
A Perfect Example of How Counting on Cloud-Based Platforms Can Go Wrong

Written by Bill Hogan:

If you’ve heard me talk about the risks associated with Cloud solutions, you’ve probably heard my example discussing the dangers of consolidating sensitive data into one location, like having a street lined with small mom & pop businesses and a high-end jewelry store. If you’re a criminal, you could rob one of the mom & pop stores and get a little loot – or you could rob the jewelry store and get a real haul.

We see this with Cloud-based services that bundle financial, medical, or other sensitive data. They are the ‘jewelry stores’, and criminals will go to extraordinary lengths to break in. Since so many ‘jewelry stores’ have moved to Cloud-based services, criminals have focused on ways to compromise Cloud-based services (in essence, they are becoming experts at breaking into jewelry stores, because that is all they do), so we can expect significant climbs in both the frequency and severity of compromises (https://www.axios.com/2023/03/07/hackers-cloud-breaches-cybersecurity). Unfortunately, other factors can make their job significantly easier. Some examples, continuing the jewelry store analogy (with links to articles about Cloud-based solutions failing in catastrophic ways):

  1. An owner who doesn’t keep the security systems current or gets the budget system
    1. https://www.bleepingcomputer.com/news/security/t-mobile-hacked-to-steal-data-of-37-million-accounts-in-api-data-breach/
    2. https://www.bleepingcomputer.com/news/security/toyota-mercedes-bmw-api-flaws-exposed-owners-personal-info/
  2. The landlord uses the same door key for all of their buildings, and one key got into the hands of bad guys – so they cleaned out all the stores
    1. https://www.bleepingcomputer.com/news/security/nortonlifelock-warns-that-hackers-breached-password-manager-accounts/
  3. Poor maintenance of the building
    1. https://www.techspot.com/news/97325-thousands-paypal-accounts-breached-credential-stuffing-attack.html#commentsOffset
  4. Sloppy employees
    1. https://www.bleepingcomputer.com/news/security/toyota-discloses-data-leak-after-access-key-exposed-on-github/
  5. Poorly designed or implemented security procedures
    1. https://www.bleepingcomputer.com/news/security/hyundai-app-bugs-allowed-hackers-to-remotely-unlock-start-cars/
  6. Not regularly reviewed/audited by independent third parties
    1. https://www.bleepingcomputer.com/news/security/dropbox-discloses-breach-after-hacker-stole-130-github-repositories/

When it comes to Cloud-based compromises, we see examples of every one of these at least monthly – and often weekly (and sometimes daily). So how do you protect your data? Well, there are several things you can do:

  • From your side:
    • Use different passwords for each vendor/website
    • Use 2FA (two-factor authentication) with an authenticator app (like Google’s Authenticator), and do NOT use Texting/SMS-based authentication (unless that is the ONLY option available)
    • Encrypt the data before providing it to the vendor (so if the vendor gets compromised, all the criminal gets is a useless encrypted blob of data)
    • Don’t use Cloud vendors who aren’t significant players – saving money here pretty well guarantees you’ll regret it
    • Minimize the data to what you need for your business. The approach of “let’s capture everything just in case we need it someday” means a data breach will be a much bigger issue
  • From the vendor side:
    • Don’t use Cloud vendors who don’t have the resources to have very deep security staff
    • Don’t use vendors who aren’t actively investing in their infrastructure/security
    • Avoid vendors who were recently purchased – usually, that can mean trouble, especially if the original firm’s staff or resources are cut
    • Try to be aware of ownership changes or changes in business models – both tend to lead to trouble
    • Avoid vendors who haven’t had their security independently audited
    • Avoid vendors who don’t have a Bug Bounty program

In February 2023, GoDaddy reported a multi-year breach (the intruder was in their internal systems for years). Compromised in the breach (which was actually a combination of multiple breaches by the same bad actor, in March 2020, September 2021, and finally December 2022) were user credentials, customer websites (which were randomly being redirected to malware sites – to infect site visitors), GoDaddy employee credentials, and GoDaddy source code. Using our model from above, they failed in these ways:

  • An owner who doesn’t keep the security systems current or gets the budget system
  • Poor maintenance of the building
  • Poorly designed or implemented security procedures
  • Not regularly reviewed/audited by independent third parties

Knowing all of that – let’s discuss LastPass…

As you may know, they have had a major compromise, and we are actively recommending moving away. The breach was a long time coming, and the details have been slowly coming out. Here’s a rough chronology:

  • The first step in the wrong direction was LogMeIn’s purchase in October 2015. Before that, LastPass was actively being maintained and improved (and being reviewed by outside security researchers) – so all was well. After the purchase, marketing was turned up – but maintenance (and associated infrastructure) was falling behind. Additionally, correct deployment of security changes for the entire customer base was being ignored.
  • The LastPass founder and the real energy behind LastPass left LogMeIn in October 2017
  • LastPass was spun out of LogMeIn in December 2021. It appears ongoing maintenance took another hit here. So at this point, the approach seems to have been: marketing, maximizing income, and minimizing expenses. But when it comes to security on the Internet, at least keeping up is a requirement.
  • The criminals looking to compromise LastPass decided to focus on the Senior Developers, the only four people with the access they needed. They compromised one Senior Developer’s home computer (through a program already installed on it) to plant a key-logger, which recorded the keystrokes the Senior Developer used to connect to the company VPN. Once they had those credentials – they walked right into LastPass’ corporate network (this is an attack path we actively work to prevent when VPNs are set up as we recommend).
  • In August 2022, LastPass announced a compromise of a single account on their developer platform and explained that customer data was safe
  • In December 2022, LastPass announced another compromise (which used data from the first compromise) – but this time, encrypted customer data was taken from their backups.

Fortunately, in conversations with our clients using LastPass – all of them followed our advice about using long unique Master Passwords. Additionally, the “Password Iterations” (more on this in a moment) were set to the currently recommended 100100. This means that the passwords in the compromised data are safe (for the moment). But, unfortunately, LastPass chose not to encrypt support info (like website URLs). So, the compromise didn’t expose your passwords, but it did directly expose the website URLs that were in the password vaults.

[If you’re interested in more about “Password Iterations” in a non-technical way: If you were to write your Master Password on a sheet of paper and someone found it in the garbage, your password would be compromised. If you tore that piece of paper in half, their job would be a little harder. If you tore it up a second time (into four pieces), their job would be a little harder still. But if you tore it up 100100 times, you’d have nothing but extremely tiny pieces of confetti, making their job impossible. That’s “Password Iterations”.] LastPass left a large number of users (from before the October 2015 purchase) with a Password Iterations setting of 1. That was acceptable back in the early days of LastPass, but today it is woefully inadequate. They also were not enforcing strong passwords for older accounts. This means users with simple passwords and a low Password Iterations setting are VERY easy to pull out of the backup data. I fully expect these accounts have already been (or are actively being) compromised right now.
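To put a number on the confetti analogy, here is an added Python example (not code from the post or from LastPass) that derives a vault key with PBKDF2-HMAC-SHA256, the function whose iteration count the “Password Iterations” setting controls, and times one derivation at the legacy setting of 1 against the recommended 100100. The master password and salt are constructed sample values, and the `iterations_verdict` check is this example’s own, using the recommendation quoted above as its threshold.

```python
import hashlib
import time

# Constructed sample inputs; not real account data.
SAMPLE_MASTER_PASSWORD = "correct horse battery staple"
SAMPLE_SALT = b"constructed-per-account-salt"

RECOMMENDED_ITERATIONS = 100100  # the value the post cites as currently recommended
LEGACY_ITERATIONS = 1            # the setting older accounts were left with


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 32-byte vault key with PBKDF2-HMAC-SHA256.

    Each iteration is one more HMAC round that has to be repeated for every
    password guess, by the legitimate client and by anyone working offline on
    a stolen copy of the vault alike. That is the whole point of the setting.
    """
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def seconds_per_derivation(iterations: int, trials: int = 3) -> float:
    """Best-of-N wall-clock cost of a single derivation at this iteration count."""
    best = float("inf")
    for _ in range(trials):
        start = time.perf_counter()
        derive_vault_key(SAMPLE_MASTER_PASSWORD, SAMPLE_SALT, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def iterations_verdict(iterations: int) -> str:
    """Classify a vault's iteration setting against the recommendation (this example's check)."""
    return "ok" if iterations >= RECOMMENDED_ITERATIONS else "inadequate"


if __name__ == "__main__":
    legacy = seconds_per_derivation(LEGACY_ITERATIONS)
    recommended = seconds_per_derivation(RECOMMENDED_ITERATIONS)
    print(f"{LEGACY_ITERATIONS} iteration:       {legacy * 1e6:9.1f} us per guess -> {iterations_verdict(LEGACY_ITERATIONS)}")
    print(f"{RECOMMENDED_ITERATIONS} iterations: {recommended * 1e3:9.1f} ms per guess -> {iterations_verdict(RECOMMENDED_ITERATIONS)}")
    print(f"slowdown factor: ~{recommended / legacy:,.0f}x")
```

The slowdown factor printed on a typical machine is on the order of the iteration count itself: a vault left at 1 iteration gives an offline guesser roughly 100,000 times more guesses per second than one at 100100, which is why a weak master password combined with the legacy setting is the dangerous case the post describes.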

So, what now?

Well, let’s discuss where we need to be…

What we need in a password manager:

From a security perspective:

  • Has NO access to your data (under any circumstances)
  • Has ongoing independent 3rd party reviews
  • Has regularly scheduled independent security audits (shared transparently)
  • Supports high numbers for Password Iterations
  • Supports 2FA to confirm user login to the password manager
  • Hosting of cloud services via a major vendor
  • Applies additional Password Iterations to data stored on the cloud service
  • Uses additional encryption of the data at the hosting vendor
  • A Bug-Bounty program to reward independent security researchers for finding and responsibly disclosing issues
  • Compliant with: GDPR, CCPA, HIPAA, and SOC 3
  • Use of a memory-hard key derivation function (either Argon2 or scrypt) that is highly resistant to GPU attacks (trust me, you want this!)

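The last item in the list above deserves an illustration of why a memory-hard function resists GPU attacks where plain iteration counts do not. This is an added Python example, not code from the post or any vendor: it derives a key with scrypt from Python’s standard library, computes the working memory one evaluation needs (128 × r × N bytes, per RFC 7914), and from that how many guesses could be evaluated side by side on a device with a given amount of memory. The cost parameters and the 8 GiB device size are assumptions chosen for illustration; password and salt are constructed.

```python
import hashlib

# Constructed sample inputs; not real account data.
SAMPLE_MASTER_PASSWORD = "correct horse battery staple"
SAMPLE_SALT = b"constructed-salt-not-an-account"

# scrypt cost parameters assumed for illustration; a product picks its own.
SCRYPT_N = 2 ** 14  # CPU/memory cost, must be a power of two
SCRYPT_R = 8        # block size
SCRYPT_P = 1        # parallelism


def scrypt_memory_bytes(n: int = SCRYPT_N, r: int = SCRYPT_R) -> int:
    """Working memory one scrypt evaluation needs: 128 * r * N bytes (RFC 7914)."""
    return 128 * r * n


def max_parallel_guesses(device_memory_bytes: int, n: int = SCRYPT_N, r: int = SCRYPT_R) -> int:
    """How many scrypt evaluations fit in memory at once on a device of this size.

    With PBKDF2 the per-guess state is a few hash blocks, so memory never limits
    how many guesses a GPU runs in parallel. With scrypt each guess pins down
    128*r*N bytes, so parallelism is capped by memory, not by core count.
    """
    return device_memory_bytes // scrypt_memory_bytes(n, r)


def derive_vault_key_scrypt(master_password: str, salt: bytes) -> bytes:
    """Derive a 32-byte vault key with scrypt at the assumed cost parameters."""
    return hashlib.scrypt(
        master_password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        maxmem=2 * scrypt_memory_bytes(),  # headroom above the 128*r*N working set
        dklen=32,
    )


if __name__ == "__main__":
    gib = 2 ** 30
    print(f"memory per guess: {scrypt_memory_bytes() // 2**20} MiB")
    print(f"guesses in flight on an assumed 8 GiB card: {max_parallel_guesses(8 * gib)}")
    print(f"derived key: {derive_vault_key_scrypt(SAMPLE_MASTER_PASSWORD, SAMPLE_SALT).hex()}")
```

With these parameters each guess needs 16 MiB, so an assumed 8 GiB accelerator can hold only 512 guesses in memory at a time; raising N doubles that memory cost for every doubling, which is the lever a memory-hard function gives the defender that PBKDF2’s iteration count alone does not.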
From a management/feature perspective:

  • Ability to manage user accounts
  • Ability to share passwords to other users within your company (for shared credentials – like the company Amazon account)
  • A health feature to identify issues like using the same password for multiple sites
  • Ability to import LastPass info
  • Ability to use on desktop or mobile
  • The ability to easily manage employee transitions
  • Stops passwords from leaving the organization

Should I use a password manager at all? Absolutely yes!

Why…

The problems with the old-school ways:

  • Same password (or a couple of passwords, usually slight variations) for everything
    • If that password is compromised (for example, from the GoDaddy example above), it will be tested against lots of other sites (like financial, cell carriers, retail websites (for example Amazon), medical sites, PayPal, and Uber) to take over your life.
    • If someone in your life knows it and has a grudge, they could cause a lot of trouble
  • A paper sheet of passwords
    • Security for that sheet
    • What if the sheet is lost/damaged?
    • What if you are at home and the sheet is at work?
  • Excel/Word Doc
    • FYI – Adding a password to open the file makes little difference to someone who has tech skills (or Google) and wants to get in
    • If your machine is compromised with malware – that data is going to get out (and now you have more to worry about than if someone gets your paper with passwords on it – because that person could be anywhere)
    • What if you are at home and the sheet is on your computer at work?
  • Using the password manager that is built into the browser
    • Those passwords are available to any extension added to the browser – so if a bad extension is added, the entire password list is compromised.
    • If sync is not used: If the computer fails, or if you just move to another computer – the password list is lost.
    • If sync is used and the account used to sync is the user’s personal account: the user has full access to all the sites while at home, keeps that access if they leave the organization, and you won’t have it.

So, interested in a solution that will address all these things for your business? If so, drop us a line (https://www.partnersplus.com/contact-us/) and we’d love to discuss the solution we are standardizing on for our entire base. Looking forward to hearing from you!

About Partners Plus, Inc.

Managed IT Services That Do the Work for You

Partners Plus, Inc. began in 1991 as an outsourced IT department after working as the Director of Programming and a Consultant for six years. For 30+ years now, we have been 100% committed to ensuring small- and medium-sized business owners have the most reliable and professional virtual CIO in the Delaware Valley. Our dedicated team of professionals will solve your IT nightmares quickly and without confusion on your part.

Our customer-specific memberships deliver what you need without overstepping your budget boundaries. From cloud services and data backups to ransomware prevention and Dark Web monitoring, Partners Plus is here to work with you as your expert, dependable outsourced IT support and security company.

Partners Plus has locations and services in the following areas:

  • Managed IT Services in Philadelphia
  • Managed IT Services in Delaware
  • Managed IT Services in Malvern