Security expert rips Okta for their response to hack

We have none other than Snorkel42 from Reddit on the podcast today. He has 20 years of experience in InfoSec and is a prolific writer on Reddit under the handle Snorkel42. (Check out his posts here: https://www.reddit.com/user/snorkel42/.) (We will not be using his given name during the recording.)

He thinks Okta managed to turn a molehill into a mountain by incorrectly handling the hack that happened in January – which we only learned about last week. That’s right, we just found out about a hack that actually happened in January!

We dive deep into what happened, what it means, and how the worst problem of all is how Okta responded to it. Our expert says he no longer trusts Okta, and gives advice to customers on what to do next.

This is a very timely episode that you will really enjoy – unless you’re an Okta customer or employee.

You can listen by pressing play above, or you can watch the video version below.

Episode Transcript


Snorkel42: can I make an admission real quick? I had no idea what that karma meant.

W. Curtis Preston: Yeah.

Snorkel42: I did not know what that number translated.

W. Curtis Preston: Hi, and welcome to Backup Central’s Restore it All podcast. I’m your host, W. Curtis Preston, AKA Mr. Backup. And I have with me my fellow photo-shoot model, Prasanna Malaiyandi. How’s it going, Prasanna?

Prasanna Malaiyandi: I’m good. That was a very interesting experience, but I had fun and it was good to see you too. What’s funny is that’s the first time I’ve been to an office in the last two years. It just wasn’t my office.

W. Curtis Preston: Right. Yeah, it is actually Druva’s new office. We moved from, we were over on California Avenue in Sunnyvale, and now we’re over on. What is it?

Prasanna Malaiyandi: Mission College.

W. Curtis Preston: Mission College in Santa Clara, across from the Intel Museum, I believe.

Prasanna Malaiyandi: Yeah, it’s one of Intel’s campuses.

W. Curtis Preston: Yeah. And so I wanted to do some photos for the podcast.

Prasanna Malaiyandi: Curtis is tired of his face being on the homepage or the title art for the podcast. But I liked your photo.

W. Curtis Preston: What’s that?

Prasanna Malaiyandi: I liked the picture of you on the podcast. Have you seen the new, the bearded contemplative one?

Yes, I have. That one’s also good too. Yeah.

W. Curtis Preston: I got lots of compliments on that photo, but I wanted your picture. I wanted this giant mane of yours to be captured, because I think one day you’re going to come to your senses and maybe cut it all off, and I want to capture it for posterity.

Prasanna Malaiyandi: And so we had a photo shoot, and it was a lot of fun doing that. Thank you, Alex, if you’re listening to this, that was awesome. Thank you for the help.

Alex did a great job, and there were just a couple of dudes taking photos in an office. It wasn’t awkward at any time.

Prasanna Malaiyandi: No, not at all.

W. Curtis Preston: Not at all. Yeah. Look longingly into each other’s eyes. Yeah. By the time you hear this, hopefully those photos, or some of those photos, will be up on the website at backupcentral.com. And before I bring on our guest, I’ll go ahead and throw out our usual disclaimer. I mentioned the Druva office; I work for Druva. Prasanna happens to work for Zoom.

This is not a podcast of either company. And the opinions that you hear are all ours. Be sure to rate us at ratethispodcast.com/restore and subscribe to the podcast. You can either do it in your favorite pod catcher, or you can go over to backupcentral.com and subscribe to our mailing list.

And we’ll let you know every time we come out with an episode, and we also are always looking for interesting guests. We have discovered a good one this week. I’m very excited to bring him on. And if you’re interested in the things we’re interested in, which are data protection, disaster recovery, backup and recovery, security, beer, barbecue.

Prasanna Malaiyandi: Barbecue. Definitely. Yes to barbecue.

W. Curtis Preston: Definitely. Yes to barbecue.

And then just reach out to me @wcpreston on Twitter or wcurtispreston@gmail.com.

Today I wanted to talk about a little something that has happened in the InfoSec world. Isn’t that right, Prasanna?

Prasanna Malaiyandi: Yep. Just a tiny little something, nothing big.

