No, you don’t need to close your LastPass account…

Your passwords…

Yesterday, at ShmooCon, security researcher Sean Cassidy announced a vulnerability in the popular LastPass password manager.  He demonstrated a way that an attacker could send a user a phishing email, redirecting them to a specially crafted web page which logged them out of LastPass and presented a “pixel perfect” copy of the LastPass login screen, where the user would then enter their user name, master password and two-factor authentication code.  This information would be sent to the attacker, who would then have access to all of the user’s passwords.

Key to this evil plan was a “cross site request forgery” (CSRF) vulnerability in LastPass, which allowed the attacker to force the user to log out of the password manager.  This vulnerability has been fixed in the latest version of the application, so this particular attack will not work today and LastPass users should not panic.
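The weakness the post describes is a logout endpoint that fires on any request carrying the session cookie, so a page the user never meant to trust can end the session for them. The following added example (not LastPass code, and not from the researcher's talk) contrasts that pattern with a hardened handler that only acts on a POST, checks that the request comes from the site's own origin, and requires a per-session secret token that a cross-site page cannot read. The `Request`, `Session` and `SITE_ORIGIN` names are hypothetical stand-ins for whatever a real web framework provides; the requests in `simulate()` are constructed for the example.

```python
"""Added example: a cross-site-triggerable logout beside a hardened one.
Framework-free; Request/Session/SITE_ORIGIN are hypothetical stand-ins."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

SITE_ORIGIN = "https://vault.example"  # hypothetical origin of the app


@dataclass
class Session:
    user: str
    logged_in: bool = True
    # One secret per session, never placed in a URL or a cookie.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    headers: Dict[str, str]
    form: Dict[str, str] = field(default_factory=dict)
    session: Optional[Session] = None  # set when the session cookie matched


def logout_vulnerable(req: Request) -> bool:
    """Any request carrying a valid session cookie ends the session.
    The browser attaches that cookie automatically, so a GET issued by
    an attacker-controlled page is enough: the CSRF pattern described above."""
    if req.session is None:
        return False
    req.session.logged_in = False
    return True


def logout_hardened(req: Request) -> bool:
    """State change only on POST, only from the site's own origin, and only
    with the session-bound token. Missing Origin/Referer fails closed."""
    if req.session is None or req.method != "POST":
        return False
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin.startswith(SITE_ORIGIN):
        return False
    sent = req.form.get("csrf_token", "")
    # Constant-time comparison so token checks do not leak via timing.
    if not hmac.compare_digest(sent, req.session.csrf_token):
        return False
    req.session.logged_in = False
    return True


def simulate() -> Dict[str, bool]:
    """Constructed requests: a forged cross-site GET, a forged cross-site POST
    without the token, and a legitimate same-origin POST, run against both
    handlers. Returns which attempts succeeded in logging the user out."""
    results: Dict[str, bool] = {}
    s1 = Session(user="alice")
    forged_get = Request("GET", {"Referer": "https://attacker.example/page"}, session=s1)
    results["vulnerable_forged_get"] = logout_vulnerable(forged_get)

    s2 = Session(user="alice")
    forged_get2 = Request("GET", {"Referer": "https://attacker.example/page"}, session=s2)
    results["hardened_forged_get"] = logout_hardened(forged_get2)

    # A hidden cross-site form can POST, but cannot know the token.
    forged_post = Request("POST", {"Origin": "https://attacker.example"}, session=s2)
    results["hardened_forged_post"] = logout_hardened(forged_post)
    results["still_logged_in_after_forgeries"] = s2.logged_in

    legit = Request("POST", {"Origin": SITE_ORIGIN},
                    form={"csrf_token": s2.csrf_token}, session=s2)
    results["hardened_legit_post"] = logout_hardened(legit)
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name}: {outcome}")
```

The origin check rejects requests with neither an `Origin` nor a `Referer` header; that is deliberate, since a logout that silently succeeds on an ambiguous request is the failure mode the post is about, and a legitimate same-origin form submission will carry at least one of them. The same three checks (method, origin, token) apply to any state-changing endpoint, not just logout.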

I have been a proponent of password managers in general and LastPass in particular and still think that LastPass, DashLane, Keepass and the like are great solutions for protecting your online accounts.  In my opinion, the extra security you achieve by having unique long, strong passwords for each of your accounts outweighs the risks posed by using a password manager.

One of the debates around LastPass and its online brethren is whether their practice of storing encrypted versions of passwords in the cloud to allow them to be shared amongst devices and browsers presents too much of a security risk.  Many people prefer to use offline password managers like Keepass which store the encrypted passwords locally.  I can see the case for either choice, but I feel that for most people, the ease of use of a synchronized solution like LastPass or DashLane makes it more likely that they will use long, strong, unique passwords for all sites.  In particular, the ability to use these programs with both mobile and desktop devices is important – non-synchronized password managers can be a pain to use and keep up to date on mobile devices, where we are increasingly leading much of our online lives.

I did take this opportunity, however, to look at LastPass’ main competitor, Dashlane, and was quite impressed with it from an ease of use point of view.  It definitely gives a superior user experience on the mobile platform, but it does not seem to allow you to store attachments in Secure Notes, which is a LastPass feature I like and use.  Dashlane is more expensive than LastPass ($39 per year versus LastPass’ $12 price tag).  Dashlane seems to be easier to configure for the non-technical user and uses the device itself as a second form of authentication, obviating the need for a separate authorization code.  Of course, this means that a stolen phone or iPad could give an attacker access to your passwords, but you can specify a PIN or use the iPhone’s fingerprint reader to control access.  I was able to import my LastPass data into Dashlane really easily and they provide a 30-day trial of their premium features, which I am currently taking advantage of.   I’ll let you know how it goes.

To summarize, this vulnerability points out how seemingly innocuous vulnerabilities (being able to remotely log someone out of a website or tool) can be leveraged by malicious miscreants for their nefarious purposes.   However, it is not a show stopper for LastPass and they seem to have responded in a timely fashion.  Password managers are still a great security solution.


ready cash – the hacker’s latest tool

Ready cash – the ultimate attacker tool?

Cybersecurity firm BAE Systems (a large and credible industry player) announced that it had found and remediated an attack on an unnamed hedge fund back in late 2013, in which malware placed on the firm’s servers intercepted HFT trades, delayed their execution, and sent information about the trades to a third party server. BAE believes that “organized crime” was behind this attack.

If this report is accurate, it marks a new level of sophistication and business insight by attackers – rather than simply stealing random information or creating denial of service situations, these guys used knowledge of the financial industry (and at least some significant level of capital) to profit from their hack. Apparently, the attack went unnoticed for 8 weeks.

The firm’s report also mentions another attack on an insurance firm, where the attackers created bogus insurance policies in the firm’s underwriting systems and then filed claims against them.

This is a new attack trend that I have been expecting to see for some time – now that attackers have gotten really comfortable and successful with the technical side of hacking, the next logical step is to combine these skills and wins with business knowledge and capital to create much more sophisticated, profitable and (for victimized companies) potentially devastating attacks.  The financial services industry needs to take this incident seriously and adjust its view of the motives and sophistication of attackers.  While we have all talked about the theoretical possibility of hacks like this one, it has always seemed to be one of those “just over the horizon” threats.  Well, this new bit of news should firmly place these blended cyber/business/capital attackers and attacks on our radar.

While we don’t know exactly how the attackers gained access to the servers in question, I would be pretty surprised if a workstation malware compromise was not one of the first steps in the attack chain.  Another reason to keep bolstering our workstation defenses – patching, EMET, browser virtualization, behavior-based malware detection, and web filtering and blocking.  And another reason to have a conversation with your employees about just how perilous the landscape is becoming.


galaxy s5 fingerprint authentication and lastpass

Interesting blog post from Graham Cluley on LastPass’ support for using the Galaxy S5’s fingerprint reader as the key to your password vault.   Since the S5’s fingerprint reader has been shown to be vulnerable to low sophistication fake fingerprint attacks, he wonders whether this (admittedly) very convenient feature is worth the risk.   As a LastPass user, I don’t think I would base the security of the keys to my entire digital life on this particular piece of hardware.  However, this does beg the question – does the low but non-zero risk of someone getting hold of your phone and fingerprint exceed the risk of using the same damn password on every site you visit?  LastPass also offers a mitigation for this scenario – it is possible to specifically permission which mobile devices can access your account.  If your phone is lost or stolen, it is possible to revoke that permission (if you notice the loss or theft quickly enough).  This is a risk calculation that users will have to make for themselves.


how not to do a risk assessment

So, the risk management mavens for the City of Portland, Oregon have provided us all with an object lesson in how not to make risk based decisions.  It seems that one of the local young rowdies had the audacity to urinate into one of the reservoirs supplying the city with drinking water.  This particular reservoir contains 38 million gallons of water.   Horrified at this sullying of the public water supply, the city fathers made the obvious decision – empty and refill the reservoir.   I mean, it had pee in it!   Never mind that the uncovered reservoir contains all sorts of other contaminants (animal urine and feces, dead birds, pollutants carried by rain, etc.) as a matter of course.   Never mind that the concentration of urea caused by the wayward urinator would be around 3 parts per BILLION – the EPA allows up to 10 parts per billion of arsenic in tap water, people.  No, because this particular infinitesimal contamination made the news, 38 million gallons of water is going to be dumped.  As someone who has witnessed small children lugging jerry cans of water to their homes located miles away from the communal tap in Rwanda, this makes perfect sense to me.

It is this kind of ridiculous approach to risk management that ensures that society will spend billions of dollars protecting itself from the wrong risks, and leaves us vulnerable to the ones that really threaten us.

We need to get better at this, folks – science knows that people are bad at judging risk.  That’s why we need to train professionals in all fields to use evidence based methods and processes which compensate for our built in handicap in this area.  The basis for good risk analysis is to train kids in critical thinking skills early and often throughout their education.  Maybe they’ll be better at this stuff than we are.
