OneLogin: Breach Exposed Ability to Decrypt Data
krebsonsecurity.comThe recent update from Krebs gives some interesting details into how the attack took place, something we don't get to hear very often:
“Our review has shown that a threat actor obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US. Evidence shows the attack started on May 31, 2017 around 2 am PST. Through the AWS API, the actor created several instances in our infrastructure to do reconnaissance. OneLogin staff was alerted of unusual database activity around 9 am PST and within minutes shut down the affected instance as well as the AWS keys that were used to create it.”
Credit where credit is due, that's a pretty quick response time for data breaches, which are normally quoted as being discovered in an average of 30 or so days.
However the fact people's information can be decrypted from this breach is awful. Sounds a lot like the private key to decrypt this information was stored alongside the data in the database... whoops! That's like storing the clear text password. Let's hope the decrypted information contains strongly hashed passwords, but I'm not holding my breath.
> Sounds a lot like the private key to decrypt this information was stored alongside the data in the database... whoops!
Not necessarily, even if this was done "properly" there is no guarantee that from the internal network there wasnt a separate exploit that the attacker could use to gain access to a different node which had the key in memory. With breakages like these you generally have to assume that anything that is theoretically possible has happened.
Eerily similar to the controversial Instagram bug last year:
Post: http://www.exfiltrated.com/research-Instagram-RCE.php
Discussion: https://news.ycombinator.com/item?id=10754194
Leak your cloud provider keys, leak everything. These should be kept under close scrutiny and locked down as much as possible.
Think about a single-sign-on service: by definition, the service would have the ability to generate/access tokens that would grant a user access to other applications. Therefore, a breach in any kind of SSO service would result in granting access to people's information -- no decryption needed!
That's true, but the SSO service itself can run on the users computer, so there is no need for the service to be able to decrypt the users data, only for it to be able to persist encrypted data.
Lots of confusion in all the posts about OneLogin - they are not a password manager like lastpass, they are a Single Sign-On (SSO) and Identity Provider, meaning they integrate with other services, maintain a master directory of all users, and provide a single login UI for all connected apps.
Companies use OneLogin so employees have 1 service to enter their credentials and can then use federated access to apps like Google, Office 365, Salesforce, etc without signing in again, most often connected via SAML which uses public/private keys. The identity provider can also be external, so for example users can sign-in via the OneLogin UI but the username/password are actually authenticated against Office 365 Active Directory instead.
From reading many articles, it seems that OneLogin does have a service called "Password Cache", which sounds to me like a cache for passwords, perhaps for storing credentials to sites that do not have SSO..
See here: https://support.onelogin.com/hc/en-us/articles/201175264-Pas...
If they are storing the password and pushing it to the connected service on the user's behalf, then they have to be able to decrypt it somehow, and if the bad actor was able to intercept and decrypt data within the platform, then that may have included passwords stored using this mechanism perhaps
If they are storing the password and pushing it to the connected service on the user's behalf, then they have to be able to decrypt it somehow
By storing so many passwords in one system, they made that system a high value target, all while not having the security chops they thought they had.
Password vaults should be distributed. This prevents the conglomeration of password secrets that creates a high value target. They would've been wise to have a series of password vault apps that are integrated with their system. They could have done this by leveraging Password Safe.
This is by far the best argument for decentralization of almost anything that is not meant to be public. You probably will lose some of it but at least you won't lose all of it.
If they are storing the password and pushing it to the connected service on the user's behalf, then they have to be able to decrypt it somehow [...]
But not necessarily all of them all the time. The decryption key could be derived from the master password of each user and only kept around while the user is logged in.
That wouldn't work, at least for a lot of customers, because they authenticate a user based on a chain of trust back to the customer's on-prem Active Directory instance. An agent running on the customer's infrastructure leverages Kerberos/NTLM to authenticate the user then passes a token back to the identity provider. As a result there are authentication flows where the provider never sees the password.
Many providers do have an agent that runs on the AD servers that MitM captures the passwords when the user rotates them but that's a lot more involved to get setup. They could either force use of that AD agent or remove the functionality entirely and force users to manage a password with the service but it would either make on-boarding slow/impossible or really reduce the convenience factor for users. It's something every identity provider would need to do (or be forced to do) because the ones that didn't would steal away all of their customers.
That depends on how the service works I suppose. Does a user have to enter a master password when they log into OneLogin, or does an SSO service authenticate them to OneLogin, which then logs them into Twitter/Facebook/etc?
