Robin’s Newsletter #239

This week

LastPass silent on data breach

It’s been almost four weeks since I contacted LastPass for clarification on their data breach (vol. 5, iss. 52). Three times to the press/public relations team and once to a senior member of the organisation via LinkedIn. All have gone unanswered, not even a ‘no comment’ or redirection to existing statements.

My question was simple: can they tell me what ‘vault data’ is encrypted and what isn’t?

I wanted to provide clarification to the many of you that received free LastPass subscriptions celebrating a previous anniversary of this newsletter.

In the user interface of their app and browser plugin, the whole thing appears to be the vault. You can’t view anything until you enter your password and ‘unlock’ the vault. So to many of you, the LastPass customer base and security community, it was a surprise that LastPass did not encrypt website URLs associated with usernames and passwords.

LastPass’s zero knowledge model shows your vault passing through AES-265 encryption before transmitting the “encrypted vault” to LastPass:

I guess that the product decision not to encrypt URLs is to support other features, such as (ironically) breach notifications. However, those alerts could have been handled locally without compromising the privacy and security of user vaults. Whatever the reason, the impression you take from the marketing and support pages of the company’s website is that the whole vault is encrypted and that things like URLs are part of that vault.

To an attacker, this means they can tailor their efforts — be that on brute forcing or phishing — against those customers that are of greatest interest to them. It’s also a breach of privacy, with little effort revealing exactly which customers access which websites and services and when they were last accessed.

The identity and intent of the attackers are unknown, and it is unclear if they will keep the data to themselves or offer it to other parties. 

Understanding what information is easily accessible matters to LastPass customers because other metadata, say notes or the folder organisation, may be important. It could give away further information about them that, in extreme cases, could lead to physical or mental harm.

The lack of response I’ve received, the silence other reputable news sources have received, and the choices on content and structure of the security updates jar with the lauded “commitment to transparency”.

Mistakes happen. Incidents happen. Things don’t always go right. It’s how you handle those situations that define the situation. LastPass’ choices have undermined my trust in the last month, and I’m migrating my personal and business accounts away from them.

Using a password manager is still the right thing to do, and if you’re a LastPass customer, you too may want to consider carefully switching to an alternative.

cyberscoop.com

Royal Mail suffers a ransomware attack

The LockBit ransomware group has attacked Royal Mail, the UK’s postal service, and is threatening to publish data if their demands are unmet. The Telegraph reported that printers at a distribution centre in Belfast printed out hard copies of the cybercriminal’s ransom note.

The attack has disrupted Royal Mail’s ability to send parcels and letters destined overseas, with the company warning of “severe disruption”. Domestic deliveries are unaffected.

The NCSC and National Crime Agency (NCA) are working with Royal Mail to understand the impact.

ft.com, theguardian.com,  zdnet.com

Flights across the US grounded following FAA system outage

Flights were grounded nationwide in the United States this week after a failure of the Federal Aviation Administration’s (FAA’s) Notice to Air Missions system, NOTAM. The system warns airlines of hazards and non-fly zones, such as air shows, military exercises and rocket launches.

The FAA grounded flights while it validated the integrity of flight and safety information, and air traffic was resumed shortly after 9:00 am Eastern Time on 11th January.

arstechnica.com, arstechnica.com (NOTAM explainer)

Interesting stats

3 seconds, the length of training needed to mimic a person’s voice in a new text- to speech (TTS) model from Microsoft called VALL-E. theregister.com

$20.1 billion, the value of illicit crypto current transactions in 2022 (up over 10%), according to Chainalysis, with  44% being linked to organisations sanctioned by the US. cyberscoop.com

Other newsy bits

• Twitter says that leaked data on 200 million users (vol. 6, iss. 2) was likely already publicly available and there is “no evidence” the data was stolen by exploiting the company’s systems.therecord.media

• CircleCI says that attackers stole customer data in a December breach (vol. 5, iss. 52). The company has published a write-up of the incident saying that initial access was via an employee’s laptop, where access tokens allowed the bypass of two-factor authentication. From here, the attackers could access production systems and make off with “customer environment variables, tokens and keys”. techcrunch.com

Attack surface reduction rules in Microsoft’s Defender for Endpoint started causing issues on Friday 13th. The misfiring rules resulted in some icons being removed from the user’s start menus and taskbars. In some cases, it reportedly uninstalled Redmond’s Office suite. theregister.com

