CANARIE recommends all CAF participants implement Multi-Factor Authentication (MFA).
SheerID “Direct Sign On (DSO)” Issue Mitigation Recommendations
While SheerID has said that it did not store user credentials gathered during its DSO activities, and that there were no indications of a breach, per standard cybersecurity practice CANARIE recommends that you reset the credentials of any user who has accessed the SheerID service.
As those credentials might have been used on sites that authenticate directly against the institutional Identity Management System (IdM), as well as on federated internal resources authenticated by your Identity Provider (IdP) software, you should examine both the logs of the services that authenticate directly against the IdM and the logs of the IdP over the affected dates.
Colleagues at the University of Trento shared some useful information for confirming whether the bot used by SheerID made any attempt to access your authentication systems:
The user-agent declared by the bot is:
"Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML\,+like+Gecko)+HeadlessChrome/89.0.4389.82+Safari/537.36"
The bot used two source IP addresses, apparently in round-robin:
- 34.199.186.214
- 35.153.89.227
The first login attempt was made with an invalid username, probably to verify the response from the authentication system. The username is « invalid_user ».
By using the user-agent above to track the sessions opened by the bot, you should be able to identify the accounts it accessed. If you find any, we recommend that you:
- Tell the affected users about the incident.
- Reset the password of the compromised accounts.
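As an added illustration that is not part of CANARIE's advisory, the following Python script applies the indicators above (the two source IPs, the HeadlessChrome user-agent and the invalid_user probe) to login audit records and separates accounts the bot authenticated from those it only attempted. The JSON-lines log layout (fields ts, src_ip, user, result, ua) and the sample records are constructed assumptions; adapt the parsing to your own IdM and IdP log formats.

```python
import json
import re

# Indicators quoted in the advisory (shared by colleagues at the University of Trento).
BOT_IPS = {"34.199.186.214", "35.153.89.227"}
PROBE_USER = "invalid_user"
# The advisory quotes the user-agent with spaces encoded as "+"; matching on the
# HeadlessChrome token catches it however your log writer encodes the string.
HEADLESS_RE = re.compile(r"HeadlessChrome/")

# Constructed sample login audit records in an assumed JSON-lines layout (not any
# real IdP product's format); timestamps and usernames are made up.
SAMPLE_LOG = r"""
{"ts": "2021-03-10T08:01:02Z", "src_ip": "34.199.186.214", "user": "invalid_user", "result": "FAIL", "ua": "Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML\\,+like+Gecko)+HeadlessChrome/89.0.4389.82+Safari/537.36"}
{"ts": "2021-03-10T08:01:05Z", "src_ip": "35.153.89.227", "user": "alice", "result": "OK", "ua": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/89.0.4389.82 Safari/537.36"}
{"ts": "2021-03-10T08:02:11Z", "src_ip": "192.0.2.10", "user": "bob", "result": "OK", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36"}
{"ts": "2021-03-10T08:02:40Z", "src_ip": "34.199.186.214", "user": "carol", "result": "FAIL", "ua": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/89.0.4389.82 Safari/537.36"}
{"ts": "2021-03-10T08:03:09Z", "src_ip": "198.51.100.7", "user": "dave", "result": "OK", "ua": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/89.0.4389.82 Safari/537.36"}
"""


def is_bot_event(rec):
    """True if the record matches either indicator: listed source IP or headless UA."""
    return rec["src_ip"] in BOT_IPS or HEADLESS_RE.search(rec.get("ua", "")) is not None


def scan_login_log(log_text):
    """Report what the bot touched: probe_seen (the invalid_user reconnaissance
    attempt), compromised (accounts it authenticated successfully: reset these)
    and attempted (accounts it tried but failed: notify and watch these)."""
    probe_seen, compromised, attempted = False, set(), set()
    for line in filter(str.strip, log_text.splitlines()):
        rec = json.loads(line)
        if not is_bot_event(rec):
            continue
        if rec["user"] == PROBE_USER:
            probe_seen = True
        elif rec["result"] == "OK":
            compromised.add(rec["user"])
        else:
            attempted.add(rec["user"])
    return {"probe_seen": probe_seen,
            "compromised": sorted(compromised),
            "attempted": sorted(attempted - compromised)}
```

Because the fifth sample record comes from an unlisted IP, it is caught only by the user-agent check; matching on both indicators avoids missing sessions if the bot rotated addresses.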
Effective measures to block bots from accessing systems:
- Block suspicious user-agents, such as the one used by SheerID, whose identification string contains the indication of a headless client (HeadlessChrome):
"Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML\,+like+Gecko)+HeadlessChrome/89.0.4389.82+Safari/537.36"
- Use anti-bot tools such as CAPTCHA on the login pages of the Identity Provider and of the services accessible via direct authentication on your Identity Management System.
- Advise your users to always check the address bar before entering their institutional credentials, and not to enter them if the domain does not correspond to their organization.
Support
Our team is here to support you. Please contact us at [email protected] for assistance.
