Does your Red Team get to target people’s home computers and networks? I am guessing that a great big “nope” for almost every company I know of.
Seems plausible. I wonder if we will know for sure.
Quote Tweet
Replying to @_MG_
Probably wrong, but man what a big coincidence that a media software package was attributed to the LastPass breach on Aug 12. And ~2 weeks later Plex announced a big breach. techcrunch.com/2022/08/24/ple
Just to be clear: while there is plenty to criticize about the LastPass product, the transparency of what was posted today is great. It actually gives me some hope that I didn’t previously have. The attacks seen here could happen to any company. Most would have handled it much…
It was Plex. They exploited Plex to get into the home network, installed a keylogger on a home laptop, and got the corp vault password because the home laptop was logging into it. Targeted high value employee shortly after the arstechnica.com/information-te
4 people who have access to “the keys to the kingdom”. At least 1 of them was accessing them from a home computer. For how long without anyone noticing? If that didn’t raise flags, then it won’t for an attacker either. Helping them harden their home network is nice, but there needs to be some big cultural improvements & better controls/detections.
Seeing a lot of people ask “why didn’t 2FA stop this?” Well, I know of no password manager where 2FA protects anything but the account that is used to download your vault. Once you have the vault (which was probably on the home computer) all you need is the vault password. And…
Quote Tweet
The above is detailed in this 2015 presentation by @algillera & @martin_vigo. Along with some other fun details that STILL WORK today. If you ever wanted to dump someone's entire LastPass vault, this is where you start :D blackhat.com/docs/eu-15/mat
For anyone knocking LastPass for hiding the new updates (noindex, etc), you are missing an important detail. The new material is still under embargo between LastPass & their biz customers in an attempt to give them time to apply changes before the LastPass blog goes up. Biz…
It is still difficult to decipher if passwords were stolen or can be accessed. They state that through their "zero knowledge architecture" LastPass does not know/store/maintain end user master passwords. Then they say they might brute force attempt to decrypt the db copy.
Getting your historical vault contents is something that will likely happen eventually. But it’s not the only risk to be concerned about:
Quote Tweet
Great writeup by @jmgosney on the collective security posture of LastPass, why you should run far away from it, and some suggested alternatives. Cliffs: LastPass DGAF infosec.exchange/@epixoip/10958
2FA on the vault? I know of no password manager where the 2FA protects the vault. It protects your account, which will let you download the vault. If you are on a computer that already has the vault, 2FA does nothing. (Not to mention the multiple ways you can get into the vault…
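The point made in this reply and earlier in the thread (a second factor gates the account that downloads the vault, not the decryption of a vault file that is already on a machine) is easier to see in code. What follows is an added, constructed example, not LastPass's code or format: the toy vault layout, the PBKDF2 cost in `ITERATIONS`, the stdlib-only HMAC-based encryption and the `audit_kdf_cost` policy check are all assumptions made for illustration.

```python
"""Toy password-manager vault (constructed example, not a real vendor format).

The vault blob is encrypted under a key derived only from the master password.
Unlocking it therefore needs nothing but the blob and that password: no
account login and no second factor is consulted on this path. The only cost an
attacker holding the blob pays is the key-derivation work, which is why the
KDF iteration count is the defender's main lever for data already copied.
"""
import hashlib
import hmac
import json
import secrets

ITERATIONS = 600_000  # assumed KDF cost for new vaults (OWASP's PBKDF2-SHA256 figure)


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into 64 bytes: 32 for encryption, 32 for the MAC."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               iterations, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stdlib stand-in for a real AEAD cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(master_password: str, entries: dict, iterations: int = ITERATIONS) -> dict:
    """Produce the blob a client would sync to the server and cache locally."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    key = derive_key(master_password, salt, iterations)
    enc_key, mac_key = key[:32], key[32:]
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "iterations": iterations,
            "ct": ciphertext.hex(), "tag": tag.hex()}


def decrypt_vault(master_password: str, blob: dict):
    """Offline unlock: blob + master password only. Returns None on a wrong
    password or a tampered blob. Note that no second factor appears anywhere."""
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ciphertext, tag = bytes.fromhex(blob["ct"]), bytes.fromhex(blob["tag"])
    key = derive_key(master_password, salt, blob["iterations"])
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time tag check
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def audit_kdf_cost(blob: dict, minimum: int = ITERATIONS) -> bool:
    """Defender-side check: is a cached/synced vault stretched hard enough that a
    stolen copy is expensive to guess against? Old vaults often keep the
    iteration count they were created with, so this is worth auditing."""
    return blob["iterations"] >= minimum


if __name__ == "__main__":
    entries = {"example.test": {"user": "alice", "password": "constructed-secret"}}
    blob = encrypt_vault("correct horse battery staple", entries, iterations=20_000)
    print("unlock with password only:", decrypt_vault("correct horse battery staple", blob))
    print("wrong password:", decrypt_vault("wrong password", blob))
    print("meets current KDF policy:", audit_kdf_cost(blob))
```

The shape of the argument is the same for any manager that caches an encrypted vault on the endpoint: account-level 2FA protects the server download, while the cached blob is protected only by the master password's strength and the KDF cost, so controls on the endpoint (no vault access from unmanaged home machines, keylogger detection) and a high, regularly re-audited iteration count are what actually cover this path.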
For years now, if I require production access at home, I ask for a dedicated work machine I leave at home. Or a floater we share with non-call support.