Category: security

I haven’t written a real blog post in a long time, but this one is floating around in my head and insisting to come out.

For the last few months, I’ve been following closely the breach that occurred at Lastpass. You may have heard about it. It’s been all over the technical news feeds, with lots of fear, uncertainty and distrust. It was of particular interest to me, as a long time Lastpass user. These articles make it sound like Lastpass is the most insecure password manager out there. They advise everyone that their “vaults have been stolen” (not making clear it was the encrypted vaults, and the purpose of encryption is to protect information if it does get stolen). They advise everyone to change every password. They advise people to run screaming away from Lastpass to other password managers.

Their tone strikes me as off. It reminds me of the days when everyone piled on Microsoft for what we later learned was probably no good reason, for Microsoft had been moving in the right direction. Their tone — to me — sounds like risk-adverse panic. They are scaring people away from this product because of a risk that really isn’t as bad as they make it out to be.  There are times I wonder if there is an agenda behind those articles (and my mind even wonders at some times if a competing password manager wasn’t behind the attack — after all, you don’t have to do anything with the vaults to damage the market leader — the attack is sufficient).

I’ve read the latest blog post from Lastpass closely. I suggest that you do as well. Here’s what I take away from it.

First, this wasn’t a flaw in the product. The flaw — as it is so commonly — was on the human side. Social engineering was used to attack an employee’s home computer, and that employee hadn’t adequately patched their home computer. This is quite common, and to expect perfection in how people maintain their home machines is wrong. It also seems clear that this employee — and Lastpass itself — was targeted by an adversary. That tells me this wasn’t a typical “scoop up the data and sell it”. This was a targeted spearphishing attack, likely with some specific vaults in mind. That’s evident in how the attack went down, and the fact that the data exfiltrated hasn’t shown up elsewhere. For all we know, this was a government adversary targeting a specific individual they learned had a vault.

ETA: Could the breach have been stopped with a product patch? Possibly. But remember here that the attack was on a home computer, not a work machine managed by LogMeIn. On your home computer, do you install every patch on every third-party product? Most people don’t. There’s some hygiene and education to be done here, but it isn’t a product flaw.

The takeaways from this, for me, are:

• The product is not inherently flawed. It uses a reasonable scheme to protect the vaults, and suffers from the same risks that any product that stores stuff in the cloud faces. The vaults are protected with a strength commensurate with the user chosen master password and iteration count.
• The nature of the attack is something that could happen at any password manager product: targeting developers at home. That’s even true for open source products: open source products may still store user data in the cloud, and that data can be compromised.
• Corporate training may be weak, but corporate training overall is weak, and people are often the weakest part in any company.
• This was targeted attack. If you are a high-value target, I’d be worried. If you are the run of the mill user, I’d be much less worried. It is likely not worth the adversaries effort to attempt to decrypt your vault.

Second, should you change all your passwords? I think the clear answer here is “no”, not all. If you choose to change anything, you should make your determination based on what the password is protecting. Is it a bank or something vital, such as your domain configurations or DNS? Is it your social security account? Is it your email account? Change it. But you should be changing those passwords on a regular basis anyway, and enable MFA. But is the password for something like Slice or Lands End or Disqus. I wouldn’t worry. So they order a pizza on a credit card number they can’t see. You dispute the charge, unless they delivered it to you and you enjoyed it. The risk isn’t there. I’d venture you would only need to change about 20% of your passwords, if you have as many throwaway accounts as I do.

This, of course, is presuming you follow best practices. Create a unique account for each site; don’t rely on your Google or FB login. Have strong unique passwords for every site. Enable MFA where you can. These are all best practices you should know if you’ve been trained. You’re not that weak link, are you?

But do you need to change your passwords? The answer here is: it depends on you and your comfort level. They’ve already got the encrypted vaults. At minimum, you should change your vault master password to something long and strong (I recommend using xkpasswd or the pronounceable password generator and doing further conditioning), change the number of iterations to 600,000, and if you are using MFA, change the randomization seed. Details are in the Lastpass bulletin, and simply provide additional protection going forward. Should you be worried about what was stolen? I’d worry about adversaries using the non-encrypted information for phishing, so be extra careful with texts and emails (but then again, I believe that most of the data scraping attacks are collecting information for spearphishing, as it is easier to convince you to give me the data than to attempt to brute force it. See this XKCD). If you had a really weak master password and low iterations, change your key passwords and look for indications of attack. But remember: you’re likely not the target.

