In August of last year, a security researcher at UC Berkeley found two security vulnerabilities in LastPass while researching the security of web based password managers. He reported the problems to LastPass, who quickly remediated them.
One of the vulnerabilities would have allowed an attacker to gain access to unencrypted credentials IF the user accessed a malicious web site and then used the LastPass “BookMarklet” to log into that site – if you use the browser extensions for Chrome, IE, Firefox, or Safari (as 99% of LastPass users do), your account was not vulnerable to this attack. BookMarklets are only used if the browser in use does not support LastPass directly.
The other vulnerability would have allowed an attacker who knew a user’s log in ID to retrieve an user’s encrypted password file, but not the key needed to decrypt this file.
LastPass states that they have no evidence that either of these vulnerabilities were exploited by anyone other than the researchers.
I still use and recommend LastPass – after all, if we stopped using software every time a security vulnerability was found and fixed, we would not be using Windows, Mac OS, or any browsers and plugins. The extra security provided by using LastPass to manage unique strong passwords for the sites you log into far outweighs the risk of being compromised by vulnerabilities such as the ones described.
There is a lesson to be learned for LastPass users, though. The security of your account is as only as good as the master password you choose for your LastPass account. Make sure that it is hard to guess, and is constructed using letters, numbers and special characters in order to make it as hard as possible for someone to crack.
I am disappointed in how long it took LastPass to reveal this issue – when you are entrusted with users’ “keys to the kingdom,” you have a responsibility to be transparent about issues like this in a timely fashion. I think that this is also a good time for LastPass to open up their code for third party security review to be proactive about finding and fixing security issues before the bad guys do.
A security vulnerability in the way that online storage provider DropBox (and possibly rival Box) handles links to shared files caused some documents (which were supposed to be viewable only people designated by the file owner) accessible and available to web site owners using Google’s visitor analytics and advertising tools. The rival online storage firm which found the issue claimed to have reported the problem (which gave access to sensitive files like mortgage documents and tax returns) to Dropbox last November. Dropbox fixed this issue, which it insists is a feature rather than a security flaw, this past Monday.
This issue highlights the need to make encryption of files and data stored on cloud service providers with keys stored on the user’s local system simple enough for non technical folks. The solution also needs to be able to support sharing of encrypted files securely with a third party or with other cloud services you authorize. If cloud providers can get this right (no small feat), living your life in the cloud will truly be ready for prime time.
Some solutions which currently exist:
- Boxcryptor is a software solution which sits on top of Dropbox and other storage providers and automagically encrypts files as they are sent to and received from the cloud. They provide secure sharing as well as mobile apps for the major platform. Of course, since Boxcryptor is an overlay to services like DropBox, using this product would break the integration between DropBox and other cloud apps.
- There is at least one consumer usable provider (SpiderOak) which currently claims to offer this type of Zero Knowledge Encryption.
The real answer to the issue of cloud encryption lies in having the encryption built in to the platforms in a standard and interoperable way. C’mon cloud vendors, you can do it!
A cautionary tale of cloud computing… apparently, a Google Groups group set up by the Japanese Ministry of the Environment to (internally) share documents and messages regarding negotiations about an international treaty was misconfigured, leaving the information therein world readable. Cloud computing is here to stay folks and governments, companies and other organizations (and their security folks) need to figure out ways to keep confidential data either out of the cloud or, better yet, safe in the cloud. IMHO, we need cloud providers to come up with creative ways to allow organizations to encrypt particularly sensitive data with keys controlled by the data owner.