Rich Kulawiec on 31 Jan 2017 02:47:26 -0800

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Lastpass - friend of foe

On Tue, Jan 17, 2017 at 09:24:11AM -0500, Rich Freeman wrote:
> I'd go a step further and argue that the design was flawed simply due
> to the fact that RSA was ever in a position to have the credentials on
> the tokens.

And I would agree with you.

Incidentally, I noticed this recent article about Lastpass this morning.
(Which is why I'm following up.)  It demonstrates that they're lying
about this claim:

	"LastPass encrypts your Vault before it goes to the server using
	256-bit AES encryption. Since the Vault is already encrypted
	before it leaves your computer and reaches the LastPass server,
	not even LastPass employees can see your sensitive data."

Here's the article:

	PSA: LastPass Does Not Encrypt Everything In Your Vault

What the author doesn't note is that there (at least) three more serious
privacy/security problems that arise from this.  (And this is based on
just a couple minutes' thinking over coffee #1, so it's likely to be

The first is that anyone with knowledge of the sites in your vault knows
which sites to use when they try to spearphish you.

The second is that the same knowledge provides an attacker with clues
about your identity.  How useful those clues are will depend on which
sites are present and the relative uniqueness of those sites, e.g.,
seeing that person X has stored passwords for Google and Reddit really
isn't much help.  But seeing that they've also stored passwords for
underwaterhockey.blah and goat-staring.blah will really narrow down
the possibilities.

The third is that correlation of this knowledge across users will provide
clues not only about identities, but about relationships.  To use the
previous example, if there are two and only two users with those four sites
stored, then there is a very high probability they are related in some way
(or are the same person).

In all three cases, these bits of knowledge combined with access
timestamps and access IP addresses will yield additional identifying
and correlating information. [1]   It will also provide geolocation
clues and suggest time windows for attacks.

The author of the Lastpass piece recommends an alternative called Bitwarden,
but since their home page contains this sentence:

	Because your data is hosted in our secure cloud environment,
	you can access it from anywhere, on any device!

I think we can dismiss them permanently on inspection.  ("secure cloud" is
an oxymoron.)


[1] Deanonymizing users, once one has a substantial amount of data like
this, is probably much easier than it looks on the surface.  (I've spent
some time over the past decade studying exactly that.)  For an analysis
of a recent article (and a link to the original):

	One More Time With Feeling: 'Anonymized' User Data Not Really Anonymous
Philadelphia Linux Users Group         --
Announcements -
General Discussion  --