Message-ID: <2697B86A359F6C43BF6FD44F8403D7172203A0@giga-dc001.GigaCo.local>
Date: Thu, 5 May 2011 09:24:38 -0400
From: "Liam Randall" <Liam.Randall@...aco.com>
To: "Ryan Sears" <rdsears@....edu>, "full-disclosure" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Lastpass Security Issue

Ryan,

The blog post indicates severe security lapses; for example: why did the Asterisk server have connectivity to the DB? If there was some kind of mashup I would expect it to have limited connectivity, but I'm not aware of anything like that.

If these guys are in the business of security they need to go beyond best practices. Take PCI DSS for example; one of the first steps is to limit the Cardholder Data Environment: different routed and filtered subnets with internal firewalls.

I've got a million other suggestions, but w/o further research or information it would be just guessing. Where there is smoke...

That being said, lapses happen all the time. I think they are handling it the right way and being over cautious; no one wants to get the notification of a compromise the other way. I sincerely hope they use this as an opportunity to review their entire security lifecycle:

Policy --> Procedure --> Control --> Audit --> Refinement

In a different regulatory environment they'd have to follow specific security regimens and audit frequencies with statistically relevant samples.

I'm sure the entire team over there is putting in 110%; good luck guys.

Liam

-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Ryan Sears
Sent: Thursday, May 05, 2011 6:39 AM
To: full-disclosure
Subject: [Full-disclosure] Lastpass Security Issue

Hey all,

Early this morning the folks over at LastPass decided to issue a warning about a potential security issue based on the fact that they detected some anomalies in their logs.

http://blog.lastpass.com/2011/05/lastpass-security-notification.html

Basically the post outlines the fact that even though they've investigated everything they can think of, they still noticed data potentially being exfiltrated from one of their DBs, as more information came out than was going in. Because of the fact they can't account for the traffic from any legitimate source, they're being paranoid and assuming the worst (that someone found a SQL injection presumably).

Even though their passwords were all salted, they're still forcing everyone to change their master password. Those using 2-factor are relatively unaffected, although they have to change their master passwords as well.

This might leave some people who use lastpass in 'Re-enable account hell', where they have their email password stored on lastpass, but can't verify and login to lastpass without clicking an activation link in their email. This can be solved by using one of the plugins in offline mode with your old master password. I'm not sure why they didn't mention it, but this has solved a lot of people's problems.

All in all IMHO these guys take security quite seriously. They noticed an anomaly, investigated and hours later posted something about it on their blog. I'm not sure why no emails have been sent out, but there has been speculation that it would have taken too long (http://blog.lastpass.com/2011/05/lastpass-security-notification.html?showComment=1304571300013#c1232708813079521918), which I don't really agree with. That should've been their first step IMHO, and that's where they fell on their face a bit with all this.

They DO put impressive security measures into place when something does happen though, as seen in the XSS bug found. They implemented HSTS, X-Frame-Options, CSP, which I've only seen used in super rare cases: http://blog.lastpass.com/2011/02/cross-site-scripting-vulnerability.html

They're also implementing PBKDF2, so that makes me feel as though with every security issue they're dealing with they don't just identify and remediate, but actually restructure their infrastructure in order to hedge against any potential future attack vectors.

I personally see this as the best response of any company I've ever seen from a security standpoint.

Thoughts?

Ryan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
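An added example, not from the thread and not LastPass's own tooling, of the kind of check Ryan describes: flagging intervals where a database host's outbound bytes exceed inbound by far more than that host's own recent baseline. The flow records are constructed, and the record layout, baseline window and alert factor are assumptions.

```python
"""Flag intervals where a database host sent out far more data than it received."""
from collections import defaultdict
from statistics import median

# Constructed sample records (not real data): (interval, host, bytes_in, bytes_out).
# Normal write/replication traffic keeps bytes_out below bytes_in; the last two
# "db01" rows model the "more came out than went in" pattern from the post.
SAMPLE_FLOWS = [
    ("2011-05-03T00", "db01", 4_000_000, 2_500_000),
    ("2011-05-03T01", "db01", 3_800_000, 2_400_000),
    ("2011-05-03T02", "db01", 4_100_000, 2_600_000),
    ("2011-05-03T03", "db01", 3_900_000, 2_450_000),
    ("2011-05-03T04", "db01", 1_200_000, 9_000_000),
    ("2011-05-03T05", "db01", 1_100_000, 11_500_000),
    ("2011-05-03T00", "db02", 3_000_000, 1_800_000),
    ("2011-05-03T01", "db02", 3_200_000, 1_900_000),
    ("2011-05-03T02", "db02", 2_900_000, 1_750_000),
    ("2011-05-03T03", "db02", 3_100_000, 1_850_000),
    ("2011-05-03T04", "db02", 3_000_000, 1_800_000),
    ("2011-05-03T05", "db02", 3_050_000, 1_820_000),
]


def egress_ratios(flows):
    """Group records by host: {host: [(interval, bytes_out / bytes_in), ...]}."""
    per_host = defaultdict(list)
    for interval, host, bytes_in, bytes_out in flows:
        ratio = bytes_out / bytes_in if bytes_in else float("inf")
        per_host[host].append((interval, ratio))
    return per_host


def flag_egress_anomalies(flows, baseline_intervals=4, factor=3.0):
    """Return [(host, interval, ratio)] for intervals after the baseline window
    where more data left the host than entered it AND the out/in ratio exceeds
    `factor` times the host's median ratio over its first `baseline_intervals`."""
    alerts = []
    for host, series in egress_ratios(flows).items():
        baseline = median(r for _, r in series[:baseline_intervals])
        for interval, ratio in series[baseline_intervals:]:
            if ratio > 1.0 and ratio > factor * baseline:
                alerts.append((host, interval, round(ratio, 2)))
    return alerts


if __name__ == "__main__":
    for host, interval, ratio in flag_egress_anomalies(SAMPLE_FLOWS):
        print(f"{host} {interval}: out/in ratio {ratio} exceeds host baseline")
```

Comparing each host against its own baseline, rather than a global threshold, keeps a naturally read-heavy replica from alerting while still catching a sudden reversal like the one modelled for db01.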