
Security Bits — 8 January 2023

Deep Dive 1 — Rethinking the LastPass Breach (It’s Worse 🙁)

Two weeks ago the latest details on the LastPass breach were much fresher, and since then two things have happened:

  1. More facts have come to my attention
  2. More well-reasoned opinions have been expressed

In terms of new information we have the following:

  1. Even LastPass’s current default of 100,100 rounds of PBKDF2 is not best practice; OWASP now advise 310,000 for PBKDF2-HMAC-SHA256. Worse, when LastPass raised the default from 50,000 to 100,100 in 2018, they didn’t re-derive the keys for existing vaults with the new count, so even today many vaults are far more vulnerable than LastPass implied.
  2. Password vaults don’t need to be as vulnerable as LastPass’s design makes them:
    • 1Password protects each vault with a randomly generated Secret Key, stored locally on the user’s devices (and printed in the recovery kit they ask users to keep safe), combined with the master password. The password alone is only relevant on a device that already holds the key; the copy in the cloud is protected by the key even if the password were blank, and a 128-bit random key is far beyond any brute-force attack.
    • 1Password vaults are fully encrypted in the cloud, metadata included, so website names would not leak.
  3. Humans are terrible at picking passwords, so any password that’s not computer generated is much weaker than its length and character set suggest, and real-world attackers are very good at focusing their guesses on the patterns humans actually use.
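To make the three points above concrete, here is an added example (not code from the page, from LastPass or from 1Password): it derives a vault key with PBKDF2-HMAC-SHA256 at the iteration counts discussed, shows how the per-guess cost scales, runs an attacker’s wordlist loop against a stolen password-only vault, and then runs the same loop against a vault protected by a simplified two-secret derivation in the spirit of 1Password’s Secret Key. The salt, the wordlist, the XOR-based combination of the two secrets and the attacker’s hash rate are all assumptions made for the illustration, not measured figures or either vendor’s exact scheme.

```python
import hashlib
import hmac
import secrets
import time

# Assumed KDF parameters for the illustration: a 256-bit vault key; the salt
# would normally be per-user and stored alongside the encrypted vault.
KEY_LEN = 32


def derive_vault_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256, the construction LastPass uses to turn the master
    password into the vault key. The iteration count is the only cost knob."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def relative_cost(old_iterations: int, new_iterations: int) -> float:
    """Factor by which one attacker guess gets dearer after an iteration bump."""
    return new_iterations / old_iterations


def expected_crack_seconds(guesses: float, iterations: int,
                           hmac_per_second: float) -> float:
    """Expected time to recover a password drawn from `guesses` candidates: on
    average half of them must be tried, each costing `iterations` HMAC
    evaluations. `hmac_per_second` is the attacker's assumed HMAC rate."""
    return (guesses / 2) * iterations / hmac_per_second


def new_secret_key() -> bytes:
    """128 bits from the OS CSPRNG, the size of 1Password's Secret Key."""
    return secrets.token_bytes(16)


def derive_two_secret_key(password: str, secret_key: bytes, salt: bytes,
                          iterations: int) -> bytes:
    """Simplified two-secret derivation in the spirit of 1Password's design
    (an illustration, not their exact scheme): the password is stretched with
    PBKDF2, the random Secret Key is stretched with HMAC, and the two are XORed.
    An attacker holding the vault but not the Secret Key gains nothing from
    guessing the password, however weak it is."""
    password_part = derive_vault_key(password, salt, iterations)
    key_part = hmac.new(secret_key, salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(password_part, key_part))


def offline_guess(target: bytes, salt: bytes, iterations: int, candidates):
    """Attacker's loop over a stolen vault: derive a key from each candidate
    password and compare it with the real vault key. Returns the matching
    password, or None when no candidate matches."""
    for cand in candidates:
        if hmac.compare_digest(derive_vault_key(cand, salt, iterations), target):
            return cand
    return None


# Constructed sample data for the demonstration (not from any real vault).
SALT = b"user@example.com"  # assumption: the account e-mail serves as the salt
HUMAN_PASSWORDS = ["letmein", "Password1", "qwerty123", "Summer2022!", "monkey"]


def main():
    for it in (50_000, 100_100, 310_000):
        t0 = time.perf_counter()
        derive_vault_key("Summer2022!", SALT, it)
        print(f"{it:>8} iterations: {time.perf_counter() - t0:.3f}s per guess here")
    print(f"50,000 -> 100,100 makes each guess {relative_cost(50_000, 100_100):.2f}x dearer")
    print(f"100,100 -> 310,000 makes each guess {relative_cost(100_100, 310_000):.2f}x dearer")

    # A human-chosen password that is in the wordlist falls whatever the count.
    stolen = derive_vault_key("Summer2022!", SALT, 100_100)
    print("password-only vault, recovered:",
          offline_guess(stolen, SALT, 100_100, HUMAN_PASSWORDS))

    # The same weak password on a two-secret vault: the wordlist attack fails,
    # because without the Secret Key none of the attacker's keys can match.
    stolen2 = derive_two_secret_key("Summer2022!", new_secret_key(), SALT, 100_100)
    print("two-secret vault, recovered:   ",
          offline_guess(stolen2, SALT, 100_100, HUMAN_PASSWORDS))


if __name__ == "__main__":
    main()
```

Note what the numbers say: the 2018 bump roughly doubled an attacker’s work per guess and the OWASP figure roughly triples it again, but neither changes the fact that a password on the attacker’s wordlist is found after a handful of guesses. Only a secret the attacker does not hold, or a password they cannot enumerate, changes that.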

In terms of opinion, there’s the obvious fact that lots of smart people are choosing to leave LastPass and advising others to do the same. What’s influenced me much more is an observation by Leo Laporte that the breach notifications are actually missing a lot of critical detail. Yes, they were timely, and yes, they included nerdy technical detail, but they failed to address two critical questions:

  1. Whose backups were taken? Everyone’s? In the absence of detail, I guess we need to assume that.
  2. From when? At what point in time were the backups created? Is it just one backup from a specific date, or a time series stretching back from the present to some point in the past? Do the backups go back further than the 2018 change to a default of 100,100 PBKDF2 iterations? If a user moved from a weak to a strong master password a year ago, are they safe?

Unless you started using LastPass after 2018 and know you have never had a weak master password, you must assume the baddies have a poorly protected copy of your vault. If you joined before 2018, or if you ever had a weak master password, you need to change every password you ever stored in LastPass before the baddies have time to crack a weakly encrypted vault.


Deep Dive 2 — The Twitter Breach

With all the hubbub around LastPass, the news that up to 400,000 Twitter accounts have been leaked has gotten rather lost in the mix!

What we now know is that early last year there was a flaw in a Twitter API that allowed an attacker to test whether a given phone number or email address matched a Twitter account, and if it did, which one. This allowed attackers to mine Twitter with email addresses from other breaches and with the ranges of telephone numbers used by major providers, building up a searchable database of Twitter usernames alongside their supposedly private email addresses and phone numbers.
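The flaw is a textbook account-enumeration oracle. The following added example (my own illustration, not Twitter’s code or a reconstruction of their API) models the vulnerable lookup beside a hardened one that answers identically whether or not the contact is registered, and runs an attacker’s harvesting loop over a breach-derived email list and over a phone number block. The accounts, contact details, number range and rate-limit parameters are all constructed for the demonstration.

```python
# Constructed sample accounts for the demonstration (not real people).
USERS = {
    "alice_sec": {"email": "alice@example.com", "phone": "+15555550150"},
    "bob_dev":   {"email": "bob@example.org",   "phone": "+15555550180"},
}

# Reverse index from contact detail to account name, as a lookup endpoint uses.
CONTACT_INDEX = {rec[field]: name
                 for name, rec in USERS.items() for field in ("email", "phone")}


def lookup_vulnerable(contact: str) -> dict:
    """Models the flawed endpoint: the response confirms that the contact is
    registered AND reveals which account it belongs to. That is the oracle."""
    username = CONTACT_INDEX.get(contact)
    if username is None:
        return {"status": 404, "body": {"error": "no account matches this contact"}}
    return {"status": 200, "body": {"username": username}}


def lookup_hardened(contact: str) -> dict:
    """Same lookup with the oracle removed: the response is identical whether
    or not the contact is registered, and no account name is ever returned.
    Any follow-up (e.g. recovery instructions) goes to the contact itself."""
    _username = CONTACT_INDEX.get(contact)  # internal use only
    return {"status": 202,
            "body": {"message": "If this contact is registered, instructions have been sent to it."}}


class RateLimiter:
    """Per-client fixed-window limit: a second line of defence against bulk
    mining, for endpoints whose response must carry some information."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit, self.window = limit, window_seconds
        self.seen = {}  # client -> (window_start, count)

    def allow(self, client: str, now: float) -> bool:
        start, count = self.seen.get(client, (now, 0))
        if now - start >= self.window:
            start, count = now, 0
        if count >= self.limit:
            self.seen[client] = (start, count)
            return False
        self.seen[client] = (start, count + 1)
        return True


def harvest(lookup, candidates, limiter=None, client="attacker", now=0.0) -> dict:
    """Attacker's loop: feed e-mail addresses from other breaches, or a phone
    number block, to the lookup and keep every (contact -> username) hit."""
    found = {}
    for c in candidates:
        if limiter is not None and not limiter.allow(client, now):
            break  # blocked; a real attacker would rotate IPs or wait
        r = lookup(c)
        if r["status"] == 200 and "username" in r["body"]:
            found[c] = r["body"]["username"]
    return found


def phone_range(prefix: str, start: int, stop: int):
    """Enumerate a carrier's number block, e.g. +1555555 0100 .. 0199."""
    return [f"{prefix}{n:04d}" for n in range(start, stop)]


if __name__ == "__main__":
    breached_emails = ["alice@example.com", "nobody@example.net", "bob@example.org"]
    print("vulnerable, e-mails:", harvest(lookup_vulnerable, breached_emails))
    print("vulnerable, phones: ", harvest(lookup_vulnerable, phone_range("+1555555", 100, 200)))
    print("hardened, e-mails:  ", harvest(lookup_hardened, breached_emails))
    print("vulnerable + 10 lookups/min:",
          harvest(lookup_vulnerable, phone_range("+1555555", 100, 200), RateLimiter(10, 60)))
```

The hardened response removes the signal entirely, which is the fix that matters; the rate limiter only slows a determined attacker down, and is worth having because it also catches the oracles you have not yet found.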

For most people the biggest danger here is automated but convincing targeted phishing, but for high-value users who rely on SMS 2FA the biggest danger is being targeted for a SIM-swapping attack, where the attacker talks the carrier into moving the victim’s number to a SIM they control and then receives the victim’s login codes. Here high-value is from the point of view of the baddies, so some categories that leap to my mind include:

  1. Celebrities, political leaders, and government officials
  2. Industry leaders and engineers working on important projects
  3. Any user with a cool username; hijacking and selling cool usernames is big business for cybercriminals 🙁

While I think it’s important for all high-value users to move away from SMS 2FA, this is probably a good time for everyone still using SMS 2FA on Twitter to switch to TOTP (Google Authenticator-style codes from an app like Authy or 1Password), where the shared secret lives in the app rather than with your mobile carrier.
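For readers who want to see exactly what the app-based codes are, here is an added example (my own, not code from Twitter, Authy or 1Password) implementing HOTP/TOTP as specified in RFC 4226 and RFC 6238, with the server-side verification that tolerates clock skew, base32 handling for the secret as authenticator apps display it, and the otpauth:// URI that an enrolment QR code encodes. The issuer and account name in the demo are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the last `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, timestamp: Optional[float] = None, step: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second window."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(key, int(timestamp) // step, digits, algorithm)


def verify_totp(key: bytes, code: str, timestamp: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check accepting the current window plus `window` steps on
    either side to allow for clock skew. Every candidate is evaluated and
    compared in constant time so the check does not leak which one matched."""
    if timestamp is None:
        timestamp = time.time()
    counter = int(timestamp) // step
    ok = False
    for delta in range(-window, window + 1):
        ok |= hmac.compare_digest(hotp(key, counter + delta, digits), code)
    return ok


def new_base32_secret(nbytes: int = 20) -> str:
    """Fresh shared secret as authenticator apps expect it (base32, unpadded)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def decode_base32_secret(b32: str) -> bytes:
    """Accept the lower-case, space-separated and unpadded forms apps display."""
    cleaned = b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def provisioning_uri(b32_secret: str, account: str, issuer: str) -> str:
    """The otpauth:// URI an enrolment QR code encodes (placeholder names)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32_secret}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    # Enrolment: the secret is generated once, shown as a QR code, and from then
    # on exists only in the app and on the server. Nothing here ever crosses
    # the mobile network, which is why a SIM swap gains the attacker nothing.
    secret = new_base32_secret()
    print(provisioning_uri(secret, "user@example.com", "ExampleService"))
    key = decode_base32_secret(secret)
    now = time.time()
    code = totp(key, now)
    print("current code:", code, "valid:", verify_totp(key, code, now))
```

The RFC 6238 test vectors (shared secret `12345678901234567890`, code `287082` at T=59) are a quick way to confirm an implementation before trusting it; the point to take away is that the only secret involved is the one enrolled into the app, so the phone number plays no part at all.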


Deep Dive 3 — Meta’s €390M ($411M) Fine, and its Implications

The Irish Data Protection Commission (Irish DPC) has found that Meta is not in compliance with the GDPR because it doesn’t get user consent for targeted advertising. The decision requires Meta to pay the fine and to update its processes to gather the needed consent on Facebook and Instagram.

Obviously Meta are appealing the decision, but so is the Irish DPC (sort of)!

If you want a detailed understanding of the GDPR, I suggest CCATP episode 534, where Allison and I go through the entire regulation in detail, but for this discussion we just need to understand one concept: the legal basis on which data is processed. Under the GDPR, each piece of personal data you collect must be covered by one of six possible legal bases:

  1. Consent
  2. Legitimate Interest
  3. Contractual Obligations
  4. Legal Obligations
  5. Vital Interests
  6. Public Interest

Just two of those are in play here: Consent and Contractual Obligations.

Meta say that by using Facebook you are entering into a contract with them, and that that contract requires tracking for targeted ads, so no consent is needed.

In their initial draft ruling on a case brought by Austrian privacy campaigner Max Schrems, the Irish DPC agreed with Meta, but that draft had to be circulated to all the other EU DPCs, and many did not agree. That kicked off a dispute-resolution process in which the ruling went to the European Data Protection Board (the EDPB, made up of the EU’s DPCs), and the board agreed with Schrems that ad targeting is not covered by contractual necessity because tracking is not essential for delivering the service, so consent is needed. The board overruled the Irish DPC and required them to issue the ruling against Meta that made the news.

The Irish DPC is quite cranky about being overruled like this, so they have filed suit in the European courts, alleging that the EDPB overstepped its authority with this ruling.

If the ruling stands it’s a really big deal: it would mean actual informed consent would be needed for targeted ads.


Notable News

Top Tips

Interesting Insights

Palate Cleansers


When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.