W. Curtis Preston: I’m flashing back to The Matrix. I don’t remember which one. I think it was the third one, the key master. You got the guy with all the keys. So we’re talking, of course, about the Okta compromise that went wide this week. So this guest, Prasanna,

Prasanna Malaiyandi: You’re excited, aren’t you, Curtis? Aren’t you?

W. Curtis Preston: I am. He’s shrouded in mystery. We’ve had guests on before where we’ve used pseudonyms, but I knew those people.

And so I knew their actual names. And then I had to pretend not to know their names and refer to them by Harry Potter and Ron Weasley. And you may recall that during the recording, occasionally I would slip up and call

Prasanna Malaiyandi: Yes. I remember that. Lots of editing for you. Lots of listening to it.

W. Curtis Preston: But in this case, I have no idea who this guy actually is. I just know that he knows his stuff. He has been in IT for 25 years, in the InfoSec space for about 20. He has, are you ready for this? He has a karma rating on Reddit of 33,000.

I’m excited that I’ve got like 600. He’s got 33,000, which means that at least 33,000 times someone has upvoted him. That’s impressive in and of itself, because Reddit is a crazy place where if you say things that people don’t like, even if you’re correct, they’ll vote you down anyway. So he’s managed to convince 33,000 people somewhere to click on what he wrote.

Welcome to the podcast, Snorkel42.

Snorkel42: Hello, can I make an admission real quick? I had no idea what that karma meant.

W. Curtis Preston: Yeah.

Snorkel42: I did not know what that number translated.

W. Curtis Preston: Every time you get an up vote, you get karma and every time someone downvotes you, your karma is subtracted from.

Snorkel42: Okay, now I know.

W. Curtis Preston: Yeah.

Snorkel42: I post in a number of non-IT subreddits where very much you can say the right thing, the correct thing, and they will get mad at you and downvote you, and then you just lost a bunch of karma.

W. Curtis Preston: And since I’m, especially compared to you, a relatively new Redditor, would that be the right word? And I’m trying to,

Prasanna Malaiyandi: Reddit poster.

W. Curtis Preston: It helps you bubble up into threads and things. It gives your posts more weight. So yeah, the fact that you have 33,000 is a BFD.

Snorkel42: I’ll get a t-shirt made.

W. Curtis Preston: Why don’t you describe what happened at Okta.

Snorkel42: Yeah, I guess to start, I don’t have any insider knowledge here. All I have is what’s been announced and what little Okta has been able to slip through their marketing and legal teams, but

W. Curtis Preston: We’re going to get

Snorkel42: to, right. But basically they contract out their customer support to a third party located in Costa Rica. And sometime around the end of January, an attacker from the Lapsus$ group gained access to one of those support engineers’ laptops, supposedly over RDP, which is something else to get into. And for about five days they had access to that laptop and were able to monitor, if not interact with, the privileged access that support engineer had.

So Okta has an internal application that they call a super user, which, by the way, what a terrible name, doesn’t mean that you have super user God mode necessarily. It’s just the administrative interface to. But it doesn’t necessarily mean that, hey, I’m going to go in and reset everyone’s password to something I know, but it did give them the ability to reset passwords, to send links to customers to go reset their passwords, and to reset their multifactor.

When Okta started off with their CSO saying no customers impacted. We detected this back in January, or we detected an unsuccessful attempt, which is the other thing to get into here, back in January and shut it down. And then in the second blog post, they added a little bit more. And then the third blog post is like, 2.5% of our customers, about 366 people impacted.

Prasanna Malaiyandi: Yeah, and it’s interesting because it’s 366 people, but it’s really 366 customers, which could be of any size.

And we certainly know from the screenshots that Cloudflare was one of those customers, and Cloudflare’s CEO was fairly vocal on Twitter about his dissatisfaction with Okta right now.

Prasanna Malaiyandi: And Cloudflare, I thought, published a pretty good blog as well about their analysis and what they did.

W. Curtis Preston: In fact, a lot of people felt that Cloudflare’s analysis was better than what Okta provided themselves.

Snorkel42: Me included. Yeah.

Prasanna Malaiyandi: Okay.

