Untitled

a guest
Feb 11th, 2019
Delivered-To: davem@devkitpro.org
Received: by 2002:a92:9f18:0:0:0:0:0 with SMTP id u24csp2251361ili;
        Fri, 8 Feb 2019 10:25:40 -0800 (PST)
X-Google-Smtp-Source: AHgI3IbUJe5f+Jt6VUb4RvZ5SLEcfw2s37OL6ecgLWaiJnJg8mZw8hWYZ766sKjS6Pq/Gjj8Iu4h
X-Received: by 2002:a17:902:8d8d:: with SMTP id v13mr4866870plo.121.1549650340314;
        Fri, 08 Feb 2019 10:25:40 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1549650340; cv=none;
        d=google.com; s=arc-20160816;
        b=QAj8W9V1Slb9dL1TsCrIdd/F7uKT6lR8cyyFfVsyOCaS0NRXYnLAcN1Fiz92oGY4a9
         v9EyOY5S2xxLZXRRLfXThJj30juR4TsS6nB6pLQG6P4HYSv1ZblGyXmXFfdizwSOX8T7
         Gf5uueM3fK5KWvVXu/OPPdF8qJo53rTU4RXqIpiYW+Tl+gsysFWtBcFjUZSGKByGop+J
         ZnQLmI1jaMrzO+iAdZK36+caX3wf0KcVGFd1h7HofyeLcc9XCK1ra4d4nCr6vkmQ5mv7
         meo7gOCRlu4/Pj5l12RCXSxtiQN2dDUkrGlLE8N6B+f/5yuu8G5aPQayKSweIYBEd+w6
         5Z7A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=to:subject:reply-to:references:mime-version:message-id:in-reply-to
         :from:dkim-signature:date:content-transfer-encoding:auto-submitted;
        bh=8vDRYGMbNSkKINXHvFCaZ00evqtQy5AxVNb7EVcoK3w=;
        b=rh9PgcY47VrHG9dCkbpY+RuZr60LXYl6l8N4faaygs0elX4Zo+wzFjy7tp01RW7Cib
         whRYxRp4t7lbD7HD/9o9odsz6OVxJP+tY4uVM2cYRpiFhRzG0JrtLUCb1/CK2ulgMOnK
         IpFOcwqOXeb6MkMGKaDIxKOD9MESdQFK9udniRn6THAv7eDGHgWcrerZIUjWvW/z1bwS
         wCsjaMywCIzYub+EXgOYPb9u0SgcC4dioRpR/+e33+k3FAJ11Q7crQ7puxzEZzqlqm5Q
         3MOYL22EtAgT4HJtVjC5ERipmzR91gDQzvBztgDX84nT4dAeofpp+bS0Fyw/4QvX8QGC
         F1pQ==
ARC-Authentication-Results: i=1; mx.google.com;
        dkim=pass header.i=@zendesk.com header.s=zendesk1 header.b=HWOLawSi;
        spf=pass (google.com: domain of support@gitlab.com designates 192.161.153.72 as permitted sender) smtp.mailfrom=support@gitlab.com;
        dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=gitlab.com
Return-Path: <support@gitlab.com>
Received: from out5.pod5.iad1.zdsys.com (out5.pod5.iad1.zdsys.com. [192.161.153.72])
        by mx.google.com with ESMTPS id j28si2699655pgm.160.2019.02.08.10.25.39
        for <davem@devkitpro.org>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 08 Feb 2019 10:25:40 -0800 (PST)
Received-SPF: pass (google.com: domain of support@gitlab.com designates 192.161.153.72 as permitted sender) client-ip=192.161.153.72;
Authentication-Results: mx.google.com;
        dkim=pass header.i=@zendesk.com header.s=zendesk1 header.b=HWOLawSi;
        spf=pass (google.com: domain of support@gitlab.com designates 192.161.153.72 as permitted sender) smtp.mailfrom=support@gitlab.com;
        dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=gitlab.com
Received: from localhost (localhost.localdomain [127.0.0.1]) by out5.pod5.iad1.zdsys.com (Postfix) with ESMTP id 477BC1A3429 for <davem@devkitpro.org>; Fri,
        8 Feb 2019 18:25:39 +0000 (UTC)
Auto-Submitted: auto-generated
Content-Transfer-Encoding: 7bit
Content-Type: multipart/alternative; boundary="--==_mimepart_5c5dc9a29515b_db943fa2ae2bcf601060bc"; charset=utf-8
Date: Fri, 08 Feb 2019 18:25:38 +0000
Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zendesk.com; q=dns/txt; s=zendesk1; t=1549650338; bh=8vDRYGMbNSkKINXHvFCaZ00evqtQy5AxVNb7EVcoK3w=; h=date:from:reply-to:to:message-id:in-reply-to:references:subject:mime-version:content-type:content-transfer-encoding; b=HWOLawSiC+f0MeMKoH9d15lg+ux6XAGGPj5npNc6+nv4Drg+1LYZ/FZnGyBiAhNqwG/BART4KuzTo8xYtudnd6M2G0Q36+nDLRqYFsAMVwBJNDoStJaa2tShEwnHb8uCsKmzxbEafys5jN6/3T3em7ddd/baFQJdrT+6gB6HMXs=
From: "Security Team (GitLab Support)" <support@gitlab.com>
In-Reply-To: <CAAjerbKo1JZuVtV_Onc3WupGG4orKAbT=3Pt0rKC3_+BhkUKzg@mail.gmail.com> <XZVE8Z2GDO_5c5d76ff9d272_1712e3ffb77ebcf5088618_sprut@zendesk.com>
Message-Id: <XZVE8Z2GDO_5c5dc9a2ee37_db943fa2ae2bcf601059cf_sprut@zendesk.com>
Mime-Version: 1.0
Received: from out1.pod14.use1.zdsys.com (out1.pod14.use1.zdsys.com [10.217.92.183]) by out5.pod5.iad1.zdsys.com (Postfix) with ESMTP id D55AA1CCBE5 for <davem@devkitpro.org>; Fri,
        8 Feb 2019 18:25:38 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by out1.pod14.use1.zdsys.com (Postfix) with ESMTP id D03F51800097 for <davem@devkitpro.org>; Fri,
        8 Feb 2019 18:25:38 +0000 (UTC)
Received: from zendesk.com (unknown [10.217.102.79]) by out1.pod14.use1.zdsys.com (Postfix) with ESMTP id 9E50B1800096 for <davem@devkitpro.org>; Fri,
        8 Feb 2019 18:25:38 +0000 (UTC)
References: <XZVE8Z2GDO@zendesk.com> <XZVE8Z2GDO_5c5d76ffa8c1c_1e5883fdae68bcf582693d0_sprut@zendesk.com> <XZVE8Z2GDO_5c5d74793b54d_fe6f3f97414bcf5427294f_sprut@zendesk.com> <XZVE8Z2GDO_5c57c44dea19c_32793feeb3cbcf501560d5_sprut@zendesk.com> <XZVE8Z2GDO_5c57d0be4803d_d2dd3fe6ef2bcf58799b9_sprut@zendesk.com> <CAAjerbKo1JZuVtV_Onc3WupGG4orKAbT=3Pt0rKC3_+BhkUKzg@mail.gmail.com> <CAB64wYHKyj27nLtR_LBPijz5onvzd2kXC9j5wYzK8if0quQBUg@mail.gmail.com>
Reply-To: GitLab Support <support@gitlab.com>
Subject: [GitLab, Inc.] Re: compromised account
To: Dave Murphy <davem@devkitpro.org>
X-Auto-Response-Suppress: All
X-Delivery-Context: event-id-602252322794
X-Mailer: Zendesk Mailer
X-Zendesk-From-Account-Id: 2cbf2e0
X-Zendesk-Message-Id: <XZVE8Z2GDO_5c5dc9a2ee37_db943fa2ae2bcf601059cf_sprut@zendesk.com>

----==_mimepart_5c5dc9a29515b_db943fa2ae2bcf601060bc
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

##- Please type your reply above this line -##

Your request (113388) has been updated. To add additional comments, reply to this email.
----------------------------------------------

Security Team, Feb 8, 13:25 EST

Hi Dave

My name is Paul Harrison, the Senior Security Engineer who investigated this incident. I'm sorry for the delayed investigation and response, and I am now leading an effort to improve the end-to-end handling of security engagements so these delays don't occur in the future.

Here is my assessment of the events to answer your questions as best as possible, some were mentioned by Tom Atkins prior:

- The attacker was seen making a single login attempt, which was successful, at 20:23 UTC.

By having no failed attempts and immediately succeeding this would imply the attacker had prior knowledge of the password obtained from another source such as a website/database breach or phishing attack. Additionally, without two-factor authentication being enabled on the account there were no other barriers to prevent access.

- The password change was performed almost immediately following the successful login, also at 20:23 UTC.

The password change procedure in GitLab requires the user to enter the existing password in addition to entering the new password in duplicate. This is to prevent many forms of account takeovers but unfortunately ineffective when the attacker has knowledge of the existing password.

We will investigate ways to improve the password change notification to include functionality such as the ability to disable access to an account or a means of urgently notifying us of an issue, as I agree that while the email notice is valuable it does not provide you with much recourse. Unfortunately in this specific circumstance these two suggestions, or the one you provided to prevent the change, would not have been adequate to prevent or mitigate the incident due to the delay between the event and when you saw the notice as well as the attacker's knowledge of the existing password.

- Between 20:23 UTC and 20:49 UTC the attacker accessed, downloaded, and deleted many (if not all) repos while logged in as WinterMute.

I can confirm the attacker downloaded archives of the following projects under WinterMute and devkitpro prior to deleting them. We are unable to restore these projects.

<redacted>

We have retained audit and application logs of this event however as they may contain personal data of third parties we are unable to release this information without a court order or subpoena.

As Tom mentioned in his previous email we recommend all users to use strong, unique, passwords and enforce two-factor authentication on all online accounts. Had 2FA been enabled the attacker could not have accessed this account.

Please let me know if you have any additional questions or comments.

Thank you,
Paul Harrison
Senior Security Engineer, Security Operations | GitLab, Inc.

Security Team
GitLab, Inc.

----------------------------------------------
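The sequence the email lays out (a first-try successful login, a password change in the same minute, then a run of project deletions inside one session) is a pattern an audit-log detection can flag before an owner sees the notification email. The following is an added example, not code from GitLab or from this thread; the event format, the placeholder date and the thresholds are constructed, and only the times of day come from the email.

```python
from datetime import datetime, timedelta

# Constructed audit events (this example's own format, not GitLab's). WinterMute's
# timeline mirrors the email: one login with no prior failures, a password change
# in the same minute, then deletions over ~26 minutes. The date is a placeholder.
SAMPLE_EVENTS = [
    ("2019-02-07T20:23:10Z", "WinterMute", "login_success"),
    ("2019-02-07T20:23:41Z", "WinterMute", "password_change"),
    ("2019-02-07T20:25:02Z", "WinterMute", "project_delete"),
    ("2019-02-07T20:31:15Z", "WinterMute", "project_delete"),
    ("2019-02-07T20:40:50Z", "WinterMute", "project_delete"),
    ("2019-02-07T20:48:59Z", "WinterMute", "project_delete"),
    # Benign contrast: a typo on the first attempt, then ordinary activity.
    ("2019-02-07T20:00:00Z", "alice", "login_failed"),
    ("2019-02-07T20:00:30Z", "alice", "login_success"),
    ("2019-02-07T20:10:00Z", "alice", "project_delete"),
]

FAILED_LOOKBACK = timedelta(hours=24)    # how far back to look for failed logins
PW_CHANGE_WINDOW = timedelta(minutes=5)  # password change this soon after login
DELETE_WINDOW = timedelta(minutes=60)    # session window for counting deletions
DELETE_THRESHOLD = 3

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def takeover_alerts(events):
    """Return {user: [reasons]} for logins matching the takeover pattern."""
    by_user = {}
    for ts, user, action in sorted(events):
        by_user.setdefault(user, []).append((parse_ts(ts), action))
    alerts = {}
    for user, evs in by_user.items():
        for i, (t0, action) in enumerate(evs):
            if action != "login_success":
                continue
            reasons = []
            if not any(a == "login_failed" and t0 - t <= FAILED_LOOKBACK
                       for t, a in evs[:i]):
                reasons.append("login succeeded with no prior failed attempts")
            later = [(t, a) for t, a in evs[i + 1:] if t - t0 <= DELETE_WINDOW]
            if any(a == "password_change" and t - t0 <= PW_CHANGE_WINDOW
                   for t, a in later):
                reasons.append("password changed within minutes of login")
            deletes = sum(1 for _, a in later if a == "project_delete")
            if deletes >= DELETE_THRESHOLD:
                reasons.append("%d project deletions in the session" % deletes)
            if len(reasons) >= 2:  # any one indicator alone is too noisy
                alerts[user] = reasons
    return alerts
```

A no-failure login by itself is what most legitimate logins look like, so the rule only fires when it coincides with at least one of the other two indicators; the thresholds are starting points to tune against real audit volume.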