This Week in Security: LastPass Takeaway, Bitcoin Loss and PyTorch

We mentioned the LastPass story at the end a few weeks ago, but details were still a little scarce. The hope was that LastPass would release more transparent information about what happened and how many accounts were accessed. Unfortunately, it looks like the December 22 press release is all we'll get. For LastPass users, it's decision time.

To recap, an attacker used information from the August 2022 breach to target a LastPass employee with a social engineering scheme. This was successful, and the attacker was able to gain access to LastPass backups, specifically a customer account database and customer vaults. There was no official word on how much user data was included, but the indication is that it was the full data set. And to make matters worse, the "encrypted" vault is only partially encrypted: the stored URLs were exposed to the attacker in plain text, although usernames and passwords were still encrypted under your master password.

So what should a LastPass user do? It depends. We can assume that whoever now holds the LastPass vault data is currently throwing every available password list at it. If you've been using a weak master password - derived from words in any language, or previously compromised - it's time to change every password that was in the vault. They are burned.

Whether you stick with LastPass or switch to another solution, it's only a matter of time before your vault is cracked. Worse still, some old LastPass accounts use only 5,000 iterations of the Password-Based Key Derivation Function (PBKDF2) hash. New accounts are configured to use over 100,000 iterations, but some older accounts may still be on the old setting. The result is that an attack against the encrypted vault runs much faster. The iteration count is almost certainly in the stolen data, so those accounts will likely be targeted first. If you are a long-time user, change all the passwords stored in the vault.

There is good news. Vaults use a salt alongside the password - additional data that is fed into the PBKDF2 function. This means that the password cracking work has to be done individually, per user. If you are just another uninteresting user, you may never be targeted for cracking. But if you're interesting, or have URLs in your vault that look interesting, there's a much better chance of being targeted. And unfortunately, those URLs were in plain text.

So how do the numbers work out? Luckily for us, [Wladimir Palant] has done the calculations. A minimum-complexity password under the 2018 rules for a LastPass master password yields 4.8×10^18 possible combinations. An RTX 4090 can sustain around 1.7 million guesses per second against an account using just 5,000 iterations of PBKDF2, or 88,000 guesses per second against a properly secured account. That works out to 44,800 years and 860,000 years respectively to open a vault with a single RTX 4090 working on it. Very rough calculations on the size of a three-letter-agency data center suggest that devoting the entirety of one of those data centers to the task would crack the least secure vault in under four months. For an account using the full security settings, that jumps to nearly six years. Keep in mind that this is a best-case scenario for the attacker, and represents devoting a $1.5 billion data center to the task for an extended period of time. It also assumes that you chose your password at random.
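As an added example (not from the column or from Palant's write-up), the arithmetic above carried through in Python, together with a PBKDF2-HMAC-SHA256 derivation showing why a per-user salt forces the attacker to redo the work for every vault. Using the account e-mail as the salt and 100,100 as the "properly secured" iteration count are assumptions made for this example.

```python
import hashlib

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Figures quoted in the column (Palant's estimate): keyspace of a
# minimum-complexity 2018 LastPass master password and RTX 4090 guess rates.
KEYSPACE_2018_MINIMUM = 4.8e18
RATE_AT_5000_ITER = 1.7e6     # guesses/s against a 5,000-iteration account
RATE_AT_SECURE_ITER = 88_000  # guesses/s against a "properly secured" account
LEGACY_ITERATIONS = 5_000
SECURE_ITERATIONS = 100_100   # assumed value for "over 100,000 iterations"


def derive_vault_key(master_password: str, salt: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 in the style of a password-manager vault key.
    The salt (assumed here to be the account e-mail) is public, but it makes
    every user's derivation distinct, so no precomputed table covers two users."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt.encode(), iterations, dklen=32
    )


def expected_crack_years(keyspace: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random password: half the keyspace."""
    return keyspace / 2 / guesses_per_second / SECONDS_PER_YEAR


def scaled_guess_rate(rate: float, from_iterations: int, to_iterations: int) -> float:
    """PBKDF2 cost is linear in the iteration count, so the attacker's guess
    rate falls in proportion when the count is raised."""
    return rate * from_iterations / to_iterations


if __name__ == "__main__":
    # Constructed sample accounts: same (weak) master password, different salts.
    k_alice = derive_vault_key("Summer2018!!", "alice@example.com", LEGACY_ITERATIONS)
    k_bob = derive_vault_key("Summer2018!!", "bob@example.com", LEGACY_ITERATIONS)
    print("same password, different salts, keys differ:", k_alice != k_bob)
    print("expected years, 5,000 iterations:  %.0f" %
          expected_crack_years(KEYSPACE_2018_MINIMUM, RATE_AT_5000_ITER))
    print("expected years, secure iterations: %.0f" %
          expected_crack_years(KEYSPACE_2018_MINIMUM, RATE_AT_SECURE_ITER))
    print("predicted secure-account guess rate: %.0f/s" %
          scaled_guess_rate(RATE_AT_5000_ITER, LEGACY_ITERATIONS, SECURE_ITERATIONS))
```

The predicted rate from linear scaling (about 85,000 guesses/s) lands close to the 88,000 figure quoted above, and the expected-time formula reproduces the 44,800- and 860,000-year estimates.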

But here's the catch: while the risk is enough to drive you into action, changing your LastPass master password isn't enough. Whether you stay with LastPass or switch to another solution, you'll need to change the master password first, then go through the grueling process of changing every password in your LastPass vault. The whole mess was definitely a failure on LastPass's part, and their post-incident report certainly leaves some transparency to be desired. The unencrypted URLs associated with each saved password are unfortunate. But the core tenet, that even LastPass can't access your saved passwords, seems to have held up.

Bitcoin Hacker Hacked

Luke Dashjr, a Bitcoin Core developer and the main signer of the Bitcoin Knots software, has suffered a major security breach. This may be a follow-on to a physical attack in November, where someone managed to reboot his co-located server from a flash drive and install a backdoor. That one was caught, and...
