Hackers Stole Access Tokens From Okta's Support Unit (krebsonsecurity.com)
An anonymous reader quotes a report from Krebs on Security: Okta, a company that provides identity tools like multi-factor authentication and single sign-on to thousands of businesses, has suffered a security breach involving a compromise of its customer support unit, KrebsOnSecurity has learned. Okta says the incident affected a "very small number" of customers; however, it appears the hackers responsible had access to Okta's support platform for at least two weeks before the company fully contained the intrusion. In an advisory sent to an undisclosed number of customers on Oct. 19, Okta said it "has identified adversarial activity that leveraged access to a stolen credential to access Okta's support case management system. The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases."
Okta explained that when it is troubleshooting issues with customers it will often ask for a recording of a Web browser session (a.k.a. an HTTP Archive or HAR file). These are sensitive files because in this case they include the customer's cookies and session tokens, which intruders can then use to impersonate valid users. "Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens," their notice continued. "In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it."
Okta has published a blog post about this incident that includes some "indicators of compromise" that customers can use to see if they were affected. But the company stressed that "all customers who were impacted by this have been notified. If you're an Okta customer and you have not been contacted with another message or method, there is no impact to your Okta environment or your support tickets." The security firm BeyondTrust is among the Okta customers who were involved in the breach. "BeyondTrust Chief Technology Officer Marc Maiffret said that [Okta's] alert came more than two weeks after his company alerted Okta to a potential problem," reports Krebs. BeyondTrust has also published a blog post detailing its findings.
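The advisory's closing recommendation, sanitizing credentials and cookies/session tokens in a HAR file before sharing it with support, is a concrete step a customer can automate. The script below is an added example, not code from Okta, Krebs or BeyondTrust. A HAR file is JSON; each entry carries request and response headers, cookie objects, query strings and bodies, and this scrubber replaces the values that typically embed session material with a placeholder while leaving the structure a support engineer needs. The header and parameter name lists are this example's own assumptions about where tokens tend to appear, and the sample capture is constructed, not a real recording.

```python
"""Scrub credentials and session tokens from an HTTP Archive (HAR) before sharing it.

Added example (not Okta's, Krebs's or BeyondTrust's code). Redacts:
  * Cookie / Set-Cookie / Authorization style headers (assumed list below),
  * every cookie object in requests and responses,
  * query-string and form parameters whose names look credential-like,
  * raw request bodies, and response bodies that mention token/session material.
"""
import copy
import json
import re
import sys
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"

# Header names treated as credential-bearing (assumption for this example).
SENSITIVE_HEADERS = frozenset({
    "cookie", "set-cookie", "authorization", "proxy-authorization",
    "x-api-key", "x-auth-token", "x-csrf-token",
})
# Parameter names treated as credential-like (assumption; over-redaction is the safe failure).
SENSITIVE_NAME_RE = re.compile(
    r"(token|session|sid|auth|passw|secret|api[_-]?key|credential|assertion|^code$)", re.I
)


def _redact_named(items, names=frozenset(), pattern=None):
    """Replace `value` on every {name, value} object whose name is sensitive; return count."""
    n = 0
    for item in items or []:
        name = str(item.get("name", ""))
        if name.lower() in names or (pattern and pattern.search(name)):
            item["value"] = REDACTED
            n += 1
    return n


def _redact_url(url):
    """Strip credential-like query parameters and any token-bearing fragment from a URL."""
    parts = urlsplit(url)
    n = 0
    pairs = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if SENSITIVE_NAME_RE.search(key):
            value, n = REDACTED, n + 1
        pairs.append((key, value))
    fragment = parts.fragment
    if fragment and SENSITIVE_NAME_RE.search(fragment):   # e.g. implicit-flow #access_token=
        fragment, n = REDACTED, n + 1
    return urlunsplit(parts._replace(query=urlencode(pairs), fragment=fragment)), n


def _redact_message(msg):
    """Scrub headers, cookie objects and queryString shared by request and response objects."""
    n = _redact_named(msg.get("headers"), names=SENSITIVE_HEADERS)
    for cookie in msg.get("cookies") or []:
        cookie["value"] = REDACTED   # every cookie value is treated as session material
        n += 1
    return n + _redact_named(msg.get("queryString"), pattern=SENSITIVE_NAME_RE)


def _redact_request_body(req):
    post = req.get("postData")
    if not post:
        return 0
    n = _redact_named(post.get("params"), pattern=SENSITIVE_NAME_RE)
    if post.get("text"):
        post["text"] = REDACTED      # raw bodies carry logins, tokens and SAML/OIDC payloads
        n += 1
    return n


def _redact_response_body(resp):
    content = resp.get("content") or {}
    text = content.get("text")
    if text and SENSITIVE_NAME_RE.search(text):
        content["text"] = REDACTED   # coarse rule: a body mentioning token/session is dropped whole
        return 1
    return 0


def sanitize_har(har):
    """Return (scrubbed deep copy of a parsed HAR dict, number of redactions made)."""
    out = copy.deepcopy(har)
    n = 0
    for entry in out.get("log", {}).get("entries", []):
        req, resp = entry.setdefault("request", {}), entry.setdefault("response", {})
        if "url" in req:
            req["url"], k = _redact_url(req["url"])
            n += k
        n += _redact_message(req) + _redact_request_body(req)
        n += _redact_message(resp) + _redact_response_body(resp)
    return out, n


# Constructed sample capture (not a real session) used to exercise the scrubber.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "POST",
        "url": "https://example.test/api/me?sessionToken=tok-123&page=2",
        "headers": [{"name": "Cookie", "value": "sid=abc123"},
                    {"name": "Authorization", "value": "Bearer eyJ.fake.jwt"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "abc123"}],
        "queryString": [{"name": "sessionToken", "value": "tok-123"},
                        {"name": "page", "value": "2"}],
        "postData": {"mimeType": "application/x-www-form-urlencoded",
                     "params": [{"name": "password", "value": "hunter2"}],
                     "text": "password=hunter2"},
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=def456; HttpOnly"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "def456"}],
        "content": {"mimeType": "application/json",
                    "text": '{"access_token": "xyz", "user": "alice"}'},
    },
}]}}

if __name__ == "__main__":
    # Usage: python har_scrub.py capture.har > capture.sanitized.har
    src = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR
    scrubbed, count = sanitize_har(src)
    json.dump(scrubbed, sys.stdout, indent=2)
    print(f"\n{count} values redacted", file=sys.stderr)
```

The rules are deliberately biased toward over-redaction: a scrubbed HAR that loses a harmless query parameter is an inconvenience, whereas a missed session cookie is exactly the artifact the summary describes being stolen from support cases. Review the output before uploading it, since application-specific headers or body formats may carry tokens under names this list does not know.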
They had one job. (Score:1)
Re: (Score:2)
Re: (Score:2)
Every security system, physical or digital, has vulnerabilities. Do you have evidence that Okta is somehow more lax than others? What others do better?
Re: (Score:2)
The claim was that they "have piss-poor security", that is in absolute, not that "others" might be just as bad or not.
And the evidence is really clear, how can you call this?
Re: (Score:2)
Security is not measured in absolutes, it's always relative.
You lock your car in a parking lot, not because locking your car constitutes absolute protection, but because car thieves are opportunists. If your car is locked, and somebody else's isn't, they'll pick the one that isn't. If *everybody* locks their car, then you might want to consider additional security, such as perhaps a car alarm. The important thing about security is to make your target less available than other targets. You can't stipulate th
Re: They had one job. (Score:1)
Re: (Score:2)
YOU assume that the customer would have reason to know. The reality is more complex. Even in my own experience,
As part of my job managing the construction of an SSO mechanism, I work with a pen test team to look for potential vulnerabilities. The pen test team found a few legitimate issues, and also hundreds of false alarms. I'm sure Okta is no different. Sure, they heard from the customer. But when 99% of what you hear from customers is actually false alarms, it's not surprising that one real alarm got th
Re: They had one job. (Score:1)
Re: (Score:2)
Okta may well have screwed this up, I don't know. The point is, neither do you. You are assuming facts not in evidence. You haven't seen the root cause analysis, nor do you have all the data. All you have is one person's report, which doesn't tell the whole story.
Okta may be terrible at its job, but this incident alone doesn't prove that.
What alternative do YOU recommend?
Re: (Score:2)
LOL now you're making car analogies. Give us a break, seriously. PAYING CUSTOMERS ARE TELLING A SECURITY COMPANY THEY'RE UNDER ATTACK FROM THE DATA LEAKED FROM THEIR LAST SUPPORT TICKET and they are ignored for MORE THAN TWO WEEKS. This is bad, no matter how you slice it!
Re: (Score:2)
I don't think you understand how security works.
I've gone through numerous penetration tests. These tests sometimes tell you something important, but the important warnings are accompanied by hundreds of false alarms. Okta is no different. For every real alarm from a customer, they no doubt receive hundreds of false ones. Did they have reason to know that this one customer claim was legitimate, when 99% of them aren't? *You* don't know that.
Re: (Score:2)
These are not the penetrations you are thinking of ...
Re: (Score:2)
Re: (Score:2)
Do you have evidence that Okta is somehow more lax than others?
Okta needs to be more secure than others. They are building software to keep things secure, that's their job, and they are failing at it.
Although a cynical person might say that their job is to make things more convenient.
Re: (Score:2)
By "others" I was referring to "other security providers."
And you don't have the facts, just from this story, to prove that they are "failing at it."
Re: (Score:2)
Okta better be checking them all, otherwise things will happen like are reported in this story.
Re: (Score:2)
You are misquoting my post. I never said Okta *shouldn't* validate all reports. What I did say was that 99% (+ or -) are false positives. Okta may have incorrectly judged this report a false positive. That is a mistake even the best and brightest could have made. I challenge you to show me a company or person with a better record.
Re: (Score:2)
I challenge you to show me a company or person with a better record.
Seriously? How much are you going to pay me? That's an easy challenge, Okta doesn't have a good record.
Re: (Score:2)
And yet, you can't name a single security provider that does better! If it's such an easy challenge, you should be able to just reply and name a name. Your evasiveness and indignation strikes me as being unable to answer.
Re: (Score:2)
What devices are you talking about? There were no "devices" involved in this hack.
You do understand that every kind of security has vulnerabilities, right? That's true of the physical security of your home, your bank, and everything in between. Why should digital security be different?
you mean centralized auth on internet bad? (Score:2)
But hey, at least it means we all die together.
Re: (Score:2)
Oh, so you don't use the internet? I mean, you have to get an access token to access anything on the internet these days.
Re: you mean centralized auth on internet bad? (Score:2)
Re: you mean centralized auth on internet bad? (Score:1)
Re: you mean centralized auth on internet bad? (Score:2)