Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Bug Security Businesses Communications Data Storage Network Privacy The Internet News

Staff Breach At OneLogin Exposes Password Storage Feature (cso.com.au) 47

River Tam quotes a report from CSO Australia: Enterprise access management firm OneLogin has suffered an embarrassing breach tied to a single employee's credentials being compromised. OneLogin on Tuesday revealed the breach affected a feature called Secure Notes that allowed its users to "store information." That feature however is pitched to users as a secure way to digitally jot down credentials for access to corporate firewalls and keys to software product licenses. The firm is concerned Secure Notes was exposed to a hacker for at least one month, though it may have been from as early as July 2 through to August 25, according to a post by the firm. Normally these notes should have been encrypted using "multiple levels of AES-256 encryption," it said in a blog post. Several thousand enterprise customers, including high profile tech startups, use OneLogin for single sign-on to access enterprise cloud applications. The company has championed the SAML standard for single sign-on and promises customers an easy way to enable multi-factor authentication from devices to cloud applications. But it appears the company wasn't using multi-factor authentication for its own systems. OneLogin's CISO Alvaro Hoyos said a bug in its software caused Secure Notes to be "visible in our logging system prior to being encrypted and stored in our database." The firm later found out that an employees compromised credentials were used to access this logging system. The company has since fixed the bug on the same day it detected the bug. CSO adds that the firm "also implemented SAML-based authentication for its log management system and restricted access to a limited set of IP addresses."
This discussion has been archived. No new comments can be posted.

Staff Breach At OneLogin Exposes Password Storage Feature

Comments Filter:
  • where are your eggs?
  • It's not suprising, but should be, that thier own systems were apparently not using best practices for security. These days it would almost be simpler to press release who isn't getting hacked. Will the day ever come when people take security seriously?
    • Will the day ever come when people take security seriously?

      No, in the end, security is a pain in someone's ass. The more important it is that $person use security measures, the more $person feels that their time is to important for all the extra steps. I've seen this at every single place I've worked, and now I see it at every single client's site.

      Besides, we've reached the stage with technology where it's extremely important to be 100% secure, and it's extremely important that the $government be able to bypass that security.

      • No, in the end, security is a pain in someone's ass.

        That's how every CSO/CISO seems to feel, too. They get paid for dealing with IT/infosec issues and yet have this insane hostility when you tell them there's a security issue. And they get even more hostile when you tell them the vulnerability you reported to them a year ago just got exploited. :-)

        • It's a game nowadays. Well arguably, it might always have been a game.
          OneLogin played it, used shitty cards (like everyone else) and got unlucky and lost.

          For CISOs it's all about being lucky while trying to dance on the edge.
          At the end of the day this means, you'd better spend your energy where it really matters, because the rest of the company certainly won't and you certainly won't have the authority or manpower.

          So by order of importance...

          0) pray you're lucky
          1) have a kick-ass IR team that has procedures

          • by dbIII ( 701233 )

            OneLogin played it, used shitty cards (like everyone else) and got unlucky and lost

            Not unlucky, their very product showed that they had some ideas about security that were not very good.
            It's a shortcut that trades off convenience for security.
            Convenience won this time and the thief didn't have to worry about dealing with any of that pesky security.

            • Do you think other companies are that different?
              For instance, have you tried Okta? Because it's the exact same bunch of issues.
              Have you tried auth0? Heck I'd say it's better, but they also have their bunch of issues, plus you can see them more easily as most of their stuff is open source.
              People will only panic if these issues are exploited and publicly exposed, otherwise believe it's safe and stuff. Just like you do.

              I think it's narrow sighted to believe that every company that gets pwned is a snow flake. K

              • by dbIII ( 701233 )

                Do you think other companies are that different?

                Many - yes.
                Vendors of this sort of shortcut - no.

      • the WHOLE POINT of this company is that (for a fee) it becomes their pain in the ass to deal with! they deserve all the bad publicity they can get.

      • No, in the end, security is a pain in someone's ass. The more important it is that $person use security measures, the more $person feels that their time is to important for all the extra steps. I've seen this at every single place I've worked, and now I see it at every single client's site.

        Sorry to butt in, but I have to on this one. I was at a place where a new lawyer was getting hired. Older guy, but still...