If the latter, then OneLogin has to possess the ability to decrypt the passwords without user input (edit: although I suppose the SSO token coming from the client could be the key? I don't know if that's possible or how that would work - the key would still need to be cached for some period of time post-auth either way I would think)..
The other big thing is lots of saas companies don't implement multiple users per company initially, so you end up with a google doc with all the shared passwords of things like analytics/ads providers. This way you get a unique login, acls, etc by hiding the shared password inside onelogin
I've used these, but refused to put more important things like aws in there.
it's a semantic argument. You are not storing passwords in an SSO service, but it is passing tokens to authenticate access based on the asserting/relying relationship between IdP and app. The reason I say it is semantic is that while you are not storing passwords, you are sitting on a trove of access credentials. What is different about an SSO app that is of huge value is that cutting off access is not a function of changing passwords at the app level.
I think we agree on all the major points here, but I would not diminish the significance based on the fact that OneLogin is not a password vault.
OneLogin also stores passwords like 1Password. I used to work there.
It's a purely informational comment about what the service is, not about the significance of the security breach.
Any identity related service, especially one that also includes password manager and desktop login functionality along with secure notes, etc. being involved in something like this is a major issue. We were looking at using them but have decided to stick with Google instead.
This is my primary concern with SaaS identity providers--yes, they are easy to setup and administrate, but they are huge honey pots.
In addition, customers are unable to do any forensic analysis to determine how their data was affected.
> OneLogin’s blog post includes no other details, aside from a reference to the company’s compliance page.
The only option is to hope they provide customers with relevant information in a "timely manner", but that could be months for an organization with thousands of customers.
'Gartner Inc. financial fraud analyst Avivah Litan said she has long discouraged companies from using cloud-based single sign-on services, arguing that they are the digital equivalent to an organization putting all of its eggs in one basket.'
So it's better if that single point of failure the company puts all its eggs into is a hacked piece of shit by an engineer who couldn't build a secure login system if his life depended on it? This is a serious question and one that I've been struggling with at my current work and at every other job I've had in this industry without exaggeration. Plaintext passwords, passwords encrypted with an easily obtainable key, insecure hashes, no salts, etc. These things are the norm in DIY login schemes. This is what the quoted financial fraud analyst thinks is better and Krebs thinks is worth repeating? This should be the main point of discussion here, yet it's brushed off by the advice of a financial fraud analyst? Oh, our industry is fucked and I just lost a ton of respect for Krebs' reporting.
There are services companies can use as well that offer on-prem, integrated login solutions, not just DIY.
> After OneLogin customers sign into their account, the service takes care of remembering and supplying the customer’s usernames and passwords for all of their other applications.
Isn't that at least somewhat analogous to using the same username and password on every site?
Kinda-sorta, in the same way a password manager is. It allows one strong password/2fa vs many likely weaker passwords.
In reality OneLogin is typically using a federated login protocol like SAML or OIDC to grant access to third-party services. This means it can also be used to immediately revoke access, without having to reach out to and reconfigure various services.
For SAML at least if the identity provider is compromised, meaning I can now issue tokens using it's certificate, each service will need to be provided with a new certificate. That requires 'reach out' to each service,
Yup - we had to reconfigure each service that uses SAML today.
Also don't forget having to audit each service's API keys/tokens/local users etc to make sure someone hasn't gotten access via a compromised certificate and then created a sneaky API key for them to use in the future.
Basically we had to assume every app had been compromised and rotate every internal key/certificate the was in each one, as well as reconfigure them with a new SAML certificate.
In cases where OneLogin provisioned third-party accounts for sites that didn't support SAML, they (at least used to) sync your OneLogin password to these third parties. It did not use unique per-site passwords.
If your OneLogin password was "pass123", so was the password for your OneLogin-managed accounts at Google, Salesforce, and so on. I believe but am not certain that this was even the case for some sites that used SAML but required passwords for non-HTTP access. Mail clients accessing Gmail is an example.
I do not know if this is still the case. I suspect it would not be difficult to check.
It's a bit of a double-edged sword, but mostly a positive. If this account is compromised, you're fucked. However, if any of your other accounts are compromised, all of the rest are safe. If you used the same password for all sites, that is not true. So basically, you're putting all your eggs in one basket, which you then hope is super safe. That makes this breach pretty scary.
An individual OneLogin relying party does not have credentials to leak that could be used anywhere else. It just verifies signed messages from OneLogin.
The sheer number of databases that have and can lose your password is most of the risk with password reuse.
Companies aren't going to maintain separate user tables for every authenticated service that employees use. The alternative is to have each service handle passwords directly and pass them through to an LDAP server, or run their own SAML IdP with considerable difficulty.
