Moussa Diallo and Brett Winterford

How to Block Anonymizing Services using Okta

Summary: Every customer using the Workforce Identity Cloud and Customer Identity Solution can now block access requests originating from anonymizing services prior to authentication. Over the last month, Okta has observed an increase in the frequency and scale of credential stuffing attacks targeting online services, facilitated by the broad availability of residential proxy services, lists of previously stolen credentials (“combo lists”), and scripting tools. From March 18, 2024 through to...

Stephen McDermid

Why Cyber-heroes need a Zero Trust CAEP!

In the modern digital landscape, where threats evolve and organizational perimeters extend into the cloud, maintaining a strong security posture requires more than static defense mechanisms. This is where the Continuous Access Evaluation Profile (CAEP) and the Shared Signals Framework (SSF) come into play. At the recent Gartner Identity & Access Management Summit in London , Apoorva Deshpande, Okta Engineering Lead, along with other OpenID Foundation SSF Working Group members, demonstrated...

Okta

Okta Verify Vulnerability Disclosure Report - Response and Remediation

Summary Okta has confirmed and remediated a reported Okta Verify vulnerability. No action is needed by customers, and outside of the original proof of concept Okta did not identify any evidence of attempts to exploit this vulnerability. As part of our recent Okta Secure Identity Commitment, we are communicating this remediation to customers in the spirit of transparency. Response On April 5th, Okta received a report from a researcher at Persistent Security of a potential vulnerability in...

John Murphy

Defensive Domain Registration is a Mug’s Game

Summary: The time and effort spent on defensive domain registration would be better invested in writing phishing-resistant authentication policies. Today I want to make the case that registering domains for the sole purpose of protecting against phishing is tackling the phishing problem from the wrong angle. It is, to use a very British idiom, a “mug’s game”: an effort that’s unlikely to yield much success. Most organizations register additional domains based on various permutations of their...

Brett Winterford

Protecting Administrative Sessions in Okta

Privileged users have always been and should always expect to be under constant attack from motivated adversaries. Over the last 90 days, Okta has devoted many of our most skilled resources into a program of work that dramatically hardens the Okta Admin Console, resulting in a number of new features, a subset of which are listed below. New Feature Description Availability ASN Session Binding Okta automatically revokes an administrative session if the ASN (Autonomous System Number)...

Karl McGuinness

How to Secure the SaaS Apps of the Future

Over the past few years we’ve observed a fundamental shift in the threat model for highly targeted organizations. Today, if an attacker can’t manage to steal user credentials for highly targeted organizations, they will pivot to instead stealing a user’s proof of authentication. Attackers will use malware to steal session tokens from a user’s browser after they sign in. They may similarly use transparent proxies to steal session tokens from a user’s browser after they sign in. And as Okta’s...

David Bradbury

Okta October 2023 Security Incident Investigation Closure

Related Posts: Recommended Actions - Nov 29, 2023 / Root Cause Analysis [RCA] - Nov 3, 2023 / Security Incident - Oct 20, 2023 Stroz Friedberg, a leading cybersecurity forensics firm engaged by Okta, has concluded its independent investigation of the October 2023 security incident. The conclusions of Okta’s investigation have not changed, and Stroz Friedberg has confirmed there is no evidence of further malicious activity beyond what was previously determined by Okta. The October 2023 security...

David Bradbury

October Customer Support Security Incident - Update and Recommended Actions

Related Posts: Root Cause Analysis [RCA] - Nov 3, 2023 / Security Incident - Oct 20, 2023 In the wake of the security incident Okta disclosed in October 2023 affecting our customer support management system (also known as the Okta Help Center), Okta Security has continued to review our initial analysis shared on November 3, re-examining the actions that the threat actor performed. This included manually recreating reports the threat actor ran in the system and the files the threat actor...

David Bradbury

Unauthorized Access to Okta's Support Case Management System: Root Cause and Remediation

Executive Summary We offer our apologies to those affected customers, and more broadly to all our customers that trust Okta as their identity provider. We are deeply committed to providing up-to-date information to all our customers. On Thursday, October 19, Okta advised customers of a security incident. Having finalized our investigation, we can confirm that from September 28, 2023 to October 17, 2023, a threat actor gained unauthorized access to files inside Okta’s customer support system...

David Bradbury

Tracking Unauthorized Access to Okta's Support System

Okta Security has identified adversarial activity that leveraged access to a stolen credential to access Okta's support case management system. The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases. It should be noted that the Okta support case management system is separate from the production Okta service, which is fully operational and has not been impacted. In addition, the Auth0/CIC case management system is not impacted by this...