The latest Wikileaks dump of Apple hacking tools, the LastPass vulnerabilities, and a new Android security report are discussed.
LastPass has fixed three bugs in the password manager discovered by Google research Tavis Ormandy in the last 24 hours.
Mike Mimoso and Chris Brook discuss the news of the week, including a wireless keyboard vulnerability – KeySniffer, NIST’s statement on 2FA, a LastPass remote compromise bug, and a new Tor paper.
A critical zero-day flaw has been discovered in the popular cloud password manager LastPass that could allow any remote attacker to compromise your account completely.
LastPass is a password manager that also available as a browser extension that automatically fills credentials for you.
All you need is to remember one master password to unlock all other passwords of your different online
LastPass has mitigated the effects of a new phishing attack presented this weekend at ShmooCon.
In a blog post , LastPass revealed that they “discovered and blocked suspicious activity on our network” and that it found “no evidence that encrypted user vault data was taken”.
LastPass seem to be transparent in sharing information about this security breach. They have provided what appears to be good technical detail about the information potentially compromised, along with the type of cryptography used to secure their user’s “Master” passwords.
The actual compromise of the ‘server per user salts’ and the ‘authentication hashes’ would allow the attackers to brute-force a targeted user’s password, but LastPass is claiming this information has been created using what is known as a ‘key derivation function’ called PBKDF2, considered best practice.
This makes it extremely difficult for attackers to brute-force the passwords in bulk and instead limit attackers to cracking one password at a time – meaning they would have to target a particular user (or use many computers to target multiple users).
However, the weakest link here is the compromise of ‘email addresses’ and ‘password reminders’. Two likely scenarios come to mind that may arise as a result of this compromised information:
(1) Phishing attacks to LastPass users is now very likely, if the attackers choose to send email pretending to be from LastPass to trick them into divulging their Master passwords.
(2) The password reminders may give the attackers clues when attempting to brute-force a password. Some users are known to provide password reminder clues that are very easy to interpret that almost reveal the password in full immediately.
Worse, the addition of the password reminder information to a phishing email may increase the success of that type of attack.
LastPass is right to advise all their users of this compromise, and hopefully all LastPass users are able to heed the warning and change their Master password, plus activate multi factor authentication options.
The positives in this case, however, appear to be the best practice use of cryptography in their storage of master passwords (i.e. PBKDF2) and the failure to access ‘encrypted data’ (stored passwords and Master Passwords). This is potentially down to LastPass having separate systems for this sensitive data.
If the attackers had been able to compromise the ‘encrypted user data’ then LastPass would surely be advising their users to not only change their Master password, but every other password stored within their accounts – and this would be a monumental task for all concerned.
Luckily no passwords were actually stolen in the attack on LastPass last Friday, according to the Company’s Blog: “In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed.” Nonetheless account email addresses, password reminders, server per user salts, and authentication hashes were compromised.
Because of that everyone using the LastPass service will receive a mail, prompting them to reset their master password, according to the blog entry. On top of that the company will also require users who log in from a new device or IP address to verify their ID via mail if multifactor authentication is not enabled for the specific account.
Considering your stored passwords the blog says: “Because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault. As always, we also recommend enabling multifactor authentication for added protection for your LastPass account.”
So apparently there is no need to change every password you have stored with them. You can if you are really really concered for your accounts, but according to LastPass there is no need for it. Just make sure none of the other passwords you use is the same as the master password of your LastPass account.
The post LastPass Has Been Breached: Change Your Master Password Now appeared first on Avira Blog.
Now more than ever, its important to make sure your social media accounts are safe and secure. Here are our 6 top tips to make your social media accounts almost unhackable.
The post How to make your social media accounts (almost) unhackable appeared first on We Live Security.