W. Curtis Preston: Yeah. And by the way, there were a couple of people you put on another Reddit thread that was about this. Maybe more than one. I don’t know, but I know I was reading one of them. And more than one former employee of Okta logged in and replied and explained basically what the super-user, which I agree is a really bad name, but, I don’t know where to start, but the thing about resetting passwords and stuff, like it didn’t appear that they had the ability to do anything to be able to access an account. They could reset a password. They could reset or even remove MFA, but anything towards that would be sent to the customer. So at best, they would only be able to do that if they had access to that customer in the first place. So it didn’t look like they would have been able to use this to actually access any customers. Does that sound about right? Yeah.

Snorkel42: It sounds about right to me, for a few reasons. Look, to me, the biggest issue here has been the way Okta has been communicating to customers and the lack of transparency. And the reason why it’s important is I find myself in the back of my own mind saying, if we believe Okta. Every time I think about this.

If we believe them, and the only reason I have that question for a company whose entire existence hinges on, if we believe Okta. Like they provide, maybe we should start that off with what does Okta do. So Okta provides authentication services and identity management to corporations, particularly around single sign-on and multi-factor, and the way you can place them in your infrastructure can get as deep as: through the Okta portal, I can reset your Active Directory, your on-prem Active Directory password. So you know, it’s a company that holds a lot of keys, and if you can’t trust them, my God, how do you keep them in your enterprise? And so, to your point of, yeah, it doesn’t look like they had that kind of access to really take over the accounts of Okta customers. And I believe that to be true, not so much because of what Okta said, but mainly because Lapsus$ didn’t appear to use it. I think if they would have had that access, we would have seen a much bigger impact, but I don’t.

I’m a hundred percent on board with everything that you’re saying about, that the biggest issue here has been Okta’s response. I just wanted to, for anyone who’s listening to this for the first time, it sounds horrible. And screenshots of customer data sounds horrible, but I do want to at least say it does look, based on the information that we have, most of which did not come from Okta, that they wouldn’t have been able to actually access any customer’s environment. They might have been able to annoy some customers, change your passwords and things like that. But I completely agree with you that from the get-go, like from the very beginning, from message one and all the way up to message three, their verbiage is really weird.

Snorkel42: Yeah.

Prasanna Malaiyandi: I’m wondering if this has to do with any of the new laws going through Congress around data breaches, or just public perception with everything going on in the world right now, that they just did a PR blunder, if you will.

Snorkel42: It could be that. Yeah. And certainly they are a publicly traded company, and that has certainly been called out in a number of forums, that they may be tied as to what they can say. One of the things that really sticks out to me is from Cloudflare’s response, it was very clear that they learned about this along with everyone else.

So one day they woke up and saw screenshots on Twitter from an attack group of their information. And Okta has a publicly disclosed privacy and security policy that, I can even name the sections, 20 and 21, talk about when they will alert customers of a breach. And I think you would have to do some pretty fancy legal footwork to explain why Cloudflare did not know about this in January 20.

To me that is the real big takeaway from, do I trust this company anymore? The fact that the customers that we do know were impacted clearly didn’t find out until the rest of the world found out as well. And that’s an example of Okta not following their own policies, and that’s troubling to me.

Prasanna Malaiyandi: Yeah. And especially because these are in legal contracts. You could be held liable for it, and you’re losing the trust of your customers, right? Who would trust Okta the next time something happens?

Snorkel42: Yeah. And then of course the timing, all of it is very interesting, in that Okta is saying that we couldn’t respond until we got the security incident report from the company that this third party hired, and we just got that, conveniently, as the screenshots got posted. But even then it’s, so you had a third-party contractor get compromised, and what kind of access they had, you just sat on it for three months? Are you telling me that Okta did not actually get involved in that incident response at all? So just a lot of things not adding up, and it certainly doesn’t paint a pretty picture for Okta.

W. Curtis Preston: Yeah. I forgot, I was scrolling through the post right now, the verbiage where it says, you made a comment that it seemed that marketing was involved in these, the statements that went out, because like it did start out with, even in the third one, even in the third message, they referred to it as an attempt to access.

Snorkel42: And unsuccessful.

W. Curtis Preston: This was not an attempt. This was a hack. I don’t know what the proper term is.

Snorkel42: No, I think a hack is absolutely the right term. And so they also have a timeline. And I think if you marry those blog posts, where they talk about unsuccessful attempts, and the timeline, you see where they’re getting to. The unsuccessful attempt that I derive is where Okta caught ’em.

