Brett Winterford and Defensive Cyber Operations

Detecting Real-Time Phishing Attacks

In the last two installments in our series on phishing resistance, we discussed phishing resistant authenticators and how to gather signals about phishing lures directly from your users. Now let’s drill down into detection and response: what signals does Okta’s System Log provide that are indicative of in-flight phishing campaigns? Okta’s Defensive Cyber Operations team routinely identifies phishing infrastructure configured to imitate an Okta sign-in page and proactively notify Okta customers...

Okta

Okta’s Response to OpenSSL Security Update

The OpenSSL Project has announced the availability of a security update (version 3.07) that addresses a vulnerability affecting OpenSSL versions 3.0 and above (3.0.0 - 3.0.6). The two CVE’s are listed below: CVE-2022-3602 CVE-2022-3786 Response Okta’s engineering teams have applied patches and other mitigations, where required. Customer Guidance For both CVEs, the severity level has been listed as “high” and the following information has been made available: OpenSSL versions 3.0.0 to...

Chris Niggel and Brett Winterford

Monitoring for Abuse of Administrative Privileges

All applications require a highly-privileged administrator role to deploy and maintain that application. The monitoring and oversight (audit) of actions performed by users with these roles is a cornerstone of any well-designed security program. A number of research projects have highlighted ways in which the most privileged administrators in Okta could, if unchecked, abuse their privilege in some way. These research efforts serve to reinforce some long-held security principles: most notably...

David Bradbury

System Log: a Window into Supporting the Okta Cloud

Transparency is a core value at Okta. In April 2022, Okta committed to a range of initiatives that aim to drive greater transparency in how we respond to security incidents. One of those commitments was to provide our customers with insights into all the things our customer support teams do behind the scenes to deliver the unrivaled experience that is the Okta Identity Cloud. Under 2.6 in our Security Action Plan: “Okta will enhance the Okta System Log so that every customer support...

Brett Winterford

The Human Factor in Phishing Resistance

In the wake of recent security events at Uber and Twilio, organizations are understandably interested in pivoting to authenticators that offer the most resistance to phishing attacks. In this second part of our series on phishing resistance, we consider the human element. All organizations should aspire to a state in which technical and operational controls reduce the burden on end users to identify and respond appropriately to social engineering. Large numbers of Okta customers are pivoting...

Auth0

Auth0 Code Repository Archives From 2020 and Earlier

Notification of Auth0 Code Repository Archives Security Event: No Customer Action Required, Auth0 Fully Operational. In alignment with our core value of transparency, we are communicating about a recent security event related to certain Auth0 archival code repositories; there is no impact to customer data. This does not impact any other Okta products.

Brett Winterford

Phishing Resistance and Why it Matters

In the wake of recent security events at Uber and Twilio, organizations are understandably interested in pivoting to authenticators that offer the most resistance to phishing attacks. So what is phishing resistance, and why does it matter? Credential theft remains the primary means by which attackers gain unauthorized access to systems. In 2021, over 80 percent of successful attacks on web applications stemmed from credential-based attacks such as phishing, credential stuffing and password...

Defensive Cyber Operations

Detecting Scatter Swine: Insights into a Relentless Phishing Campaign

Summary Twilio recently identified unauthorized access to information related to 163 Twilio customers, including Okta. Access was gained to internal Twilio systems, where data of some Okta customers was accessible to a threat actor (detailed below). Okta has determined that a small number of 1) Mobile phone numbers and 2) Associated SMS messages containing one-time passwords (“OTPs”) were accessible to the threat actor via the Twilio console. Okta has notified any customers where a...

Moussa Diallo and Tim Peel and Brett Winterford

Defending against Session Hijacking

Multi-factor Authentication (MFA) is very effective at limiting what an adversary can do with a stolen password. According to research commissioned by Google in 2019, MFA thwarted 99% of automated credential-based attacks and 93% of phishing campaigns. It remains one of the most essential and effective controls against account takeovers. In some circumstances (outlined below), MFA can be bypassed. Okta’s Cyber Threat Research team has observed the proliferation of malware designed to extract...

Page 1 of 8