ITECH 3215: Information Security
USE CASE ANALYSIS
Arun Chacko
30375857
Detail of the attack
On 24 May 2019, the Australian online design company Canva detected a breach of one of the AWS servers it was using.
Monitoring first flagged unusual activity in one of Canva's accounts. An on-call engineer then investigated suspicious activity coming from an IP address that was using certain access credentials, and that address was immediately blocked from the server.
This happened on a Friday, as the weekend was approaching. The attacker, known as Gnosticplayers, obtained a list of about 4 million Canva accounts whose passwords were later cracked and exposed online. Canva stored passwords salted and hashed with bcrypt, so these were recovered by offline cracking of weak passwords rather than by decryption.
In total the attacker held personal details of almost 140 million Canva users, including usernames, real names, email addresses, countries, hashed passwords, and partial payment information.
The attacker then tipped off the technology news site ZDNet, which reported the breach to the public.
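The password exposure described above is worth seeing in code. The following is an added example written for this report, not Canva's own code: it stores passwords as salted slow hashes and then runs the kind of offline dictionary attack an attacker mounts on a leaked table. PBKDF2-HMAC from the Python standard library stands in for bcrypt (an assumption made so the example runs without third-party packages), and the leaked records and word list are constructed.

```python
import hashlib
import os
import secrets
from typing import Dict, List, Optional, Tuple

ITERATIONS = 20_000  # PBKDF2 work factor; bcrypt's cost parameter plays the same role


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Store a password as (random per-user salt, slow hash). Nothing here is reversible,
    which is why a leaked table has to be cracked rather than decrypted."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes, iterations: int = ITERATIONS) -> bool:
    """Recompute the hash for a candidate password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return secrets.compare_digest(candidate, digest)


def crack(records: List[Tuple[str, bytes, bytes]], wordlist: List[str],
          iterations: int = ITERATIONS) -> Tuple[Dict[str, str], int]:
    """Offline dictionary attack on a leaked (user, salt, digest) table.
    Because every record carries its own salt, each word must be re-hashed per user
    (unsalted hashes would let the attacker hash each word once for all users).
    Returns (recovered passwords by user, number of hash computations spent)."""
    recovered: Dict[str, str] = {}
    attempts = 0
    for user, salt, digest in records:
        for word in wordlist:
            attempts += 1
            if verify(word, salt, digest, iterations):
                recovered[user] = word
                break
    return recovered, attempts


# Constructed "leaked" table: two users with weak passwords, one with a strong one.
LEAKED = [
    ("alice", *hash_password("password123")),
    ("bob", *hash_password("qwerty")),
    ("carol", *hash_password("x7#Rq!2vLm9$Tz")),
]
# Constructed word list, ordered the way a cracking tool would try common choices.
WORDLIST = ["123456", "password", "qwerty", "password123", "letmein"]


def demo() -> Tuple[Dict[str, str], int]:
    """Run the attack against the constructed table."""
    return crack(LEAKED, WORDLIST)


if __name__ == "__main__":
    recovered, attempts = demo()
    print(f"recovered {recovered} after {attempts} hash computations")
```

The weak passwords fall to a handful of guesses each, the strong one survives the whole list, and the per-user salt forces the attacker to pay the work factor separately for every account. That is exactly the pattern in the Canva case: a slow salted hash limited the damage to the minority of users with guessable passwords, but could not protect them.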
Analysis
The attacker's likely motive was to attract data buyers on dark web marketplaces, where such datasets are traded for varying amounts of Bitcoin. Gnosticplayers is believed to have been involved in breaches of user data at over 40 large companies, and with the Canva incident the total number of records they claimed to hold passed one billion.
Gnosticplayers claimed to have obtained OAuth login tokens for users who sign in via Google, but Canva found no evidence that the attacker downloaded or used them.
Canva has staff responsible for security and privacy, including appointed Heads of Security, Privacy and Data, and an Information Security Committee that meets every three months to evaluate the issues recorded in its risk registers.
The risk was rated highly critical, as confidentiality, authenticity and other properties were at stake. The attacker was stopped mid-attack. Canva immediately restricted logins, invalidated passwords that had not been changed since the breach, and notified users whose passwords had been cracked. Notification went out through social media, by direct email to customers, and through a dedicated security page on Canva's website where updates were posted.
Canva expanded its security team and committed significant budget and skilled personnel to rebuilding user trust. All login tokens issued before the breach were reset, so users were prompted to reconnect their accounts at their next login.
Canva also partnered with organisations such as 1Password to offer users free services for a set period.
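The response measures above (reset every token issued before the breach, force a password reset on accounts whose password has not changed since) are usually implemented with a single cutoff timestamp rather than by deleting tokens one at a time. The following is an added example written for this report, not Canva's code: a small in-memory account and session store with the two controls, run against constructed accounts and sessions dated around the 24 May 2019 breach. The class and field names are this example's own.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional


def ts(day: str) -> datetime:
    """Turn an ISO date into an aware UTC datetime (helper for the constructed data)."""
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)


@dataclass
class Account:
    username: str
    password_changed_at: datetime
    must_reset_password: bool = False


@dataclass
class Session:
    token: str
    username: str
    issued_at: datetime


class AuthStore:
    """Minimal account/session store with a global 'tokens valid after' cutoff."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}
        self.tokens_valid_after: Optional[datetime] = None

    def add_account(self, username: str, password_changed_at: datetime) -> None:
        self.accounts[username] = Account(username, password_changed_at)

    def issue_session(self, token: str, username: str, issued_at: datetime) -> None:
        self.sessions[token] = Session(token, username, issued_at)

    def respond_to_breach(self, breach_time: datetime) -> int:
        """Reject every session issued before the breach and flag for reset every
        account whose password has not changed since. Returns the number flagged."""
        self.tokens_valid_after = breach_time
        flagged = 0
        for acct in self.accounts.values():
            if acct.password_changed_at <= breach_time:
                acct.must_reset_password = True
                flagged += 1
        return flagged

    def change_password(self, username: str, when: datetime) -> None:
        """Completing a reset clears the flag and ends the user's existing sessions."""
        acct = self.accounts[username]
        acct.password_changed_at = when
        acct.must_reset_password = False
        self.sessions = {t: s for t, s in self.sessions.items() if s.username != username}

    def is_session_valid(self, token: str) -> bool:
        """A session is good only if it is known, issued after the cutoff, and its
        account is not waiting on a forced reset."""
        sess = self.sessions.get(token)
        if sess is None:
            return False
        if self.tokens_valid_after is not None and sess.issued_at < self.tokens_valid_after:
            return False
        acct = self.accounts.get(sess.username)
        return acct is not None and not acct.must_reset_password


def build_demo_store() -> AuthStore:
    """Constructed accounts and sessions around the breach date."""
    store = AuthStore()
    store.add_account("alice", ts("2018-11-02"))
    store.add_account("bob", ts("2019-03-10"))
    store.add_account("carol", ts("2019-05-25"))  # changed password the day after
    store.issue_session("tok-alice", "alice", ts("2019-05-20"))  # issued before breach
    store.issue_session("tok-bob", "bob", ts("2019-05-26"))      # after, password unchanged
    store.issue_session("tok-carol", "carol", ts("2019-05-26"))  # after, password changed
    return store


def demo() -> dict:
    store = build_demo_store()
    flagged = store.respond_to_breach(ts("2019-05-24"))
    before = {t: store.is_session_valid(t) for t in ("tok-alice", "tok-bob", "tok-carol")}
    # alice completes the forced reset and logs in again
    store.change_password("alice", ts("2020-01-20"))
    store.issue_session("tok-alice-2", "alice", ts("2020-01-20"))
    return {
        "flagged": flagged,
        "before": before,
        "alice_new": store.is_session_valid("tok-alice-2"),
        "alice_old": store.is_session_valid("tok-alice"),
    }


if __name__ == "__main__":
    print(demo())
```

Only carol's session survives the response: alice's token predates the cutoff, and bob's token is newer but his account is blocked until he resets. Checking the cutoff at validation time means nothing has to iterate over millions of live tokens during the incident, and a password change both clears the flag and ends the user's old sessions.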
Further Action
Canva now has a more defined approach to limiting future breaches. Data at rest on its servers is encrypted with AES-256 or stronger, and data in transit is protected with TLS 1.2.
Security patches are applied to servers in accordance with a Vulnerability Management Procedure.
Canva also maintains an information security policy aligned with the ISO 27001 standard, and an internal audit function oversees Canva's ISMS.
Resources
Canva Security Incident. (2020, January 17). Canva.com. https://www.canva.com/en_au/help/
Canva's infosec resourcing 'still growing' two years after large data breach. (n.d.). iTnews. https://www.itnews.com.au/news/canvas-infosec-resourcing-still-growing-two-years-after-large-data-breach-569282
Christou, L. (2019, June 3). Gnosticplayers: Why the hacker behind the Canva data breach boasted to the media. Verdict. https://www.verdict.co.uk/canva-data-breach-gnosticplayers/
Cimpanu, C. (2019, May 24). Australian tech unicorn Canva suffers security breach. ZDNET. https://www.zdnet.com/article/australian-tech-unicorn-canva-suffers-security-breach/
Lukic, D. (2021, November 2). All about Canva data breach. IDStrong. https://www.idstrong.com/sentinel/canva-data-breach/