Hackers Exploited a PC Driving SIM to Pull Off Disney Data Breach (thedrive.com)
91 points by pseudolus on July 30, 2024 | 63 comments


I work on and co-own BeamMP[1], an open-source multiplayer mod for BeamNG.drive (the driving simulation game at the core of this breach) with about 1M registered users/ >20k daily active users. I missed the original thread[2].

I can add some context on how this (likely) happened.

BeamNG.drive runs a Lua scripting engine, in which they also run a large amount of their own game / simulation code. This Lua scripting engine uses LuaJIT[3], which includes C FFI functionality. This whole scripting environment is sandboxed, but the C FFI is obviously needed to allow optimizations between the game's Lua logic and the game engine (C++).

People I know personally have found various ways around this sandbox, which effectively allows any mod (which can contain Lua scripts) to bypass the sandbox. These were always disclosed immediately to BeamNG GmbH itself, sometimes against payment, sometimes entirely for free. These people continue to find and report ways to break the sandbox, and BeamNG GmbH is very quick to fix these issues before they ever get found and exploited.

The following is my opinion, and not that of BeamMP Ltd. or BeamNG or anyone but me: I think the BeamNG developers would do well with hiring or otherwise working towards fixing their sandbox. These issues have been in the sandbox for such a long time that it's almost embarrassing that they still exist -- I won't go into detail, but some of the exploits found (and fixed) are incredibly trivial. Add to that the possibility that a lot of players run the game as Administrator when it errors in any way, and you have admin permissions on random foreign Lua code that is barely sandboxed.

Of course the blame is on the hackers, but I can't help but feel like at least the more common hacks could be prevented. By hiring a security engineer or two, or not (occasionally) ghosting people who do this work for free, for example.

We (BeamMP, not affiliated with BeamNG.drive or BeamNG GmbH in any way, as they ignore any attempt we make at talking to them) are working actively to make sure players know that they cannot trust mods, especially mods from servers they join. But, sadly, we can't help them fix their game or their sandbox.

[1]: https://beammp.com and https://github.com/BeamMP

[2]: https://news.ycombinator.com/item?id=40955693

[3]: https://luajit.org/


I personally just went down the route of stripping down the FFI system when integrating LuaJIT. It included things like removing the ability to define new ffi types/functions or loading libraries, as well as removing most casting and pointer indexing.


Make sure to also remove any way to load bytecode. Luau has a good page on what they've done in pursuit of sandboxing: https://luau-lang.org/sandbox (it's also a good alternative to consider if ever you don't need LuaJIT specifically)
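The two comments above (strip the FFI and library loading, and refuse bytecode) sketched as a whitelist-style LuaJIT sandbox. This is an added example, not BeamNG's, BeamMP's or Luau's code; it assumes plain LuaJIT, whose `load` accepts the 5.2-style `(chunk, name, mode, env)` arguments, and the mod scripts at the bottom are constructed for the demo.

```lua
-- Added example (not BeamNG's or BeamMP's code): a whitelist-style sandbox for LuaJIT.
-- Assumes LuaJIT (Lua 5.1 API plus the 5.2-style load(chunk, name, mode, env) extension).

local function make_sandbox_env()
  -- Copy only the safe parts of the standard library into a fresh environment.
  -- Deliberately absent: require and package (package.loadlib is a direct route to
  -- native code, and ffi itself is only reachable via require "ffi"), debug, io, os,
  -- dofile, loadfile, loadstring, getfenv/setfenv, rawset/rawget and collectgarbage.
  local env = {
    assert = assert, error = error, ipairs = ipairs, pairs = pairs,
    next = next, pcall = pcall, select = select, tonumber = tonumber,
    tostring = tostring, type = type, unpack = unpack, xpcall = xpcall,
    print = print,
    math = {}, string = {}, table = {},
  }
  for k, v in pairs(math) do env.math[k] = v end
  for k, v in pairs(table) do env.table[k] = v end
  -- Note: string.dump (bytecode out) stays reachable anyway through the string
  -- metatable, e.g. ("").dump; the real control is refusing bytecode on the way in.
  for k, v in pairs(string) do env.string[k] = v end
  -- Any load() exposed to mods is text-only ("t") and reuses the sandbox env, so a
  -- mod cannot smuggle in hand-crafted bytecode, which the VM does not verify.
  env.load = function(chunk, name)
    if type(chunk) ~= "string" then return nil, "only string chunks are allowed" end
    return load(chunk, name or "=(mod)", "t", env)
  end
  env._G = env
  return env
end

-- Run one mod script (source text) in its own environment; returns ok, result-or-error.
local function run_mod(source, name)
  local env = make_sandbox_env()
  local fn, err = load(source, "=" .. name, "t", env)
  if not fn then return false, "compile error: " .. tostring(err) end
  return pcall(fn)
end

-- Constructed mod scripts: one benign, three that try to leave the sandbox.
local mods = {
  {"benign",   "return string.format('%d cars', #{1, 2, 3})"},
  {"ffi",      "local ffi = require('ffi') ffi.cdef('int system(const char *)')"},
  {"loadlib",  "return package.loadlib('evil.dll', 'luaopen_evil')"},
  {"bytecode", "return assert(load(string.dump(function() end)))"},
}
for _, m in ipairs(mods) do
  local ok, res = run_mod(m[2], m[1])
  print(string.format("%-8s -> %s: %s", m[1], ok and "ok" or "blocked", tostring(res)))
end
```

Only the benign mod runs to completion; the other three fail inside the sandbox because `require`, `package` and binary chunks are simply not there. This is the easy part, though: the comment thread above is about escapes that survive such a whitelist (the FFI leaking through engine-exposed objects), which a table-copy cannot fix.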


Are you aware of any information out there about what mod exactly contained the exploit and where it came from?

I'm of course quite curious about how said mod ended up on this person's computer in the first place. As I'm sure you know but I'll explain for the benefit of the wider HN audience, there's a big divide in the BeamNG community over third-party mod sites versus sticking to the official repository. The official repo has rules against stolen content like models ripped from commercial games so the people who just want to crash real life cars tend to go to the third party sites where there's a lot less oversight and quality control, while those of us who don't care about that tend to recommend sticking to the official repo for both ease of use and minimization of potential problems like version update breakage and security exploits. If this came from the official repo that'd blow a lot of holes in the main arguments against the third party sites, and vice versa if it did come from a third party site it'd stand as a demonstration of the point.

I didn't know BeamMP could automatically download mods from the server (none of my friends play Beam so I haven't really used it much), obviously that could have been it as well.


As far as we know it was a mod from modland, and nothing to do with BeamMP (luckily). We don't know which mod, but I've seen people on twitter talk about reverse engineering it - maybe someone knows which mod?

And yes when people join modded servers (which is clearly marked and the mods are listed), the mods are downloaded and installed. This enables super cool community made gamemodes, some of which have thousands of players.


The story is incomplete. The user can’t read those channels, but the app someone may have used his credentials to authorize did. Google Workspaces have the same problem with adding “backup” apps. It’s a broken authorization model.

We also don’t know where the tokens came from, they could have just been leaked literally anywhere else.

If I were Disney, I wouldn’t consider it “case closed.”

If I were you, I would focus on what you can affect. I am sure a motivated party can use the multiplayer code you’ve authored to manipulate a remote player’s computer. There’s nothing to say here besides software is riddled with security holes and egos too big to concede obscurity is the most important defense.


Yes, I'm sure our code allows various exploits. It's open source though, and we try our best - that's really all we can do since we're volunteers and the project is not commercial, and none of us get paid.

All the money we generate indirectly (i.e. through offering a multiplayer experience) goes to BeamNG themselves via game sales, who sadly also refuse to speak to us. All direct donations go to keeping our infrastructure up, and the rest is saved up for rainy days.

We can't hire security researchers, not if they wanna get paid ;)


> One of the people to unwittingly install it was a Disney software development manager, who also had the company’s Slack channels active on the same computer.

The issue here is the IT department allowing employees to install personal software or games on work computers, or access work-related materials on personal machines directly, without a VPN or similar security measures.


Perhaps one of the Real Problems™ is a work-culture where the worker "has" to be responsive and active on Slack from their personal computer. :P

(To be fair, I also have a browser-window opened to corporate Slack on my home computer, but that's partly related to issues with VNC/RDP and wanting to use my multiple monitors.)


Many places basically expect employees to keep work slack on personal phones too


> Real Problems™

Did Real Media rebrand again?


> access work-related materials on personal machines directly, without a VPN or similar security measures

The VPN encrypts the network traffic and can serve as a way to let only authenticated devices access the internal network. But once a device is compromised by malware, the VPN doesn't give any extra protection: the malware just needs to wait for the user to activate the VPN, and then can access the company's network just like any other application running on that machine.


> the malware just needs to wait for the user to activate the VPN, and then can access the company's network

In theory, you are correct, and it does increase the risk compared to never having it connected. However, it doesn’t mean it’s automatically compromised, since the initial point of infection happened through a user action (installing the mod), not through an unknown exploit that spreads through a specific network protocol. So just connecting it doesn’t mean infection, not to mention the VPN settings. Maybe they have file transfer disabled or similar, different OS, protection, etc., where it makes it harder to infect. The worst scenario is he was infected with a RAT type (remote access trojan), where the attacker actively tries to scan other hosts connected to the network through VPN to find vulnerabilities.

That being said, accessing the company network through VPN is still the best practice. After all, you need to access the network remotely for a lot of reasons.


Yes, it is best practice. I'm just saying that a VPN shouldn't be mistaken for malware protection.


I think a key here is that the employee was a Software Development Manager. This makes it more likely that they had the ability to install arbitrary software and likely had elevated local privileges on their work machine. Non-software development employees at Disney probably have more restrictions.

It sounds like this employee should have known better than to install a game, and a random mod for the game on a work machine.


It's interesting because I actually do agree with you entirely but unfortunately I suspect this is a fairly common issue.

I think unfortunately there's a lot of software developers who (and I'll happily include myself in this) think they know better and that they don't have to worry about malware because they use 'common sense'.

One of the biggest issues that I find people tend not to understand is that, even if you find the malware very quickly, and remove it, it only takes a matter of seconds for it to steal credentials / sessions / other sensitive data and send them to who only knows where.


I wouldn't call it common sense to install a random mod. Script kiddies are always in places that have gullible audiences. Games and worse unvetted mods should have really sounded the alarm.


That’s the point.


How would a vpn solve that?

It’s bad recommendations like that which create bad security in the first place.


This was likely vice versa, i.e. the employee installed Slack on their personal computer.


Either way is a terrible practice. Work devices for work and personal devices for home, and never the twain shall meet. Your company’s IT department should insist!


The terrible practice is using Slack for anything important.

Edit: practically, the line is getting more and more blurry. I have to install (multiple, ugh) MFA apps on my phone in order to authenticate to various work services. I've always been a strict work/personal separation devotee, but short of buying and carrying a separate phone, it's difficult.


MFA apps are the only work thing on my personal phone. Nothing else work related lives there...

This might actually be an even more secure way, as on my work laptop there are no personal things. Very rarely I might pay for a train ticket, but that is it.

So MFA is separate from accounts and passwords. Meaning both would need to be compromised at same time...


Just set up another user on your phone and switch to that for work stuff. I have a whole separate user area with work stuff installed, emails, teams etc. It's good as it means I can access work stuff when I need to but there's no risk of me getting notifications or seeing work stuff outside of work hours unless I specifically switch into the account.

https://support.google.com/android/answer/2865483?hl=en


This is how I do it and it works. It's a royal pain in the ass to switch profile all the time since our VPN has an aggressive idle timeout that boots you off. But... It's very nice to have that clean separation.


Nice idea in theory, impossible to make a strict rule in practice.

It starts with the two-factor authentication. Why spend $25 per employee on a yubikey, or several hundred bucks per employee on a company smartphone, when they can use their personal smartphone for free?

Then it's the business travellers, some of whom are very senior people. The CTO is spending the night in a hotel for work, it's well outside of work hours, he'd like to log into his personal netflix account on his work laptop.

Then it's the all-hands meeting about the big reorg - 9am US time, but 8pm for the team in Poland. Of course they're not going to stay in the office to watch that on company equipment, frankly they're doing us a favour by watching it at all.

Then the people wearing headphones in the office want to connect to spotify....

IMHO any large company whose security strategy relies on nobody doing work on a personal device or personal stuff on a work device is destined for failure. You can follow the rule yourself if that's your preference - but if you try to make it mandatory and enforce it effectively, you'll find there are a lot of stakeholders who are unhappy about it...


> IMHO any large company whose security strategy relies on nobody doing work on a personal device or personal stuff on a work device is destined for failure

Every place I've worked for ~25 years has restricted the installation of software on work devices. If the CTO wants to watch netflix, they'd need to take their own laptop or use their phone. Same with Spotify at work.

There has been more allowance for accessing work resources from personal devices in some orgs, though in many places that has also been strictly banned. At my current place, Slack sits in a grey zone where we use it for work but have to maintain discipline around what we discuss. IMO we shouldn't be using it at all.

MFA is almost a separate category - while technically "work stuff" it is reducing attack vectors rather than increasing them.


One of the reasons for that is that people are expected to read their work messages while off work.


Time to install crowdstrike.


Slack makes it easy to use on all systems. You can get notifications on your home system, your work system, your phone, etc. It all blurs together.

also, he could be remote working?


I feel like a step is missing. How does one go from having access to Slack channels to exfiltrating scads of sensitive data?

Did they impersonate the software development manager in order to steal credentials? Did Disney integrate their sensitive data storage with Slack?


Disney is almost certainly using SSO for their Slack auth. there's a high chance the Disney staffer was signed into a browser profile with active cookies for Disney ('s auth provider). assuming the game mod gave them filesystem access, they've got the cookies and can use them elsewhere. job done.


Oh yikes.

So the industry has basically just gone and reinvented the very premise Google built BeyondCorp to mitigate, starting back in 2009.

IIUC the baseline premise was to move away from "login to the VPN and you're inside the corporate network and you can access everything". It was incredibly convenient but a logistical nightmare in practice.

The BeyondCorp approach was to integrate authentication into each product so that the access control could be managed on a case by case basis.

Google standardised on OAuth across the board, and had a centralised login protocol/API with a WAF etc, but each product called out to this, and policy was decided by the calling application. This approach shines through to the whole Login with Google ideology.

Thinking about it, I wonder how much corporate/enterprise/even SOHO OAuth is effectively the inverse of this approach - login to eg Auth0 once and you immediately have access to all your apps.

That approach isn't technically broken, but it feels a bit like there's an antipattern here in the encouragement of centralised policy management. That just encourages everyone to think about "login once!" just like the old VPNs.

And it's just hilarious how everyone's just... wandered in this direction. First VPNs, then "centralised access bad", then BeyondCorp, then OAuth, then "login once!", and back to the beginning.

At least the web gives you the tools to setup siloed authentication per app. VPNs don't provide that level of slicing and dicing. So it's easier to fix, and merely a (complex) security design problem now.


I don't see how Slack is not the prime example of BeyondCorp approach? No VPN or firewall, all access control is done via centralized system. I don't know what Disney was using for identity, but it could have even been Google.

After all, what could have been done differently? Require password retype/MFA multiple times per day? This would drive people crazy, and if the computer is infected then credentials could be stolen anyway.


Amazon is no different, needs a $bigCorp in your story there


Is Amazon on the "built a BeyondCorp clone" side, or the "Auth0 is the new VPN!" side?


> a logistical nightmare in practice

Could you elaborate? I'd like to learn from the errors of the past


[assuming you're using best practices etc] having your users log into a centralized VPN means that you've got all your different on-prem/DC services and services all in well-designed tightly-controlled VLANs with pinhole access network ACLs between them. additionally, you've got your VPN users in tightly-controlled role-specific VPN groups in their own IP pools that are again additionally tightly-controlled via network ACLs. all of this takes time to setup, run and monitor. unless you run a tight ship with automation helping many of these steps and layers, it can be a logistical nightmare. maybe that's what GP meant.


"LOL" said Windows. "LMAO"


Pretty much every company I've worked for had credentials and other sensitive information easily discoverable on Slack, making it a massive headache to clean up.


Slack has all kinds of integrations built-in. For example, paste a google docs link into slack, and you can preview and download the doc right there. There are all kinds of file sharing and app tie-ins.


    Now talking in #ds_it_helpdesk
    RoyD: hi guys this is roy. i have trouble with logging on says my password is wrong. i double checked it multiple times but it doest let me in. can you reset it to Mickey123?
    MarkP: hi. reset it for you, check now?
    RoyD: works now thanks
This is a work of fiction. Names, characters, places and incidents either are products of the author's imagination or are used fictitiously. Any resemblance to actual events or locales or persons, living or dead, is entirely coincidental.


If it was real RoyD would have asked for it to be reset to Mickey1928. Anything else and MarkP would have known it was a scam.


The user probably had permissions to add Slack apps, which can then read anything.


Given Slack is mentioned I'd guess credentials to some remote machine were regularly posted in a channel as a means to notify about periodic password changes.


> Convincing a tech professional with computer literacy that presumably far exceeds the average person’s to install a piece of software seems like a hard sell.

IT here. My developers like to think that knowing how to code gives them some kind of zenlike understanding of all things computer. But they still make the same boneheaded mistakes that all my other users do. And they're actually a bigger pain to deal with due to their overconfidence.


If anything I think it's easier to have an "I can fix this if it breaks something" attitude when you know more



The article asserts this.

    The group’s motivations, however, don’t really add up, especially given how the mod was likely delivered.

    Convincing a tech professional with computer literacy that presumably far exceeds the average person’s to install a piece of software seems like a hard sell.

This excludes the possibility that a few sufficiently skilled furries were hanging together. The furries I know are intelligent to a fault and highly skilled in their crafts.

What seems very likely to me: A group of coders - some being familiar with remote access code and deploying payloads - found each other thru the furry community and formed a working group.


Even if the original headline is still not correctly capitalized ("Hackers Exploited a PC Driving Sim to Pull Off Massive Disney Data Breach"), we're not talking about a Subscriber Identity Module here.


And then people ask why game developers should care about security.


The cookie agreement on that website is pathetic. Choose a better source that doesn't force cookies on you.


Your data only goes to 1248 partners!


>Convincing a tech professional with computer literacy that presumably far exceeds the average person’s to install a piece of software seems like a hard sell.

No.. that's actually very believable actually.


"you wouldn't order a turbo off Temu, would you? Actually wait, don't answer that"

You wouldn't download a car...


Um, so "installing compromised executable on desktop PC" isn't in the threat model for these folks??

For sure I wouldn't install a downloaded game mod (or...a game) on a PC with access to anything, but come on -- the probability that some user is going to install some compromised application, or view some video that has an exploit for the video codec, is 1.0. So you can't design a system that depends on that probability being 0.0


Meta: the abbreviated form of "simulator" in the title should not be all caps, that makes it look like it is about cell phone tech.


I was very confused for a while because I had no idea what a PC driving SIM card was.


Probably either auto-correct or one of the server-side rules of HN that upcased it


For readability I'm always lowering unnecessary uppercase characters when submitting posts and HN has never enforced changes.


I saw the same, that EdBot seems to meddle on post but not edit. IIRC, bot was persistent about some things like repeating characters.

Notepad++ sped up lowercasing for me.


The fact that you have to copy&paste into a different app, apply a feature of that app, then copy&paste again is absolutely ridiculous. It's just another example of how bots are stupid, and the dependency of their use is just lame.


In the context for the targeted audience it's clear sim is a simulator not a SIM card. Gamers know and talk about driving sims, they don't talk about SIM cards as much.

