Credential Management Vulnerabilities Exposed By Breaches

The recent breach of OneLogin is once again shining the spotlight on the safety and sanity of entrusting sensitive data to cloud-based credential management services. OneLogin provides single sign-on for cloud-based applications.

What Is A Credential Management Service?

Credential management services that offer Single Sign-On (SSO) are convenient, but as we are beginning to find out, they can also be a single point of entry to a treasure trove of sensitive data for cyber criminals.

How Does A Credential Management Service Work?

The way credential management services work is that after a user of one of these identity and credential management services signs into their account, the service takes care of remembering and supplying the customer’s usernames and passwords for all of their other applications. It essentially saves the user the pain and stress of trying to remember numerous passwords, security questions and the other hoops people normally have to jump through just to access an online service.

What Is The Problem With Credential Management Services?

While many of these services promise secure access and simplified Identity and Access Management (IAM), the recent spate of breaches at LastPass and now OneLogin makes us wonder just how efficient and secure these credential management services really are. Here is why: a single compromise exposes the credentials of all users, especially if the data theft includes the ability to decrypt the stolen encrypted data [thanks to Mark Maunder of Wordfence for that emphasis].

A breach that allows intruders to decrypt customer data could be extremely damaging for affected customers.

The vulnerabilities in credential management services like LastPass were so bad that Tavis Ormandy, a security researcher at Google’s Project Zero, wondered if people were “really using this lastpass thing” because he took a quick look and could see “a bunch of obvious critical problems”.

Credential Management Services Have Been Breached Before

It will be recalled that between June and August of 2016, OneLogin also experienced a breach that affected its “Secure Notes” module. And not too long ago, several breaches of LastPass were reported.

What Now, After The Credential Management Services Breach?

To show how serious this particular breach could be, many organizations would have to reset their authentication infrastructure. As one analyst put it, “This is a big deal and it’s disruptive for victim customers, because they have to now change the inner guts of their authentication systems and there’s a lot of employee inconvenience while that’s going on.”

Indeed, here is a portion of the long list of “required actions” sent by OneLogin to its users. It pretty much means resetting the entire authentication infrastructure:

  1. If you replicate your directory password to provisioned applications (using the SSO Password feature) or if your users’ authentication method is OneLogin as a directory, force a OneLogin directory password reset for your users. You don’t need to reset directory passwords if you don’t use the SSO Password feature or if your users authenticate using Active Directory!
  2. Generate new certificates for your apps that use SAML SSO.
  3. Generate new API credentials and OAuth tokens.
  4. Generate and apply new directory tokens for Active Directory Connectors and LDAP Directory Connectors.

For Active Directory Connectors:

  • Create a new failover Active Directory Connector instance.
  • Copy the installation token for the new failover over the existing primary Active Directory Connector token on the server where the Active Directory Connector instance runs, replacing the contents of the Windows Registry key at
    HKEY_Local_Machine\SOFTWARE\Wow6432Node\OneLogin, Inc.\Active Directory Connector\DirectoryToken
  • Restart the Active Directory Connector.
  • Switch the new failover Active Directory Connector instance to be the primary (sync) connector, following the instructions in “Failing over a synchronization Active Directory Connector instance manually.”
  • Delete the old Active Directory Connector instance from OneLogin by following the instructions in “Deleting or disabling your Active Directory Connector instance.”

For LDAP Directory Connectors:

  • Create a new failover LDAP Directory Connector instance, following steps 1 – 6 in Installing Multiple LDAP Directory Connectors for High Availability.
  • Copy the token from the new instance to the config file for your existing active LDAP Directory Connector by editing the file conf/ldc.conf and updating the configuration property ldc.api.token. (See steps 9 and 10 in “Installing an LDAP Directory Connector”)
  • Restart the LDAP Directory Connector.
  • Switch the new failover LDAP Directory Connector instance to be the active connector, following the instructions in “Switching a standby connector to active.”
  • Remove the old LDAP Directory Connector instance from OneLogin by clicking Delete on the Basic tab of the LDAP Directory Connector configuration page (Go to Users > Directories, select the directory, go to the Basic tab, and select the instance to delete).
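The LDAP Directory Connector step above comes down to swapping the value of ldc.api.token in conf/ldc.conf without disturbing anything else in the file. As an added example (not OneLogin’s code and not part of their instructions), here is a small Python helper that does that rotation, keeps every other property and comment intact, refuses a file where the key is ambiguous, writes the result atomically with owner-only permissions, and confirms the old token is gone. The file layout and the sample contents are constructed assumptions.

```python
import os
import re
import tempfile

# Constructed sample of a conf/ldc.conf fragment; not OneLogin's real file.
SAMPLE_CONF = """# LDAP Directory Connector configuration (constructed sample)
ldc.api.token=OLD-TOKEN-0000
ldc.ldap.host=ldap.example.internal
"""

# Match only the ldc.api.token property line; group(1) keeps key and '='.
TOKEN_RE = re.compile(r"^([ \t]*ldc\.api\.token[ \t]*=)(.*)$", re.MULTILINE)


def rotate_ldc_token(conf_text: str, new_token: str) -> str:
    """Return conf_text with ldc.api.token set to new_token, all else untouched."""
    if "\n" in new_token or "\r" in new_token:
        raise ValueError("token must be a single line")
    updated, count = TOKEN_RE.subn(lambda m: m.group(1) + new_token, conf_text)
    if count > 1:
        raise ValueError("ldc.api.token appears %d times; refusing to guess" % count)
    if count == 0:  # key absent: append it so the old token cannot linger elsewhere
        if updated and not updated.endswith("\n"):
            updated += "\n"
        updated += "ldc.api.token=" + new_token + "\n"
    return updated


def token_rotated(conf_text: str, old_token: str, new_token: str) -> bool:
    """True when new_token is the active value and old_token appears nowhere."""
    m = TOKEN_RE.search(conf_text)
    return m is not None and m.group(2).strip() == new_token and old_token not in conf_text


def rotate_conf_file(path: str, new_token: str) -> None:
    """Rewrite the config atomically (temp file + rename) with mode 0600."""
    with open(path, "r", encoding="utf-8") as f:
        updated = rotate_ldc_token(f.read(), new_token)
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".ldc.conf.")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.write(updated)
        os.chmod(tmp, 0o600)       # token is a secret: owner read/write only
        os.replace(tmp, path)      # atomic on POSIX; never a half-written file
    except Exception:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
```

Restart the connector afterwards, as the list says; the helper only changes the file.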

You can visit their blog for further instructions.

What Are The Alternatives To Credential Management Services?

Avivah Litan, a financial fraud analyst with Gartner Inc., offered her take on the danger of “trusting the farm” in a manner of speaking, to credential management services that offer single sign-on. She argued that they are the digital version of an organization putting all of its eggs in one basket. Her recommendation is that organizations should be discouraged from using cloud-based single sign-on services because “It’s just such a massive single point of failure…And this breach shows that other [credential management] services are vulnerable, too.”

While we’ve been advising organizations to pay more attention to network security, it is still amazing how many executives believe that they are secure, and nobody wants what they have, or that they have the best security already installed.

The question is, when what could be considered the best in the IT security world (OneLogin, LastPass, RSA, etc.), and those who have all the money in the world (the U.S. National Security Agency, etc.), get hacked, what are the options for the rest of us?

The best the rest of us can do is remain vigilant and take the necessary steps in protecting our network infrastructure.

If you need to know whether your computer network is secure, Tech Prognosis can perform a risk-free security assessment with no obligation to purchase anything. Call us now at (512) 814-8044 or use the form on this page.