Salesloft Drift, VPNs and Roundup

Intro

Kyle Fox here again covering the week of September 1st to the 7th. We have two main stories this week: one is the obvious big news story of the Salesloft Drift breach, the other is some musings on consumer VPN products and some of their potential risks. And as always, a roundup.


Salesloft Drift

It was disclosed last week that a Salesforce app integration called Salesloft Drift had been breached and data was being stolen. The list of affected companies is pretty vast, including Google, Palo Alto Networks, Bugcrowd, HackerOne, Workday, Qualys and Cloudflare.


Salesloft Drift is an AI chat application that provides AI-assisted self-service for the customers of companies using the Salesforce platform as a ticketing system or CRM. Because of the scope of data the application needs in order to assist customers, it would typically have access to all of the customer case records for the organization using it. Some customers may have limited its access to prevent it from reaching certain customer accounts or record types. Many Salesforce customers also do not store all of their customer data in Salesforce and have other data storage integrations or analysis systems that Salesloft Drift would not have had direct access to.


According to Salesloft and Mandiant, the breach started when attackers gained access to Salesloft's GitHub accounts and used that access to locate access tokens, which they then used to pivot into Salesloft's AWS environment. Attackers were looking for access tokens belonging to Salesloft customers so that they could gain access to those customers' data environments and locate valuable data to steal. This included customer AWS and Snowflake tokens. According to reports, the group responsible appears to be the one known as ShinyHunters. The strategy appears to have been to steal data and blackmail companies into paying for that data not to be released publicly.


Cautionary Tales on VPNs

You can’t spend any significant time watching YouTube these days without seeing an ad for VPN services from companies like NordVPN or others. These ads typically tout that VPNs will protect you from hackers, viruses and other attacks and allow you to access other countries' versions of services like Netflix. I have always been really skeptical of these VPN services. I have only used them to obfuscate traffic I send over WiFi at conferences like DEF CON and do not believe any of the other touted benefits.


There are clear problems with using a VPN service. The first problem is that you may make the distance data has to travel for a service like Netflix much longer, which slows it down and makes the service worse. Companies like Google and Netflix spend a lot of effort positioning their content servers as near to customers as possible, in regional or service-provider data centers. Another downside is that while a VPN obfuscates what you're accessing from your ISP, it concentrates all of that information in the VPN company. The VPN company is likely not a regulated utility the way an ISP may be. Depending on where you are, you are relying solely on your trust that the VPN company will not sell your data. Since some of these VPNs are "free," that raises the question of how they are making money.


A recent study highlighted another potential threat in the consumer VPN sphere: it found that a large number of providers can be tied back to China's People's Liberation Army. This presents yet another potential downside to VPNs. You may be trying to hide your activity from one authoritarian state and, by doing so, handing it over to another authoritarian state. This has been a constant threat undercutting the original VPN of this category, Tor, with ongoing talk about intelligence services sponsoring exit nodes to try to surveil the network.


There is also the threat that the VPN software itself presents. It has to be installed on your system with a significant amount of privilege to be able to redirect all your traffic through the tunnel, which means it pretty much has full access to the system. Popular VPN software also comes with a browser plugin, often bundled with a password manager. This means the software can record everything you do in the browser, and it can also potentially hold all of your passwords. Even if it doesn’t include a password manager, a plugin with broad access to the browser can record passwords whenever you grant it that access.


So, I guess the take-home lesson in all this is that consumer VPNs present a pretty large risk. If you need to use one, you will want to fully evaluate that risk. It might be prudent to avoid services that require you to install their software, or to create a multi-layered tunnel strategy with the outside layer being one of these VPN services and the inside layer being a service you control, like a WireGuard tunnel back to a system you control.
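The inner layer of that layered strategy, as an added example that is not from the original post: a WireGuard configuration for a Linux laptop whose default route already belongs to the commercial VPN client, carrying all traffic inside a second tunnel to a server you control. The key values, the 10.200.0.0/24 addresses, the eth0 interface name and the vpn.example.net endpoint are placeholders, not real values.

```ini
# Added example (not from the original post): inner WireGuard tunnel for the
# layered setup. Assumptions: the commercial VPN client is already connected
# and owns the default route; the WireGuard server is a host you control,
# listening on UDP 51820, with net.ipv4.ip_forward=1 set; wg-quick is used on
# both ends. Keys, addresses, interface name and endpoint are placeholders.

# --- /etc/wireguard/wg0.conf on the laptop (client) ---
[Interface]
PrivateKey = <client-private-key>     # generate with: wg genkey
Address    = 10.200.0.2/32            # the laptop's address inside the inner tunnel
DNS        = 10.200.0.1               # resolve via your server, not the outer VPN's resolver
                                      # (wg-quick needs resolvconf/openresolv for this line)

[Peer]
PublicKey  = <server-public-key>
Endpoint   = vpn.example.net:51820    # reached over the outer VPN: wg-quick's fwmark rule
                                      # sends the encrypted WireGuard packets out the
                                      # existing default route, i.e. the commercial tunnel
AllowedIPs = 0.0.0.0/0, ::/0          # everything else rides inside the inner tunnel
PersistentKeepalive = 25              # keep the NAT mapping on the outer VPN's side alive

# --- /etc/wireguard/wg0.conf on the server you control ---
[Interface]
PrivateKey = <server-private-key>
Address    = 10.200.0.1/24
ListenPort = 51820
# NAT inner-tunnel traffic out of the server's uplink (eth0 is a placeholder)
PostUp   = iptables -t nat -A POSTROUTING -s 10.200.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 10.200.0.0/24 -o eth0 -j MASQUERADE

[Peer]
PublicKey  = <client-public-key>
AllowedIPs = 10.200.0.2/32            # only the laptop's inner address may arrive from this peer
```

With this in place the commercial provider sees only WireGuard packets between the laptop and your server; the plaintext destinations, DNS queries and any browser traffic terminate on the host you control.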


Roundup

Updated Sep 15, 2025
Version 2.0