Robin’s Newsletter #246

5 March 2023. Volume 6, Issue 10
LastPass breach was via engineer's home device. The White House wants to shift cyber liability.

This week

LastPass breaks silence on breach

  • After two months of silence, LastPass CEO Karim Toubba has provided an update on the breach at the company that saw backups of customer password vaults stolen at the end of 2023.
  • Through two separate incidents, the attacker first compromised a software engineer’s laptop and gained access to a development environment. During this first attack, the attackers did not access customer information; however, the company believes they did gather intelligence on which members of staff to target.
  • On the same day this first incident was resolved, the attackers launched their second attack: targeting a senior engineer at home by “exploiting a vulnerable third-party media software package” and using that remote code execution capability to install a key logger. The senior engineer was one of just four employees in the company that had access to a corporate vault containing the decryption keys needed to access the stolen backups. Once the key logger captured their master password, the attackers could use the master password to view the vault’s contents.
  • In addition to the backups of live customer password vaults, the attackers could also steal the ‘K2’ split knowledge component of keys used as multi-factor authentication seeds and federated authentication mechanisms. Contrary to the December update, you may need to take action if you are a business customer using LastPass Federated Login.
  • LastPass became aware of the compromise after the attacker used the stolen AWS access keys to perform an unauthorised activity, and AWS GuardDuty picked this up.
  • The update also acknowledged customer frustrations over the poor frequency and lack of detail that has been forthcoming from the company. LastPass promises to “communicate more effectively” in the future.
  • Recommendations for individuals and families include resetting your master password, increasing the iteration counts, and regenerating your multi-factor authentication shared secret.
  • In addition, recommendations for businesses are more involved, including resetting user multi-factor authentication secrets or de-federating and re-federating all of your users (both of which will require users to take action). SCIM, API and SAML keys all need resetting, too.
  • The threat actor was systematic and persistent in their approach. Most companies would not have the controls to prevent or detect this. Authentication systems are improving, but many don’t flag successful authentications from untrusted devices.
  • However, it’s also crucial to remember that LastPass isn’t ‘many companies’: it is in the business of password management, and at least one senior engineer was logging in to a company vault containing the keys to the kingdom from an ‘untrusted’ home device. Good practice would be to segregate these vaults and accounts and require (procedurally or technically) that logins to this type of crown jewel only occur from company-provided IT.
  • Plex, reportedly the media streaming service used to gain access to the employee’s home network, has issued a statement saying they are unaware of any unpatched vulnerabilities in their software. However, the company did also experience a breach within two weeks of the LastPass intrusion.
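One way to operationalise the control in the last two bullets (flag successful vault logins from untrusted devices, and restrict crown-jewel vaults to company-provided IT), as an added Python example that is not code from the newsletter or from LastPass; the device inventory, vault ACL, user names and log lines are all constructed:

```python
# Added example (not LastPass's or the newsletter's code): a detection rule for
# the control recommended above. It flags a *successful* login to a crown-jewel
# vault from a device outside the managed inventory, or by a user not on the
# vault's ACL. All device ids, users, vault names and log lines are constructed.
from dataclasses import dataclass

MANAGED_DEVICES = {"lt-eng-0101", "lt-eng-0102", "lt-eng-0177"}  # company-issued
CROWN_JEWEL_VAULTS = {  # vault name -> the few staff allowed to open it
    "prod-backup-keys": {"alice", "bob", "carol", "dave"},
}

@dataclass(frozen=True)
class AuthEvent:
    user: str
    vault: str
    device_id: str
    success: bool

def parse_event(line: str) -> AuthEvent:
    """Parse one 'key=value ...' log line (constructed format)."""
    f = dict(part.split("=", 1) for part in line.split())
    return AuthEvent(f["user"], f["vault"], f["device"], f["result"] == "success")

def evaluate(event: AuthEvent) -> list[str]:
    """Reasons this event should alert; an empty list means no alert.
    Failed attempts are left to the usual failed-auth rules: the gap noted
    above is successful authentication from an untrusted device."""
    if not event.success or event.vault not in CROWN_JEWEL_VAULTS:
        return []
    reasons = []
    if event.device_id not in MANAGED_DEVICES:
        reasons.append(f"{event.vault} opened from unmanaged device {event.device_id}")
    if event.user not in CROWN_JEWEL_VAULTS[event.vault]:
        reasons.append(f"{event.user} is not on the ACL for {event.vault}")
    return reasons

def scan(log: str) -> dict[str, list[str]]:
    """Map each alerting log line to its reasons."""
    return {ln: r for ln in log.splitlines() if (r := evaluate(parse_event(ln)))}

SAMPLE_LOG = """\
user=alice vault=prod-backup-keys device=lt-eng-0101 result=success
user=bob vault=prod-backup-keys device=home-pc-7f3a result=success
user=erin vault=prod-backup-keys device=lt-eng-0177 result=success
user=carol vault=team-wiki device=home-pc-9c21 result=success
user=dave vault=prod-backup-keys device=home-pc-11aa result=failure
"""

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG).items():
        print("ALERT:", line, "->", "; ".join(reasons))
```

Only the two successful crown-jewel logins that break policy alert; the failed attempt and the low-sensitivity vault do not.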

White House cyber security strategy

  • This week, the White House unveiled its National Cybersecurity Strategy, setting the agenda to protect the United States in cyberspace. While US-centric, it will undoubtedly make waves worldwide, with ambitions to “rebalance the responsibility for cybersecurity to be more effective and more equitable,” and “realign incentives to favor long-term investments in security, resilience, and promising new technologies.”
  • The strategy (PDF) is built around five pillars: setting minimum requirements for critical infrastructure; taking offensive action to disrupt and dismantle cybercriminals and nation states; shifting liability and using market forces to promote responsibility amongst technology companies; growing a diverse cyber workforce; and building international partnerships.
  • The US has lagged behind the EU in cyber regulation of critical infrastructure; Europe’s Network and Information Systems (NIS) directive came into force almost five years ago in May 2018. The US has a lot more utility and infrastructure providers, like municipal water companies, that will require a range of scaling requirements.
  • Shifting responsibility for security onto larger technology vendors is another notable, if controversial, objective. Jen Easterly, head of the US Cybersecurity and Infrastructure Agency (CISA), says tech companies “were not incentivized to create safe technology,” amid calls for them to “fundamentally shift” product design to take greater responsibility for the security of their products. Another senior official is quoted as saying “we can’t have [software companies] devolving that responsibility down to a two-person open source project that hasn’t received any funding in the last five years”.
  • I think this is a good thing: increasingly recently, I believe that the best way to tackle the cyber skills gap and improve security posture simultaneously is to do so ‘at source’. Imagine if your car came without a unique key and anyone could unlock it. That’s how many smart devices will still ship in 2023. As we increasingly rely on technology, it must be secure-by-design and secure-by-default.

Interesting stats

95% of iCloud users use multi-factor authentication, compared with 25% of Microsoft users and just 3% of Twitter users who have enabled some form of MFA. (See White House cyber strategy above.)

Other newsy bits

The Gartner Magic Quadrant for Endpoint Protection Platforms (source: Gartner)

  • Privacy: The US Federal Trade Commission has banned online mental health company BetterHelp from sharing personal data with advertising companies. Samuel Levine, director of the FTC’s Bureau of Consumer Protection, slammed the firm for betraying consumers in a ‘moment of vulnerability’ for profit. BetterHelp will pay a $7.8 million fine that will be used, in part, to refund affected customers.

  • Combating sextortion: The US National Center for Missing & Exploited Children (NCMEC) has released a tool allowing minors to protect themselves from sextortion. The tool, called Take It Down, uses similar technology to the database of Child Sexual Abuse Materials (CSAM) that NCMEC maintains, but allows individuals to proactively report ‘nudes’ they are concerned about anonymously to help prevent their spread.

  • Fundraising: Cloud security outfit Wiz has completed a $300 million Series D round that values the company at $10 billion.

  • Acquisitions: Cisco is to acquire Valtix to bolster its multi-cloud security offering. The terms of the deal were not announced.

And finally

