Re: [Full-disclosure] Lastpass Security Issue

2011-05-06 Thread Liam Randall
Ryan,

The blog post indicates severe security lapses; for example:

Why did the Asterisk server have connectivity to the db?  If there was
some kind of mashup, I would expect it to have limited connectivity, but
I'm not aware of anything like that.

If these guys are in the business of security they need to go beyond
best practices; take PCI DSS, for example: one of the first steps is to
limit the Cardholder Data Environment.  Different routed and filtered
subnets with internal firewalls.  I've got a million other suggestions,
but w/o further research or information it would be just guessing.

Where there is smoke...

That being said, lapses happen all the time.  I think they are handling
it the right way and being over-cautious; no one wants to get the
notification of a compromise the other way.  I sincerely hope they use
this as an opportunity to review their entire security lifecycle.

Policy -- Procedure -- Control -- Audit -- Refinement

In a different regulatory environment they'd have to follow specific
security regimens and audit frequencies with statistically relevant
samples.

I'm sure the entire team over there is putting in 110%; good luck guys.

Liam

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Ryan
Sears
Sent: Thursday, May 05, 2011 6:39 AM
To: full-disclosure
Subject: [Full-disclosure] Lastpass Security Issue

Hey all,

Early this morning the folks over at LastPass decided to issue a warning
about a potential security issue based on the fact that they detected
some anomalies in their logs. 

http://blog.lastpass.com/2011/05/lastpass-security-notification.html

Basically the post outlines the fact that even though they've
investigated everything they can think of, they still noticed data
potentially being exfiltrated from one of their DBs, as more information
came out than was going in. Because of the fact they can't account for
the traffic from any legitimate source, they're being paranoid and
assuming the worst (that someone found a SQL injection presumably). 

Even though their passwords were all salted, they're still forcing
everyone to change their master password. Those using 2-factor are
relatively unaffected, although they have to change their master
passwords as well. 

This might leave some people who use lastpass in 'Re-enable account
hell', where they have their email password stored on lastpass, but
can't verify and login to lastpass without clicking an activation link
in their email. This can be solved by using one of the plugins in
offline mode with your old master password. I'm not sure why they didn't
mention it, but this has solved a lot of people's problems. 

All in all IMHO these guys take security quite seriously. They noticed
an anomaly, investigated and hours later posted something about it on
their blog. I'm not sure why no emails have been sent out, but there has
been speculation that it would have taken too long
(http://blog.lastpass.com/2011/05/lastpass-security-notification.html?showComment=1304571300013#c1232708813079521918),
which I don't really agree with. That should've been their first step
IMHO, and that's where they fell on their face a bit with all this.

They DO put impressive security measures into place when something does
happen though, as seen in the XSS bug found. They implemented HSTS,
X-Frame-Options, CSP, which I've only seen used in super rare cases:

http://blog.lastpass.com/2011/02/cross-site-scripting-vulnerability.html

They're also implementing PBKDF2, so that makes me feel as though with
every security issue they're dealing with they don't just identify and
remediate, but actually restructure their infrastructure in order to
hedge against any potential future attack vectors. I personally see this
as the best response of any company I've ever seen from a security
standpoint.

Thoughts?

Ryan

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

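Liam's two complaints above (a PBX that could reach the database at all, and the "more came out than went in" signal Ryan describes) both reduce to checks a defender can run over flow records. The following is an added example, not LastPass's code and not taken from the blog post; the log format, host names, the policy table and the 10x threshold are all assumptions made for illustration:

```python
"""Egress-ratio and segmentation checks over constructed flow records.

Added example, not LastPass code. The log format, host names, policy table
and the 10x threshold are all assumptions made for illustration.
"""
import re
import statistics
from collections import defaultdict

# Hypothetical segmentation policy: (src, dst, dst_port) triples that the
# internal firewall should permit. Everything else is a violation. Note the
# PBX (pbx01) has no entry for the database.
ALLOWED = {
    ("web01", "db01", 3306),
    ("web02", "db01", 3306),
    ("pbx01", "web01", 443),
}

# Constructed sample flow log. Fields: in = bytes the client sent to the
# server, out = bytes the server returned to the client.
SAMPLE_FLOWS = """\
2011-05-03T01:00:00Z src=web01 dst=db01 dport=3306 in=4200 out=61000
2011-05-03T01:00:05Z src=web02 dst=db01 dport=3306 in=3900 out=55000
2011-05-03T01:01:00Z src=pbx01 dst=web01 dport=443 in=800 out=2400
2011-05-03T01:02:00Z src=pbx01 dst=db01 dport=3306 in=600 out=48000000
2011-05-03T01:03:00Z src=web01 dst=db01 dport=3306 in=4100 out=59000
"""

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) in=(\d+) out=(\d+)")


def parse_flows(text):
    """Return a list of (src, dst, dport, bytes_in, bytes_out) tuples."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            src, dst, dport, nin, nout = m.groups()
            flows.append((src, dst, int(dport), int(nin), int(nout)))
    return flows


def policy_violations(flows, allowed=ALLOWED):
    """Flows whose (src, dst, dport) is not permitted by the policy table."""
    return [f for f in flows if (f[0], f[1], f[2]) not in allowed]


def egress_anomalies(flows, server, port, factor=10.0):
    """Clients of server:port that pulled far more data out than is normal.

    For each client, sum bytes in both directions and compute out/in. A
    client is flagged when its ratio exceeds `factor` times the median ratio
    across all clients, so the threshold is relative to the server's normal
    query/response shape rather than an absolute byte count.
    """
    totals = defaultdict(lambda: [0, 0])
    for src, dst, dport, nin, nout in flows:
        if dst == server and dport == port:
            totals[src][0] += nin
            totals[src][1] += nout
    if not totals:
        return []
    ratios = {c: (out / inn if inn else float("inf")) for c, (inn, out) in totals.items()}
    baseline = statistics.median(ratios.values())
    return sorted(c for c, r in ratios.items() if r > factor * baseline)


def run_checks(text=SAMPLE_FLOWS):
    """Convenience wrapper returning both findings for a flow log."""
    flows = parse_flows(text)
    return {
        "policy_violations": [(f[0], f[1], f[2]) for f in policy_violations(flows)],
        "egress_anomalies": egress_anomalies(flows, "db01", 3306),
    }


if __name__ == "__main__":
    print(run_checks())
```

The policy check is the cheap one: it needs no baseline and would have fired on the first PBX-to-database connection regardless of volume. The ratio check is what catches a host that is allowed to talk to the database but is suddenly draining it; it uses a relative threshold because a database's normal out/in ratio is already well above 1.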


Re: [Full-disclosure] Lastpass Security Issue

2011-05-05 Thread Benji
They've said nothing about what they're going to do to the server with said
anomaly. Wouldn't be happy until a full reinstall.

On Thu, May 5, 2011 at 11:39 AM, Ryan Sears rdse...@mtu.edu wrote:

 Hey all,

 Early this morning the folks over at LastPass decided to issue a warning
 about a potential security issue based on the fact that they detected some
 anomalies in their logs.


Re: [Full-disclosure] Lastpass Security Issue

2011-05-05 Thread Nick Boyce
On Thu, May 5, 2011 at 9:09 PM, Benji m...@b3nji.com wrote:

 They've said nothing about what they're going to do to the server
 with said anomaly. Wouldnt be happy until a full reinstall.

From http://blog.lastpass.com/2011/05/lastpass-security-notification.html :

  We're rebuilding the boxes in question and have shut down and
  moved services from them in the meantime. The source code
  running the website and plugins has been verified against our
  source code repositories, and we have further determined from
  offline snapshots and cryptographic hashes in the repository
  that there was no tampering with the repository itself

Is that what you meant?

Nick
--
Current Earth status:   NOT DESTROYED



Re: [Full-disclosure] Lastpass Security Issue

2011-05-05 Thread Benji
Sorry, completely missed that part. My bad.

On Thu, May 5, 2011 at 10:35 PM, Nick Boyce nick.bo...@gmail.com wrote:

 On Thu, May 5, 2011 at 9:09 PM, Benji m...@b3nji.com wrote:

  They've said nothing about what they're going to do to the server
  with said anomaly. Wouldnt be happy until a full reinstall.

 From http://blog.lastpass.com/2011/05/lastpass-security-notification.html:

  We're rebuilding the boxes in question and have shut down and
  moved services from them in the meantime. The source code
  running the website and plugins has been verified against our
  source code repositories, and we have further determined from
  offline snapshots and cryptographic hashes in the repository
  that there was no tampering with the repository itself

 Is that what you meant?


Re: [Full-disclosure] Lastpass Security Issue

2011-05-05 Thread Cal Leeming
+1 reason why people should never use centralized password / form storage
tbh.

On Thu, May 5, 2011 at 10:09 PM, Benji m...@b3nji.com wrote:

 They've said nothing about what they're going to do to the server with said
 anomaly. Wouldnt be happy until a full reinstall.

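Ryan's original post mentions that the passwords were salted and that PBKDF2 is being introduced; the point of the iteration count is that a dumped table only gives an attacker a per-guess cost he has to pay in full, and Cal's objection is exactly that a centralized store makes that dump the prize. The following is an added example of a salted, iterated master-password record with upgrade-on-login, not LastPass's implementation; the record format, iteration counts and function names are assumptions chosen for illustration:

```python
"""Salted, iterated master-password hashing with PBKDF2-HMAC-SHA256.

Added example, not LastPass code. The record format, iteration count and
the upgrade-on-login flow are assumptions chosen for illustration.
"""
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed current policy; raise over time
SALT_BYTES = 16
KEY_BYTES = 32


def derive_key(password, salt, iterations):
    """Key derived from password and salt; cost scales linearly with iterations."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )


def make_record(password, iterations=ITERATIONS, salt=None):
    """Storable record: algo$iterations$salt$key. This is all a DB dump yields."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    key = derive_key(password, salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    )


def _parse(record):
    algo, iterations, salt_b64, key_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record")
    return int(iterations), base64.b64decode(salt_b64), base64.b64decode(key_b64)


def verify(password, record):
    """Constant-time comparison of the freshly derived key against the stored one."""
    iterations, salt, stored = _parse(record)
    return hmac.compare_digest(derive_key(password, salt, iterations), stored)


def needs_rehash(record, target_iterations=ITERATIONS):
    """True when the stored record uses fewer iterations than current policy."""
    iterations, _, _ = _parse(record)
    return iterations < target_iterations


def login(password, record, target_iterations=ITERATIONS):
    """Verify, and if the record is below policy, return an upgraded one.

    The plaintext is only available at login, so this is the one moment a
    stored record can be moved to a stronger cost (and a fresh salt) without
    a forced reset. Returns (ok, record_to_store).
    """
    if not verify(password, record):
        return False, record
    if needs_rehash(record, target_iterations):
        return True, make_record(password, target_iterations)
    return True, record


if __name__ == "__main__":
    old = make_record("correct horse battery staple", iterations=5000)
    ok, new = login("correct horse battery staple", old)
    print(ok, needs_rehash(old), needs_rehash(new))
```

Two things to keep straight when reading a notice like the one in this thread: a salt stops precomputed tables and makes every account a separate cracking job, while the iteration count is what makes each guess expensive. A leaked table of salted single-pass hashes still falls quickly to weak master passwords, which is why a forced change is the right call even with salts in place.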