Breaking Badness

144. LastPass on The Left


  • Today we’re talking about the LastPass breach shared on December 22 and Tim Helming is joined by DomainTools CISO and VP of Information Technology, Daniel Schwalbe along with Security Operations Engineer, Ian Campbell. We’re going to focus this episode on this breach from both the CISO and practitioner perspectives
  • To set the stage of what happened, LastPass is a vehicle for storing passwords in what is, ideally, an encrypted environment.
    • It’s not alone in its environment – there are competitors out there with similar business functions
    • Many have a feature to store an encrypted vault in the cloud so you can access it on whatever device you’re using, which is pretty handy and better than post-it notes (which is a joke, by the way)
    • Cloud-based encryption can be divisive amongst security professionals as there are some who believe it should always be cloud-based and others who prefer local storage
    • This past summer, LastPass announced they had a breach and released some information, but it wasn’t until December 2022 that they released additional information, including that the intruder was able to steal offline vaults
    • We had been led to believe that everything in those vaults was encrypted, but as it stands, some of it was actually not encrypted, which brings us to today
    • As security professionals, we’ve touted using password managers, so it’s frustrating
    • However, the general functionality of a password manager is still important, and it is our hope that the takeaway from this will not be to stop using them
    • What we know is that everyone gets breached at some point, and we’re not here to give anyone a hard time unnecessarily, but in looking at this, it’s not so much catastrophic as it is disappointing
    • We’ve been talking about the importance of metadata in this sphere for years, and to see the decision made not to secure that metadata is disappointing; it has put others in the crosshairs by giving cybercriminals information to spearphish with
  • Let’s talk about how spearphishing may unfold:
    • It’s expensive to brute force a bunch of vaults, but the master password on LastPass is the key to making that easier
    • This breach provides customer account details, billing addresses, phone numbers, IP addresses, and more to line up spearphishing campaigns
  • What happens next? What’s our guidance?
    • Do we switch to other platforms? Is that too hasty? 
    • First and foremost, don’t panic and don’t make hasty decisions
      • If you used a weak master password, you probably have bigger things to worry about
      • Changing it now is not that effective against this breach (not a bad idea to change it anyway, but it does not protect you from this breach)
      • You’d have to look at your entries in there and change every password that’s in there, which is a pain, but that’s the bargain we made by storing passwords in one place
      • Be sure you enable 2-factor authentication for every account that allows it. It’s a lot of labor, but it’s less to deal with than breached accounts
      • Evaluate how you create passwords and understand current guidelines on password security. The lesson seems to be that length trumps complexity – we encourage you to ensure your passwords are sufficiently long and incorporate numbers, special characters, etc.
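The two points above (an offline vault is only as strong as the master password, and length trumps complexity) can be made concrete with a little arithmetic on password entropy. The following script is an added example, not code from the podcast or from LastPass: it compares the guessing space of a uniformly random character password against a word-based passphrase, and estimates expected cracking time under a constructed, clearly labelled guess rate. The character-class sizes, the 7776-word Diceware list size and the guess rate are all assumptions of this example.

```python
import math

# Character-class sizes for a uniformly random password (assumption of this
# example): 32 is the number of printable ASCII punctuation characters.
CHARSET_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": 32,
}

# Size of a Diceware-style wordlist (6^5 = 7776); a passphrase built by
# picking words uniformly from such a list gets log2(7776) bits per word.
DICEWARE_WORDS = 7776


def entropy_bits_random(length: int, classes: tuple) -> float:
    """Entropy (bits) of `length` characters drawn uniformly from the union
    of the given character classes. Entropy only applies to *random*
    choice; a human-chosen password with the same shape has far less."""
    alphabet = sum(CHARSET_SIZES[c] for c in classes)
    return length * math.log2(alphabet)


def entropy_bits_passphrase(words: int, wordlist_size: int = DICEWARE_WORDS) -> float:
    """Entropy (bits) of `words` words drawn uniformly from a wordlist."""
    return words * math.log2(wordlist_size)


def expected_seconds_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the password when the attacker can test
    `guesses_per_second` candidates offline against the vault's key
    derivation function. On average half the keyspace must be searched,
    which is why the KDF work factor matters as much as the password."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def compare_policies(guesses_per_second: float) -> list:
    """Return (label, bits, expected_years) for a few password shapes,
    sorted weakest first. The guess rate is a constructed placeholder
    supplied by the caller, not a measured figure for any product."""
    candidates = [
        ("8 chars, all classes", entropy_bits_random(8, ("lower", "upper", "digit", "symbol"))),
        ("12 chars, lower+digit", entropy_bits_random(12, ("lower", "digit"))),
        ("16 chars, all classes", entropy_bits_random(16, ("lower", "upper", "digit", "symbol"))),
        ("5-word passphrase", entropy_bits_passphrase(5)),
        ("7-word passphrase", entropy_bits_passphrase(7)),
    ]
    seconds_per_year = 365.25 * 24 * 3600
    rows = [
        (label, round(bits, 1), expected_seconds_to_crack(bits, guesses_per_second) / seconds_per_year)
        for label, bits in candidates
    ]
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    # Constructed guess rate (assumption): 100k KDF evaluations per second.
    for label, bits, years in compare_policies(1e5):
        print(f"{label:24s} {bits:6.1f} bits  ~{years:.3g} years")
```

The takeaway the script makes visible is that an 8-character password using every character class sits around 52 bits, while five random dictionary words already exceed 64 bits, and every additional word adds almost 13 bits; the expected cracking time doubles with each bit, and the vault's KDF cost sets the divisor.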
  • There are now class action lawsuits
    • We also wouldn’t be surprised if there was FTC action as a result of this breach or some sort of sanctions, especially if it turns out that there was negligence involved
    • This business focuses on the end user, and the FTC has started to really pay attention here with fines and consent decrees
    • Senator Ron Wyden’s office is probably another place to watch because his office has been active in Internet security and privacy
  • Graham Cluley, who hosts the Smashing Security podcast, noted that “when a company says it has ‘seen no evidence’ of anything bad happening, that’s not necessarily the same thing as saying ‘nothing bad happened.’”
    • Daniel, having been on IR teams working on gnarly breaches, feels this is a lawyer statement
    • Sometimes these statements are painfully wordsmithed to prevent further damages and liabilities
    • It’s hard because sometimes you want to release more details, but lawyers advise against it
  • What should LastPass do to regain trust? What does that roadmap look like?
    • It’s a tricky question for Daniel. It’s a series of bad choices that arrived at the inevitable
    • Giving users more straightforward tools to change the passwords in their vault would be helpful, but would take time
    • Make it easier for users to move away, which may seem counterproductive, but it could buy some goodwill – ensure that wherever you land, it’s with as little friction as possible
    • Tim believes it does sometimes pay off because of the integrity of the organization that’s doing it
    • Ian would like to see a more detailed report. We need much more information than they put out. They need to be more transparent about the timelines and the details, but it’s probably unlikely that we’ll see that

That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included in our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!