1. We didn't compromise any laptop? It was a thin client.
2. "Okta detected an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider." -
I'm STILL unsure how its a unsuccessful attempt? Logged in to superuser portal with the ability to reset the Password and MFA of ~95% of clients isn't successful?
4. For a company that supports Zero-Trust. Support Engineers seem to have excessive access to Slack? 8.6k channels? (You may want to search AKIA* on your Slack, rather a bad security practice to store AWS keys in Slack channels )
5. Support engineers are also able to facilitate the resetting of passwords and MFA factors for users, but are unable to obtain those passwords. -
Uhm? I hope no-one can read passwords? not just support engineers, LOL. - are you implying passwords are stored in plaintext?
6. You claim a laptop was compromised? In that case what suspicious IP addresses do you have available to report?
7. The potential impact to Okta customers is NOT limited, I'm pretty certain resetting passwords and MFA would result in complete compromise of many clients systems.
8. If you are committed to transparency how about you hire a firm such as Mandiant and PUBLISH their report? I'm sure it would be very different to your report :)
21. Security Breach Management.
a) Notification: In the event of a Security Breach, Okta notifies impacted customers of such Security Breach. Okta
cooperates with an impacted customer’s reasonable request for information regarding such Security Breach, and Okta
provides regular updates on any such Security Breach and the investigative action and corrective action(s) taken. -
But customers only found out today? Why wait this long?
9. Access Controls. Okta has in place policies, procedures, and logical controls that are designed:
b. Controls to ensure that all Okta personnel who are granted access to any Customer Data are based on leastprivilege principles;
kkkkkkkkkkkkkkk
1. Security Standards. Okta’s ISMP includes adherence to and regular testing of the key controls, systems and procedures of
its ISMP to validate that they are properly implemented and effective in addressing the threats and risks identified. Such
testing includes:
a) Internal risk assessments;
b) ISO 27001, 27002, 27017 and 27018 certifications;
c) NIST guidance; and
d) SOC2 Type II (or successor standard) audits annually performed by accredited third-party auditors (“Audit
Report”).
I don't think storing AWS keys within Slack would comply to any of these standards?
I believe they are Brazil. Also a month or two back there were claims that a member accidentally doxxed themselves a couple times, and they were in Spain.
the Hive infograpgh (amongst others) always comes to mind; 18 characters long, upper, lower, numerical, special. estimate time to brute force 438tn years.
not OP but I only have to remember two 18 character passwords, my laptop and KeepassXC. I use all of OP's suggestions as well as mixing languages, one being an indigenous language that only about 20K people in the world know, together with a little leet speak. I haven't been breached since the early 2000's.
ironic how just a few stories down is an article about how approx 50% of steam payments with bitcoin (when they accepted it) were fraudulent... everyone wanting a quick buck without doing the work
That was Steam's fault for accepting unconfirmed transactions.
You can make a fake Bitcoin transaction but you can make 2 transactions using the same funds but going to different addresses. Only one of those will end up on the Blockchain. If steam waited for the transaction to appear on the Blockchain instead of just the mempool, they wouldn't have had the problem.
i think I'll still with the sheldon method, built countless amounts of wheels and never needed or thought i needed to add unnecessary tech to what is such a simple job
It depends what you’re allowing it for. For most companies, letting people use gmail with strong authentication and short sessions on personal computers that are patched, encrypted and up to date is a very small risk compared to the productivity gains. If you’re a bank and you’re giving access to an internal app with customer data or worse money then definitely not!
I think this can be pretty much summed up along the lines of: way back when colour was introduced into film people wanted to show it off more, it was something magical whereas now everyone wants to be all edgy and gritty.
Or.... it's the lizard people controlling the world and making everyone miserable by using only dark grim colours?!
