LastPass source code breach – incident response report released – Naked Security

If the big story of this month looks set to be Uber’s data breach, where a hacker was allegedly able to roam widely through the ride-sharing company’s network…
…the big story from last month was the LastPass breach, in which an attacker apparently got access to just one part of the LastPass network, but was able to make off with the company’s proprietary source code.
Fortunately for Uber, their attacker seemed determined to make a big, quick PR splash by grabbing screenshots, spreading them liberally online, and taunting the company with shouty messages such as UBER HAS BEEN HACKED, right in its own Slack and bug bounty forums:
UBER HAS BEEN HACKED, boasts hacker – how to stop it happening to you

The attacker or attackers at LastPass, however, seem to have operated more stealthily, apparently tricking a LastPass developer into installing malware that the cybercriminals then used to hitch a ride into the company’s source code repository:
LastPass source code breach – do we still recommend password managers?

LastPass has now published an official follow-up report on the incident, based on what it has been able to figure out about the attack and the attackers in the aftermath of the intrusion.
We think that the LastPass article is worth reading even if you aren’t a LastPass user, because we think it’s a reminder that a good incident response report is as useful for what it admits you were unable to figure out as for what you were.
The boldface sentences below provide an outline of what LastPass is saying:
We think it’s reasonable to say that our early assumptions were correct, and that although this is an embarrassing incident for LastPass, and might reveal trade secrets that the company considered part of its shareholder value…
…this hack can be thought of as LastPass’s own problem to deal with, because no customer passwords were reached, let alone cracked, in this attack:
S3 Ep98: The LastPass saga – should we stop using password managers? [Audio + Text]

This attack, and LastPass’s own incident report, are also a good reminder that “divide and conquer”, also known by the jargon term Zero Trust, is an important part of contemporary cyberdefence.
As Sophos expert Chester Wisniewski explains in his analysis of the recent Uber hack, there’s a lot more at stake if crooks who get access to some of your network can roam around wherever they like in the hope of getting access to all of it:
I’m a computer user from the 286 era, aware that I know about security as well as I know the constituents of pencil lead: it’s soft or hard.
I bought into Dr Solomon in the early days and have never regretted it.
In the intervening years I’ve had two glitches, resolved by Sophos, and intend to stay on the path I’ve come to trust.
I do read the articles and act where I’m able, but in all honesty that’s the best I can, or want to, do.
Some of us are like many drivers: we know how to drive but not how the engine works, so we leave problems to the professionals.

