wit:

Note that this bypassed the normal password reset procedure:

So it seems like the MyID passwords were clearly visible to the service desk.

I think the first one is also just a password reset. "Starts with Welcome" seems like the sort of default password that they would have set after a password reset. They don't specifically request a password reset and the service desk doesn't say that they did it, but I'd hope that they did just reset the password without making it clear. If they can actually see the currently set password, that's a whole different level of security failure.
 
Upvote
2 (2 / 0)

marsilies

Ars Legatus Legionis
24,528
Subscriptor++
If they can actually see the currently set password that's a whole different level of security failure.
OK, I found a copy of the complaint:
https://www.documentcloud.org/documents/26025404-clorox-versus-cognizant-complaint/

From the complaint:
On August 11, 2023, the cybercriminal first called the Service Desk requesting a reset of Employee 1’s password “for Okta,” which was an identity management tool Clorox used to authenticate access to its network. The Agent responded by asking the cybercriminal to connect to Clorox’s virtual private network (“VPN”).

45. The cybercriminal stated that he could not connect to the VPN without a password, at which point the Agent unilaterally reset Employee 1’s Clorox password without any further questioning or identity verification, in direct violation of Clorox’s credential support procedures.
So Clorox, in the complaint, characterizes it as a password reset.
 
Upvote
1 (1 / 0)

Random_stranger

Ars Praefectus
5,485
Subscriptor
Obvious analogy fail, and you should feel bad.

I feel so very terrible.

Clorox IT likely gets many hundreds of calls per day, and the CIO could easily have someone audit the security of the service periodically by having someone call and request various account changes. This is what a competent CIO would do on a regular basis.

OTOH, I use a towing service once every ~10 years. Auditing them to make sure they're competent is not really an option. BUT ... AAA doesn't actually do the towing; they contract with others for this. And if they contract with someone who severely fucks up and turns out to be incapable of properly towing a car, then it is in fact THEIR fault (not the car owner's).

You don't think AAA will then turn around and have the towing company pay all penalties if they mess up? Does AAA have towing staff on board? How do they vet every single local towing company? Do they make them tow a car to prove it? Seems unlikely - they just give them expectations of response time, "no damages", courteous, etc, and expect that to be followed. And if the towing company messes up, they are expected to pay any damages.
 
Upvote
0 (0 / 0)