Welcome to Cybersecurity Today. From Toronto, this is the Week in Review for the week ending Friday, November 10, 2023. I’m Howard Solomon, contributing cybersecurity reporter for ITWorldCanada.com and TechNewsday.com in the U.S.
In a few minutes, David Shipley of New Brunswick’s Beauceron Security will join me to discuss recent news. But first, a review of the headlines from the last seven days:
Identity and access management provider Okta said an employee error led to a recent data breach. David and I will dissect this explanation. We will also analyze Cloudflare’s explanation of last week’s service outage, attributed to a power failure in a data center it uses.
We will debate the wisdom of advice from an expert at a conference I covered this week, who said an organization’s priority should be to plan for recovery from a potential cyber attack. David will also reflect on whether cybersecurity spending by IT departments is decreasing and whether upcoming European product regulations will improve cybersecurity.
Also this week, the European Parliament approved the Data Act. When it comes into effect in 2025, individuals and businesses will have more control over sharing information, especially data collected by smart home appliances and internet-connected sensors and machines. One of its objectives is to help European small and medium-sized companies access data sets.
On Thursday, OpenAI dealt with a denial of service attack that made ChatGPT temporarily unavailable. According to Bleeping Computer, a group calling itself Anonymous Sudan claimed credit for the attack, citing OpenAI’s alleged bias toward Israel.
The FBI issued a private industry notification warning of a callback phishing scam: employees receive an email about a supposed charge on their account and are asked to call a phone number. If they do, the victim receives a follow-up email with a link they must click. That link, of course, leads to malware installation, data theft and then an extortion demand against the company.
MGM Resorts International says it has completely restored and improved its IT systems following the September cyberattack on its Las Vegas properties. The attack cost an estimated US$100 million, mostly in lost hotel reservations. Insurance will cover most of this.
Crooks have set up a fake copy of the Windows Report news website to spread malware. Malwarebytes researchers say the content is pulled from the real site. Victims are taken there by clicking a search engine advertisement for CPU-Z, a popular Windows utility. This is another reminder that clicking an ad on a search engine results page can cause problems.
Threat actors continue to plant malware in open source library repositories, hoping developers will add the code to their applications and so distribute it widely. The most recent example was found by Checkmarx researchers in the PyPI repository for Python code. Discovered last month, these packages can steal data and passwords, set up a keylogger and render the victim’s computer unusable. Developers have been warned.
Finally, Kyocera AVX, which manufactures electronic components, is notifying more than 39,000 people around the world that their data was stolen in March. The company does not say it was a ransomware attack, but it does say the attackers encrypted its data. The stolen data included names and Social Security numbers.
(The following edited transcript covers the first of the five items we discussed. To hear the full conversation, play the podcast)
Howard: Two weeks ago, when you were on the show, we talked about the compromise of identity management provider Okta’s customer support system. Listeners may recall that some technical files that IT departments send to Okta for analysis, called HAR files, were copied by an attacker. Included in some files were session tokens that the hacker was able to use to break into customers’ IT systems. Last week, Okta released a detailed report on how it all started. And it goes like this: An Okta employee used a company computer to log into their personal Google account. When they did this, their Okta login credentials were copied to their Google account. A hacker managed to steal these credentials. After that, they logged into the Okta customer support system and stole 134 HAR files. Five of Okta’s customers were then compromised with the session tokens the hacker obtained.
David Shipley: The most important thing to me is why they were able to log into personal Google accounts, and how exactly that chain still worked to gain access to basically take control of the laptop – or else pivot from that laptop – to then get into (customer support) systems. Or were the HAR files downloaded to the user’s laptop? I still have a few more questions about this.
One of the most important learnings here is: is your company’s Google Chrome managed? I certainly hope so. And have you disabled this personal account login option? Because if you haven’t, here’s a new headache for you.
Howard: The explanation does not say that this was a clear violation of company policy on the use of corporate-owned computers. So one interpretation is that Okta didn’t want to leave the employee twisting in the wind – because if it was a violation, that would open the question of whether the employee was disciplined. The other interpretation is that the appropriate use policy was unclear and Okta doesn’t want to admit it.
David: I don’t think it would be a good idea for Okta to throw the employee under the bus. But if it absolves them from the barrage of lawsuits that may come their way, have no doubt that the corporation would act in the corporation’s best interests. My guess is that policy prohibits logging into your Google account at work. And since the policy was silent on this, probably no one thought of using corporate control to impose a policy that probably didn’t exist.
This is classic cybersecurity. Let me pause here. Everyone thinks that hacking an organization is about finding a technical vulnerability. It’s about finding gaps in process, policy and technology and exploiting them in ways that someone didn’t have the imagination or foresight to avoid. Congratulations to the attackers; they had a lot of imagination in this case. If an organization is using Google, there is a way to manage the password sign-in process so that staff can only sign in to corporate assets and not their personal Google account. But this raises the interesting question of corporate browser management. Chrome’s ubiquity and popularity led people to say, ‘Okay. The user has installed Chrome.’ Even in organizations that control the installation of apps… and Chrome is an approved app, how many of them actually have it managed by the organization? It usually requires a very sophisticated IT team. Even at some large Fortune 500 companies, browser-level controls are not as prevalent as people assume.
Howard: The other thing that isn’t clear from this explanation is why was this particular Okta employee’s computer hacked? Was he targeted? Was this just a coincidence?
David: What a coincidence. At this point, the chain of these things would lead me to believe: No. Okta has a giant target on its back as a provider of identity and access management on a global scale. We saw several attacks (against it) – the Lapsus$ teenagers managed to get it right. So I think that was targeted. I think they will always have a long list of nation states that are dying to get into their business, because then they can move from there to other parts of the supply chain. Part of the bargain of moving from your on-premises solutions to cloud-based solutions was the promise that you would get some security dividends out of it, but there may be security responsibilities in the concentration of having such a large player holding so many keys to the kingdom.
Howard: What are the lessons to be learned from this incident?
David: Number one: the more complex the IT environment, the more things you will have to spend time thinking about how to ignore. How many security teams have adequate resources to be proactive in thinking about these things? It’s nearly impossible to have an accurate software inventory, and even if you do, do you have the resources to ensure there are adequate controls around all of these things? For a security company, you would think this is necessary. But if this is happening to a top-tier global security company in the identity space, how well protected is our critical infrastructure – financial institutions, telecommunications companies and others? You can bet there will be more of this happening.
The other really interesting part is these HAR files. We’ll delve into this a little more, but was there a better process that Okta could have implemented to remove sensitive information (like session tokens)? Because they didn’t need them. You know, a few days after the breach, someone built an open source tool to do just that (automatically strip tokens from HAR files). Why weren’t organizations proactive in the first place?
Howard: Of course, one lesson is that you need to make sure employees understand that you can’t use company laptops or smartphones for personal use. You cannot log into your personal accounts.
David: Absolutely, especially if they are highly privileged users.
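An illustration of the browser control David raises above (managed Chrome, personal Google sign-in disabled). This is an added example by the editor, not something Okta or the podcast published; it assumes a corporate Google Workspace domain of example.com and shows the policy file a Linux administrator would drop in /etc/opt/chrome/policies/managed/ (on Windows the same policy names are set through Group Policy or the HKLM\Software\Policies\Google\Chrome registry key). The weak state is the default, where none of these keys are set and any Google account can sign in to the browser and sync saved passwords to it.

```json
{
  "BrowserSignin": 1,
  "RestrictSigninToPattern": ".*@example\\.com",
  "AllowedDomainsForApps": "example.com",
  "SyncDisabled": true,
  "PasswordManagerEnabled": false
}
```

BrowserSignin 1 allows profile sign-in but RestrictSigninToPattern limits it to accounts in the corporate domain; AllowedDomainsForApps adds the X-GoogApps-Allowed-Domains header so Google web apps such as Gmail refuse personal accounts in the tab; SyncDisabled stops saved credentials being pushed to any Google account; PasswordManagerEnabled false is only sensible if a corporate password manager is deployed instead. Confirm the policies are applied by opening chrome://policy on a managed machine. None of this helps on an unmanaged Chrome install, which is exactly the gap the conversation is about.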
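The HAR sanitisation David asks about above (stripping session tokens before a HAR file leaves the organization), as an added example written by the editor. It is not the open source tool mentioned in the conversation and not Okta’s code; the HAR layout it walks (log.entries[].request/response with headers, cookies, queryString, postData and content) is the standard HAR 1.2 structure, while the header list, the name heuristic and the sample capture are assumptions constructed for the example.

```python
"""Strip session material from a HAR file before sharing it with a vendor."""
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "REDACTED"

# Header names that carry credentials or session material (matched case-insensitively).
SENSITIVE_HEADERS = {
    "authorization", "proxy-authorization", "cookie", "set-cookie",
    "x-api-key", "x-csrf-token", "x-xsrf-token",
}
# Assumed heuristic for parameter/header names that usually hold tokens; widen it for your apps.
SENSITIVE_NAME_RE = re.compile(r"session|token|sid|jwt|auth|secret|passw|api[_-]?key", re.I)
# Token-shaped substrings inside bodies: "Bearer <value>" and three-part JWTs.
TOKEN_BODY_RE = re.compile(
    r"(Bearer\s+)[A-Za-z0-9._~+/=-]+|eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"
)


def is_sensitive_header(name: str) -> bool:
    return name.lower() in SENSITIVE_HEADERS or bool(SENSITIVE_NAME_RE.search(name))


def scrub_pairs(pairs, is_sensitive) -> int:
    """Redact the value of each {"name", "value"} pair whose name is sensitive; return how many."""
    count = 0
    for pair in pairs or []:
        if is_sensitive(pair.get("name", "")) and pair.get("value") != REDACTED:
            pair["value"] = REDACTED
            count += 1
    return count


def scrub_url(url: str):
    """Redact sensitive query parameters in a URL, leaving the other parameters intact."""
    parts = urlsplit(url)
    count, params = 0, []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if SENSITIVE_NAME_RE.search(key):
            value, count = REDACTED, count + 1
        params.append((key, value))
    if count:
        url = urlunsplit(parts._replace(query=urlencode(params)))
    return url, count


def scrub_text(text: str):
    """Replace bearer tokens and JWTs inside a body, keeping the 'Bearer ' prefix for readability."""
    return TOKEN_BODY_RE.subn(lambda m: (m.group(1) or "") + REDACTED, text)


def sanitize_har(har: dict):
    """Return (sanitised deep copy of the HAR, number of values redacted)."""
    har = json.loads(json.dumps(har))  # work on a copy; the caller's object stays untouched
    total = 0
    for entry in har.get("log", {}).get("entries", []):
        req = entry.setdefault("request", {})
        resp = entry.setdefault("response", {})
        for msg in (req, resp):
            total += scrub_pairs(msg.get("headers"), is_sensitive_header)
            total += scrub_pairs(msg.get("cookies"), lambda _name: True)  # every cookie value
        total += scrub_pairs(req.get("queryString"), SENSITIVE_NAME_RE.search)
        if isinstance(req.get("url"), str):
            req["url"], n = scrub_url(req["url"])
            total += n
        # Bodies can echo tokens (login responses, form posts); scrub token-shaped substrings.
        for body in (req.get("postData", {}), resp.get("content", {})):
            if isinstance(body.get("text"), str):
                body["text"], n = scrub_text(body["text"])
                total += n
    return har, total


# Constructed sample capture (not a real HAR): one request with a token in the URL,
# the Authorization header, a session cookie and the JSON response body.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET",
        "url": "https://example.test/api/me?access_token=abc123&page=1",
        "headers": [{"name": "Authorization", "value": "Bearer eyJhbGciOi.eyJzdWIi.sig"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "s3cr3t"}],
        "queryString": [{"name": "access_token", "value": "abc123"}, {"name": "page", "value": "1"}],
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=s3cr3t; HttpOnly"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "s3cr3t"}],
        "content": {"mimeType": "application/json",
                    "text": '{"token":"eyJhbGciOi.eyJzdWIi.sig","user":"alice"}'},
    },
}]}}

if __name__ == "__main__":
    clean, redacted = sanitize_har(SAMPLE_HAR)
    print(f"redacted {redacted} values")
    print(json.dumps(clean, indent=2))
```

The point of the design is that the file stays useful for the support engineer (status codes, non-sensitive headers and parameters, the shape of the JSON body all survive) while anything that would let a third party replay the session is gone. Run it over a real export before uploading, then grep the output for the cookie and token values you know are in use, since a name-based heuristic will miss application-specific names.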