bondcros.blogg.se

Lastpass hacker news
We were continuously in a cycle of discovering faults, evaluating them, deciding the best way to address them. We always tried to limit access to our various systems to those with a need to know.


Most people have relatively modest password management needs. But in a professional environment, password management is a must. The company I worked for prior to my retirement had approx. 500 employees and somewhere north of 4,000 critical credentials – device logins, service logins, accounts with 3rd party vendors, and more. In such an environment, a password manager is not optional. As Stuxnet showed us back in 2010, even an airgap can be compromised. Everything has flaws. You can divide systems into those that have been hacked and those that will be hacked. I first learned about LastPass after Steve Gibson of the Security Now podcast gave it high marks.


The lead sentence of each bullet below outlines what LastPass is saying:

  • The attacker “gained access to the development environment using a developer’s compromised endpoint.” We’re assuming this was down to the attacker implanting system-snooping malware on a programmer’s computer.
  • The trick used to implant the malware couldn’t be determined. That’s disappointing, because knowing how your last attack was actually carried out makes it easier to reassure customers that your revised prevention, detection and response procedures are likely to block it next time.
  • Hats off to LastPass for admitting to what amounts to a “known unknown”. Many potential attack vectors spring to mind, including: unpatched local software, “shadow IT” leading to an insecure local configuration, a phishing click-through blunder, unsafe downloading habits, treachery in the source code supply chain relied on by the coder concerned, or a booby-trapped email attachment opened in error.
  • The attacker “utilised their persistent access to impersonate the developer once the developer had successfully authenticated using multi-factor authentication.” We assume this means that the hacker never needed to acquire the victim’s password or 2FA code, but simply used a cookie-stealing attack, or extracted the developer’s authentication token from genuine network traffic (or from the RAM of the victim’s computer) in order to piggy-back on the programmer’s usual access.
  • LastPass keeps its development and production networks physically separate. This is a good cybersecurity practice because it prevents an attack on the development network (where things are inevitably in an ongoing state of change and experimentation) from turning into an immediate compromise of the official software that’s directly available to customers and the rest of the business. This makes it believable for LastPass to claim that no modified or poisoned source code would have reached customers or the rest of the business, even if the attacker had managed to implant rogue code in the version control system.
  • LastPass doesn’t keep any customer data in its development environment. Again, this is good practice given that developers are, as the job name suggests, generally working on software that has yet to go through a full-on security review and quality assurance process. This separation also makes it believable for LastPass to claim that no password vault data (which would have been encrypted with users’ private keys anyway) could have been exposed, which is a stronger claim than simply saying “we couldn’t find any evidence that it was exposed.” Keeping real-world data out of your development network also prevents well-meaning coders from inadvertently grabbing data that’s meant to be under regulatory protection and using it for unofficial test purposes.
  • Although source code was stolen, no unauthorised code changes were left behind by the attacker. Of course, we only have LastPass’s own claim to go on, but given the style and tone of the rest of the incident report, we can see no reason not to take the company at its word.
  • Source code moving from the development network into production “can only happen after the completion of rigorous code review, testing, and validation processes”.
  • LastPass never stores or even knows its users’ private decryption keys. In other words, even if the attacker had made off with password data, it would have ended up as just so much shredded digital cabbage. (LastPass also provides a public explanation of how it secures password vault data against offline cracking, including using client-side PBKDF2-HMAC-SHA256 for salting-hashing-and-stretching your offline password with 100,100 iterations, thus making password cracking attempts very much harder even if attackers make off with locally-stored copies of your password vault.)
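As an added illustration (not code from this page or from LastPass) of the client-side stretching described in the last bullet: PBKDF2-HMAC-SHA256 at the 100,100 iterations quoted above, with a constant-time verify and a rough per-guess cost measurement showing what the iteration count buys against offline cracking. The salt and sample password are constructed; using the account identifier as the salt is an assumption, not something the page states.

```python
import hashlib
import hmac
import time

# Parameters the page gives for LastPass's client-side key stretching.
ALGORITHM = "sha256"   # PBKDF2-HMAC-SHA256
ITERATIONS = 100_100   # iteration count quoted on the page
KEY_LEN = 32           # 256-bit output key


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a master password into a fixed-size key. The salt stops identical
    passwords from yielding identical keys; the iteration count sets the work an
    offline attacker must repeat for every single guess."""
    return hashlib.pbkdf2_hmac(ALGORITHM, master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def verify_master_password(candidate: str, salt: bytes, stored_key: bytes,
                           iterations: int = ITERATIONS) -> bool:
    """Constant-time comparison, so the check leaks nothing about how many bytes matched."""
    return hmac.compare_digest(derive_vault_key(candidate, salt, iterations), stored_key)


def seconds_per_guess(salt: bytes, iterations: int = ITERATIONS, probes: int = 3) -> float:
    """Wall-clock cost of one derivation, i.e. the price of one offline guess."""
    start = time.perf_counter()
    for i in range(probes):
        derive_vault_key(f"guess-{i}", salt, iterations)
    return (time.perf_counter() - start) / probes


if __name__ == "__main__":
    # Constructed sample values. Using the account identifier as salt is an
    # assumption for illustration only.
    salt = b"user@example.com"
    key = derive_vault_key("correct horse battery staple", salt)
    print("vault key      :", key.hex())
    print("verify correct :", verify_master_password("correct horse battery staple", salt, key))
    print("verify wrong   :", verify_master_password("Correct horse battery staple", salt, key))
    fast = max(seconds_per_guess(salt, iterations=1), 1e-9)
    slow = seconds_per_guess(salt)
    print(f"one guess at 1 iteration: {fast:.6f}s, at {ITERATIONS:,}: {slow:.4f}s "
          f"(~{slow / fast:,.0f}x more work per guess for an offline cracker)")
```

The last line is the practical point: a legitimate user pays the stretching cost once per unlock, while whoever steals a vault copy pays it for every candidate password.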









