OneLogin security chief reveals new details of data breach

By Nand Kishor | Jun 8, 2017

A week after OneLogin disclosed it had been hacked, the company's security chief has said that thousands of its customers may have been affected -- but admitted that it still has a lot to learn about how it was breached.

The company has spent the past week investigating how it was breached.

OneLogin is similar to a password manager, but it also manages the identities and login information of enterprise and corporate users -- from hospitals, law firms, and financial giants to newsrooms. OneLogin acts as a central sign-in point that allows its customers -- which include millions of staff and end users -- to access their accounts on other popular sites and services, such as Microsoft and Google accounts.

At the end of last month, the company announced news that nobody wants to hear.

An attacker obtained highly sensitive keys for its Amazon-hosted cloud instance from an intermediate host and used them to break into its service -- effectively walking in with the front-door key. The company added that while it encrypts sensitive data, the attacker may have "obtained the ability to decrypt" some information.

When we spoke on the phone Monday, Alvaro Hoyos, the company's chief information security officer, wouldn't name the service provider, but downplayed any connection to his company. "That's a key piece of the puzzle of how this attack was orchestrated and launched," he said. That will be for the unnamed forensics firm, hired to help Hoyos and the company augment its ongoing investigation, to determine.

As it carries out its investigation, the company has held its cards close -- and remained otherwise mum on the matter. But that lack of detail and clarity has also left a trail of confusion behind for its customers.

We reached out to several companies affected by the breach and none would comment or talk on the record. But some have privately expressed their concern at the breach.

Hoyos admitted that the response by its customers had "understandably been mixed" after it announced its systems were breached.

Some had shown alarm at the apparent ease with which the hack had been carried out, and others questioned how the hackers had access to customer data that could ultimately be decrypted.

The company has advised customers to change their passwords, generate new API keys for their services, and create new OAuth tokens -- used for logging into accounts -- as well as to create new security certificates.

One report pointed to a corporate customer affected by the breach having to "rebuild the whole authentication security system."

Hoyos denied that the company has a "master key" to access customer data, but did confirm that the hacker used a single secret key to gain a foothold to carry out the hack. "The way they gained access to our network was through this authorized [Amazon Web Services] key," he said, adding that both unencrypted and encrypted data was stolen.

"[The hacker] was able to potentially compromise keys and other secret data, including passwords" during a seven-hour period in the middle of the night, he said. The company said it uses intrusion detection to spot threats as they happen, but that the use of an authorized key went for the most part unnoticed.
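The detail above -- an authorized key used for hours overnight without tripping intrusion detection -- is the kind of gap a baseline on *who* uses a key, *from where* and *when* is meant to close. The following is an added example, not OneLogin's or ZDNet's code: it scores CloudTrail-style events for a key against a baseline of source IPs seen earlier, flags use from outside known network ranges, off-hours activity and sensitive API calls, and raises an alert when several signals coincide. The events, key IDs, IP ranges, business-hours window and the list of "sensitive" API names are all constructed for illustration.

```python
"""Flag anomalous use of an authorized AWS access key from CloudTrail-style records.

Added example; not code from the page or the company it describes. Field names
follow the CloudTrail record layout (eventTime, eventName, sourceIPAddress,
userIdentity.accessKeyId); the values are constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Assumptions for this example: the key is normally used from these ranges,
# during these UTC hours, and these API names are the ones worth an alert.
KNOWN_RANGES = [ip_network("203.0.113.0/24"), ip_network("10.0.0.0/8")]
BUSINESS_HOURS = range(7, 20)
SENSITIVE_CALLS = {"Decrypt", "GetSecretValue", "GetObject",
                   "AssumeRole", "CreateAccessKey"}


def _event(time, name, ip, key="AKIAEXAMPLE0000001"):
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"accessKeyId": key}}


# Constructed baseline window: routine daytime use from known hosts.
BASELINE_EVENTS = [
    _event("2017-05-29T14:02:11Z", "DescribeInstances", "203.0.113.10"),
    _event("2017-05-29T16:20:45Z", "ListBuckets", "10.0.1.5"),
    _event("2017-05-30T11:07:03Z", "DescribeInstances", "10.0.1.5"),
]

# Constructed live window: normal traffic, then the same key used overnight
# from an unknown host to pull decryptable material.
LIVE_EVENTS = [
    _event("2017-05-31T15:10:00Z", "DescribeInstances", "203.0.113.10"),
    _event("2017-05-31T18:45:00Z", "GetObject", "10.0.1.5"),
    _event("2017-06-01T02:14:07Z", "Decrypt", "198.51.100.77"),
    _event("2017-06-01T03:30:00Z", "GetSecretValue", "198.51.100.77"),
    _event("2017-06-01T09:00:00Z", "ListBuckets", "10.0.1.5"),
]


def parse_time(stamp):
    """CloudTrail timestamps are UTC with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_baseline(events):
    """Per access key, the set of source IPs observed in the baseline window."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["userIdentity"]["accessKeyId"]].add(ev["sourceIPAddress"])
    return seen


def score_event(ev, baseline):
    """Return the list of anomaly reasons for one event (empty means benign)."""
    reasons = []
    key = ev["userIdentity"]["accessKeyId"]
    ip = ip_address(ev["sourceIPAddress"])
    hour = parse_time(ev["eventTime"]).hour
    if not any(ip in net for net in KNOWN_RANGES):
        reasons.append("ip-outside-known-ranges")
    if ev["sourceIPAddress"] not in baseline.get(key, set()):
        reasons.append("ip-new-for-key")
    if hour not in BUSINESS_HOURS:
        reasons.append("off-hours")
    if ev["eventName"] in SENSITIVE_CALLS:
        reasons.append("sensitive-api:" + ev["eventName"])
    return reasons


def find_alerts(baseline_events, live_events, min_reasons=2):
    """Alert when at least min_reasons signals coincide on a single event.

    A lone sensitive call from a known host in business hours is normal
    operations; a sensitive call from a new, off-range host at night is not.
    """
    baseline = build_baseline(baseline_events)
    alerts = []
    for ev in live_events:
        reasons = score_event(ev, baseline)
        if len(reasons) >= min_reasons:
            alerts.append((ev["eventTime"], ev["userIdentity"]["accessKeyId"],
                           ev["eventName"], reasons))
    return alerts


if __name__ == "__main__":
    for when, key, call, why in find_alerts(BASELINE_EVENTS, LIVE_EVENTS):
        print(f"ALERT {when} {key} {call}: {', '.join(why)}")
```

Run against the constructed windows, only the two overnight events from the unknown host are reported; the daytime `GetObject` from a known address carries a single signal and stays below the threshold. The thresholding is deliberately simple: the point is that a valid key is not, by itself, evidence of a valid caller.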

"We encrypt secrets, like passwords and secure notes," he said, referring to the company's proprietary note-storage system, typically used by IT administrators to store sensitive network passwords. But other, less sensitive data, such as names and email addresses -- the most basic information required for companies to use the service -- were not encrypted. (Some companies choose to add more personal information to these unencrypted profiles, such as job titles and office location.)

"It's not easy... because you need to be able to work with the data," he said. Unlike a password manager, which stores usernames and logins on behalf of, and in the hands of, the individual, an identity manager's sole purpose is to store and serve a user's credentials to services that need them.

Hoyos said that the company uses a range of encryption -- at rest (in storage) and in-transit, but, "no matter how you protect it or safeguard it, that it is possible to get to that data," he argued.

This is the company's second breach in as many years. The company warned users last August that its Secure Notes service had been accessed by an "unauthorized user." Trust in the company's ability to function has been shaken once again, though it's not known whether the company has lost business from the breach. The perceived effect on businesses has been profound, given the multiplying effect of the breach: for every customer that's affected, thousands of their staff are sitting ducks for further hacks.

One veteran industry analyst with knowledge of the situation we spoke to (who didn't want to be named) called it a "business existential threat."

"[The] company's whole business model is based on companies allowing them to store and broker users' passwords with countless other major online services. If companies can't -- or no longer are willing to -- trust them to do that, they have no business," the analyst said.

Hoyos said that the company is learning the lessons from the attack by encrypting more data, investing in greater monitoring, and adding more technical support staff.

"We're also investigating our ability to encrypt and decrypt, and how we manage our keys in that process," he said.

Source: ZDNet