LastPass Users Vulnerable to Devastating Phishing Attack
01-17-2016, 03:43 AM
#1
Dryer sheet aficionado
Join Date: Apr 2013
Posts: 43
LastPass Users Vulnerable to Devastating Phishing Attack
People using LastPass to manage their financial passwords now have a new concern: a devastating phishing attack. LastPass has not been "hacked," but because it displays messages within the browser, as a webpage, these messages can be faked with pixel-to-pixel exactness, allowing even a normally cautious user's master password and even two-factor authentication to be compromised. These are possible due to the way in which the LastPass interface has been designed. At a conference yesterday, Sean Cassidy, CTO of Praesidio, demonstrated such a phishing attack, and then posted instructions to replicate it on GitHub, under the name "LostPass":
https://github.com/cxxr/lostpass
You can read more about how it works at Mr. Cassidy's blog:
https://www.seancassidy.me/lostpass.html
For a less technical discussion, here are two news articles that have been published:
LastPass has serious flaw called 'LostPass' -- your passwords and more are at risk
ShmooCon: LastPass design elements create perfect Phishing opportunity | CSO Online
Mr. Cassidy did contact LastPass, who subsequently issued an update, but he suggests that their patch has in some ways made things worse. The alert that was implemented now confirms to the attacker that the user ID and password are valid.
Here are the suggestions that Mr. Cassidy posted in his blog for users while they wait for LastPass to roll out better user protections:
• Ignore notifications in the browser window
• Enable IP restriction (only available to paid plans)
• Disable mobile login (although other attacks could use non-mobile API)
• Log all logins and failures
• Inform your employees of this potential attack
For those considering alternative password managers, he recommends:
• Browser extensions are riskier than native applications
• An API makes it easier to steal a lot of data
• Store only frequently used and low risk data in a password manager
__________________
Many people take no care of their money till they come nearly to the end of it, and others do just the same with their time. -- Johann Wolfgang von Goethe
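The mitigation list above, as an added example (not LastPass's or Mr. Cassidy's code): a small login service that applies IP restriction, logs every attempt, and returns one uniform failure message, so the reply never confirms to whoever relays stolen credentials that the user ID and password were valid. The usernames, addresses, PBKDF2 hashing and log format are constructed assumptions.

```python
"""Added example (not LastPass's or Cassidy's code) of the mitigations
listed above: IP restriction, logging of every attempt, and a reply
that never tells the client whether the credentials were valid."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field

def hash_password(salt: bytes, password: str) -> bytes:
    # PBKDF2 stands in for whatever KDF the real service uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

DUMMY_SALT = b"\x00" * 16
DUMMY_HASH = hash_password(DUMMY_SALT, "")   # compared against for unknown users

@dataclass
class LoginService:
    users: dict                 # username -> (salt, password_hash)
    allowed_networks: list      # "IP restriction": CIDRs a login may come from
    audit_log: list = field(default_factory=list)
    # One message for every failure. Wrong password, unknown user and a
    # blocked address all look the same, so a phishing relay that tries
    # stolen credentials learns nothing from the reply (the point Cassidy
    # made about the alert that confirmed valid credentials).
    UNIFORM_FAILURE = "Sign-in failed."

    def login(self, username: str, password: str, client_ip: str) -> str:
        ip = ipaddress.ip_address(client_ip)
        ip_allowed = any(ip in ipaddress.ip_network(n) for n in self.allowed_networks)
        record = self.users.get(username)
        salt, stored = record if record is not None else (DUMMY_SALT, DUMMY_HASH)
        # Always run the comparison so unknown users cost the same time.
        cred_ok = hmac.compare_digest(hash_password(salt, password), stored)
        if record is None:
            cred_ok = False
        if cred_ok and ip_allowed:
            outcome = "success"
        elif cred_ok:
            outcome = "ip_blocked"          # valid password, disallowed address
        else:
            outcome = "bad_credentials"
        self.audit_log.append((username, client_ip, outcome))   # log everything
        return "Signed in." if outcome == "success" else self.UNIFORM_FAILURE

def review_audit_log(audit_log, known_ips):
    """Events worth telling the account owner about, out of band: every
    failure, plus any success from an address not seen before."""
    return [(user, ip, outcome) for user, ip, outcome in audit_log
            if outcome != "success" or ip not in known_ips]
```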
01-17-2016, 06:10 AM
#2
Thinks s/he gets paid by the post
Join Date: Jan 2007
Posts: 1,240
Thanks for posting this.
There was a kerfuffle online among users when LastPass was sold to another company a few months ago.
Would LastPass be safeguarded if it lived on a USB device and you only logged on when you knew you were the one initiating things?
So - to the ER forum - do you care to post about your choice of password keeper, your password strategy and how secure it is?
Shall we go back to the little pieces of paper hidden under our keyboards or the Post-It notes stuck to the edge of the screen?
01-17-2016, 09:13 AM
#3
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: May 2006
Location: west coast, hi there!
Posts: 8,808
Maybe I don't understand the problem here but it seems there is a simple solution for Lastpass users:
Train yourself to never click on a link that is presented to you or anything like a presentation in a browser window. This is the same as email good practice, i.e. go to the source you know to be safe rather than a possibly compromised window or link.
That means for Lastpass if you think you need to login, click the Lastpass icon on your toolbar (for Firefox anyway) or click on the Lastpass icon on your phone.
Does this sound right? I'm no security expert but am a bit paranoid about security.
01-17-2016, 09:22 AM
#4
Thinks s/he gets paid by the post
Join Date: Aug 2007
Posts: 2,858
This is good info. I agree that this Phishing attack can work, but it doesn't mesh with how I use Lastpass. It would require me to visit a website with malicious code installed. Almost all of the sites I visit I either launch from Lastpass or visit directly. The only case where I could have a problem is if I mistype a website address, which is unlikely. And even in that case I think I'd suspect something odd.
Plus, as an additional step, I also have two-factor authentication set up for all my important accounts. This means that even if Lastpass is hacked, I still have an added layer of protection. This is important since I assume that Lastpass (or any password repository) is not 100% secure.
I'm glad you posted this. It'll definitely make me more cautious on how/where I enter my Lastpass master password. From now on, I'll only do this through their extension. I'm also going to check if I can enable e-mails for login attempts or anything else that will tell me when my account is accessed.
__________________
Eat, Drink and Be Merry.
01-17-2016, 09:31 AM
#5
Thinks s/he gets paid by the post
Join Date: Jul 2011
Posts: 1,283
I use KeePass on a thumb drive. I recently purchased a wireless one for occasional tablet use. I back up to another thumb drive. Not as convenient, but I think safer than cloud. And, if my computer is stolen or breaks, I have my passwords.
01-17-2016, 09:33 AM
#6
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 17,173
Thanks for the update.
I wonder that if instead of worrying about encrypting everything, the security experts should be finding ways to make sure these fake sites are much harder to create.
Quote:
“I think that the security industry's view of Phishing is naive at best, negligent at worst. Phishing is the most dominant attack vector and is used by everyone from run-of-the-mill CryptoLocker types to APTs,” Cassidy wrote.
“The real solution is designing software to be Phishing resistant. Just like we have anti-exploitation techniques, we need anti-Phishing techniques built into more software. Software security evaluations should also include how easy it is to Phish said software.”
__________________
Comparison is the thief of joy
The worst decisions are usually made in times of anger and impatience.
01-17-2016, 09:38 AM
#7
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: May 2006
Location: west coast, hi there!
Posts: 8,808
Quote:
Originally Posted by kiki
...
Plus, as an additional step, I also have two-factor authentication set up for all my important accounts. This means that even if Lastpass is hacked, I still have an added layer of protection. This is important since I assume that Lastpass (or any password repository) is not 100% secure.
...
Good point about 2FA. My 2FA accounts ask for authentication should a user login from another computer. They could be set up to require 2FA from any computer but that means it is not as convenient.
01-17-2016, 01:19 PM
#8
Thinks s/he gets paid by the post
Join Date: Jan 2008
Posts: 1,495
Quote:
Originally Posted by davef
I use KeePass on a thumb drive. I recently purchased a wireless one for occasional tablet use. I back up to another thumb drive. Not as convenient, but I think safer than cloud. And, if my computer is stolen or breaks, I have my passwords.
This. Exactly.
Of course LastPass had something nasty happen. It was only a matter of time. It's a hacker's paradise. I've said it before: my brother has worked with the cloud since its inception including security and has warned it is not at all as secure as the public has been led to believe. Ask anyone who works with it. Nothing in the cloud is safe.
01-18-2016, 07:29 PM
#9
Thinks s/he gets paid by the post
Join Date: Jan 2008
Posts: 1,495
01-18-2016, 08:04 PM
#10
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 17,173
From what I understand LastPass security was not breached. Rather, LastPass users were tricked into revealing sensitive information. I am not sure what LastPass or any others can do about that. Even if you have all your passwords only on hard copy and locked securely away, if a criminal tricks you into typing it into a computer, they have it.
Tricking and fooling people into revealing sensitive information has nothing to do with whether or not it is in the cloud.
That said, I agree that all is not as safe as we are led to believe. These boys and girls have got to get a handle on this, or we will all be going back to spending cash at brick and mortar stores.
__________________
Comparison is the thief of joy
The worst decisions are usually made in times of anger and impatience.
01-18-2016, 08:25 PM
#11
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: May 2006
Location: west coast, hi there!
Posts: 8,808
Quote:
Originally Posted by Chuckanut
...
Tricking and fooling people into revealing sensitive information has nothing to do with whether or not it is in the cloud.
...
I agree. Just today I was ready to do a sales tax return for DW. The email from the state of California had a link to their site. It did go to what appeared to be a legitimate login page. I did not use that page.
That is a terrible practice on their part...I think. They should require me to look up the link in a reliable browser. Or can I totally rely on the Google browser link to bring up the .gov site safely? I hope so. Anyway, that is how I got to the login page.
Then I look at my bank's email and there is a link to their login page. Then I look at Vanguard's email and another login page link.
Am I wrong about this?
01-18-2016, 08:38 PM
#12
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 38,012
Quote:
Originally Posted by Options
This deserves its own thread. Lots of taxAct users here.
__________________
Retired since summer 1999.
01-18-2016, 09:07 PM
#13
Thinks s/he gets paid by the post
Join Date: Jan 2008
Posts: 1,495
Quote:
Originally Posted by Chuckanut
From what I understand LastPass security was not breached. Rather, LastPass users were tricked into revealing sensitive information. I am not sure what LastPass or any others can do about that...
Here's what they can do/should have done:
Internet Safety: Protecting Your Financial Transactions
Quote:
When is a website secure for financial transactions?
Before sending any sensitive or financial information online, you want to know that you are communicating with a secure site. Secure sites make sure all information you send is encrypted—or protected—as it travels across the Web. The https address heading and your browser's security symbol are two signs indicating you are on a secure site.
Emphasis added.
On the prior LastPass breach:
Hack Brief: Password Manager LastPass Got Breached Hard | WIRED
Specifically:
Quote:
On Monday password manager service LastPass admitted it had been the target of a hack that accessed its users’ email addresses, encrypted master passwords, and the reminder words and phrases that the service asks users to create for those master passwords.
How Serious Is This?
That depends. The severity of this latest LastPass’s hack—the first it’s experienced since it admitted to an earlier possible breach in 2011—is contingent on both the strength of a person’s master passwords and how long the breach went undetected. Given the encryption that LastPass describes, a strong, truly random master password is likely safe, says Joseph Bonneau, a Stanford cryptography researcher who’s focused on password security.
But “this is still pretty bad,” says Bonneau, particularly for users with weak passwords that are vulnerable to guessing. “If they can brute force any master passwords, the attackers could extract password vaults and decrypt them for lots of users or some high value targets.”
Emphasis added.
It happened before. It will happen again. Here's what dedicated, persistent hackers are capable of:
Hackers Breach FBI-Run Site, Email Account of Top Bureau Official
Beware the cloud.
01-18-2016, 09:08 PM
#14
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Jul 2014
Location: Spending the Kids Inheritance and living in Chicago
Posts: 17,012
I use KeePass as it resides local so no browser to interact with. I can put copies on thumb drives or other laptops to take with me.
It works in Windows/Linux/etc.
When I put it on a laptop, I put the encrypted password file with a TrueCrypt encrypted file, so if I lose the laptop, it's going to take the bad guys a long, long time to crack it.
01-18-2016, 09:21 PM
#15
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 17,173
If a person uses weak passwords that are vulnerable to clever guessing or brute force attacks, not much is going to help. Criminals won't need a password manager, clever fake emails or other tricks. Using a weak password is basically tricking oneself. Not so good.
__________________
Comparison is the thief of joy
The worst decisions are usually made in times of anger and impatience.
01-18-2016, 09:22 PM
#16
Thinks s/he gets paid by the post
Join Date: Jan 2008
Posts: 1,495
Unfortunately, KeePass has been hit, too:
Hacking tool swipes encrypted credentials from password manager | Ars Technica
OTOH:
Quote:
In fairness to KeePass developers, they have long warned users that no password manager can secure passwords on a compromised computer...
There's no doubt that password managers represent a single point of failure that could be catastrophic. Still, on the whole, they provide more benefit than risk when used correctly.
Emphasis added.
IMO, the chances of an individual computer being compromised (particularly with proper safeguards employed) are far lower versus that same information stored in the cloud (cloud PM's, by their very nature, represent a single source jackpot for hackers).
While I was working for a very well-known organization, IT showed me a computer screen of the globe, providing a live, multi-colored display of the number of by-the-second attempted breach attacks from all over the world on our organization (that IT was defending against, of course). It looked like a scene out of the movie "War Games". How could such a rich bounty target as LastPass not be under these same constant attack attempts? Why take the chance that one will eventually succeed, particularly since one already has.
01-19-2016, 05:39 AM
#17
Moderator
Join Date: Feb 2010
Location: Flyover country
Posts: 25,200
Quote:
Originally Posted by Lsbcal
They should require me to look up the link in a reliable browser.
Some people get it. I've always appreciated this note that appears on the email I get from a credit union:
Quote:
Notice: To help protect members from potential phishing attempts, Wright-Patt Credit Union does not provide direct links to our website in your eStatement notification. To access your most recent eStatement and copy of WPCU's Privacy Policy, please visit Wright-Patt Credit Union's website and enter your username and password in the member login area at the top of the page. Then click on eStatements from the Additional Services menu bar.
01-19-2016, 07:34 AM
#18
Thinks s/he gets paid by the post
Join Date: Oct 2009
Posts: 1,987
I just started using SplashID Safe and only use it from their app, I DO NOT use it from a webpage. It updates my 2 smartphones and 2 MacBooks nicely.
__________________
You do not have a soul. You are a soul. You have a body.
01-19-2016, 08:32 AM
#19
Thinks s/he gets paid by the post
Join Date: Jul 2004
Posts: 1,428
I've been meaning to ask the software gurus here - Even if a piece of software runs locally, how do you know that it doesn't call home and share a session?
01-19-2016, 08:38 AM
#20
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Dec 2008
Location: On a hill in the Pine Barrens
Posts: 9,687
Quote:
Originally Posted by Tadpole
I've been meaning to ask the software gurus here - Even if a piece of software runs locally, how do you know that it doesn't call home and share a session?
Look into network monitoring software. It will show ports opening. Can do this in other ways, like watch your router's log.
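The kind of check the reply above describes, as an added example that is not from any poster: read the machine's connection table and list where a given local process actually connects. The sample lines are constructed in the style of `ss -tnp` output, with hypothetical process names, PIDs and addresses.

```python
"""Added example (not from any poster): does a locally running program
"call home"? Parse established connections per process and keep only
peers outside the machine and the LAN. Sample lines are constructed in
the style of `ss -tnp` output; processes and addresses are hypothetical."""
import ipaddress
import re

SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
ESTAB  0      0      192.168.1.20:50412  203.0.113.10:443    users:(("browser",pid=2210,fd=44))
ESTAB  0      0      127.0.0.1:19455     127.0.0.1:51022     users:(("keepass",pid=3101,fd=9))
ESTAB  0      0      192.168.1.20:50418  198.51.100.7:443    users:(("keepass",pid=3101,fd=13))
"""

# Peers on these networks are the machine itself or the LAN, not "home".
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r'^ESTAB\s+\d+\s+\d+\s+\S+:\d+\s+(\S+):(\d+)\s+users:\(\("([^"]+)",pid=(\d+)')

def outbound_connections(ss_text: str, process_name: str):
    """Return (peer_ip, peer_port, pid) for every established connection of
    process_name whose peer lies outside the loopback and private ranges."""
    found = []
    for line in ss_text.splitlines():
        m = LINE_RE.match(line)
        if m is None or m.group(3) != process_name:
            continue
        peer = ipaddress.ip_address(m.group(1))
        if any(peer in net for net in LOCAL_NETS):
            continue   # e.g. the manager's local browser-integration port
        found.append((str(peer), int(m.group(2)), int(m.group(4))))
    return found
```

Run it repeatedly while the program is in use; a password manager that only talks to loopback should produce an empty list.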