LastPass update

As a disclaimer: I used to be a LastPass customer up until last year and have since cancelled my subscription and moved to 1Password where I became a certified partner. Some observations below are based on a hypothesis, mainly because LastPass has not provided the information.

Today LastPass provided some more insight in the breach or breaches they have encountered over the last 8 months. As many have seen the sheer fallout of the entire cybersecurity world was enormous, mainly on three fronts.

  • LastPass had observed previous security related issues and have not addressed them properly over the course of a many years
  • The first notice did appear to negated the significance of the breach and lack of details
  • The notice leaned towards LastPass not accepting responsibility if customer credentials were exposed because “best practices” were not followed.

All these, more or less, ensured that a mass exodus of customers happened and many have either ended up with competitors or have taken things into their own hands and started to use other solutions that they had better control over.

The detailed response that LastPass published can be found here.

There are a few takeaways that we can pull from this.

  1. The incident response team that handled the first incident did not take it far enough to investigate any further loopholes and take precautionary measures in time to prevent subsequent breaches. It turned out that the speed of operation by the threat actor, created opportunities of further exploiting weakness in the various services LastPass uses.
  2. The vulnerability of a company provided laptop with insufficient security measures in place as well as allowing the threat actor to interfere with logging facilities and destruction of logged information itself hampered the investigation and elongated the timeframe to put in countermeasures.
  3. Home equipment of engineers was compromised in order to tail-gate access methods and therefore be able to access the required data that was needed to further compromise parts of the environment that LastPass uses.
  4. Existing MFA methodology did not work because of this.
  5. A large amount of countermeasures and actions taken after each of the incidents basically means that from a security infrastructure, policies and procedures perspective, each did not exist, or was simply insufficient to prevent this to happen.

I’ve seen the problem mentioned in #5 happening within many companies. Reason for that is mainly contributed to funding. LastPass’ parent company is LogMeIn who wanted to segregate LastPass into a separate company. This often happens to make it easier to either sell off that entity, have it listed as a separate company for an IPO or to enable different legal and financial rules and regulations for that entity. The consequence of this is that enormous pressure is put on revenue and profitability. Basically everything has to make way for this. Cost-cutting exercises like reduction in functions, off-shoring jobs to low-cost countries or, indeed, reduce funding in areas which do not contribute to either revenue or profitability such as tech-support, internal systems-administration, security etc. This is not new and happens every day in almost every business.
All goes well when the company has not been targetted by malicious actors or organisations. When you hold valuable information from a variety of sources, you own a real treasure trove when this includes access credentials of thousands of people with millions of credentials. In the case of LastPass you can rest assure this is/was the case.

When looking at the scope and timeline of events and the apparent methodology used by the threat actor you can safely assume this was not done by some run-of-the-mill guys with a few hours to spare. This would’ve involved a significantly resourced organisation with enough means and methods to identify the scope and methods that could be used to launch such an attack. Obviously, you would also need some luck. If the LastPass developer in the second instance would’ve patched his home network before the malware could be placed, the entire exercise may not have happened. There are a lot of ifs, buts, thens in stories like this but it most often comes back to discipline and funding. If companies cut corners on one side, holes may open up on the other.

It is up to the CISO’s of this world to identify the weaknesses in their environments and have the executive board make decisions to balance the risk vs costs. As mentioned above, when companies are in a transition phase, the seesaw most often balances in favour of the cost savings. Don’t be surprise if your company will also be in such a precarious scenario when you make the same decisions. As in the LastPass case, your seesaw will significantly be destroyed as you won’t have much to balance with.

The fallout in the case of LastPass would be massive. When looking at the feedback in the various forums there is no IT person left that would ever sign up with LastPass again. The detrimental handling of the security related issues over many years has seen such a significant drop in trust in the company that no-one, who has done even the slightest of product comparison, will even think of considering LastPass again.

Even with the latest communication sent to affected people, LastPass is still hiding away the information via obscure blog links in a tiny 6px font at the bottom of their home page. There is a link in the chat-popup that indirectly guides you to the same page.

To be honest, when an issue of this scale happened, there should be a blinking banner of at least 600×200 pixels warning people to take notice. I guess the marketing and sales teams would simply be out of a job then, I guess.

