
Hackers Stole Access Tokens from Okta’s Support Unit


Wallace_n_Gromit

Senior Member


Addendum 10/22/2023: Looks like it wasn't even Okta that discovered the breach. One of their customers found the breach, which had been leveraged to attempt a breach of their own information system. Cloudflare reported to Okta that Okta's system had been compromised. Cloudflare also offered some recommendations for Okta to harden their system(s). 🤨

https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/
 
Online? Trust nothing...
 
Online? Trust nothing...
Article doesn't seem to indicate the Okta Verify Authenticator app is impacted.

Periodically as I go to various financial/health care/etc websites I have noticed a very quick redirect through an okta url. Seems that some businesses I frequent use okta to authenticate my session, if I understand it right.
 
It's a bit of a mess, but not near the degree of the current Citrix Netscaler problem...



All of these enterprise "Something" as a Service apps have concerns - and are a rich target for criminals...
 
With Okta - it's an enterprise one-touch/single sign-on application not based on trust, but verification...

Why is this important - Zero Trust Security... Okta puts themselves in that Verify path...

So yes, it's a big deal...

I understand the Okta security breach reported in the linked article and its potential impact on those who use Okta. Yes, potentially a big deal.

I don't understand what 'Online? Trust nothing...' has to do with it.

OE
 
It means to limit your exposure when online by any means. If you don't need to be online, don't trust the 'safety net' that cannot be designed to save anyone, let alone everyone, all the time.
 
It means to limit your exposure when online by any means. If you don't need to be online, don't trust the 'safety net' that cannot be designed to save anyone, let alone everyone, all the time.

Again, sounds like wise advice, but I still don't know what to do with it... and now there's a 'safety net' that can't be trusted... that figures... trust nothing online. This is getting scary now... what's the point of a safety net that can't be trusted, whatever that is? I do need to be online... what should I do?... log on and then hide in a closet?

OE
 
If you receive a message from your "wife" on iMessage, Viber, WhatsApp, etc. - it goes over the Internet, so ask for the secret pass phrase first. To the question "Are you home?" never answer with "yes/no", but say "maybe" or simply don't reply. If you are brave enough to reply - lock the car doors or hide in the closet, depending on your location. Make sure you use a prepaid SIM card, better registered in someone else's name and in another state. This is what "trust nothing" means. They will still get you, so be constantly afraid. This will keep your alert levels high. When it happens - it won't be something unexpected for you.

The advice is similar to "Watch it!". Wise only if you know what to watch for.
 
Still don't know what to do with it. Okay.

Re-read the post you quoted. This isn't rocket science.

If you 'need' to be online, know you're not private/secure/safe. No matter what promises are made. The level of those breaches is variable and their timing is unknown.

I know you're smarter than hiding in a closet.
 
The Okta compromise is starting to gain traction with upstream reports...

This is not as bad as SolarWinds (for now), but it does give another good example of the risks of SaaS, especially with regards to identity and access to resources
 
It means to limit your exposure when online by any means. If you don't need to be online, don't trust the 'safety net' that cannot be designed to save anyone, let alone everyone, all the time.

I think it's more situational awareness aka only the paranoid survive...

End-points are generally secure - I'm ok with being at the local starbucks and logging into my morgan stanley account to do a couple of stock trades - it's a TLS connection, and I can trust it for now...

I don't need a commercial VPN to do that - that VPN doesn't actually add any value to that transaction.

Things though, like Okta and the like, they're a bit concerning, as they aggregate logins across multiple sources, so if they are compromised, this causes issues of trust...

That's at a corp level, but at a personal level - let's say you have a password manager - LastPass is a good example.


For the audience here - the threat is commercial VPN's and cloud-pass authenticators as they tend to minimize the true threat surface - aka "trust us, we have your back" when they have issues keeping their own infrastructure secure...
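The two posts above make the same point from different angles: an identity provider sits in the verification path for many downstream apps, so a stolen session/access token (the subject of the linked article, and what the addendum describes Cloudflare catching when it was replayed against them) is only as dangerous as the relying party's failure to notice it being used from somewhere new. The following is an added example, not code from the thread, from Okta or from Cloudflare: a small replay detector that binds each session token to the client that minted it and flags later events presenting the same token from a different network (ASN) or user agent. The log lines are constructed for illustration and the field names are assumptions, not Okta's System Log schema; map them to your IdP's real export before use.

```python
"""Detect reuse of a stolen SSO session token from an unexpected client.

Added example; not code from the forum thread, Okta or Cloudflare.
The JSON-lines format and field names below are constructed for
illustration and are NOT Okta's System Log schema.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample audit events (one JSON object per line). "session" is a
# hash of the session token; never write the raw token to a log or a HAR file.
SAMPLE_LOG = """
{"ts":"2023-10-18T09:00:01Z","user":"alice@example.com","session":"h1","ip":"203.0.113.10","asn":64496,"ua":"Chrome/118 macOS","action":"sso.login"}
{"ts":"2023-10-18T09:05:12Z","user":"alice@example.com","session":"h1","ip":"203.0.113.10","asn":64496,"ua":"Chrome/118 macOS","action":"app.access"}
{"ts":"2023-10-18T09:06:40Z","user":"alice@example.com","session":"h1","ip":"198.51.100.77","asn":64510,"ua":"Chrome/118 macOS","action":"app.access"}
{"ts":"2023-10-18T09:07:02Z","user":"alice@example.com","session":"h1","ip":"198.51.100.77","asn":64510,"ua":"python-requests/2.31","action":"admin.read"}
{"ts":"2023-10-18T10:00:00Z","user":"bob@example.com","session":"h2","ip":"192.0.2.5","asn":64496,"ua":"Firefox/118 Windows","action":"sso.login"}
{"ts":"2023-10-18T10:01:00Z","user":"bob@example.com","session":"h2","ip":"192.0.2.6","asn":64496,"ua":"Firefox/118 Windows","action":"app.access"}
"""


@dataclass
class SessionOrigin:
    """The client context a session token was first seen with."""
    user: str
    ip: str
    asn: int
    ua: str


@dataclass
class Alert:
    session: str
    user: str
    reason: str
    ts: str


def parse_events(text: str) -> List[dict]:
    """Parse JSON-lines audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_token_replay(events: List[dict], same_asn_ip_change_ok: bool = True) -> List[Alert]:
    """Bind each session token to the client that created it and flag later
    events that present the same token from a different user, ASN or user
    agent. An IP change inside the same ASN (laptop roaming, NAT pool) is
    tolerated by default; an ASN or user-agent change is not, because a
    copied token is usually replayed from other infrastructure with other
    tooling (e.g. a scripted HTTP client instead of the victim's browser)."""
    origins: Dict[str, SessionOrigin] = {}
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session"]
        if sid not in origins:
            origins[sid] = SessionOrigin(ev["user"], ev["ip"], ev["asn"], ev["ua"])
            continue
        o = origins[sid]
        reasons = []
        if ev["user"] != o.user:
            reasons.append("session presented by a different user")
        if ev["asn"] != o.asn:
            reasons.append(f"ASN changed {o.asn}->{ev['asn']}")
        elif ev["ip"] != o.ip and not same_asn_ip_change_ok:
            reasons.append(f"IP changed {o.ip}->{ev['ip']}")
        if ev["ua"] != o.ua:
            reasons.append(f"user agent changed {o.ua!r}->{ev['ua']!r}")
        for r in reasons:
            alerts.append(Alert(sid, o.user, r, ev["ts"]))
    return alerts


def sessions_to_revoke(alerts: List[Alert]) -> Set[str]:
    """Every session with at least one alert should be revoked at the IdP
    and at every relying party, since a replayed token may already have
    been exchanged for downstream app sessions."""
    return {a.session for a in alerts}


if __name__ == "__main__":
    found = detect_token_replay(parse_events(SAMPLE_LOG))
    for a in found:
        print(f"{a.ts} session={a.session} user={a.user}: {a.reason}")
    print("revoke:", sorted(sessions_to_revoke(found)))
```

On the constructed log, Alice's session is flagged twice: first when it appears from a new ASN, then again when the same token is driven by a scripted client rather than her browser; Bob's in-ASN IP change is ignored. In production the binding should also be enforced at the relying party (or by a phishing-resistant second factor such as FIDO2), not only logged, since detection after the fact only shortens the window a stolen token is useful for.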
 
Again, sounds like wise advice, but I still don't know what to do with it... and now there's a 'safety net' that can't be trusted... that figures... trust nothing online. This is getting scary now... what's the point of a safety net that can't be trusted, whatever that is? I do need to be online... what should I do?... log on and then hide in a closet?

OE
I think it's more situational awareness aka only the paranoid survive...



For the audience here - the threat is commercial VPN's and cloud-pass authenticators as they tend to minimize the true threat surface - aka "trust us, we have your back" when they have issues keeping their own infrastructure secure...


@OzarkEdge Look at what they are saying more from a social aspect, rather than a technical aspect. What they are driving at is Social Engineering is at the center of all this.

Social Engineering is always the core vulnerability.

You may have secure systems that aren't so vulnerable. But we humans almost always have some form of vulnerability to be exploited.

Well, perhaps the same could be said for much software and hardware.


Is it possible to create/produce something invulnerable?

Understand where the vulnerabilities lie at all times.
 
You may have secure systems that aren't so vulnerable. But we humans almost always have some form of vulnerability to be exploited.

And this is how Mitnick worked...

 
