Use a Password Mgr? Which One? Like It?

The media software package has been identified as Plex. I've not found details about the remote code execution vulnerability or whether it has been fixed.
 
IMO it's probably the case that there are only two types of password managers. Those that have been hacked and those that haven't been hacked yet. Remember that the most successful exploit is the one that is never detected and also that vendors are negatively motivated to disclose exploits that they detect.

If I wanted to use a PWM I would look for the one that kept the least amount of information in my customer record. I would also answer all challenge questions (mother maiden name, first grade school, etc.) with fake information and would not permit them to save my credit card information. Or maybe use a one-time CC number.
 
I use LastPass, updated all my passwords, and deleted sites I don't use. Instead of using the "launch" to get to the sites I use, I put the address in the address bar. A PNC security agent told me to do this but he was not big on any password manager. He said to clear all cookies and caches after each use. Nothing is completely safe on the internet. Hackers have been stealing SS #s for decades as well as Medicare information. CC #s are hacked almost daily.

A friend of mine did have $$ hacked from her checking/savings account when an alert blared on her computer one night saying her accounts are at risk. It gave her a phone number to call (this was not in an e-mail or text but flashed on her screen). She called the number and gave all her personal data to that person as "verification" it was her. She's a senior and trusted this message. It was a major mess that took weeks to clear up. The bank did honor her savings and covered the loss.

It's one thing when the scam is obvious. This was not obvious but I would not have called that number.
 
“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware,” LastPass officials wrote. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”

That's amazing. I wonder if Plex really needed to be on his home PC. BTW the Security Now #904 transcript previously mentioned is available. https://www.grc.com/sn/sn-904.pdf

From the above transcript: "Since LastPass was not encrypting our email addresses and website URLs, there was definite leakage of who we are and where we go and what we do, without any need to decrypt anything."

That allows for a lot of targeting! They apparently also recorded and did not encrypt the last used IP address, allowing a direct attack on the user's machine, searching for open ports with vulnerabilities. Plex is just one application that may be vulnerable. My understanding is that many IoT devices do the same.

Fortunately, I use KeePass rather than LastPass. I do use Plex (updated) so I'm still looking for whether the exploited vulnerability is a current vulnerability.

ETA: Thanks to RetMD21 for the link!
 