Robin’s Newsletter #236

24 December 2022. Volume 5, Issue 52
LastPass customer vault data stolen in breach. EternalBlue-style vulnerability in Windows. Okta source code stolen.

Happy Holidays! This edition was going to be a 2022 retrospective, but there is quite a lot to cover in its own right this week!

This week

Customer data stolen in LastPass breach

  • LastPass says attackers took customer vault data during their most recent breach. The 22nd December update doesn’t provide any information on the number of affected users or attempt to qualify the number in any way, indicating that the whole customer base may have been affected.

  • The compromised data includes company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses customers used to access LastPass services. The attackers stole the data from a backup hosted in a cloud environment.

  • If you are using a unique, strong password as your LastPass master password, the company says, “it would take millions of years to guess your master password using generally-available password-cracking technology.”

  • However, LastPass customers should be vigilant for attempts to phish their master password, as this would allow access to their vault data. Multi-factor authentication won’t protect against attempts on the stolen vaults, because the attackers already hold the encrypted data and only need the master password to decrypt it.

  • The blog post also indicates that not all customer vault data is encrypted. Some fields, such as URLs, aren’t encrypted, so the attackers know which users have accounts on which websites and services. That could allow more targeted spear-phishing attacks against users. If published or shared with other groups, as well as being a privacy issue, it may pose a safety risk in some cases: for example, if a user had an account on an LGBT+ site in a country with laws prohibiting such relationships.

  • The LastPass blog post does not provide details on what vault data — beyond URLs — is unencrypted. Confusingly, the company’s Zero Knowledge Architecture implies that the whole vault is encrypted locally before transmission to LastPass.

  • I’ve reached out to LastPass for clarification and will update this post if/when I hear back from them. UPDATE, 15th Jan: I have tried repeatedly to contact LastPass and have not heard back from the company over my query around which ‘vault data’ is (not) encrypted. This matches reports from journalists too. As a result, I have come to question the company’s “commitment to transparency” (vol. 6, iss. 3).

  • I know that a lot of you are LastPass users — they gave me free licences for subscribers of this newsletter on its first birthday — and so here is what I recommend:

  1. Change your master password
  2. If your previous master password was weak, then you will need to change the passwords on all the sites in your vault
  3. Enable multi-factor authentication on your LastPass account (if you haven’t already!)
  4. Check that the ‘password iterations’ setting for your account is at least 100,100; increase this to 310,000 as recommended by OWASP
  5. Sign up for notifications with Have I Been Pwned

  • It is still much better to use a password manager than not. You may consider moving to a different provider.
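The ‘password iterations’ step above matters because the stolen vaults can only be opened by stretching a guessed master password through the key-derivation function, and each iteration makes every guess cost more. The following is an added example, not LastPass’s code or a description of its exact scheme: it derives a vault key with PBKDF2-HMAC-SHA256, using the account email as the salt (an assumption; real products may combine inputs differently), refuses iteration counts below the 100,100 floor, and shows how much the work per guess rises when moving to the OWASP-recommended 310,000. The email, master password and function names are constructed for the illustration.

```python
import hashlib
import hmac
import time

# Constructed sample values for illustration only (not real credentials).
SAMPLE_EMAIL = "user@example.com"
SAMPLE_MASTER_PASSWORD = "correct horse battery staple"

# The two iteration counts named in the recommendation above.
MINIMUM_ITERATIONS = 100_100
OWASP_ITERATIONS = 310_000


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit key with PBKDF2-HMAC-SHA256.

    Assumption: the (lower-cased) account email is the salt. It is unique per
    user and known to the client, which is why password managers commonly use
    it; the exact salt construction of any real product is not asserted here.
    """
    if iterations < MINIMUM_ITERATIONS:
        raise ValueError(
            f"iterations={iterations} is below the {MINIMUM_ITERATIONS} floor"
        )
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def relative_guess_cost(old_iterations: int, new_iterations: int) -> float:
    """PBKDF2 cost is linear in the iteration count, so raising the setting
    from old to new multiplies the work behind every guess by new/old."""
    return new_iterations / old_iterations


def seconds_per_guess(iterations: int, password: str = SAMPLE_MASTER_PASSWORD,
                      email: str = SAMPLE_EMAIL) -> float:
    """Wall-clock time for one derivation on this machine. A rough indication
    only: dedicated cracking hardware runs many derivations in parallel."""
    start = time.perf_counter()
    derive_vault_key(password, email, iterations)
    return time.perf_counter() - start


def keys_match(a: bytes, b: bytes) -> bool:
    """Constant-time comparison, the right primitive whenever a derived key
    or hash is checked against a stored value."""
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    for n in (MINIMUM_ITERATIONS, OWASP_ITERATIONS):
        print(f"{n:>8} iterations: {seconds_per_guess(n) * 1000:8.1f} ms per guess")
    ratio = relative_guess_cost(MINIMUM_ITERATIONS, OWASP_ITERATIONS)
    print(f"Work per guess increases {ratio:.2f}x at the OWASP setting")
```

The iteration count is a multiplier on the attacker’s cost, not a substitute for a strong master password: a short or reused password falls to a small number of guesses regardless of the setting, which is why step 2 above tells you to rotate site passwords if the old master password was weak.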

Interesting stats

48.4% is the share of US ad revenues taken by Meta (Facebook) and Alphabet (Google), the fifth consecutive year of decline, as Amazon, Apple and ByteDance (TikTok), and other ‘1st-party’ advertising solutions take a more significant market share.

Other newsy bits

  • A remote code execution vulnerability in Windows was patched by Microsoft in September that shares similarities with EternalBlue. EternalBlue is the ‘wormable’ vulnerability used to spread in the 2017 WannaCry attack. CVE-2022-37958 is worse, affecting not just SMB but anything that hands off to Windows authentication, like RDP, SMTP and some web apps like company portals. The good news is that Microsoft patched it in September — you’re up to date, right? — however, Microsoft recently upgraded the severity of the issue from important to critical, as they hadn’t fully understood the impact.

  • Okta says attackers stole the source code for its Customer Identity Cloud during an incident earlier this month where they accessed private GitHub repositories. The company says that live service and customer data were unaffected, adding that “[Okta] does not rely on the confidentiality of its source code as a means to secure its services.”

  • Phishing campaigns and info-stealer malware are being used by Russia against users of a Ukrainian military operations system. The system, called Delta, is used to collect intelligence data from military commanders and soldiers from land, sea, air and space, so, unsurprisingly, it’s being targeted.

  • Criminals compromised a system used to manage the taxi queue at New York’s JFK airport. They obtained access “at various times” over a year, bribing legitimate system users to install malware and stealing authorised devices. Taxi drivers could pay the attackers $10 to cut their wait in the pick-up queue, with up to 1,000 trips being “fraudulently expedited” each day.

Two mega-settlements this week:

  • Epic Games, who make the hit game Fortnite, settled with the FTC for over $500 million. The games company is to pay $275 million over allegations it violated the US Children’s Online Privacy Protection Act (COPPA) and another $245 million for “dark patterns” to manipulate users and make it more difficult to cancel subscriptions. The settlement also requires a programme and regular audits to address the complaints.

  • Meta plans to settle a class-action lawsuit over the third-party access abused by Cambridge Analytica for $725 million. Facebook — as the company was previously called — initially argued that its users had consented to the data being shared and had suffered no harm.

Privacy and surveillance:

  • Madison Square Garden Entertainment uses facial recognition systems at its venues to identify and eject attendees from its shows. A lawyer attending a performance from her daughter’s Girl Scout troop was escorted out by security after cameras identified her as working at a law firm involved in legal action against the entertainment group (the lawyer herself is not part of the litigation). In a statement to NBC, MSG Entertainment says it has “a straightforward policy that precludes attorneys pursuing active litigation against the Company from attending events at our venues until that litigation has been resolved.”

  • TikTok has admitted to surveilling journalists to identify their sources. An internal investigation found employees had ‘inappropriately obtained’ the data of two reporters to cross-reference with the location data of parent-company ByteDance employees.

In brief

Attacks, incidents & breaches

  • UK newspaper The Guardian is reporting it is suffering from a ‘serious IT incident’ that it believes to be a ransomware attack. Journalists are working from home, and the publication’s website is unaffected.

Threat intel
  • An authentication bypass vulnerability (CVE-2022-41654) in the Ghost CMS is rated critical and allows attackers to subscribe themselves and send content without an administrator’s approval.

  • A code execution vulnerability in Linux 5.15 kernel, CVSS score 9.6, affecting the in-kernel SMB server, ksmbd.

Cyber defence

  • VirusTotal has released a cheat sheet for threat intel analysts using the platform. (PDF)

And finally

  • Chris Inglis, the US National Cyber Director, is to step down in early 2023, reports CNN. Kemba Walden will fill the position on an interim basis.

  • Good advice from NCSC: Stop blaming users for clicking on bad links. Plus some things you can do to protect them better.
