Full Disclosure mailing list archives

Re: Lastpass Security Issue
From: "Liam Randall" <Liam.Randall () gigaco com>
Date: Thu, 5 May 2011 09:24:38 -0400

Ryan,

The blog post indicates severe security lapses; for example:

Why did the Asterisk server have connectivity to the db?  If there was
some kind of mashup I would expect it to have limited connectivity but
I'm not aware of anything like that.

If these guys are in the business of security they need to go beyond
best practices. Take PCI DSS, for example: one of the first steps is to
limit the Cardholder Data Environment.  Different routed and filtered
subnets with internal firewalls.  I've got a million other suggestions,
but w/o further research or information it would be just guessing.

Where there is smoke...

That being said, lapses happen all the time.  I think they are handling
it the right way and being over-cautious; no one wants to get the
notification of a compromise the other way.  I sincerely hope they use
this as an opportunity to review their entire security lifecycle.

Policy --> Procedure --> Control --> Audit --> Refinement

In a different regulatory environment they'd have to follow specific
security regimens and audit frequencies with statistically relevant
samples.

I'm sure the entire team over there is putting in 110%; good luck guys.

Liam

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Ryan
Sears
Sent: Thursday, May 05, 2011 6:39 AM
To: full-disclosure
Subject: [Full-disclosure] Lastpass Security Issue

Hey all,

Early this morning the folks over at LastPass decided to issue a warning
about a potential security issue based on the fact that they detected
some anomalies in their logs. 

http://blog.lastpass.com/2011/05/lastpass-security-notification.html

Basically the post outlines the fact that even though they've
investigated everything they can think of, they still noticed data
potentially being exfiltrated from one of their DBs, as more information
came out than was going in. Because of the fact they can't account for
the traffic from any legitimate source, they're being paranoid and
assuming the worst (that someone found a SQL injection presumably).

Even though their passwords were all salted, they're still forcing
everyone to change their master password. Those using 2-factor are
relatively unaffected, although they have to change their master
passwords as well.

This might leave some people who use LastPass in 'Re-enable account
hell', where they have their email password stored on LastPass, but
can't verify and login to LastPass without clicking an activation link
in their email. This can be solved by using one of the plugins in
offline mode with your old master password. I'm not sure why they didn't
mention it, but this has solved a lot of people's problems.

All in all IMHO these guys take security quite seriously. They noticed
an anomaly, investigated and hours later posted something about it on
their blog. I'm not sure why no emails have been sent out, but there has
been speculation that it would have taken too long
(http://blog.lastpass.com/2011/05/lastpass-security-notification.html?showComment=1304571300013#c1232708813079521918),
which I don't really agree with. That should've been their first step
IMHO, and that's where they fell on their face a bit with all this.

They DO put impressive security measures into place when something does
happen though, as seen in the XSS bug found. They implemented HSTS,
X-Frame-Options, CSP, which I've only seen used in super rare cases:

http://blog.lastpass.com/2011/02/cross-site-scripting-vulnerability.html

They're also implementing PBKDF2, so that makes me feel as though with
every security issue they're dealing with they don't just identify and
remediate, but actually restructure their infrastructure in order to
hedge against any potential future attack vectors. I personally see this
as the best response of any company I've ever seen from a security
standpoint.

Thoughts?

Ryan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
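The kind of log check that triggered the notification, as an added example that is not from either post: a short Python pass over constructed hourly DB flow summaries that flags (a) hours where a client's bytes-out/bytes-in ratio jumps well above that client's own earlier baseline (Ryan's "more came out than went in") and (b) any client outside an allowlist of hosts permitted to reach the DB tier (Liam's segmentation point). The host names, threshold, allowlist and data are all constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flow summaries: "hour src dst bytes_in bytes_out",
# where bytes_in flows towards the DB and bytes_out flows from it.
# Not real data; the pbx-1 row mirrors the Asterisk box Liam asks about.
SAMPLE_FLOWS = """\
2011-05-03T01 app-1 db-1 820000 910000
2011-05-03T02 app-1 db-1 790000 880000
2011-05-03T03 app-1 db-1 805000 900000
2011-05-03T04 app-1 db-1 810000 3400000
2011-05-03T04 pbx-1 db-1 1200 950000
"""

# Hypothetical policy: only these hosts may talk to the DB tier.
DB_ALLOWED_CLIENTS = {"app-1"}


def parse_flows(text):
    """Parse the whitespace-separated summaries into tuples."""
    rows = []
    for line in text.splitlines():
        hour, src, dst, b_in, b_out = line.split()
        rows.append((hour, src, dst, int(b_in), int(b_out)))
    return rows


def find_anomalies(rows, allowed=DB_ALLOWED_CLIENTS, factor=2.0):
    """Return (hour, src, reason) findings.

    A client is flagged when it is not on the allowlist, or when its
    out/in byte ratio for an hour exceeds `factor` times the median of
    the ratios seen for that client in earlier hours (its baseline).
    """
    findings = []
    history = defaultdict(list)  # (src, dst) -> ratios seen so far
    for hour, src, dst, b_in, b_out in sorted(rows):
        if src not in allowed:
            findings.append((hour, src, "unexpected DB client"))
        ratio = b_out / max(b_in, 1)
        past = history[(src, dst)]
        if past and ratio > factor * median(past):
            findings.append((hour, src,
                             f"egress ratio {ratio:.1f}x vs baseline {median(past):.1f}x"))
        past.append(ratio)
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_flows(SAMPLE_FLOWS)):
        print(*finding)
```

The per-client baseline matters: a static threshold would have to be tuned per tier, while a sudden multiple of the client's own history is what a DB-read spike looks like regardless of absolute volume.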

