LastPass gets hacked
As many of you are already aware, LastPass recently confirmed in a tweet that they had “detected unusual activity within portions of the LastPass Development environment…”. Whilst LastPass will take great pains to point out that no customer data was directly stolen, I’m still very surprised at how well they have managed to contain the fallout.
It seems they have neatly skirted the real issue, and the market has graciously let them get away with it… again.
Supply Chain Attacks
In a supply chain attack, “cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components.” How do you think those cybercriminals manage to “tamper” with the distribution of a product or service?
Yep, an incident like LastPass’s, where they “discovered” that an unauthorised party had stolen portions of the source code and some proprietary technical information, is often the start of an attack, not the finish.
Also keep in mind IBM’s report, which puts the average time from breach to containment at 287 days. LastPass discovered the breach after detecting unusual activity in early August. So how long had the attackers already been inside their systems? How long have they had to plan and execute a variety of actions: theft, infiltration, vulnerability research? Can LastPass guarantee their platform isn’t already compromised? Can they guarantee that these recent actions will not result in further attacks and vulnerabilities?
I’m not going to suggest this means LastPass WILL be breached in a Supply Chain Attack. I’m hopeful they have managed to detect all activity, close immediate vulnerabilities and redesign their systems to block attacks that may only be in the planning stage - using an unknown vulnerability that has only just been spotted by the attackers. Of course that sounds almost impossible to guard against and it is. So we have a big problem.
Let’s not bandy words here: we’ve seen numerous direct and indirect attacks against every password manager under the sun.
THEY WILL CONTINUE.
The problem with single knowledge factor authentication
Aggregating a single knowledge factor authenticator (the password) in one place is fundamentally madness, no matter what bells and whistles you put on it. You can try to improve the security of the password and make it more usable, but in doing so you create a single point whose compromise exposes every user at once, and, for any one user, every service they log into. Convenience and operational efficiency should not come at the expense of security.
Password managers are a high-value target for attackers and will always remain one. They are fundamentally unsafe, and they expose every participant to mass exploitation.
Hopefully that is clear enough, but judging from the recent response by the press and industry, I think that message is far from understood.
Of course I could go on about MIRACL’s systems (passwordless, zero-knowledge proof, no client data, so nothing to attack or lose), but I don’t want to provide a solution and take away from the real problem…
Why have security professionals, tasked with protecting their users and systems, closed their eyes in the interests of an easy life instead of calling out password managers for what they are: the Emperor’s New Clothes?