The takeaways here are:

• You don’t need to change all your passwords
• Change your vault passwords, iterations, and MFA seed on general principles.
• If you had a weak master password, change key passwords protecting financial institutions, major accounts (email, FB), and DNS/domain related accounts.
• Take a deep breath.

Third, do you need to run screaming away from Lastpass? Again, that depends on your comfort level. Although their latest communication was good and detailed, they sucked on communication up to this. I attribute that partially to timing, as they were being divested away from LogMeIn and that introduces a certain chaos in corporate communications. But they were also probably holding things close to the vest until they improved processes. Reading their longer term plans, I think they are significantly improving things and so their update product will be more secure. They are certainly retraining their development team. I particularly noted “Working to encrypt URL and URL-related fields in the vault BLOBs.” That’s a good thing.

Moving away from Lastpass has certain costs. There is the friction in moving the vaults (and moving your vault does nothing to protect you from this breach, as the general user information and encrypted vault data was already stolen). Arguably, it puts your data in more places to be stolen, as it doesn’t delete data from backups and such. There are also usability issues (Lastpass is an extremely easy to use product), and with the paid product, the features of the Family plan were excellent.

The takeaways here are:

• Lastpass sucked at communication during the process, but has now finally given good details. They lost trust due to how they handled this, which is a lesson we all should learn from.
• The improvements they have made, and are making, are good and increases confidence in their product.
• They could do more: increased training of employees, increased emphasis on awareness, and increased practical exercises on recognizing phishing are key. Increased restrictions on what computers can connect to them, combined with techniques to ensure those computers are configured properly. Those may be coming, or perhaps they weren’t explicitly mentioned.
• Every user should balance their risk tolerance with their likelihood as a target and the value of the information being protected. Be realistic, and understand the frictional costs in moving platforms.

Am I going to abandon Lastpass? Probably not. But I have changed master passwords, increased iterations, and updated MFA seeds. I’ve also changed passwords on critical accounts, and enabled MFA in more places (using an authenticator app instead of SMS when I can). I’m also keeping an eye out for any anomalous activity, but then again, I always do that.

I haven’t done a news chum posts in a while, and the articles of interest are accumulating. So here’s a collection of articles that caught my eye, all dealing with cybersecurity:

