This week
LastPass breaks silence on breach
- After two months of silence, LastPass CEO Karim Toubba has provided an update on the breach at the company that saw backups of customer password vaults stolen at the end of 2023.
- Through two separate incidents, the attacker first compromised a software engineer’s laptop and gained access to a development environment. During this first attack, the attackers did not access customer information; however, the company believes they did gather intelligence on which members of staff to target.
- On the same day this first incident was resolved, the attackers launched their second attack: targeting a senior engineer at home by “exploiting a vulnerable third-party media software package” and using that remote code execution capability to install a key logger. The senior engineer was one of just four employees in the company that had access to a corporate vault containing the decryption keys needed to access the stolen backups. Once the key logger captured their master password, the attackers could use the master password to view the vault’s contents.
- In addition to the backups of live customer password vaults, the attackers could also steal the ‘K2’ split knowledge component of keys used as multi-factor authentication seeds and federated authentication mechanisms. Contrary to the December update, you may need to take action if you are a business customer using LastPass Federated Login.
- LastPass became aware of the compromise after the attacker used the stolen AWS access keys to perform an unauthorised activity, and AWS GuardDuty picked this up.
- The update also acknowledged customer frustrations over the poor frequency and lack of detail that has been forthcoming from the company. LastPass promises to “communicate more effectively” in the future.
- Recommendations for individuals and families include resetting your master password, increasing the iteration counts, and regenerating your multi-factor authentication shared secret.
- In addition, recommendations for businesses are more involved, including resetting user multi-factor authentication secrets or de-federating and re-federating all of your users (both of which will require users to take action). SCIM, API and SAML keys all need resetting, too.
- The threat actor was systematic and persistent in their approach. Most companies would not have the controls to prevent or detect this. Authentication systems are improving, but many don’t flag successful authentications from untrusted devices.
- However, it’s also crucial to remember that LastPass isn’t ‘many companies’: it is in the business of password management, and at least one senior engineer was logging in to a company vault containing the keys to the kingdom from an ‘untrusted’ home device. Good practice would be to segregate these vaults and accounts and require (procedurally or technically) that logins to this type of crown jewel only occur from company-provided IT.
- Plex, reportedly the media streaming service used to gain access to the employee’s home network, has issued a statement saying they are unaware of any unpatched vulnerabilities in their software. However, the company did also experience a breach within two weeks of the LastPass intrusion.
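One way to implement the control the last two bullets describe, as an added example that is not LastPass code or part of the original post: treat any successful login to a designated crown-jewel vault from a device outside the managed-device inventory as an alert, regardless of whether MFA succeeded. The JSON event format, field names, vault names and sample events are all constructed for illustration.

```python
"""Flag successful logins to crown-jewel vaults from unmanaged devices.

Added example, not LastPass's tooling. The log format, field names and
sample events below are constructed assumptions.
"""
import json
from dataclasses import dataclass

# Constructed sample: one JSON auth event per line (hypothetical schema).
SAMPLE_LOG = """\
{"ts":"2023-02-01T09:12:03Z","user":"eng1","vault":"corp-keys","result":"success","device_id":"MDM-0001","mfa":true}
{"ts":"2023-02-01T09:40:10Z","user":"eng1","vault":"personal","result":"success","device_id":"HOME-LAPTOP","mfa":true}
{"ts":"2023-02-01T21:03:55Z","user":"eng2","vault":"corp-keys","result":"success","device_id":"HOME-LAPTOP","mfa":true}
{"ts":"2023-02-02T02:17:42Z","user":"eng3","vault":"corp-keys","result":"failure","device_id":"UNKNOWN","mfa":false}
"""

# Constructed inventories: which vaults hold the keys to the kingdom, and
# which device identifiers belong to company-managed (MDM-enrolled) hardware.
CROWN_JEWEL_VAULTS = {"corp-keys"}
MANAGED_DEVICES = {"MDM-0001", "MDM-0002"}


@dataclass
class Alert:
    ts: str
    user: str
    vault: str
    device_id: str
    reason: str


def parse_events(log_text):
    """Yield one dict per non-empty JSON line."""
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def find_untrusted_vault_logins(log_text, vaults=CROWN_JEWEL_VAULTS,
                                managed=MANAGED_DEVICES):
    """Return alerts for successful crown-jewel logins from unmanaged devices."""
    alerts = []
    for ev in parse_events(log_text):
        # Failures and logins to ordinary vaults are out of scope here: the
        # point is that a *successful* auth (MFA passed) can still be hostile
        # if it came from a device the company does not control.
        if ev["result"] != "success" or ev["vault"] not in vaults:
            continue
        if ev["device_id"] not in managed:
            alerts.append(Alert(ev["ts"], ev["user"], ev["vault"], ev["device_id"],
                                "crown-jewel vault login from unmanaged device"))
    return alerts


if __name__ == "__main__":
    for a in find_untrusted_vault_logins(SAMPLE_LOG):
        print(a)
```

On the sample data only the eng2 login fires: eng1 used a managed device for the corporate vault, and the eng3 attempt failed.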
White House cyber security strategy
- This week, the White House unveiled its National Cybersecurity Strategy, setting the agenda to protect the United States in cyberspace. While US-centric, it will undoubtedly make waves worldwide, with ambitions to “rebalance the responsibility for cybersecurity to be more effective and more equitable,” and “realign incentives to favor long-term investments in security, resilience, and promising new technologies.”
- The strategy (PDF) is built around five pillars: setting minimum requirements for critical infrastructure; taking offensive action to disrupt and dismantle cybercriminals and nation states; shifting liability and using market forces to promote responsibility amongst technology companies; growing a diverse cyber workforce; and building international partnerships.
- The US has lagged behind the EU in cyber regulation of critical infrastructure; Europe’s Network and Information Systems (NIS) directive came into force almost five years ago in May 2018. The US has a lot more utility and infrastructure providers, like municipal water companies, so the requirements will need to scale across a wide range of organisation sizes.
- Shifting responsibility for security onto larger technology vendors is another notable, if controversial, objective. Jen Easterly, head of the US Cybersecurity and Infrastructure Agency (CISA), says tech companies “were not incentivized to create safe technology,” amid calls for them to “fundamentally shift” product design to take greater responsibility for the security of their products. Another senior official is quoted as saying “we can’t have [software companies] devolving that responsibility down to a two-person open source project that hasn’t received any funding in the last five years”.
- I think this is a good thing: increasingly, I believe that the best way to tackle the cyber skills gap and improve security posture simultaneously is to do so ‘at source’. Imagine if your car came without a unique key and anyone could unlock it. That’s how many smart devices will still ship in 2023. As we increasingly rely on technology, it must be secure-by-design and secure-by-default.
Interesting stats
95% of iCloud users use multi-factor authentication, compared with 25% of Microsoft users and just 3% of Twitter users enabling a form of MFA. (See White House cyber strategy above.)
Other newsy bits
- Video: A great explainer of the growing problem of criminals shoulder-surfing phone PINs and then stealing devices. You can change an iCloud password knowing just the device PIN (Apple should fix this) and gangs are getting extremely quick at doing that. One victim says less than three minutes. Biometric authentication — TouchID, FaceID — often falls back on the device PIN code and can be used to open banking apps, or in many cases, users have the same PIN for their banking apps as they do on their devices. The resale value of iPhones and the demographics of their users make them more attractive targets than Android handsets, though the same steps can be used against these too.
- The Lockdown Files: Journalist and ghostwriter Isabel Oakeshott handed over 100,000 WhatsApp messages to The Telegraph from former UK health secretary Matt Hancock. The messages were shared with her (under a non-disclosure agreement) while writing a book for Hancock. An ICO spokesperson says they “do not see it as a matter for the ICO,” citing public interest and other exemptions.
- A year of cyber-war: Cyberscoop has an interview with Victor Zhora, the deputy chairman of the State Service of Special Communications and Information Protection of Ukraine, who has been responsible for coordinating Ukraine’s cyber defence and describes lessons learned from fending off Russian attacks.
- Data breach: Personal information of current and former WH Smith employees has been stolen by cybercriminals during an incident at the UK book and stationery retailer. In a regulatory filing, the company said that “there has been no impact on the trading activities of the Group. Our website, customer accounts and underlying customer databases are on separate systems that are unaffected by this incident”.
- Stuffed chicken: Chick-fil-A says that criminals breached 71,473 customer accounts in a credential stuffing attack that lasted from 18th December 2022 to 12th February 2023. The breached accounts were sold for between $2 and $200 on the dark web.
- Carding marketplace: A dataset of over 2,000,000 debit and credit cards has been released for free by the ‘BidenCash’ carding marketplace. A random sample showed that only around 30% were ‘fresh’ and usable; with so many potential users, the rest should hopefully be detected by card issuers pretty quickly.
- Social engineering: Cyber criminals offering SIM swapping services for $1,000 appear to have gained unauthorised access to internal T-Mobile tools on more than 100 different occasions through 2022. It’s believed that T-Mobile employees are targeted by attackers pretending to be the firm’s IT department by phone and then directed to a phishing page mimicking a company login page. This seems like a simple thing to reduce with multi-factor authentication.
- Process failure: Volkswagen’s Car-Net vehicle tracking service initially refused to give an Illinois sheriff’s office the location of a stolen vehicle containing a two-year-old child because the trial period of the service had expired.
- Ransomware: The US Marshals Service suffered a ransomware attack in February and “the affected system contains law enforcement sensitive information.” US TV and telco company Dish has confirmed ransomware as the cause of ongoing disruption across their network; customers have complained about a lack of communications, with Dish initially blaming the outage on ‘VPN issues’. Pierce Transit, which provides public bus services in and around Tacoma, Washington, has been using workarounds since mid-February following an attack by LockBit. The Play ransomware group has started leaking the data it stole from the City of Oakland during a recent ransomware attack. Bitdefender has released a free decryptor for MortalKombat ransomware victims.
- Secrets scanning: GitHub has rolled out a service for all public code repositories that detects accidentally exposed API keys, credentials and authentication tokens.
- ATT&CK Decisions: MITRE has released an open-source tool called Decider to help defenders map adversary behaviours to the tactics and techniques in the popular MITRE ATT&CK framework. The web app can be downloaded from GitHub.
- Endpoint protection: Microsoft is shouting about its ‘leader’ status in the recent Gartner endpoint protection magic quadrant. The blog also provides a link to download a complimentary copy of the report from Gartner, which might be helpful if you’re considering your options. (H/T Phil)
- Privacy: The US Federal Trade Commission has banned online mental health company BetterHelp from sharing personal data with advertising companies. Samuel Levine, director of the FTC’s Bureau of Consumer Protection, slammed the firm for betraying consumers in a ‘moment of vulnerability’ for profit. BetterHelp will pay a $7.8 million fine that will be used, in part, to refund affected customers.
- Combating sextortion: The US National Center for Missing & Exploited Children (NCMEC) has released a tool allowing minors to protect themselves from sextortion. The tool, called Take It Down, uses similar technology to the database of Child Sexual Abuse Materials (CSAM) that NCMEC maintains, but allows individuals to proactively and anonymously report ‘nudes’ they are concerned about to help prevent their spread.
- Fundraising: Cloud security outfit Wiz has completed a $300 million Series D round that values the company at $10 billion.
- Acquisitions: Cisco is to acquire Valtix to bolster its multi-cloud security offering. The terms of the deal were not announced.
And finally
- Dumb password rules: “A collection of 288 sites with dumb password rules,” dumbpasswordrules.com.