Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, October 27th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
In a few minutes David Shipley of Beauceron Security will be here to discuss recent news. That includes the admission by identity management provider Okta that a hacker compromised its customer support system and then saw customer technical files that included credentials. 1Password, Cloudflare and BeyondTrust said their systems were attacked as a result of this compromise.
The annual SecTOR cybersecurity conference took place in Toronto this week. David and I were both there and we’ll talk about a couple of sessions we were at.
And we’ll look at cybersecurity and AI-related resolutions passed at the annual conference of the Canadian Chamber of Commerce.
Also in the news in the past seven days, NCC Group says a record 514 organizations were listed as victims by ransomware groups in September. On the other hand, last week the suspected developer of the Ragnar Locker ransomware strain was arrested in Paris and the gang’s IT infrastructure was smashed.
Japanese watchmaker Seiko issued a third report on the ransomware attack it suffered in July. About 60,000 items of personal data were stolen, including customer and employee names and email addresses and the personal information of people who applied to Seiko for jobs.
Think the number of huge denial of service attacks is increasing? You’re right. Cloudflare reported this week that the number of hyper-volumetric DDoS attacks it deals with is now in the thousands.
More evidence that IT departments still aren’t prioritizing their work — or are under-resourced — came in a survey released by SonicWall. Seventy-eight per cent of the customers questioned admitted they don’t patch critical vulnerabilities within 24 hours of a fix being released. Thirteen per cent of respondents said they only apply critical patches when time allows.
Zerto released a survey of 201 attendees at a recent VMware conference. Only half of those surveyed said their firms prioritize both the prevention of attacks and data recovery if there’s a hack. Zerto suggests IT departments have to prioritize both.
Kaspersky released a more detailed analysis of the compromise of iPhones and iPads it first publicized in June. The malware was likely spread through attachments sent to victims via iMessage texts. It then leveraged four zero-day exploits in Apple’s operating systems. What helped in the investigation was that several Kaspersky employees were victims.
Finally, police in Spain arrested 34 people involved in computer scams. They seized a database with stolen information on 4 million people. And police in Nigeria say that last month they dismantled a gang that ran a wide range of business and romance email scams. Six men were arrested. Others are being sought.
(The following is a transcript of the first of four topics discussed. To hear the full conversation play the podcast)
Howard: First, let’s talk about something most listeners will have heard of: The access by a hacker to a file many organizations upload to Okta for analysis. Okta is an identity management platform used by many big companies and government departments. Using a stolen credential the hacker was able to get into Okta’s customer support system and view HAR files. These are files IT departments create on request for troubleshooting browser issues. HAR files can include cookies and session tokens which can be used by an attacker to hack into the company that created the HAR file. And it seems that’s what a hacker did: Using credentials seen in HAR files, an attacker tried getting into 1Password, Cloudflare and BeyondTrust.
Two questions: First, how did a hacker get an Okta credential allowing them access to its customer support system? Second, Okta advises companies to sanitize their HAR files before sending them. Apparently, some companies didn’t. Why?
David Shipley: From what we’ve learned so far this was yet another social engineering attack, targeting an IT help desk at Okta to do a privileged user account takeover. They went hunting through [the support system] to see what they could use. The HAR files and their rolled-up session cookies were jackpots for these attackers. This group clearly knew what it was doing — did their homework on the people, processes and the best way for a data theft prize. A better question, from my perspective, with respect to the HAR files is why didn’t Okta have a better process where customers could upload their files and it [Okta] could sanitize them? Every time you ask someone to do something in a process you’re depending on their relative skill level and understanding of the importance of that step. And also remember, you’re not calling Okta trying to troubleshoot your login because you’re having a good day. This is something not working properly. The stress levels are up, the anxiety to get this solved is there and so the susceptibility to missing these kinds of human-dependent steps [removing credentials in the HAR file] is quite obvious — in hindsight.
Keep in mind there are also some pretty huge human dynamics involved in this overall story that make this hack quite sophisticated. When we look at IT help desks this is yet another story on top of the recent hacks in Las Vegas of Caesars Palace and MGM Resorts. There’s a huge problem with the way that IT help desks are measured and incentivized for performance. Zendesk has a great 2023 article on the top metrics and KPIs [key performance indicators] for help desks. They include things like customer satisfaction, customer effort required, response time, resolution time and so on. But do you know what metrics aren’t included? Metrics related to thorough checking of privileged account access requests. We need to add this as a clear metric. There is no technology silver bullet that is better than doing this today. Help desk staff should be rewarded for doing a thorough job vetting access requests and making sure that they aren’t being socially engineered. And for bonus — here’s where security culture really comes in — executives and high-privileged users should be accountable if they try to bypass any kind of a thorough review by the help desk in a request. These folks should be thanking the help desk for having a thorough, detailed process to challenge access requests.
Howard: So when Okta mentions that it’s the job of customers to remove session tokens from their HAR files before uploading them, is the company trying to blame the victim?
David: I think so. I think it ignores the context in which a support request happens, and context is important. Again, you [the vendor] know people are stressed. They’re making assumptions about the relative skill levels of the people in the IT staff who might be troubleshooting this problem. Why don’t you have a better tool to scan within the HAR files and just nuke it before you store it? This seems something that would be a win-win: It reduces risk and liability for Okta, improves customer security and maybe it’s a cool differentiating feature versus all the other single sign-on providers.
Howard: Let me go one step backward to the original compromise. It started with an Okta IT support account that was compromised. If staff have multifactor authentication isn’t that supposed to blunt the risk that stolen credentials can be abused?
David: Well, yeah. But if I had done this [as an attacker] I would have done my homework on who I was trying to target — in this case, someone with access to the IT support system so I could impersonate them. I probably have already phished their credentials and what I’m probably going to do is say my multifactor authentication device has been lost. Can you reset the MFA and send that to me ASAP? And if I’m really smart, I’m doing this when the other person [the real IT person] is asleep. If there’s a 24/7 operation or help desk they’ll respond and ask me to validate my identity. I’m able to give all the details required on that validation process: ‘Okay, we’ve reset your MFA so you can get back to doing work.’ That’s one way this could all play out.
Howard: So one of the lessons is — again — organizations have to have better processes for their IT support staff to block this kind of attack.
David: A hundred percent. But it’s culture too, because you need to inject into all of these efficiency-oriented and cost-oriented metrics for help desks an awareness program that says when a request is about resetting credentials you stop being super-friendly and willing to do anything to make the customer happy. Instead, ‘Customer, you and I are both going to be happy if we do this process very thoroughly so that your account potentially doesn’t get compromised. Let’s go through this process together and make sure we do this right.’ And that’s the important part, but all too often it’s like, ‘I’m super busy, I’m down right now. There’s a customer yelling at me to get into my accounts to get something fixed. Get this done for me right now.’ This is what makes social engineering so damn effective.
Howard: Except in this case I suspect the attacker is impersonating an Okta employee.
David: Exactly. So an Okta employee helped an Okta employee who has access, or would have privileged access, into that help desk database side of things. And they were able to convince somebody else in the help desk process, and maybe the help desk for Okta. Maybe it’s an outsourced help desk.
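The HAR-sanitizing step the conversation keeps coming back to (stripping cookies, session tokens and other credentials out of a browser capture before it is uploaded to a support desk) is shown below as an added worked example. It is not part of the transcript and is not Okta's own tooling; the header and field names it treats as sensitive, and the sample capture it runs on, are the editor's assumptions and constructed data.

```python
"""Scrub session material out of a HAR file before it goes to a support desk.

Added example for this page; not Okta's or any vendor's tooling. The sensitive
header/field names are assumptions chosen to cover the usual places a session
rides: Cookie/Set-Cookie, Authorization, token-like query parameters and
JSON/form body fields. Every cookie value is redacted, since any cookie can be
a session cookie.
"""
import json
import re
import sys
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"

# Header names (lower-case) whose values carry credentials or session state.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie",
                     "set-cookie", "x-api-key", "x-auth-token"}

# Query-string / body field names that commonly hold tokens or secrets.
SENSITIVE_FIELD = re.compile(r"(token|secret|password|passwd|session|sid|assertion)$", re.I)


def _is_sensitive_header(name):
    return name.lower() in SENSITIVE_HEADERS


def _scrub_pairs(pairs, is_sensitive):
    """Redact the 'value' of matching HAR name/value records in place; return count."""
    n = 0
    for rec in pairs or []:
        if rec.get("value") and is_sensitive(rec.get("name", "")):
            rec["value"] = REDACTED
            n += 1
    return n


def _scrub_query(qs):
    """Redact sensitive keys in a urlencoded string; return (new_qs, count)."""
    out, n = [], 0
    for key, val in parse_qsl(qs, keep_blank_values=True):
        if val and SENSITIVE_FIELD.search(key):
            out.append((key, REDACTED))
            n += 1
        else:
            out.append((key, val))
    return urlencode(out, safe="[]"), n


def _scrub_json(obj):
    """Walk a decoded JSON value, redacting sensitive string fields; return count."""
    n = 0
    if isinstance(obj, dict):
        for key, val in obj.items():
            if isinstance(val, str) and val and SENSITIVE_FIELD.search(key):
                obj[key] = REDACTED
                n += 1
            else:
                n += _scrub_json(val)
    elif isinstance(obj, list):
        for item in obj:
            n += _scrub_json(item)
    return n


def _scrub_body(body):
    """Redact sensitive fields in a HAR postData or content record; return count."""
    if not body:
        return 0
    n = _scrub_pairs(body.get("params"), SENSITIVE_FIELD.search)
    text, mime = body.get("text"), (body.get("mimeType") or "").lower()
    if not text:
        return n
    if "json" in mime:
        try:
            data = json.loads(text)
        except ValueError:
            return n  # leave unparseable bodies alone rather than guess at them
        hits = _scrub_json(data)
        if hits:
            body["text"] = json.dumps(data)
        return n + hits
    if "x-www-form-urlencoded" in mime:
        body["text"], hits = _scrub_query(text)
        return n + hits
    return n


def scrub_har(har):
    """Return (scrubbed deep copy of a HAR dict, number of values redacted)."""
    har = json.loads(json.dumps(har))  # never mutate the caller's capture
    total = 0
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        total += _scrub_pairs(req.get("headers"), _is_sensitive_header)
        total += _scrub_pairs(resp.get("headers"), _is_sensitive_header)
        total += _scrub_pairs(req.get("cookies"), lambda _name: True)
        total += _scrub_pairs(resp.get("cookies"), lambda _name: True)
        total += _scrub_pairs(req.get("queryString"), SENSITIVE_FIELD.search)
        if req.get("url"):
            parts = urlsplit(req["url"])
            query, hits = _scrub_query(parts.query)
            req["url"], total = urlunsplit(parts._replace(query=query)), total + hits
        total += _scrub_body(req.get("postData"))
        total += _scrub_body(resp.get("content"))
    return har, total


def scrub_har_text(text):
    """Scrub a HAR document given as JSON text; return (new_text, count)."""
    har, n = scrub_har(json.loads(text))
    return json.dumps(har, indent=2), n


# Constructed sample capture (not a real HAR): an Okta-style sign-in exchange.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "POST",
        "url": "https://example.okta.com/api/v1/authn?client_id=abc&sessionToken=20111abc",
        "headers": [{"name": "Host", "value": "example.okta.com"},
                    {"name": "Cookie", "value": "sid=102xyz; DT=dev9"},
                    {"name": "Authorization", "value": "SSWS 00abc-api-token"}],
        "cookies": [{"name": "sid", "value": "102xyz"}, {"name": "DT", "value": "dev9"}],
        "queryString": [{"name": "client_id", "value": "abc"},
                        {"name": "sessionToken", "value": "20111abc"}],
        "postData": {"mimeType": "application/json",
                     "text": '{"username": "alice", "password": "hunter2"}'}},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=102xyz; Path=/; HttpOnly"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "102xyz"}],
        "content": {"mimeType": "application/json",
                    "text": '{"status": "SUCCESS", "sessionToken": "20111abc", '
                            '"_embedded": {"user": {"id": "00u1", "login": "alice"}}}'}}}]}}
SAMPLE_HAR_TEXT = json.dumps(SAMPLE_HAR)

if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HAR_TEXT
    out, count = scrub_har_text(src)
    sys.stderr.write(f"redacted {count} values\n")
    sys.stdout.write(out)
```

Run it as `python scrub_har.py capture.har > capture.scrubbed.har` and diff the two files before sending anything. The name lists are a deny-list heuristic: a custom header or body field that carries a token under an unexpected name will survive, so the output still needs a human look, and, as the discussion above argues, the receiving desk should run the same kind of scrub on upload rather than trust that the customer did.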