
OneLogin suffers breach–customer data said to be exposed, decrypted - mercutio2
https://arstechnica.com/security/2017/06/onelogin-data-breach-compromised-decrypted/
======
devrandomguy
On a tangent, has anyone tried using Vault as a personal keyring, rather than
using a cloud based password manager? In particular, how much would I need to
trust each device that runs a Vault instance, if I was concerned mainly about
malware running alongside it?

Right now, I have everything in Keepass, and no good way to synchronize that
between devices. Merging key repos is a royal pain, but mainly, I don't like
the idea of trusting _everything_ to an organization that I can't hold
accountable. Running my own service on a generic tiny EC2 cluster feels like
an improvement, although I would still worry a little about the virtual
neighbors.

~~~
dbingham
Please, someone build an open source solution similar to Lastpass backed by a
Vault instance with browser plugins and a web front end to allow for key
management. That would be amazing.

Lastpass is almost necessary for me to keep all my passwords moderately secure
and still usable. But I really do not love trusting all of my info to a 3rd
party.

~~~
UnoriginalGuy
> But I really do not love trusting all of my info to a 3rd party.

You don't need to. You need to trust Lastpass's design.

A Lastpass database is an AES-256 encrypted blob, encrypted using a "slow"
hash of your master password (PBKDF2, rounds are configurable). Lastpass don't
know your password. When they authenticate you they test to see if your
database is decryptable with the password you entered (after it is hashed). If
you set 2F then they won't even allow attempts until 2F is satisfied (Google
Authenticator is free).

Lastpass's biggest weakness is also applicable to this theoretical OpenSource
alternative: Javascript. Javascript is delivered from Lastpass (for the
browser extension) and after you decrypt your password database, that JS has
full access to it. If a "bad guy" is able to inject evil JS between you and
them, then they could trivially steal already decrypted passwords.

As I said, this weakness has nothing to do with Lastpass, it would equally
apply to all password managers which integrate into the browser with an
extension. In effect you've exchanged convenience for security. And you can
already read the Lastpass browser extension's source code, being more open
source doesn't make you immune from this issue.

So you can choose to trust Lastpass, or not, but the design is sound. Slapping
the words "open source" onto something won't mitigate any of LastPass's
inherent design issues, and you'd still want to follow a similar design since
it is a good compromise between security and convenience. Coming up with a
superior design that doesn't sacrifice convenience would be awesome, but it is
a hard problem...

~~~
heliosAtwork
Sure, it can happen to open source; all engineering rules still apply. The
attractive part to me would be that there are more eyes on the code.

I would host my own in a google app engine or heroku and avoid a 3rd party who
is more attractive to hackers due to the number of accounts they host and
potential gain to criminals.

~~~
kasey_junk
That's not how many (most?) breaches occur. The situation you would run into
(and worry about) is that an exploit is found in the software and then it is
mechanized so that things like google app engine and heroku are scanned and
user run versions exploited en masse. Open source does not prevent that, only
diligent operations do. So by self hosting you are making the bet that you
are doing that singularly more competently than the hosted version.

~~~
heliosAtwork
No, open source does not prevent anything. There is just more transparency.

Any self hosting would need to be fully connected with automated update
notifications from the "crowd" of contributors and reviewers.

I guess, it becomes a managed service at that point (since as you point out it
should have reliable and secure production characteristics which does require
a high level of competency). I am imagining a cloud of one for my passwords (a
stateless, secure container, with disabled user access to the OS and which
connects to an encrypted simple file store to keep my small sized but precious
passwords).

------
rbinv
One thing I have always wondered: how do companies like this actually detect
such a breach in the first place? HTTP and SSH log files?

Also, how do they ensure that their systems are no longer compromised?

~~~
troydavis
Of the 6-7 breaches I've heard the details of, they were detected because
either:

- an engineer stumbled upon clear evidence of a rootkit, like a leftover
dotfile or shell history entries

- the exfiltrated data got used and someone noticed

(Different story for active intrusions, where the intruder is detected when
they first breach a system. At least anecdotally, the passive after-the-fact
detection above seems more common, though.)

~~~
zitterbewegung
For a really great book about an Active Intrusion this is a classic.
[https://www.amazon.com/Cuckoos-Egg-Tracking-Computer-Espiona...](https://www.amazon.com/Cuckoos-Egg-Tracking-Computer-Espionage/dp/1416507787)

~~~
jk563
Is this the one that started to realise what was happening due to unpaid time
on a machine amounting to 25c or similar?

~~~
bungie4
Yup. Cliff Stoll. His first book is a great read. The second as well, but he
caught a lot of flak for his 'Luddite' views. Personally, and with the aid of
hindsight, I think he just undershot on his predictions.

------
eatbitseveryday
I don't trust putting all my passwords into the hands of another system for
this reason.

~~~
wand3r
The threat model these defend against best is using a single login and
password across a host of secure and unsecured systems out of convenience.

Some pass managers are better than others and on balance are better than the
solutions non-technical (and many technical) would otherwise use. This is
highly dependent on your threat model, degree of technical skill, actual data
risk, and behavior.

------
dwwatk01
Another tangent: I see OneLogin, on their main site, lists the customers using
their solution. I know this is a very common practice, but can anyone explain
any (not short-sightedly financial) benefit possible for a company allowing
this disclosure?

~~~
Kalium
Sure! I can offer one reason that isn't purely "because we got a discount".

Imagine that you're a company not necessarily known for security prowess. Now
imagine that you want to be able to demonstrate to users / customers /
investors that you take security seriously and work with reputable vendors.
You could list off the vendors you use, but then they're just taking your word
for it. Wouldn't it be better if the vendor listed _you_?

Alternately, perhaps there are common investors or board members exerting
influence.

------
wdr1
This is why I won't use mint.com for anything but my credit cards.

