The sole winner in the Okta Lapsus$ breach is Microsoft


With no additional information from Okta in days, it appears the identity security company is simply waiting for the news of the Lapsus$ breach to subside.

It probably will, but not as quickly as Okta would like, and not nearly as fast as it did for Microsoft, the most immediate previous victim of the Lapsus$ hacker group (and a major competitor in Okta’s identity security field).

For the most part, the Lapsus$ leak of Microsoft’s source code did not stay in the news cycle for long because, by Microsoft’s account, the damage was limited. Although Lapsus$ claims to have leaked 37GB of Microsoft data, no customer data was involved, according to Microsoft.

On the other hand, up to 366 Okta customers may have been affected in the Okta incident. Okta has said the third-party support provider Sitel was breached for five days in January and that 2.5% of its customer base may have been affected, making this a much bigger breach than the Microsoft incident.

But Lapsus$ itself helped Microsoft by leaking screenshots from the Okta contractor breach just two hours after posting what it claimed was Microsoft source code for services including Bing. (Lapsus$ had previously posted and deleted a claim that it had breached Microsoft. But news of the Microsoft breach dominated for only a day.)

Either way, the fact remains that attention shifted from Microsoft to Okta as soon as the Lapsus$ screenshots appeared on Telegram late Monday.

“The biggest winner in this situation may well be Microsoft, as Lapsus$ posting 37GB of their data has largely been pushed out of the headlines by the possible breach of Okta,” said Ronen Slavin, co-founder and CTO at Cycode, a software supply chain security firm, in an email to VentureBeat.

For now, Lapsus$ says it has ended its leaks, or has been forced to by law enforcement action, with the screenshots of the Sitel breach, leaving Okta alone in the spotlight.

No payday

What did Lapsus$ get out of it? Reportedly, the arrest of seven of its teenage members, and no clear payday. No financial demands were made, and publicizing the breach appears to limit the group’s opportunities to monetize access to Okta customers’ systems.

Okta, meanwhile, could face the ramifications for a while, both in its stock price and in lingering customer concerns. There are still unanswered questions (some of which are listed below), and Okta’s handling of the incident has sparked a great deal of debate.

For example, Okta CSO David Bradbury’s own post on LinkedIn has turned into a forum for that debate, with many criticizing Okta and many others defending the company in the comments.

Okta declined to comment when VentureBeat contacted the company this week.

What follows are some of the remaining unanswered questions, gathered from sources including comments to VentureBeat; a Twitter thread by noted cybersecurity consultant Jake Williams; and an “Open Letter to Okta” posted by Amit Yoran, CEO of cybersecurity company Tenable and an Okta customer.

How were customers affected? Customer data “may have been viewed or acted upon,” Bradbury said in a blog post. But Okta has not disclosed anything more specific.

What happened from January 16-20? Okta’s timeline starts on January 20 at 23:18 UTC. But Lapsus$ had access to the remote support engineer’s laptop from Jan. 16-21, according to Okta. That leaves the first few days of the breach unaccounted for.

Why does Okta define the blast radius of the attack this way? The 366 customers potentially affected by the Lapsus$ breach represent all Okta customers that Sitel had access to during the five-day period in January, Okta said. But since only a single engineer’s laptop was compromised, it is unclear why the blast radius isn’t limited to the customer tenants that engineer actually accessed.

What did Okta know about the breach, and when? “Okta’s investigation began on January 20, NOT March 10 as they seem to imply,” Williams said on Twitter. “Has Okta really gone from January 21 to March 10 with no new actionable information from Sitel?”

When and how would Okta have notified customers if Lapsus$ hadn’t posted screenshots? (via Williams)

Why did Okta’s initial statements imply that there was no impact on customers? Bradbury’s initial statement said that “the Okta service has not been breached … There are no corrective actions to be taken by our customers.” That was later revised to say that the data of up to 366 customers may have been “viewed or acted upon.” (“Please explain the contradiction between the initial impact statements and what is being communicated now,” Williams said on Twitter.)

Why hasn’t Okta provided useful information to customers? “When you were breached by LAPSUS$, you brushed off the incident and didn’t provide literally any useful information to customers,” Yoran wrote. “LAPSUS$ then pointed out your apparent misstatements. Only then did you determine and admit that the security of 2.5% (hundreds) of customers had been compromised. And still there are no useful details or recommendations.”

Why did Okta characterize its analysis of 125,000 log entries as particularly meaningful? “In the past 24 hours, we analyzed more than 125,000 log entries to determine what actions were taken by Sitel during the relevant time period,” said Bradbury. But “everyone in the field” knows that simply means the team went through all of the relevant logs, Williams wrote. “I believe the numbers are there to mislead laymen. Shame.”

Update: Following the publication of this post, Okta posted an FAQ on its website on Friday that addresses some of these questions.




This post, “The sole winner in the Okta Lapsus$ breach is Microsoft,” was originally published at https://venturebeat.com/2022/03/25/the-only-winner-in-the-okta-lapsus-breach-is-microsoft/