LastPass is a high profile case, mainly because it affects so many people around the world. The actual impact to customers has yet to be determined as credentials that were stolen are encrypted and it depends on further time and resources of the malicious actors to be exploiting these. The longer that takes, the less valuable the information becomes, as information will become obsolete pretty quickly.

Will the same/similar issue happen again with LastPass? Maybe. The latest updates they’ve posted on their blog seems to indicate there is an fair amount of damage control and emergency fixes rolled out but this does not mean that structural changes that underpin the entire organisation are being put in place.

LastPass info

Snippet of actions that have been or are going to be undertaken:

  1. With the assistance of Mandiant, we forensically imaged devices to investigate corporate and personal resources and gather evidence detailing potential threat actor activity.
  2. We assisted the DevOps Engineer with hardening the security of their home network and personal resources.
  3. We enabled Microsoft’s conditional access PIN-matching multifactor authentication using an upgrade to the Microsoft Authenticator application which became generally available during the incident.
  4. We rotated critical and high privilege credentials that were known to be available to the threat actor; we continue to rotate the remaining lower priority items that pose no risk to LastPass or our customers.
  5. We began revoking and re-issuing certificates obtained by the threat actor.
  6. We analyzed LastPass AWS S3 cloud-based storage resources and applied or started to apply additional S3 hardening measures:
  1. We put in place additional logging and alerting across the Cloud Storage environment with tighter IAM policies enforced.
  2. We deactivated prior development IAM users.
  3. We enabled a policy that prevents the creation and use of long-lived development IAM users in the new development environment.
  4. We rotated existing production service IAM user keys, applied tighter IP restrictions, and reconfigured policies to adhere to least privilege.
  5. We deleted obsolete service IAM users from the development and production environments.
  6. We are enabling IAM resource tagging enforcement on accounts for both users and roles with periodic reporting on non-compliant resources.
  7. We rotated critical SAML certificates used for internal and external services.
  8. We deleted obsolete/unused SAML certificates used for development, services, or third parties.
  9. We revised our 24×7 threat detection and response coverage, with additional managed and automated services enabled to facilitate appropriate escalation.
  10. We developed and enabled custom analytics that can detect ongoing abuse of AWS resources.

There are several additional workstreams underway to help secure our customers, which may require them to perform specific actions. Those are detailed in the section titled “What actions should you take to protect yourself or your business.”

When looking at the list above I must say I’m relatively flabbergasted that the majority has apparently never been on the to-do list as a structural process. I mean, still having obsolete/unused SAML certificates lying around or still having accounts enabled for users who are not longer active basically acts as a red flag on a bull. The most positive in the list is that they hired people from Madiant who are very thorough in their forensics and reporting.

So what is missing in all the above?

There is no mention of anything that shows an improvement in the actual product they sell. Even though LastPass has undertaken the above-mentioned activities, it does not guarantee the same, or similar, event can take place. The Lastpass product itself has some inherent flaws when it comes to security. There should also be a new focus on bringing the product itself to a much higher level. Providing a product which claims to encrypt the data you put in it and then turns out that a fair amount isn’t actually encrypted, is not a sign of a quality product and honesty of the vendor.
I’ll leave it to the reader to follow the various forums that have discussion threads on this.

Is there anyone to blame, class-actions anyone??

I don’t want to be in the shoes of the people responsible for making the decisions at LastPass. I also don’t want to negate the seriousness of the incidents that have been a precursor to the last two massive breaches. If sufficient measures would’be been put in place and security best-practises been followed, the scale of the breach would most likely not have been this big. There is never a 100% guarantee these things will not happen but there is a huge space between 0% and 99.9%. If decisions are made in favour of implementing cost-savings, that percentage will fall significantly and chances of anyone being able to exploit this are increasing exponentially. You can only hope that companies learn from this and do their utmost best to prevent this from even happening again. I don’t think any legal actions would be having an effect, seeing customers leaving in droves and a trust-level below freezing point should be enough deterrent for any executive to just follow the money.

Kind regards
Erwin van Londen

Print Friendly, PDF & Email

Subscribe to our newsletter to receive updates on products, services and general information around Linux, Storage and Cybersecurity.

The Cybersecurity option is an OPT-OUT selection due to the importance of the category. Modify your choice if needed.

Select list(s):