Hey, do any of you use #lastpass?
I'd like it to save different passwords depending on the port for local dev (localhost:8000 won't have the same passwords as localhost:8001), but it doesn't work; it acts as if it didn't care about the port.
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #44/2023 is out! It includes the following and much more:
➝ 🔓 #Okta hit by another #breach, this one stealing employee data from 3rd-party vendor
➝ 🔓 💸 #LastPass breach linked to theft of $4.4 million in crypto
➝ 🇮🇳 #India's Biggest Data Leak So Far? Covid-19 Test Info of 81.5Cr Citizens With ICMR Up for Sale
➝ 🔓 ✈️ #Lockbit ransomware group claims to have hacked #Boeing
➝ 🇳🇱 ⚖️ Dutch hacker jailed for extortion, selling stolen data on RaidForums
➝ 🇷🇺 🇺🇸 Russian Reshipping Service ‘SWAT USA Drop’ Exposed
➝ 🇮🇷 🦠 Iranian Cyber Spies Use ‘#LionTail’ Malware in Latest Attacks
➝ 📉 Security researchers observed ‘deliberate’ takedown of notorious #Mozi #botnet
➝ 🇮🇳 📱 Apple warns Indian opposition leaders of state-sponsored #iPhone attacks
➝ 🌍 Four dozen countries declare they won’t pay #ransomware ransoms
➝ 🇷🇺 How #Kopeechka, an Automated Social Media Accounts Creation Service, Can Facilitate #Cybercrime
➝ 🇪🇺 EU digital ID reforms should be ‘actively resisted’, say experts
➝ 🇷🇺 🇺🇦 #FSB arrests Russian hackers working for Ukrainian cyber forces
➝ 🇺🇸 FTC orders non-bank financial firms to report breaches in 30 days
➝ 🇨🇦 📱 #Canada Bans #WeChat and #Kaspersky Apps On Government Devices
➝ 🇺🇸 #SEC Charges #SolarWinds and Its #CISO With Fraud and Cybersecurity Failures
➝ 🇺🇸 🤖 #Biden Wants to Move Fast on AI Safeguards and Will Sign an Executive Order to Address His Concerns
➝ 🦠 📱 #Avast confirms it tagged Google app as #malware on Android phones
➝ 🦠 🇰🇵 North Korean Hackers Targeting Crypto Experts with #KANDYKORN #macOS Malware
➝ 👥 💸 EleKtra-Leak #Cryptojacking Attacks Exploit #AWS IAM Credentials Exposed on #GitHub
➝ 🦠 🐍 Trojanized #PyCharm Software Version Delivered via #Google Search Ads
➝ ✅ 🤖 #GooglePlay adds security audit badges for Android #VPN apps
➝ 🔐 Microsoft pledges to bolster security as part of ‘Secure Future’ initiative
➝ 🆕 FIRST Releases #CVSS 4.0 Vuln Scoring Standard
➝ 🆕 #MITRE Releases ATT&CK v14 With Improvements to Detections, ICS, Mobile
➝ ⛔️ 🦠 #Samsung Galaxy gets new Auto Blocker anti-malware feature
➝ 🍏 🔐 #Apple Improves #iMessage Security With Contact Key Verification
➝ 🔓 Researchers Find 34 #Windows Drivers Vulnerable to Full Device Takeover
➝ 🔓 🪶 3,000 #Apache #ActiveMQ servers vulnerable to RCE attacks exposed online
➝ 🗣️ #Atlassian CISO Urges Quick Action to Protect #Confluence Instances From Critical #Vulnerability
➝ 🔓 🩸 “This vulnerability is now under mass exploitation.” #CitrixBleed bug bites hard
➝ 🐛 💰 HackerOne paid ethical hackers over $300 million in #bugbounties
📚 This week's recommended reading is: "Permanent Record" by Edward Snowden
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️
We're switching our corporate password manager from #LastPass to #Bitwarden due to several security incidents with LastPass in the past and the increased risk that leaked password vaults will be cracked in the near future.
This means a lot of work now, as every password for publicly accessible services has to be changed manually in this transition process.
Their latest move just shows they care more about their reputation and would rather put responsibility and blame on their customers than solve the very serious security issues they have.
If you still use LastPass migrate asap to another password manager and change the secrets you have been storing in LastPass.
Interesting… #LastPass sent an email around saying that they finally want to start enforcing strong master passwords. Not right now but at some point in future.
No word on enforcing a consistently high number of PBKDF2 iterations. Yet when I logged in this time, my iteration count was finally upgraded to 600,000 automatically. So it looks like they are only five years late rolling out this feature (assuming that this time it has been rolled out to everyone).
Cancelling a #LastPass Teams account has been a nightmare. Firstly, they don't allow you to cancel the auto-renewal/subscription in the back office.
So it took me at least 15 minutes going through cyclic references in the docs to find a contact form where I could submit a generic request.
Now, 2 days later, they finally respond and want more account info, even though I had to be logged in with that account when opening the ticket. So all the information I had to provide was visible from that account.
Since I’m writing a lot about #LastPass and #LastPassBreach lately, I realized that maybe I should disclose my financial ties to the company. I’ve received $20,500 via the LastPass bug bounty program for 9 security issues reported between 2016 and 2018. Another 3 reported security issues received no monetary reward.
Also, following my findings about LastPass’ inadequate account data protection in 2018 (https://palant.info/2018/07/09/is-your-lastpass-data-really-safe-in-the-encrypted-online-vault/), there was a discussion about a consulting agreement allowing me to do a more thorough review of the code. This agreement never materialized, and I suspect that it was part of their overall delay tactics or intended to make me write more favorably about them.
A few years ago, a working student at the company I worked for gave me a funny sideways look because I wasn't using #LastPass.
Everyone does.
And they're trustworthy after all.
It's so much easier than updating KeePass files by hand on every device over and over.
Well...
No pity from my side for using #cloud-based #password services in the first place. Sorry, it's your own fault when you prioritize convenience over #security. Security experts were warning you before and you ignored it. 🤷
There has been a spate of crypto thefts recently, which were not necessarily seen as connected, until one researcher found that almost all of them were from groups that stored the seed phrases for their crypto wallets in LastPass, which was breached almost a year ago.
Having seen so many discussions around the #LastPass breach, I now think that “I have a password with X bits of complexity” is universal code for “I have no clue how password cracking works but I’ll just convince myself that I’m on the safe side.”
There is apparently more evidence that the attackers who breached #LastPass last year did it for money. And this is really the best-case scenario.
Yes, millions of dollars stolen from crypto wallets is sad and everything, and I hope that LastPass is sued into oblivion for their negligence. But just imagine what a state-level actor would have done with passwords of millions of users. There will certainly be some in this pile who are of significant interest to them. And who knows how many companies e.g. with ties to the US government used (still use?) LastPass.
Really, your regular crooks looking to make some money are the friendly bunch in comparison.
Small scoop here: In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious people throughout the tech industry has led some security experts to conclude that crooks likely have succeeded at cracking open some of the stolen LastPass vaults.
"...the researchers learned the attackers frequently grouped together victims by sending their cryptocurrencies to the same destination crypto wallet.
By identifying points of overlap in these destination addresses, the researchers were then able to track down and interview new victims. For example, the researchers said their methodology identified a recent multi-million dollar crypto heist victim as an employee at Chainalysis, a blockchain analysis firm that works closely with law enforcement agencies to help track down cybercriminals and money launderers.
Chainalysis confirmed that the employee had suffered a high-dollar cryptocurrency heist late last month, but otherwise declined to comment for this story."
I published a lengthy write-up on #LastPass again, but the essence is quite short: they’ve had a year, they don’t seem to have done anything. If somebody wants real mitigation advice for the LastPass breach, the LastPass website is still the wrong place to look. It only downplays the impact.
Long-standing technical issues that security researchers have been warning about for years? Still ignored. When the next breach comes, users will be just as ill-protected as they were last year. People have to update their iteration count manually, even though LastPass could have fixed it for everyone automatically. Weak master passwords are still permitted as long as people don’t change them. And much of the data is still not being encrypted (URLs, modification times etc).
Supposedly, they improved the security of their infrastructure. Conveniently for them, nobody can verify this claim. But they are clearly calling it a day, we shouldn’t expect any further improvements.
Guess what: I just logged into my test account, and it is still set to 5000 iterations. If a new breach happens tomorrow, only the people who read about the issue and fixed it under “Advanced settings” will be better protected.
Then again, given LastPass’ security track record, I’m not surprised at all. Should I even bother checking whether they encrypt URLs now, an issue which was brought up in 2015 initially?
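Several posts above (the one about the iteration count being bumped to 600,000, the one about "X bits of complexity", and the last one about a test account still sitting at 5,000 iterations) argue about how much the PBKDF2 iteration count and master-password entropy actually buy an owner of a stolen vault. The following is an added example, written for this page and not code from LastPass or any of the posters, that makes that trade-off concrete: it derives a vault key with PBKDF2-HMAC-SHA256 (the construction LastPass uses; the salt, the e-mail address, and the 32-byte output are assumptions here) and computes the expected offline cracking time for a given entropy and iteration count. The attacker throughput `base_hmac_rate` is a constructed placeholder, not a benchmark of any real hardware; plug in a figure from your own GPU measurements.

```python
import hashlib
import math


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 vault key derivation.

    Assumed scheme for this example: the user's e-mail address is the salt and
    the derived key is 32 bytes. Only the construction (PBKDF2-SHA256 with a
    per-user salt and a configurable iteration count) is taken from the posts.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def guesses_per_second(base_hmac_rate: float, iterations: int) -> float:
    """Candidate master passwords an attacker can test per second.

    PBKDF2 cost is linear in the iteration count (each iteration is one HMAC),
    so throughput is simply the raw HMAC rate divided by the iteration count.
    base_hmac_rate is a constructed number, not a measured benchmark.
    """
    if iterations < 1:
        raise ValueError("iteration count must be >= 1")
    return base_hmac_rate / iterations


def expected_crack_seconds(entropy_bits: float, base_hmac_rate: float, iterations: int) -> float:
    """Expected time to recover a password of the given entropy by brute force.

    On average the attacker finds the password after searching half the space,
    so the expected work is 2**entropy_bits / 2 PBKDF2 evaluations.
    """
    candidates = 2.0 ** entropy_bits / 2.0
    return candidates / guesses_per_second(base_hmac_rate, iterations)


def slowdown_factor(old_iterations: int, new_iterations: int) -> float:
    """How many times longer cracking takes after raising the iteration count."""
    return new_iterations / old_iterations


def entropy_bits_for_budget(target_seconds: float, base_hmac_rate: float, iterations: int) -> float:
    """Password entropy needed so that expected cracking time reaches target_seconds.

    Inverts expected_crack_seconds: solves 2**bits / 2 = target * rate / iterations.
    Useful for answering "how strong must the master password be if my vault is
    stuck at 5,000 iterations?"
    """
    evaluations = target_seconds * guesses_per_second(base_hmac_rate, iterations)
    return math.log2(2.0 * evaluations)


if __name__ == "__main__":
    # Constructed attacker model: a hypothetical GPU rig doing 1e10 HMAC-SHA256/s.
    rate = 1e10
    email = "user@example.com"          # placeholder salt
    password = "correct horse battery"   # placeholder master password

    key_weak = derive_vault_key(password, email, 5_000)
    key_strong = derive_vault_key(password, email, 600_000)
    print("5,000 iter key  :", key_weak.hex())
    print("600,000 iter key:", key_strong.hex())

    for bits in (30, 40, 60):
        for iters in (5_000, 100_100, 600_000):
            days = expected_crack_seconds(bits, rate, iters) / 86_400
            print(f"{bits:2d} bits @ {iters:>7,} iterations: ~{days:,.1f} days")
    print("raising 5,000 -> 600,000 slows cracking by", slowdown_factor(5_000, 600_000), "x")
    print("bits needed for 10-year expected crack at 5,000 iterations:",
          round(entropy_bits_for_budget(10 * 365 * 86_400, rate, 5_000), 1))
```

The numbers show why the posters treat the iteration count as a user-protection issue rather than a nicety: moving from 5,000 to 600,000 iterations multiplies the attacker's cost by 120, about 7 extra bits of password entropy, for free. Conversely, a vault left at 5,000 iterations needs a master password roughly 7 bits stronger to reach the same protection, and most people's "complex" passwords are nowhere near that strong.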