Re: [Full-disclosure] Lastpass Security Issue



+1 reason why people should never use centralized password / form storage
tbh.

On Thu, May 5, 2011 at 10:09 PM, Benji <me@xxxxxxxxx> wrote:

They've said nothing about what they're going to do to the server with said
anomaly. Wouldn't be happy until a full reinstall.

On Thu, May 5, 2011 at 11:39 AM, Ryan Sears <rdsears@xxxxxxx> wrote:

Hey all,

Early this morning the folks over at LastPass decided to issue a warning
about a potential security issue based on the fact that they detected some
anomalies in their logs.

http://blog.lastpass.com/2011/05/lastpass-security-notification.html

Basically the post outlines the fact that even though they've investigated
everything they can think of, they still noticed data potentially being
exfiltrated from one of their DBs, as more information came out than was
going in. Because of the fact they can't account for the traffic from any
legitimate source, they're being paranoid and assuming the worst (that
someone found a SQL injection presumably).

Even though their passwords were all salted, they're still forcing
everyone to change their master password. Those using 2-factor are
relatively unaffected, although they have to change their master passwords
as well.

This might leave some people who use lastpass in 'Re-enable account hell',
where they have their email password stored on lastpass, but can't verify
and login to lastpass without clicking an activation link in their email.
This can be solved by using one of the plugins in offline mode with your old
master password. I'm not sure why they didn't mention it, but this has
solved a lot of people's problems.

All in all IMHO these guys take security quite seriously. They noticed an
anomaly, investigated and hours later posted something about it on their
blog. I'm not sure why no emails have been sent out, but there has been
speculation that it would have taken too long
(http://blog.lastpass.com/2011/05/lastpass-security-notification.html?showComment=1304571300013#c1232708813079521918),
which I don't really agree with. That should've been their first step IMHO,
and that's where they fell on their face a bit with all this.

They DO put impressive security measures into place when something does
happen though, as seen in the XSS bug found. They implemented HSTS,
X-Frame-Options, CSP, which I've only seen used in super rare cases:

http://blog.lastpass.com/2011/02/cross-site-scripting-vulnerability.html

They're also implementing PBKDF2, so that makes me feel as though with
every security issue they're dealing with they don't just identify and
remediate, but actually restructure their infrastructure in order to hedge
against any potential future attack vectors. I personally see this as the
best response of any company I've ever seen from a security standpoint.

Thoughts?

Ryan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



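Ryan's message mentions that the stored password hashes were salted and that LastPass was moving to PBKDF2. The block below is an added example, not code from this thread or from LastPass, showing why that move matters once a hash table is suspected of having been exfiltrated: a single salted hash costs one SHA-256 per guess, while PBKDF2 charges a configurable number of HMAC iterations per guess. The iteration count, salt length, record layout and function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

# Assumed value for the example; the thread does not state LastPass's
# actual iteration count or hash function.
PBKDF2_ITERATIONS = 100_000


def salted_sha256(password: str, salt: bytes) -> bytes:
    """Single salted hash: one SHA-256 per guess, so whoever holds an
    exfiltrated copy of the table can test guesses at hardware speed."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def pbkdf2_sha256(password: str, salt: bytes,
                  iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: same salt, but each guess now costs
    `iterations` HMAC computations instead of one hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=32)


def store(password: str) -> dict:
    """Per-user record a server would keep (constructed layout)."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS,
            "hash": pbkdf2_sha256(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt/iterations; constant-time compare
    so the check itself does not leak how many bytes matched."""
    got = pbkdf2_sha256(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(got, record["hash"])


def guess_cost_ratio(guesses: int = 20) -> float:
    """Measured per-guess cost of PBKDF2 relative to one salted SHA-256 on
    this machine; the ratio tracks the iteration count."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for i in range(guesses):
        salted_sha256(f"guess{i}", salt)
    t_plain = time.perf_counter() - t0
    t0 = time.perf_counter()
    for i in range(guesses):
        pbkdf2_sha256(f"guess{i}", salt)
    t_pbkdf2 = time.perf_counter() - t0
    return t_pbkdf2 / max(t_plain, 1e-9)


if __name__ == "__main__":
    rec = store("hunter2")
    print(verify(rec, "hunter2"), verify(rec, "hunter3"))
    print(f"PBKDF2 guess cost ~{guess_cost_ratio():.0f}x a salted SHA-256")
```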
