Rich Kulawiec on 17 Jan 2017 06:04:04 -0800



Re: [PLUG] Lastpass - friend of foe


On Tue, Jan 10, 2017 at 11:09:41AM -0500, JP Vossen wrote:
> Something else I haven't seen yet:
> 
> https://tech.slashdot.org/story/17/01/09/0521217/browser-autofill-profiles-can-be-abused-for-phishing-attacks
> 
> Browser Autofill Profiles Can Be Abused For Phishing Attacks

[snip]

I saw that too.  It's quite clever.  But when reading it, it's worth
keeping in mind that the exploits that are published in the press are only
a subset of the exploits known in the security community are only a
subset of the exploits known on the darknet are only a subset of exploits
that exist.  Shorter version: it is highly unlikely that this is as bad
as it gets.

This is the security equivalent of a warning shot.  Let me explain why
I think that's so by using another security company as an example
(and both of these articles are worth reading):

	Researchers Uncover RSA Phishing Attack, Hiding in Plain Sight
	https://www.wired.com/2011/08/how-rsa-got-hacked/

	RSA admits SecurID tokens have been compromised
	https://www.helpnetsecurity.com/2011/06/07/rsa-admits-securid-tokens-have-been-compromised/

Someone retrieved a message (mistake) from a spam folder (mistake) and opened
the attachment (mistake) with a Microsoft (mistake) application (mistake)
on a Windows (mistake) system with Adobe (mistake) Flash (mistake) that
had access to all or a substantial part of their internal network (mistake)
and to the Internet through a default-permit outbound firewall (mistake).

Shortly thereafter: 40 million (!) compromised tokens.  Oops.

If you were one of their customers, you probably weren't the target.
(Although *some* of their customers most certainly were.)  But you
lost anyway.  Because someone took the time to carefully spearphish
a handful of specific people and they burned a 0-day in the process.

Now granted, they had a lot of help from the IT staff, who implemented
some worst practices in security.  But this wasn't a casual act.
Someone invested time and money in this because they judged the
payoff worth it.  It was planned and executed very competently against
a company whose entire business is security. [1]  They had one job.

RSA painted a bullseye on themselves large enough to be seen from space
because they accrued information deemed sufficiently valuable by (at
least) one adversary who had the resources to acquire it.  And then
they started making mistakes (see above) which, in combination,
made them sufficiently vulnerable that (at least) one adversary
was successful.

I think LastPass is doing exactly the same thing.

I think it's only a matter of time.  I'd like to be wrong about that,
for their sake and for the sake of all their users, but long and
bitter experience suggests I'm not.

---rsk

[1] Pointed question: do you think that this is the first successful
attack against RSA, or do you think it's merely the first successful
attack against RSA that we know about, or merely the first successful
attack against RSA that *they* know about?
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug