On 28/07/2019 00:41, Nick Lamb wrote:
On Sun, 28 Jul 2019 00:06:38 +0200
Ángel via dev-security-policy <dev-security-policy@lists.mozilla.org>
wrote:

A set of credentials mistakenly exposed in a public GitHub repository
owned by a Comodo software developer allowed access to internal Comodo
documents stored in OneDrive and SharePoint:

https://techcrunch.com/2019/07/27/comodo-password-access-data/


It doesn't seem that it affected the certificate issuance system, but
it's an ugly security incident nevertheless.

What was once the Comodo CA is named Sectigo these days, so conveniently
for us this makes it possible to simply ask whether the incident
affected Sectigo at all:

- Does Sectigo in practice share systems with Comodo such that this
   account would have access to Sectigo internal materials?


Alternative problem scenario (and thus additional question):

- Did the Comodo systems or data compromised include sensitive
 information about Sectigo systems or operations, such as yet-to-be
 fixed security issues?

This could of course be an effect of this information being present in
files that remained in Comodo's possession under promise of secrecy or
deletion after the operation split.

In passing it's probably a good time to remind all programme
participants that Multi-factor Authentication, as well as being
mandatory for some elements of the CA function itself (BR 6.5.1), is a
best practice for any security-sensitive business like yours to be using
across ordinary business functions in 2019. Don't let embarrassing
incidents like this happen to you.



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
