Deep Dive 1 — The LastPass Breach Reports
Since we last recorded, LastPass have released a lot of very detailed information. This is finally the level of detail I expect to see from responsible organisations. The structure and contents of the various reports are in line with industry norms at last.
The best entry point into the set of documents released is their summary blog post (Security Incident Update and Recommended Actions — [blog.lastpass.com/…](https://blog.lastpass.com/2023/03/security-incident-update-recommended-actions/)); it links to the more detailed posts so you can drill down into the sections you’re interested in.
My big-picture takeaways are:
- The company was probably coasting in terms of security posture in the lead-up to the incident. They seem to have slipped behind the curve, not having kept pace with the rapidly changing best practices rather than making specific obvious mistakes.
- Management seem to have seen the light — their short and medium-term plans make sense, and seem realistic.
- While their announced roadmap will make the service more secure, the most fundamental weakness remains: the security of a vault rests entirely on the strength of its master password. They will do more to help users choose strong master passwords, but they are not moving to 1Password’s fundamentally more secure design, in which the master password is combined with a high-entropy Secret Key generated on the device, so the strength of the vault’s encryption key does not depend solely on the user.
- There’s still one piece of information I wish they’d shared: their backup retention policy. But even if they had told us, we’d probably still be where we are: users should assume that anything older than last October is at risk, and that its security rests on the worst master password you ever had on your account.
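The design gap in the last-but-one point (a vault key derived from the master password alone, versus one that also mixes in a random, device-held Secret Key) is easiest to see in code. The following is an added illustration, not LastPass’s or 1Password’s own code or exact algorithm: it shows both derivations, a stand-in for the offline “does this key open the stolen vault?” check, and a small dictionary attack run against each. The iteration count, salt, wordlist and weak password are constructed for the demo, and the two-secret derivation (PBKDF2 of the password XORed with an HMAC of the Secret Key) is a simplified stand-in for 1Password’s Two-Secret Key Derivation.

```python
import hashlib
import hmac
import secrets

# Assumed KDF cost for the demo; real products use their own (much larger) iteration counts.
ITERATIONS = 100_000


def derive_key_password_only(master_password: str, salt: bytes) -> bytes:
    """Vault key from the master password alone: its strength is exactly the password's."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, ITERATIONS, dklen=32)


def derive_key_two_secret(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Vault key from the master password AND a random 128-bit Secret Key that lives only on
    enrolled devices. Illustrative two-secret derivation, not any vendor's exact algorithm:
    the password part is stretched with PBKDF2, the Secret Key part is run through HMAC, and
    the two are XORed, so an attacker must know both to reproduce the key."""
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, ITERATIONS, dklen=32)
    sk_part = hmac.new(secret_key, salt, "sha256").digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def make_verifier(key: bytes) -> bytes:
    """Stand-in for 'does this key decrypt the stolen vault?'. In a real vault that check is the
    AEAD authentication tag on the ciphertext; the attacker holds the blob, so it runs offline."""
    return hashlib.sha256(b"vault-verifier" + key).digest()


def offline_dictionary_attack(verifier: bytes, salt: bytes, wordlist, derive):
    """Offline guessing against a stolen vault: push each candidate password through
    derive(candidate, salt) and stop at the first key that verifies."""
    for candidate in wordlist:
        if hmac.compare_digest(make_verifier(derive(candidate, salt)), verifier):
            return candidate
    return None


def demo():
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed; stored alongside the vault
    master_password = "Summer2019!"                             # constructed weak password
    secret_key = secrets.token_bytes(16)                        # generated at enrolment, never uploaded

    # Constructed attacker wordlist; a real one has hundreds of millions of entries.
    wordlist = ["password", "letmein", "Summer2019!", "Winter2020!", "qwerty123"]

    v_pw_only = make_verifier(derive_key_password_only(master_password, salt))
    v_two = make_verifier(derive_key_two_secret(master_password, secret_key, salt))

    # Password-only vault: the weak password is in the wordlist, so the attacker wins.
    cracked_pw_only = offline_dictionary_attack(v_pw_only, salt, wordlist, derive_key_password_only)

    # Two-secret vault, same wordlist, but the attacker only has the stolen blob and no Secret Key.
    # Guessing the password alone can never verify; they would have to search 2^128 Secret Keys too.
    attacker_guess_sk = bytes(16)
    cracked_two = offline_dictionary_attack(
        v_two, salt, wordlist,
        lambda pw, s: derive_key_two_secret(pw, attacker_guess_sk, s))

    # Legitimate user: password plus the Secret Key from an enrolled device reproduces the key.
    legit_unlock = hmac.compare_digest(
        make_verifier(derive_key_two_secret(master_password, secret_key, salt)), v_two)

    return {
        "password_only_cracked": cracked_pw_only,
        "two_secret_cracked": cracked_two,
        "two_secret_legit_unlock": legit_unlock,
    }


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is the one in the bullet above: with a password-only design, every leaked backup is exactly as strong as the weakest password it was encrypted under, and the attacker’s cost is bounded only by the KDF iteration count. With a second, machine-generated secret in the derivation, a leaked blob is useless without the device, however weak the password.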
If you’re still using LastPass, you really need to follow LastPass’s advice: Recommended Actions for Free, Premium, and Families Customers — support.lastpass.com/…
That’s the most important stuff, but I have some more thoughts and impressions for those interested.
Firstly, the backup question. In an ideal world, we’d know exactly what point or points in time each leaked backup was taken, but in hindsight that was probably unrealistic. The age of data in a backup is different for each piece of information, and is the product of two factors — the backup retention policy in use, and the times the files change. Unless the retention policy is extremely simplistic — a single copy updated at a specific rate — it’s basically impossible to tell users the exact point in time their oldest backup was captured. But we now know things are even more complicated for LastPass vaults because on the backend, vaults are not single files, but collections of data shards stored in different databases and/or file systems, each with their own backup schemes. So different parts of your vault will be backed up on different schedules!
Secondly, the way the organisational information from the first breach provided the wedge to start the second breach illustrates perfectly what I mean when I warn about the danger of spear phishing. At a technological level, the two breaches were unrelated, but one did lead to the other in the sense that the first breach gave the attackers a good map of the people that make up the LastPass team and their roles within the organisation. That let the attackers choose their target wisely, and target them effectively.
Finally, this breach perfectly illustrates the importance of basic security hygiene. There was no spectacular zero-day exploit requiring spectacular skill from the attackers; it was the simple stuff that let them get a toe in the door, and then slowly expand their footprint, mundane step by mundane step. Each step was individually preventable, but protecting every device, every app, every user, and every system from every possible attack all the time is really difficult at scale!
The tools to protect from this type of attack are not rocket science, but they need to be procured, maintained, actively managed, supervised day-in-day-out, and regularly reviewed and updated. The only way to do that is to resource a dedicated security team well.
It’s really boring, but if you want to have effective cybersecurity defences you need to ensure you have:
- The budget to pay for the best current tools, the outside experts to help configure them, and the staff to run them day-to-day
- Enough staff that they can spend a significant percentage of their time learning, both independently, and in more formal settings.
- Enough of those well educated staff that they have time to dedicate to regularly reviewing and updating the organisation’s entire security infrastructure.
Cybersecurity evolves relentlessly, so you have to run to stand still!
To bring it back to LastPass, from my reading of both the incident reports, and their resulting changes, the impression I get is that in the lead up to the attacks they don’t seem to have had the resources to:
- Protect their staff’s devices (endpoints, in the jargon) adequately
- Implement enough of the Zero Trust principles (continuous identity verification, the principle of least privilege, and the assumption of breach)
- Actively watch for unusual activity and trigger appropriate alerts (a mix of copious logging, the automation and AI needed to digest it all, and the humans to investigate)
The silver lining is that ‘all’ organisations need to do is a good job of the boring basics!
Deep Dive 2 — Why Your iPhone Passcode REALLY Matters
Joanna Stern has done some excellent reporting that has rightly gotten a lot of coverage. She’s revealed how organised criminal gangs are managing to steal iPhones and deactivate activation lock without any kind of high-tech fancy-pants hackery.
We’ve seen anecdotes for some years now of people having their phones stolen and then finding themselves locked out of their iCloud accounts. We never understood how that happened, and people made two opposite assumptions:
- These people must have used weak passwords so the bad guys just guessed (zero tech)
- The attackers had access to advanced hardware crackers like GrayKey (super-high tech)
Reality, it turns out, is much more banal — some years ago Apple added a feature to help people avoid getting locked out of their iCloud accounts, and as a result, simply watching someone type their simple iPhone PIN is all attackers need to take over an iCloud account, and hence disable activation lock.
The feature in question is Apple ID password reset from a trusted, signed-in device. If you are signed in to iCloud on an Apple device, that device counts as trusted and can be used to reset your Apple ID password. The only thing protecting that reset is the device’s own lock, which on an iPhone is the passcode, usually a 4- or 6-digit PIN.
Working as a team, the attackers shoulder-surf victims unlocking their phones, then steal the phones. With both the device and the passcode, they can reset the Apple ID password, turn off Find My and with it Activation Lock, and in the process lock the real owner out of everything in their account!!!
Biometrics are no protection, because they are never required: as we all learned during COVID, when Face ID fails, the phone simply asks for your passcode and lets you in.
The only answer is to remember to protect your phone’s passcode the way you used to protect your PIN at the cash machine back when we used cash! Firstly, be discreet when entering it, but also consider making it harder to shoulder-surf by switching to an alphanumeric code. Thanks to biometrics you rarely have to type the code, so it’s not actually a big inconvenience to make it a password rather than a PIN!
Another tip doing the rounds is to enable Screen Time (Apple’s parental controls) on your own phone and set Content & Privacy Restrictions to disallow Account Changes, so that a separate Screen Time passcode is needed before anyone can touch the Apple ID/iCloud settings. It is a workaround rather than a fix, but it adds a second secret the thief did not see you type.
- 💵 Joanna Stern’s article (paywalled): A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life — www.wsj.com/…
- Some good advice I agree with: Stop using your 4-digit iPhone passcode in public. Do this instead — www.zdnet.com/…
- The trick of using Parental Controls: Simple security hack keeps your iCloud account safe from iPhone thieves — www.cultofmac.com/…
- GoDaddy admits: Crooks hit us with malware, poisoned customer websites — nakedsecurity.sophos.com/…
- A timely reminder of why SMS makes for very poor MFA/2FA: Hackers Claim They Breached T-Mobile More Than 100 Times in 2022 — krebsonsecurity.com/… (to provide SIM-swapping-as-a-Service to cyber criminals)
- Beware rogue 2FA apps in App Store and Google Play – don’t get hacked! — nakedsecurity.sophos.com/… (overpriced subscriptions and theft of MFA/2FA secrets)
- A timely reminder of why you shouldn’t pirate software: macOS targeted by evasive crypto-jacking malware — appleinsider.com/… (spreading through pirated copies of Final Cut Pro)
- Facebook announce a paid-for tier with account verification (actual identity checks requiring government ID), identity protection (protection from being impersonated on Facebook), and premium support for $11.99 per month — appleinsider.com/…
- You can now buy a hardware AirTag detector — appleinsider.com/…
- 🇺🇸 The Biden administration have published the US’s latest national cybersecurity strategy (these have been a thing since shortly after 9/11) — krebsonsecurity.com/…
- The administration want to work with Congress on laws that would stop software and service vendors disclaiming all liability through contract clauses, replacing that blanket immunity with real responsibilities, combined with a safe harbour for vendors that meet a defined baseline standard
- China is now seen as the biggest threat to US cybersecurity (both public and private)
- 1Password preview their upcoming support for Passkeys for unlocking your vault (so zero passwords 🙂) — blog.1password.com/…
- From Bart: The BBC World Service’s twice-daily Global News Podcast has started dedicating one episode each week (on Saturdays) entirely to good news.
- From Allison/Bart/Barry: CGP Grey explains what the numbers on runways mean. His magic is explaining the intricate complexities of something you thought was simple. The Simple Secret of Runway Digits
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
Legend for the icons that prefix some links:
- A link to audio content, probably a podcast.
- A call to action.
- A country flag (e.g. 🇺🇸): the story is particularly relevant to people living in a specific country, or the organisation the story is about is affiliated with the government of a specific country.
- A link to graphical content, probably a chart, graph, or diagram.
- A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
- 💵 A link to an article behind a paywall.
- A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
- A tip of the hat to thank a member of the community for bringing the story to our attention.