Attackers essentially broke into the Twitch house and cleaned out everything. Following least-privilege access principles and encrypted datasets will help others avoid that scenario.


No company wants to see its crown jewels exposed to the elements, yet this is what happened to the Amazon-owned online streaming platform Twitch on October 6 when 125GB of its data was posted on 4Chan.

Twitch, via a Tweet, acknowledged the breach, “We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us.”

In an October 6 blog post, the company blamed “an error in a Twitch server configuration change that was subsequently accessed by a malicious third party.” Thus, Twitch pointed the finger for the posting of the 125GB of sensitive internal information to an external third party and not toward a malevolent insider.

What exactly went out the door and onto 4Chan? According to Video Games Chronicle, which first reported on the breach, the following data sets were exposed:

  • The entirety of Twitch’s source code with commit history “going back to its early beginnings”
  • Creator payout reports from 2019
  • Mobile, desktop, and console Twitch clients
  • Proprietary SDKs and internal AWS services used by Twitch
  • “Every other property that Twitch owns” including IGDB and CurseForge
  • An unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios
  • Twitch internal red-teaming tools

The service forced an update of all users’ stream keys on October 7. Since then, it’s been radio silence on the Twitch blog front.

The importance of least-privilege access

The misconfiguration of a server, leaving a direct pathway to the unprotected crown jewels of Twitch, raises questions surrounding the basic concepts of least-privilege access.

Cymulate’s cyber evangelist David Klein observes how it is not a good idea for CISOs to “have everything, including source code, accounting records to streamers, encrypted passwords, and unreleased projects to compete with Valve/Steam accessible. This is bad. Basic least privileges for administrators, internal segmentation, and understanding where your data is and who has access are of paramount importance.”

From the outside looking in, the questions CISOs should be asking themselves include:

  • Are the crown jewels that I am tasked to protect adequately protected?
  • Does Klein’s observation on ease of access trumping security apply?
  • Are our datasets encrypted, with the keys provided to those with demonstrated access and only when that access is necessary?
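As an added illustration of the least-privilege check these questions point at (this is example code, not code from the article, from Twitch or from Cymulate), the following Python script audits IAM-style JSON policy documents for over-broad Allow statements and reports what would fail a review. The policy shape follows the AWS IAM JSON format; the two policy documents, the bucket name and the `audit_policy` helper are constructed for this example and do not describe Twitch's real configuration.

```python
"""Least-privilege audit of IAM-style JSON policies (added example, not from the article).

Assumptions: policies follow the AWS IAM JSON shape (Version/Statement/Effect/Action/Resource);
the two policies below are constructed samples, not any real organisation's configuration.
"""
import json

# Constructed sample: an over-broad administrator policy of the kind a least-privilege review flags.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
})

# Constructed sample: the same role scoped to read-only actions on one bucket and one prefix.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-build-artifacts",
                "arn:aws:s3:::example-build-artifacts/releases/*",
            ],
        },
    ],
})


def _as_list(value):
    """IAM allows a string or a list for Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json):
    """Return a list of findings (strings) for one policy document.

    Findings flagged here:
      - Allow with Action "*" or "service:*" (every action on a service)
      - Allow with Resource "*" (every resource in the account)
      - Allow using NotAction/NotResource (grants everything not listed; hard to reason about)
    An empty list means the policy passed this deliberately simple least-privilege check.
    """
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; they are not an over-grant
        label = stmt.get("Sid", f"statement[{index}]")
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{label}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"{label}: wildcard resource '*'")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{label}: NotAction/NotResource grants everything not listed")
    return findings


if __name__ == "__main__":
    for name, doc in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        findings = audit_policy(doc)
        print(f"{name}: {'FAIL' if findings else 'OK'}")
        for finding in findings:
            print("  -", finding)
```

Run as a script it prints `overbroad: FAIL` with two findings and `scoped: OK`. The check is intentionally coarse: a real review also looks at who can assume the role, whether conditions restrict the source, and whether the scoped resources are the only ones the role actually touches, which is the "understanding where your data is and who has access" part of Klein's point.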

“Your currency (data) has a value in the market so protection against theft and misuse begins at the point of creation (currency) and travels with the currency,” notes CEO of Active Cypher Michael Quinn.

“Companies risk the brand, clients and trust when the currency is devalued. A good example: Full disk encryption does not protect you when your data is done ‘resting’ and is on the move again. We need to understand that data (currency) has many states in its lifecycle that require encryption (at rest, in transit, in storage, in use or being created).”

Quinn concludes with advice for CISOs, “the architecture of end-to-end encryption is a moving target, the endpoint is the data not a location, device, or service.

“Can you go beyond the encryption of your currency/data and eliminate the risks of allowing your currency to travel even as cypher bits? The process exists and when applied ensures that the currency/data lifecycle is both secure and under the ownership, stewardship, and management of a ‘secure data supply chain.’”

The streaming service now knows that any pending vulnerabilities in its source code that were on the proverbial to-do list are at risk of discovery by any interested miscreant with an eye toward attacking the service downstream, and those vulnerabilities must be mitigated posthaste.

Twitch’s misconfigured server speaks to the risk presented by the devices and machines in each company’s ecosystem. The breadth of data exposed crosses many professional disciplines: software engineering, UX, production, accounting, and customer care. That reach suggests a modicum of knowledge of Twitch and its internal processes, procedures, and data segmentation rules.

How the “malicious third party” (external or insider) who compromised Twitch was able to traverse the service’s ecosystem has not yet been made public. Should those details be made available, CISOs would be well served to take them on board and apply the lessons to their own environments. Klein says what many CISOs may be thinking, “If this isn’t an insider, then the situation is worse.”
