
Security Bits — 5 March 2023

Deep Dive 1 — The Last Pass Breach Reports

Since we last recorded, LastPass have released a lot of very detailed information. This is finally the level of detail I expect to see from responsible organisations. The structure and contents of the various reports are in line with industry norms at last.

The best entry point into the set of documents released is their summary blog ([Security Incident Update and Recommended Actions — blog.lastpass.com/…](https://blog.lastpass.com/2023/03/security-incident-update-recommended-actions/)); this links to the more detailed posts so you can drill down into the sections you’re interested in.

My big-picture takeaways are:

  1. The company was probably coasting in terms of security posture in the lead-up to the incident. They seem to have slipped behind the curve, not having kept pace with the rapidly changing best practices rather than making specific obvious mistakes.
  2. Management seem to have seen the light — their short and medium-term plans make sense, and seem realistic.
  3. While their announced roadmap will make the service more secure, the most fundamental weakness remains — the security of vaults rests entirely on the strength of the master password, and while they will be doing more to help strengthen master passwords, they’re not moving to 1Password’s fundamentally more secure design of layering the master password on top of an account key whose strength doesn’t depend on the user.
  4. There’s still one piece of information I wish they’d shared — their backup retention policy, but the chances are that even if they had told us that, we’d still be where we are — users should assume anything older than last October is at risk and rests on the security of the worst master password you ever had on your account.

If you’re still using LastPass, you really need to follow LastPass’s advice: Recommended Actions for Free, Premium, and Families Customers — support.lastpass.com/…

That’s the most important stuff, but I have some more thoughts and impressions for those interested.

Firstly, the backup question. In an ideal world, we’d know exactly what point or points in time each leaked backup was taken, but in hindsight that was probably unrealistic. The age of data in a backup is different for each piece of information, and is the product of two factors — the backup retention policy in use, and the times the files change. Unless the retention policy is extremely simplistic — a single copy updated at a specific rate — it’s basically impossible to tell users the exact point in time their oldest backup was captured. But we now know things are even more complicated for LastPass vaults because on the backend, vaults are not single files, but collections of data shards stored in different databases and/or file systems, each with their own backup schemes. So different parts of your vault will be backed up on different schedules!
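To make the retention argument in takeaway 4 and the paragraph above concrete, here is an added example of my own (not LastPass’s actual policy, shard layout or data): a simple daily/weekly/monthly retention scheme applied per vault shard, combined with a user’s master-password change history, to list which old master passwords still protect at least one retained backup copy. The shard names, retention counts and dates are all invented.

```python
from datetime import date, timedelta

# Constructed example data (not LastPass's actual policy, shards or dates):
# each backend shard has its own retention, and the user changed their master password twice.
TODAY = date(2023, 3, 5)
SHARDS = {
    "credentials": {"daily": 7, "weekly": 4, "monthly": 12},
    "metadata":    {"daily": 7, "weekly": 0, "monthly": 24},
}
HISTORY = [  # (date the master password came into force, label)
    (date(2020, 1, 1),  "pw-v1 (weak)"),
    (date(2022, 6, 15), "pw-v2"),
    (date(2023, 1, 10), "pw-v3 (strong)"),
]

def retained_snapshots(today, daily=7, weekly=4, monthly=12):
    """Dates of backup copies still held under a daily/weekly/monthly scheme."""
    kept = {today - timedelta(days=i) for i in range(daily)}
    for i in range(weekly):  # one copy per week, taken on the Monday
        d = today - timedelta(weeks=i)
        kept.add(d - timedelta(days=d.weekday()))
    y, m = today.year, today.month
    for _ in range(monthly):  # one copy per month, taken on the 1st
        kept.add(date(y, m, 1))
        y, m = (y, m - 1) if m > 1 else (y - 1, 12)
    return kept

def password_at(history, day):
    """Label of the master password in force on `day` (None if before the first one)."""
    label = None
    for changed_on, name in sorted(history):
        if changed_on <= day:
            label = name
    return label

def oldest_retained(today, shards):
    """The oldest backup copy of any shard: data this old must be assumed at risk."""
    return min(min(retained_snapshots(today, **p)) for p in shards.values())

def exposed_passwords(today, shards, history):
    """Every master password that still protects at least one retained shard copy."""
    exposed = set()
    for policy in shards.values():
        for snap in retained_snapshots(today, **policy):
            label = password_at(history, snap)
            if label is not None:
                exposed.add(label)
    return exposed
```

Because the metadata shard keeps 24 monthly copies, a leaked backup set still contains data encrypted under the weak first password, even though the user has since changed it twice.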

Secondly, the way the organisational information from the first breach provided the wedge to start the second breach illustrates perfectly what I mean when I warn about the danger of spear phishing. At a technological level, the two breaches were unrelated, but one did lead to the other in the sense that the first breach gave the attackers a good map of the people that make up the LastPass team and their roles within the organisation. That let the attackers choose their target wisely, and target them effectively.

Finally, this breach perfectly illustrates the importance of basic security hygiene — there was no spectacular zero-day exploit that required spectacular skill by the attackers, it was just the simple stuff that let the attackers get a toe in the door, and then slowly expand their footprint, mundane step by mundane step. Each single step was individually preventable, but protecting every device, every app, every user, and every system from every possible attack all the time is actually really difficult at scale!

The tools to protect from this type of attack are not rocket science, but they need to be procured, maintained, actively managed, supervised day-in-day-out, and regularly reviewed and updated. The only way to do that is to resource a dedicated security team well.

It’s really boring, but if you want to have effective cybersecurity defences you need to ensure you have:

  • The budget to pay for the best current tools, the outside experts to help configure them, and the staff to run them day-to-day.
  • Enough staff that they can spend a significant percentage of their time learning, both independently, and in more formal settings.
  • Enough of those well educated staff that they have time to dedicate to regularly reviewing and updating the organisation’s entire security infrastructure.

Cybersecurity evolves relentlessly, so you have to run to stand still!

To bring it back to LastPass, from my reading of both the incident reports, and their resulting changes, the impression I get is that in the lead up to the attacks they don’t seem to have had the resources to:

  1. Protect their staff’s devices (end-points in the jargon) adequately.
  2. Implement enough of the new Zero-trust principles (continuous identity verification, the principle of least privilege, and the assumption of breach).
  3. Actively watch out for unusual activity and trigger appropriate alerts (a mix of copious logging, the AI needed to digest it all, and the humans to investigate).

The silver lining is that ‘all’ organisations need to do is a good job of the boring basics!

Deep Dive 2 — Why Your iPhone Passcode REALLY Matters

Joanna Stern has done some excellent reporting that has rightly gotten a lot of coverage. She’s revealed how organised criminal gangs are managing to steal iPhones and deactivate activation lock without any kind of high-tech fancy-pants hackery.

We’ve seen anecdotes for some years now with people having their phones stolen and then finding themselves locked out of their iCloud accounts. We’ve never understood how that happened, but people made two inverse assumptions:

  1. These people must have used weak passwords so the bad guys just guessed (zero tech)
  2. The attackers had access to advanced hardware crackers like Grey Key (super-high tech)

Reality, it turns out, is much more banal — some years ago Apple added a feature to help people avoid getting locked out of their iCloud accounts, and as a result, simply watching someone type their simple iPhone PIN is all attackers need to take over an iCloud account, and hence disable activation lock.

The feature in question is iCloud password reset from a logged in device. If you have an Apple device and you are logged in to iCloud on that device, then that device is trusted, and can reset your iCloud password. The protection is your device’s own security, so for an iOS device, that means your unlock code, usually a 4 or 6 digit PIN.

Working as a team, the attackers shoulder-surf people unlocking their phones, then steal them. They now have the device and the PIN, so they can reset the Apple ID password and disable all protections. In the process, they lock the owner out of all their stuff!!!

Biometrics are no protection, because they are not required: as we all learned during COVID, when Face ID fails, the phone asks for your PIN and then lets you in.

The only answer is to remember to protect your phone’s code like you used to protect your PIN at ATM machines back when we used cash! Firstly, be discreet when entering it, but also consider making it harder to shoulder surf by switching to an alphanumeric code. Thanks to biometrics, you don’t have to enter the code often, so it’s not actually a big inconvenience to make it a password rather than a PIN!

Another tip that’s doing the rounds is enabling parental controls on your own phone so you need a separate second password to access the iCloud settings.

Links

Worthy Warnings

Notable News

  • Facebook announce a paid-for tier with account verification (actual identity checks requiring government ID), identity protection (protection from being impersonated on Facebook), and premium support for $11.99 per month — appleinsider.com/…
  • You can now buy a hardware AirTag detector — appleinsider.com/…
  • 🇺🇸 The Biden administration have published the US’s latest cybersecurity strategy (these have been a thing since shortly after 9-11) — krebsonsecurity.com/…
    • The administration want to work with congress to draft laws to remove blanket immunity through contract clauses and replace it with responsibilities for software and service vendors in combination with a safe harbour for those that meet a certain basic standard
    • China is now seen as the biggest threat to US cybersecurity (both public and private)
  • 1Password preview their upcoming support for Passkeys for vault unlocking (so zero password 🙂) — blog.1password.com/…

Palate Cleansers

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji meanings:

  • 🎧 A link to audio content, probably a podcast.
  • A call to action.
  • (country flag) The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
  • 📊 A link to graphical content, probably a chart, graph, or diagram.
  • 🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
  • 💵 A link to an article behind a paywall.
  • 📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
  • 🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.
