Slashdot Mirror


Staff Breach At OneLogin Exposes Password Storage Feature (cso.com.au)

River Tam quotes a report from CSO Australia: Enterprise access management firm OneLogin has suffered an embarrassing breach tied to a single employee's credentials being compromised. OneLogin on Tuesday revealed the breach affected a feature called Secure Notes that allowed its users to "store information." That feature, however, is pitched to users as a secure way to digitally jot down credentials for access to corporate firewalls and keys to software product licenses. The firm is concerned Secure Notes was exposed to a hacker for at least one month, though it may have been from as early as July 2 through to August 25, according to a post by the firm. Normally these notes should have been encrypted using "multiple levels of AES-256 encryption," it said in a blog post. Several thousand enterprise customers, including high profile tech startups, use OneLogin for single sign-on to access enterprise cloud applications. The company has championed the SAML standard for single sign-on and promises customers an easy way to enable multi-factor authentication from devices to cloud applications. But it appears the company wasn't using multi-factor authentication for its own systems. OneLogin's CISO Alvaro Hoyos said a bug in its software caused Secure Notes to be "visible in our logging system prior to being encrypted and stored in our database." The firm later found out that an employee's compromised credentials were used to access this logging system. The company fixed the bug on the same day it detected it. CSO adds that the firm "also implemented SAML-based authentication for its log management system and restricted access to a limited set of IP addresses."
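As an added example (not code from the original post or from OneLogin), here is the defect class the summary describes, a note body written to the log before it is encrypted, next to the fixed ordering and a logging filter that redacts secret-looking fields as a second line of defence on the log pipeline itself. The HMAC-SHA256 counter-mode keystream is a stand-in for the vendor's AES-256 layer so the script runs on the Python standard library alone; the field names, sample note, key and in-memory "database" are all constructed for the example.

```python
import hashlib
import hmac
import logging
import os
import re
from io import StringIO

# Constructed sample data: a note body of the kind the article says users kept
# in Secure Notes (a firewall credential) and a random 256-bit storage key.
PLAINTEXT = "corp-fw-admin:hunter2"
KEY = os.urandom(32)
# Constructed deny list of field names that must never reach a log line.
SECRET_FIELDS = ("password", "secret", "note_body", "license_key")


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the vendor's AES-256 layer (assumption: a real service uses
    a proper AEAD). Counter-mode keystream from HMAC-SHA256 so the example runs
    on the standard library; the same call decrypts."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


class SecretRedactor(logging.Filter):
    """Defence in depth on the logging pipeline: scrub secret-looking key=value
    pairs from every record, whatever the calling code chose to log."""
    pattern = re.compile(r"\b(%s)=\S+" % "|".join(SECRET_FIELDS), re.IGNORECASE)

    def filter(self, record: logging.LogRecord) -> bool:
        message = record.getMessage()          # render %-style args first
        record.msg = self.pattern.sub(r"\1=[REDACTED]", message)
        record.args = None                     # already rendered
        return True


def store_note_buggy(log, db, note_id, body, key):
    """The defect class the article describes: the plaintext reaches the log
    before encryption (a leftover debug line of this shape is all it takes)."""
    log.debug("saving note id=%s note_body=%s", note_id, body)
    nonce = os.urandom(12)
    db[note_id] = nonce + keystream_xor(key, nonce, body.encode())


def store_note_fixed(log, db, note_id, body, key):
    """Encrypt first, then log only non-sensitive metadata."""
    nonce = os.urandom(12)
    ciphertext = keystream_xor(key, nonce, body.encode())
    db[note_id] = nonce + ciphertext
    log.info("saved note id=%s ciphertext_len=%d", note_id, len(ciphertext))


def run(store_fn, with_redactor):
    """Run one variant against an in-memory log sink and in-memory database;
    return (what the log system would have seen, the stored records)."""
    sink = StringIO()
    handler = logging.StreamHandler(sink)
    if with_redactor:
        handler.addFilter(SecretRedactor())
    log = logging.getLogger(f"notes.{store_fn.__name__}.{with_redactor}")
    log.handlers.clear()
    log.propagate = False
    log.setLevel(logging.DEBUG)
    log.addHandler(handler)
    db = {}
    store_fn(log, db, "n1", PLAINTEXT, KEY)
    handler.flush()
    return sink.getvalue(), db


def decrypt_note(db, note_id, key):
    """Recover a stored note: the first 12 bytes are the nonce."""
    blob = db[note_id]
    return keystream_xor(key, blob[:12], blob[12:]).decode()


if __name__ == "__main__":
    for fn in (store_note_buggy, store_note_fixed):
        for redact in (False, True):
            logged, _ = run(fn, redact)
            leaked = PLAINTEXT in logged
            print(f"{fn.__name__:18} redactor={redact!s:5} leaked_plaintext={leaked}")
```

The redacting filter catches the buggy code path, but only for fields whose names are on its list; the ordering fix in `store_note_fixed` is the real remedy, and the filter is there so a future debug line does not reintroduce the leak silently.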

7 of 47 comments

  1. employee login to access production data? by 4wdloop · Score: 2, Insightful

    How come a company with business based on being secure allows employee logins to access production data?

    --
    4wdloop
    1. Re:employee login to access production data? by pushing-robot · Score: 4, Insightful

      Well, being able to access production *logs* is useful. The problem was that sensitive data was being written to those logs, not that a developer had access to them.

      The cause was probably as simple as some debug code accidentally left in, but something as obvious as private data being logged should have been caught by any of the frequent security audits they claim to have.

      --
      How can I believe you when you tell me what I don't want to hear?
    2. Re:employee login to access production data? by Anonymous Coward · Score: 3, Interesting

      Their business isn't based on being secure, but on looking secure.

  2. Re:One ring to rule them all and in the darkness b by Sax Russell 5449D29A · Score: 2

    No, in the end, security is a pain in someone's ass.

    That's how every CSO/CISO seems to feel, too. They get paid for dealing with IT/infosec issues and yet have this insane hostility when you tell them there's a security issue. And they get even more hostile when you tell them the vulnerability you reported to them a year ago just got exploited. :-)

    --
    -SR
  3. Fuck this company by Lunix Nutcase · Score: 2

    But this can't be!! They clearly state that they are a visionary according to the Gartner Magic Quadrant!

  4. Was it hacked? by Anonymous Coward · Score: 4, Insightful

    Why would hackers bother? All they need to do is create a website "Store your critical logins here to save a bit of time" and the sheep go and store their passwords there.

    Why not hand your passwords out to random strangers??

    FFS. How can you tell the difference between being hacked (i.e. your password out of your control and in the hands of people you don't know who might use it for malicious purposes) and stored on one of these password services (i.e. your password out of your control and in the hands of people you don't know who might use it for malicious purposes)?

  5. Re:One ring to rule them all and in the darkness b by kangsterizer · Score: 2

    It's a game nowadays. Well, arguably, it might always have been a game.
    OneLogin played it, used shitty cards (like everyone else) and got unlucky and lost.

    For CISOs it's all about being lucky while trying to dance on the edge.
    At the end of the day, this means you'd better spend your energy where it really matters, because the rest of the company certainly won't and you certainly won't have the authority or manpower.

    So by order of importance...

    0) pray you're lucky
    1) have a kick-ass IR team that has procedures and forensics
    2) try to break stuff with red teaming, that includes actually breaking stuff, not showing it's going to break (because nobody cares for that)
    3) attempt a few wins here and there in the design of the products to wipe out entire classes of risks (that's the best you'll do - for ex, 2FA would've saved OneLogin maybe)
    4) try to educate users/engineers via training, phishing, super simple risk analysis

    The rest is CYA docs and stuff, but not *actually* useful since nobody follows it.