        I created a password for an account for him to use, and made it simple to remember, but hard to break. I told him, and I quote, "I created this password so it's secure enough to prevent your information from being accessed by someone internally or externally, but it's easy enough for you to remember if you just repeat it to yourself twice and look at it for about 10 seconds. Really

        • Everyone in IT has a story like that to some degree. That's why there are people making a lot of cash making hardware that scans some part of your body to decide if you can have access or not. But even then, lazy people will find a way to be lazy.
      • by Sloppy ( 14984 )

        in the end, security is a pain in someone's ass

        Lack of security is a pain in someone's ass too. What we need, is to merge these two asses. One ass: all the pain. Then you can get the correct tradeoffs.

        • Nah, then you'd have a turd-merger too, and each ass-owner would point the finger at the other. It's always sunny in Philadelphia.
  • by 4wdloop ( 1031398 ) on Wednesday August 31, 2016 @11:22PM (#52806423)

    How come a company with business based on being secure allows employee logins to access production data?

    • by pushing-robot ( 1037830 ) on Wednesday August 31, 2016 @11:50PM (#52806483)

      Well, being able to access production *logs* is useful. The problem was that sensitive data was being written to those logs, not that a developer had access to them.

      The cause was probably as simple as some debug code accidentally left in, but something as obvious as private data being logged should have been caught by any of the frequent security audits they claim to have.

      • Well, being able to access production *logs* is useful. The problem was that sensitive data was being written to those logs, not that a developer had access to them.

        The cause was probably as simple as some debug code accidentally left in, but something as obvious as private data being logged should have been caught by any of the frequent security audits they claim to have.

        There was an audit (this is not arguing with you, just sharing ridiculousness) I had to go through. They thought the line:
        12:32:41 fin. .. in a log, which indicated that a process ran and said it successfully finished was a security violation, BUT the line in another log:
        05/23/2016 15:21:19 Current password expired. Hint: 'Long Range'. Exchanged new password successfully.

        "...[was] not at all a threat because it didn't give the full password, just like Windows can give you a clue if you forget your passwo

    • Was it hacked? (Score:4, Insightful)

      by Anonymous Coward on Wednesday August 31, 2016 @11:59PM (#52806497)

      Why would hackers bother? All they need to do is create a website "Store your critical logins here to save a bit of time" and the sheep go and store their passwords there.

      Why not hand your passwords out to random strangers??

      FFS. How can you tell the difference between being hacked (i.e. your password out of your control and in the hands of people you don't know who might use it for malicious purposes) and stored on one of these password services (i.e.your password out of your control and in the hands of people you don't know who might use it for malicious purposes).

    • Re: (Score:3, Interesting)

      by Anonymous Coward

      Their business isn't based on being secure, but on looking secure.

    • How come a company with business based on being secure allows employee logins to access production data?

      "Uhhh... LOOK AT THAT OMG OMG!"
      *silent run*

  • by Anonymous Coward

    FFS, why would you put your passwords in a cloud service anyway? It's far far worse than writing them on post-it notes on your monitor because you've made it computer friendly and handed it to a company whose employees you don't know can can never vet.

    It would probably be safer to put the post-it note on the window for passers by to read.

  • by Lunix Nutcase ( 1092239 ) on Wednesday August 31, 2016 @11:58PM (#52806495)

    But this can't be!! They clearly state that they are a visionary according to the Gartner Magic Quadrant!

  • by Anonymous Coward

    were all missing the point here

    the data was stored unencrypted before entering their longterm database.

    How much you want to bet theres a tie in to the nsa or fbi given all of their recent crying about encryption

  • Defence in depth - a golden ticket to access all area sounds nice until somebody else gets it.
  • That's it, I'm going back to putting passwords on post-it notes with ROT-26. Inside jobs are easier to prosecute, after all.

    • That's it, I'm going back to putting passwords on post-it notes with ROT-26. Inside jobs are easier to prosecute, after all.

      That's incredibly insecure. You should use a minimum; ABSOLUTE MINIMUM of ROT-104!

      Where are teh securities going these days? Sigh.

      Heh :>

  • by Anonymous Coward

    No offense to the blind, but we are ignorant when trusting others with our information and data. Don't think for a second one careless idiot can't screw it up for millions. Opera just acknowledge a breech with its syncing servers too. Every day or so another idiot messes up or a brilliant hacker breaks in. Or are they brilliant? Or just able to find the idiots?

  • Why can't they get the money back? Certainly the receiving bank and any further transferred banks would be able to return it. Threats to cut off the bank or the nation's entire banking system would open some eyes, even in the most corrupt of countries.

  • ...and breached 60 million accounts!

    https://techcrunch.com/2016/08... [techcrunch.com]

No spitting on the Bus! Thank you, The Mgt.

Working...