• A recent security audit of the US Department of the Interior found 21% of passwords were cracked easily using a password-cracking rig built for $15,000. Within 90 minutes of starting, nearly 14,000 account credentials were recovered, about 16% of the department. techcrunch.com

• Russians can download drivers and software updates from Intel and Microsoft again. Both companies blocked such downloads following the Russian invasion of Ukraine last year, with Intel attributing the change to meeting ‘warranty obligations’. However, you can’t access their main websites: you need to find the specific URL via a search engine first. theregister.com

In brief

Attacks, incidents & breaches

• Fortinet says that attackers used a heap-based buffer overflow vulnerability in its FortiOS SSL-VPN to access government and government-related organisations. CVE-2022-42475 (CVSS score 9.8/10.0) was fixed on 28th November in version 7.2.3, but not before the targeted organisations were infected with “custom implants”. arstechnica.com
• Millions of Japanese customers were affected in data breaches at insurers Aflac and Zurich. 1.3 million Aflac customers with cancer insurance policies had their name, age, gender, and insurance plan information stolen from a third party. A further 0.75 million Zurich car insurance customers had their name, ID, email, date of birth and vehicle information stolen from a third party. therecord.media
• Cybercriminals stole the personal data of 461,070 patients at Maternal & Family Health Services (MFHS) in Pennsylvania during a ransomware attack. techcrunch.com
• San Francisco’s Bay Area Rapid Transport (BART) is investigating a ransomware attack. The Vice Society group has claimed responsibility, while the public transport organisation claimed the incident had impacted no services or internal systems. therecord.media
• Security and privacy issues in California’s new digital license plates. Security researchers gained ‘super administrative access’ to the company’s systems which allowed them to track the physical location of vehicles via GPS vice.com, 

Threat intel

• Group-IB says it has uncovered a new campaign, dubbed Dark Pink, targeting organisations across the Asia-Pacific Region. The firm says that have not attributed to any existing group and believes it may be a new advanced persistent threat (APT) group, typically linked with nation-state activity. cyberscoop.com
• A campaign of 1,300 fake sites pushes info-stealer malware on unsuspecting AnyDesk users. bleepingcomputer.com

Vulnerabilities

• A remote code execution (RCE) vulnerability affecting all versions of the JsonWebToken library before version 9.0.0 has been fixed. CVE-2022-23529 has a CVSS score of 7.6/10.0, and many high-profile apps use the open-source library. bleepingcomputer.com
• A critical authentication bypass in end-of-life Cisco routers will not be patched. CVE-2023-2002 allows an attacker to bypass authentication on the web interface of the small business RV016, RV042, RV042G and RV082 routers and gain root access to the devices. Disabling the web interface and blocking related ports helps to protect against the vulnerability. bleepingcomputer.com

Operational technology

• Vulnerability in Siemen’s S7-1500 series programmable logic controllers can be used to silently install new firmware. The exploit require physical access to the PLCs and abuses the onboard cryptographic chip to decrypt, modify and re-encrypt the firmware for use. Siemens PLCs are used in a wide variety of industrial processes, with a vulnerability being exploited in the Stuxnet attack that disrupted Iran’s uranium enrichment programme in 2009. arstechnica.com

Privacy

• Fears grow that Iran is using facial recognition to identify women not wearing hijabs. arstechnica.com
• France’s data protection regulator has fined TikTok €5 million for making it difficult for users to opt out of tracking on its website. The Commission nationale de l’informatique et des libertés (CNIL) said that the cookies banner on the website of the social media firm allowed single-click acceptance, but no similar option was present for refusal. therecord.media

Industry news

• Shares in Darktrace have fallen below their IPO price. Ten per cent was wiped off the firm’s stock price after it cut its full-year revenue forecast by 2%-4%. Cathy Graham, CFO, attributed it to a challenging macroeconomic environment with “prospects more reluctant to run product trials”. ft.com

And finally

• The final updates for Windows 7 & 8 was last Tuesday, 10th January, when Microsoft’s Extended Security Update program finished. bleepingcomputer.com PS, Exchange Server 2013 reaches end of life in 90 days.

• A neat, and terrifyingly hard-to-audit, abuse of Google Sheets’ IMPORTDATA function to export data. tiktok.com/@trufflesecurity