      LastPass Breach

      news.movim.eu / Schneier · Saturday, 24 December, 2022 - 18:23 · 2 minutes

    Last August, LastPass reported a security breach, saying that no customer information—or passwords—were compromised. Turns out the full story is worse:

    While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.

    […]

    To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.

    The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

    That’s bad. It’s not an epic disaster, though.

    These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.

    So, according to the company, if you chose a strong master password—here’s my advice on how to do it—your passwords are safe. That is, you are secure as long as your password is resilient to a brute-force attack. (That they lost customer data is another story….)

    Fair enough, as far as it goes. My guess is that many LastPass users do not have strong master passwords, even though the compromise of your encrypted password file should be part of your threat model. But, even so, note this unverified tweet:

    I think the situation at @LastPass may be worse than they are letting on. On Sunday the 18th, four of my wallets were compromised. The losses are not significant. Their seeds were kept, encrypted, in my lastpass vault, behind a 16 character password using all character types.

    If that’s true, it means that LastPass has some backdoor—possibly unintentional—into the password databases that the hackers are accessing. (Or that @Cryptopathic’s “16 character password using all character types” is something like “P@ssw0rdP@ssw0rd.”)
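The parenthetical above is the crux of the whole "strong master password" argument: once an attacker holds the encrypted vault, everything rests on how many guesses the master password costs, and "16 characters using all character types" says nothing about that if the password is a repeated, leet-substituted dictionary word. The estimator below is an added example, not LastPass's or Schneier's code; the KDF iteration count, the guess rate, and the toy wordlist are constructed assumptions, since the page states none of them.

```python
import math
import re

# Assumptions, not from the page: offline guess throughput of an attacker
# holding the stolen vault, and the vault KDF cost. LastPass's real PBKDF2
# iteration count is not stated on the page, so both are placeholders.
ASSUMED_KDF_ITERATIONS = 100_000
ASSUMED_ITERATIONS_PER_SECOND = 1e10  # aggregate PBKDF2-SHA256 rate of a GPU rig

# Constructed toy wordlist standing in for a real cracking dictionary.
WORDLIST = {"password", "letmein", "lastpass", "qwerty", "welcome"}
LEET = str.maketrans("@0$13!", "aoseli")  # common symbol-for-letter substitutions


def charset_size(pw: str) -> int:
    """Alphabet size a naive meter infers from the character classes present."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)]
    return sum(n for pat, n in classes if re.search(pat, pw))


def naive_entropy_bits(pw: str) -> float:
    """What 'N characters using all character types' nominally promises."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def repeating_unit(pw: str) -> str:
    """Shortest u with pw == u * k; returns pw itself when it does not repeat."""
    for n in range(1, len(pw) // 2 + 1):
        if len(pw) % n == 0 and pw[:n] * (len(pw) // n) == pw:
            return pw[:n]
    return pw


def effective_entropy_bits(pw: str) -> float:
    """Bits a guesser faces once repetition and leetspeak rules are modelled."""
    unit = repeating_unit(pw)
    # Repeating a unit k times adds only log2(k) bits, not k times the work.
    bits = math.log2(len(pw) // len(unit)) if pw else 0.0
    if unit.lower().translate(LEET) in WORDLIST:
        # Dictionary word plus mangling rules: pick the word, then a coarse
        # one-bit-per-character case/substitution choice.
        return bits + math.log2(len(WORDLIST)) + len(unit)
    return bits + naive_entropy_bits(unit)


def expected_seconds_to_crack(pw: str) -> float:
    """Expected offline time: half the guess space, each guess costing one KDF run."""
    guesses = 2 ** effective_entropy_bits(pw) / 2
    return guesses * ASSUMED_KDF_ITERATIONS / ASSUMED_ITERATIONS_PER_SECOND
```

Both "P@ssw0rdP@ssw0rd" and a random 16-character string like "k7#Qm2!vR9&zL4@p" score about 105 bits on the naive meter, but the first collapses to roughly 11 bits once repetition and substitutions are modelled, so the same stolen vault falls in well under a second for one and never for the other.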

    My guess is that we’ll learn more during the coming days. But this should serve as a cautionary tale for anyone who is using the cloud: the cloud is another name for “someone else’s computer,” and you need to understand how much or how little you trust that computer.

    If you’re changing password managers, look at my own Password Safe. Its main downside is that you can’t synch between devices, but that’s because I don’t use the cloud for anything.

    News articles. Slashdot thread.

      2020 had its share of memorable hacks and breaches. Here are the top 10

      Dan Goodin · news.movim.eu / ArsTechnica · Monday, 28 December, 2020 - 12:46

    A cartoonish padlock has been photoshopped onto glowing computer chips. (credit: Traitov | Getty Images)

    2020 was a tough year for a lot of reasons, not least of which were breaches and hacks that visited pain on end users, customers, and the organizations that were targeted. The ransomware menace dominated headlines, with an endless stream of compromises hitting schools, governments, and private companies as criminals demanded ransoms in the millions of dollars. There was a steady stream of data breaches as well. Several mass account takeovers made appearances, too.

    What follows are some of the highlights. For good measure, we’re also throwing in a couple notable hacks that, while not actively used in the wild, were impressive beyond measure or pushed the boundaries of security.

    The SolarWinds hack

    2020 saved the most devastating breach for last. Hackers that multiple public officials say are backed by the Russian government started by compromising the software distribution system of SolarWinds, the maker of network monitoring software that tens of thousands of organizations use. The hackers then used their position to deliver a backdoored update to about 18,000 customers. From there, the hackers had the ability to steal, destroy, or modify data on the networks of any of those customers.


      Feds warn that SolarWinds hackers likely used other ways to breach networks

      Dan Goodin · news.movim.eu / ArsTechnica · Thursday, 17 December, 2020 - 20:56

    Stock photo of a glowing red emergency light. (credit: Getty Images)

    The supply chain attack used to breach federal agencies and at least one private company poses a “grave risk” to the United States, in part because the attackers likely used means other than the SolarWinds backdoor to penetrate networks of interest, federal officials said on Thursday.

    “This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks,” officials with the Cybersecurity and Infrastructure Security Agency wrote in an alert. “It is likely that the adversary has additional initial access vectors and tactics, techniques, and procedures (TTPs) that have not yet been discovered.” CISA, as the agency is abbreviated, is an arm of the Department of Homeland Security.

    Elsewhere, officials wrote: “CISA has determined that this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.”


      Security firm FireEye says nation-state hackers stole potent attack tools

      Dan Goodin · news.movim.eu / ArsTechnica · Tuesday, 8 December, 2020 - 22:08

    Stylized photo of a desktop computer. (credit: Lino Mirgeler/picture alliance via Getty Images)

    FireEye, a $3.5 billion company that helps customers respond to some of the world’s most sophisticated cyberattacks, has itself been hacked, most likely by a well-endowed nation-state that made off with potent “red-team” attack tools used to pierce network defenses.

    The revelation, made in a press release posted after the close of stock markets on Tuesday, is a stunning development. It suggests that a group that was already capable of penetrating a company with FireEye’s security prowess and resources is now in possession of new exploits, backdoor implants, or other tools, making the hackers an even greater threat to organizations all over the world.

    So far, the company has seen no evidence the tools are actively being used in the wild and isn’t sure if the attackers plan to do so. Nonetheless, FireEye said it is releasing more than 300 countermeasures that customers can use to protect themselves in the event the tools are used. Such tools are used by so-called red teams, which mimic malicious hackers in training exercises that simulate real-world hack attacks.
