a guest
Oct 3rd, 2016
Rotten Lies from Freshservice's "Data Security" page: https://freshservice.com/security

TOC:
i. Meta
ii. Backstory
iii. Call to Action
iv. The Lies


--------META--------
Freshservice is a product owned by Freshdesk ("The Company").
Freshdesk's leadership team can be viewed here: https://freshdesk.com/company/leadership-team
Twitter might be a way for you to help hold them accountable in the interest of their customers:
@freshserviceapp, @freshdesk, @mrgirish (CEO), @dilawar (President), @stsprasad (SVP of Eng)
Some tout-worthy Freshservice customers are listed here: https://freshservice.com/customers


--------BACKSTORY--------
This document is a plea for The Company to acknowledge an issue that was reported two months ago, on 4th August 2016, to both Freshservice support and the Freshdesk Security team, by an unnamed customer ("Broken Whistle"). The issue is, less vaguely, a very broad-scope Customer Data Exposure Vector ("The Problem").

The Company responded to The Problem indicating that it was *not* an issue, wholly dismissing its seriousness, and unhelpfully indicating that The Problem was (is?*) a result of an architectural choice, based on The Company's written correspondence with Broken Whistle. Within said correspondence, Broken Whistle asked early and often to be put in touch with The Company's legal counsel.

The Company did not put Broken Whistle in touch with The Company's legal counsel. The Company did not acknowledge The Problem and did not express any intent to reassess The Problem, let alone fix it, in any correspondence with Broken Whistle. The Company did, however, acknowledge and expeditiously correct a separate, narrower exposure vector (involving direct S3 access of production data via `s3cmd` with arbitrary credentials set in the shell environment), which Broken Whistle became aware of only as a result of Broken Whistle's early investigation into The Problem's extent.

After The Company's initial dismissal of The Problem reported by Broken Whistle, Broken Whistle attempted to demonstrate the seriousness of the broad-scope Customer Data Exposure Vector. Broken Whistle collected, and securely shared (with closely-monitored analytics), some of the Customer Data exposed by The Problem with The Company, with the aim of bringing about realization of The Problem's gravity. These assets were also shared with Broken Whistle's employer (with segregated, closely-monitored analytics). The secure access to the assets obtained by Broken Whistle was revoked just several hours after its instantiation, when Broken Whistle was alerted by a coworker to a photo of a U.S. Passport among the securely-shared assets.

The Company responded in an unexpected manner: rather than saying "OK, now we get it, let us look into this," a series of aggressive communications and legal correspondence were sent by The Company to Broken Whistle's (now-former) employer, including specific directives to remove previous attempts via Twitter to alert a few other of The Company's customers, in hopes of several voices being stronger than the one The Company refused to hear. The Problem was, in their view, not a problem, yet should apparently be kept secret. Correspondence from The Company's legal counsel asserts that Broken Whistle is a criminal, but perhaps you'll agree that The Company attempting to cover up The Problem is a much darker shade of gray than Broken Whistle's hat.


--------CALL TO ACTION--------
By bringing attention to this document via social media, you can help achieve three goals:
1) Pressure The Company into a position of honesty and accountability
2) Help bring about a fix* for The Problem via #1
3) The Company's notification of all customers whose assets (of a particular type) lived, for several years, in 'rather plain' view on the public Internet, in publicly-accessible storage, available with no sort of authentication, without the use of The Company's application whatsoever, and perhaps most disturbingly, without sufficient anomaly-/intrusion-detection, nor monitoring/alerting/auto-bans.

There is hope that the above goals can be realized without further public disclosure of details and/or correspondence.

*Broken Whistle is unaware of whether The Problem has been fixed over the past two months, as Broken Whistle has complied with requests to cease research of The Problem. Broken Whistle is aware that at least a small number of The Company's customers have been given some version of the above story, based on analytics of traffic to Broken Whistle's website, and is also hopeful that some degree of publicly-available information will help prevent further attempts at defamation.


--------THE LIES--------

Application Architecture
Lie #1
[...] no customer has access to another customer’s data.

Application Engineering and Development
Lie #2
[...] our products are developed with security considerations from the ground-up.

Deployment & Post Deployment
Lie #3
The security team stays vigilant about common vulnerabilities and exposures and stays on top of updates to the US National Vulnerabilities Database.

Data Security
Lie #4
Freshdesk takes the protection and security of its customers’ data very seriously.
Lie #5
The Freshdesk development team has no access to data on production servers.
Lie #6
Different environments are in use for development and testing purposes, and production data is never available for access by Freshdesk employees or third parties.

Operational Security
Lie #7
Should an individual attempt such a test in the production environment, it will be detected as an intrusion, and the source IP will be blocked.

Network Security
Lie #8
Access to the production environment is via SSH and remote access is possible only via the office network.
Lie #9
Also, the access to production systems are always through a multi-factor authentication mechanism.

Regulatory Compliance
Lie #10
[...] we implement industry standard security, technical, physical and administrative measures against unauthorized processing of such information [...]

Reporting issues and threats
Lie #11
Freshdesk adheres to strict data security, access, integrity policies, [...]
Lie #12
Freshdesk [...] uses an external program with Hackerone’s bug bounty platform to detect security vulnerabilities for proactive resolution.
Lie #13
We deeply appreciate your help in detecting and fixing flaws in Freshdesk[...]
Lie #14
[Freshdesk] will acknowledge your contribution to the world once the threat is resolved.