
The Uncomfortable Implications of the LastPass Attack

Jan 06, 2023

Several weeks ago, one of my news feeds served me an article about how people continue to pick the very worst passwords possible: everything from ABC123 to their own first and last name. Considering how easy it is for hackers to guess, buy, or break passwords, the bar for picking strong passwords is getting higher than ever – meaning the difference between bad and very bad passwords is non-existent.


Password strength wasn’t what was interesting about this article. What stuck out for me was how persistent the password problem has been – years of training, explaining, pleading, and sometimes even incentivizing haven’t done much to get people to use stronger passwords.


A password manager like LastPass was supposed to be the solution. It offered a streamlined way to turn every password into a strong password, enter the login details automatically, and keep everything safe inside an encrypted vault. LastPass seemed like a win-win: stronger security plus streamlined access. But then we learned through a story that’s been unfolding in recent weeks that attackers managed to steal some of those vaults. And if they manage to crack them open, they will have access to the login credentials for many thousands of personal accounts.


I had originally planned to write about the LastPass attack as a sign that passwords are on their last legs and woefully in need of replacement. But I think most people held that opinion even before the LastPass attack. What’s more, alternatives to passwords have never been more numerous or viable, so I’m confident the era of password protection is coming to a close (whether or not I write about it).


Something besides the password angle stood out to me as I read more about the LastPass attack. Specifically, I was struck by how much LastPass bungled things at every turn, first with their own security, and then with their response to the attack. The problem was not passwords (they were the victim, really). Rather, the problem was LastPass, which promised to protect passwords and then failed at the one thing it was supposed to excel at.


Which leads to an uncomfortable but unavoidable line of inquiry: What other protections are less secure than they seem? Have other vendors made promises that they can’t or won’t honor? Is there any way to know for sure whether you’re as safe as you think? Can anyone really count on cybersecurity?


Vendors are a Weaker Link Than You Think


There has been growing awareness that the IT products a company uses could get weaponized as part of supply chain attacks, which have received a lot of attention lately. And while companies understand that some vendors are stronger than others and some products are weaker than alternatives, we tend to see any protection as better than nothing. The LastPass attack reveals that’s a dangerous line of reasoning.


Reports suggest that security standards and practices at LastPass have been slipping for years, but the extent of that was not apparent until the attack (plus another attack 6 months prior) forced the company to make disclosures. Effectively, the company spent years cultivating trust, then used its positive reputation to let security slide without people noticing.


If it can happen at LastPass, it can conceivably happen anywhere. And with the pandemic and its aftereffects putting so many companies through internal turmoil, who knows which other vendors have become shells of their former selves, waiting for an attack to expose seemingly formidable security measures as brittle defenses. And if it can happen to something as fundamental to security as a password vault (the crown jewels for attackers), then logically any asset could currently be exposed because the defenses around it may be just as hollow.


If that sounds hyperbolic, take a quick mental inventory of your security stack. Can you be confident that every vendor in it is taking security as seriously as necessary, particularly when doing so conflicts with the bottom line? My point is that strong defenses can turn into weak ones without anyone noticing.


Of course, SLAs and other contractual obligations can help mitigate this. But even with those obligations in place, sometimes companies go south – suddenly, swiftly, and surprisingly. And when they are involved with cybersecurity, users often get caught up in the collapse.


The possibility that you’ve surrounded yourself with paper tigers is certainly a frightening thought. But, I must admit, it’s remote (LastPass is an outlier). And there’s a silver lining: it takes less time to vet and review vendors than it does to detect and respond to threats.

#Cybersecurity #Authentication #LastPass #Vendor #Password






The recent attack on LastPass has people questioning if they can trust password managers. But there's a bigger issue lurking underneath - can you trust ANY security vendor?


Written by

Paul Lighter
