Join Early Retirement Today
Reply
 
Thread Tools Search this Thread Display Modes
LastPass Users Vulnerable to Devastating Phishing Attack
Old 01-17-2016, 04:43 AM   #1
Dryer sheet aficionado
 
Join Date: Apr 2013
Posts: 43
LastPass Users Vulnerable to Devastating Phishing Attack

People using LastPass to manage their financial passwords now have a new concern: a devastating phishing attack. LastPass has not been "hacked," but because it displays messages within the browser, as a webpage, these messages can be faked with pixel to pixel exactness allowing even a normally cautious user's master password and even two-factor authentication to be compromised. These are possible due to the way in which the LastPass interface has been designed. At a conference yesterday, Sean Cassidy, CTO of Praesidio demonstrated such a phishing attack, and then posted instructions to replicate it in Github, under the name "LostPass":

https://github.com/cxxr/lostpass

You can read more about how it works at Mr. Cassidy's blog:

https://www.seancassidy.me/lostpass.html

For a less technical discussion, here are two news articles that have been published:

LastPass has serious flaw called 'LostPass' -- your passwords and more are at risk

ShmooCon: LastPass design elements create perfect Phishing opportunity | CSO Online

Mr. Cassidy did contact LastPass, who subsequently issued an update, but he suggests that their patch has in some ways made things worse. The alert that was implemented now confirms to the attacker that the user ID and password are valid.

Here are the suggestions that Mr. Cassidy posted in his blog for users while they wait for LastPass can roll out better user protections:

Ignore notifications in the browser window
Enable IP restriction (only available to paid plans)
Disable mobile login (although other attacks could use non-mobile API)
Log all logins and failures
Inform your employees of this potential attack

For those considering alternative password managers, he recommends:

Browser extensions are riskier than native applications
An API makes it easier to steal a lot of data
Store only frequently used and low risk data in a password manager

__________________

__________________
Many people take no care of their money till they come nearly to the end of it, and others do just the same with their time. -- Johann Wolfgang von Goethe
ClockWatcher is offline   Reply With Quote
Join the #1 Early Retirement and Financial Independence Forum Today - It's Totally Free!

Are you planning to be financially independent as early as possible so you can live life on your own terms? Discuss successful investing strategies, asset allocation models, tax strategies and other related topics in our online forum community. Our members range from young folks just starting their journey to financial independence, military retirees and even multimillionaires. No matter where you fit in you'll find that Early-Retirement.org is a great community to join. Best of all it's totally FREE!

You are currently viewing our boards as a guest so you have limited access to our community. Please take the time to register and you will gain a lot of great new features including; the ability to participate in discussions, network with our members, see fewer ads, upload photographs, create a retirement blog, send private messages and so much, much more!

Old 01-17-2016, 07:10 AM   #2
Full time employment: Posting here.
 
Join Date: Jan 2007
Posts: 854
Thanks for posting this.

There was a kerfuffle online among users when LastPass was sold to another company a few months ago.

Would LastPass be safeguarded if it lived on a USB device and you only logged on when you knew you were the one initiating things?

So - to the ER forum - do you care to post about your choice of password keeper, your password strategy and how secure it is?

Shall we go back to the little pieces of paper hidden under our keyboards or the Post-It notes stuck to the edge of the screen?
__________________

__________________
spncity is offline   Reply With Quote
Old 01-17-2016, 10:13 AM   #3
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Lsbcal's Avatar
 
Join Date: May 2006
Location: west coast, hi there!
Posts: 5,681
Maybe I don't understand the problem here but it seems there is a simple solution for Lastpass users:
Train yourself to never click on a link that is presented to you or anything like a presentation in a browser window. This is the same as email good practice i.e. go to the source you know to be safe rather then a possibly compromised window or link.

That means for Lastpass if you think you need to login, click the Lastpass icon on your toolbar (for Firefox anyway) or click on the Lastpass icon on your phone.

Does this sound right? I'm no security expert but am a bit paranoid about security.
__________________
Lsbcal is online now   Reply With Quote
Old 01-17-2016, 10:22 AM   #4
Full time employment: Posting here.
 
