Staff Breach At OneLogin Exposes Password Storage Feature (cso.com.au)
River Tam quotes a report from CSO Australia: Enterprise access management firm OneLogin has suffered an embarrassing breach tied to a single employee's credentials being compromised. OneLogin on Tuesday revealed the breach affected a feature called Secure Notes that allowed its users to "store information." That feature however is pitched to users as a secure way to digitally jot down credentials for access to corporate firewalls and keys to software product licenses. The firm is concerned Secure Notes was exposed to a hacker for at least one month, though it may have been from as early as July 2 through to August 25, according to a post by the firm. Normally these notes should have been encrypted using "multiple levels of AES-256 encryption," it said in a blog post. Several thousand enterprise customers, including high profile tech startups, use OneLogin for single sign-on to access enterprise cloud applications. The company has championed the SAML standard for single sign-on and promises customers an easy way to enable multi-factor authentication from devices to cloud applications. But it appears the company wasn't using multi-factor authentication for its own systems. OneLogin's CISO Alvaro Hoyos said a bug in its software caused Secure Notes to be "visible in our logging system prior to being encrypted and stored in our database." The firm later found out that an employees compromised credentials were used to access this logging system. The company has since fixed the bug on the same day it detected the bug. CSO adds that the firm "also implemented SAML-based authentication for its log management system and restricted access to a limited set of IP addresses."
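The defect the summary describes is an ordering problem, not a cipher problem: the note reached the logging system in plaintext before the "multiple levels of AES-256" ever ran, so whoever could read logs could read notes. The following is an added example, not OneLogin's code, showing that ordering in miniature: the vulnerable handler logs the request before encrypting, the fixed handler encrypts first and logs only identifiers and sizes, and a `logging.Filter` scrubs secret-looking fields as a second layer for the day the ordering is wrong again. The field names, the user, the note and the key are constructed; the `encrypt_note` routine is a SHA-256 counter-mode keystream standing in for the real AES layer so the code runs offline with the standard library only.

```python
import hashlib
import logging
import re
from io import StringIO

# Constructed stand-in for the AES-256 layer described in the blog post:
# SHA-256 in counter mode used as a keystream XORed with the plaintext.
# Not a production cipher; it exists only so the ordering below is real code.
def encrypt_note(data: bytes, key: bytes) -> bytes:
    out = bytearray()
    for offset in range(0, len(data), 32):
        stream = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ s for b, s in zip(data[offset:offset + 32], stream))
    return bytes(out)  # XOR is symmetric, so the same call decrypts

# Constructed list of field names a log record must never carry in clear.
SECRET_FIELDS = ("note", "password", "secret", "api_key")


class RedactSecrets(logging.Filter):
    """Defence in depth: replace the value of any secret-looking key=value pair."""
    pattern = re.compile(r"\b(%s)=([^\s,;]+)" % "|".join(SECRET_FIELDS), re.IGNORECASE)

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so args are folded in, then scrub the finished message.
        record.msg = self.pattern.sub(r"\1=[REDACTED]", record.getMessage())
        record.args = ()
        return True


def save_note_vulnerable(user: str, note: str, key: bytes, log: logging.Logger) -> bytes:
    # Bug shape from the thread: the record is written with the plaintext note
    # before encryption happens, so the log store now holds the secret.
    log.info("saving note for user=%s note=%s" % (user, note))
    return encrypt_note(note.encode(), key)


def save_note_fixed(user: str, note: str, key: bytes, log: logging.Logger) -> bytes:
    # Encrypt first; log only an identifier and the ciphertext length, never the payload.
    ciphertext = encrypt_note(note.encode(), key)
    log.info("saved note for user=%s bytes=%d", user, len(ciphertext))
    return ciphertext


def what_gets_logged(handler_fn, redact: bool = False) -> str:
    """Run one handler in a constructed scenario and return what landed in the log."""
    buf = StringIO()
    logger = logging.getLogger("notes-%s-%s" % (handler_fn.__name__, redact))
    logger.handlers.clear()
    logger.filters.clear()
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.addHandler(logging.StreamHandler(buf))
    if redact:
        logger.addFilter(RedactSecrets())
    key = hashlib.sha256(b"constructed-demo-key").digest()  # constructed key
    handler_fn("alice", "fw-admin:Hunter2!", key, logger)     # constructed note
    return buf.getvalue()


if __name__ == "__main__":
    print("vulnerable:          ", what_gets_logged(save_note_vulnerable).strip())
    print("fixed:               ", what_gets_logged(save_note_fixed).strip())
    print("vulnerable+redaction:", what_gets_logged(save_note_vulnerable, redact=True).strip())
```

The filter is deliberately the second line of defence, not the first: it only catches fields that match a known `key=value` shape, so the durable fix is still to change the call order so that plaintext never exists at the point where a log line is built.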
where are your eggs?
It's not surprising, but should be, that their own systems were apparently not using best practices for security. These days it would almost be simpler to press release who isn't getting hacked. Will the day ever come when people take security seriously?
If you can't see the source code and host it yourself, don't trust it with sensitive data like that.
How come a company with business based on being secure allows employee logins to access production data?
4wdloop
an employees compromised credentials
It looks like an apostrophe was also compromised.
Will the day ever come when people take security seriously?
No, in the end, security is a pain in someone's ass. The more important it is that $person use security measures, the more $person feels that their time is too important for all the extra steps. I've seen this at every single place I've worked, and now I see it at every single client's site.
Besides, we've reached the stage with technology where it's extremely important to be 100% secure, and it's extremely important that the $government be able to bypass that security.
Politics; n. : A religion whereby man is god.
FFS, why would you put your passwords in a cloud service anyway? It's far far worse than writing them on post-it notes on your monitor because you've made it computer friendly and handed it to a company whose employees you don't know and can never vet.
It would probably be safer to put the post-it note on the window for passers by to read.
No, in the end, security is a pain in someone's ass.
That's how every CSO/CISO seems to feel, too. They get paid for dealing with IT/infosec issues and yet have this insane hostility when you tell them there's a security issue. And they get even more hostile when you tell them the vulnerability you reported to them a year ago just got exploited. :-)
-SR
But this can't be!! They clearly state that they are a visionary according to the Gartner Magic Quadrant!
Why would hackers bother? All they need to do is create a website "Store your critical logins here to save a bit of time" and the sheep go and store their passwords there.
Why not hand your passwords out to random strangers??
FFS. How can you tell the difference between being hacked (i.e. your password out of your control and in the hands of people you don't know who might use it for malicious purposes) and stored on one of these password services (i.e. your password out of your control and in the hands of people you don't know who might use it for malicious purposes)?
We're all missing the point here.
The data was stored unencrypted before entering their long-term database.
How much you want to bet there's a tie-in to the NSA or FBI given all of their recent crying about encryption?
This just goes to show that even if you use a signed FIPS compliant library of crypto functions in your software, you can still make mistakes in how you call those functions or sequence the steps. Companies that claim to be in the security software business should really invest in Formal Verification of Correctness when testing their software, to ensure the highest possible quality. Is this expensive? You'd better believe it, but these companies are being paid to guarantee the security of others and so must be held to a higher standard.
Defence in depth - a golden ticket to access all areas sounds nice until somebody else gets it.
Security is easy to do when people take it seriously. When they do not it is very hard to enforce.
1992 - steel mill - execs got real time info of what was happening on the line (via cool graphical displays on Amigas) but there was an air gap between the monitoring network and ALL of the control systems. The only way to breach that gap, by design, was to speak to a human being.
Today - all kinds of shit on networks and only incompatibility saves control systems from sinking into a malware swamp.
Yeah, I was thinking BeauHD missed his chance for a little fun editorializing:
"The aptly and ironically named access management firm OneLogin suffered an embarrassing breach ..."
#DeleteChrome
It's a game nowadays. Well arguably, it might always have been a game.
OneLogin played it, used shitty cards (like everyone else) and got unlucky and lost.
For CISOs it's all about being lucky while trying to dance on the edge.
At the end of the day this means you'd better spend your energy where it really matters, because the rest of the company certainly won't and you certainly won't have the authority or manpower.
So by order of importance...
0) pray you're lucky
1) have a kick-ass IR team that has procedures and forensics
2) try to break stuff with red teaming, that includes actually breaking stuff, not showing it's going to break (because nobody cares for that)
3) attempt a few wins here and there in the design of the products to wipe out entire classes of risks (that's the best you'll do - for ex, 2FA would've saved OneLogin maybe)
4) try to educate users/engineers via training, phishing, super simple risk analysis
The rest is CYA docs and stuff, but not *actually* useful since nobody follows it.
That's it, I'm going back to putting passwords on post-it notes with ROT-26. Inside jobs are easier to prosecute, after all.
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
Not unlucky, their very product showed that they had some ideas about security that were not very good.
It's a shortcut that trades off convenience for security.
Convenience won this time and the thief didn't have to worry about dealing with any of that pesky security.
But it appears the company wasn't using multi-factor authentication for its own systems
Failure to eat your own dog food is a way to failure for a lean and mean software related business.
No offense to the blind, but we are ignorant when trusting others with our information and data. Don't think for a second one careless idiot can't screw it up for millions. Opera just acknowledged a breach with its syncing servers too. Every day or so another idiot messes up or a brilliant hacker breaks in. Or are they brilliant? Or just able to find the idiots?
The WHOLE POINT of this company is that (for a fee) it becomes their pain in the ass to deal with! They deserve all the bad publicity they can get.
Why can't they get the money back? Certainly the receiving bank and any further transferred banks would be able to return it. Threats to cut off the bank or the nation's entire banking system would open some eyes, even in the most corrupt of countries.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
...and breached 60 million accounts!
https://techcrunch.com/2016/08...
No, in the end, security is a pain in someone's ass. The more important it is that $person use security measures, the more $person feels that their time is too important for all the extra steps. I've seen this at every single place I've worked, and now I see it at every single client's site.
Sorry to butt in, but I have to on this one. I was at a place where a new lawyer was getting hired. Older guy, but still...
I created a password for an account for him to use, and made it simple to remember, but hard to break. I told him, and I quote, "I created this password so it's secure enough to prevent your information from being accessed by someone internally or externally, but it's easy enough for you to remember if you just repeat it to yourself twice and look at it for about 10 seconds. Really easy one. It's: '{pass here}'*."
The FIRST thing he did was look around for a post-it note and said "I'm not gonna remember that, let me find a post-it..."
I told him that defeats the purpose of password security, and repeated how easy it is to remember if [he] just looks at it and sees that it's got little pieces that make perfect sense and are almost impossible to forget. I told him that it would be more of a pain to remember something like 'ThisIsMyPassword!1' than it is to remember [the one I created]!
He said, "I'm sure no one here is going to go around looking for my post-its with my passwords on them."
I literally just did a hand-forehead slap with downward motion with simultaneous rolling eyes, turned, and walked out. It took every bit of energy I had to not blurt out, "And this is why secure legal information gets out and leaked, you #uc%ing IDIOT! Ghawd!"
* Placeholder, not literal.
Lack of security is a pain in someone's ass too. What we need, is to merge these two asses. One ass: all the pain. Then you can get the correct tradeoffs.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
is the first sign that you're Doing It Wrong.
Cloud = Somebody else's system.
Do you think other companies are that different?
For instance, have you tried Okta? Because it's the exact same bunch of issues.
Have you tried auth0? Heck I'd say it's better, but they also have their bunch of issues, plus you can see them more easily as most of their stuff is open source.
People will only panic if these issues are exploited and publicly exposed, otherwise believe it's safe and stuff. Just like you do.
I think it's narrow-sighted to believe that every company that gets pwned is a snowflake. Keep in mind that most companies that do NEVER disclose it.
They only do if they have absolutely NO choice.
TLDR Convenience wins almost every time. "OneLogin used shitty cards (like everyone else)"
Many - yes.
Vendors of this sort of shortcut - no.
Nah, then you'd have a turd-merger too, and each ass-owner would point the finger at the other. It's always sunny in Philadelphia.
Everyone in IT has a story like that to some degree. That's why there are people making a lot of cash making hardware that scans some part of your body to decide if you can have access or not. But even then, lazy people will find a way to be lazy.