Okta’s Cybersecurity Breach: A Deep Dive into its Impact and Implications

Okta, a leading identity management solution provider, recently faced a cyberattack that has sent ripples throughout the tech and financial sectors. Here’s what you need to know:

1. Financial Aftermath:

Okta’s market value took a significant hit following the breach’s disclosure. Its shares plummeted by 11% on the announcement day and 8.1% the following Monday. This decline equates to a staggering loss of over $2 billion in market capitalization.

2. Details of the Attack:

While specifics are limited, an anonymous hacker group accessed client data through Okta’s support system. The extent and nature of the accessed data remain undisclosed, raising concerns and speculation within the cybersecurity community.

3. Okta’s Integral Role in the Tech Ecosystem:

If you’re unfamiliar with Okta, it’s worth noting its pivotal role in the digital space. With a clientele of over 18,000 companies, Okta offers single login solutions for multiple platforms. Big names like Zoom integrate with Okta to consolidate access to platforms such as Google Workspace, VMware, ServiceNow, and Workday.

4. Client Communication Controversy:

In the aftermath of the breach, Okta claimed it had notified all impacted clients. However, this narrative was challenged by BeyondTrust. The identity management firm revealed it had spotted and reported suspicious activity to Okta weeks before the public disclosure. BeyondTrust’s report emphasized their belief in a probable larger compromise within Okta, a concern initially downplayed by the latter.

5. History Repeats? Past Breaches Involving Okta:

It’s not the first time Okta has been in the cybercrime spotlight. Earlier in the year, casino magnates Caesars and MGM were victims of cyberattacks that targeted their Okta installations. These attacks resulted in losses exceeding $100 million. Moreover, the modus operandi included advanced social engineering tactics executed via IT help desks.

In a separate incident earlier this year, hacker group Lapsus$ allegedly infiltrated several Okta systems. This group has been associated with breaches at high-profile companies like Uber and Rockstar Games.

Final Thoughts:

The recent breach underscores the need for heightened cybersecurity measures, especially for firms integral to the tech infrastructure, like Okta. As digital reliance grows, so does the responsibility to protect client data and maintain trust. The incident serves as a reminder for corporations to evaluate and bolster their cybersecurity defenses constantly.

Other Articles:

CNBC Okta cybersecurity breach wipes out more than $2 billion in market cap

Fast Company Gen Z hackers created a sophisticated new playbook for cyberattacks.

Reuters Hackers who breached casino giants MGM and Caesar also hit three other firms.

Okta’s Security Breach: A Ripple Effect in the Realm of Cybersecurity

In the interconnected world of cybersecurity, when a service as integral as Okta experiences a breach, the shockwaves are felt far and wide. Okta, a cornerstone in the identity and access management arena, recently faced a security incident that has raised eyebrows across the cybersecurity community. The incident wasn’t just a solitary event but triggered a cascade of security alerts and potential breaches across various high-profile companies, including BeyondTrust and Cloudflare.

The breach, as reported, originated when threat actors exploited stolen credentials to gain unprecedented access to Okta’s support case management system. This unauthorized access allowed them to view sensitive files uploaded by certain customers, including HTTP Archive (HAR) files, typically used for troubleshooting. These files contain sensitive data like session tokens and cookies, which, in the wrong hands, can be a skeleton key to user impersonation and unauthorized system access.

Okta, a service entrusted with authentication and single sign-on services for thousands of companies worldwide, including government agencies, was quick to respond. Chief Security Officer at Okta, David Bradbury, confirmed that the company took immediate steps to protect their customers, including revoking embedded session tokens. However, the specifics of the number of customers impacted by this breach remain undisclosed, raising questions and concerns in the security community.

The ripple effect of this breach became evident when BeyondTrust, a company specializing in identity management, revealed that they detected suspicious activities linked to the Okta breach as early as October 2nd. The attackers reportedly used a stolen session cookie from Okta’s system to try and gain a foothold in BeyondTrust’s environment. Despite the prompt response and the containment measures by BeyondTrust, the delay between detecting suspicious activities and Okta’s confirmation of the breach—a span of over two weeks—is concerning.

Similarly, Cloudflare experienced an attempted breach on October 18th, where threat actors used a compromised authentication token from Okta’s breach to try and penetrate Cloudflare’s systems. Thankfully, in both instances, the companies’ security protocols held strong, and no significant harm was reported.

This incident highlights a critical aspect of cybersecurity: the chain-reaction effect. A breach in one area can have a domino effect, leading to attempted breaches across many interconnected systems. Especially in cases where a service like Okta, central to many organizations’ identity verification processes, is involved, the potential for widespread impact is immense.

BeyondTrust’s advisory aptly stressed the complexity of modern identity-based attacks, underlining that such attacks can spring from outside an organization’s own environment. They emphasized the necessity of robust policies and internal controls, particularly concerning how sensitive files like HAR are shared and handled. The incident underscores the concept of defense in depth, illustrating that the failure of a single control shouldn’t result in a breach.
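One concrete internal control for the HAR-handling point above, as an added example (not code from Okta, BeyondTrust or any article cited here): a small Python sanitizer that blanks session cookies, authorization headers and token-like query parameters in a HAR before it leaves the organization. The sample HAR and the list of sensitive parameter names are constructed assumptions.

```python
import json
from typing import Any

# Header names that carry credentials (matched case-insensitively, since HAR
# preserves whatever case the browser recorded).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization",
                     "proxy-authorization", "x-api-key"}
# Query-string parameter names that often carry tokens; an assumed list.
SENSITIVE_PARAMS = {"token", "access_token", "session", "sessionid", "sid"}
REDACTED = "[REDACTED]"

def _scrub_pairs(pairs: list[dict[str, Any]], names: set[str]) -> int:
    """Blank the value of every name/value pair whose name is in `names`."""
    hits = 0
    for pair in pairs:
        if str(pair.get("name", "")).lower() in names:
            pair["value"] = REDACTED
            hits += 1
    return hits

def redact_har(har: dict[str, Any]) -> int:
    """Redact credential-bearing fields in place; returns the redaction count."""
    total = 0
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            total += _scrub_pairs(msg.get("headers", []), SENSITIVE_HEADERS)
            # HAR keeps parsed cookies apart from the raw header text, so
            # both copies must be cleared or the token survives.
            for cookie in msg.get("cookies", []):
                if "value" in cookie:
                    cookie["value"] = REDACTED
                    total += 1
        total += _scrub_pairs(entry.get("request", {}).get("queryString", []),
                              SENSITIVE_PARAMS)
    return total

def redact_har_text(text: str) -> tuple[str, int]:
    """Parse a HAR document, redact it, and return (clean JSON, count)."""
    har = json.loads(text)
    count = redact_har(har)
    return json.dumps(har, indent=2), count

# Constructed sample HAR (not a real capture): one request with a session
# cookie, a token in the query string, and a Set-Cookie in the response.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://sso.example.test/api/v1/users/me",
                "headers": [{"name": "Cookie", "value": "sid=abc123; DT=xyz789"},
                            {"name": "Accept", "value": "application/json"}],
                "cookies": [{"name": "sid", "value": "abc123"},
                            {"name": "DT", "value": "xyz789"}],
                "queryString": [{"name": "token", "value": "tok555"}]},
    "response": {"status": 200,
                 "headers": [{"name": "Set-Cookie", "value": "sid=def456; Secure; HttpOnly"}],
                 "cookies": [{"name": "sid", "value": "def456"}]}}]}}

def redact_sample() -> tuple[str, int]:
    """Run the sanitizer over the constructed sample HAR."""
    return redact_har_text(json.dumps(SAMPLE_HAR))
```

Calling `redact_sample()` returns the cleaned JSON and a count of six redacted fields; a real workflow would run `redact_har_text` over the exported file before attaching it to a support case.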

Notably, this isn’t the first time Okta has found itself in the crosshairs. Last year, the company reported that a breach at one of its third-party contractors allowed the Lapsus$ group to access customer information. In a separate incident in 2022, Okta also acknowledged that threat actors had accessed its source code through compromised GitHub repositories.

As the dust settles on this latest security incident, it’s a stark reminder to companies about the importance of stringent cybersecurity protocols, constant vigilance, and the implementation of multi-layered security defenses. It also underscores the need for transparency and prompt communication in the event of security breaches, given the potential for such incidents to have far-reaching consequences. It’s yet another wake-up call for users and organizations to practice caution, continually reassess security postures, and stay informed in an ever-evolving cybersecurity landscape.

1Password

Okta Support System incident and 1Password

1Password suffered a security incident after hackers gained access to its Okta ID management tenant.

Okta

Tracking Unauthorized Access to Okta’s Support System

Okta Stolen Credential Led to Support System Breach

Pwned Passwords

Pwned Passwords are 555,278,657 real world passwords previously exposed in data breaches. This exposure makes them unsuitable for ongoing use as they’re at much greater risk of being used to take over other accounts. They’re searchable online below as well as being downloadable for use in other online systems. Read more about how HIBP protects the privacy of searched passwords.

Have I Been Pwned is a site that keeps records of major user ID and password breaches from over 369 breached sites. Use this site to check your passwords.

Time for smartcards, an op-ed by John Mulligan, Executive Vice President and Chief Financial Officer, Target | Target Corporate

These have been out for a while in Europe. They cost more and should have been mandatory for the last eight years. Additional measures need to be added to the cards and to credit bureau reporting.

Why do we have to safeguard our information? Credit bureaus need to update their input methods and have better measures to safeguard it. Insurance companies are now finding new products by adding a baseline and then locking it away, with periodic reviews of the information, for $60-$100 a year.

NFL Playbook Security

The NFL Teams had a few requirements:

  • Players had limited time to view film
  • Playbooks needed to be updated
  • Players are always traveling
  • Security on playbooks

PlayerLync currently offers more than a dozen different modules for different features and needs.

  • Playbook publishing and updating
  • Video playback from practices and previous games
  • A module for quickly editing and distributing game or practice video called TravelLync
  • Communications for players and coaches to interact
  • A calendar and events module
  • A testing module that encourages communication and understanding of playbook content
  • A statistics module
  • Secure access to a team’s office intranet
  • Document management similar to solutions like SharePoint and BaseCamp
  • An equipment inventory and management module
  • A module for ticket requests
  • LifeLync, an internal team communications module similar to an internal social network
  • Scouting and recruiting tools

(PlayerLync, 2013) (Faas, 2012)

The Dolphins’ new iPad playbook won’t block players from accessing sites and features unrelated to studying plays, files and other job-related activities. The bad news is that there is going to be a stiff price for doing so: the team will fine players $10,000 for accessing unauthorized websites. (Florio, 2012)

Security

The iPad is secured, and a separate software application requires a password, so it takes two passwords to open the playbook. The device can be remotely wiped, and everything is encrypted. (Darlington, 2012)

The typical iPad security solutions focus on device, app, and content management.

  • Device management ensures that only needed device features are enabled – that can mean deactivating the on-board cameras, preventing the installation of outside apps, and requiring a passcode to unlock an iPad. It also means the ability to wipe a lost or stolen device.
  • App management offers easy install and update of apps across all iPads used by a team, suggesting apps to players and others in a team’s organization, and alerting coaches or administrators to the install of unauthorized apps.
  • Content management means the secure distribution of documents, videos, and other files to all the iPads used by a team. It also means controlling which players or coaches see which content. At a granular level, access to specific information can be denied or allowed. Most importantly, content management means securely encrypting content on a device such that someone stealing an iPad wouldn’t be able to get to the secure information and videos stored on it. (Faas, 2012)

Advanced Layers of Security

  1. Device certificates – Enterprise model
  2. VPN (optional for organization compliance of off-network access)
  3. SSL – Secure Sockets Layer
  4. Encryption of local data
  5. Application username, password, and UDID (Unique Device Identification)
  6. Tablet Login with multiple failures – content wiping
  7. User tracking & Single user instance
  8. Auditing & trackability
  9. Role based security & administration
  10. TTL (Time to Live) with local and remote “time-bomb” capabilities

(PlayerLync, 2013)

Bibliography

Florio, M. (2012). Dolphins to fine players who visit “unauthorized” sites on iPad playbooks. Retrieved from www.profootballtalk.nbcsports.com: http://profootballtalk.nbcsports.com/2012/06/24/dolphins-to-fine-players-who-visit-unauthorized-sites-on-ipad-playbooks/

Darlington, J. (2012). Touch Football. Retrieved from www.nfl.com: http://www.nfl.com/qs/ipadplaybook/index.jsp

PlayerLync. (2013). Auto Synchronize iPads Giving you Mobility with Security. Retrieved from www.playerlync.com: http://www.playerlync.com/solutions/distribution-model.html

Faas, R. (2012). Why Most NFL Teams are Ditching their Playbooks for iPads. Retrieved from www.cultofmac.com: http://www.cultofmac.com/188847/why-most-nfl-teams-are-ditching-their-playbooks-for-ipads-feature/

Who do you trust?

Ken Thompson created the Bon and B programming languages, co-invented the C programming language, and co-created the Plan 9 and UNIX operating systems. He has received the Turing Award, the IEEE Richard W. Hamming Medal, Fellow of the Computer History Museum, the Tsutomu Kanai Award, the Japan Prize and the National Medal of Technology. By all measures a “god” in computers.

In his acceptance speech for the Turing Award he gave a lecture titled Reflections on Trusting Trust. In the first two pages he explains how to write self-replicating code. He further explains how a compiler is trained, or updated, to accept future conditions as yet unknown; in short, how to introduce hidden code into a compiler binary. If this were not deliberate, it would be called a compiler “bug.” Since it is deliberate, it should be called a “Trojan horse.” (Thompson, 1984)
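The self-replicating first step Thompson describes, as an added illustration in Python rather than the C of his lecture (this is not Thompson’s code): a program whose output is exactly its own source, plus a check that runs it and compares the two.

```python
import contextlib
import io

# The template contains %r, into which its own text is substituted, so the
# string it prints is the complete program. QUINE_TEMPLATE is an assumed name.
QUINE_TEMPLATE = 's = %r\nprint(s %% s, end="")\n'
QUINE_PROGRAM = QUINE_TEMPLATE % QUINE_TEMPLATE


def run_program(source: str) -> str:
    """Execute Python source in a fresh namespace and return what it printed."""
    buf = io.StringIO()
    with contextlib.redirect_stdout(buf):
        exec(source, {"__name__": "quine"})
    return buf.getvalue()


def reproduces_itself(source: str) -> bool:
    """True when running `source` prints exactly `source`, byte for byte."""
    return run_program(source) == source


if __name__ == "__main__":
    print(QUINE_PROGRAM, end="")
    print("self-reproducing:", reproduces_itself(QUINE_PROGRAM))
```

Thompson’s point is that once such a program is folded into a compiler, the compiler can re-emit the addition every time it compiles itself, so the source no longer tells the whole story.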

The moral is obvious. You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler.

I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well-installed microcode bug will be almost impossible to detect. (Thompson, 1984)

Ken Thompson, 1984

Mr. Thompson is talking about code from 1969 in the year 1984. Now roll forward to 2014, to EMC and its RSA division, with respect to embedded encryption software and the use of elliptic curve cryptosystems. We have a document that would indicate that something had been “planned” between RSA and the NSA. (James Ball, 2013) In 2007, security expert Bruce Schneier detailed the flaws in the algorithm’s use of secret constants. (Schneier, 2007) We have the denial from EMC’s RSA division that RSA entered into a “secret contract” with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries: “We categorically deny this allegation.” (RSA, Speaking of Security, 2013) Mr. Thompson, thirty years earlier, was warning us what would happen.

Schneier, B. (2007, November 15). Did NSA Put a Secret Backdoor in New Encryption Standard? Retrieved from www.wired.com: http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115

Thompson, K. (1984). Reflections on Trusting Trust. Communications of the ACM, 27(8), 761-763.

James Ball, J. B. (2013, September 5). Revealed: how US and UK spy agencies defeat internet privacy and security. Retrieved from www.theguardian.com: http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

RSA, Speaking of Security. (2013, December 22). RSA Response to media claims regarding NSA relationship. Retrieved from blogs.rsa.com: https://blogs.rsa.com/news-media-2/rsa-response/

Catalyst Concepts | CSC

In addition to this week’s policies, SecSDLC and ISPME, I use the following:

CSC Catalyst

CSC Catalyst is CSC’s strategic methodology for delivering business change that addresses all aspects of a change program. It provides a common framework, language and processes that CSC uses to deliver consistent, efficient and high-quality services and solutions to our clients worldwide.

Catalyst is a set of repeatable processes and techniques for analyzing a business situation and developing and implementing the best solution. It is based on industry best practices, and reflects the thinking and experience of CSC employees globally. We use Catalyst for every outsourcing engagement, as well as to support clients in every industry.

Catalyst aligns with established standards, frameworks, and reference models. This enables organizations to come into compliance with such standards and guidelines as the SEI CMMI, ISO 9001, PMBOK, PRINCE2, ITIL and Lean/Six Sigma, among others.

To be fair, I have watched the Cloud and CyberSecurity technologies and offerings get adopted into the Catalyst models. In my day job we are investigating all the offerings in Catalyst to apply to our customers’ existing frameworks to increase the maturity model in the database space.

Books, Stephen Pedneault, Fraud 101, Anatomy of Fraud Investigation, Preventing & Detecting Employee Theft & Embezzlement | Forensic Accounting Services

Not knowing very much about fraud investigation, I ran across Stephen Pedneault’s book: Anatomy of a Fraud Investigation: From Detection to Prosecution. This was an interesting read. Since it was cold and snowy outside I got the ebook from Amazon and read it. Although Mr. Pedneault spends considerable time taping and cutting the tape to the storage closet for the 26 boxes, four computers and four garbage bags of evidence, he tells a great story. Lots of twists and turns, but for a computer guy studying computer forensics it has great detail. I still want to know what was on the laptop! Some very important points are made in the book along the way to help explain why certain actions are taken or not taken. Very important for beginners just starting out in forensics.

WoW is probably where they need to be looking…

Online Gaming

I was a bit dumb on the online gaming part. It has been a while since I played WoW (2004), and I was thinking as a scout leader, where we do everything with two adults, including e-mails.

Here are some interesting articles I have dug up on this subject, and it gets worse.

http://www.dfinews.com/articles/2010/05/multiplayer-game-forensics#.Uq4-6JG6z98

http://gamepolitics.com/2011/11/03/teen-murderer-confess-crime-world-warcraft-chat#.Uq4-8pG6z98

http://exforensis.blogspot.com/2010/05/multiplayer-game-forensics-ceic-2010.html

http://socialtimes.com/sociologists-measure-social-behavior-and-psychology-in-world-of-warcraft_b12433

So it looks like we need online police and they need to be watching.

To fel with you! There’s an NSA spook in my World of Warcraft • The Register

Okay, most programs now have the ability to leave a message to convey a message. Should adult agents be pretending to be children to “talk” on game message boards? No, I think they have crossed the line. Gathering information from a database or a tap is one thing, but interaction with children is a big no-no. Who is watching them? I am not cool with this.