Simple Steps to be Cyber Secure in Maritime

Threat actors breached LastPass cloud storage and stole customer vault data


On 22 December, just before Christmas, LastPass notified its customers that attackers had gained unauthorized access to the LastPass cloud storage that holds customers' vault data. LastPass states that the breach was made possible using information gathered from the incident in August 2022.

The attackers were able to reach the LastPass cloud storage using a “cloud storage access key and dual storage container decryption keys” that had been stolen from the developer environment. With that access, the threat actor copied information from a backup containing basic customer account information and related metadata, including company names, end-user names, billing addresses, email addresses, telephone numbers and the IP addresses from which customers were accessing the LastPass service.

With this access to the cloud storage and the customer information, the threat actor was also able to copy customer vault data from the encrypted storage container. The vault is stored in a proprietary binary format that contains both unencrypted data, such as the website URL associated with each entry, and fully encrypted sensitive data, including usernames, passwords, secure notes and form-filled data.


Fortunately, the stolen vault data is protected with 256-bit encryption and can only be unlocked using a unique encryption key derived from each user's master password. LastPass CEO Karim Toubba states that customers' master passwords are never stored on LastPass systems and are not maintained by LastPass. Customers are therefore warned that attackers may attempt to brute-force their master password. Attackers will find this difficult and time-consuming if the customer has followed the password policy recommended by LastPass. Toubba states that “it would take millions of years to guess your master password using generally available password-cracking technology.”


The aftermath: the LastPass disclosure is torn apart by security experts

Following the public disclosure of the LastPass data breach, many cybersecurity experts have criticized the statement, pointing out that it is written to make people feel more secure, while the series of incidents in such a short span makes the password manager hard to trust.


A blog post by Wladimir Palant, a security researcher known for helping originally develop AdBlock Pro, criticizes the LastPass statement as “full of omission, half-truth and outright lies”. He accuses the company of trying to portray the August incident, in which LastPass claims "some source code and technical information were stolen," as a separate breach when, in fact, the company "failed to contain" that breach. Some of his criticisms center on how the company has framed the incident and how transparent it is being. He also draws attention to LastPass' admission that the compromised information included "the IP addresses from which customers were accessing the LastPass service," arguing that if LastPass was keeping track of every IP address used to access its service, the threat actor could "create a complete movement profile" of its users.

Palant also criticizes the company’s post for describing its password-strengthening algorithm, PBKDF2, as “stronger-than-typical.” The idea behind the standard is that it makes passwords harder to brute-force, since every guess requires a fixed number of iterated hash calculations. “I seriously wonder what LastPass considers typical,” writes Palant, “given that 100,000 PBKDF2 iterations are the lowest number I’ve seen in any current password manager.”

Another blog post, by Jeremi Gosney, explains his recommendation to move to another password manager. “LastPass’s claim of ‘zero knowledge’ is a bald-faced lie,” he says, alleging that the company has “about as much knowledge as a password manager can possibly get away with.” Since LastPass never sees your master password, the key that attackers would need to unlock the stolen vaults, it asserts that its "zero knowledge" architecture keeps customers protected. Gosney acknowledges this but argues that the statement is deceptive: “I think most people envision their vault as a sort of encrypted database where the entire file is protected, but no — with LastPass, your vault is a plaintext file and only a few select fields are encrypted.”


A sticking point is that LastPass has for years resisted requests to encrypt information such as URLs. Palant points out that attackers could target specific people if they know where those people have accounts: threat actors are interested in the information you have access to, and could craft carefully targeted phishing emails only for the individuals who would merit their time. Using the example of a password reset link that has not been properly expired, he also notes that URLs saved in LastPass may occasionally grant more access than the user intended.


LastPass’ post has even elicited a response from a competitor, 1Password. On Wednesday, the company’s principal security architect Jeffrey Goldberg published a post on its site titled “Not in a million years: It can take far less to crack a LastPass password.” In it, Goldberg calls LastPass’ claim that it would take a million years to crack a master password “highly misleading,” noting that the statistic appears to assume a 12-character, randomly generated password. “Passwords created by humans come nowhere near meeting that requirement,” he writes, adding that attackers can prioritize guesses based on how people construct passwords they can remember.

Although it is usually best to take a competitor's word with a grain of salt, Palant shares a similar sentiment in his blog. He asserts that cracking a typical password would take about 25 minutes on a single GPU, whereas guessing a password formed by rolling dice with the same hardware would take about 3 years. It should go without saying that a motivated attacker aiming to get into a given target's vault could use multiple GPUs, perhaps cutting the required time in half.

Goldberg goes on to explain how attackers can take advantage of available resources by giving an approximate cost breakdown of brute-forcing a password. He writes that "the “millions of years” claim is based on poor assumptions about guessing speed. As it happens we have estimated through a cracking competition that the cost of cracking passwords hashed with 100,000 rounds of PBKDF2-H256 is around six US dollars for every 2^32 guesses. (The difference between our 100,000 rounds of PBKDF2 and LastPass’s 100,100 rounds is so small that we can ignore it.) Because of how powers of 2 work, the cost of making 2^33 guesses would be 12 dollars, the cost of making 2^34 guesses would be 24 dollars. Ten billion guesses would cost about 100USD."
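As an added example (not code from the article or from 1Password), the arithmetic Goldberg quotes above can be turned into a small cost model: it takes his stated rate of about 6 USD per 2^32 guesses at 100,000 PBKDF2 iterations and assumes that cost scales linearly with the iteration count. The 95-character printable-ASCII alphabet for the 12-character case, the 7776-word diceware list, the 40-bit "human password" figure and the 600,000-iteration comparison are my own assumptions.

```python
import math

# Goldberg's quoted rate: about 6 USD per 2**32 guesses at 100,000 rounds.
USD_PER_2_32_GUESSES = 6.0
BASELINE_ITERATIONS = 100_000


def cost_for_guesses(guesses: float, iterations: int = BASELINE_ITERATIONS) -> float:
    """USD to compute `guesses` PBKDF2 guesses at the given iteration count.

    Assumption: each guess costs `iterations` HMAC rounds, so the cost grows
    linearly with the iteration count (an attacker pays for every round).
    """
    return USD_PER_2_32_GUESSES * (guesses / 2**32) * (iterations / BASELINE_ITERATIONS)


def expected_cost_to_crack(entropy_bits: float, iterations: int = BASELINE_ITERATIONS) -> float:
    """Expected USD to find a password chosen uniformly from 2**entropy_bits
    candidates: on average half of the space has to be searched."""
    return cost_for_guesses(2**entropy_bits / 2, iterations)


def random_password_entropy(length: int, alphabet_size: int = 95) -> float:
    """Entropy of `length` characters drawn uniformly from an alphabet
    (95 = printable ASCII, an assumption for Goldberg's 12-character case)."""
    return length * math.log2(alphabet_size)


def diceware_entropy(words: int, wordlist_size: int = 7776) -> float:
    """Entropy of a passphrase of `words` rolled from a 7776-word list (assumed)."""
    return words * math.log2(wordlist_size)


def compare_scenarios() -> dict:
    """Expected cracking cost for a few password types, at LastPass's
    ~100,000 rounds and at an assumed higher count of 600,000 rounds."""
    scenarios = {
        "12 random printable chars": random_password_entropy(12),
        "5 diceware words": diceware_entropy(5),
        "assumed human password (40 bits)": 40.0,  # constructed figure, not from the article
    }
    return {
        name: {rounds: expected_cost_to_crack(bits, rounds) for rounds in (100_000, 600_000)}
        for name, bits in scenarios.items()
    }


if __name__ == "__main__":
    for name, costs in compare_scenarios().items():
        print(f"{name:36s}" + "  ".join(f"@{r:,}: ${c:,.0f}" for r, c in costs.items()))
```

The comparison shows why Palant's iteration-count complaint matters: raising the round count multiplies the attacker's bill but cannot rescue a low-entropy password, whereas a 12-character random password is out of reach at either setting.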


One point on which multiple security experts, including Gosney and Palant, appear to agree is that this breach is not conclusive evidence that cloud-based password managers are a bad idea. This appears to be a response to those who promote the advantages of entirely offline password managers. That strategy does have obvious advantages: attackers will pay far more attention to a corporation holding millions of people's passwords than to a single person's computer, and data that is not stored in the cloud is much harder to reach.


Characteristics of a good and strong password


  • Is at least 12 characters long. The longer your password is, the better.
  • Uses uppercase and lowercase letters, numbers and special symbols. Passwords that consist of mixed characters are harder to crack.
  • Doesn't contain memorable keyboard paths.
  • Is unique for each account you have.


UPDATE

This article has been updated to include security experts' feedback from the THEVERGE.COM article discussing the aftermath of the LastPass disclosure. (29/12/2022)


About the Author

Ruben George