Will LastPass Breach Poison Trust in Password Managers?

A data breach is no picnic for any organization, but for a company that makes its potato salad by protecting other people’s passwords, it’s the mother of all nightmares. Yet, that has happened to LastPass twice.

In 2011, the service found anomalies in its network traffic that forced it to reset all its users’ master passwords. To make matters worse, LastPass wasn’t prepared for the traffic surge from everyone trying to change their passwords at the same time, so performance headaches inconvenienced users further. A master password is used by users to protect the vaults where all their passwords for other services are stored.

The service recently came under attack again. The company last week alerted users that “suspicious activity” on its network was discovered and blocked on June 12.

“In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed,” CEO and cofounder Joe Siegrist wrote in LastPass’ company blog. “The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.”

Confidence Razer

Although LastPass was confident that its encryption measures would protect a majority of its users, Siegrist wrote, the company was taking the precaution of requiring users logging in from a new device or IP address to verify their account by email, unless they had multifactor authentication enabled. He also recommended everyone change their master password.

While LastPass should receive plaudits for its rapid response to the attack on its systems, the question remains: Will bad press from the breach hurt the password management industry?

“The biggest concern for LastPass is whether trust has been shaken in users’ minds,” said TapLink CTO Jeremy Spilman.

“The brand impact of something like this can be tremendous,” he told TechNewsWorld.

“It doesn’t inspire confidence in consumers,” added Rob Shavell, CEO and cofounder of Abine.

There are two kinds of password managers, he told TechNewsWorld. One kind stores master passwords in the cloud; the other kind doesn’t. Storing master passwords in the cloud makes it easier for consumers to recover their stored passwords if they lose their master passwords.

If the only one with access to a user’s master password is the user, there’s an element of inconvenience, because if the master password is lost, so is the user’s data.

Still, “it’s more secure, because if a hacker gets into the database of the password management company,” Shavell explained, “they’d have to hack each user’s account separately, which would take a very long time and not be worth the effort.”
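As an added illustration, not LastPass's actual design, the sketch below shows the split that the quoted terms "server per user salts" and "authentication hashes" point at: the vault key is derived on the client and never sent, while the server keeps only a per-user salt and a hash derived from that key. It also shows why a leaked server record gives up neither the vault key nor a shortcut across accounts. Iteration counts, e-mail addresses and passwords are constructed values.

```python
import hashlib
import hmac
import os

# Constructed parameters for illustration; not any product's real settings.
CLIENT_ROUNDS = 100_000   # work the client does per login attempt
SERVER_ROUNDS = 100_000   # extra work the server adds before storing


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side: key that encrypts the vault. Salted with the account
    e-mail so two users with the same master password get different keys.
    This value is never transmitted to the server."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), CLIENT_ROUNDS)


def derive_auth_hash(vault_key: bytes, server_salt: bytes) -> bytes:
    """Server side: the only password-derived value the server stores.
    The per-user salt means a guess must be re-derived for every record;
    no table computed for one user helps against another."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, server_salt, SERVER_ROUNDS)


def enroll(master_password: str, email: str) -> dict:
    """Build the per-user record the server keeps: e-mail, salt, auth hash.
    Neither the master password nor the vault key is part of it."""
    server_salt = os.urandom(16)
    vault_key = derive_vault_key(master_password, email)
    return {"email": email,
            "server_salt": server_salt,
            "auth_hash": derive_auth_hash(vault_key, server_salt)}


def verify_login(record: dict, master_password: str) -> bool:
    """Re-run both derivations and compare in constant time."""
    vault_key = derive_vault_key(master_password, record["email"])
    candidate = derive_auth_hash(vault_key, record["server_salt"])
    return hmac.compare_digest(candidate, record["auth_hash"])


def record_exposes_vault_key(record: dict, master_password: str) -> bool:
    """Check whether a leaked record contains the vault key outright."""
    vault_key = derive_vault_key(master_password, record["email"])
    return vault_key in record.values()


if __name__ == "__main__":
    alice = enroll("correct horse battery", "alice@example.com")
    bob = enroll("correct horse battery", "bob@example.com")
    print("login ok:", verify_login(alice, "correct horse battery"))
    print("same password, same hash:", alice["auth_hash"] == bob["auth_hash"])
```

The mitigation shown is the design choice, not a guarantee: a weak master password still falls to a per-account guess, which is why the advice after the breach was to change it.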

Minimal Damage

Any harm to the password management industry from the LastPass breach is likely to be short-lived, maintained Bill Carey, vice president of Siber Systems.

“I would consider it a minor setback for the password management industry,” he told TechNewsWorld.

“People are doing more online, so there’s really a growing need for users to have strong and unique passwords for all these websites, and since people can’t remember more than three or four strong passwords, there’s a need for a password manager,” Carey said.

“I don’t see any other technologies replacing the password any time soon,” he added, “so I think there will be a growing and continued demand for password managers.”

However, “none of us are going to be around for long if we continue to see more security breaches.”

Following the Money

Willie Sutton’s wisdom — he said he robbed banks because that’s where the money was — isn’t lost on cyberthieves, according to a report Websense released last week.

The financial services industry encounters security incidents 300 percent more frequently than any other industry, the firm reported.

“That’s an indication of how lucrative the sector is for hackers and attackers,” said Rajiv Motwani, director of security research for Websense.

An old but effective tactic being used by cyber-robbers is typosquatting — that is, creating domains that mirror those of legitimate financial institutions but may have a letter or two missing. One of the most common domain abuses is the use of “.co” for “.com.”

“Typosquatting isn’t new, but the level of sophistication is,” Motwani told TechNewsWorld. “They’re registering these domains en masse and customizing them to each victim.”

The technique seems to be working, as Websense estimates the average take for these attacks is US$130,000.

The report also found that cyberinsurance may be hindering real security adoption in financial services.

“Banks with cyber insurance policies aren’t necessarily fixing their security problems,” Websense reported. “Rather, they’re relying upon their policies as financial liability risk management. But even that assumption is flawed. Cybersecurity insurance is limited in its coverage, and only partially limits the financial impact of a worst-case cyber-attack scenario.”

Breach Diary

  • June 15. LastPass, an online password management service, alerts its users that it has discovered suspicious activity on its network and recommends all user master passwords be reset.
  • June 15. Millions of federal employees begin to receive notices from the federal Office of Personnel Management that their personal data may have been stolen in a data breach at the agency reported earlier this month.
  • June 16. U.S. District Court Judge R. Gary Klausner rules former employees of Sony Pictures Entertainment can sue the company for damages caused by the loss of personally identifiable information in a 2014 data breach.
  • June 16. St. Louis Cardinals confirm that they are under federal investigation to determine if members of their front office hacked into the Houston Astros’ internal database to steal information.
  • June 16. Kaspersky Lab reports the Duqu 2.0 malware that attacked its computer systems used a digital certificate stolen from Foxconn, a Taiwan electronics firm known for making Apple products.
  • June 17. Charges are filed against Sadie Alexis Robinson, 21, and Emile Anthony Rey, 35, in Dakota County, Minnesota, for using information from the Home Depot breach in 2014 to clone credit cards the pair used to buy some $10,000 in gift cards at Target and Walmart.
  • June 17. San Luis Obispo County in California DA’s office announces the arrest of Lacey Fowler, 29, for improperly accessing computer data at Cuesta College.
  • June 17. Security researchers at Indiana University, Peking University and the Georgia Institute of Technology report they’ve found in Apple’s OS X and iOS operating systems vulnerabilities that allow malware to crack Apple’s password-storing keychain, break app sandboxes and bypass App Store security checks.
  • June 18. UC Irvine Medical Center reveals it is notifying 4,859 patients that their sensitive medical information may have been compromised by a hospital employee who looked at the information without authorization.

Upcoming Security Events

  • July 3. B-Sides Lisbon. Forum Picoas, 40 Avenida Fontes Pereira De Melo, Lisbon, Portugal. Free.
  • July 18. B-Sides Detroit. McGregor Memorial Conference Center, Wayne State University, Detroit. Free.
  • July 22-24. RSA Asia Pacific & Japan. Marina Bay Sands, Singapore. Registration: before June 21, SG$700; after June 20, SG$850.
  • July 25. B-Sides Cincinnati. Cincinnati Museum Center, 1301 Western Ave., Cincinnati, Ohio. Free.
  • August 1-6. Black Hat USA. Mandalay Bay, Las Vegas, Nevada. Registration: before June 6, $1,795; before July 25, $2,195; after July 24, $2,595.
  • August 4-5. B-Sides Las Vegas. Tuscany Hotel and Casino, 255 E. Flamingo Rd., Las Vegas, Nevada. Free.
  • August 6-9. Defcon 23. Paris Las Vegas, 3655 S. Las Vegas Blvd., Las Vegas, Nevada, and Bally’s, 3645 S. Las Vegas Blvd., Las Vegas, Nevada. $230, cash only at the door.
  • August 24-25. Gartner Security & Risk Management Summit. Hilton Hotel, 488 George St., Sydney, Australia. Registration: prior to June 27, AU$2,475; after June 26, AU$2,875; public sector, AU$2,375.
  • Sept. 12. B-Sides Augusta. GRU Harrison Education Commons Building, 1301 R.A. Dent Blvd., Augusta, Georgia. Free.
  • Sept. 16-17. SecureWorld Detroit. Ford Motor Conference & Event Center, Detroit. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Sept. 22-23. SecureWorld St. Louis. America’s Center Convention Complex, St. Louis. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Sept. 28-Oct. 1. ASIS 2015. Anaheim Convention Center, Anaheim, California. Through May 31: member, $895; nonmember, $1,150; government, $945; student, $300. From June 1 through Aug. 31: member, $995; nonmember, $1,250; government, $1,045; student, $350. From Sept. 1 through Oct. 1: member, $1,095; nonmember, $1,350; government, $1,145; student, $400.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
