Rich Kulawiec on 9 Jan 2017 04:53:11 -0800



Re: [PLUG] Lastpass - friend of foe


On Sat, Jan 07, 2017 at 09:46:21PM -0500, Tim Allen wrote:
> I've been using LastPass for a while, and am dreading the day when they
> inevitably get hacked and I have to change all my passwords. 

You *should* dread that day, especially if it's already history.

Given that you have zero visibility into their security, how do you
know this hasn't already happened?  How will you know when it does?

A judicious attacker will not make obvious blunders like announcing
the hack on Twitter or trying to sell the entire database en masse.
They'll look at what they've harvested and very carefully, very slowly,
crack and use only the worthwhile credentials one at a time.

Given that approach, how will LastPass know?  And if they do figure it out,
why should they tell you?  Again: you have zero visibility into
*their* security.  So if the attacker doesn't do you the favor of
alerting you, why should they, when it will damage their business model?
Surely you don't expect them to commit corporate suicide in order
to protect you.  Why should they?  Your data is not *their* data.
Your users/customers are not *their* users/customers.  They can
remain silent indefinitely with full deniability ("we didn't know").
So...why should they speak?  What, exactly, is in it for them?

There is no way for you to tell the difference between the states
"secure" and "compromised" because you've put your passwords
into a black box you can't control and can't watch.

And it gets worse: you are a target of value V1.  Maybe V1 is large.
Maybe it's small.  But we can reason that it's unlikely an attacker
will spend 10*V1 to attack you, because it yields lousy ROI.  Nobody
spends $250K to rob a bank with $25K.  So absent some other one-off
factor like politics or ideology or a really serious personal grudge,
your threat model doesn't need to include an attacker spending 10*V1.

However: you're only one target.  What's sitting at LastPass is
data of value V = V1 + V2 + V3 + ... + Vn, where n is the number
of operations who've done what you've done.  You don't know what n is.
You don't know what V17 or V283 or any of the others are because you don't
know who they are or what their value is.  So you don't know what V is.
The only things you know are (a) it's larger than V1, potentially MUCH
larger, and (b) as n increases, V increases.  You have signed yourself up
for a threat model based on V...NOT V1.  You have thus not only taken on
a much larger risk, you don't know and can't know how large that risk is.

This is the point where you should be sweating, getting off LastPass,
and changing all your passwords as fast as you possibly can.

---rsk

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug