LastPass Users Vulnerable to Devastating Phishing Attack

ClockWatcher
People using LastPass to manage their financial passwords now have a new concern: a devastating phishing attack. LastPass has not been "hacked," but because it displays messages within the browser, as a webpage, these messages can be faked with pixel-for-pixel exactness, allowing even a normally cautious user's master password and two-factor authentication to be compromised. This is possible because of the way the LastPass interface has been designed. At a conference yesterday, Sean Cassidy, CTO of Praesidio, demonstrated such a phishing attack, and then posted instructions to replicate it on GitHub, under the name "LostPass":

https://github.com/cxxr/lostpass

You can read more about how it works at Mr. Cassidy's blog:

https://www.seancassidy.me/lostpass.html

For a less technical discussion, here are two news articles that have been published:

LastPass has serious flaw called 'LostPass' -- your passwords and more are at risk

ShmooCon: LastPass design elements create perfect Phishing opportunity | CSO Online

Mr. Cassidy did contact LastPass, who subsequently issued an update, but he suggests that their patch has in some ways made things worse. The alert that was implemented now confirms to the attacker that the user ID and password are valid. :facepalm:

Here are the suggestions that Mr. Cassidy posted in his blog for users while they wait for LastPass to roll out better user protections:

• Ignore notifications in the browser window
• Enable IP restriction (only available to paid plans)
• Disable mobile login (although other attacks could use non-mobile API)
• Log all logins and failures
• Inform your employees of this potential attack

For those considering alternative password managers, he recommends:

• Browser extensions are riskier than native applications
• An API makes it easier to steal a lot of data
• Store only frequently used and low risk data in a password manager

:(
 
Thanks for posting this.

There was a kerfuffle online among users when LastPass was sold to another company a few months ago.

Would LastPass be safeguarded if it lived on a USB device and you only logged on when you knew you were the one initiating things?

So - to the ER forum - do you care to post about your choice of password keeper, your password strategy and how secure it is?

Shall we go back to the little pieces of paper hidden under our keyboards or the Post-It notes stuck to the edge of the screen?
 
Maybe I don't understand the problem here but it seems there is a simple solution for Lastpass users:
Train yourself to never click on a link that is presented to you or anything like a presentation in a browser window. This is the same as email good practice, i.e. go to the source you know to be safe rather than a possibly compromised window or link.

That means for Lastpass if you think you need to login, click the Lastpass icon on your toolbar (for Firefox anyway) or click on the Lastpass icon on your phone.

Does this sound right? I'm no security expert but am a bit paranoid about security.
 
This is good info. I agree that this Phishing attack can work, but it doesn't mesh with how I use Lastpass. It would require me to visit a website with malicious code installed. Almost all of the sites I visit I either launch from Lastpass or visit directly. The only case where I could have a problem is if I mistype a website address, which is unlikely. And even in that case I think I'd suspect something odd.

Plus, as an additional step, I also have two-factor authentication set up for all my important accounts. This means that even if Lastpass is hacked, I still have an added layer of protection. This is important since I assume that Lastpass (or any password repository) is not 100% secure.

I'm glad you posted this. It'll definitely make me more cautious on how/where I enter my Lastpass master password. From now on, I'll only do this through their extension. I'm also going to check if I can enable e-mails for login attempts or anything else that will tell me when my account is accessed.
 
I use keepass on a thumb drive. I recently purchased a wireless one for occasional tablet use. I back up to another thumb drive. Not as convenient but I think safer than cloud. And, if my computer is stolen or breaks, I have my passwords.
 
Thanks for the update.

I wonder that if instead of worrying about encrypting everything, the security experts should be finding ways to make sure these fake sites are much harder to create.

“I think that the security industry's view of Phishing is naive at best, negligent at worst. Phishing is the most dominant attack vector and is used by everyone from run-of-the-mill CryptoLocker types to APTs,” Cassidy wrote.
“The real solution is designing software to be Phishing resistant. Just like we have anti-exploitation techniques, we need anti-Phishing techniques built into more software. Software security evaluations should also include how easy it is to Phish said software.”
 
...
Plus, as an additional step, I also have two-factor authentication set up for all my important accounts. This means that even if Lastpass is hacked, I still have an added layer of protection. This is important since I assume that Lastpass (or any password repository) is not 100% secure.
...
Good point about 2FA. My 2FA accounts ask for authentication should a user login from another computer. They could be set up to require 2FA from any computer but that means it is not as convenient.
 
I use keepass on a thumb drive. I recently purchased a wireless one for occasional tablet use. I back up to another thumb drive. Not as convenient but I think safer than cloud. And, if my computer is stolen or breaks, I have my passwords.

This. Exactly.

Of course LastPass had something nasty happen. It was only a matter of time. It's a hacker's paradise. I've said it before: my brother has worked with the cloud since its inception including security and has warned it is not at all as secure as the public has been led to believe. Ask anyone who works with it. Nothing in the cloud is safe.
 
From what I understand LastPass security was not breached. Rather, LastPass users were tricked into revealing sensitive information. I am not sure what LastPass or any others can do about that. Even if you have all your passwords only on hard copy and locked securely away, if a criminal tricks you into typing it into a computer, they have it.

Tricking and fooling people into revealing sensitive information has nothing to do with whether or not it is in the cloud.

That said, I agree that all is not as safe as we are led to believe. These boys and girls have got to get a handle on this, or we will all be going back to spending cash at brick and mortar stores.
 
...
Tricking and fooling people into revealing sensitive information has nothing to do with whether or not it is in the cloud.

...
I agree. Just today I was ready to do a sales tax return for DW. The email from the state of California had a link to their site. It did go to what appeared to be a legitimate login page. I did not use that page.

That is a terrible practice on their part...I think. They should require me to look up the link in a reliable browser. Or can I totally rely on the Google browser link to bring up the .gov site safely? I hope so. Anyway, that is how I got to the login page.

Then I look at my bank's email and there is a link to their login page. Then I look at Vanguard's email and another login page link.

Am I wrong about this?
 
From what I understand LastPass security was not breached. Rather, LastPass users were tricked into revealing sensitive information. I am not sure what LastPass or any others can do about that...

Here's what they can do/should have done:

Internet Safety: Protecting Your Financial Transactions

When is a website secure for financial transactions?

Before sending any sensitive or financial information online, you want to know that you are communicating with a secure site. Secure sites make sure all information you send is encrypted—or protected—as it travels across the Web. The https address heading and your browser's security symbol are two signs indicating you are on a secure site.

Emphasis added.

On the prior LastPass breach:

Hack Brief: Password Manager LastPass Got Breached Hard | WIRED

Specifically:

On Monday password manager service LastPass admitted it had been the target of a hack that accessed its users’ email addresses, encrypted master passwords, and the reminder words and phrases that the service asks users to create for those master passwords.

How Serious Is This?

That depends. The severity of this latest LastPass’s hack—the first it’s experienced since it admitted to an earlier possible breach in 2011—is contingent on both the strength of a person’s master passwords and how long the breach went undetected. Given the encryption that LastPass describes, a strong, truly random master password is likely safe, says Joseph Bonneau, a Stanford cryptography researcher who’s focused on password security.

But “this is still pretty bad,” says Bonneau, particularly for users with weak passwords that are vulnerable to guessing. “If they can brute force any master passwords, the attackers could extract password vaults and decrypt them for lots of users or some high value targets.”

Emphasis added.

It happened before. It will happen again. Here's what dedicated, persistent hackers are capable of:

Hackers Breach FBI-Run Site, Email Account of Top Bureau Official

Beware the cloud.
 
I use keePass as it resides local so no browser to interact with. I can put copies on thumbdrives or other laptops to take with me.

It works in Windows/Linux/ etc.

When I put it on a laptop, I put the encrypted password file within a truecrypt-encrypted file, so if I lose the laptop, it's going to take the bad guys a long, long time to crack it.
 
If a person uses weak passwords that are vulnerable to clever guessing or brute force attacks, not much is going to help. Criminals won't need a password manager, clever fake emails or other tricks. Using a weak password is basically tricking oneself. Not so good.
 
Unfortunately, KeePass has been hit, too:

Hacking tool swipes encrypted credentials from password manager | Ars Technica

OTOH:

In fairness to KeePass developers, they have long warned users that no password manager can secure passwords on a compromised computer...

There's no doubt that password managers represent a single point of failure that could be catastrophic. Still, on the whole, they provide more benefit than risk when used correctly.

Emphasis added.

IMO, the chances of an individual computer being compromised (particularly with proper safeguards employed) are far lower versus that same information stored in the cloud (cloud PM's, by their very nature, represent a single source jackpot for hackers).

While I was working for a very well-known organization, IT showed me a computer screen of the globe, providing a live, multi-colored display of the number of by-the-second attempted breach attacks from all over the world on our organization (that IT was defending against, of course). It looked like a scene out of the movie "War Games". How could such a rich bounty target as LastPass not be under these same constant attack attempts? Why take the chance that one will eventually succeed, particularly since one already has.
 
They should require me to look up the link in a reliable browser.

Some people get it. I've always appreciated this note that appears on the email I get from a credit union:

Notice: To help protect members from potential phishing attempts, Wright-Patt Credit Union does not provide direct links to our website in your eStatement notification. To access your most recent eStatement and copy of WPCU's Privacy Policy, please visit Wright-Patt Credit Union's website and enter your username and password in the member login area at the top of the page. Then click on eStatements from the Additional Services menu bar.
 
I just started using SplashID Safe and only use it from their app, I DO NOT use it from a webpage. It updates my 2 smartphones and 2 MacBooks nicely.
 
I've been meaning to ask the software gurus here - Even if a piece of software runs locally, how do you know that it doesn't call home and share a session?
 
I've been meaning to ask the software gurus here - Even if a piece of software runs locally, how do you know that it doesn't call home and share a session?


Look into network monitoring software. It will show ports opening. Can do this in other ways, like watch your router's log.
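One concrete way to do the check the reply above describes, as an added example that is not part of the thread: on Linux, `ss -tnp` (from iproute2) lists TCP sockets together with the owning process, so filtering that output for your password manager's process name shows whether it has any established connection to a remote host. The `ss` output below is a constructed sample so the script runs offline; the process names, PIDs and addresses in it are illustrative. On macOS the equivalent raw data comes from `lsof -i -nP`, which needs a different column layout than the one parsed here.

```shell
#!/bin/sh
# Added example (not from the thread): given the output of `ss -tnp`
# (Linux, iproute2), print the remote endpoint of every established TCP
# connection owned by a named process. Run it while a "local-only"
# password manager is open; an empty result means that process held no
# outbound TCP connection at that moment. Repeat it over time, and note
# that a sync or update helper may run as a separate process.

# conns_for_process NAME  <  ss-output
# `ss -tnp` columns: State Recv-Q Send-Q Local Peer Process, where the
# Process column looks like users:(("firefox",pid=1111,fd=80)).
# Only ESTAB rows count; the quotes around the name avoid matching
# "keepassxc" when asked about "keepass".
conns_for_process() {
    awk -v p="$1" '
        $1 == "ESTAB" && index($0, "\"" p "\"") { print $5 }
    '
}

# Constructed sample of `ss -tnp` output, so the script runs offline.
SAMPLE='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB  0      0      192.168.1.10:51234   203.0.113.7:443     users:(("keepass",pid=4242,fd=21))
ESTAB  0      0      192.168.1.10:51235   198.51.100.20:443   users:(("firefox",pid=1111,fd=80))
ESTAB  0      0      192.168.1.10:51236   198.51.100.21:443   users:(("firefox",pid=1111,fd=81))
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*           users:(("sshd",pid=900,fd=3))'

# Run the filter over the constructed sample.
sample_conns() {
    printf '%s\n' "$SAMPLE" | conns_for_process "$1"
}

# Run the filter against the live socket table (Linux with iproute2;
# run as root to see process names for other users' sockets).
live_conns() {
    ss -tnp 2>/dev/null | conns_for_process "$1"
}

# Usage: sh watch_conns.sh keepass
if [ -n "$1" ]; then
    live_conns "$1"
fi
```

In the sample, the process named keepass has one established connection (to 203.0.113.7:443), firefox has two, and sshd only a listening socket, so it is reported as having none. Seeing a remote address answers only "did it connect"; what was sent is a separate question, and a process can still leak through another process (a browser extension, a sync daemon) that this filter attributes to that other name.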
 
After reading this, I checked out Sean Cassidy's page and then dug a little bit more into the preferences and tools on LastPass. There are a few other recommendations I gleaned from the various places that weren't specifically mentioned:

- Use Firefox. It's tougher to spoof, though not impossible, since it uses operating system looks/feels instead of browser-specific ones. While code could probably determine which OS you're on and spoof it, it's a more complex problem. (This is all about being a harder target for this stuff.)

- Inside LastPass, you have the option to turn off all notifications in the browser bar, thus if you turn them off (uncheck them all under preferences), and something pops as a notification, you know it's bogus.

- Only access and/or log in to LastPass using the button on your browser, not through a website.
 
...
- Inside LastPass, you have the option to turn off all notifications in the browser bar, thus if you turn them off (uncheck them all under preferences), and something pops as a notification, you know it's bogus.
Wouldn't this mean that LastPass cannot ask you if you want to include a recent new login/pw in your LastPass account? In Firefox one gets a green strip across the top of the window asking if you want to include the most recent new login/pw. This is very convenient and I do not think it is a security issue.
- Only access and/or log in to LastPass using the button on your browser, not through a website.
If you did this as a practice, then maybe the change to preferences would not be necessary?
 
Wouldn't this mean that LastPass cannot ask you if you want to include a recent new login/pw in your LastPass account? In Firefox one gets a green strip across the top of the window asking if you want to include the most recent new login/pw. This is very convenient and I do not think it is a security issue.

Yes, I believe this is correct, you have to add new sites manually. The convenience of that strip plays into the hackers' hands as it can apparently be "spoofed".
 
- Only access and/or log in to LastPass using the button on your browser, not through a website.


This is what I will make sure to do going forward. I appreciate threads like this because they remind me not be lazy, especially when entering passwords.

In practice, I rarely enter my Lastpass password. On my PC it stays logged in and on my iOS devices I use Touch ID. I do this so infrequently that at one point I was logged out and couldn't remember my password. I eventually figured it out (thankfully), but it had me worried for a bit.
 
Yes, I believe this is correct, you have to add new sites manually. The convenience of that strip plays into the hackers' hands as it can apparently be "spoofed".


Exactly. That handy notification banner is an example of what this guy is talking about spoofing, except it is a login notification. That means by turning all notification banners off, anything that pops up isn't from last pass. I'd rather click once or twice more and have the added security, personally.
 