After PSN. Who's next?

[phitsc]

http://blog.lastpass...ty-notification.html

[zridling]

I don't get it. What am I reading here, could you clarify?

[ewemoa]

It sounds like LastPass is saying they may have had a breach -- PSN is a reference to the recent SONY incident, perhaps?

[Renegade]

Ouch.

When I worked at ESTsoft, they got around that problem entirely in ALPass Online.

Instead of storing salt and the like, the database had strong encryption and was only ever decrypted on the client. (IIRC) If you ever forgot your password, you were screwed though because YOU were the only one that ever had access to it. As such, warnings were BIG and LOUD.

[phitsc]

I don't get it. What am I reading here, could you clarify?

-zridling (May 05, 2011, 05:25 AM)

Yeah, sorry about being a bit woolly here. Like ewemoa said: PSN is Sony's Playstation Network which was hacked a week or two ago. Basically, 77 million user's private data including password and possibly credit card information was stolen.

The message about LastPass just reminded me that, assuming Sony's IT guys are not complete idiots, what could happen to them could happen to others as well.

[TheQwerty]

Briefer version of the LastPass post: They saw an increase in activity on their server network and from one of their databases, but have been unable to identify the cause and are thus treating it as an intrusion.

It's possible that an intruder got the server's salt, users' e-mail addresses and their salted master-password hashes.  This means they could attempt to brute-force the hashes in the hopes of uncovering some passwords, use these to log in, and then would have access to the user's stored passwords.

To prevent this LastPass are forcing all users to reset their master-passwords, while they rebuild/verify the affected machines, and explore the anomaly.


It's nice to see LastPass taking the correct actions as Sony stumbles around for another month.

[tomos]

Re LastPass:

I was not forced to change my master password, but I did. It proceeded to re-encrypt everything.
now though, when I log in, I'm getting this message:
-------------------------------------
An error has been encountered while loading your site
Please relogin
------------------------------------
it is recognising the new password - it actually briefly showed my page on one attempt, but with most text not showing & with some weird unicode characters. I dont even know if I have a backup of this stuff (but I did just recently import most of it from Roboform).
So I suspect a problem with their re-encryption...

[40hz]

Happened to Ashampoo in April, although they took pains to let us know customer credit card information was supposedly not part of what got compromised.

Which data were stolen?

The stolen pieces of information are data of addresses such as name and e-mail address. Billing information (e.g. credit card information or banking information) is definitely not affected, because our shop service contractors are concerned with this data and it is not stored on our system.

This is the letter they sent out to their customers.

OK...who's next? 

[superboyac]

This is exactly why I go out of my way to avoid cloud services.  Especially passwords...I don't see how people are comfortable storing ALL of their passwords in the cloud with another company.  I don't care what they say about encryption and security...it just doesn't seem wise to me.

[phitsc]

This is exactly why I go out of my way to avoid cloud services.  Especially passwords...I don't see how people are comfortable storing ALL of their passwords in the cloud with another company.  I don't care what they say about encryption and security...it just doesn't seem wise to me.

-superboyac (May 05, 2011, 08:57 AM)

The cloud is just so damn comfortable for certain things, especially for us geeks who are using multiple devices and computers.

But I agree with your concerns. Even if cloud service companies try to do everything to keep our stuff safe, there are still people operating these companies, and people just make mistakes. Also, while one can prove mathematically that encryption is safe, there is still all this technology around it that is not free of bugs.

[superboyac]

This is exactly why I go out of my way to avoid cloud services.  Especially passwords...I don't see how people are comfortable storing ALL of their passwords in the cloud with another company.  I don't care what they say about encryption and security...it just doesn't seem wise to me.

-superboyac (May 05, 2011, 08:57 AM)

The cloud is just so damn comfortable for certain things, especially for us geeks who are using multiple devices and computers.

But I agree with your concerns. Even if cloud service companies try to do everything to keep our stuff safe, there are still people operating these companies, and people just make mistakes. Also, while one can prove mathematically that encryption is safe, there is still all this technology around it that is not free of bugs.

-phitsc (May 05, 2011, 09:06 AM)

That's why in the previous months I was asking so many questions about how to seamlessly connect to my own server using mapped drive letters.  I was trying to set up my own private cloud.  But it's so freaking complicated and seemingly impossible without enterprise equipment or software.  If I could set up a home server, and I can map folders/drives to other computers with a reliable connection, I don't need cloud services.

