JumpCloud rotates API keys “Out of an abundance of caution relating to an ongoing incident.”
JumpCloud's abundance of caution.
JumpCloud released a statement on July 6th that says, “Out of an abundance of caution relating to an ongoing incident, JumpCloud has decided to rotate all application programming interface (API) Keys for JumpCloud Admins.” These keys are used for authenticating a user or application and are commonly used in Internet-of-Things (IoT) products. The keys are static, which means they are stored on a system or device and have to be manually changed or “rotated.” In some cases changing a static key is referred to as “rolling codes.”
Clients are advised that the rotation is important.
The Hacker News reports, “The company has informed the concerned clients about the critical nature of this move, reinforcing its commitment to safeguarding their operations and organizations. This API key reset will, however, disrupt certain functionalities like AD import, HRIS integrations, JumpCloud PowerShell modules, JumpCloud Slack apps, Directory Insights Serverless apps, ADMU, third-party zero-touch MDM packages, Command Triggers, Okta SCIM integration, Azure AD SCIM integration, Workato, Aquera, Tray, and more.” The API key rotation seems to specifically affect admins, as the company’s instructions on its support page are geared towards admins, “or Command Runners.” Several cyber news outlets have reached out to JumpCloud for further comment, but they’re still waiting on details. For now, JumpCloud is urging customers to reset their API keys for enhanced security.
Should static keys be the norm?
Some industry professionals suggest moving away from static keys and integrating session-specific security measures. Jason Kent, Hacker in Residence at Cequence Security, writes:
"As someone that has given words of caution on the use of long-lasting keys in the past, and has commented many times on persistent API keys for sensitive controls, the “I told you so” phase just isn’t much fun. As the teams that utilize these systems now have to see how many integrations have failed, how much backlash it's going to create internally and will have to set about fixing everything, it’s a very stressful thing.
"IT and Cyber Security professionals don’t like redoing work and having to go set keys on various systems and wait for reports of successes and failures, thus we beg the question: ‘What is the best way to manage keys?’ The answer is ‘generate them at the time of use.’ This is because storage of the keys tends to be found by attackers, and compromises like this one end up being a huge problem.
"Computers are really good at repetitive tasks, have them log in every time. Utilize a PAM or similar strategy and make sure you protect the key."
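The contrast the article and Kent's comment draw between static admin API keys and keys generated at the time of use can be made concrete with a small model. The following is an added example written for this page; it is not JumpCloud's code, nor Cequence's, and the `KeyStore` class, its method names and the sample owners are hypothetical. It stores only a hash of each secret, issues either a static key (no expiry) or a short-lived session key, and shows why a fleet-wide rotation is the only way to cut off a leaked static key while a session key simply stops working on its own.

```python
"""Toy model of static vs. short-lived API keys (constructed example, not vendor code)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class KeyRecord:
    owner: str
    secret_hash: bytes           # only a SHA-256 digest of the secret is kept server-side
    issued_at: float
    expires_at: Optional[float]  # None => static key, valid until someone rotates it
    revoked: bool = False


def _digest(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()


class KeyStore:
    """Hypothetical admin API key registry (assumed design, not a real product API)."""

    def __init__(self) -> None:
        self._keys: dict[str, KeyRecord] = {}

    def issue(self, owner: str, ttl: Optional[float] = None, now: Optional[float] = None):
        """Issue a key for `owner`. ttl=None gives a static key; a ttl (seconds) gives a session key.
        Returns (key_id, secret); the secret is shown once and never stored in clear."""
        now = time.time() if now is None else now
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._keys[key_id] = KeyRecord(
            owner=owner,
            secret_hash=_digest(secret),
            issued_at=now,
            expires_at=None if ttl is None else now + ttl,
        )
        return key_id, secret

    def authenticate(self, key_id: str, secret: str, now: Optional[float] = None) -> bool:
        """True only for a known, unrevoked, unexpired key whose secret matches (constant-time compare)."""
        now = time.time() if now is None else now
        rec = self._keys.get(key_id)
        if rec is None or rec.revoked:
            return False
        if rec.expires_at is not None and now >= rec.expires_at:
            return False
        return hmac.compare_digest(rec.secret_hash, _digest(secret))

    def exposure_window(self, key_id: str, now: Optional[float] = None) -> Optional[float]:
        """Seconds a leaked, not-yet-revoked key stays usable. None means 'until rotated'."""
        now = time.time() if now is None else now
        rec = self._keys[key_id]
        if rec.revoked:
            return 0.0
        if rec.expires_at is None:
            return None
        return max(0.0, rec.expires_at - now)

    def rotate_all(self, now: Optional[float] = None) -> dict[str, tuple[str, str]]:
        """Revoke every live static key and issue one replacement per owner.
        Session keys are skipped: they expire by themselves, so there is nothing to rotate.
        The returned mapping is exactly the list of integrations an admin now has to update."""
        now = time.time() if now is None else now
        replacements: dict[str, tuple[str, str]] = {}
        for rec in list(self._keys.values()):
            if rec.revoked or rec.expires_at is not None:
                continue
            rec.revoked = True
            replacements[rec.owner] = self.issue(rec.owner, now=now)
        return replacements


if __name__ == "__main__":
    store = KeyStore()
    admin_id, admin_secret = store.issue("ad-import", now=1000)        # static, as in the article
    job_id, job_secret = store.issue("nightly-report", ttl=300, now=1000)  # generated at time of use
    print("static key exposure window:", store.exposure_window(admin_id, now=1000))
    print("session key exposure window:", store.exposure_window(job_id, now=1000))
    print("integrations to update after rotation:", list(store.rotate_all(now=2000)))
```

Running the block prints `None` for the static key's exposure window (it stays valid until the fleet-wide `rotate_all`), `300.0` for the session key, and a single owner (`ad-import`) in the list of integrations that need a new key, which is the operational cost the article describes when every admin key is reset at once.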