DBSA:2015-0006

From Digibase Knowledge Base
Latest revision as of 16:31, 15 June 2015

Disclaimer: as technology changes, advisories may become out of date or no longer relevant. Please refer to the "Date" field of the header to confirm that the advisory is recent enough to apply to your situation.

Digibase Security Advisory - Lastpass Compromise

Keywords: Lastpass, compromise, passwords, database, keys, rekey

DBSA ID: 2015-0006

Regarding: Lastpass Compromise

Writeup: Kradorex Xeron (talk) 17:00, 15 June 2015 (EDT)

Date: 2015 06 15

Last Modified: 2015-06-15 16:31:08 by Gung-ho Gun

Who should take note: All current and potential Lastpass users

Classification

Priority: HIGH

Rationale: Passwords may become compromised through credential leaks.

Severity: HIGH

Rationale: The service is used to store highly sensitive credentials, up to and including those protecting financial accounts.

Spread of Issue: MULTI-PLATFORM MODERATE

Rationale: The service is fairly widely used across many different classes of devices.

Description

Lastpass is a service that lets users store sensitive information, including keys and passwords, in a central database that is unlocked with a single master password for convenience. The stored credentials are typically used for forums, blogs, website administrator logins, banking and shopping sites, system administration interfaces, and many other services requiring authentication.

Recently, Lastpass's network was compromised, permitting attackers to harvest the user database, including email addresses, password hashes and the per-user salts, as well as other information. A salt does not make a hash harder to compute; it prevents the use of precomputed tables and forces each user's hash to be attacked separately. With both the hashes and their salts in hand, attackers can verify master-password guesses offline at will, so weak or reused master passwords stand a real chance of being recovered.
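The point that a leaked hash plus its salt allows offline guessing, as an added example that is not Lastpass's code, scheme or data: it assumes a hypothetical server-side record of PBKDF2-HMAC-SHA256 over the master password with a per-user salt, a constructed two-row leak and a constructed guess list. It shows that a weak master password falls to a single dictionary pass while a long random passphrase does not, and that the salt only forces the attacker to pay the KDF cost once per user per guess rather than once per guess list.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Optional, Tuple

# Assumed KDF work factor for the demo.  Real services use far higher counts;
# the count is exactly what makes each guess in crack() expensive.
ROUNDS = 2000

# Stand-in for "no salt": the same fixed value for every user.
FIXED_SALT = b"\x00" * 16


def derive(password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Hypothetical server-side authentication hash: PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def make_record(email: str, master_password: str, salt_hex: str) -> Dict:
    """Build one row as it would sit in the server's user table."""
    salt = bytes.fromhex(salt_hex)
    return {"email": email, "salt": salt, "rounds": ROUNDS,
            "hash": derive(master_password, salt)}


# Constructed two-row "leak": one weak and one strong master password.
# Not real data; the salts are arbitrary hex chosen for the demo.
LEAKED = [
    make_record("alice@example.com", "Summer2015!",
                "5f1d3c8a9b2e4d6f7a8b9c0d1e2f3a4b"),
    make_record("bob@example.com", "quartz-lantern-orbit-velvet-93",
                "00112233445566778899aabbccddeeff"),
]

# Constructed guess list standing in for a real cracking dictionary.
WORDLIST = ["password", "123456", "letmein", "Summer2015!", "P@ssw0rd", "lastpass1"]


def crack(record: Dict, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Offline dictionary attack on one leaked row.

    Returns (recovered password or None, number of KDF evaluations).  Because
    the salt is per user, every guess costs one full KDF run for this row only.
    """
    evaluations = 0
    for guess in wordlist:
        evaluations += 1
        candidate = derive(guess, record["salt"], record["rounds"])
        if hmac.compare_digest(candidate, record["hash"]):
            return guess, evaluations
    return None, evaluations


def crack_all(records: Iterable[Dict], wordlist: Iterable[str]) -> Dict:
    """Attack every leaked row.  Total cost grows as users x guesses."""
    wordlist = list(wordlist)
    results: Dict = {}
    total = 0
    for rec in records:
        found, n = crack(rec, wordlist)
        results[rec["email"]] = found
        total += n
    results["_kdf_evaluations"] = total
    return results


def unsalted_table(wordlist: Iterable[str], rounds: int = ROUNDS) -> Dict[bytes, str]:
    """Contrast case: with no per-user salt, the attacker hashes the guess
    list once and then looks every user up in constant time.  This is the
    attack a per-user salt removes; it does nothing against crack()."""
    return {derive(guess, FIXED_SALT, rounds): guess for guess in wordlist}


if __name__ == "__main__":
    outcome = crack_all(LEAKED, WORDLIST)
    for email, found in outcome.items():
        if not email.startswith("_"):
            print(f"{email}: {'recovered ' + found if found else 'not in wordlist'}")
    print("KDF evaluations spent:", outcome["_kdf_evaluations"])
```

Raising ROUNDS makes every guess proportionally slower for the attacker, but the defender pays that cost only once per login; a long random master password is what makes the guess list itself useless.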

Lastpass claims that the "Vault" data was not compromised.

This is not the first incident of this kind at Lastpass. The previous compromise on record, on 3 May 2011, was strikingly similar: again, password hashes and salts were compromised.

Mitigation/Solution

At a minimum, it is strongly advised to rekey all private keys stored in the vault and to change every password it holds, starting with the master password itself, since that is what the leaked hashes protect. Beyond that, users should reconsider relying on services such as Lastpass at all: their authentication credentials are then at the mercy of a third party's security practices, which they cannot fully audit or restrict. It is especially relevant that this has happened before and that there is no guarantee it will not happen again.

Despite Lastpass's claim that the "Vault" data was not compromised, it is still advised to treat the stored data as at least partially compromised and act accordingly.