Which honestly, we need to take a step back and really give Okta security some kudos in the detection to begin with. So where Okta caught them was the attacker apparently attempted to add a second MFA token to the support engineer’s account, so that they could start approving, from what I’ve been told.

Okta internally uses MFA a lot. So apparently Okta is huge on every step you take within their networks, MFA. So it looks like the attacker tried to add their own MFA token so, while they had RDP access and the support engineer was away, they could start moving around and start responding to MFA.

Snorkel42: And Okta caught that, the addition of an MFA token from a weird location. Which is fantastic, like really great job, and darn it.

So I think what Okta is referring to when they say there was an unsuccessful attempt was the unsuccessful attempt to add that MFA token. But boy, is that some marketing wordplay there, to say, oh yeah, it’s an unsuccessful attempt to take over an engineer’s laptop. No, they took it over.

Prasanna Malaiyandi: They took it over. They had access to your network. They got in, they just weren’t able to.

Snorkel42: Yeah.

W. Curtis Preston: And for five days they could do, because they were controlling that laptop via RDP, which is the Remote Desktop Protocol, which should not be exposed to the internet.

Prasanna Malaiyandi: Curtis’ second favorite topic, I think.

And so it is a really good point. And I think this is what’s way more interesting about this. Was it exposed to the internet? We don’t know. If it wasn’t, then it would sure seem Lapsus$ actually had access to this third party’s network first, and then managed to get RDP access to this contractor’s laptop. The screenshots show GlobalProtect, of which GlobalProtect is a VPN product from Palo Alto Networks.

Snorkel42: So it was, this person worked from home, possibly, and was their home network breached? So it does, from an InfoSec standpoint, certainly this screams to me, you should have RDP locked down on your workstations. Does your laptop need to be able to accept RDP connections? Absolutely not.

But, yeah. So I think that RDP side though is really a big topic, because it has a lot of, fine, read between the lines there of, what does it mean that they had RDP access? How did they even reach it over RDP?

Prasanna Malaiyandi: And it’s something we may never really find out. Unless.

Snorkel42: Yeah.

Prasanna Malaiyandi: Because no one’s really going to bring that up. No one’s going to talk about that. They’re just going to say, yeah, we stopped the attack or whatever the breach was. They’ll focus on the Okta side. Everyone talks about, okay, we found the issue or we saw what they were trying to do and we stopped it. End of story. Not necessarily, how did they really get in in the first place? And what does that look like, and how do we prevent that from happening?

Snorkel42: Yeah, and the thing to keep in mind too, when we think about this, is a third-party contractor that specializes in 24/7 customer support for larger enterprises. If Lapsus$, which is an attack group that’s setting the world on fire right now, had access to their network, what else was going on?

Okta may be the tip of the iceberg for them.

W. Curtis Preston: Yeah. Somebody, one of the commenters, they felt that the whole, like throwing out the screenshots from Okta, was actually an attempt at subterfuge on the part of Lapsus$ to throw away attention from the fact that the real problem is the access you just mentioned. Somebody said, maybe that’s why they threw out all the Okta information, because we’re not talking about Sykes. We’re talking about Okta. Technically the hack was actually at Sykes. Okta was just the customer in this case.

And Okta is very quick to call that out. They say third party as often as they possibly can, as if that’s, oh, wash our hands of that. Sure, we gave that third party access to go reset your passwords and MFAs, but that’s their problem.

W. Curtis Preston: There were people, a handful of people in the comments, and, as there always is on the internet, there were a handful of people that came to Okta’s defense regarding that they get thousands of attacks a day, and that they’re saying no customer systems were accessed. And so was there really a duty to report back in January? What do you think about that?

Snorkel42: The title of the post I had made was, am I overreacting? Because, as is probably coming through in this podcast, I’m still quite upset with them. And I agree with a lot of what those folks were saying. Yes, I’m sure Okta is attacked repeatedly. Now the question is, what does that look like? If they are attacked so often, to the point that people have access to the super user program, that it’s such a non-event for them, like that’s an everyday event,

then holy cow, right? Like seriously, if that’s every day for Okta, then we have something way bigger to talk about here. I’m guessing that’s not the case. I’m guessing this was a significant event for them, and downplaying that I don’t buy. I think this was a significant event and Okta was very happy to keep it under wraps and hope that it never came out. And I think, as we said at the start, yeah, I don’t think there was any actual breach of a customer’s account. I think what we saw on the screenshots was pretty much all that happened, but I think if you were to get Cloudflare’s CEO on this podcast, he would tell you that was significant.