[Lashiec]

I guess they should change their motto, huh?

"LastPass. The TWO last passwords you'll ever need"

Security breach or not, the PSN and SOE fiascos should be the wakeup call for many companies to thoroughly review their security infrastructure, specially after the several high-profile incidents that occurred during the past months. So props to LastPass for acting when someone cries wolf.

[40hz]

I guess they should change their motto, huh?

"LastPass. The TWO last passwords you'll ever need"

-Lashiec (May 05, 2011, 09:20 AM)

As they will whoever finally succeeds in hacking LastPass.

Sad truth is, something like LastPass is such a visible and high value target for a team of criminal hackers that it's only a matter of time and resources.

Even encryption is becoming less and less effective as advances in hardware and clustering technologies are bringing capabilities that were once the domain of multi-million dollar supercomputers down to the desktop level. Most cryptography will eventually go the way of the dodo bird.

Nobody can even dismiss '"brute force" cracking techniques as being impractical any more. Today's multicore CPUs make it an extremely workable crack for most passwords people are able to commit to memory. One decent computer plus some free software (easily found and downloaded from the web) can get you past 99% of the passwords most people come up with. Even the so-called "strong" passwords. 10 or more characters? Piece of cake! Mix of uppercase, lowercase, numbers and symbols? No problem - got it covered! No "dictionary" words? Don't make us laugh...

Dangerous world out there. Watch where you put your keys.

---

P.S. I had a client's employee lock him out of a set of company spreadsheets after the employee was informed he might get laid off. Must have thought doing that would get him some job security rather than realizing it's a felony in many places. This employee used a complex 16-character highly randomized password to lock those files.

It took an i3 laptop and some open source freeware less than ten minutes to crack it.

Hayduke Lives!  

[tomos]

I was not forced to change my master password, but I did. It proceeded to re-encrypt everything.
now though, when I log in, I'm getting this message:
-------------------------------------
An error has been encountered while loading your site
Please relogin
------------------------------------
it is recognising the new password - it actually briefly showed my page on one attempt, but with most text not showing & with some weird unicode characters. I dont even know if I have a backup of this stuff (but I did just recently import most of it from Roboform).
So I suspect a problem with their re-encryption...

-tomos (May 05, 2011, 08:33 AM)

^ this is sorted now -
NOTE: they no longer store your password, which I guess is safer - but I dont know if it now works as renegade describes:

Instead of storing salt and the like, the database had strong encryption and was only ever decrypted on the client. (IIRC) If you ever forgot your password, you were screwed though because YOU were the only one that ever had access to it. As such, warnings were BIG and LOUD.

-Renegade (May 05, 2011, 05:30 AM)

[phitsc]

Nobody dismisses '"brute force" cracking techniques as being impractical any more. Today's multicore CPUs make it an extremely workable crack for most passwords people are able to commit to memory.

-40hz (May 05, 2011, 09:55 AM)

Check this out concerning brute force cracking of passwords. Was posted just recently somewhere.

[40hz]

Nobody dismisses '"brute force" cracking techniques as being impractical any more. Today's multicore CPUs make it an extremely workable crack for most passwords people are able to commit to memory.

-40hz (May 05, 2011, 09:55 AM)

Check this out concerning brute force cracking of passwords. Was posted just recently somewhere.

-phitsc (May 05, 2011, 10:12 AM)

Very cool article!

Interesting read, although some of it seems a bit optimistic, and doesn't quite match what I've seen in the field when it comes to cracking even supposedly random passwords. I'm also guessing the guy who recovered the passwords for my client used something a tad more sophisticated than a simple brute force crack tool when he did.

The security company I'm most familiar with has a 3-man team that can crack or penetrate almost anything they go up against in less than 24 hours. Admittedly, all three have hairy-scary 'spook' and 'black op' backgrounds. But this is exactly the type of team that would be sent to hit something like LastPass. These guys are white hats. But I'm sure there is comparable 'black hat' talent out there looking for work.

Definitely need to learn much more about this topic than I currently do.

[Stoic Joker]

Check this out concerning brute force cracking of passwords. Was posted just recently somewhere.

