Authentication Firm Okta Probes Report of Digital Breach (reuters.com)

Authentication services provider Okta is investigating a report of a digital breach, the company said on Tuesday, after hackers posted screenshots showing what they claimed was its internal company environment. From a report: A hack at Okta could have major consequences because thousands of other companies rely on the San Francisco-based firm to manage access to their own networks and applications. The company was aware of the reports and was investigating, Okta official Chris Hollis said in a brief statement. "We will provide updates as more information becomes available," he added. The screenshots were posted by a group of ransom-seeking hackers known as LAPSUS$ on their Telegram channel late on Monday. In an accompanying message, the group said its focus was "ONLY on Okta customers." TechCrunch adds: Okta chief executive Todd McKinnon confirmed the breach in a tweet thread overnight on March 22: "In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January."
  • It's confirmed at this point, not officially by Okta but by employees at Okta on Twitter.

    https://www.cyberkendra.com/20... [cyberkendra.com]

    I recommend testing out the SSO/IDaaS has been pwned playbook if you're into Okta at work. They only hold 90 days of logs, which means you should act now; we know LAPSUS$ had access as far back as January. I don't know what the logs look like when an Okta admin looks at customers' information or accesses a customer's account. However, I assume it's hidden from the customer. I'm going into t

    • by upuv ( 1201447 )

      This is going to be a savage mess.

      Because of the level of apparent access, there was more than enough time to compromise systems to the extent that "secrets" could have been compromised, which means cyber controls could have been eroded to the point where client systems could have been compromised.

      My colleagues in many organisations and enterprises are now scrambling to identify and contain any breach. The speed at which orgs mobilised here in Aus was actually rather impressive.

      My guess is all the other MFA

    • More than that, you should revoke all active logins and make all users re-authenticate. I imagine rotating might force that anyway, but the attacker could already have a computer logged into your systems.

    • by ChoGGi ( 522069 )

      No no it's okay, the CSO said there's no breach :)

      "The Okta service has not been breached and remains fully operational. There are no corrective actions that need to be taken by our customers."
      https://www.okta.com/blog/2022... [okta.com]

      The hacker had a few things to say
      https://img.guildedcdn.com/Con... [guildedcdn.com]
      https://img.guildedcdn.com/Con... [guildedcdn.com]
      I think the best one was:

      Security Standards. Okta's ISMP includes adherence to and regular testing of the key controls, systems and procedures of its ISMP to validate that they are properly implemented and effective in addressing the threats and risks identified. Such testing includes:

      a) Internal risk assessments;
      b) ISO 27001, 27002, 27017 and 27018 certifications;
      c) NIST guidance; and
      d) SOC2 Type II (or successor standard) audits annually performed by accredited third-party auditors ("Audit Report").

      I don't think storing AWS keys within Slack would comply with any of these standards?

  • by ffkom ( 3519199 ) on Tuesday March 22, 2022 @06:15AM (#62379399)
    The IT industry is so obsessed with delegating away responsibility that they are not even concerned about putting all their eggs into one basket, which in IT translates to "provide some 3rd party vendor with a general key to access everything".

    Breaking the security of some grocery store's WLAN router may be 100 times easier than breaking into Okta's systems, but the incentive and possible profit of the latter is 10000 times more, so that is the much more attractive target.
    • by DarkOx ( 621550 )

      Yes, but good luck convincing the CIS/CSO types, let alone the infosec industry, how utterly fucking stupid a concept the Okta/JumpClouds/AzureADs of the world are.

      Yes, doing authentication and authorization well in the enterprise environment is HARD; however, unlike a lot of other SaaS offerings, identity and access management is so fundamental to everything IT does that it makes no sense to throw it over the wall. When you don't even truly control your IAM system of record, you don't control anything at all.

      • IAM [wikipedia.org] = Identity and Access Management
      • I love the implicit statement that you believe most businesses would be better off saddling their two overworked IT employees (who are 60% glorified help desk, 20% sysadmins, 15% scapegoats, and MAYBE 5% security-minded) with developing, implementing, managing, and maintaining a home-grown local AAA system, rather than utilizing a vetted, highly reliable SaaS solution.

        I mean, how many companies have got popped because they didn't / wouldn't update an AD server? Let alone all the other issues of poorly th

        • ^^ This guy knows the reality. The old salty sysadmins will say 'Bah! I knew active directory was the way to go!', but AD is more easily compromised than Okta usually. All it requires is a means of entry into the internal network, and in real world IT environments sysadmins will be reluctant to update the DC. Or, the client won't pay for upgrades. There are still many DCs at businesses running Windows 2008 etc, which can easily be pwned from the inside. Once they are in the DC it is catastrophic to re
          • The old salty sysadmins will say 'Bah! I knew active directory was the way to go!',

            No, no they wouldn't. But maybe people who have no experience other than their free annual Microsoft trainings would say that.

          • AD isn't home grown. It's just as prone as the large service providers, but with the additional layer of not always getting security updates.

            • AD itself isn't, no. But the setup, configuration, patch management, security, etc., etc., all are. And that's usually where things fall apart.

              Which is more or less exactly what you're paying these providers for: to manage all that other stuff for you so you don't have to. And with SSO, so your users don't have to manage multiple passwords for various accounts, which we've basically all been forced to accept just /doesn't happen/ and they will immediately reuse, trivialize, or just write down their passw

          • by jd ( 1658 )

            It's slightly worse than what you describe. Active Directory is, after all, a Windows solution. You can run something similar on Linux, there are Active Directory-like systems, but getting those systems to work fluidly with AD is, at best, improbable because Microsoft really does not approve of interoperability.

            There are alternative authentication systems that are somewhat more interoperable - Microsoft does support Kerberos - but Kerberos is horrible to admin and I'm not sure Microsoft works well with the

            • The closest 1:1 with Okta is actually ADFS, which integrates AD with SaaS apps that support SAML. Microsoft's ADFS in Azure is actually an Okta competitor/clone.
            • There is one thing AD has which no other system possesses -- the ability to scale. You can go from a domain to trees, to cross-linked forests, with many millions of objects, and still be able to keep everything reasonably managed and secure, using GPOs, OUs, etc. As of now, there isn't anything out there that has this capability of being able to scale as tall and as wide as AD can.

              • There is one thing AD has which no other system possesses -- the ability to scale. You can go from a domain to trees, to cross-linked forests, with many millions of objects, and still be able to keep everything reasonably managed and secure, using GPOs, OUs, etc. As of now, there isn't anything out there that has this capability of being able to scale as tall and as wide as AD can.

                AD is a directory server with mediocre performance and ancient, inherently insecure authentication methods. People use it because it's easy and integrated, not because it's good.

        • by Arethan ( 223197 )

          Very much this. It's really easy to throw stones at outsourcing AAA & SSO, but as you pointed out, those systems are typically operated far better by the outsourced specialists.

          As GP pointed out, IAM is fundamental to everything IT does, which is exactly why it has become an undifferentiated product that is attractive for outsourcing.

          While GP is aiming at trust issues of outsourcing, they're missing the point that doing business at all always requires some level of trust. In various ways, you trust in y

        • rather than utilizing a vetted, highly reliable SaaS solution.

          So...is Okta that?

          Those homegrown systems get breached, but they're smaller targets. I would argue that security through obscurity is making a comeback. I don't really see a good solution. The large platforms sometimes still have less revenue than scammers. They really have a lot of resources.

          The problem with 3rd party solutions is that sometimes they are just a home grown system with better marketing. Storagecraft (arcserve) recently (last week) decommissioned a server array prematurely and lost all o [storagecraft.com]

          • Okta has been doing their thing for years now without much issue. Even this current bit seems to be overblown (if you trust what Okta is saying, and I will fully agree that they're probably incentivized to downplay the issue, but "whoops Okta got popped and now LAPSUS$ is in all your boxes" also doesn't seem to have happened). So whether that's enough for you, personally, to trust them isn't something I can say, but no one was really discussing Okta in specific--rather the concept of using outsourced IdP/S

    • by AmiMoJo ( 196126 )

      It's about externalizing responsibility. If they get hacked they can blame Okta and collect the insurance money. After all, they did best practice, contracted for a secure service, blah blah blah.

      You have to remember that when they get hacked their main concern is not for the poor users who get ripped off, it's that they don't get the blame for it.

    • As it turns out, security through obscurity is not the worst option.

  • As of 2020 US Department of Justice was a client.
  • Hacking Okta does not guarantee access to their customers' internal resources, for a couple of reasons:

    1. The first-factor authentication is executed remotely using encrypted communication with the customer's LDAP/AD/etc...
    2. The second factor goes to SMS or an app, and that data needs to be confirmed.

    The hackers have neither piece of info. They only got what they may have found at Okta, which is in no way going to provide them access to the customers. The hackers claim they only want the customer info and not
    • Wait... SMS is the second factor? Seriously?

      Gee, I wonder how a system designed by people who can implement this level of security could possibly have been compromised. /sarcasm

    • I'll admit that I don't have direct knowledge on how this particular provider works, but for the first factor, are they still sending their login to the Okta server? Do they host the login page with username/password blanks? Even if it creates a one-time access token, the malicious user can just take it for themselves rather than return it to the user. Having a copy of Okta's data doesn't get them access to customers, but having access to place code on Okta's servers might.

      The second factor can be interc

      • No, for the first factor, they direct you to a page with a username/password entry. The POST data is immediately encrypted on the browser before being sent to the customer's LDAP/AD for verification, then the result of that verification is sent to Okta only as a succeed/failed status. When this factor is successful, Okta will send a notification to the 2nd factor. Yes SMS can be intercepted but that will take an entirely different hack. Most people opt to use the Okta Verify app instead of SMS. This app giv
        • It sounds like even if the credentials go directly to the AD server, the verification is sent to Okta and you can pick up the auth token from there instead of returning it to the user. It would depend on the site using Okta for authentication whether the token alone is enough to grant you access.

    • by darkain ( 749283 )

      Check the leaked info again. The tools displayed in the screenshots show things like "reset password"/"assign password" and "change 2fa method", so very much yes, they would be able to bypass #1 and #2 with the tooling they have at their disposal.

      • It's true that Okta can change/assign passwords, but that's for customers that use Okta's authentication module. For customers who use federated IAM, the authentication happens on their own LDAP/AD. Okta cannot make changes to these. But yes, they can change the 2FA method to something that they can more easily intercept.
    • by xwin ( 848234 )
      OKTA provides a variety of second factors. I think it is configured at a client company's request. You can enable any combination of allowed second factors. SMS is just one of them. I personally do not enable SMS. The other ones are TOTP through the OKTA app and Symantec VIP, as well as push authentication through the OKTA app. Any standards-compliant TOTP app works. The push authentication is similar to what Google does, where it asks you "did you just sign in to this account?"
      I would imagine it would be pre
      • OKTA provides a variety of second factors. I think it is configured at a client company's request. You can enable any combination of allowed second factors. SMS is just one of them. I personally do not enable SMS. The other ones are TOTP through the OKTA app and Symantec VIP, as well as push authentication through the OKTA app. Any standards-compliant TOTP app works. The push authentication is similar to what Google does, where it asks you "did you just sign in to this account?"
        I would imagine it would be pretty hard to spoof or bypass.

        In general I would trust OKTA much more over the in house security team. That is the only thing that they do.

        Just listening to this is depressing. TOTP, SMS, no crypto binding of factors, no MITM protections. It's 2022 and people are still pretending phishing isn't one of the most salient threats they face.
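The "no crypto binding of factors" point above is the reason phishing-resistant factors exist. As an added example that is not from any poster: a simulation of what a verifying server can and cannot tell when a code or assertion is relayed through a look-alike site. The TOTP side is RFC 6238 over HMAC-SHA1 with the RFC's test secret; the "bound" side is a simplified stand-in for WebAuthn's origin binding, not a real WebAuthn implementation, and the keys, origins and challenge are constructed.

```python
"""Why an RFC 6238 TOTP code verifies no matter where the user typed it, while
an assertion bound to the origin the browser saw does not. Constructed example;
the bound scheme is a simplified stand-in for WebAuthn's origin binding."""
import hmac, hashlib, struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226 dynamic truncation) over the time counter."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def server_verify_totp(secret: bytes, unix_time: int, submitted: str) -> bool:
    # The server only sees the six digits: nothing in them says which site
    # collected them, so a relayed code is indistinguishable from a genuine one.
    return hmac.compare_digest(totp(secret, unix_time), submitted)

def bound_assert(key: bytes, challenge: bytes, origin_seen: str) -> bytes:
    """Authenticator MACs the server challenge together with the origin the
    browser reports, so the result is only meaningful for that origin."""
    return hmac.new(key, challenge + origin_seen.encode(), hashlib.sha256).digest()

def server_verify_bound(key: bytes, challenge: bytes, expected_origin: str,
                        assertion: bytes) -> bool:
    # The server recomputes with the origin it actually is; any other origin
    # the user was on produces a different value and the login fails.
    return hmac.compare_digest(bound_assert(key, challenge, expected_origin), assertion)

def relay_scenarios(t: int = 59) -> dict:
    """Same relay against both factor types; t=59 is the RFC 6238 test time."""
    totp_secret = b"12345678901234567890"           # RFC 6238 test vector secret
    user_code = totp(totp_secret, t)                # user types this into the look-alike
    key, challenge = b"constructed-device-key", b"constructed-server-nonce"
    # Browser on the look-alike reports the look-alike's origin to the authenticator.
    seen = bound_assert(key, challenge, "https://login.example-lookalike.test")
    return {
        "totp_code": user_code,
        "totp_relay_accepted": server_verify_totp(totp_secret, t, user_code),
        "bound_relay_accepted": server_verify_bound(key, challenge, "https://login.example", seen),
    }
```

The first result is the gap the commenter is describing; the second is what a factor bound to the origin buys you against the same relay.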

    • No, it does not; however, it does make the task easier. That said, if you operate on the premise that everyone and everything is compromised, you can build in validation processes to limit the damage.
  • Their website consists of a giant NoScript image, and some heading about the "Okra Advantage" ;)
