Brett Winterford

Auditing your Okta org for Legacy Authentication

Using Okta System Logs to monitor use of basic authentication to Office 365: As promised on the Risky Business podcast, here are some System Log queries to help Okta administrators weed out examples of clients connecting to their Office 365 tenant over basic authentication (“legacy authentication”, in Microsoft parlance.) If you already know why these authentication methods are risky, skip straight on to the queries and containment strategies. Otherwise, read on!   In 2019, Microsoft announced...

Vickie Li

Malware Detection Using Yara And YarGen

Malware can often be detected by scanning for a particular string or a sequence of bytes that identifies a family of malware. Yara is a tool that helps you do that. “Yara rules” are descriptions that look for certain characteristics in files. Using Yara rules, Yara searches for specific patterns in files that might indicate that the file is malicious. Let’s take a look at this example rule taken from Yara’s official documentation page. rule silent_banker { meta: description = "This...

Seth Rosenblatt

Why BGP Hijacking is Still a Threat

When the Internet goes down, rendering everything inaccessible from mission-critical business services to mental stability-critical meme generators, is it because of an accident or malicious hackers? In the case of BGP hijacking, it could be either—and sometimes both. Consider the BGP hijacking incident on April Fool’s Day last year, which caused massive Internet service disruptions just as the world was beginning to grapple with the consequences of the COVID-19 pandemic. Internet traffic that...

Sean Frazier

Executive Order on Improving the Nation’s Cybersecurity — Ushering in a New Age of Security

Yesterday, President Biden took a major step forward in ensuring that the US government has the resources and focus needed to address our cybersecurity needs with the issuance of Executive Order on Improving the Nation’s Cybersecurity. This focus is long overdue. For nearly a decade, we’ve lived in this tenuous world where the next critical cyber event lies just around the corner, but the seeds were planted long before that. The day we decided to connect our agencies or our enterprises to the...

Ron Waisberg

Uncovering and Disclosing a Signature Spoofing Vulnerability in Windows Installer: CVE-2021-26413

Okta Security has discovered and disclosed a new bypass in Windows Installer (MSI) Authenticode signature validation that could allow an attacker to disguise an altered package as legitimate software.

David Bradbury

A CSO’s perspective on the recent Verkada cyber attack

At Okta we are committed to ensuring the safety of our employees and workplaces. Nothing is more important to us than the trust of our employees, customers and partners. Transparency is one of our core values and in that spirit, I wanted to offer a reflection on the recent Verkada cyber attack. We partner with a number of cloud technology companies to achieve our holistic approach to security, and one of those companies is Verkada. It supplies us with cameras that we use in our office entrances...

Vickie Li

Why Is It So Hard To Prevent Open Redirects?

In my last post, we talked about how open redirects can allow attackers to steal tokens from OAuth systems. Today, let’s take a deeper dive into open redirects and explore why it’s so prevalent in web applications! Sites often have HTTP or URL parameters that cause the web application to redirect to a specified URL without any user action. Open redirects are a type of vulnerability that happens when an attacker can manipulate the value of this parameter and cause users to be redirected...

Vickie Li

Stealing OAuth Tokens With Open Redirects

SSO is a feature that allows users to access multiple services belonging to the same organization without logging in multiple times. For example, if you are logged into “”, you won’t have to re-enter your credentials to use the services of “”. This way, companies with many web services can manage a centralized source of user credentials instead of keeping track of users for each site. And, users won’t need to log in multiple times when using the different services...

Marc Rogers

SAML Certificate Security: The Latest Findings and Potential Impacts

Recently, the National Security Agency (NSA) published new findings that reference how previously discovered tactics, techniques, and procedures (TTPs) abusing federated authentication could be used in conjunction with on-premises network access to gain broad access across an organization’s applications. The Cybersecurity and Infrastructure Agency (CISA) has also updated its bulletin to include these attacks, and Microsoft has also published insights. This advisory comes on the heels of the...

Vickie Li

More Than Subdomain Takeover: Ways To Takeover, Hijack And Impersonate Your Website

In my last post about subdomain takeovers, we talked about what subdomain takeovers are and how hackers can use them to attack shared-session SSO. Today, let’s dive deeper into subdomain takeovers and some other ways hackers can hijack your website. Subdomain Takeover Recap Subdomain takeover is when a hacker takes control over a company’s unused subdomain. It happens when a stale DNS entry points to a domain that is available for registration. Let’s say a company hosts its site on a...

Page 1 of 6