And the fact that he didn’t know about it until a couple of days ago, when it was posted on Twitter, was not acceptable for him. And I’ll be really surprised if Cloudflare isn’t looking at moving to another provider right now.

Prasanna Malaiyandi: It reminds me.

W. Curtis Preston: If the Cloudflare CEO wants to come on this podcast, he or she is more than welcome.

Prasanna Malaiyandi: This kind of reminds me, like how bad it could be, of, I don’t know if you both recall the RSA hack that happened many years ago where the root key was compromised. Because that’s almost what could have happened to Okta, except in the case of Okta, there are no hardware fobs, right?

So again, I think Okta does absolutely deserve some praise here. Despite giving the super user application a really stupid name, this tier two support engineer didn’t have the ability to reset the password to something that he would know. If that were a scenario, if the attacker could have gone in and made the password “password”, then this would have been a much bigger deal.

W. Curtis Preston: Subsequently deactivating MFA.

Snorkel42: Yeah, absolutely.

W. Curtis Preston: Change the password to what you want and subsequently deactivating MFA. You’re in.

Yeah. And if you start thinking about how many customers Okta has and what Okta actually does and where I’m walking into. If they had access to the FedRAMP, if they were able to get into government systems that way. But Zoom, for example, if they were able to get into the Zoom Okta page, what applications would they be able to get into?

I can tell you from my company, it’s pretty much domain admin. You have access to everything, right? Definitely kudos to Okta for having those controls. And again, I really do praise their security team for catching it that quickly. That was an excellent detection on their part, especially for a third party in Costa Rica. Having that kind of logging. Fantastic. But yeah, to your point, it could have been massive.

W. Curtis Preston: Yeah, this, I do think, I liked that even though we agree it’s a weird name. It does appear that what they did employ is the concept of least privilege, right? There’s a reason that they have the ability for a support person to do the password reset, because sometimes customers get locked out of their accounts

there’s no other way to do that, but they at

Snorkel42: I need to interrupt because I disagree.

You disagree?

Snorkel42: I do. So here’s the thing, right? So they had these Okta support engineers, or honestly, these, what did we say? Sykes? I can’t remember which company came first, but these contractors have the ability to reset the passwords of their customers, of every user within their customers.

And if Okta is your identity provider, that is where your accounts live. They are the source of truth. Then maybe. But if Okta is just your single sign-on solution, your SAML solution or something along those lines for Active Directory, do you, if you signed up for Okta as a customer, do you expect that there’s some third-party company in Costa Rica that can reset your Active Directory passwords, of your CEO, right now? I wouldn’t. And I would expect them to give me my admin access back to my dashboard if I happened to lock myself out at that point. Yeah. But down to the individual user level, that certainly caught me off guard. I did not expect that.

Prasanna Malaiyandi: Because that should go through your normal IT process, which is owned by your company and driven through Active Directory. That way.

Snorkel42: And it calls out another thing. Okta publishes a document of their subcontractors, who they use. And this company is on that list, as 24/7 customer support. And in the notes, it says something along the lines of, they have no data centers. They simply have access to our Salesforce and AWS, that’s it.

So if you are doing your due diligence as a customer and doing your vendor reviews, you’re gonna look at their subcontractors. You see this and you’re like, all right, I don’t care if they have access to Salesforce, and AWS, that can mean anything. I don’t think any reasonable human can read that and go, oh, this third-party contractor has the ability to reset my Active Directory passwords.

W. Curtis Preston: Yeah, good point. And so I’ll take back my comment. I forgot about that part. And there was a comment again from the former Okta employees, or people claiming to be former Okta employees. And what they said was the practice and the policy is that you do not use this power to do that, but that power is still there.

Prasanna Malaiyandi: That’s probably the mistake, right? That you can’t trust people to have the power and not use it.

