1Password detects "suspicious activity" in its internal Okta account(blog.1password.com) |
This comes immediately after 1P's forced transition away from local app with local storage to Web app with cloud storage, and assurances that their security stance and practices would make a breach unlikely. If they had stuck with the old model, a breach would have no chance of impacting users, but now, we're left scratching our heads and speculating about the true extent of the damage.
Well, since 1P clients are not open sourced, you always have to trust that they implement their white paper correctly, and this is true regardless of whether it is before or after the transition.
Now, if you do trust them, then you should believe them when they say that "IdP is only used to authenticate downloads of _encrypted_ secrets and the decryption only happens on device with a local credential", in which case a breach of IdP still would have no chance of impacting users.
I have a lot of rants about this transition, but the storage location of encrypted data is never something I worry about. In the past it was my personal iCloud/Dropbox accounts, now it's my 1Password.com account. Am I missing something?
Getting access to this data is the holy grail for attackers - it is preposterous not to have a local-only or "saved on iCloud only" model. Clearly the only reason they removed this ability was the juicy, juicy subscription revenue, which requires them to hold the data.
They may have avoided a breach this time but have they previously been breached? Will they be breached in future? The possibility of each is non-zero.
Needless to say, I'm still using the older version and am planning how to transition once it stops working after an OS update.
People have long lost the difference in meaning between "security" and "convenience". They now believe the two are interchangeable.
Not sure they're wrong. There are so many IT departments and websites that force dumb practices which are detrimental to both: frequent password changes, required low-entropy recovery question options, etc. And then on the other side, some really convenient flows with reasonable security, e.g. streaming apps that show you a short temporary credential you can copy from your Roku's screen to your signed-in computer/phone rather than requiring you downgrade your permanent password to something easier to enter on the Roku keyboard. So while fundamentally you're right that "security" and "convenience" are in tension, in practice I think the bigger factor is competence and care of the dev and admin teams.
Securing a large organization populated by regular human beings is extremely difficult, and is an exercise in balancing theoretical security with convenience.
Okta and 1Pass are incredibly well designed and the companies do all of the right things when it comes to security and audit processes.
I know that troubleshooting for pwms is hard, but leaving unencrypted files to access accounts on a server that’s not governed by the same threat-model seems very negligent to me.
I then have a BTC node that will send me an SMS if those coins ever move.
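The tripwire in the comment above (a node that alerts when canary coins move) can be expressed as a small watcher over the output of a full node's `listunspent` call. The code below is an added illustration, not the commenter's setup: it assumes a poll loop feeds it successive `listunspent` snapshots, the canary address and UTXO values are constructed placeholders, and `notify` stands in for whatever SMS hook the operator uses.

```python
# Canary-wallet watcher (added example). Input shape mirrors bitcoind's
# `listunspent` result: a list of dicts with txid, vout, address, amount.
# Everything below is constructed sample data, not real chain state.

# Placeholder address; a real deployment watches a real canary address.
CANARY_ADDRESS = "bc1q-placeholder-canary-address"

BASELINE = [  # constructed: one confirmed output holding the canary funds
    {"txid": "11" * 32, "vout": 0, "address": CANARY_ADDRESS, "amount": 0.5},
    {"txid": "22" * 32, "vout": 1, "address": "bc1q-placeholder-other", "amount": 0.01},
]
POLL_UNCHANGED = list(BASELINE)            # constructed: nothing moved
POLL_SWEPT = [BASELINE[1]]                 # constructed: canary output is gone


def utxo_keys(listunspent, address):
    """Set of (txid, vout) pairs currently unspent for `address`."""
    return {(u["txid"], u["vout"]) for u in listunspent if u["address"] == address}


class CanaryWatcher:
    """Tracks the canary's unspent outputs between polls and flags any spend.

    A spend shows up as an output that was present last poll and is absent now.
    New outputs (someone sending *to* the canary) are reported but not alerted.
    """

    def __init__(self, address, baseline, notify=print):
        self.address = address
        self.known = utxo_keys(baseline, address)
        self.notify = notify

    def check(self, snapshot):
        current = utxo_keys(snapshot, self.address)
        spent = self.known - current
        new = current - self.known
        self.known = current
        if spent:
            msg = f"CANARY TRIPPED: {len(spent)} output(s) spent from {self.address}"
            self.notify(msg)  # hook for SMS/pager; print by default
            return {"alert": True, "spent_outputs": sorted(spent), "message": msg}
        return {"alert": False, "new_outputs": sorted(new)}


if __name__ == "__main__":
    watcher = CanaryWatcher(CANARY_ADDRESS, BASELINE)
    print(watcher.check(POLL_UNCHANGED))   # no alert
    print(watcher.check(POLL_SWEPT))       # alert: the 0.5 output is gone
```

One caveat a practitioner would want: `listunspent` reports confirmed outputs by default, so this fires once the sweep is mined, not while it sits in the mempool. For a faster signal, bitcoind's `-walletnotify` option runs a command on wallet transactions as they are seen, and the same "known minus current" comparison can be applied there.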
I'm curious whether companies have faced this hard reality and decided that buying liability insurance + doing things inhouse is more economical & better for business.
Now, sure, technically there may be circumstances when you can technically/legally shift liability. But your customers don't care - they have the relationship with you. So the third parties problems, are your problems.
IF that were true. No way would it be cost effective at my company to try to internally reimplement 1Password's functionality though. I also would not trust it to be more reliable or more secure than 1Password.
For large companies, however, it seems like a liability, but I would hope an IdP would still be more competent, on average, than internal IT staff (obviously there are tech companies that have needed to deal with this for a long time with success). If a large business’s competency is not tech, there is some likelihood they can’t evaluate the robustness of their IT infrastructure.
That’s not a reason. Haven’t you read any terms of service and user agreements? The vendor never accepts responsibility.
So the culprit seems to have been the session information in the HAR. It made me wonder about a few things. What were they troubleshooting with Okta that required sending a HAR over, of their own interaction with Okta? And why are the session lengths so long, wouldn't Okta dogfood and use their own JWTs with limited lifetime?
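The comment above points at the practical lesson of this incident: a HAR file is a full JSON record of browser traffic, so it carries cookies, Authorization headers and any tokens in request or response bodies. The script below is an added example (not from 1Password, Okta or the commenter) showing how to scrub those values before a HAR leaves your hands; the sample HAR and its token strings are constructed, and the header list and JWT pattern are the author's assumptions about what usually needs redacting.

```python
# HAR scrubber (added example). Redacts session material from the standard
# HAR 1.2 layout: log.entries[].request/response .headers, .cookies, and the
# request postData.text / response content.text bodies.
import json
import re
import sys
from copy import deepcopy

# Header names whose values routinely carry bearer tokens or session cookies
# (assumed list; extend for your own apps).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie",
                     "set-cookie", "x-api-key", "x-auth-token"}
# A JWT is three base64url segments joined by dots and starts with "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
REDACTED = "[REDACTED]"


def _redact_pairs(pairs, names=None):
    """Redact values in a HAR name/value list. names=None redacts every entry."""
    count = 0
    for item in pairs:
        if names is None or item.get("name", "").lower() in names:
            if item.get("value") != REDACTED:
                item["value"] = REDACTED
                count += 1
    return count


def _redact_jwts(obj, key):
    """Replace JWT-looking strings inside obj[key] (a body text), if present."""
    if isinstance(obj, dict) and isinstance(obj.get(key), str):
        obj[key], n = JWT_RE.subn(REDACTED, obj[key])
        return n
    return 0


def redact_har(har):
    """Return (redacted copy, number of values redacted). Input is untouched."""
    har = deepcopy(har)
    total = 0
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            total += _redact_pairs(msg.get("headers", []), SENSITIVE_HEADERS)
            total += _redact_pairs(msg.get("cookies", []))  # all cookie values
        total += _redact_jwts(entry.get("request", {}).get("postData"), "text")
        total += _redact_jwts(entry.get("response", {}).get("content"), "text")
    return har, total


def har_is_clean(har):
    """True if a redaction pass would change nothing, i.e. safe to share."""
    return redact_har(har)[1] == 0


# Constructed sample capture; every token value here is fake.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET", "url": "https://idp.example.invalid/api/v1/users/me",
        "headers": [{"name": "Authorization", "value": "Bearer fake-token-0123"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "fake-session-id"}],
        "postData": {"mimeType": "application/json",
                     "text": "{\"token\":\"eyJhbGciOi.eyJzdWIi.c2ln\"}"},
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=fake-session-id; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "fake-session-id"}],
        "content": {"mimeType": "application/json", "text": "{\"ok\":true}"},
    },
}]}}


if __name__ == "__main__":
    # Usage: python har_scrub.py capture.har  -> writes capture.redacted.har
    if len(sys.argv) == 2:
        with open(sys.argv[1], encoding="utf-8") as f:
            clean, n = redact_har(json.load(f))
        out = sys.argv[1].rsplit(".", 1)[0] + ".redacted.har"
        with open(out, "w", encoding="utf-8") as f:
            json.dump(clean, f, indent=1)
        print(f"redacted {n} value(s) -> {out}")
    else:
        clean, n = redact_har(SAMPLE_HAR)
        print(f"sample: redacted {n} value(s); clean now: {har_is_clean(clean)}")
```

Redaction is the first half; the other half is the point the commenter raises about token lifetime. A scrubbed HAR protects you if the file is mishandled, while short-lived sessions limit the damage when one is not, and both belong in a support workflow that asks for these files.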
Someday it will be much, much worse. Someday someone will manage to breach and take control of a bigger one in a bigger way, and will instantly gain root on a large subset of the entire computing ecosystem. There's a trend of even delegating things like ssh to systems under OIDC control, so I'm not using root metaphorically.
But hey, OIDC is convenient and that's all that matters in computing.
It’d be based on keys you control so there’s no way someone could hack some master database or key authority and own the entire universe. That’s a distinct possibility today.
Plausible scenario: highly sophisticated nation state sponsored break-in at Google with cooperation from inside, used to launch a sudden mass malware infection attack against hundreds of millions of systems.
It's odd that they wrote that right out there on an incident report publicly shared and related to such a high profile potential breach though, for something like this it really has to be more of a 1st step triage than a definitive nope nothing weird here...
Or is something like 1Password truly secure at its core, even if an attacker penetrates some layers of access?
With that said, there is a lot of rebuttals to this that begin with "but, that assumes..." that I'm sure some of our fellow HN peeps will point out here :)
Any other takes?
1. because people want to know if their for-money proprietary password storage company got hacked
2. because if in the future they actually get owned, "oh yeah, it sorta happened another time also but we didn't say anything" is a terrible look
Does not mean it didn’t happen
Also, don't use 1Password or LastPass. KeePassXC, PasswordSafe, Dashlane, or properly-configured Bitwarden.
Doesn’t seem like a particularly strong counter-argument, unless the point is that sometimes we humans like to err on the side of recklessness in the name of progress.
or the harmful effects were missed, and the drug is dangerous
It just simply isn't worth the investment for CIO/CTO/CISO types because it isn't sexy. To say it's impossible is just factually inaccurate.
I know more than a few places doing 40gbps and 100gbps full packet capture for 30+ days. And relatively speaking, the investment isn't that large (for tens of petabytes it isn't as expensive as you might think).
Complacency will result in more leaks and less knowledge of them maybe?
I reckon “passwords on a notepad in pen and ink” is safer plus passkeys like yubi.
If someone breaks into your home you got other concerns..
simultaneously, Okta seems rather bad at their job of not getting hacked and having proper fucking audit logs
Anyone else?
Wow.
In general I would regard anyone using a password manager that uses a cloud service and/or phones home to be unreasonable. But even if you believe that this is a good idea, at this point everyone should drop 1Password as they clearly do not have the competence to run such a service.
That's one expensive alert.
then just alert yourself when the native asset is moved to that address, because then someone is trying to sweep. your node can also send some of the same asset faster at a higher transaction fee and move all of your tokens somewhere safe
people already do this
mostly as a scam to take the tiny amount of funds that thieves send to try to move the more lucrative bounty
you can take this one step further and have many assets worth sweeping, including assets that merely look like lucrative tokens. one of those is backdoored so that the transfer() function is nonstandard and transfers all the assets out of the attacker's address when they try to move yours. or you can at least get just your own assets back if you want to be morally superior, moved to a safe address. this won't work if they don't take your backdoored token though. but all other parts about intercepting your assets before accepted into a block still would.
Why not fill the vault with canary accounts and tokens instead? There’s services that do it for you.
Sorry man, I dunno if this is a weird flex or what, but it's kind of ridiculous to leave $15K of bitcoin as a canary for your password manager. Gotta call a spade a spade.
i don't think that is a bad idea. It can be a cheaper one or a replica. The idea is it's a small price to pay when being deceived costs far more
Actually, no - if they implement their whitepaper incorrectly, and I manage to keep my insecurely-encrypted vault blob private, I'm still safe. Bad implementation is only a risk if there is also a data breach. This is defense in depth. Your argument is based on an all-or-nothing model of trust, rather than one where trust can be contextual and partial.
Would you be comfortable uploading your vault somewhere 100% public, rather than behind authentication with iCloud/Dropbox/1P, since it's safely encrypted?
The irony is that as a user since at least version 3, I would have easily kept paying a yearly subscription fee just for the same local+sync they had before centralizing. It’s clear that most tech businesses need stable recurring revenue in order to keep doing their best work.
They could have probably done an Amanda Palmer-style patreon (donations fund the ability to make all work public) for individuals/families and a straightforward high-cost enterprise subscription and been just as big if not bigger.
You just went from "significant financial harm" to "significant financial harm, and 0.5 BTC".
I would expect the BTC to be moved first and foremost which would hopefully give me enough time to mitigate any other damage that could be caused by the content of my password manager being exposed.
An intruder will rifle through the top drawers and go for the obvious stuff and let's face it half a BTC is a bit of a shiner. You seem to be able to afford to lose it, given that its loss will trigger the shutters coming down and hopefully allow you to secure the rest of your stuff.
I get that and hopefully that is close to the last resort in your defence in depth approach to security.
There is no tax penalty for moving bitcoin. You should definitely move most of this elsewhere.
Museums and galleries etc put their wares on show in public - can you be sure that what is shown is what you think it is or secured as you think it is?
Please don't describe anyone as dumb - it's as much demeaning to you as it is anyone else.
It's a question about not touching an easy $15k, in exchange for a chance at a bigger score.
I'd assume most attackers wouldn't be able to resist securing the low hanging fruit first.
And even if there's a parallel move, it's even less likely they would leverage everything but the $15k, so OP would still receive a realtime indicator of compromise.
From a game theory perspective, it's a pretty compelling trap for OP to get what they want.
If OP is part of a bigger breach, those data dumps will almost certainly get analyzed automatically and multiple wallets swept at once. Passwords to interesting stuff likely aggregated and then tried. It’s not some script kiddy that browses through the vault one by one
(a) Trivially accessible Bitcoin is stolen or (b) passwords are used to ferret items/info of value out of additional individual sites
For OP's plan to fail, someone has to leave $15k laying on the table, in plain sight and for the taking, while they plan their subsequent moves. Which is why the amount matters.
Your average attacker might be equally motivated to go for $20k, or $10k, or $5k. $1k, maybe not. $100, probably not. $1, almost certainly not.
There's an interesting game to play in minimizing the cost at no hit to efficiency.