• Programmes
  • Le Réseau national de la recherche et de l’éducation du Canada (RNRE)
    • Partenaires du RNRE
    • Connexions
    • Le Réseau mondial de la recherche et de l’éducation (RMRE)
  • Le Programme de cybersécurité
    • Programme Initiatives en cybersécurité (PIC)
    • Participez au programme Initiatives en cybersécurité (PIC)
    • Initiatives financées
    • Foire aux questions
    • Cybersécurité Soutien
  • Le réseau CANARIE
    • Se connecter
    • Services réseau
    • MOXY
    • Réseau CANARIE – Soutien et outils
  • Gestion des identités et des accès
    • Fédération canadienne d’accès (FCA)
    • eduroam
    • La gestion fédérée des identités (GFI)
    • Études de cas
    • Soutien technique – Gestion des identités et des accès
• Adhésion à CANARIE
  • Adhésion à CANARIE
  • Membres de CANARIE
• À propos
  • À propos
  • Équipe de la haute direction
  • Conseil d’administration
  • Comités consultatifs
  • Trousse pour les médias
  • Politiques
  • Documents
• Carrières
• Contactez-nous
• Nouvelles
  • Nouvelles
  • Blogues
  • Communiqués de presse
• Événements
  • Tous les évènements
  • Sommet CANARIE
  • Forum SecuR&E canadien
  • Événements parrainés
  • Événements communautaires

Recherche Recherche

English

Accueil / Recommandations concernant le problème soulevé par la procédure d’ouverture directe de séance (DSO) de SheerID

SheerID “Direct Sign On (DSO)” Issue Mitigation Recommendations

While SheerID have said that they did not store user credentials gathered during their DSO activities, nor were there any indications of breach, per standard cybersecurity protocols CANARIE recommends that you reset any user’s credentials who has accessed the SheerID service.

As those credentials might have been used on sites directly authenticated on the institutional Identity Management System (IdM), as well as on federated internal resources authenticated by your Identity Provider (IdP) software, you would examine both the logs of the services authenticated directly on the IdM and the logs of the IdP over the affected dates.

Colleagues of the University of Trento shared some useful information to confirm if the bot used by SheerID has made any attempt to access your authentication systems:

The user-agent declared by the bot is:

"Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML\,+like+Gecko)+HeadlessChrome/89.0.4389.82+Safari/537.36"

The source IP addresses used by the bot are two and apparently used in round-robin:

• 34.199.186.214
• 35.153.89.227

The first login attempt was made with an incorrect user, probably to verify the response from the authentication system. The user is « invalid_user ».

By using the user-agent above to track the sessions opened by the bot, you should be able to check for accessed accounts. In the event of a positive response, we recommend that you:

• Tell the users about the incident.
• Reset the password of the compromised accounts.

Effective measures to block bots from accessing systems:

• Block suspicious user-agents, such as the one used by SheerID which contained the indication of a headless client (HeadlessChrome) in its identification string:

"Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML\,+like+Gecko)+HeadlessChrome/89.0.4389.82+Safari/537.36"

• Use anti-bot tools such as CAPTCHA and the likes in the login pages of the Identity Provider and services accessible via direct authentication on your Identity Management System.
• Advise your users to always check the address bar before using their institutional credentials and do not enter them if the domain does not correspond to their organization.

Support

Our team is here to support you. Please contact us at [email protected] for assistance.