-phitsc (May 05, 2011, 10:12 AM)

Very cool indeed, thanks for sharing.

To-Do List:
 Add line "this is fun" to all hacking dictionary files.

[nudone]

Hmm, I'm now beginning to wonder if any password stored service is safe. This story is going to become increasingly common I suspect. Not good.

[Stoic Joker]

Hmm, I'm now beginning to wonder if any password stored service is safe. This story is going to become increasingly common I suspect. Not good.

-nudone (May 05, 2011, 11:48 AM)

My guess would be no ... Unless you're using a copy of f0dder's fskrit from an online file storage.

[zridling]

PSN is Sony's Playstation Network which was hacked a week or two ago. Basically, 77 million user's private data including password and possibly credit card information was stolen.

-phitsc (May 05, 2011, 05:50 AM)

Thanks for the follow up. Been following that story, and just as Amazon lost data last month, cloud security is hit or miss. Good thing I don't play online games.

[Renegade]

Nobody dismisses '"brute force" cracking techniques as being impractical any more. Today's multicore CPUs make it an extremely workable crack for most passwords people are able to commit to memory.

-40hz (May 05, 2011, 09:55 AM)

Check this out concerning brute force cracking of passwords. Was posted just recently somewhere.

-phitsc (May 05, 2011, 10:12 AM)

Good article. I was glad to see that they addressed the pass-phrase technique, especially as they showed just how good it is. I've heard people poo-poo on it as being useless.

[Shades]

The article is enlightening. Still, I can not help but think that people start to use common terms or something that is is closely related to them...making the attack that much easier than the suggested years it takes to crack it.

Seriously limiting the amount of logins per time interval and "penalty boxes" are key to the suggestions made in the article. But those are also good to implement in current applied protection schemes.

[Deozaan]

assuming Sony's IT guys are not complete idiots

-phitsc (May 05, 2011, 05:50 AM)

That's quite an assumption to make. Consider the following evidence:

In congressional testimony this morning, Dr. Gene Spafford of Purdue University said that Sony was using outdated software on its servers — and knew about it months in advance of the recent security breaches that allowed hackers to get private information from over 100 million user accounts.

-http://consumerist.com/2011/05/security-expert-sony-knew-its-software-was-obsolete-months-before-psn-breach.html

Also, I don't know exactly how it works, but the way the PS3 was finally hacked was the master key could be figured out because Sony used a static/constant number in the encryption scheme where there should have been a completely random number.

[phitsc]

assuming Sony's IT guys are not complete idiots

-phitsc (May 05, 2011, 05:50 AM)

That's quite an assumption to make. Consider the following evidence:

In congressional testimony this morning, Dr. Gene Spafford of Purdue University said that Sony was using outdated software on its servers — and knew about it months in advance of the recent security breaches that allowed hackers to get private information from over 100 million user accounts.

-http://consumerist.com/2011/05/security-expert-sony-knew-its-software-was-obsolete-months-before-psn-breach.html

Also, I don't know exactly how it works, but the way the PS3 was finally hacked was the master key could be figured out because Sony used a static/constant number in the encryption scheme where there should have been a completely random number.

-Deozaan (May 05, 2011, 10:02 PM)

I think that would be really embarrassing for them. Nevertheless, I'm tempted to assume that if they don't take the security of their main online system more serious, other's don't to so either.

[cthorpe]

Don't know how I feel about this one.  I do think they are taking the right steps, and they even admitted that they are taking the paranoid course of action.  Then again, it's not like they notified their users, as I only found out about this from reading this thread.

I started using LastPass when Roboform reneged on their lifetime update policy.

I tried KeePass, but it kept autofilling the wrong fields in Firefox.

More than once, I accidentally changed my wifi wpa keys because of it, and websites were constantly giving me errors after I filled in forms.

So now I am with LastPass.  My LastPass key is 32 psuedorandom characters that include uppercase, lowercase, numbers, and symbols.  I have my LastPass key stored in a KeyPass database that is protected with an 18 character key that I generated using the first letters of a specific sentence on a specific dvd that was sitting on my desk with uppercase and lowecase letters as indicated in the sentence and random punctuation thrown in.

I am pretty sure my LastPass is pretty well out of reach of brute force cracking at this time.