At least an individual company's IdP doesn't have the "hack many companies at once" target on its back.
I'm not a user of OneLogin, but if they store encrypted passwords and encryption keys, their security model is fundamentally broken imho and I'd never give them my passwords.
Better services (1password for example) are specifically designed to never know your master password/key to avoid this very situation.
You misunderstand: OneLogin is a web SSO implementation, not a password manager. By necessity they have access to customers' authentication services because OneLogin functions as a SAML/OIDC identity provider. It's no different than if you ran AD FS or Shibboleth yourself.
I'm also a 1Password customer and just went back to their site to confirm this. I was pretty sure they didn't store my master password or my secret key, because that would be insane..
I wonder if in this case OneLogin was the victim of a MITM attach while the attacker had access to their infrastructure?
So they didn't decrypt data at rest that they obtained but rather they captured activity in transit?
Either way it sounds like OneLogin had some implementation issues.
Does any of those better designed services support Linux?
I use enpass, which supports Linux. It's not open source, but it's built on an open source sqlite extension called SqlCipher. That doesn't guarantee the applications that use it are solid, but I like the tradeoff it provides.
All of them.
Except 1Password - unless you want to use it through the browser only which is no where near as convenient.
1Password and DashLane don't :/
LastPass
These SSO providers like OneLogin and Okta are incredibly high value targets. State-level targets. I predict that SSO providers and security tools (whether on-prem or SaaS) will be targeted and breached more and more often. The SSO providers are the middle men for accessing everything so they literally have the keys to the kingdom. Security tools are given incredible amounts of access and permissions without question.
As a result of trying to be more secure a big enterprise has gone from maybe a couple single points of compromise to several. It's not as easy to do script kiddie-level attacks but the tradeoff is that a very smart and/or well funded attacker now has some very, very powerful targets.
There seems to be a great need for an Open Source password vault codebase/library that:
Runs securely cross-platform, including tablets & smartphones
Can present a great looking UI across all platforms
Has no licensing issues in proprietary walled gardens
Can securely support plugins to integrate with webapps
How did this happen ? We see big companies getting hacked all the time, how do we protect our products ? I'm an engineer, and have no clue about how I could protect myself against such attacks.
One thing to remember in all of this is that services like OneLogin are likely a huge upgrade in security for their customers. They lower the barriers for moving away from things like shared passwords and poorly functioning in-house SSO setups.
It's easy for a Gartner analyst to sit behind a desk and pontificate about the ultimate-most-secure single-sign-on, but resource constraints are a thing. SaaS SSO is a very reasonable compromise for those who don't have the time, money, or talent to invest in on-premise infrastructure.
How was a central password store ever a good idea?
It was never a good idea. What it is is better than some really horrible alternatives. The horrible alternatives are having users pick their own weak passwords and use the same password for every site they log into. This is an especially bad problem with large companies which have a lot of unsophisticated employees and a lot of employees that simply don't care about security.
The worse alternatives is where the "top passwords" lists come from... those lists are from people that are not using any password store:
https://www.google.com/search?q=top+passwords+2017&ie=utf-8&...
The most horrible alternative I've seen: I once worked with a person who used his Outlook "contacts" as his "password manager." I discovered that after he quit and I was deactivating his accounts. Not only did he use Outlook "contacts" as his "password manager", but his passwords were discoverable (based on readily available personal information), guessable (e.g. pa$$word), and heavily reused either directly or as minor variations.
It's not a password store, SSO services like OneLogin are federated services that authenticate users with encrypted tokens. In a SAML transaction, or with OAuth, a username/password combination is never exchanged. How is this better, aside from user experience? For starters, the ability to disrupt access benefits from a single point rather than having to change passwords in every app. It also benefits from relying on a credential from a directory service that can then be used to provision access within the target application, which means you can have more granular role-based or dynamic access based on metadata like time of day or geolocation.
Yeah I used to be skeptical as well
In a perfect world, that is, if no service stored passwords with risible security, just remembering 2 or 3 strong passwords would be workable
Instead, since we live in a word where several system developers are inexperienced or just plain idiots, there is a need for passwords to be disposable
Password manager are worthy because they allow you to keep several different passwords and the strong password they require hopefully is not stored as MD5 anywhere.
I use onelogin. Should I change my password?
Come down to this: your most sensitive data is in danger of one misplaced character or one wrong click.
I'm thinking of splitting my logins into a set of essential information in a paper journal -- while keeping some transactional passwords on 1password. 1password was one of those times where I decided to trade off convenience for absolute security -- which I'm realizing is a mistake.