Posted on Jun 17, 2015

SecurityScorecard CRO Talks LastPass Hack in Business Insider

We Monitor Hacker Chatter in Our Platform

Our Chief of Research, Alex Heid, was interviewed yesterday by Business Insider about the LastPass breach that the company announced earlier in the week. Heid told the publication that there is evidence LastPass was probed by a hacker nearly two years ago, in September 2013. The publication, however, gave more emphasis to Heid's point about the risk of a cloud service holding the private keys that protect its users' passwords.

The real take home, however, isn’t necessarily that LastPass has been targeted for years now, said Heid. Instead it’s that offering a supposedly secure service that stores private keys on public clouds is a 'counter intuitive idea.' ... He (along with many other experts) recommends that people use password manager solutions that allow people to store their private key information locally.

Are Online Password Managers Secure Enough for You?

Whether LastPass and similar online password management services are secure enough for the general population has been discussed and debated often. Companies like LastPass are, in fact, raising awareness of encryption among users who want stronger protection for their passwords. Getting secure storage and transmission of credentials right at mass consumer and employee scale is a very complex problem.

Storage in the public cloud is a risk factor, as is having one central master password that unlocks every other password. Combined with multi-factor authentication, password management tools can be effective against password theft, but multi-factor authentication protects the login, not a copy of the provider's records: an attacker who has stolen those records can guess at the master password offline, and if the vault's encryption key is derived from that same password, recovering it exposes every stored credential. As Heid pointed out, the risk may be better mitigated by keeping encryption keys in local storage rather than in the cloud.
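To make that trade-off concrete, here is an added toy model of a cloud password manager's enrollment record and of what an attacker who steals that record can do offline. It is example code written for this page, not LastPass's or any vendor's actual scheme: the PBKDF2 layout, the iteration counts, the e-mail addresses and the wordlist are all assumptions. The two variants compare a vault key derived from the master password with a random key that is generated and kept only on the client.

```python
"""Toy model of a cloud password manager's enrollment record and of what an
attacker who steals that record can do offline. Added example; the KDF layout,
iteration counts, e-mail addresses and wordlist are all assumptions, not any
vendor's real design."""
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Deliberately low so the demo runs in well under a second; real services use
# far more. The attacker's cost per guess scales linearly with these numbers.
CLIENT_ITERATIONS = 2_000
SERVER_ITERATIONS = 500

# Constructed wordlist standing in for the attacker's dictionary.
WORDLIST = ["123456", "letmein", "Password1", "qwerty2014", "correct horse"]


def kdf(secret: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256, the only primitive this model needs."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=32)


def client_auth_hash(master_password: str, email: str, key_from_master: bool) -> bytes:
    """What the client sends at login.

    key_from_master=True: one master password both derives the vault key and
    authenticates; the login value is one more KDF round over the vault key so
    the server never receives the key itself.
    key_from_master=False: the vault key is a random value kept only on the
    client; the master password is used for login alone."""
    pw = master_password.encode()
    if key_from_master:
        vault_key = kdf(pw, email.lower().encode(), CLIENT_ITERATIONS)
        return kdf(vault_key, pw, 1)
    return kdf(pw, email.lower().encode(), CLIENT_ITERATIONS)


def server_store(auth_hash: bytes, salt: bytes) -> bytes:
    """Server side: salt and stretch the received value again before storing it."""
    return kdf(auth_hash, salt, SERVER_ITERATIONS)


def enroll(email: str, master_password: str, key_from_master: bool = True) -> Tuple[dict, bytes]:
    """Return (the record the cloud service stores, the vault key the client keeps)."""
    if key_from_master:
        vault_key = kdf(master_password.encode(), email.lower().encode(), CLIENT_ITERATIONS)
    else:
        vault_key = os.urandom(32)  # generated locally, never transmitted
    salt = os.urandom(16)
    record = {
        "email": email,
        "salt": salt,
        "hash": server_store(client_auth_hash(master_password, email, key_from_master), salt),
        "key_from_master": key_from_master,  # the design is public, so the attacker knows it
    }
    return record, vault_key


def offline_guess(record: dict, wordlist: Iterable[str]) -> Optional[str]:
    """Attacker holding a stolen record: no rate limit and no MFA challenge stand
    in the way; each guess costs only the client-side plus server-side KDF work."""
    for candidate in wordlist:
        guess = server_store(client_auth_hash(candidate, record["email"], record["key_from_master"]), record["salt"])
        if hmac.compare_digest(guess, record["hash"]):
            return candidate
    return None


def vault_key_after_breach(record: dict, wordlist: Iterable[str]) -> Optional[bytes]:
    """What the stolen record alone reveals about the key that protects the vault."""
    password = offline_guess(record, wordlist)
    if password is None or not record["key_from_master"]:
        return None  # guess failed, or the key was never derivable from the password
    return kdf(password.encode(), record["email"].lower().encode(), CLIENT_ITERATIONS)


if __name__ == "__main__":
    for email, password, from_master in [
        ("alice@example.com", "Password1", True),   # weak master password, key derived from it
        ("bob@example.com", "Password1", False),    # same weak password, random local key
        ("carol@example.com", "grievous-moss-tundra-9931", True),  # strong passphrase
    ]:
        record, real_key = enroll(email, password, from_master)
        recovered = offline_guess(record, WORDLIST)
        leaked_key = vault_key_after_breach(record, WORDLIST)
        print(f"{email}: master password recovered={recovered!r}, vault key exposed={leaked_key == real_key}")
```

Running it shows the three outcomes the paragraph above describes: a weak master password is recovered from the stolen record whether or not the key is derived from it, but only in the derived-key design does that recovery also hand over the vault key; a random key held locally is untouched by the breach, which is the "local storage for encryption keys" Heid recommends. Multi-factor authentication never enters the offline loop, since the attacker is not talking to the login endpoint. Raising the iteration counts (or using a memory-hard KDF) only slows the loop down; it does not change which design leaks the key.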

Researchers have found flaws in web-based password managers in the recent past. Last year, security researchers at the University of California, Berkeley published a paper entitled "The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers" and had this to say:

Our attacks are severe: in four out of the five password managers we studied, an attacker can learn a user’s credentials for arbitrary websites. We find vulnerabilities in diverse features like one-time passwords, bookmarklets, and shared passwords. The root-causes of the vulnerabilities are also diverse: ranging from logic and authorization mistakes to misunderstandings about the web security model, in addition to the typical vulnerabilities like CSRF and XSS.

LastPass told Business Insider that it disputes having been probed for SQL injection (SQLi), but according to Heid the evidence is clear. Business Insider wrote:

We asked Heid about the Pastebin in question. He wrote in an email, "that pastebin list is a list of websites that were possibly vulnerable to both sqli and xss... [LastPass is] disputing their original vulnerability but it's pretty cut and dry: H-00p the hacker was probing many sites, they were one of them."

Read the full story here: http://www.businessinsider.com/security-expert-describes-lastpass-vulnerabilities-posted-to-pastebin-in-2013-2015-6#ixzz3dR7yh6Fy
