01-20-2016, 10:55 AM
#41
Thinks s/he gets paid by the post
Join Date: Aug 2011
Posts: 3,604
Quote:
Originally Posted by nash031
After reading this, I checked out Sean Cassidy's page and then dug a little bit more into the preferences and tools on LastPass. There are a few other recommendations I gleaned from the various places that weren't specifically mentioned:
- Only access and/or log in to LastPass using the button on your browser, not through a website.
|
This is exactly the opposite of my initial reaction after reading this thread.
My preference would be to only login from the Lastpass web site (after verifying the https security certificate is good). Isn't that the whole point behind secure web sites -- that you can trust they are who they say they are and not a man in the middle attack?
If I login via some other box that pops up, I am not sure who is serving up the box.
If someone can describe why using the plugin button on the browser bar to login vs using the field on the web page itself is preferable I may reconsider. But other than that I am sticking with https. It has been quite reliable over the years, other than the Heartbleed bug which was a failure of the openssl implementation.
-gauss
01-20-2016, 11:41 AM
#42
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: May 2006
Location: west coast, hi there!
Posts: 8,809
Quote:
Originally Posted by gauss
...
My preference would be to only login from the Lastpass web site (after verifying the https security certificate is good.) Isn't that the whole point behind secure web sites -- that you can trust they are who they say they are and not a man in the middle attack?...
|
The little button on the Firefox toolbar is there because I installed the Lastpass extension. I'm not sure it is easy to hack ... or is it?
What one sees is:
1) The button is black
2) Clicking on the button brings up a Lastpass popup with your email filled in
3) Enter the master password and the button turns red. You are ready to use your passwords.
I'm not sure what part of this process is hackable. Just thought I'd summarize what you think is not a good thing to do.
I guess what you are saying is, go to the bookmarked Lastpass site and login from that URL by clicking the Login. First make sure that the site URL contains something like: the little green lock and words like "Lastpass: (Marvasol, Inc) (US) https://Lastpass.com"
01-20-2016, 12:01 PM
#43
Thinks s/he gets paid by the post
Join Date: Jun 2013
Location: Bonita (San Diego)
Posts: 1,795
Quote:
Originally Posted by gauss
This is exactly the opposite of my initial reaction after reading this thread.
My preference would be to only login from the Lastpass web site (after verifying the https security certificate is good). Isn't that the whole point behind secure web sites -- that you can trust they are who they say they are and not a man in the middle attack?
If I login via some other box that pops up, I am not sure who is serving up the box.
If someone can describe why using the plugin button on the browser bar to login vs using the field on the web page itself is preferable I may reconsider. But other than that I am sticking with https. It has been quite reliable over the years, other than the Heartbleed bug which was a failure of the openssl implementation.
-gauss
|
I guess I should edit the point to read: "Only access LastPass either through the button on your browser (via the extension) -OR- directly through the website (type in the address) - NOT VIA A LINK."
Certainly, if you're typing https://lastpass.com into your browser, you're safe. Lostpass relies on either clicking a bogus login link in your notifications bar (turning off notifications fixes this since any notification you get is bogus) or another link which takes you to a bogus login page (standard phishing/spearphishing).
If you never login via a website, and only login via the browser extension button WHICH YOU CLICKED (not some popup that just happened), you're safe. The only circumstance where this wouldn't be true is if you installed a bogus extension not directly from LastPass, which seems unlikely and isn't exactly a new vulnerability. If you don't trust browser extensions at all, then that's a different matter altogether.
So, while I would agree that using the website directly is safe, I don't think you're correct that using the browser extension directly is unsafe, at least not any more unsafe than it was before "Lostpass".
__________________
"So we beat to our own drummer in the sun;
We ask for nobody's permission to run.
I just wanna live in a world like that;
Now I'm gonna live in a world like that!" - World Like That, O.A.R.
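The advice in this post is to trust only an address you typed yourself, not one reached through a link. As an added example (not code from the thread or from LastPass; the allowlist is constructed for illustration), here is a check that enforces that rule the way a browser sees it, with exact host matching, which is exactly where lookalike addresses fail:

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: the only host whose login page
# should ever receive the master password.
TRUSTED_LOGIN_HOSTS = {"lastpass.com"}


def is_trusted_login_url(url):
    """Return True only for an https URL whose host is exactly an allowlisted name.

    Exact matching is the point: "lastpass.com.evil.example" contains the real
    name but is a different host, and "https://lastpass.com@evil.example/" puts
    the real name in the userinfo part, which browsers discard when connecting.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False  # malformed URL (e.g. unbalanced IPv6 brackets)
    if parts.scheme.lower() != "https":
        return False  # plain http or a javascript:/data: link is never trusted
    if parts.username is not None or parts.password is not None:
        return False  # userinfo in a login URL is a classic disguise
    host = parts.hostname  # lower-cased, with userinfo and port already stripped
    if not host:
        return False
    return host.rstrip(".") in TRUSTED_LOGIN_HOSTS
```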
01-20-2016, 12:09 PM
#44
Moderator
Join Date: Oct 2010
Posts: 10,723
As scary as this phishing attack is, I do think that most of us would realize something was amiss when the master password dialog appeared on a blank page and not on top of the page we were on (see image).
Quote:
Originally Posted by gauss
If someone can describe why using the plugin button on the browser bar to login vs using the field on the web page itself is preferable I may reconsider. But other than that I am sticking with https. It has been quite reliable over the years, other than the Heartbleed bug which was a failure of the openssl implementation.
|
The reason why clicking on the LastPass icon in the browser's toolbar is safe is that there is no vulnerability there. I'm sure hackers have tried, but they have not succeeded in getting their code to run when you click on the LastPass add-in button. Contrast that with clicking anything in the view port. THAT is where the phishing problem is.
Quote:
Originally Posted by Lsbcal
Maybe I don't understand the problem here but it seems there is a simple solution for Lastpass users:
Train yourself to never click on a link that is presented to you or anything like a presentation in a browser window.
|
Correct. If you don't want to get phished, follow Rule#1: only type your master password if you specifically asked for the login dialog from the add-in button. Problem solved.
Quote:
Originally Posted by Chuckanut
Tricking and fooling people into revealing sensitive information has nothing to do with whether or not it is in the cloud.
|
Since the encrypted vault is in the cloud, it makes the master password more valuable to a hacker than, say, a vault on a thumb drive.
Quote:
Originally Posted by Alan
Yes, I believe this is correct, you have to add new sites manually. The convenience of that strip plays into the hackers' hands as it can apparently be "spoofed".
|
Quote:
Originally Posted by Lsbcal
Generally the strip appears only after one is logging out of a new site. So it would seem to me that the timing indicates it is not a spoof. But that is maybe a small quibble and I guess I have to reluctantly agree that the best thing is manually setting up a new login.
|
You don't need to hamstring LastPass! True, a hacker could put a green bar up. The worst they could do is not put that site's password in the vault. Under your scenario, they've already got that site's password. Follow Rule#1 and go on with life as-is.
You can limit IP by country, shut off notifications, etc, if it makes you feel better, but if you think back to the original phishing problem, and really understand it, you'll realize it's not necessary to change the configuration at all. Just follow Rule#1.
01-20-2016, 12:11 PM
#45
Thinks s/he gets paid by the post
Join Date: Aug 2011
Posts: 3,604
Thanks nash031,
I think we are basically in agreement. My preference would be to use the secure web site just because of the long history of security via https (i.e. the SSL/TLS protocol that dates back to the days of Netscape).
The browser extension may also be safe if you trust that LastPass did a good job in the programming of it.
I just wanted to make sure that I didn't miss something when the original advice looked like it was to not use the secure web site to login.
I think we are good here. Again thanks for the clarification.
-gauss
01-20-2016, 09:35 PM
#46
Thinks s/he gets paid by the post
Join Date: Jun 2013
Location: Bonita (San Diego)
Posts: 1,795
Quote:
Originally Posted by sengsational
As scary as this phishing attack is, I do think that most of us would realize something was amiss when the master password dialog appeared on a blank page and not on top of the page we were on (see image).
The reason why clicking on the LastPass icon in the browser's toolbar is safe is that there is no vulnerability there. I'm sure hackers have tried, but they have not succeeded in getting their code to run when you click on the LastPass add-in button. Contrast that with clicking anything in the view port. THAT is where the phishing problem is.
Correct. If you don't want to get phished, follow Rule#1: only type your master password if you specifically asked for the login dialog from the add-in button. Problem solved.
Since the encrypted vault is in the cloud, it makes the master password more valuable to a hacker than, say, a vault on a thumb drive.
You don't need to hamstring LastPass! True, a hacker could put a green bar up. The worst they could do is not put that site's password in the vault. Under your scenario, they've already got that site's password. Follow Rule#1 and go on with life as-is.
You can limit IP by country, shut off notifications, etc, if it makes you feel better, but if you think back to the original phishing problem, and really understand it, you'll realize it's not necessary to change the configuration at all. Just follow Rule#1.
|
I think this phishing scam differs based on browser, as the originator pushed it on Chrome and said Firefox would be more difficult to spoof. Not sure about the blank page and how that interacts.
__________________
"So we beat to our own drummer in the sun;
We ask for nobody's permission to run.
I just wanna live in a world like that;
Now I'm gonna live in a world like that!" - World Like That, O.A.R.
01-21-2016, 11:56 AM
#47
Moderator
Join Date: Oct 2010
Posts: 10,723
Quote:
Originally Posted by nash031
I think this phishing scam differs based on browser, as the originator pushed it on Chrome and said Firefox would be more difficult to spoof. Not sure about the blank page and how that interacts.
|
If this thing is so easy to host, I'm surprised there isn't a site that does it without the password field, just to demonstrate exactly how it would look (but with declarations that it's a demo of a phishing attack for learning purposes).
01-21-2016, 03:46 PM
#48
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Dec 2008
Location: On a hill in the Pine Barrens
Posts: 9,720
Quote:
Originally Posted by sengsational
If this thing is so easy to host, I'm surprised there isn't a site that does it without the password field, just to demonstrate exactly how it would look (but with declarations that it's a demo of a phishing attack for learning purposes).
|
Early in the thread is a link to the discoverer's Web page. There is a description of how it was done, with screen shots. From what I recall, he had a functioning exploit set up, but took it down once the company acknowledged the vulnerability.
01-26-2016, 01:53 PM
#49
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 17,262
Steve Gibson has a good explanation of the LastPass phishing attack and what LastPass had done about it and what we should be watching. Find the LostPass episode and the explanation is in the last 35 minutes.
https://www.grc.com/securitynow.htm
Basically, there is no perfect defense against a phishing attack on any app, not just LastPass, and the user must be watchful. LastPass has shut some holes and beefed up some security that makes this attack much harder to accomplish. For example, LastPass will now warn people if they are entering their LP master password into something that isn't LastPass.
__________________
Comparison is the thief of joy
The worst decisions are usually made in times of anger and impatience.
01-26-2016, 04:05 PM
#50
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: May 2006
Location: west coast, hi there!
Posts: 8,809
It would be cool if Lastpass presented a user with a user chosen image when asking for the password i.e. a customized popup.
01-26-2016, 05:27 PM
#51
Recycles dryer sheets
Join Date: Aug 2014
Posts: 94
I had the most difficult time logging in today. Entered password about a dozen times and it wouldn't log me in. First time that has happened. After reading these replies, I promptly changed my password. I've always used the extension button in chrome. I hope nothing has been compromised because I am totally dependent on this pw manager.
01-26-2016, 07:14 PM
#52
Moderator
Join Date: Oct 2010
Posts: 10,723
Quote:
Originally Posted by Lsbcal
It would be cool if Lastpass presented a user with a user chosen image when asking for the password i.e. a customized popup.
|
That seems like something that would be effective, but indeed does not address the vulnerability.
You identify yourself to the fake LastPass, then, quickly in the background, the bad guy, acting like you against real LastPass API, grabs your custom image, then presents it back to you. It's no more than an annoyance to the bad guy.
These custom images are good for simple instances where it's a redirection attack as opposed to a man in the middle attack.
01-26-2016, 09:20 PM
#53
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: May 2006
Location: west coast, hi there!
Posts: 8,809
Quote:
Originally Posted by sengsational
That seems like something that would be effective, but indeed does not address the vulnerability.
You identify yourself to the fake LastPass, then, quickly in the background, the bad guy, acting like you against real LastPass API, grabs your custom image, then presents it back to you. It's no more than an annoyance to the bad guy.
These custom images are good for simple instances where it's a redirection attack as opposed to a man in the middle attack.
|
Probably I don't understand this situation. Maybe you can tell me where I'm wrong?
Isn't the presentation a bogus web page with a generic Lastpass login? Firstly, the actual thing I see on my system is a Lastpass popup with my email in one of the top input boxes. Let's assume I have not trained myself to normally look for that (probably true). And also that I don't realize the browser page has a "frozen popup". Incidentally I bet the Lastpass login could be redesigned to pull the user's eye to his email fill-in. Like coloring it in with magenta or something. Here is what we are talking about:
Also I have mine setup so that the email is filled in. How would the man in the middle fill that one in? Or is he relying on people normally filling this in manually plus the password?
Didn't my Lastpass popup come from a browser extension on my machine? If so then it could possibly be customized by me and reside on my machine. The guy in Eastern Europe wouldn't know about this and is just mimicking a generic.
On my phone this behaves differently so I guess I'm just talking about one desktop machine and not trying to propagate the customization to more machines.
01-27-2016, 09:58 AM
#54
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Dec 2008
Location: On a hill in the Pine Barrens
Posts: 9,720
Security images are being phased out. If you search that topic, there is a lot of interesting discussion.
The option of customizing your login page locally is intriguing.
01-27-2016, 10:08 AM
#55
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: May 2006
Location: west coast, hi there!
Posts: 8,809
Quote:
Originally Posted by target2019
Security images are being phased out. If you search that topic, there is a lot of interesting discussion.
The option of customizing your login page locally is intriguing.
|
I don't know about that. Vanguard phased it out. My local Fed Credit Union phased it in.
Score 1 to 1.
But maybe in the case of Lastpass it is not needed for the issue we are discussing. Just select the remember Email option and then train yourself to look for it on each login. Plus, of course, make sure you asked for Lastpass to popup i.e. it wasn't presented out of the blue by a window you just opened.
01-29-2016, 08:56 AM
#56
Moderator
Join Date: Oct 2010
Posts: 10,723
Quote:
Originally Posted by Lsbcal
Probably I don't understand this situation. Maybe you can tell me where I'm wrong?
|
It sounds like you understand how it all works, except maybe how the man in the middle attack works in a security image situation*. Actually, I think you get that too, since you had the idea of pulling the image from the browser plug-in.
I don't have a pat answer on the ability of the LostPass hack to populate the email address if that option is checked. Off the top of my head, I'm not sure how they'd know the email address, so yet another head scratcher beyond seeing a login box that you didn't ask for. I didn't see that written up as a weakness in the LostPass attack, but sounds like it is.
Quote:
Originally Posted by target2019
The option of customizing your login page locally is intriguing.
|
+1 I wonder why they haven't done this. If the image is local, I can't see how it could be presented from javascript on a page, which is the way this phishing attack works.
* The typical man-in-the-middle attack with a security image goes like this: The user thinks they're talking to the real web site, but are talking to the bad guy and goes to the login page (fake login page), where the user enters the userid (not password, yet) (or some javascript on the page sends a cookie). The bad guy reads and immediately sends the same request to the real server. The real server sees exactly what it would have seen in a legit logon, dutifully presents the security image to the bad guy, who then presents it to the user, who thinks everything is legit, and then supplies the bad guy with the password.
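The relay in the footnote above, and the device-local image this post and Lsbcal's earlier one discuss, modelled as an added example (not code from the thread, from LastPass, or from any real site; all names and sample data are constructed). It shows why a server-side image survives the relay while an image that never leaves the browser extension does not:

```python
"""Toy model of the security-image relay in the footnote above and of the
device-local image the thread suggests. Constructed example, not code from
the thread or from LastPass: a server holding a per-user image, a phishing
page relaying every step to it, and a user who checks the image first."""


class RealServer:
    def __init__(self, accounts):
        self._accounts = accounts  # userid -> (image, password), constructed

    def image_for(self, userid):
        # A relayed request looks like a genuine one, so the server answers.
        return self._accounts[userid][0]

    def login(self, userid, password):
        return self._accounts[userid][1] == password


class RelayPhisher:
    """Fake login page that forwards each step to the real server."""
    def __init__(self, real):
        self._real = real
        self.captured = []

    def image_for(self, userid):
        # Fetch the victim's real image and hand it back, as the footnote says.
        return self._real.image_for(userid)

    def login(self, userid, password):
        self.captured.append((userid, password))
        return self._real.login(userid, password)  # forwarded, so it "works"


def login_with_server_image(site, userid, password, expected_image):
    """User protocol: send userid, check the image, only then send the password."""
    if site.image_for(userid) != expected_image:
        return "refused"
    return "ok" if site.login(userid, password) else "bad-password"


class ExtensionDialog:
    """Opened from the extension button; can read the device-local image."""
    def __init__(self, backend, local_image):
        self._backend = backend
        self.local_image = local_image

    def login(self, userid, password):
        return self._backend.login(userid, password)


class FakePageDialog(ExtensionDialog):
    """Drawn by page JavaScript: extension storage is unreadable, so no image."""
    def __init__(self, phisher):
        super().__init__(phisher, local_image=None)


def login_with_local_image(dialog, userid, password, expected_image):
    if dialog.local_image != expected_image:
        return "refused"
    return "ok" if dialog.login(userid, password) else "bad-password"


def demo():
    """Both scenarios on constructed data; returns (relay result, stolen, local result)."""
    real = RealServer({"alice@example.com": ("blue-boat", "correct horse")})
    phisher = RelayPhisher(real)
    relayed = login_with_server_image(phisher, "alice@example.com",
                                      "correct horse", "blue-boat")
    fake = FakePageDialog(phisher)
    local = login_with_local_image(fake, "alice@example.com",
                                   "correct horse", "red-kite")
    return relayed, list(phisher.captured), local
```

With the server-side image the relay shows the right picture and walks away with the password; with the local image the fake page has nothing to show and the user never types it.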
01-29-2016, 10:02 AM
#57
Administrator
Join Date: Jul 2005
Location: N. Yorkshire
Posts: 34,125
Quote:
Originally Posted by sengsational
* The typical man-in-the-middle attack with a security image goes like this: The user thinks they're talking to the real web site, but are talking to the bad guy and goes to the login page (fake login page), where the user enters the userid (not password, yet) (or some javascript on the page sends a cookie). The bad guy reads and immediately sends the same request to the real server. The real server sees exactly what it would have seen in a legit logon, dutifully presents the security image to the bad guy, who then presents it to the user, who thinks everything is legit, and then supplies the bad guy with the password.
|
Great explanation, thanks.
__________________
Retired in Jan, 2010 at 55, moved to England in May 2016
Enough private pension and SS income to cover all needs
01-29-2016, 11:29 AM
#58
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Dec 2008
Location: On a hill in the Pine Barrens
Posts: 9,720
Quote:
Originally Posted by Lsbcal
I don't know about that. Vanguard phased it out. My local Fed Credit Union phased it in.
Score 1 to 1.
But maybe in the case of Lastpass it is not needed for the issue we are discussing. Just select the remember Email option and then train yourself to look for it on each login. Plus, of course, make sure you asked for Lastpass to popup i.e. it wasn't presented out of the blue by a window you just opened.
|
If you search, you will find that security images are no longer considered a great idea. Most companies have more secure options like tokens or MFA. If a company is just now phasing in security images, they are behind the curve.
Have no comments on lastpass use.
01-29-2016, 11:33 AM
#59
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Dec 2008
Location: On a hill in the Pine Barrens
Posts: 9,720
Quote:
Originally Posted by sengsational
It sounds like you understand how it all works, except maybe how the man in the middle attack works in a security image situation*. Actually, I think you get that too, since you had the idea of pulling the image from the browser plug-in.
I don't have a pat answer on the ability of the LostPass hack to populate the email address if that option is checked. Off the top of my head, I'm not sure how they'd know the email address, so yet another head scratcher beyond seeing a login box that you didn't ask for. I didn't see that written-up as a weakness in the LostPass attack, but sounds like it is.
+1 I wonder why they haven't done this. If the image is local, I can't see how it could be presented from javascript on a page, which is the way this phishing attack works.
* The typical man-in-the-middle attack with a security image goes like this: The user thinks they're talking to the real web site, but are talking to the bad guy and goes to the login page (fake login page), where the user enters the userid (not password, yet) (or some javascript on the page sends a cookie). The bad guy reads and immediately sends the same request to the real server. The real server sees exactly what it would have seen in a legit logon, dutifully presents the security image to the bad guy, who then presents it to the user, who thinks everything is legit, and then supplies the bad guy with the password.
|
From a few articles, I understand that in tests, too many users ignored the absence of the security image, and will just keep going, deeper and deeper into the abyss of theft.
01-29-2016, 11:55 AM
#60
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: May 2006
Location: west coast, hi there!
Posts: 8,809
Quote:
Originally Posted by target2019
If you search, you will find that security images are no longer considered a great idea. Most companies have more secure options like tokens or MFA. If a company is just now phasing in security images, they are behind the curve.
Have no comments on lastpass use.
|
The Fed Credit Union that introduced this is highly security conscious. At least they are really up front with a lot of it including 2FA. It depends a lot on how the image is presented i.e. design elements. If you log in multiple times a month your expectation gets set. In my humble opinion, I'd rather have the security image than not. At worst I'd think it was just redundant.
But then we don't really get to vote on the institutional security setup, except maybe with our feet.