Feedback & Followups
- UK backs down from nonsensical law after threats from Apple, WhatsApp — appleinsider.com/… (in a dishonest way, but better than nothing)
Deep Dive — LastPass Vaults are Being Cracked (Follow the Money!)
It was predicted when the details of the LastPass breach emerged that it would become viable to crack the weakest vaults in a matter of months, and it now seems clear that that’s started to happen. To understand what’s happening, and why it makes sense, it’s important to remember two things:
- Depending on when you started your LastPass account, you had different encryption strengths by default, and LastPass never pro-actively upgraded the encryption, so the most loyal users had the worst protection.
- The attackers got both the encrypted vaults and metadata about the vaults, including the encryption strength and customer information.
To understand cybercrime, the single most important thing to remember is that it’s a for-profit enterprise, so you need to follow the money. If it doesn’t make economic sense to attack a weakness, it won’t be attacked; if it does, it almost certainly will be!
What Brian Krebs is reporting is that a spate of high value crypto thefts (we’re talking millions of dollars) has been linked to leaked LastPass vaults belonging to prominent members of the crypto community and employees of prominent Crypto firms.
These users had strong passwords but weakly encrypted vaults, so attacking their vaults still cost money — the raw computing power to perform a brute-force attack against even weak encryption is substantial, and it has to be paid for somehow — be that in hardware & electricity bills, cloud computing bills, or botnet fees. But these users were also carefully chosen because the probability that their vaults contained cryptocurrency private keys was high. Because the attackers had both the metadata and the encrypted vaults, they could carefully choose their targets to maximise their profits.
Think about it this way: if it costs $10K to attack a weakly encrypted vault, and you choose vaults with a 10% chance of containing a $1M crypto wallet private key, then you invest $100K to make $1M, which gives $900K profit! I’m just making very crude guesses with nice round numbers, but the principle certainly applies if we’re seeing the attacks happening for real.
The silver lining here is that if you’re not recognisable as a likely valuable target based on the leaked metadata, the chances are very small that your vault will be attacked. Attacking any vault is not cheap, and with so many to choose from, the attackers are going to be careful and deliberate in their choices. Remember, they’re in it for profit!
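To put numbers on the two points above (weaker key derivation makes every password guess cheaper, and cheap guesses plus good target selection are what make an attack pay), here is an added Python example that is not part of the original show notes. LastPass derives the vault key from the master password with PBKDF2-HMAC-SHA256, salted with the account e-mail; the iteration counts, the lower-casing of the e-mail, and the dollar figures below are constructed illustrative values, not from the page or from LastPass, and `seconds_per_guess` only measures the CPU of the machine it runs on.

```python
import hashlib
import time

# Constructed example values (assumptions, not from the page): an "old default"
# iteration count versus a current recommended one. Check your own account's
# actual setting rather than trusting these numbers.
OLD_DEFAULT_ITERATIONS = 5_000
RECOMMENDED_ITERATIONS = 600_000
KEY_LENGTH = 32  # 256-bit vault key


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive a vault key with PBKDF2-HMAC-SHA256.

    The KDF is the one LastPass uses; salting with the lower-cased e-mail and the
    32-byte output are assumptions made for this illustration.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=KEY_LENGTH,
    )


def cost_multiplier(old_iterations: int, new_iterations: int) -> float:
    """PBKDF2 work is linear in the iteration count, so one guess against a vault
    at new_iterations costs this many times more than one at old_iterations."""
    return new_iterations / old_iterations


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Best-of-N wall-clock time for a single derivation on this machine.

    This is a single-core CPU figure; dedicated cracking hardware is far faster per
    guess, but the ratio between two iteration counts stays the same, which is why
    raising your iteration count is worthwhile regardless of the attacker's kit.
    """
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        derive_vault_key("correct horse battery staple", "user@example.com", iterations)
        best = min(best, time.perf_counter() - start)
    return best


def expected_profit(cost_per_vault: float, hit_probability: float,
                    payoff: float, vaults_attacked: int) -> float:
    """The page's back-of-envelope model of the attacker's decision: spend
    cost_per_vault on each of vaults_attacked vaults, each of which holds a prize
    worth payoff with probability hit_probability."""
    spend = cost_per_vault * vaults_attacked
    expected_return = payoff * hit_probability * vaults_attacked
    return expected_return - spend


if __name__ == "__main__":
    old = seconds_per_guess(OLD_DEFAULT_ITERATIONS)
    new = seconds_per_guess(RECOMMENDED_ITERATIONS)
    print(f"one guess at {OLD_DEFAULT_ITERATIONS:>7} iterations: {old:.4f}s")
    print(f"one guess at {RECOMMENDED_ITERATIONS:>7} iterations: {new:.4f}s")
    print(f"theoretical cost multiplier: "
          f"{cost_multiplier(OLD_DEFAULT_ITERATIONS, RECOMMENDED_ITERATIONS):.0f}x, "
          f"measured: {new / old:.0f}x")
    # The page's round numbers: $10K per vault, 10% hit rate, $1M prize, 10 vaults.
    print(f"expected profit on the page's example: "
          f"${expected_profit(10_000, 0.10, 1_000_000, 10):,.0f}")
```

The defender-side reading of the output is the point: the per-guess cost, and therefore the `cost_per_vault` term that decides whether attacking you is profitable, scales linearly with the iteration count, so the cheapest protection a user of any password manager has is to check that setting and raise it (and to change the master password afterwards, since the old vault ciphertext is already out of your hands).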
Links
- Brian Krebs Reporting: Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach — krebsonsecurity.com/…
❗ Action Alerts
- Apple issues patches for their OSes to address vulnerabilities used by recent versions of the NSO Group’s Pegasus spyware, including a zero-click exploit, though Lockdown Mode did protect against exploitation:
- OS Security Updates Plug Image and Wallet Vulnerabilities Exploited by Pegasus Spyware — tidbits.com/…
- Exploit that delivered Pegasus spyware patched in iOS 16.6.1 update — appleinsider.com/…
- Apple patches “clickless” 0-day image processing vulnerability in iOS, macOS — arstechnica.com
- Apple fixes 0-Day Vulnerability in Older Operating Systems — isc.sans.edu/… (iOS/iPadOS 15.7.9, macOS Monterey 12.6.9 & macOS Big Sur 11.7.10)
- Related: Apple warns Russian journalists of Pegasus iPhone infections — appleinsider.com/…
Worthy Warnings
- Malicious Google ads deceive Mac users into installing Atomic Stealer malware — appleinsider.com/… (From researchers at Malwarebytes, and note we are talking about social engineering to trick users into installing trojans, not self-propagating viruses)
- Tip from NosillaCastaway @Grumpy (aka Mike Price): If you use the budding social network Bluesky, be aware that there are known and un-patched vulnerabilities that allow the true targets of links to be obscured, which could aid phishing attempts — github.com/…
Notable News
- Mozilla have released their first privacy report on cars: Mozilla Says Modern Cars Are Data Collection Nightmares on Wheels — tidbits.com/…
- The full report: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy — foundation.mozilla.org/…
- A detailed article on how car companies collect the data: What Data Does My Car Collect About Me and Where Does It Go? — foundation.mozilla.org/…
- The EU Commission have officially announced the Digital Markets Act (DMA) gatekeepers — www.cultofmac.com/…
- It includes services from the companies you’d expect — Alphabet, Amazon, Apple, ByteDance, Meta & Microsoft
- The law does not apply to companies though, it applies to individual products — see the image below from the commission for the full list:
- There are some notable exceptions — primarily in the messaging category where both Apple’s Messages app and Microsoft’s Teams are omitted
- The US DOJ’s antitrust case against Google has opened, with the government accusing Google of ‘knowingly’ breaking the law; the case still has weeks to run — appleinsider.com/…
- Apple has released its latest report on its responses to law enforcement requests; the numbers are basically flat since the previous report, so nothing really of note — appleinsider.com/…
Palate Cleansers
- From Bart: A double pick, both a podcast series, and the British Sci-fi comedy it recommends — Imaginary Worlds: The Nine Lives of Red Dwarf — overcast.fm/…
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
Note: Bart and Allison are aware that emoji are not showing. There appears to be an encoding problem in the database that is causing this, and we’re in the process of discovery to solve it. The curious thing is that it’s a problem on both Allison’s podfeet.com and Bart’s lets-talk.ie.
| Emoji | Meaning |
|---|---|
| | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| | A link to graphical content, probably a chart, graph, or diagram. |
| | A story that has been over-hyped in the media, or, “no need to light your hair on fire”. |
| | A link to an article behind a paywall. |
| | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| | A tip of the hat to thank a member of the community for bringing the story to our attention. |