You, what you would do, I could see edge cases where maybe that’s needed. I can’t imagine it right now, but let’s just say those edge cases, to me, those would be edge cases and they would require additional MFA. For example, if you’re going to do the thing that we don’t think should normally be done, then that should require MFA or MPA. If you’re going to reset a password that deep, then it should have to come from multiple people.

Snorkel42: Yeah.

I was just going to say, if it’s an edge case, it would be an escalation, right? There’s one person on a floor.

But, and so yeah, you’re right. So in one sense, they did separate, but they didn’t. It sounds like you’re saying they could have done the least privilege concept a little better.

Snorkel42: Yeah. I think more it’s, and it goes back to exactly what I was railing against at the very beginning. It’s a communication issue that I’m struggling with Okta on right now. As an Okta customer, I did not know they had that capability. And after doing due diligence, and I happen to know about that sub-processor document because I happened to have it on my computer.

When this happened, I went, wait a minute. Was that even disclosed? And I went and looked, and, huh, no, not at all. And the word that really stuck out to me was the “simply”. They simply have the ability to access Salesforce and AWS. Wow. So how does a company who’s trying to do the right thing,

who’s trying to do their due diligence, trying to make sure that they’re onboarding vendors that aren’t going to open them up for security woes, what do you do in that situation? When a company as big as Okta is frankly, at least, being awfully liberal with their definitions.

W. Curtis Preston: Yeah, that is, I would feel much better if they had notified of what happened in January. And they said, listen, there was this thing that happened. I can understand why they might not want to, but I can see, this is what happened. We’re not sure of the extent, we’re studying it, et cetera, whatever, but just a simple notification.

And that would allow people to go just do a quick, did anybody change their passwords? Did anybody lose their MFA? Whatever. Just let me, as a user, go do a quick check that everything seems fine. But if you’re not even told, you’re not going to go do it, you’re not going to go do a check.

And honestly, it could have been a great success story for them. As I’ve said several times now, I have nothing but praise for the security team that caught it. And if they would have come out in a reasonable time and said, hey, heads up, here’s what happened. Here’s where we detected and stopped it, and the controls that we had in place to realize it.

Snorkel42: And here’s what we’re going to do to make sure that RDP is inaccessible on third-party support contractors’ laptops and things along those lines. I think people would have been, wow. Yeah, that could have been real bad, but kudos to Okta, they got their fingers on the pulse and they know what’s up. Instead, this is a PR nightmare for them. To what end? I don’t know. I don’t know what they were gaining from trying to keep this quiet and then doing this, frankly, pathetic attempt at wordsmithing their official message.

And I think that’s the danger, because a lot of people in the InfoSec community, right? You guys know the difference. Like you can smell the lack of transparency, that something is fishy, something doesn’t sound right.

Snorkel42: Right.

Prasanna Malaiyandi: And you lose trust in them.

Snorkel42: Yeah. And again, for a company like Okta, that’s not a company you can lose trust in, and it’s a shame too. It’s a shame to see, because it would’ve been such an easy message for them to deal with properly.

W. Curtis Preston: Yeah. Their stock price went from 166 to 145 in the last two days. It could have been, it’s a 10% loss, could have been better. And I agree with you. I think that companies that are Okta customers are going to reevaluate the trust that they have placed in this huge company.

And Okta’s, and the thing that really is, Okta’s the default, right? Okta’s everywhere

Snorkel42: Yeah.

W. Curtis Preston: And, yeah, that’s just.

Prasanna Malaiyandi: You have to have a good reason not to pick Okta. Like you won’t lose your job for recommending Okta in your company. It’s gotten to that stage for Okta, or it was that way for Okta.

Snorkel42: It’s to the point where if you are implementing a new product and you look up their documentation of how do I implement SAML, chances are it’s going to say, oh, if you’re an Okta customer, just click here, and they’ll have those screenshots. And then there’s the everyone else.

Prasanna Malaiyandi: Yeah.

W. Curtis Preston: Okta screenshots means something very different now.

Snorkel42: Right?

W. Curtis Preston: Oh, that’s tough. So can I assume now that the 2.5% of customers have been notified?

Snorkel42: This again goes back to, if we take Okta’s word for it, yes. That was the other side of this, of the blog post, right? The comment of, after doing a thorough analysis over the last 24 hours and scanning, I think it was like 125,000 log entries. That’s a significant number as logs go.