Join Date: Aug 2007
Posts: 892
This is good info. I agree that this Phishing attack can work, but it doesn't mesh with how I use Lastpass. It would require me to visit a website with malicious code installed. Almost all of the sites I visit I either launch from Lastpass or visit directly. The only case where I could have a problem is if I mistype a website address, which is unlikely. And even in that case I think I'd suspect something odd.

Plus, as an additional step, I also have two-factor authentication setup for all my important accounts. This means that even if Lastpass is hacked, I still have an added layer of protection. This is important since I assume that Lastpass (or any password repository) is not a 100% secure.

I'm glad you posted this. It'll definitely make me more cautious on how/where I enter my Lastpass master password. From now on, I'll only do this through their extension. I'm also going to check if I can enable e-mails for login attempts or anything else that will tell me when my account is accessed.
__________________
Eat, Drink and Be Merry.
tulak is online now   Reply With Quote
Old 01-17-2016, 10:31 AM   #5
Full time employment: Posting here.
 
Join Date: Jul 2011
Posts: 573
I use keepass on a thumb drive. I recently purchased a wireless one for occasional tablet use. I back-up to another thumb drive. Not as convenient but I think safer than cloud. And, if my computer is stolen or breaks, I have my passwords
__________________
davef is offline   Reply With Quote
Old 01-17-2016, 10:33 AM   #6
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Chuckanut's Avatar
 
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 6,329
Thanks for the update.

I wonder that if instead of worrying about encrypting everything, the security experts should be finding ways to make sure these fake sites are much harder to create.

Quote:
“I think that the security industry's view of Phishing is naive at best, negligent at worst. Phishing is the most dominant attack vector and is used by everyone from run-of-the-mill CryptoLocker types to APTs,” Cassidy wrote.
“The real solution is designing software to be Phishing resistant. Just like we have anti-exploitation techniques, we need anti-Phishing techniques built into more software. Software security evaluations should also include how easy it is to Phish said software.”
__________________
The worst decisions are usually made in times of anger and impatience.
Chuckanut is offline   Reply With Quote
Old 01-17-2016, 10:38 AM   #7
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Lsbcal's Avatar
 
Join Date: May 2006
Location: west coast, hi there!
Posts: 5,681
Quote:
Originally Posted by kiki View Post
...
Plus, as an additional step, I also have two-factor authentication setup for all my important accounts. This means that even if Lastpass is hacked, I still have an added layer of protection. This is important since I assume that Lastpass (or any password repository) is not a 100% secure.
...
Good point about 2FA. My 2FA accounts ask for authentication should a user login from another computer. They could be set up to require 2FA from any computer but that means it is not as convenient.
__________________
Lsbcal is online now   Reply With Quote
Old 01-17-2016, 02:19 PM   #8
Thinks s/he gets paid by the post
 
Join Date: Jan 2008
Posts: 1,495
Quote:
Originally Posted by davef View Post
I use keepass on a thumb drive. I recently purchased a wireless one for occasional tablet use. I back-up to another thumb drive. Not as convenient but I think safer than cloud. And, if my computer is stolen or breaks, I have my passwords
This. Exactly.

Of course LastPass had something nasty happen. It was only a matter of time. It's a hacker's paradise. I've said it before: my brother has worked with the cloud since its inception including security and has warned it is not at all as secure as the public has been led to believe. Ask anyone who works with it. Nothing in the cloud is safe.
__________________
Options is offline   Reply With Quote
Old 01-18-2016, 08:29 PM   #9
Thinks s/he gets paid by the post
 
Join Date: Jan 2008
Posts: 1,495
The hits just keep on coming...

TaxAct breached: Customer banking and Social Security information compromised - SC Magazine
__________________
Options is offline   Reply With Quote
Old 01-18-2016, 09:04 PM   #10
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Chuckanut's Avatar
 
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 6,329
From what I understand LastPass security was not breached. Rather, LastPass users were tricked into revealing sensitive information. I am not sure what LastPass or any others can do about that. Even if you have all your passwords only on hard copy and locked securely away, if a criminal tricks you into typing it into a computer, they have it.

Tricking and fooling people into revealing sensitive information has nothing to do with whether or not it is in the cloud.

