Welcome to Cyber Security Today. From Toronto, this is the Week in Review for the week ending Friday, November 10th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
In a few minutes David Shipley of New Brunswick’s Beauceron Security will join me to discuss recent news. But first a review of headlines from the past seven days:
Identity and access management provider Okta said an employee’s mistake led to a recent data breach. David and I will dissect that explanation. We’ll also look into Cloudflare’s explanation of last week’s disruption of service, blamed on a power failure at a data centre it uses.
We’ll debate the wisdom of an expert at a conference I covered this week who said an organization’s priority should be planning to recover from a possible cyber attack. David will have thoughts on whether cybersecurity spending by IT departments is dropping and whether coming European product regulations will improve cybersecurity.
Also this week the European Parliament passed the Data Act. When it comes into force in 2025, individuals and businesses will have more control over the sharing of information, particularly data collected by smart home appliances and internet-connected sensors and machines. One goal is to help small and medium-sized European firms access pools of data.
On Thursday OpenAI was able to deal with a denial of service attack that caused ChatGPT to be temporarily unavailable. According to Bleeping Computer, a group calling itself Anonymous Sudan claimed credit for the attack because of OpenAI’s alleged bias towards Israel.
The FBI issued a private industry warning that a crook has created a phone callback scam: Employees get an email message about a supposed charge on their account that asks them to call a phone number. If they do, the victim gets a follow-up email with a link they are to click on. That link, of course, leads to the installation of malware, data theft and then an attempt to extort the company.
MGM Resorts International says it has fully restored and enhanced IT systems after September’s cyber attack on its Las Vegas property. The attack cost it about US$100 million, mostly in lost hotel bookings. Insurance will cover most of that.
Crooks have set up a phony copy of the Windows Report news site to spread malicious software. Researchers at Malwarebytes say the content is scraped from the real site. Victims get taken there by clicking on a search engine ad for a popular Windows utility called CPU-Z. This is another reminder that clicking on an ad on a search engine page may get you into trouble.
Threat actors continue to plant malware in open-source library repositories, hoping to sucker developers into adding the code into their applications for widespread distribution. The latest example was found by researchers at Checkmarx in the PyPI repository for Python language code. Discovered last month, these particular packages have the ability to steal data, passwords, set up a keylogger and make a victim’s computer unusable. Developers have been warned.
Finally, Kyocera AVX, which makes electronic components, is notifying over 39,000 people around the world their data was stolen in March. The company is not saying this was a ransomware attack. But it is saying the attackers encrypted company data. Data stolen included names and social security numbers.
(The following edited transcript covers the first of five items we discussed. To hear the full conversation play the podcast)
Howard: Two weeks ago when you were on the show we talked about the compromise of the customer support system of identity management provider Okta. Listeners may recall that some technical files that IT departments send to Okta for analysis, called HAR files, were copied by an attacker. Included in some files were session tokens that the hacker was able to use to get into the IT systems of customers. Last week Okta issued a detailed report on how it started. And it goes like this: An Okta employee used their company computer to log into their personal Google account. When they did that, their Okta login credentials were copied into the Google account. A hacker was able to steal those credentials. After that they logged in to the Okta customer support system and stole 134 HAR files. Five of Okta’s customers were then compromised with the session tokens the hacker got hold of.
David Shipley: The biggest thing for me is why were they able to log into personal Google accounts, and how exactly that chain still played out to gain access to basically take over the laptop — or then pivot from that laptop — to then go into the [customer support] systems. Or were the HAR files downloaded to the user’s laptop? There’s still some more questions I have on that.
One of the most important pieces of learning here is, is your Google Chrome enterprise managed? I sure hope so. And do you have this personal account sign-in option disabled? Because if you don’t, here’s a new headache for you.
Howard: The explanation doesn’t say that this was a clear violation of company policy on the use of a corporately owned computer. So one interpretation is Okta didn’t want to leave the employee hanging in the wind — because if it was a violation that would open the question of whether the employee was disciplined. The other interpretation is the appropriate use policy wasn’t clear and Okta doesn’t want to admit it.
David: I don’t think it would be a good look for Okta to throw the employee under the bus. But if it absolves them from the flurry of lawsuits that might be coming their way, have no doubt that the corporation would act in the corporation’s best interest. My guess is the policy is silent on logging into your Google account from work. And because the policy was silent on it probably no one thought of using enterprise control to enforce a policy that probably didn’t exist.
This is classic cybersecurity. Let me just pause here. Everyone thinks that hacking an organization is about finding a technical vulnerability. It’s about finding gaps in process, policy and technology and exploiting them in ways that someone didn’t have the imagination or foresight to prevent. Kudos to the attackers, they had a lot of imagination on this one. If an organization is using Google there’s a way to manage their password login process so staff can only log into corporate assets and they can’t log into their personal Google account. But it raises the interesting question of managing the enterprise browser. Chrome’s ubiquity, its popularity, has led people just to say, ‘Oh well. The user installed Chrome.’ Even in organizations that control the installation of applications … and Chrome is an approved app, how many of those are effectively managed by the organization? Generally it requires a fairly sophisticated IT team. Even in some of the big Fortune 500 plus enterprises, browser-level controls are not as prevalent as people assume.
Howard: The other thing that isn’t clear in this explanation is why this particular Okta employee’s computer was hacked? Was he targeted? Was this just a coincidence?
David: One hell of a coincidence. At this point the chain of these things would lead me to believe, No. Okta has a giant target on its back as a global-scale identity and access management provider. We’ve seen several attacks [against it] — the teenage kids from Lapsus$ managed to score a hit. So I think this was targeted. I think that they’re always going to have a long list of nation-states that are just dying to get into their business because then they can go from there into other parts of the supply chain. Part of the bargain of moving from your on-prem to cloud-based solutions was the promise that you would get some security dividends from that, but there may be security liabilities to the concentration of having such a large player hold so many keys to the kingdom.
Howard: What are the lessons to be learned from this incident?
David: Number one, the more complex the IT environment the more things that you have to spend some time thinking about how they could get pwned. How many security teams are resourced appropriately to be proactive in thinking about these things? It’s damn near impossible to have an accurate software inventory, and even if you do are you resourced to make sure that there are proper controls around all of those things? For a security company, you would think this is necessary. But if this is happening to a global top-tier security company in the identity space how well protected are our critical infrastructure — financial institutions, telcos and others? You can bet that there’s going to be more of this going down.
The other part that’s really interesting is these HAR files. We’ll dive into that a bit more, but was there a better process that Okta could have put in place to strip out sensitive information [like session tokens]? Because they didn’t need them. You know, a couple of days after the breach someone had built an open source tool to do exactly that [automatically strip tokens from HAR files]. Why weren’t organizations proactive in the first place?
Howard: Certainly one lesson is you’ve got to make sure that employees understand you can’t use company-owned laptops or smartphones for personal uses. You can’t log into your personal accounts.
David: Absolutely, particularly if they are highly privileged users.
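The HAR sanitization David refers to, as an added example that is not from the podcast, from Okta, or from the open source tool he mentions: a Python scrubber that redacts Authorization and Cookie headers and every cookie value in a HAR file before the file leaves the organization. The HAR entry, host name and token values below are constructed, and the list of sensitive header names is an assumption to extend for your own environment.

```python
import copy
import json

REDACTED = "[REDACTED]"
# Header names that carry credentials or session material (assumed list; extend as needed).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}

# Constructed HAR 1.2 fragment; the host, bearer token and cookie values are made up.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET", "url": "https://support.example.invalid/api/v1/users",
        "headers": [{"name": "Authorization", "value": "Bearer eyJ-constructed-token"},
                    {"name": "Cookie", "value": "sid=102abc-constructed"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "102abc-constructed"}]},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=102abc-constructed; Secure; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "102abc-constructed"}]}}]}}


def _scrub(pairs, names=None):
    """Overwrite the value of each name/value pair whose name is in `names`
    (or of every pair when names is None). Returns how many values were replaced."""
    replaced = 0
    for pair in pairs:
        if names is None or pair.get("name", "").lower() in names:
            pair["value"] = REDACTED
            replaced += 1
    return replaced


def sanitize_har(har):
    """Return (sanitized deep copy, redaction count). The caller's dict is left
    untouched, so the unredacted capture can still be inspected locally."""
    out = copy.deepcopy(har)
    count = 0
    for entry in out.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            count += _scrub(msg.get("headers", []), SENSITIVE_HEADERS)
            count += _scrub(msg.get("cookies", []))  # any cookie may be a session id
    return out, count


def sanitize_har_text(text):
    """Wrapper for a HAR file read as a string: returns (scrubbed JSON text, count)."""
    har, count = sanitize_har(json.loads(text))
    return json.dumps(har, indent=2), count
```

Run the scrubbed copy through a text search for the original session values before sharing it; the redaction count is a quick sanity check that the expected headers were actually present.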