We now know that 2.5% of our customers were impacted, which again, you take just half a step back and you think about that. So for three months you did nothing. Then these screenshots came out, and in 24 hours you looked at, what do you think 125,000 logs are to Okta? An eighth of their log. Yeah.

Snorkel42: It’s nothing.

And it’s such a disingenuous comment, too. You look at it like, oh, so you had like skilled security engineers looking at those logs. No, you ran some greps on them. You didn’t actually look at them.

W. Curtis Preston: I was going to throw a grep. I was going to say they grepped some stuff.

Like I tell you this, I’m sure their CTO isn’t the guy actually, or CSO, I forget what his title is, is actually writing these things. I’m sure it’s going through all kinds of legal, marketing, but man, every time he posts, it’s get the popcorn out. Cause he just keeps making it worse.

I don’t know, any advice for Okta customers? What is it?

With regards to this breach, I truly don’t think it’s significant in terms of customer impact. Always do your IR. Always do your due diligence. Go look at your logs from that timeframe. See if there were any strange resets. But that breach is not keeping me up at night.

Snorkel42: What my advice is, and certainly what I’ve been doing, is contact your Okta reps and make a stink and try to drive the message that I’m not concerned about this breach. I am concerned about how you handled it, and the fact that you waited three months, and for the attackers to give up the evidence, for you to say something makes me have to question, what else are you sitting on? What other security incidents have occurred that you have conveniently not reported? And I’m not saying there aren’t any, I don’t know, but that’s the problem, that I no longer trust them to tell me. And I think that’s what Okta needs to hear. And be nice to your rep, right?

Like they’re caught up in this too, but make sure you’re saying, hey, escalate this to your executive level. Cause this is just not an acceptable way for a company like Okta to be off. Yeah.

That’s my main comment to all Okta customers: now’s the time to take off the gloves and raise some stink.

W. Curtis Preston: Send a WTF.

Snorkel42: Yeah.

W. Curtis Preston: to your Okta rep.

For the record, it’s two months, not three months. Just throwing that out there.

Snorkel42: End of January. It’s end of March. Okay. Fair enough.

W. Curtis Preston: For once I got the math right.

Prasanna Malaiyandi: I know, for once, Curtis. Yeah. Curtis math, they’re not

W. Curtis Preston: always off by an order of magnitude usually, or something. I’m like, I think that was 10%, and it was like,

Snorkel42: There’s 1%, 2, 3. That’s how it works.

W. Curtis Preston: Exactly.

Snorkel42: Fair enough. Yeah,

W. Curtis Preston: Yeah. Thanks for coming on to talk about the Okta situation.

Snorkel42: It was a pleasure. I don’t know if that’s the right word.

W. Curtis Preston: It is never fun, is it, Prasanna?

Prasanna Malaiyandi: No, it’s not. Yeah. I hope at least you had a chance to vent, Snorkel.

Snorkel42: Yeah, it was cathartic. Yes. Thank you.

W. Curtis Preston: Yeah. Yeah, this is not a, one of my favorite words is the German word schadenfreude, which means taking joy in the misfortunes of others. This is not that, this is anger, right? This is, I agree with you. Like how is this, it’s the whole like, oh, now you’re telling us after the screenshots came out, and would we have ever even heard of anything?

Snorkel42: They should have seen it coming. This is what this group does. They’re an extortion group. They stole the screenshots, and I’d be willing to bet money that they were holding that up to Okta: send us money, or we’re going to disclose.

I could not have been surprised when those screenshots finally appeared.

The whole thing. Just, you have to wonder what they were thinking.

Prasanna Malaiyandi: It sounds a little staged, if you will, or planned. They knew it was coming. They weren’t paying up or whatever, and

Snorkel42: Which, you would think that they would take the other approach and, let’s be the ones to control that message. Let’s be the ones to disclose that this happened. Cause it really, if we take them at their word, it wasn’t that big of a deal. They could have controlled that message. Instead, it’s a big deal.

W. Curtis Preston: It’s not the crime. It’s the cover up.

Prasanna Malaiyandi: Yeah.

Snorkel42: No.

Same old. All right. Thanks to our listeners, and be sure to subscribe so that you can restore it all.