2022-12-29

The big LastPass data breach and what to do about it

You may not want to spend the time to read a post as long as this one and to carry out the actions suggested below, but if you're a LastPass user this breach is a big deal and deserves your full attention.  At the very least, read this post in its entirety so that you can decide what your risks are, how bad they are, and how much effort they are worth to mitigate.

What happened?

If you're a LastPass user, you'll want to be aware of a (recent?) major data breach that occurred sometime in the last four months, in which (probably all) customer vault data was stolen.  This is one of a (large and increasing) number of analyses of the breach available:

Note especially that the stolen data included not only your end-to-end encrypted (E2EE) vault (with the user ids, passwords, and notes for all of its entries) -- as you'd expect from any password manager breach -- but also a lot of unencrypted information for each user: 
  • company name
  • end-user name
  • billing address
  • email address (you probably want to assume that this is both the main email id and, if set up, the security email id)
  • telephone number
  • the number of iterations for PBKDF2 
  • the IP addresses from which the user has accessed the LastPass service (you probably want to assume that this is not only the last access but also history, for an unknown period of time)
  • the full URL stored in every entry in the vault
  • LastPass Authenticator seeds and phone numbers database, but only if you enabled the Cloud Backup option for LastPass Authenticator

The last two items above, and especially the last one, present special security and privacy risks.

You might want to also read the (very thin) LastPass notice itself:

LastPass hasn't stated how many customers were affected, so it's best to assume that it's "all", or at least that you have been affected.  But note that, according to this notice, if you are a Business customer that has implemented LastPass Federated Login Services, you are not affected by this breach.

What are the risks?

Before we get to what you can do, it's important to understand that as a LastPass user your vault is now out in the wild, and whether your LastPass account had 2FA enabled at the time of the breach makes no difference: 2FA protects logins to the LastPass service, not an encrypted copy of your vault that an attacker already holds.  Attackers will go to work to try to crack the data, and, depending on how strong your master password (MP) was at the time of the breach, your breached vault will be decrypted soon, later, or never.  And, separately, attackers now have a list of all the accounts in your vault, via the unencrypted URLs.  And they also have the other personal information listed above.

Nothing you do now can change this.  In particular, changing your current MP now or deleting your LastPass account now won't make any difference to the data that's already out there.  But there are still many actions you can take to mitigate the resulting risks, including changing weak or reused passwords on cloud accounts listed in your vault.

The risks that you face right now stem from at least these sources:
  • the LastPass breach itself,
  • weaknesses in your use of LastPass,
  • weaknesses in your use of cloud accounts and the Internet in general, and
  • weaknesses in LastPass's security and privacy.

What to do?

Based on the information released by LastPass and on others' analyses, and making some assumptions/guesses, this is my rough view of some mitigation actions you can take, beginning right away.  The order of these actions could be debated, but this will give you a good place to start from.  Ideally, though, you'd want to read some other analyses too, to help you decide what your risks are, how bad they are, and how much effort they are worth to mitigate.

Be (even more) on the lookout for phishing attempts, since attackers now have a list of all your accounts, together with your name, email address, phone number, and billing address; ensure you fully understand how phishing works and how you can reduce your risk; and become more cybersecurity aware and knowledgeable generally.

If the MP on your account (which is the one on your current vault) is weak (or reused), you're at an ongoing risk of attack from the Internet, so:

change your MP to a strong one (and don't use for it any password you've ever used before)

If you have TOTP 2FA on your LastPass account, then, based on LastPass's advice:

regenerate your TOTP authenticator's seed, as described here: Regenerate a key for the Google Authenticator in LastPass - LastPass Support -- but Authy is a better choice than Google Authenticator

but if you're using LastPass Authenticator to protect LastPass, move instead to a new TOTP authenticator app, e.g., Authy 

If you don't have 2FA on your LastPass account, you're again at an ongoing risk of attack from the Internet, so

turn on 2FA in your account; a good option for most people is TOTP 2FA, such as Authy -- LastPass Authenticator is not a good option  :)

If you use LastPass Authenticator, switch all accounts using it to a new authenticator app/service, such as Authy (the best option), Google Authenticator, or Microsoft Authenticator. 

This is mandatory (because of the breach) if you had LastPass Authenticator Cloud Backup enabled; if you didn't, it's still highly desirable.

Do not choose the authenticator built into your future new password manager (see below), because you want defense in depth.

If the MP on your breached vault was weak (or reused), your breached vault might be decrypted by an attacker, so:

for every important account in your breached vault that has a weak or reused password and either doesn't have 2FA enabled or (if you think the seeds might have been stolen) uses LastPass Authenticator:

change those passwords to strong and unique ones

(To find weak or reused passwords, use the Security Dashboard tool from inside your LastPass vault.  This of course searches only your current vault, not your breached vault.)  

The old Password Iterations setting on LastPass accounts was too low, so:

In your LastPass vault > Account Settings > Show Advanced Settings > Password Iterations, change the value to 600,000.  (It's a good idea to first do a vault export as a backup just in case something goes wrong with the vault re-encryption that this change will trigger.)  Note that this only hardens your current vault: the stolen copy stays encrypted under whatever iteration count you had at the time of the breach, which is why a strong MP matters more than this setting.
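As an added worked example (not code from the original post or from LastPass), here is a small Python script showing why the iteration count matters and why it is no substitute for a strong MP.  It assumes the publicly described LastPass scheme -- PBKDF2-HMAC-SHA256 with the lower-cased account email as the salt and the Password Iterations setting as the count -- and uses 5,000 and 100,100 as stand-ins for older default counts; the email, master password and wordlist are constructed for the demo.

```python
import hashlib
import hmac
import time

# Constructed demo values, not real credentials.
EMAIL = "alice@example.com"
MASTER_PASSWORD = "summer2020"   # deliberately weak for the demo
OLD_ITERATIONS = 5_000            # stand-in for an old default count (assumed)
MID_ITERATIONS = 100_100          # stand-in for a later default count (assumed)
NEW_ITERATIONS = 600_000          # the value recommended above

# Tiny constructed wordlist; real attacks use billions of guesses.
WORDLIST = ["password", "letmein", "kelowna1", "Summer2019", "summer2020", "hunter2"]


def vault_key(email: str, master_password: str, iterations: int) -> bytes:
    """Derive a 256-bit vault key: PBKDF2-HMAC-SHA256, lower-cased email as salt.
    This mirrors the LastPass scheme as publicly described (assumed, not verified
    against LastPass's own code)."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def relative_cost(old_iterations: int, new_iterations: int) -> float:
    """How many times more work each guess costs an attacker after the change."""
    return new_iterations / old_iterations


def crack(email: str, target_key: bytes, iterations: int, candidates):
    """Simulate an offline guessing attack against a stolen vault.

    A real attacker has no key to compare against; they derive a key from each
    guess and try to decrypt a vault field, checking for valid padding and
    plaintext.  That check costs about the same as the comparison used here,
    so the PBKDF2 work per guess dominates either way.
    Returns (matching_guess_or_None, guesses_tried).
    """
    tried = 0
    for guess in candidates:
        tried += 1
        if hmac.compare_digest(vault_key(email, guess, iterations), target_key):
            return guess, tried
    return None, tried


def demo() -> dict:
    results = {}
    for iterations in (OLD_ITERATIONS, MID_ITERATIONS, NEW_ITERATIONS):
        target = vault_key(EMAIL, MASTER_PASSWORD, iterations)
        start = time.perf_counter()
        found, tried = crack(EMAIL, target, iterations, WORDLIST)
        elapsed = time.perf_counter() - start
        results[iterations] = (found, tried, elapsed)
        print(f"{iterations:>7} iterations: cracked {found!r} after {tried} guesses "
              f"in {elapsed:.2f}s ({elapsed / tried * 1000:.1f} ms per guess)")
    print(f"Raising {OLD_ITERATIONS} -> {NEW_ITERATIONS} iterations multiplies the "
          f"attacker's work per guess by {relative_cost(OLD_ITERATIONS, NEW_ITERATIONS):.0f}x; "
          "a master password that is in the wordlist is still found, just more slowly.")
    return results


if __name__ == "__main__":
    demo()
```

Run it and compare the milliseconds per guess at each count: raising the count multiplies the attacker's work per guess linearly (120x from 5,000 to 600,000), but a master password that appears in a wordlist is found after the same handful of guesses whatever the count.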

Because all the URLs in your vault were included in the breach, for every important account in your breached vault -- unless you've deleted the account since the breach -- review the URL: it might contain something it shouldn't, like a token or password.  If it does, you might want to change the password on the account.  You can't know what exactly was in your vault at the time of the breach, so the best you can do is review your current vault.  (Added 2023-01-03)

For every important account in your current vault (attackers now have a list of these accounts, from the URLs in your breached vault) that has a weak or reused password, an attacker might be able to guess the password, or find it in another site's breach and try it there, so:

change those passwords to strong and unique ones

Note that 2FA does provide additional protection, but never rely on it to save you from a weak password.
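The URL review and the reused-password check above can both be done over a vault export.  The following Python script is an added example, not a LastPass tool: it assumes the CSV export has the column layout url,username,password,totp,extra,name,grouping,fav (check it against your own export), treats http://sn as the placeholder URL of a secure note (an assumed convention), and runs over a constructed sample export embedded in the script.  Keep any real export on an encrypted disk and delete it when done.

```python
import csv
import io
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Column layout assumed to match a LastPass CSV export; check it against your own file.
EXPECTED_COLUMNS = ["url", "username", "password", "totp", "extra", "name", "grouping", "fav"]
SECURE_NOTE_URL = "http://sn"  # placeholder URL used for secure notes (assumed convention)
SECRET_PARAM_NAMES = {
    "token", "access_token", "refresh_token", "auth", "key", "apikey", "api_key",
    "password", "pass", "pwd", "secret", "session", "sessionid", "sid", "sig",
    "signature", "code", "otp",
}
# A long URL-safe string containing at least four digits: hex/base64-ish tokens,
# but not ordinary words such as "documentation-overview".
RANDOM_BLOB = re.compile(r"^(?=(?:.*\d){4})[A-Za-z0-9_\-=%]{20,}$")


def parse_vault(csv_text: str) -> list:
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames != EXPECTED_COLUMNS:
        raise ValueError(f"unexpected columns: {reader.fieldnames}")
    return list(reader)


def url_findings(url: str) -> list:
    """Reasons a stored URL might itself contain something secret."""
    findings = []
    if not url or url == SECURE_NOTE_URL:
        return findings
    parts = urlsplit(url)
    if parts.username or parts.password:
        findings.append("credentials embedded in the URL (user:pass@host)")
    # Secrets show up in query strings and, for OAuth-style flows, in fragments.
    for where, qs in (("query", parts.query), ("fragment", parts.fragment)):
        for name, value in parse_qsl(qs, keep_blank_values=True):
            if name.lower() in SECRET_PARAM_NAMES:
                findings.append(f"{where} parameter '{name}' has a secret-like name")
            elif RANDOM_BLOB.match(value):
                findings.append(f"{where} parameter '{name}' carries a long random-looking value")
    # Reset/invite links often carry the token as a path segment.
    for segment in parts.path.split("/"):
        if RANDOM_BLOB.match(segment):
            findings.append(f"path segment '{segment[:8]}...' looks like a token")
    return findings


def reused_passwords(entries: list) -> dict:
    """Map each password shared by more than one entry to those entries' names."""
    by_password = defaultdict(list)
    for e in entries:
        if e["password"]:
            by_password[e["password"]].append(e["name"] or e["url"])
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


def audit(csv_text: str) -> dict:
    entries = parse_vault(csv_text)
    url_report = {}
    for e in entries:
        found = url_findings(e["url"])
        if found:
            url_report[e["name"] or e["url"]] = found
    return {"url": url_report, "reused": reused_passwords(entries)}


# Constructed sample export; none of these are real accounts or credentials.
SAMPLE_EXPORT = """\
url,username,password,totp,extra,name,grouping,fav
https://mail.example.com/login,alice@example.com,Tr0ub4dor&3,,,Mail,,0
https://shop.example.net/,alice@example.com,Tr0ub4dor&3,,,Shop,,0
https://app.example.org/reset?token=9f8e7d6c5b4a39281706f5e4d3c2b1a0,alice,K!9vz.Qw2#mLp8$rTe6,,,App reset link,,0
https://bank.example.com/,alice,x7!QvL0p&Zc3mW9#ujRa,,,Bank,,1
http://sn,,,,Wi-Fi: cafe-guest / 1234,Cafe note,,0
"""

if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_EXPORT), indent=2))
```

On the sample the script flags the reset link (a "token" query parameter) and reports that Mail and Shop share a password; the secure note and the bank entry produce nothing.  A URL finding means the account's token or password may already be in the attacker's hands, so treat it like a reused password and rotate it.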

Turn on 2FA for all your accounts that support it, using your new authenticator app/service

Register all your email addresses with the Have I Been Pwned service; it will notify you if any of those addresses is part of a future data breach. 

Have I Been Pwned: Check if your email has been compromised in a data breach

Switch to a new password manager, such as Bitwarden (free/paid) or 1Password (paid)

(Note that there's no particular urgency to move off LastPass, as long as you've completed the actions above.)

N.B. The LastPass breach does not mean that password managers, or even cloud-based password managers, are a bad idea: properly used, they are the best mix of security and convenience for managing your ever-growing set of account credentials.  (Passwords themselves, though, are inherently insecure, but a much better replacement is slowly being introduced, viz. Passkeys.)  Yes, Bitwarden and 1Password could be hacked just as happened with LastPass.  Your protection -- for LastPass, Bitwarden, 1Password, and any other Zero Knowledge / end-to-end encrypted (E2EE) service -- is a strong master password. 

Don't use your LastPass MP -- either the current one or the one on your breached vault -- for your new password manager!  You need to choose a new MP.

Bitwarden and 1Password are highly regarded, are likely better at disclosure of security and privacy breaches, appear to have better security (including internal processes) and encryption, encrypt the URLs in the vault, and have regular third-party audits done.  1Password has a stronger encryption key scheme, viz. its Secret Key.  Bitwarden is open source.

1Password's Secret Key is a 128-bit random value (shown as a 34-character string) that is combined with your master password, behind the scenes, when your vault keys are derived.  It is stored only on your own devices, never on 1Password's servers, so a copy of the server-side data alone is not enough to mount an offline attack on your master password.  This provides some additional protection for server-side breaches such as the one that happened to LastPass.

The process is relatively simple: export your LastPass vault then import that data into your new password manager.  File attachments don't export with the vault so need to be separately dealt with.  

When you're certain that you've moved all your vault data over, delete your LastPass account.  If you use LastPass Authenticator, switch all remaining accounts using it to your new authenticator app/service before deleting the account.

For every account in your new password manager vault that has a weak or reused password (at this point only less important accounts should remain), unless it's truly unimportant:

change those passwords to strong and unique ones

What's weak vs. strong?

It's complicated!  You could do some reading starting from this Google search:

"strong password" "weak password" "entropy" - Google Search

Weak and strong are not black and white, and there are many different views on the subject, but you could start with these very, very, very rough ideas -- just my guesses -- about whether a password is "weak" or "strong".  There are of course many possible caveats, special cases, and exceptions.  Tweak these ideas as you see fit.

For regular cloud account passwords, weak could mean, at a bare minimum:

the password looks reasonably random (and with at least 3 of lower case, upper case, digits, and symbols) but is less than 12 characters long, or

the password does not look reasonably random and is less than 15 characters long

For your password manager MP, which is protecting information of higher sensitivity than your other cloud accounts, weak could mean, at a bare minimum:

the password looks reasonably random (and with at least 3 of lower case, upper case, digits, and symbols) but is less than 17 characters long, or

the password does not look reasonably random and is less than 20 characters long

How to create a strong password or MP? 

The above is for the case where you are evaluating the strength of an existing password in order to decide whether to change it.  But when you are creating a new password, you probably want it to be much stronger than the above:

For regular cloud accounts, simply use the password generator built into your password manager: have it generate a random password using all 4 of lower case, upper case, digits, and symbols, and of length, say, 30 characters.  Choosing a randomly-generated password of that length essentially guarantees that it is unique, i.e., not reused.

For your new password manager MP, you need something strong enough but also very memorable, which can be a challenge.  Here is my favorite algorithm: make up a long story you won't forget (maybe something that happened to you, that you did, that you want to do, etc.), add some punctuation, take the first letter of each word, and do some substitutions of several of those letters into digits and symbols.  This should give you an MP that is long and looks reasonably random, but which you won't forget (after a bit of practice).  I suggest 20 characters as a bare minimum, but more is better, and the more random it looks, the better too.  Try to use uncommon letters and uncommon symbols (rather than the most common punctuation).

(This algorithm is derived from: Essays: Passwords Are Not Broken, but How We Choose them Sure Is - Schneier on Security, 2008)
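To make the thresholds and the story algorithm above concrete, here is an added Python example; it is not the post's own code nor Schneier's.  The "looks reasonably random" test is a rough heuristic chosen for the example -- at least 3 character classes, no run of 4 or more characters from one class, no common fragment -- and the story, substitution table and common-fragment list are constructed for the demo.

```python
import math
import secrets
import string

LOWER, UPPER, DIGIT, SYMBOL = "lower", "upper", "digit", "symbol"
CLASS_SIZES = {LOWER: 26, UPPER: 26, DIGIT: 10, SYMBOL: len(string.punctuation)}
# Constructed list for the demo; a real check would use a large common-password dictionary.
COMMON_FRAGMENTS = ("password", "qwerty", "letmein", "welcome", "admin", "summer", "winter", "1234")


def char_class(c: str) -> str:
    if c in string.ascii_lowercase:
        return LOWER
    if c in string.ascii_uppercase:
        return UPPER
    if c in string.digits:
        return DIGIT
    return SYMBOL  # punctuation, space, non-ASCII: all counted as "symbol"


def longest_same_class_run(pw: str) -> int:
    best = run = 0
    prev = None
    for c in pw:
        k = char_class(c)
        run = run + 1 if k == prev else 1
        prev = k
        best = max(best, run)
    return best


def looks_reasonably_random(pw: str) -> bool:
    """Heuristic stand-in for the post's 'looks reasonably random'."""
    classes = {char_class(c) for c in pw}
    lowered = pw.lower()
    return (len(classes) >= 3
            and longest_same_class_run(pw) < 4
            and not any(frag in lowered for frag in COMMON_FRAGMENTS))


def is_weak(pw: str, master: bool = False) -> bool:
    """The post's bare-minimum thresholds: regular account 12 (random) / 15 (not random),
    master password 17 (random) / 20 (not random)."""
    random_min, plain_min = (17, 20) if master else (12, 15)
    return len(pw) < (random_min if looks_reasonably_random(pw) else plain_min)


def entropy_bits(pw: str) -> float:
    """Upper-bound estimate: length * log2(size of the character classes present).
    Only meaningful for randomly generated passwords; a story-derived MP has far less."""
    size = sum(CLASS_SIZES[k] for k in {char_class(c) for c in pw})
    return len(pw) * math.log2(size)


def generate_password(length: int = 30) -> str:
    """Random password using all four classes, as suggested above for regular accounts."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if {char_class(c) for c in pw} == {LOWER, UPPER, DIGIT, SYMBOL}:
            return pw


# Constructed story and substitution table for the demo; choose your own.
STORY = ("My first bike, a red Raleigh, was stolen outside the old Kelowna library "
         "in nineteen eighty-four, twice!")
SUBSTITUTIONS = str.maketrans({"a": "@", "i": "1", "o": "0", "s": "$"})


def story_to_mp(story: str, substitutions=SUBSTITUTIONS) -> str:
    """The post's algorithm: first letter of each word, keeping any trailing
    punctuation, then swap some letters for digits and symbols."""
    parts = []
    for word in story.split():
        trailing = word[-1] if len(word) > 1 and word[-1] in string.punctuation else ""
        parts.append(word[0] + trailing)
    return "".join(parts).translate(substitutions)


if __name__ == "__main__":
    for pw in ("Password123!", "Tr0ub4dor&3", story_to_mp(STORY), generate_password()):
        print(f"{pw!r}: len={len(pw)}, random={looks_reasonably_random(pw)}, "
              f"weak(account)={is_weak(pw)}, weak(MP)={is_weak(pw, master=True)}, "
              f"~{entropy_bits(pw):.0f} bits if truly random")
```

The demo story yields a 21-character MP that passes the MP threshold, while "Tr0ub4dor&3" (11 characters) is weak even for a regular account.  Note that the entropy figure is only honest for the generated password: a story-derived MP is far more guessable than its length suggests, which is exactly why the post asks for 20 characters and more rather than the 17 a truly random string would need.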

Misc. Notes

There's a nice timeline of the breach here: LastPass Hacked – What Now? - Security Boulevard

---

Updates

2023-02-28: Updated text related to LastPass Authenticator to reflect new information from LastPass that the seeds and phone numbers database was part of the breach, and that LastPass recommends regenerating a TOTP seed protecting the LastPass service itself.

2022-12-20

Cybersecurity tip of the month (or so) - Kelowna Slack compendium #1

This is a listing of my posts on cybersecurity (and privacy) to the Kelowna (Tech) and/or Built in Kamloops Slack workspaces, starting June 2021, when I started keeping track of my posts.  My posts to these two workspaces were headed with "Cybersecurity tip of the week (or so)".  I'm logging my posts here because all posts disappear very quickly in Slack free workspaces.

 

2022-12-20

https://www.theglobeandmail.com/business/adv/article-ransomware-attacks-target-more-than-4-in-5-canadian-businesses/

A great article on the 2022 TELUS Canadian Ransomware Study.  Juicy tidbits:

  • 83% of Canadian businesses reported attempted ransomware attacks and 67% have experienced one.
  • The average ransom paid by Canadian organizations is $140,000. However, the real cost of a ransomware breach can be much higher.
  • "The data shows that while the ransom payment often gets a lot of attention, it accounts for only 16% of the direct costs of an attack. The total costs can exceed $1 million, which includes downtime for the company, the cost of mitigation and recovery, and regulatory fines."
  • Of those [organizations] that paid the ransom, only 42% told the TELUS survey that they had their data fully restored.

 

2022-11-30

If your org hasn't standardized on a password manager, hasn't issued it to all employees, and/or hasn't required its proper use (and the proper use of credentials) in the org's information security policy(ies), you absolutely should.

Here is a good article explaining why and how.  (And Bitwarden is widely regarded as an excellent choice for a password manager.)

Why your remaining IT budget should be used on a company password manager | Bitwarden Blog

 

2022-11-06

This month's tip is actually an event: a free talk I'm doing at ORL Kelowna downtown at lunch time on November 9 (this Wednesday).

ORL's event page: Cybersecurity Essentials for Small Businesses and Professionals, https://orl.evanced.info/signup/EventDetails?EventId=67626

It's a dangerous (cyber) world! Join cybersecurity consultant Garland Sharratt for an hour-long lunchtime talk covering the most common security threats faced by businesses and how to protect against them.

Among the mitigation topics covered will be passwords, two-factor authentication, email and cellular, cloud services, websites, remote work, devices, user awareness, training, and finally, considerations for larger organizations.

 

2022-10-03

October is Cybersecurity Awareness Month!  Phishing is one of the top risks for most small and medium businesses, and the GOC has a page with resources on fighting it:  October is Cyber Security Awareness Month in Canada - Get Cyber Safe

 

2022-08-30

Only one in 10 worried about cyber attacks and that's a concern | National Post

This is probably because, it's been shown many times, most people think they are above average intelligence (which is statistically impossible).

If your employees fit the description in this article, despite the high level of cybersecurity risk today, you'll have to work hard to ensure they are properly trained in security awareness, e.g., how to detect phishing and other attacks.  And as a manager/owner you need to make sure you give your employees the right tools, such as a password manager (e.g., Bitwarden, 1Password, LastPass) and, at a minimum, a TOTP 2FA authenticator app like Authy.

Or maybe there's no need to worry at all: "almost half [of business owners] said they were not concerned because they think their company isn’t an attractive threat to cyber criminals."  Don't believe it!

 

2022-08-11

If a security-minded organization like Twilio (you might know them for their excellent Authy 2FA authenticator) can be breached by phishing, your organization can be too.  Make sure your employee security awareness training program is very strong.  A slide deck or video once a year is not enough.

Twilio hacked by phishing campaign targeting internet companies | TechCrunch

According to the company, the as-yet-unidentified threat actor convinced multiple Twilio employees into handing over their credentials, which allowed access to the company’s internal systems. It

The attack used SMS phishing messages that purported to come from Twilio’s IT department, suggesting that the employees’ password had expired or that their schedule had changed, and advised the target to log in using a spoofed web address that the attacker controls.

Twilio said that the attackers sent these messages to look legitimate, including words such as “Okta” and “SSO,” referring to single sign-on, which many companies use to secure access to their internal apps.

 

2022-06-03

Privacy and security are quite related, but unlike security, privacy is a legal requirement.  So it pays to pay attention to privacy compliance and privacy incident response.  This article (by a vendor) has a nice checklist that all organizations should consider:

https://www.radarfirst.com/blog/a-12-step-program-for-privacy-incident-response-planning/

 

2022-05-05

Today is World Password Day!

  • It's a reminder that all your passwords (except for a few exceptions like device passwords/PINs) should be strong: random, long (a minimum of ~15 characters, but why not choose 30), and unique (i.e., no password ever used for more than one account).  This may sound hard to do but it's easy with a password manager (e.g., Bitwarden, 1Password, LastPass).
  • To go along with strong passwords you should enable two-factor authentication (2FA) on all your accounts that support it.  For most users the TOTP type of 2FA (e.g., Authy, Google Authenticator) is a good balance of security and usability; use the SMS type of 2FA only if there is no other type available.
  • If you do nothing else, make sure your primary email account follows the above guidelines: if an attacker can take over that account, they can take over most of your other accounts by doing a password reset on them.
  • For larger organizations, Single Sign-On (SSO) is a nice way to get rid of most passwords for users.

 

2022-03-29

The Office of the Chief Information Officer (OCIO) of the Province of British Columbia publishes a nice weekly Security News Digest.  It's a quick read and a great way to learn more about cybersecurity and the threats facing BC businesses.

You can use this link to subscribe:  mailto:OCIOSecurity@gov.bc.ca?subject=Security%20News%20Digest%20Subscription%20Request

 

2022-03-05

https://montreal.ctvnews.ca/a-quarter-of-canadian-companies-have-been-victims-of-a-cyber-attack-in-2021-survey-1.5770718

  • "A quarter of Canadian businesses say they have already been the victim of a cyber attack in 2021"
  • "more than half (56 per cent) of Canadian organizations targeted by malware have paid the money demanded by cybercriminals"
  • "surprised that only 40 per cent of respondents plan to train their employees in [prevention]"

Good cybersecurity hygiene measures would prevent most cybersecurity attacks.

 

2022-02-12

https://threatpost.com/sharp-sim-swapping-spike-losses/178358/

If you have a mobile phone and use SMS (text messaging) for authentication or two-factor authentication (2FA) -- and everyone does -- I recommend this great article on SIM swapping attacks.

I'll add these protections you should implement that are not mentioned in the article:

1. Put a strong, unique password on your cellular account login.  (The article mentions "variation of unique passwords" but that's not secure.)

2. Call up your cellular carrier and tell them you want to place a special password on your account to block malicious porting (= SIM swapping) of your phone number.

3. Put a PIN on your phone's SIM card.  (You do this from your phone.  This is actually to protect you in case your phone gets stolen, not to prevent SIM swapping.  The effect of a stolen phone is essentially the same as that of SIM swapping: your accounts that use SMS for authentication can get taken over.)

4. As for all passwords/PINs you have, make sure you store the three passwords/PINs above in your cloud-based password manager, and make sure you can access your password manager from all of your devices.

 

2022-01-24:

This is actually a request, not a tip like usual. Over the last three years I've been doing lots of talks about cybersecurity and information security, almost one every two months -- and it's time for another one.

So if you're an SMB, my request is: What would you like to learn about? I often speak about the basics such as passwords, password managers, two-factor authentication, data backups, device hardening, and user awareness. But maybe there's something more advanced that you'd like to hear about?

If so, please DM me here.

 

2022-01-04:

This Security Planning tool from Consumer Reports is a great way to easily work on improving your cybersecurity over time:

https://securityplanner.consumerreports.org/

 

2021-12-07:

If you're looking for a Xmas gift to help friends and family with cybersecurity:

https://www.troyhunt.com/a-password-manager-isnt-just-for-christmas-its-for-life-so-heres-50-percent-off/

There's a 50%-off link in the article for 1Password Families.  1Password is probably the best password manager on the planet, and it's Canadian.

 

2021-12-02

This is a good high-level view (and a quick read) of how to secure your business:

Being prepared for the storm: maintaining a proactive cybersecurity strategy | LinkedIn

Highlights:

1. Understand the cyber threat landscape of your business

2. Conduct a comprehensive risk assessment -- and implied is: implement mitigations for the highest risks

3. Train employees to detect potential threats

4. Evaluate and test cyber incident response plan

 

2021-11-03

https://bitwarden.com/blog/7-tips-to-protect-your-bitwarden-account/

This is a great article that applies to any password manager (PM).  If you've implemented a password manager for you or your org, there is more to do!  Here are some additional suggestions that build on the article:

  • Treat as a crown jewel the email account that owns your PM account and all your other cloud accounts.  If baddies can take over that account, they can take over almost all your accounts by doing password resets.
  • You have to properly use a PM to get the value: it's not enough to just have a PM account and store your logins in it.  For starters, for your important accounts, change their passwords to long random strings, and use the PM to autofill your credentials into web login pages; that will make you very resistant to phishing.
  • Two-factor authentication (2FA) is critical for your important accounts, including your PM and email accounts.  Authy is an excellent 2FA authenticator app/service.
  • Backing up your vault is a great idea, but be aware that if you're on a Windows PC, your main drive is not encrypted unless you have enabled BitLocker (or the Device Encryption found on Microsoft Surface-type devices); so you'll need to store your PM vault export somewhere else.

If you or your org haven't yet implemented a PM, it's usually the very first thing to do (along with 2FA) to improve your cybersecurity.  Three excellent PMs to consider are Bitwarden, 1Password, and LastPass.  Check out their business tiers if your org is multi-person.

 

2021-10-15

Information security tip of the month (or so):

For many organizations the plague has resulted in employees joining and leaving more frequently.  This article is a good reminder that departing employees can be a security risk and tells you how to reduce the risk.

https://www.welivesecurity.com/2021/10/14/employee-offboarding-companies-close-crucial-gap-security/

 

2021-09-14

A good overview of the security risks when employees leave the organization, especially when the offboarding process is weak:

https://www.csoonline.com/article/3631491/proofpoint-lawsuits-underscore-risk-of-employee-offboarding.amp.html

 

2021-08-14:

If you think that ransomware is just about malicious data encryption in place and that you can mitigate a ransomware attack by backing up your data, think again:

https://www.techrepublic.com/article/ransomware-demands-and-payments-reach-new-highs/

Criminals now typically use as many as four different techniques to squeeze victims into paying the ransom.

1. Encryption…

2. Release of data…

3. Denial of service attacks…

4. Harassment… the attackers contact customers, business partners, employees and news media to alert them to the attack, thus embarrassing the victim.

 

2021-06-14:

If ransomware worries you, and it probably should, this is a nice list of actions to take. It's aimed at critical infrastructure providers, but the Short-Term list applies well to any business.

https://tcblog.protiviti.com/2021/05/18/ransomware-crisis-11-actions-to-secure-critical-infrastructure/

One thing missing is security awareness training for all employees, execs, directors, etc.  I'd put this close to the top.

 

2021-06-04:

You’ve likely heard that passwords need to be strong and unique across your accounts, but you may not fully understand why. This excellent post will tell you everything you need to know.

https://nakedsecurity.sophos.com/2021/06/04/how-to-hack-into-5500-accounts-just-using-credential-stuffing/