Posted on 06/05/2017 7:29:09 PM PDT by piytar
OneLogin is reporting its recent data breach was made possible when a hacker obtained access to a set of Amazon Web Service keys through a third-party vendor. With this, the hacker was enabled entry into its U.S. data center compromising all its records.
(Excerpt) Read more at scmagazine.com ...
Jeff Bezos is not likely to apologize.
Monumental.
This shifts the entire modern paradigm.
People and organizations are ok if it’s them that screw up and let the data out.
But they are FURIOUS if someone else does it.
AWS is the largest cloud provider in the world, and the first.
A very big deal.
I work in cyber security. I always have and always told my customers.
DON’T PUT ANYTHING IN THE CLOUD YOU DON’T WANT EXPOSED
Didn’t AWS contract with the CIA for cloud services?
I’m pretty sure it was the NSA that contracted with AWS...with an offer they couldn’t refuse.
EVERYTHING is recorded and backed up. It’s stored for at least 10 years.
Everything. Including these key strokes.
If it’s in the cloud, it isn’t your data any more.
Oops.
Does this include “lastpass” password management service? Leo LaPorte will not be happy.
I had been thinking of a password keeper.. can you give me some details on using a USB device?
That's a competitor.
http://www.pcmag.com/article2/0,2817,2491437,00.asp
PC Magazine might want to update its four star rating for OneLogin.
I think many end users (and others) don’t know what the cloud is, or how to know where their data goes. They just want the cool stuff.
I’m so paranoid I haven’t even used the cloud yet. Thought about it, but who wants to read my psych study research? LOL What I should have done is put my Wrath of God study on there.
A password keeper is a target of opportunity. I have a file with passwords that are abbreviated so someone finding it would still not know the passwords. Besides, if I were a target the attackers would log my keystrokes or the browser. If I used a password keeper they would log the password keeper password when I type it or log the browser password fields, not much different or more difficult.
The other thing to think about is complex passwords created by password keepers are pointless. If a site is hacked such that the password hashes are accessed, then your personal info will be stolen instead. Or they will log passwords after HTTPS decryption but before hashing. Long and/or complex passwords don't help.
Had a notice a couple days ago from Amazon about an order being canceled. Haven’t used them in years...wonder if someone tried to use an old credit card listing.
Received one yesterday and another today. Deleted them both without opening them. Received a third stating an inquiry was being initiated. No way to tell if the email was Amazon initiated or not without opening it. When I’m good and ready I’ll sign in and see if there is a notification on the account. I haven’t done business there in some time.
Wife’s CC had unauthorized charges attempted and the bank caught them yesterday. New card in the mail.
Going Galt just isn’t in the cards.
This is exactly the kind of compromise I’ve warned was inherent in this model of network storage.
The cloud is for two types of customers:
1) Organizations that have a business requirement to publish large amounts of low-risk content to a large, geographically-dispersed audience; and
2) Stupid people
DON'T PUT ANYTHING IN THE CLOUD YOU DON'T WANT EXPOSED
While I don't work primarily in security, I agree 100%!
There's a saying that's quite true... "There is no cloud. It's just someone else's server."
Mark