That said, I agree that all is not as safe as we are lead to believe. These boys and girls have got to get a handle on this, or we will all be going back to spending cash at brick and mortar stores.
__________________
The worst decisions are usually made in times of anger and impatience.
Chuckanut is offline   Reply With Quote
Old 01-18-2016, 09:25 PM   #11
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Lsbcal's Avatar
 
Join Date: May 2006
Location: west coast, hi there!
Posts: 5,681
Quote:
Originally Posted by Chuckanut View Post
...
Tricking and fooling people into revealing sensitive information has nothing to do with whether or not it is in the cloud.

...
I agree. Just today I was ready to do a sales tax return for DW. The email from the state of California had a link to their site. It did go to what appeared to be a legitimate login page. I did not use that page.

That is a terrible practice on their part...I think. They should require me to look up the link in a reliable browser. Or can I totally rely on the Google browser link to bring up the .gov site safely? I hope so. Anyway, that is how I got to the login page.

Then I look at my bank's email and there is a link to their login page. Then I look at Vanguard's email and another login page link.

Am I wrong about this?
__________________
Lsbcal is online now   Reply With Quote
Old 01-18-2016, 09:38 PM   #12
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
audreyh1's Avatar
 
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 16,469
Quote:
Originally Posted by Options View Post
This deserves its own thread. Lots of taxAct users here.
__________________
Well, I thought I was retired. But it seems that now I'm working as a travel agent instead!
audreyh1 is online now   Reply With Quote
Old 01-18-2016, 10:07 PM   #13
Thinks s/he gets paid by the post
 
Join Date: Jan 2008
Posts: 1,495
Quote:
Originally Posted by Chuckanut View Post
From what I understand LastPass security was not breached. Rather, LastPass users were tricked into revealing sensitive information. I am not sure what LastPass or any others can do about that...
Here's what they can do/should have done:

Internet Safety: Protecting Your Financial Transactions

Quote:
When is a website secure for financial transactions?

Before sending any sensitive or financial information online, you want to know that you are communicating with a secure site. Secure sites make sure all information you send is encrypted—or protected—as it travels across the Web. The https address heading and your browser's security symbol are two signs indicating you are on a secure site.
Emphasis added.

On the prior LastPass breach:

Hack Brief: Password Manager LastPass Got Breached Hard | WIRED

Specifically:

Quote:
On Monday password manager service LastPass admitted it had been the target of a hack that accessed its users’ email addresses, encrypted master passwords, and the reminder words and phrases that the service asks users to create for those master passwords.

How Serious Is This?

That depends. The severity of this latest LastPass’s hack—the first it’s experienced since it admitted to an earlier possible breach in 2011—is contingent on both the strength of a person’s master passwords and how long the breach went undetected. Given the encryption that LastPass describes, a strong, truly random master password is likely safe, says Joseph Bonneau, a Stanford cryptography researcher who’s focused on password security.

But “this is still pretty bad,” says Bonneau, particularly for users with weak passwords that are vulnerable to guessing. “If they can brute force any master passwords, the attackers could extract password vaults and decrypt them for lots of users or some high value targets.”
Emphasis added.

It happened before. It will happen again. Here's what dedicated, persistent hackers are capable of:

Hackers Breach FBI-Run Site, Email Account of Top Bureau Official

Beware the cloud.
__________________
Options is offline   Reply With Quote
Old 01-18-2016, 10:08 PM   #14
Thinks s/he gets paid by the post
Sunset's Avatar
 
Join Date: Jul 2014
Location: Chicago
Posts: 4,727
I use keePass as it resides local so no browser to interact with. I can put copies on thumbdrives or other laptops to take with me.

It works in Windows/Linux/ etc.

