
Okta Attack Points Out Important Issues

Once again Okta has been attacked, and customer data and systems were compromised.

I will leave the question of whether you should use Okta or a competitor for a separate conversation, but it does seem that their security may be a bit lacking.

In this most recent attack it was Okta's support system that was compromised. Granted, this did not directly expose customer passwords, but it is still a serious problem.

First, what was exposed.

Okta support often asks customers to upload HAR (HTTP Archive) files so its engineers can reproduce a problem. BUT consider what is in those files. A HAR file is a full recording of the browser's traffic: every request and response, including headers and bodies. That could be passwords. It could be session tokens and cookies, which are all an attacker needs to replay a logged-in session without ever knowing a password. It could be sensitive corporate data, customer data, data covered by an NDA, or many other types of data.
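To make the point concrete, here is a small HAR sanitizer as an added example; it is not Okta's tooling and not from the original post. It walks a HAR file and redacts the places where credentials and session material normally hide: Authorization, Cookie and Set-Cookie headers, the cookie arrays, token-bearing query parameters, and password or token fields inside JSON bodies. The sample HAR, the header and field names it treats as sensitive, and the Okta-style URLs are all constructed for the example.

```python
import copy
import json
import re

# Constructed sample HAR (not a real capture): one login call carrying an API
# token, a session cookie, a password in the POST body and a session token in
# the URL and the response body.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {
                    "method": "POST",
                    "url": "https://example.okta.com/api/v1/authn?sessionToken=20111abcDEF",
                    "headers": [
                        {"name": "Authorization", "value": "SSWS 00abc123secretApiToken"},
                        {"name": "Cookie", "value": "sid=102ABCDEFGHIJKLMNOP; DT=dtoken"},
                        {"name": "Content-Type", "value": "application/json"},
                    ],
                    "cookies": [{"name": "sid", "value": "102ABCDEFGHIJKLMNOP"}],
                    "queryString": [{"name": "sessionToken", "value": "20111abcDEF"}],
                    "postData": {
                        "mimeType": "application/json",
                        "text": "{\"username\": \"alice\", \"password\": \"Hunter2!\"}",
                    },
                },
                "response": {
                    "status": 200,
                    "headers": [
                        {"name": "Set-Cookie", "value": "sid=NEWSESSION; Secure; HttpOnly"},
                        {"name": "Content-Type", "value": "application/json"},
                    ],
                    "cookies": [{"name": "sid", "value": "NEWSESSION"}],
                    "content": {
                        "mimeType": "application/json",
                        "text": "{\"sessionToken\": \"20111abcDEF\", \"status\": \"SUCCESS\"}",
                    },
                },
            }
        ],
    }
}

REDACTED = "[REDACTED]"
# Header and field names treated as sensitive (an assumption for this example;
# extend the sets for your own applications).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-okta-xsrftoken"}
SENSITIVE_KEYS = {"password", "sessiontoken", "session_token", "access_token", "refresh_token",
                  "id_token", "token", "secret", "apikey", "api_key"}
URL_PARAM_RE = re.compile(r"([?&](?:sessionToken|access_token|id_token|code|token)=)[^&#]*", re.IGNORECASE)


def _redact_headers(headers, findings, where):
    for h in headers:
        if h.get("name", "").lower() in SENSITIVE_HEADERS:
            findings.append(f"{where}: header {h['name']}")
            h["value"] = REDACTED


def _redact_cookies(cookies, findings, where):
    # Every cookie value is treated as sensitive; the name is kept for debugging.
    for c in cookies:
        findings.append(f"{where}: cookie {c.get('name')}")
        c["value"] = REDACTED


def _redact_query(params, findings, where):
    for p in params:
        if p.get("name", "").lower() in SENSITIVE_KEYS:
            findings.append(f"{where}: query {p['name']}")
            p["value"] = REDACTED


def _redact_json_text(text, findings, where):
    """Redact sensitive keys anywhere inside a JSON body; non-JSON bodies are left as-is."""
    try:
        data = json.loads(text)
    except (ValueError, TypeError):
        return text

    def walk(obj):
        if isinstance(obj, dict):
            for k, v in obj.items():
                if k.lower() in SENSITIVE_KEYS and isinstance(v, str):
                    findings.append(f"{where}: body key {k}")
                    obj[k] = REDACTED
                else:
                    walk(v)
        elif isinstance(obj, list):
            for item in obj:
                walk(item)

    walk(data)
    return json.dumps(data)


def sanitize_har(har):
    """Return (sanitized copy of the HAR, list of what was redacted). The input is not modified."""
    out = copy.deepcopy(har)
    findings = []
    for i, entry in enumerate(out["log"]["entries"]):
        req = entry.get("request", {})
        resp = entry.get("response", {})
        where = f"entry {i} {req.get('method', '?')} {req.get('url', '?').split('?')[0]}"
        req["url"], n = URL_PARAM_RE.subn(r"\1" + REDACTED, req.get("url", ""))
        findings.extend([f"{where}: url parameter"] * n)
        _redact_headers(req.get("headers", []), findings, where)
        _redact_cookies(req.get("cookies", []), findings, where)
        _redact_query(req.get("queryString", []), findings, where)
        if "text" in req.get("postData", {}):
            req["postData"]["text"] = _redact_json_text(req["postData"]["text"], findings, where)
        _redact_headers(resp.get("headers", []), findings, where)
        _redact_cookies(resp.get("cookies", []), findings, where)
        if "text" in resp.get("content", {}):
            resp["content"]["text"] = _redact_json_text(resp["content"]["text"], findings, where)
    return out, findings


if __name__ == "__main__":
    clean, found = sanitize_har(SAMPLE_HAR)
    for f in found:
        print("redacted", f)
    print(json.dumps(clean, indent=2))
```

Run it over the file the support engineer asked for, read the findings list, and only then upload the sanitized copy. The list of what was redacted is the useful part: it tells you what would have gone out the door unredacted, and it is usually longer than people expect.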

If a support technician asks you to upload data, you have to consider, or at least you should consider, exactly what is in that data and what the consequences would be if it got into the wild. Strip credentials and session tokens out before you send it.

Then there is the issue of who discovered the breach and how Okta handled it.

BeyondTrust is an Okta customer, and they noticed an attempted login using a stolen session cookie. They notified Okta on October 2nd. Even though they were working with Okta, including Zoom sessions on October 11th and 13th, it was not until October 19th that Okta admitted it had been hacked. Is seventeen days too long when the customer hands you the evidence? I am sure that, given Okta's history of multiple breaches, they wanted to be certain it was really their fault. But that delay left other customers exposed.

It turns out that BeyondTrust had tightened its MFA requirements so that admins had to present MFA credentials every time they logged in, even when they had a valid (but stolen) cookie. That is what saved them. Specifically, they required hardware MFA (FIDO2 tokens). Very secure, and it costs a little money. Is that inconvenient? Maybe. Is getting hacked inconvenient? Probably. Is losing sensitive data or control of your network inconvenient? Definitely. In this case the combination of reauthentication and very strong MFA saved their bacon.
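The two controls described above, spotting a session cookie being replayed from somewhere it was not issued and refusing admin actions without a fresh hardware-backed MFA assertion, as an added example. This is illustrative code written for this post, not BeyondTrust's or Okta's implementation; the policy thresholds (five-minute freshness window, FIDO2 required on admin paths), the session binding scheme (a hash of user agent, ASN and TLS fingerprint captured at login), and the sample sessions and log lines are all assumptions constructed for the example.

```python
import hashlib
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy knobs: assumptions for this example, not any vendor's real settings.
ADMIN_PATH_PREFIXES = ("/admin", "/api/v1/users", "/api/v1/policies")
ADMIN_REQUIRED_METHOD = "fido2"           # phishing-resistant hardware authenticator
ADMIN_MFA_MAX_AGE = timedelta(minutes=5)  # how fresh the last FIDO2 assertion must be


def device_fingerprint(user_agent, asn, ja3):
    """Hash of client attributes captured at login and re-checked on every request.
    A cookie lifted from a HAR file and replayed from the attacker's machine will
    normally arrive with a different combination, so the binding fails."""
    return hashlib.sha256(f"{user_agent}|{asn}|{ja3}".encode()).hexdigest()


@dataclass
class Session:
    session_id: str
    user: str
    device_fp: str
    last_mfa_at: datetime
    mfa_method: str  # "fido2", "totp", "push", ...


@dataclass
class Decision:
    action: str  # "allow", "step_up" or "deny"
    reason: str


def evaluate(sessions, session_id, device_fp, path, now):
    """Decide whether a request carrying a session cookie may proceed."""
    sess = sessions.get(session_id)
    if sess is None:
        return Decision("deny", "unknown or expired session")
    if sess.device_fp != device_fp:
        # A valid cookie from the wrong device: treat it as stolen, do not offer step-up.
        return Decision("deny", f"session {session_id} presented from a different device: possible stolen cookie")
    if path.startswith(ADMIN_PATH_PREFIXES):
        if sess.mfa_method != ADMIN_REQUIRED_METHOD:
            return Decision("step_up", f"admin path requires {ADMIN_REQUIRED_METHOD}, session has {sess.mfa_method}")
        if now - sess.last_mfa_at > ADMIN_MFA_MAX_AGE:
            return Decision("step_up", "admin path requires a fresh FIDO2 assertion")
    return Decision("allow", "ok")


def find_replayed_sessions(log_lines):
    """Detection side: session ids seen from more than one (ASN, user agent) origin."""
    origins = defaultdict(set)
    for line in log_lines:
        rec = json.loads(line)
        origins[rec["sid"]].add((rec["asn"], rec["ua"]))
    return sorted(sid for sid, seen in origins.items() if len(seen) > 1)


# Constructed sample data for the example.
T0 = datetime(2023, 10, 2, 14, 0, tzinfo=timezone.utc)


def minutes_after(n):
    return T0 + timedelta(minutes=n)


LEGIT_FP = device_fingerprint("Mozilla/5.0 (Macintosh)", "AS15169", "ja3-aaaa")
ATTACKER_FP = device_fingerprint("Mozilla/5.0 (Windows NT 10.0)", "AS64496", "ja3-bbbb")
SESSIONS = {
    "sid-admin": Session("sid-admin", "admin@example.com", LEGIT_FP, T0, "fido2"),
    "sid-totp": Session("sid-totp", "bob@example.com", LEGIT_FP, T0, "totp"),
}
SAMPLE_LOG = [
    '{"ts":"2023-10-02T14:00:05Z","sid":"sid-admin","asn":"AS15169","ua":"Mozilla/5.0 (Macintosh)","path":"/admin"}',
    '{"ts":"2023-10-02T14:20:11Z","sid":"sid-admin","asn":"AS64496","ua":"Mozilla/5.0 (Windows NT 10.0)","path":"/admin"}',
    '{"ts":"2023-10-02T14:21:00Z","sid":"sid-totp","asn":"AS15169","ua":"Mozilla/5.0 (Macintosh)","path":"/home"}',
]

if __name__ == "__main__":
    print(evaluate(SESSIONS, "sid-admin", LEGIT_FP, "/admin", minutes_after(2)))     # allow
    print(evaluate(SESSIONS, "sid-admin", LEGIT_FP, "/admin", minutes_after(30)))    # step_up (stale)
    print(evaluate(SESSIONS, "sid-admin", ATTACKER_FP, "/admin", minutes_after(2)))  # deny (replayed cookie)
    print(evaluate(SESSIONS, "sid-totp", LEGIT_FP, "/admin", minutes_after(1)))      # step_up (needs fido2)
    print("replayed sessions in log:", find_replayed_sessions(SAMPLE_LOG))         # ['sid-admin']
```

The design choice worth noting is that a cookie arriving from the wrong device is denied outright rather than offered a step-up prompt: the attacker already holds a valid session, so the only safe answer is to invalidate it and alert, which is essentially what BeyondTrust's policy did. The stale-session and wrong-method cases, by contrast, are legitimate users and get a step-up.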

But you have to decide which is more important: protecting your environment or inconveniencing your users a little. It is a business risk decision.

As I always say – security or convenience – pick any one.

Credit: Bleeping Computer and CSO Online

