SANS NewsBites

LastPass Breach Compromised Customer Vault Data; Linux Kernel Vulnerability; Outdated IT Contributed to Southwest Airlines Cancellations

December 30, 2022  |  Volume XXIV - Issue #99

Top of the News


2022-12-28

Update: LastPass Breach Compromised Large Amounts of Sensitive Data

On December 22, LastPass updated its notice about an August 2022 cyberattack that was disclosed in November. At that time, LastPass wrote that “an unauthorized party … was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted.” The December 22 update notes that “the threat actor was also able to copy a backup of customer vault data from the encrypted storage container” as well as other sensitive customer data.

Editor's Note

Aside from leaking customer data, which should be expected to leak after it was stored in the cloud, LastPass relied solely on a user-selected passphrase to protect the password information, and failed to encrypt some additional data included in the password vault. Competitors include a machine-selected random string in addition to the user-selected passphrase to create the encryption key. But aside from the technical details and shortcomings, this significant breach is the result of a business model that justifies subscription revenue by offering cloud-based services to synchronize password vaults across devices. Prior to implementing subscription-based pricing, some password managers offered local peer-to-peer synchronization not requiring the storage of password vaults outside of devices using them.

Johannes Ullrich

From a password manager perspective, based on the information we have this appears to be close to a worst case scenario. However, keep in mind it appears that the cyber threat actors have access to the encrypted password vault, not the passwords themselves. This means how long it takes for your passwords to be accessed depends on the strength of your Password Manager password (which should be VERY strong) and / or how LastPass approached the encryption of those vaults. Are Password Managers still a good idea? I feel absolutely yes. However, I would most likely use a different vendor (LastPass has had numerous problems in the past). In addition, this is where MFA is so important, as it provides that second layer of defense. Finally, Passkeys (FIDO / phishing resistant MFA) will help resolve many of these issues, making authentication not only simpler for people, but stronger.

Lance Spitzner

Think of a scenario like this where a threat actor obtains access to your backup data along with the keys to decrypt it, by leveraging compromised information to compromise an employee with access to those keys. Review the access controls you have on information stored in the cloud, particularly concentrated collections such as backups, ensuring they are strongly encrypted and access to that data is monitored; then review who has access to those keys and how that access is controlled. For data exfiltrated from LastPass, the sensitive data elements within those containers are protected by unique AES 256-bit keys derived from your master password, which LastPass doesn't have. Even so, review stored accounts, enabling MFA wherever possible, and if you decide to switch password managers, don't update the LastPass repository with your revised credentials.

Lee Neely

The reality of attackers making off with entire vaults that also contain some unencrypted information that could still be considered sensitive or identifying is just too much. This is not LastPass’ first or second cyber breach. While LastPass has been handling their duty to report well, they have not been improving their cyber defenses sufficiently as a response to these breaches. My questions: 1) How is a data transfer of protected customer vaults not alerting? 2) How does an increase in traffic go unnoticed? 3) Finally, why is customer data kept in their vault unencrypted?

Curtis Dukes

It is to be hoped that 2023 will see the widespread adoption of Passkeys, the safest and most convenient mechanism for user authentication. While it will reduce the risk of fraudulent reuse of credentials and of social engineering attacks against users, it will not reduce the responsibility of those in the IAM business for protecting the other sensitive data that they hold about their customers. It is not clear that they are up to the task; users must consider the risk.

William Hugh Murray
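An added illustration of the key-derivation point in Johannes Ullrich's note (and of Lee Neely's remark that the vault keys are derived from the master password); this is not LastPass's or any competitor's code. The PBKDF2 iteration count, the HMAC step that mixes in the device-held secret, and the vault header layout are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed iteration count for the demo, not LastPass's or any vendor's real setting.
PBKDF2_ITERATIONS = 200_000

def derive_vault_key(passphrase: str, salt: bytes,
                     secret_key: Optional[bytes] = None) -> bytes:
    """Derive a 256-bit vault key.

    Passphrase-only design: key = PBKDF2-HMAC-SHA256(passphrase, salt).
    Two-secret design: the device-held random secret is mixed in with HMAC,
    so the key cannot be recomputed from the passphrase and salt alone.
    """
    pw_key = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, dklen=32)
    if secret_key is None:
        return pw_key
    return hmac.new(secret_key, pw_key, hashlib.sha256).digest()

def key_verifier(key: bytes) -> bytes:
    """Stored beside the vault so a client can confirm a derived key before decrypting."""
    return hmac.new(key, b"vault-key-check", hashlib.sha256).digest()

def create_vault(passphrase: str, secret_key: Optional[bytes] = None) -> dict:
    """Constructed vault header: salt plus key verifier (encrypted entries omitted)."""
    salt = secrets.token_bytes(16)
    key = derive_vault_key(passphrase, salt, secret_key)
    return {"salt": salt, "verifier": key_verifier(key)}

def unlock(vault: dict, passphrase: str, secret_key: Optional[bytes] = None) -> bool:
    """True if the candidate inputs reproduce the vault key (constant-time compare)."""
    key = derive_vault_key(passphrase, vault["salt"], secret_key)
    return hmac.compare_digest(key_verifier(key), vault["verifier"])

def demo() -> dict:
    """What someone holding only the exfiltrated vault can verify under each design."""
    passphrase = "correct horse battery staple"  # constructed sample passphrase
    device_secret = secrets.token_bytes(16)      # 128-bit machine-made secret, never uploaded
    passphrase_only = create_vault(passphrase)
    two_secret = create_vault(passphrase, device_secret)
    return {
        # Passphrase-only: the passphrase alone opens the stolen vault, so offline
        # guesses against it are verifiable; passphrase strength is the whole defense.
        "passphrase_only_opens": unlock(passphrase_only, passphrase),
        # Two-secret: the same passphrase opens it only when the device secret is present;
        # without it (or with a guessed one) even the right passphrase is unverifiable.
        "two_secret_opens_with_secret": unlock(two_secret, passphrase, device_secret),
        "two_secret_opens_without_secret": unlock(two_secret, passphrase),
        "two_secret_opens_wrong_secret": unlock(two_secret, passphrase, secrets.token_bytes(16)),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```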

2022-12-23

Linux Kernel Vulnerability

Researchers from the Zero Day Initiative have detected a critical use-after-free remote code execution vulnerability in ksmbd, the Linux kernel's in-kernel SMB server. The issue lies in the way SMB2_TREE_DISCONNECT commands are processed.

Editor's Note

In a pre-holiday "Grinch move", ZDI released limited details on this vulnerability and included a likely inflated CVSS of 10. Parties involved did not bother to assign a CVE number. ksmbd is a kernel-level implementation of the SMB protocol, in part replacing the existing user space implementation provided by Samba. It has only been included in quite recent versions of Linux, and needs to be enabled for your system to be vulnerable. Patches have been available for a few months now, and the chance of you running a vulnerable version is low, but better guidance is needed to identify affected kernels. As a rule of thumb: Linux-based network storage systems which implement SMB file sharing and were procured this year are possibly affected.

Johannes Ullrich

The bug affects the in-kernel SMB server designed to augment Samba, on systems running the Linux 5.15 kernel, such as Ubuntu 22.04. Odds are your enterprise apps are running on older kernels such as RHEL 8, so getting ahead of this may not be too bad. Check the kernel versions you have deployed, then for those running the 5.15 kernel, target first those with the ksmbd module loaded.

Lee Neely
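As an added example of the triage Lee Neely describes (not from the note, ZDI or any vendor tooling), this Python script ranks hosts from a constructed inventory of `uname -r` output and `/proc/modules` excerpts. It treats 5.15 and newer kernels as ksmbd-capable, a generalization of the note's 5.15 rule, since ksmbd was merged in 5.15; the hostnames and module listings are made up.

```python
import re
from typing import Dict, List, Tuple

# ksmbd was merged in Linux 5.15, the kernel the note names (Ubuntu 22.04 ships it).
KSMBD_MIN_KERNEL = (5, 15)

def kernel_version(uname_r: str) -> Tuple[int, int, int]:
    """Parse `uname -r` output such as '5.15.0-56-generic' into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", uname_r)
    if not m:
        raise ValueError(f"unrecognized kernel release string: {uname_r!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)

def ksmbd_loaded(proc_modules: str) -> bool:
    """True if /proc/modules lists ksmbd (first field of each line is the module name)."""
    return any(line.split()[0] == "ksmbd"
               for line in proc_modules.splitlines() if line.strip())

def triage(hosts: Dict[str, Tuple[str, str]]) -> List[Tuple[str, int, str]]:
    """Rank hosts: 0 = ksmbd-capable kernel with the module loaded (patch first),
    1 = capable kernel but module not loaded, 2 = kernel predates ksmbd."""
    ranked = []
    for name, (uname_r, proc_modules) in hosts.items():
        capable = kernel_version(uname_r)[:2] >= KSMBD_MIN_KERNEL
        if capable and ksmbd_loaded(proc_modules):
            ranked.append((name, 0, "ksmbd loaded: patch and verify first"))
        elif capable:
            ranked.append((name, 1, "ksmbd available but not loaded: keep it disabled"))
        else:
            ranked.append((name, 2, "kernel predates ksmbd: lowest priority for this bug"))
    return sorted(ranked, key=lambda r: (r[1], r[0]))

# Constructed inventory: (uname -r, /proc/modules excerpt) per host; not real systems.
SAMPLE_HOSTS = {
    "nas01": ("5.15.0-56-generic",
              "ksmbd 430080 0 - Live 0xffffffffc0a00000\n"
              "xfs 1650688 2 - Live 0xffffffffc0800000\n"),
    "web02": ("5.15.0-56-generic", "xfs 1650688 2 - Live 0xffffffffc0800000\n"),
    "app03": ("4.18.0-425.3.1.el8.x86_64", "nfsd 540672 1 - Live 0xffffffffc0900000\n"),
}

if __name__ == "__main__":
    for name, prio, why in triage(SAMPLE_HOSTS):
        print(f"[{prio}] {name}: {why}")
```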

2022-12-28

US Federal Government Will Investigate Southwest Airlines Flight Cancellations

US Transportation Secretary Pete Buttigieg says his agency will investigate what caused the unusually large number of flight cancellations over the holiday weekend. The company’s pilot and flight attendant unions said that Southwest ignored the need to upgrade its outdated computer systems, which contributed to the airline’s troubles in the face of winter storms.

Editor's Note

One of the first nationwide database applications was the American Airlines passenger reservation system, SABRE. AA built a new building in Briarcliff Manor, NY to house it. I trained under the developers of that system. (Yes, I have been in IT since the 50s.) Forty years later I worked on an engagement for British Airways. Passenger reservation occupied a couple of servers, but equipment and crew scheduling, getting equipment and crew where the passengers were, was the big money-making application. It is this system that failed Southwest. It did not fail because of hardware or software but simply because the design did not meet the requirements of the application. It did not have the data. And this in a world in which every crew member carries a network-connected mobile computer.

William Hugh Murray

I am reminded of how hard it is to truly implement high availability (HA) with effective fail-over. While technology has advanced to make this easier, getting there from here takes concentrated effort, staffing and IT investment, including documenting interdependencies. Your applications have to be engineered for this architecture. Layered on top of that are the complexities introduced with so much distributed and virtualized infrastructure; I've seen an increase in unexpected glitches, as we are all learning on the fly. It's a good thing we don't have adversaries looking for opportunities to take advantage of any weakness - oh wait...

Lee Neely

Unfortunately for travelers, this event was the perfect storm: weather, volume, outdated computer systems, and processes. As organizations grow market share through mergers and acquisitions, the need to architect company IT systems and processes becomes critically important. Southwest Airlines experienced a similar event several months ago; that should have been ample indication of a serious infrastructure problem. Lesson re-learned.

Curtis Dukes

2022-12-31

Holiday Hack Challenge

Join the annual SANS Holiday Hack Challenge and participate for FREE in a series of fun hands-on cybersecurity challenges. Available for all skill levels with a stellar prize at the end for the best of the best entries.

https://www.sans.org/mlp/holiday-hack-challenge/

The Rest of the Week's News


2022-12-28

TikTok Banned from US House Mobile Devices

The US House of Representatives Chief Administrative Office (CAO) has banned the use of TikTok on House-managed devices. At least 19 US states have already banned the app from government devices. In addition, the federal omnibus spending bill includes a provision banning TikTok from all government-managed devices.

Editor's Note

Any organization should limit the attack surface of mobile devices by limiting the number of applications installed. This doesn't just affect TikTok: many applications with unclear provenance should be avoided, in particular if they collect sensitive information or have access to sensors on the mobile device.

Johannes Ullrich

You should be assessing the risk of applications on devices processing corporate data, prohibiting those which pose unacceptable levels of risk. Make sure you understand who has access to data, where it's stored, as well as what permissions the apps are granted. Pay close attention to BYOD use cases: because you do not own those devices, you're legally on thin ice placing restrictions, so you'll need solutions which both isolate and track corporate data and also allow you to remotely wipe that information.

Lee Neely

The concern over TikTok is rooted in the ownership of the enterprise but all social network systems create and exploit sensitive personal information that would not even exist but for them. There is a systemic risk that this information will be abused by the nation states in which those systems are domiciled.

William Hugh Murray

2022-12-28

Thousands of Citrix Servers Remain Unpatched

Within the past two months, Citrix has released updates to address two critical flaws: unauthorized access to gateway user capabilities (CVE-2022-27510) and unauthenticated remote arbitrary code execution (CVE-2022-27518). Despite the fact that Citrix released fixes for the flaws on November 8 (CVE-2022-27510) and December 13 (CVE-2022-27518), thousands of Citrix Application Delivery Controller (ADC) and Gateway endpoints remain unpatched.

Editor's Note

The headline should probably read "Thousands of Citrix Servers are Compromised". If your system is still not patched: Assume it to be compromised.

Johannes Ullrich

Remember when you were certain nobody knew your stuff was not updated because "reasons"? Those days are gone; services like Shodan and Censys are really good at discovery and at providing that information. Keep anything directly accessible to the Internet, including boundary protection and remote access services, at the top of your update and monitoring list. If you're not patching because you can't get the downtime, you may want to recall that the cost of a single breach (CISA puts that at USD 10.1M for 2022) is likely more than the cost of implementing high availability or the productivity hit for those few outages needed to stay current.

Lee Neely

2022-12-28

Toronto Children’s Hospital Suffers Ransomware Attack

An apparent ransomware attack affecting the network of the Toronto (Canada) Hospital for Sick Children has caused delays in its treatment and diagnostic services. The attack occurred on December 19. According to the most recent update (December 23), the hospital said that it “anticipates it could still be weeks until all affected systems are completely online.”

Editor's Note

So you've restored priority services and you're down to the supporting systems: do you take a break and send home the "tiger team", or do you keep moving until you're back at 100%? This needs to be part of your planning. Yes, that concentrated team of experts is costing you, but your business impact may be more. Be prepared for unexpected interdependencies, as well as unexpected systems which are operating. Reviewing and testing the BC/DR plan, to make sure as much as possible is well known, becomes so important.

Lee Neely

Another week, another ransomware attack. In recent NewsBites we’ve discussed that the global Healthcare sector is a specific target of cyber criminals. Organizations that make up that critical infrastructure sector can’t say they haven’t been warned. In this case, why weren’t the ample warnings that the sector is being targeted enough for the security team to revisit cyber defense plans and validate their security posture against ransomware attack?

Curtis Dukes

Hospitals continue to be the target of choice for extortion attacks. It is urgent that they isolate patient facing applications from public network-facing applications and use end-to-end application layer encryption for any applications that do both.

William Hugh Murray

2022-12-21

The Guardian Experienced a Ransomware Attack

UK newspaper the Guardian has disclosed that it was the victim of a ransomware attack. The attack began the evening of Tuesday, December 21. The attack affected portions of the Guardian’s technology infrastructure; employees were instructed to work from home.

Editor's Note

Even with the attack, the Guardian is able to produce their printed edition with updated stories by leveraging teleworking. This is a good example to support your BCP efforts, including testing, with tangible results which are understandable in the board room.

Lee Neely

2022-12-29

Ohio Supreme Court Overturns Lower Court Ruling on Ransomware and Insurance

Ohio’s state Supreme Court has ruled that ransomware is not physical damage and is therefore not covered under a property insurance policy held by EMOI, an Ohio medical billing company. The court overturned a lower court ruling, finding in favor of Owners Insurance Company.

Editor's Note

Fully understand your cyber insurance limitations, including scheduling regular reviews of your coverage to make sure updates haven't changed it. In this case the policy explicitly excluded coverage for "any threat, extortion or blackmail", including ransom payment. If you have questions, such as what constitutes physical damage, get clarification long before you file a claim. Review assumptions with your legal team; don't assume your team is better than the insurance companies' team.

Lee Neely

We continue to see enterprises prefer to assign the risk of ransomware rather than preventing it. It is not clear that the underwriters know how to write coverage that addresses the risk at a cost their customers are willing to pay and on which they can make a secure and adequate return. It may well be an over-constrained problem.

William Hugh Murray

2022-12-21

Microsoft Releases Emergency Fix for Hyper-V VM Problems

On Tuesday, December 20, Microsoft released an emergency patch to fix problems caused by updates released the previous week in December’s Patch Tuesday. Some users reported being unable to create virtual machines on Hyper-V hosts. Microsoft writes, “this issue was resolved in out-of-band (OOB) updates released December 20, 2022 for installation on all Hyper-V hosts …[that] are using Software Defined Networking (SDN) and managed by System Center Virtual Machine Manager (SCVMM).”

Editor's Note

The updates were released December 13th. You don't need to roll these back to get the fix; simply install KB5022553 on top of that update. Prioritize systems using SDN managed by SCVMM, then schedule updating your other Hyper-V installations for consistency.

Lee Neely

2022-12-29

Netgear Releases Updates to Address Router Vulnerabilities

Netgear has released firmware updates to address two security issues: a pre-authentication buffer overflow vulnerability that affects multiple models of its Wireless AC Nighthawk, Wireless AX Nighthawk (WiFi 6), and Wireless AC routers; and a denial-of-service vulnerability affecting its Wireless AC Nighthawk and Wireless AX Nighthawk (WiFi 6) routers.

Editor's Note

Netgear doesn't provide any workarounds for these vulnerabilities; you need to apply the updated firmware. You've set your home routers to auto-update, so not a big deal, right? Make sure that you check periodically to verify those updates are happening. Also, double-check you're not exposing your admin interface to the Internet.

Lee Neely

2022-12-28

Vulnerabilities in Rockwell Automation Controllers

The US Cybersecurity and Infrastructure Security Agency (CISA) has published three advisories regarding vulnerabilities in Rockwell Automation controllers. Rockwell has released updates to address two of the vulnerabilities: an improper access control issue in Rockwell Automation Studio 5000 Logix Emulate and an improper input validation issue in Rockwell Automation GuardLogix and ControlLogix controllers. Rockwell has suggested mitigation for an unauthenticated stored cross-site scripting vulnerability and a clickjacking vulnerability that affect Rockwell Automation MicroLogix 1100 and 1400.

Editor's Note

In addition to applying the update, double check that you've employed segmentation and monitoring to ensure only authorized devices and users can access these OT components, and don't expose them directly to the Internet.

Lee Neely

2022-12-22

US Cybercom Employed Offensive Operations

Three unnamed US officials said that US Cyber Command (Cybercom) used offensive cyber actions against Russian and Iranian hackers to prevent disruptions of US midterm elections. Cybercom also used offensive methods against cyber adversaries during the 2018 and 2020 election cycles.

Editor's Note

This should not be surprising to anyone given that the Commander, US Cyber Command, has publicly stated that they will ‘defend forward’. This policy statement translates to execution of offensive cyber operations to protect critical infrastructure.

Curtis Dukes

Kudos to Cybercom for thwarting adversaries. Even so, be very careful with offensive operations: while you may think you're prepared for someone to poke back, consider their escalation model, particularly if construed as an act of war.

Lee Neely

Internet Storm Center Tech Corner

Exchange OWASSRF Exploited for Remote Code Execution

https://isc.sans.edu/diary/Exchange+OWASSRF+Exploited+for+Remote+Code+Execution/29374


Quick NTP Measurement

https://isc.sans.edu/diary/Can+you+please+tell+me+what+time+it+is+Adventures+with+public+NTP+servers/29368


Linux File System Monitoring and Actions

https://isc.sans.edu/diary/Linux+File+System+Monitoring+Actions/29362


Feed of NTP Server IP Addresses

https://isc.sans.edu/api/threatlist/ntpservers?json


Feed of Mastodon Server IP Addresses

https://isc.sans.edu/api/threatlist/mastodon?json


ksmbd Vulnerability

https://www.zerodayinitiative.com/advisories/ZDI-22-1690/


LastPass Incident Update

https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/


FBI Favors Ad Blockers

https://www.ic3.gov/Media/Y2022/PSA221221


Hidden Costs of Parental Control Apps

https://sec-consult.com/blog/detail/the-hidden-costs-of-parental-control-apps/


ProxyNotShell Mitigation Bypass

https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/


Packet Tuesday TLS Server Hello

https://www.youtube.com/watch?v=2HymU4dxWEQ


Android Preparing Support for Updatable Root Certificates

https://blog.esper.io/android-14-updatable-certificates/


Elastic IP Hijacking

https://www.mitiga.io/blog/elastic-ip-hijacking-a-new-attack-vector-in-aws


Microsoft Fixes Hyper-V Issues With Latest Patch

https://learn.microsoft.com/en-us/windows/release-health/windows-message-center#2988