Skip to content
Salus Cyber

Salus News August 29th 2022

29 August 2022

LastPass Hacked Again

One of the world’s biggest password managers confirms it has been hacked again. With over 25 million users, is it time to change your passwords and find another way to store them? According to LastPass’s CEO Karim Toubba, the answer is no. In an email to its users, Toubba confirmed that the hack compromised some of the source code for LastPass, and that user accounts should be safe. Taking into consideration the zero-knowledge security model that LastPass uses, no one should have access to your master password or the data in your vault.

The LastPass website says, “To ensure only authorized access is granted to your vault, we use industry standard mechanisms, such as AES-256 encryption and PBKDF2 hashing, to keep your master password private”. If LastPass is following these industry standards and the master password has good strength, then this should keep a user’s account safe.

Toubba stated that “portions of source code and some proprietary LastPass technical information” had been taken and that they have contained the breach with no further malicious activity. Karim also noted there was no evidence of customer data or the encrypted password vaults being accessed.

This is not the first time LastPass has been in the news, with an incident back in July 2015 where suspicious activity was found on their network, but similarly found no evidence of user vault data being taken or user account data being accessed. In December 2021, some users were sent warnings of unauthorized logins to their LastPass, to which LastPass recommended users changed their master password as a precaution.

We quickly worked to investigate this activity and at this time we have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of this credential stuffing, nor have we found any indication that users’ LastPass credentials were harvested by malware, rogue browser extensions or phishing campaigns.

LastPass response to December 2021 potential security incident

None of the above incidents have involved user data being harvested, according to LastPass but it would still be advisable to enable MFA (Multi Factor Authentication) to harden your account against potential hacks in the future.

LastPass state that they are always updating their procedures and code to protect users and passwords, so far, and have implemented data breach monitoring, where the dark web is monitored, and users are notified if their data is compromised and found. Monitoring is now built into the software’s dashboard. LastPass also offers a bug bounty program for any potential security issues, so vulnerabilities can be fixed quickly and LastPass prides itself with updating its customers “with the transparency they deserve.”

Despite the increased frequency of these attempts, it is still better to use a password management system and be more secure than using the same password for multiple accounts.

References

LastPass was hacked — again | ZDNET
LastPass Hacked: Password Manager With 25 Million Users Confirms Breach | Forbes


Ransomware Payment Ban

US States Say No to High-Tech Extortion?

With Ransomware continuing to be a destructive force against organisations worldwide, it is becoming more important than ever for action to be taken to reduce the impact ransomware can have, and to deter malicious actors from exploiting organisations with ransomware. A controversial area of ransomware is if the ransom that malicious actors request should be paid in return for the data that was encrypted. Two US states have decided to ban the payment of ransoms in the latest attempt to discourage criminals. The idea behind banning these payments is that it will stop malicious actors from profiting from the attacks, which will ideally stop them from using ransomware. The two states implementing this are North Carolina and Florida. North Carolina’s law stipulates that state, local government agencies, public schools, community colleges, and universities must not pay any ransoms. Instead, all victims must rapidly report such attacks to the states IT department and consult with them. An additional part of the law also makes it illegal to communicate with the malicious actors. Florida however has taken a different approach where they do allow the victims of such attacks to communicate with the attackers to try and gain a better understanding of what data may have been stolen. They also allow the education sector to pay ransoms. Other states such as Pennsylvania are also currently planning to implement similar laws.

Will This be Effective?

While the idea behind not paying ransoms may be a valid move and ultimately should be the end goal, Alan Brill, a senior marketing director in the cyber risk practice, has claimed that this may cause more damage than it does good. One such example of this would be when Baltimore decided that it was not going to pay their ransom, and instead ended up spending millions to recreate and restore the affected data. However, it should be noted that paying the ransom to receive a decrypter does not guarantee that the malicious actors will hold up their end of the deal. Equally, organisations choosing not to pay the ransom and instead rebuilding should end up with better systems and infrastructure in place to deal with further ransomware in the future. Brill has also claimed that banning negotiations with the attackers will end up being counterproductive. Having worked regularly with victims of ransomware to help them recover, Brill states that negotiating with the attackers may help the victims identify what exactly has been stolen and what has been encrypted.

Conclusion

Overall, when it comes to ransomware, there is no one size fits all answer. It is most likely that these bans will not deter malicious actors from still performing ransomware. Malicious actors will likely investigate other methods of profiting from the stolen data and alternatively only target sectors which can pay. This could be potentially dangerous as it paints a bigger target on those sectors.

References

As States Ban Ransom Payments, What Could Possibly Go Wrong? | Data Breach Today