The Prevailing winds of the Lastpass Breach — How it affects you!


Photo by mohamed_hassan from PxHere

Understanding the Lastpass Breach

Let us be clear about this: people really don’t understand what is going on with this breach. That, however, will not stop the threat actors from taking control of your data if they get a chance. This means they will go after the websites you visit, or impersonate you in some way to get the access they are seeking. Either way, it isn’t as if we can just sit back and do nothing.

“It is possible to crack those passwords,” Melissa Bischoping, director of endpoint security research at Tanium, said via email. “Instead of running the math to determine how complex your password would be to crack with modern equipment, it’s best to go ahead and do some credential hygiene.” — CyberSecurity Dive

Credential hygiene is necessary in our day-to-day routines because it helps stop theft of our accounts and our personal information. However, that doesn’t mean the metadata associated with your vault was encrypted; in fact it wasn’t, and it can be used to exploit this issue. So even if they don’t brute-force your password vault, they can use phishing or other means to get the access they are seeking, and then gather even more information about you to use against you.

The Lingering effects of Password Managers

Password managers are a necessity today because of the all too common breaches. Even if LastPass hadn’t been breached, some other site or sites would have been, and you’d still have to change your password or add multi-factor authentication to prevent unauthorized access. It goes without saying that we will see other breaches, and it will not just be LastPass. Sooner or later some other password manager will be a target and we will see this again, but that shouldn’t deter you from using a password manager; it is the one tool we will always need to create better passwords than we could by ourselves. Many in the security field are advising users to move to another password manager. I too have not liked the taste of what LastPass has done: the way they made it sound less important than it truly is, though that might just be because their lawyers got involved. Either way, I will suggest three things to better help you even if you keep LastPass.

  1. Check your iterations and make sure they are set high. I think the minimum we should have is over 500,000 iterations, to make sure they can’t be cracked as easily the next time. If yours are low, now is a good time to bump them up, even though it makes you more of a target right now. This will help in the future, in case there is another breach.
  2. Change all your important sites’ passwords. Don’t just wait to get hacked; go through and see which sites you are truly using right now, change your passwords, and if you can, add an authentication method to help protect you in case there is another hack down the road.
  3. Create a new master password which isn’t anywhere close to what you have now. If you can create your own acronym of at least 12 characters, that would help. (What is an acronym?) I suggest not using the most common acronyms but creating one that only you can remember, and using that. It may take some time, but it could be something you have to say every time you type it in on your computer; just don’t let everyone else hear it.
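The three steps above come down to one idea: the attacker who holds a copy of your vault must pay the key-derivation cost once per guess, and the number of guesses grows with master password length. The example below is added here and is not code from the post or from LastPass; it assumes the vault stretches the master password with PBKDF2-HMAC-SHA256 and that the iteration count is the tunable work factor, and it uses a constructed salt. It also covers the later discussion on this page of GPU rigs cracking vaults one user at a time.

```python
"""Added example (not from the original post): why the vault iteration count
and the master password length both matter.  Assumes the vault stretches the
master password with PBKDF2-HMAC-SHA256 and that the iteration count is the
tunable work factor; the salt below is constructed for the demo."""
import hashlib
import time

SALT = b"constructed-example-salt"  # a real vault uses a random per-user salt
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, iterations: int, salt: bytes = SALT) -> bytes:
    """Stretch the master password into a 256-bit key; cost grows linearly with iterations."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def seconds_per_derivation(iterations: int, rounds: int = 3) -> float:
    """Time one derivation on this machine.  An attacker pays the same price per guess."""
    start = time.perf_counter()
    for _ in range(rounds):
        derive_vault_key("timing-probe", iterations)
    return (time.perf_counter() - start) / rounds


def guesses_needed(alphabet_size: int, length: int) -> int:
    """Search space for a random password of `length` symbols (worst case for the attacker)."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size: int, length: int, seconds_per_guess: float,
                     parallel_guessers: int = 1) -> float:
    """Years to try every candidate at the given per-guess cost across N parallel crackers."""
    total_seconds = guesses_needed(alphabet_size, length) * seconds_per_guess / parallel_guessers
    return total_seconds / SECONDS_PER_YEAR


if __name__ == "__main__":
    # 500,000 is the floor the post recommends; the other two are constructed comparison points.
    for iterations in (1_000, 50_000, 500_000):
        cost = seconds_per_derivation(iterations)
        # A GPU rig guesses far faster than this machine, so read the figures as relative, not absolute.
        print(f"{iterations:>8,} iterations: {cost * 1000:7.1f} ms per guess; "
              f"8 lowercase chars: {years_to_exhaust(26, 8, cost, 10_000):.2f} years, "
              f"12 mixed chars: {years_to_exhaust(62, 12, cost, 10_000):.1e} years "
              f"across 10,000 parallel crackers")
```

Raising iterations multiplies the attacker's cost per guess; adding characters multiplies the number of guesses, which is why the two fixes compound.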

Those Password Managers

Finally, let’s talk about your choices in this matter. Even though I talked about this in the previous post, we should at least look at the options for those who might want to go to another service. Here are a few of them that I saw around the internet:

  • Bitwarden — This is the one I prefer to go to because it is open source and you have several options to choose from. It is where a lot of people are going right now after the LastPass breach, I am sure of it.
  • 1Password — This one I only know about through what I’ve heard. I’ve heard good things about it, but there are not many options for those who want something free. This is good because they’ve been in this business for quite some time. I’ve heard of this company for MANY years and it still has some great value to give to its users.
  • Dashlane — I’ve never used this product, but it comes highly recommended by others because of how security focused they are. You will have to pay a yearly subscription fee, and there is only a demo version, which means there is no free version.
  • Roboform — I’ve talked about Roboform way in the past, and it was a very useful password manager when I was using it 10 or so years ago. So they must at least be doing something right to still be in business. I haven’t explored them lately, but I might just do that again to see how they are doing.

As you can see, you have several choices if you decide you want to get away from LastPass, but ultimately you will have to decide what you want to do. I am still possibly going to Bitwarden because it is open source, or I might go back to Roboform if I can find the license I had with them in the past. I haven’t really decided; I think Bitwarden would be my best choice because I know people can look at their code and help keep my passwords secure. Are you planning on changing or staying with LastPass? Who will you be going to if you are going to change password managers? Why not leave a comment and tell me your options? I’d love to hear them and find out exactly what you are thinking about this LastPass breach.

Is it time to say NO to LastPass?

Lastpass Recent Incident

Until recently LastPass has been an excellent password manager, and I was one of its many supporters. The problem now is that it is going downhill. They seem not to want everyone to know just how severe this incident is, and have not really done the job we should have expected. In December they sent out a small notice to people that referenced their blog post. Who is going to go look at a blog post around Christmas? I sure as heck was too busy with other stuff to worry about a small email telling people to check out the blog post. LastPass, you should have done better and sounded the warning bells so everyone would know just how much you screwed up.

In their blog post:

The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

Vault and Robbers

You see, it isn’t very nice how much information they left out of the email. This should have been a “Danger, Will Robinson, Danger!” type of warning. Yet LastPass didn’t sound the alarm. Shame on you for not doing the right thing. As you can see, they got your vault data and mine. Although they can’t really use it without the master password, it is only going to take time, and then they will have all our passwords for sites across the internet. That’s the problem: they don’t seem to care that it got out. The threat actors will use GPUs and other hardware to work out, one user at a time, their master passwords, and it could be years before they get to yours, or it could be next month, depending on how good your master password was. Was it long or was it short? What about iterations? Did you bump them up to make it harder for them to figure out your master password?

The threat actor may attempt to use brute force to guess your master password and decrypt the copies of vault data they took. Because of the hashing and encryption methods we use to protect our customers, it would be extremely difficult to attempt to brute force guess master passwords for those customers who follow our password best practices.

As you can see, even LastPass has stated that attackers will eventually try this against every vault they can, but did you follow their suggestions? Probably not, and I wouldn’t blame you, because we don’t always have time to keep track of what they recommend.

They claim it could take thousands of years for threat actors to crack the master password:

If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology.

However, that isn’t always true. If they have enough computers and put enough effort into cracking a vault, it could be sooner rather than later. The way technology is growing, and the speed of computers now, would mean threat actors could start usurping people’s processing power and have thousands of computers worldwide cracking the master password keys. That is how Bitcoin came into being, but we wouldn’t know it until it could be too late.

Is it time to switch to another Password Manager?

I’m inclined to switch to Bitwarden just because it is open source, and I really feel like at least I won’t have to worry about my passwords being leaked. I will also probably go through every site that I visit and change my password, and also use 2FA (two-factor authentication) to prevent threat actors from taking control of my accounts. I’m going to explore my options, but I am more and more thinking about going somewhere else where my data can be safer than with LastPass. What are your thoughts on this? Are you staying with LastPass or are you planning to go somewhere else?

How Keyloggers work and why you should worry!


The History of Keyloggers

Keyloggers have been used ever since the dawn of computers. They were a problem even in DOS (Disk Operating System). If you haven’t used DOS, that is normal; it hasn’t been used for years and years, but it still was a problem. What are keyloggers? Well, to put it in a way that even those who might not know about computers will understand, a keylogger is a program or app that watches everything you do, including everything you might say or type, and then reports back to the person or organization who created it. If your phone was infected, they could use the keylogger to learn even your GPS location and you would not even know it. This is where it has gone in the past, and I am sure it will get even worse in the future because of all the IoT (Internet of Things) devices we now use to control our fridge or even our thermostat.

The Information gained by a Keylogger

Even today, we should be watchful of who might be looking over our shoulders. It is even more difficult to do that in security because keyloggers tend to hide in the background and not show signs that you have a problem on the system or systems involved. The information a threat actor might gain from using a keylogger is tremendously valuable. I don’t say that lightly either: when a threat actor gains control of a system and wants access to something even more secure, this is one of the ways they can get the information needed to reach those really important documents. They can sit on a system for weeks to months without being noticed, gaining valuable information such as passwords, account information from banks to email addresses, even your Social Security Number, and even what websites you might have visited while the keylogger is installed on your device. This is just a small part of how much information a keylogger can gain just by being on a system. They can learn the habits of the user: if you visit a site at 12:13pm almost exactly each day, then they will know what you are doing on your break, or what you do at night if this is a system at home. They could even know your location just by having a keylogger on your phone, and be able to track you through the day to figure out your habits.

It’s not as victimless as you think

No matter how many times you hear of keyloggers, you probably don’t realize the truth of the matter: the reason to install a keylogger on a system is money, extortion, or blackmail. These are just a few of the reasons why a threat actor would do this. They’re usually doing it for money, but not always; they will also do it to make a statement or gain access to information. This is where the value of keylogging comes into play: anything a user does can potentially yield valuable information, from blackmailing someone because they are visiting sites they shouldn’t be visiting for pleasure, to getting the information needed to impersonate someone to gain access or ruin their credit. All of these can bring shame to the victim and make it even harder to recover. This is one reason security has always been one of those hit or miss areas in IT. As soon as we find the program, infection, or worm, they go about coming up with new ways to do it all over again. You see, we are always trying to analyze the structure of the programs they create and find them in the wild. So as soon as we know about a program, they have to change it to be able to use it again on other systems.

How the IATA travel pass can verify USA or other countries vaccine cards

Example of a CDC Vaccine Card

Verification of Vaccine Cards

Several countries around the world want a way to verify that people coming into their country have gotten the vaccine. There have been a number of news articles about people who have faked the vaccine card for one reason or another, usually just because they don’t feel they need to get the vaccine. Requiring vaccine cards has never been new or original in traveling around the world. There have always been countries that require vaccines like rubella or Hepatitis B to enter. We’ve seen many countries that would like proof of vaccination and proven ways to know that it’s not forged.

Stopping the forgery

Each country is wondering how it can stop the forgery of vaccine cards. No country wants to take financial responsibility for someone who might get really sick due to COVID-19. This is why countries really want a way to know that someone has gotten the vaccine. The problem is that some people think they really don’t need the vaccine because of herd immunity, so why are countries so worried about it? It’s one way to know that a traveler’s immune system has been given enough protection against the severe version of COVID-19. I am sure there are other reasons, but that is what I always hear.

The IATA Travel Pass Verification

When I say that IATA could verify that vaccine cards from the USA or other countries are authentic, I am saying something that no airline could do. Countries may want to verify vaccine cards from countries that don’t share their vaccine data due to laws, such as the US. In that case, IATA can at least do some minor checks while you register for a vaccine passport in their IATA Travel Pass app. I’m going to talk at length about this, so please be patient; maybe someone will actually implement this in the IATA Travel Pass app.

There are several ways they can verify that the picture of the vaccine passport is authentic. They can have the IATA Travel Pass do image searches to see if there are images that are identical or close to the one being submitted. There are several ways you can do that:

These are only two of several ways they can search the web and find out whether the vaccine card being submitted is not authentic or original.

Images not on the Internet

What if the criminals are being sneaky and keeping these cards off the internet? What options does the IATA Travel Pass have to verify that a card isn’t being used in other countries or on other IATA Travel Pass accounts? This is where it gets really interesting, because there are several ways to verify that the vaccine card hasn’t been used before. They can compute the hash value of the picture and store it on their servers for later. Don’t worry, the hash value doesn’t save the picture on the server; it keeps only the hash value, so they can search for that value later, and probably also the account it is associated with, for security reasons.

Imaging Hashing by pyimagesearch

As you can see, it is really an easy process for phones around the world to hash a picture and send the hash to a server, either to search for a copy or to record it so no other person can use it. I really suggest you go check out the pyimagesearch site and see all the ways that can be used to search for a duplicate hash. This would be a great resource for authenticating whether a vaccine card is unique or not.
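To make the hash idea concrete, here is an added example (not code from the post or from pyimagesearch): a dependency-free difference hash (dHash) of the kind pyimagesearch describes, plus the server-side registry the post proposes. A cryptographic hash would change on every re-photograph, so a perceptual hash that survives lighting changes is the right tool here. Images are plain lists of grayscale rows, the card images are constructed test data, and the DUPLICATE_THRESHOLD value is an assumption.

```python
"""Added example (not from the original post or pyimagesearch): a difference
hash ("dHash") over a plain list-of-rows grayscale image, and a registry that
stores only hashes plus the submitting account.  The card images are
constructed test data; DUPLICATE_THRESHOLD is an assumed tuning value."""

HASH_SIZE = 8             # 8 rows x 8 comparisons = 64-bit hash
DUPLICATE_THRESHOLD = 10  # Hamming distance at or below this counts as "same card"


def resize_nearest(image, width, height):
    """Shrink to width x height by nearest-neighbour sampling (a real app would box-average)."""
    src_h, src_w = len(image), len(image[0])
    return [[image[r * src_h // height][c * src_w // width] for c in range(width)]
            for r in range(height)]


def dhash(image, hash_size=HASH_SIZE):
    """Difference hash: one bit per adjacent-pixel pair, set when the right pixel is brighter."""
    small = resize_nearest(image, hash_size + 1, hash_size)
    bits = 0
    for row in small:
        for c in range(hash_size):
            bits = (bits << 1) | (1 if row[c] < row[c + 1] else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes (0 = identical, 64 = nothing in common)."""
    return bin(a ^ b).count("1")


class CardHashRegistry:
    """Keeps only hashes (never the pictures) and which account first submitted each one."""

    def __init__(self, threshold=DUPLICATE_THRESHOLD):
        self.threshold = threshold
        self.seen = {}  # hash -> account

    def register(self, account, image):
        h = dhash(image)
        for known, owner in self.seen.items():
            if hamming(h, known) <= self.threshold:
                return ("already_registered", owner) if owner == account else ("duplicate", owner)
        self.seen[h] = account
        return ("new", account)


# Constructed images: a smooth gradient stands in for a scanned card.
def make_card(width=18, height=16):
    return [[col * 10 + row for col in range(width)] for row in range(height)]

def brighten(image, delta):   # the same card re-photographed under different light
    return [[min(255, p + delta) for p in row] for row in image]

def invert(image):            # a genuinely different picture
    return [[255 - p for p in row] for row in image]


if __name__ == "__main__":
    registry = CardHashRegistry()
    card = make_card()
    print(registry.register("alice", card))             # ('new', 'alice')
    print(registry.register("bob", brighten(card, 5)))  # ('duplicate', 'alice')
    print(registry.register("bob", invert(card)))       # ('new', 'bob')
```

The brightened copy hashes identically because dHash only records which neighbouring pixel is brighter, so a second account reusing someone else’s card photo is caught without the server ever holding the image.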

Examine the Metadata

Metadata, according to Google, is “a set of data that describes and gives information about other data.” Basically, when you take pictures with your phone, your phone records what type of phone was used and many other things, sometimes including the GPS location where the image was taken. So they can examine the metadata and see a lot about where the submitted picture of the vaccine card is coming from, and also keep a record of that information in a database for reference, for obvious reasons. They can also reject photos that were edited before being uploaded. For example, there is a good little photo editor called Snapseed; it’s a great little app that can be used on Android devices to edit or change a photo.

Once a photo has been edited, the metadata would show that it was edited by Snapseed or other photo editing software, and it should be thrown out for that security reason. So if someone is trying to get around the vaccine authentication, they would probably have a very hard time verifying their vaccine card.

This is what I think should be implemented in the IATA Travel Pass to help governments know that vaccine cards are as authentic as possible. I won’t say that people will not come up with ways to still submit forgeries; that will always be a problem. It will, however, make it more difficult for them. It is my hope that we won’t have to use this for very long and that it will just be a stop-gap way to get travelers back to traveling around the world.

What do you think about this idea? Do you think they did this or do you think they will do this in the future? What’s your experience with the IATA travel pass?

Are you treating your passwords like Underwear?

Really nothing like underwear!

I am perplexed

A meme or poster I saw on Facebook has me thinking about password security. What is a good way to tell people about password security? Is it as simple as this poster says? Could we use some really bad passwords over and over again? Let’s explore the really good questions this raises. I’ll talk about what might very well help with your password security. These are just a few things that stick out in my mind, but they do help create a strong password. I know I’ve talked about some of these in the past, but sometimes it is good to talk about them again.

Password Manager

Nowadays, if you don’t have a good password manager, then you are really not keeping your passwords safe. Like the poster says, we usually write down our passwords on a piece of paper on the desk. Instead we should securely put them in a vault somewhere. Should we use something like Google to hold our passwords? That’s a good start; I’d be willing to bet they do a really good job of it. I personally love LastPass and have used it for years and years. Even though there is a lot of balancing between a password manager and your lifestyle, it can be helpful to keep your passwords safe and away from prying eyes.

Keep away from easy passwords

Easily guessable passwords will make you lose your accounts quicker than anything. So keep away from weak passwords and passwords that anyone can guess. I talked in the past about the top ten passwords that people use, and you can bet most hackers will try them to get into your accounts or others’. Using a good password manager, and letting it create a hard password, is essential to keeping your accounts safe from hackers.

Two factor Authentication

I’ve always said that having two-factor authentication can also help prevent your account from being hacked. It will prevent a hacker from getting instant access to your account and can even warn you that you’ve been hacked. You can use something like a YubiKey, but since most of us have cell phones, I just use SMS for verification. I’ve even recommended Google Authenticator for this purpose. It is almost like a one-time password and can save you money in the long run!

Don’t use same passwords

I have talked about this in the past too, but you should never use the same password twice on any of your really important websites, like banking or electricity websites. You can keep up to date on whether you need to change your passwords by checking the Have I Been Pwned website. It’s never a bad idea to go and check every year to see if you need to change them.
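Checking a password against Have I Been Pwned does not mean sending the password anywhere. The example below is added here and is not code from the post or from Have I Been Pwned; it runs the k-anonymity range check fully offline against a constructed range response (the breach counts are made up, though the suffix line for "password" is its real SHA-1 suffix).

```python
"""Added example (not from the original post): the k-anonymity range check
used by Have I Been Pwned's Pwned Passwords service, run fully offline.  Only
the first five hex characters of the password's SHA-1 hash would leave the
machine.  The range response below is constructed (counts are made up); the
suffix for "password" is its real SHA-1 suffix."""
import hashlib


def sha1_prefix_suffix(password: str):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix (sent) and 35-char suffix (kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Parse 'SUFFIX:COUNT' lines from a range response; 0 means no known breach contains the password."""
    for line in response_text.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def breach_count(password: str, fetch_range) -> int:
    """fetch_range(prefix) returns the response text for that 5-char prefix.
    Live, that is GET https://api.pwnedpasswords.com/range/<prefix>; the demo injects a fake."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range_response(suffix, fetch_range(prefix))


# Constructed stand-in for a range response (real responses hold hundreds of lines).
CONSTRUCTED_RANGE_RESPONSE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
2A7C9C06C9B5A8A57CD8E4F4F7EC6C4C5C5:3
"""


def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for the HTTP call; returns the same constructed range whatever the prefix."""
    return CONSTRUCTED_RANGE_RESPONSE


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, fake_fetch_range)
        verdict = f"seen in {n} breach records, change it" if n else "not in this range"
        print(f"{pw!r}: {verdict}")
```

A non-zero count is the signal to change that password everywhere it was reused, which is why reuse on important sites is the real danger the paragraph warns about.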

If you are like me, you are constantly trying to keep your passwords safe and secure. Do you have any recommendations or suggestions? Why not leave a comment? I’d love for you to share and talk about how you keep yourself safe.