Staff Breach At OneLogin Exposes Password Storage Feature (cso.com.au)
River Tam quotes a report from CSO Australia: Enterprise access management firm OneLogin has suffered an embarrassing breach tied to a single employee's credentials being compromised. OneLogin on Tuesday revealed the breach affected a feature called Secure Notes that allowed its users to "store information." That feature however is pitched to users as a secure way to digitally jot down credentials for access to corporate firewalls and keys to software product licenses. The firm is concerned Secure Notes was exposed to a hacker for at least one month, though it may have been from as early as July 2 through to August 25, according to a post by the firm. Normally these notes should have been encrypted using "multiple levels of AES-256 encryption," it said in a blog post. Several thousand enterprise customers, including high profile tech startups, use OneLogin for single sign-on to access enterprise cloud applications. The company has championed the SAML standard for single sign-on and promises customers an easy way to enable multi-factor authentication from devices to cloud applications. But it appears the company wasn't using multi-factor authentication for its own systems. OneLogin's CISO Alvaro Hoyos said a bug in its software caused Secure Notes to be "visible in our logging system prior to being encrypted and stored in our database." The firm later found out that an employee's compromised credentials were used to access this logging system. The company has since fixed the bug on the same day it detected the bug. CSO adds that the firm "also implemented SAML-based authentication for its log management system and restricted access to a limited set of IP addresses."
Re: (Score:2)
Yeah, I was thinking BeauHD missed his chance for a little fun editorializing:
"The aptly and ironically named access management firm OneLogin suffered an embarrassing breach ..."
you put all your eggs in a basket... (Score:1, Insightful)
Re: (Score:2)
You wouldn't download a basket.
Re: (Score:2)
where are your eggs?
In stupid. :>
One ring to rule them all and in the darkness bind (Score:1)
Re: (Score:2)
Will the day ever come when people take security seriously?
No, in the end, security is a pain in someone's ass. The more important it is that $person use security measures, the more $person feels that their time is too important for all the extra steps. I've seen this at every single place I've worked, and now I see it at every single client's site.
Besides, we've reached the stage with technology where it's extremely important to be 100% secure, and it's extremely important that the $government be able to bypass that security.
Re: (Score:3)
No, in the end, security is a pain in someone's ass.
That's how every CSO/CISO seems to feel, too. They get paid for dealing with IT/infosec issues and yet have this insane hostility when you tell them there's a security issue. And they get even more hostile when you tell them the vulnerability you reported to them a year ago just got exploited. :-)
Re: (Score:3)
It's a game nowadays. Well arguably, it might always have been a game.
OneLogin played it, used shitty cards (like everyone else) and got unlucky and lost.
For CISOs it's all about being lucky while trying to dance on the edge.
At the end of the day this means, you'd better spend your energy where it really matters, because the rest of the company certainly won't and you certainly won't have the authority or manpower.
So by order of importance...
0) pray you're lucky
1) have a kick-ass IR team that has procedures
Re: (Score:2)
Not unlucky, their very product showed that they had some ideas about security that were not very good.
It's a shortcut that trades off convenience for security.
Convenience won this time and the thief didn't have to worry about dealing with any of that pesky security.
Re: (Score:2)
Do you think other companies are that different?
For instance, have you tried Okta? Because it's the exact same bunch of issues.
Have you tried auth0? Heck I'd say it's better, but they also have their bunch of issues, plus you can see them more easily as most of their stuff is open source.
People will only panic if these issues are exploited and publicly exposed, otherwise believe it's safe and stuff. Just like you do.
I think it's narrow-sighted to believe that every company that gets pwned is a snowflake. K
Re: (Score:2)
Many - yes.
Vendors of this sort of shortcut - no.
Re: (Score:2)
the WHOLE POINT of this company is that (for a fee) it becomes their pain in the ass to deal with! they deserve all the bad publicity they can get.
Re: (Score:2)
No, in the end, security is a pain in someone's ass. The more important it is that $person use security measures, the more $person feels that their time is too important for all the extra steps. I've seen this at every single place I've worked, and now I see it at every single client's site.
Sorry to butt in, but I have to on this one. I was at a place where a new lawyer was getting hired. Older guy, but still...
I created a password for an account for him to use, and made it simple to remember, but hard to break. I told him, and I quote, "I created this password so it's secure enough to prevent your information from being accessed by someone internally or externally, but it's easy enough for you to remember if you just repeat it to yourself twice and look at it for about 10 seconds. Really
Re: (Score:2)
Re: (Score:2)
Lack of security is a pain in someone's ass too. What we need, is to merge these two asses. One ass: all the pain. Then you can get the correct tradeoffs.
Re: (Score:2)
Re: (Score:2, Insightful)
The cracker is the actual password DBs were safe. Just some developer wrote the affected sections to a log file as well. In the clear, BTW.
Always audit the log file.
Re: (Score:1)
Re: (Score:2)
It is always a good idea to log as much as you can. Because if something goes wrong later then you can go back and check the actual data. Having the log only for debug mode doesn't help you when something is wrong on a live system. But of course you always remove or star out any critical information when logging.
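The two practices raised in this thread, redacting sensitive values before they reach the log and auditing existing log files for values that slipped through, as an added example that is not part of any comment above and not OneLogin's code. The key names, the masking token and the sample log lines are all constructed for illustration; the sample lines are not from the actual incident.

```python
import logging
import re
from io import StringIO

# Constructed list of field names whose values must never appear in a log line.
SENSITIVE_KEYS = ("password", "passwd", "secret", "token", "api_key", "note_body")

MASK = "***REDACTED***"

# Matches key=value, key: value, key="value" or key: 'value' (case-insensitive).
# Groups: 1 key, 2 separator, 3 opening quote (may be empty), 4 value, 5 closing quote.
_KV_RE = re.compile(
    r"(?i)\b(" + "|".join(SENSITIVE_KEYS) + r")\b(\s*[=:]\s*)([\"']?)([^\"'\s,}]+)(\3)"
)


def redact(text: str) -> str:
    """Return text with the value of every sensitive key=value pair replaced by MASK."""
    return _KV_RE.sub(
        lambda m: f"{m.group(1)}{m.group(2)}{m.group(3)}{MASK}{m.group(5)}", text
    )


class RedactingFilter(logging.Filter):
    """Handler-level filter: rewrites the fully formatted message before it is written.

    Attached to the handler rather than the logger so that records arriving via
    propagation from child loggers are redacted as well.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        # Render %-style args first, then redact the complete string and clear args
        # so the formatter does not re-apply them.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def capture_redacted_log() -> str:
    """Log a constructed message containing a password through the filter and return the output."""
    buf = StringIO()
    logger = logging.getLogger("secure_notes_demo")  # hypothetical logger name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    # Constructed debug statement of the kind that leaks a secret if left unredacted.
    logger.debug("saving note user=%s password=%s", "alice", "hunter2")
    return buf.getvalue()


def audit_log_lines(lines):
    """Return (line_number, key) for every sensitive value still in the clear.

    Values already equal to MASK are ignored, so a redacted log audits clean.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        for m in _KV_RE.finditer(line):
            if m.group(4) != MASK:
                findings.append((n, m.group(1).lower()))
    return findings


# Constructed sample log lines for the audit; line 2 shows the failure mode.
SAMPLE_LOG = [
    "2016-08-25 10:01:02 INFO  saved note id=17 user=alice",
    '2016-08-25 10:01:03 DEBUG payload user=alice password="hunter2" note_body="fw-admin:Tr0ub4dor&3"',
    "2016-08-25 10:01:04 INFO  token=***REDACTED*** refreshed",
]

if __name__ == "__main__":
    print(capture_redacted_log(), end="")
    for line_no, key in audit_log_lines(SAMPLE_LOG):
        print(f"line {line_no}: plaintext value for '{key}'")
```

The filter handles the "log everything, star out the critical bits" rule at write time; the audit function is the "always audit the log file" check for logs written before the filter existed. Both share one pattern list, so adding a new sensitive field name updates both.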
employee login to access production data? (Score:3, Insightful)
How come a company with business based on being secure allows employee logins to access production data?
Re:employee login to access production data? (Score:5, Insightful)
Well, being able to access production *logs* is useful. The problem was that sensitive data was being written to those logs, not that a developer had access to them.
The cause was probably as simple as some debug code accidentally left in, but something as obvious as private data being logged should have been caught by any of the frequent security audits they claim to have.
Re: (Score:2)
Well, being able to access production *logs* is useful. The problem was that sensitive data was being written to those logs, not that a developer had access to them.
The cause was probably as simple as some debug code accidentally left in, but something as obvious as private data being logged should have been caught by any of the frequent security audits they claim to have.
There was an audit (this is not arguing with you, just sharing ridiculousness) I had to go through. They thought the line:
12:32:41 fin.
in a log, which indicated that a process ran and said it successfully finished, was a security violation, BUT the line in another log:
05/23/2016 15:21:19 Current password expired. Hint: 'Long Range'. Exchanged new password successfully.
"...[was] not at all a threat because it didn't give the full password, just like Windows can give you a clue if you forget your passwo
Was it hacked? (Score:4, Insightful)
Why would hackers bother? All they need to do is create a website "Store your critical logins here to save a bit of time" and the sheep go and store their passwords there.
Why not hand your passwords out to random strangers??
FFS. How can you tell the difference between being hacked (i.e. your password out of your control and in the hands of people you don't know who might use it for malicious purposes) and stored on one of these password services (i.e. your password out of your control and in the hands of people you don't know who might use it for malicious purposes)?
Re: (Score:3, Interesting)
Their business isn't based on being secure, but on looking secure.
Re: (Score:2)
How come a company with business based on being secure allows employee logins to access production data?
"Uhhh... LOOK AT THAT OMG OMG!"
*silent run*
Safe as clouds (Score:1)
FFS, why would you put your passwords in a cloud service anyway? It's far far worse than writing them on post-it notes on your monitor because you've made it computer friendly and handed it to a company whose employees you don't know and can never vet.
It would probably be safer to put the post-it note on the window for passers by to read.
Fuck this company (Score:3)
But this can't be!! They clearly state that they are a visionary according to the Gartner Magic Quadrant!
Government (Score:1)
We're all missing the point here.
The data was stored unencrypted before entering their long-term database.
How much you want to bet there's a tie-in to the NSA or FBI given all of their recent crying about encryption?
Easy to do - hard to enforce (Score:2)
1992 - steel mill - execs got real time info of what was happening on the line (via cool graphical displays on Amigas) but there was an air gap between the monitoring network and ALL of the control systems. The only way to breach that gap, by design, was to speak to a human being.
Today - all kinds of shit on networks and only incompatibility saves control systems from sinking into a malware swamp.
Defence in depth (Score:2)
I Knew It (Score:2)
That's it, I'm going back to putting passwords on post-it notes with ROT-26. Inside jobs are easier to prosecute, after all.
Re: (Score:2)
That's it, I'm going back to putting passwords on post-it notes with ROT-26. Inside jobs are easier to prosecute, after all.
That's incredibly insecure. You should use a minimum; ABSOLUTE MINIMUM of ROT-104!
Where are teh securities going these days? Sigh.
Heh :>
The blind leading the blind (Score:1)
No offense to the blind, but we are ignorant when trusting others with our information and data. Don't think for a second one careless idiot can't screw it up for millions. Opera just acknowledged a breach with its syncing servers too. Every day or so another idiot messes up or a brilliant hacker breaks in. Or are they brilliant? Or just able to find the idiots?
Banking on it (Score:2)
Why can't they get the money back? Certainly the receiving bank and any further transferred banks would be able to return it. Threats to cut off the bank or the nation's entire banking system would open some eyes, even in the most corrupt of countries.
Dropbox employee just did something similar (Score:2)
...and breached 60 million accounts!
https://techcrunch.com/2016/08... [techcrunch.com]