Posted on Jun 17, 2015
Our Chief of Research, Alex Heid, was interviewed yesterday by Business Insider on the LastPass breach that the company announced earlier in the week. Heid told the business website that there is evidence that LastPass had been probed by a hacker over two years ago, in September of 2013. The publication, however, gave more emphasis to Heid's statement questioning the practice of entering passwords in the cloud to obtain encryption keys.
The real take-home, however, isn’t necessarily that LastPass has been targeted for years now, said Heid. Instead it’s that offering a supposedly secure service that stores private keys on public clouds is a 'counter intuitive idea.' ... He (along with many other experts) recommends that people use password manager solutions that allow people to store their private key information locally.
The question of whether LastPass and other online password management services similar to it are secure enough for the general population is a topic that has been often discussed and debated. Companies like LastPass are, in fact, raising the awareness bar for the use of encryption with passwords for users who want deeper protection. Transmitting secure communications is a very complex issue for mass consumer and employee use.
Storage in the public cloud is a risk factor, as is having one central master password for access to all the passwords. When combined with multi-factor authentication, password management tools can be effective against password theft, but as Heid pointed out, the risks may be better mitigated by keeping encryption keys in local storage rather than in the cloud.
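To make the distinction concrete, here is an added example (not LastPass's code, and not a description of its actual protocol) of a hypothetical client-side scheme in which the encryption key is derived from the master password on the user's device and never leaves it: the cloud only ever receives a one-way login token and an encrypted vault blob. The names (`derive_keys`, `CloudServer`, etc.) and the iteration counts are constructed for this demonstration, and the HMAC-based stream cipher is a standard-library stand-in used so the example runs offline; a production vault would use an authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import os

# Constructed parameters for the demo, not a real product's settings.
KDF_ITERATIONS = 100_000   # client-side PBKDF2 work factor
SERVER_ITERATIONS = 10_000  # server re-hashes the login token before storing it


def derive_keys(master_password: str, email: str, iterations: int = KDF_ITERATIONS):
    """Derive both secrets on the client. Only login_token is ever sent anywhere.

    enc_key   - protects the vault; stays on the device.
    login_token - one further one-way step from enc_key, so a server that
                  stores or leaks it still cannot recover enc_key.
    """
    enc_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, 32
    )
    login_token = hashlib.pbkdf2_hmac("sha256", enc_key, master_password.encode(), 1, 32)
    return enc_key, login_token


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for a real stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(enc_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with separate keys split off from enc_key."""
    stream_key = hmac.new(enc_key, b"stream", hashlib.sha256).digest()
    mac_key = hmac.new(enc_key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(stream_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(enc_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; reject tampered blobs."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    stream_key = hmac.new(enc_key, b"stream", hashlib.sha256).digest()
    mac_key = hmac.new(enc_key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(stream_key, nonce, len(ct))))


class CloudServer:
    """The 'public cloud' side: stores a salted verifier of the login token and the opaque blob."""

    def __init__(self):
        self.accounts = {}

    def _verifier(self, login_token: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", login_token, salt, SERVER_ITERATIONS, 32)

    def register(self, email: str, login_token: bytes, blob: bytes) -> None:
        salt = os.urandom(16)
        self.accounts[email] = {
            "salt": salt,
            "verifier": self._verifier(login_token, salt),
            "blob": blob,
        }

    def login(self, email: str, login_token: bytes):
        """Return the encrypted blob on success, None otherwise. The server never sees enc_key."""
        acct = self.accounts.get(email)
        if acct is None:
            return None
        if hmac.compare_digest(self._verifier(login_token, acct["salt"]), acct["verifier"]):
            return acct["blob"]
        return None


def server_holds(server: CloudServer, secret: bytes) -> bool:
    """Audit helper: does the secret appear verbatim anywhere in what the server stores?"""
    return any(secret in value for acct in server.accounts.values() for value in acct.values())


if __name__ == "__main__":
    enc_key, token = derive_keys("correct horse battery staple", "alice@example.com")
    server = CloudServer()
    server.register("alice@example.com", token, encrypt_vault(enc_key, b'{"example.com": "hunter2"}'))
    print("server holds enc_key:", server_holds(server, enc_key))
    print(decrypt_vault(enc_key, server.login("alice@example.com", token)))
```

The point the example makes is the one Heid raises: with this split, a compromise of the cloud side yields only ciphertext and a salted verifier, and the attacker is pushed back to offline guessing against the master password, which is why the work factor and multi-factor authentication still matter.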
Researchers have found flaws with web-based password managers in the recent past. Last year, University of California at Berkeley security researchers published a paper entitled "The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers" and had this to say:
Our attacks are severe: in four out of the five password managers we studied, an attacker can learn a user’s credentials for arbitrary websites. We find vulnerabilities in diverse features like one-time passwords, bookmarklets, and shared passwords. The root-causes of the vulnerabilities are also diverse: ranging from logic and authorization mistakes to misunderstandings about the web security model, in addition to the typical vulnerabilities like CSRF and XSS.
LastPass told Business Insider that it disputes having been probed for SQL injection (SQLi), but according to Heid the evidence is clear. Business Insider wrote:
We asked Heid about the Pastebin in question. He wrote in an email, "that pastebin list is a list of websites that were possibly vulnerable to both sqli and xss... [LastPass is] disputing their original vulnerability but it's pretty cut and dry: H-00p the hacker was probing many sites, they were one of them."