• Password Managers. Recently, there was an article about vulnerabilities related to common password managers, the gist of which was: All password managers are vulnerable to attack. Many people took that as an excuse to trigger their risk aversion, and to run away from password managers. Bad thing to do. The attacks in question all required physical access to the machine in question. Vaults in the cloud were safe. Further, if you had physical access to the machine, then a complicated attack to look at a residual password in a buffer is the least of your worries. This is a clear example of people not understanding the risks. The upshot: Use password managers. They make it so that you have longer, more complex, passwords in use; they also encourage the use of one password, unpredictable, per site. They are much more secure than algorithmic generation by humans, or writing things down.
• Choosing Good Passwords. Another password related article looked at the surprisingly common password “ji32k7au4a83”. This is a good example of why a password that looks strong might not be. In this case, the password turned out to be the ASCII representation of the characters you get when you type the Chinese for “My Password” on a specific Taiwanese keyboard. I could imagine similar problems for Hangul, or possibly other representations. This is yet another argument for using password generators (I recommend Lastpass, but other good tools are the XKpasswd generator and the nonsense word generator… and for good measure, the username generator from Lastpass, if you don’t want to have the same username everywhere).
• I Am Not A Robot. Some of us remember the days when everyone used a CAPCHA that required you to recognize letters and enter them in order to prove that you were not a bot. But you don’t see those very much anymore. You may see tests that require you to recognize what is in images, but even those are getting fewer. That’s because it is getting harder and harder to prove you are not a robot, and CAPTCHAs are having trouble catching up. Somedays, it seems that the only thing computers can’t reliably recognize is porn (but then again, neither can humans, and imagine the CAPCHAs). What you do see is a simple checkbox that “I am Not a Robot”. But why does something simple work. There’s actually a great explanation, which involves all the information your browser collects, and all those cookies you don’t think about track, that a bot does not have. Who knew?
• Forgetting the Past. Recently, Gene Spafford (a grey-beard I know well from the days of USENET) visited the RSA conference. His reaction was very interesting, and reflected the feeling that many of us grey-beards and CBGs and other professional old-codger terms have: the youth of the cyber industry have forgotten what was done in the past. I’ll note that luckily, the people behind the Annual Computer Security Applications Conference haven’t, and we are starting to plan the 2019 Conference (web pages should be updated soon) that will include both new research, and reach-back into the relevant history. We’ll be doing our 2nd year in San Juan PR in December; mark your calendars now.
• Listening and Privacy. We often use our computers thinking we’re the only ones who see what we are typing, just as we talk out in public as if we are the only one listening. Both are pretty far from the truth. Hopefully, you know that most public wireless access is not secure, and the best way to secure it is through the use of a VPN. Virtual Private Networks make sure that communication between your computer and a trusted endpoint are secured, and claim to provide security from that endpoint to your ultimate destination on the web. How much can you trust them? It depends on the VPN you choose, as some are better for privacy than others. But what about the real world? When you discuss things on the bus or the subway, how secure are you? Not very. One instructor gave their students an interesting assignment: find out as much as you can about that stranger sitting next to you on the bus, using only public information. They found out quite a bit by listening to the public side of phone conversations, looking at visible screens, and noticing other aspects of the person. Sherlock Holmes in the wild. But that’s not the only risk. It turns out that your hard disk might be eavesdropping as well. Sound waves create movement in disk heads, which can be monitored by sensors in the disk. So when will those concerned about eavesdropping move to SSDs to get rid of that risk?
• AntiVaxxers and Cybersecurity. A meme has been going around asking why we are willing to inoculate our computers against viruses and malware, but not our children? As memes go, it makes an interesting point — but misses some of the differences between computers and the human immune system. Vaccines are a great example of how we train our immune system to work for us by exposing it to the potential malware — in a neutered form — to train it to recognize the real thing. Traditionally, humans have been great at this: that’s why babies crawl around and put things into our mouths — the exposure makes our immune system stronger. In fact, our current antiseptic and germaphobic environment has both weakened our immune response, and trained it to overreact. So yes, pick your nose and eat it, but not in public where anyone can see you. But I digress. Think about this in terms of computers. We install an anti-virus or anti-malware program; this is the equivalent of installing an immune system in our computer. But the success of that system depends on the collection of malware signatures that it downloads regularly. These signatures are benign snippets of code DNA that allow for safe identification of dangerous code. Exposure to those benign snippets is vital if our computer immune systems are to work, and we don’t lose the system. Similarly, vaccines allow our natural anti-virus mechanisms to recognize the malware that try to invade us — and more importantly, they protect those systems that — due to specialized wetware — cannot install the anti-virus. In short: Vaccinate your kids and yourself to protect those around you, as well as yourself.

 

And the cleaning out of the accumulated news chum links continue. Here’s a collection of links related to cybersecurity, but the concern here is not where you think it might be:

• When Identity Thieves Hack Your Accountant. We are all concerned about the online services that we used, and what might happen when they are attacked. But have you thought about the human service providers you use? Your accountant. Your auto repair shop. Your financial advisor. They use services too, and these services have your information. Hint: The adversaries have thought about it.
• Why Cities Are So Bad at Cybersecurity. Many folks are aware of the US government’s efforts in cybersecurity, and at least the awareness is growing. But what about your state and local governments? How cyberaware are they? The answer, unfortunately, may not be as good as you might like. Now think about this: most of our critical systems are at the local level: power, elections, traffic control, ….
• Transportation is now the third most vulnerable sector exposed to cyberattacks. The previous item connects directly to this. When we think about cybersecurity, we think about our banks, our national security systems. But one of our most vulnerable sectors is transportation — from automated traffic systems to air traffic control to automated trains to the computers in our cars. Just imagine attacks on all those black Ford SUVs carrying government officials. There’s a lot of risk there.
• 4 Mistakes Security Pros Make and how a Wellness Model can Help. When we think security, we think certification and border protection. But a holistic wellness model is a great way to think about the subject. According to the National Wellness Institute, “wellness is multidimensional and holistic, encompassing lifestyle, mental and spiritual well-being, and the environment.” The model surrounding wellness is essentially a conscious effort to help an individual become self-directed to achieve their healthiest state, based on awareness and choice.   Wellness also understand that you don’t get well at once; it is incremental improvement.
• Don’t Give Away Historic Details About Yourself. One way to start getting well is to stop answering those quizzes about yourself. Giving away historical data helps adversaries in so many ways: from giving hints on passwords (if you’re not using a random password generator) to giving answers to security questions for password recovery. Think before you answer a quiz.