When I put it on a laptop, I put the encrypted password file with a truecrypt encrypted file, so if I lose the laptop, it's going to take the bad guys a long long time to crack it.
__________________
Sunset is offline   Reply With Quote
LastPass Users Vulnerable to Devastating Phishing Attack
Old 01-18-2016, 10:21 PM   #15
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Chuckanut's Avatar
 
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 6,329
LastPass Users Vulnerable to Devastating Phishing Attack

If a person uses weak passwords that are vulnerable to clever guessing or brute force attacks, not much is going to help. Criminals won't need a password manager, clever fake emails or other tricks. Using a weak password is basically tricking oneself. Not so good.
__________________
The worst decisions are usually made in times of anger and impatience.
Chuckanut is offline   Reply With Quote
Old 01-18-2016, 10:22 PM   #16
Thinks s/he gets paid by the post
 
Join Date: Jan 2008
Posts: 1,495
Unfortunately, KeePass has been hit, too:

(Hacking tool swipes encrypted credentials from password manager | Ars Technica

OTOH:

Quote:
In fairness to KeePass developers, they have long warned users that no password manager can secure passwords on a compromised computer...

There's no doubt that password managers represent a single point of failure that could be catastrophic. Still, on the whole, they provide more benefit than risk when used correctly.
Emphasis added.

IMO, the chances of an individual computer being compromised (particularly with proper safeguards employed) are far lower versus that same information stored in the cloud (cloud PM's, by their very nature, represent a single source jackpot for hackers).

While I was working for a very well-known organization, IT showed me a computer screen of the globe, providing a live, multi-colored display of the number of by-the-second attempted breach attacks from all over the world on our organization (that IT was defending against, of course). It looked like a scene out of the movie "War Games". How could such a rich bounty target as LastPass not be under these same constant attack attempts? Why take the chance that one will eventually succeed, particularly since one already has.
__________________
Options is offline   Reply With Quote
Old 01-19-2016, 06:39 AM   #17
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
braumeister's Avatar
 
Join Date: Feb 2010
Location: Northern Kentucky
Posts: 8,599
Quote:
Originally Posted by Lsbcal View Post
They should require me to look up the link in a reliable browser.
Some people get it. I've always appreciated this note that appears on the email I get from a credit union:

Quote:
Notice: To help protect members from potential phishing attempts, Wright-Patt Credit Union does not provide direct links to our website in your eStatement notification. To access your most recent eStatement and copy of WPCU's Privacy Policy, please visit Wright-Patt Credit Union's website and enter your username and password in the member login area at the top of the page. Then click on eStatements from the Additional Services menu bar.
__________________
braumeister is offline   Reply With Quote
Old 01-19-2016, 08:34 AM   #18
Recycles dryer sheets
 
Join Date: Oct 2009
Posts: 420
I just started using SplashID Safe and only use it from their app, I DO NOT use it from a webpage. It updates my 2 smartphones and 2 MacBooks nicely.
__________________
You do not have a soul. You are a soul. You have a body.
folivier is offline   Reply With Quote
Old 01-19-2016, 09:32 AM   #19
Thinks s/he gets paid by the post
Tadpole's Avatar
 
Join Date: Jul 2004
Posts: 1,170
I've been meaning to ask the software gurus here - Even if a piece of software runs locally, how do you know that it doesn't call home and share a session?
__________________
Tadpole is offline   Reply With Quote
Old 01-19-2016, 09:38 AM   #20
Thinks s/he gets paid by the post
target2019's Avatar
 
Join Date: Dec 2008
Posts: 3,705
Quote:
Originally Posted by Tadpole View Post
I've been meaning to ask the software gurus here - Even if a piece of software runs locally, how do you know that it doesn't call home and share a session?

Look into network monitoring software. It will show ports opening. Can do this in other ways, like watch your router's log.
__________________

__________________
target2019 is offline   Reply With Quote
Reply

Tags
lastpass, password, phishing


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
LastPass hacked MichaelB Other topics 25 06-19-2015 01:54 PM
WSJ: 'Target' Funds Vulnerable to Rate Rise SumDay FIRE and Money 4 04-24-2013 06:19 PM
Heat Attack Grill Spokesman Dies of Heart Attack easysurfer Other topics 1 02-13-2013 04:55 AM
Potentially Devastating Social Security Offsets walkinwood FIRE and Money 12 11-09-2009 12:42 PM
Vulnerable Retiree Stories mickeyd FIRE and Money 7 12-21-2007 01:03 PM

 

 
All times are GMT -6. The time now is 11:27 AM.
 
Powered by vBulletin® Version 3.8.8 Beta 1
Copyright ©2000 - 2017, vBulletin Solutions, Inc.