G+_Terry Henderson Posted January 18, 2016 Originally shared by Terry Henderson Leo's Favorite Password Manager, LastPass, Hacked For The 2nd Time !!!! Be Careful, If You Use It Too !!!! http://www.theregister.co.uk/2016/01/18/lastpass_in_2fa_lock_down_yeah_actually_thats_a_legit_attack/?utm_source=dlvr.it&utm_medium=facebook
G+_Harry Maciolek Posted January 18, 2016 Meet you at Security Now!
G+_Travis Hershberger Posted January 18, 2016 The Register is proving itself even more of a joke. This is classic reporting from the supposed news company. I mean, who would have guessed that if you entered your username and password somewhere other than LastPass, why, hackers might get your username/password. Yes, if you put the time-based security token key in as well they might get into your account... but how is this news?
G+_Terry Henderson Posted January 18, 2016 Travis Hershberger I Use 1Password, I Was Just Warning Others.
G+_Akira Yamanita Posted January 18, 2016 While some of the mechanisms that allow the phishing attack to be more convincing (like any webpage being able to log you out of LastPass) are design flaws that need to be addressed, it's disingenuous to say that they were hacked a second time.
G+_Thomas Brisco Posted January 18, 2016 I took it as a "maybe you need 2FA in your everyday life" message. :-/
G+_Keith Mallett Posted January 18, 2016 Oh... Dark days indeed!
G+_Akira Yamanita Posted January 18, 2016 Thomas Brisco The phishing attack actually handles 2FA. It also exposes a limitation in that you can't get new login notifications if you have 2FA enabled.
G+_Thomas Brisco Posted January 18, 2016 Akira Yamanita - I see that now... Even the email verification looks weak, to me.
G+_John Phillips Posted January 19, 2016 How on earth is it possible to get past 2FA?
G+_Thomas Brisco Posted January 19, 2016 From what I could see, they get your 2FA token from the phishing site - and they can use it within the "lifespan" of that token.
G+_John Phillips Posted January 19, 2016 Thomas Brisco But don't they have to have your mobile phone as well?
G+_Ben Reese Posted January 19, 2016 John Phillips It depends on how the 2FA is implemented. The 2FA code I use for my job gives me a code that can only be used in a set time frame and can only be used once. Some systems don't have the single-use policy. I think what they're saying is the token can be used a second time in that time frame, which means they wouldn't need your phone.
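Ben's distinction between "valid for a time window" and "valid once" is the whole story for a relayed code, so here is an added example (not from the thread or from LastPass) of a minimal RFC 6238 TOTP verifier in Python, run with and without the single-use policy. The secret is the RFC 6238 Appendix B test key, a constructed sample rather than anyone's real credential.

```python
import hmac
import hashlib
import struct

STEP = 30      # RFC 6238 default time step, seconds
DIGITS = 6

# RFC 6238 Appendix B test key (constructed sample, not a real credential).
TEST_SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits) for the time step containing unix_time."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class TotpVerifier:
    """Server-side check. single_use=False models the weaker policy Ben describes:
    a code is accepted as often as it is presented while its time step is valid."""

    def __init__(self, secret: bytes, single_use: bool = True, window: int = 1):
        self.secret = secret
        self.single_use = single_use
        self.window = window             # tolerate +/- this many steps of clock skew
        self.last_counter = -1           # highest time step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // STEP
        for counter in range(now - self.window, now + self.window + 1):
            if hmac.compare_digest(totp(self.secret, counter * STEP), code):
                if self.single_use:
                    if counter <= self.last_counter:
                        return False     # replay of a step that was already used
                    self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    code = totp(TEST_SECRET, 59)         # the code the user types at T=59
    for policy in (False, True):
        v = TotpVerifier(TEST_SECRET, single_use=policy)
        first = v.verify(code, 59)       # first presentation consumes the step
        second = v.verify(code, 70)      # same copy, 11 s later, same 30 s step
        print(f"single_use={policy}: first={first} replayed={second}")
```

The single-use check only rejects the second presentation of a code; it cannot tell which presentation came from the real user, so when a phishing page relays the code to the genuine server before the user ever does, the relay is the accepted first use. That is why the thread's point stands: the code limits the damage of a leaked one-time code, it does not stop a real-time relay.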
G+_Ben Reese Posted January 19, 2016 As for password managers, I still trust LastPass with my personal passwords. They seem like a good compromise between security and convenience. For work stuff, I use KeePass so I can make sure I hold the vault. I just feel more confident in that method.
G+_Ben Reese Posted January 19, 2016 Wayne Hobbins, I'd like to think the same thing, but spear phishing exercises show that even technical people can be caught.
G+_Akira Yamanita Posted January 19, 2016 Wayne Hobbins It actually works as a cross-site scripting attack or from any web site controlled by the attacker. It logs you out, hides the real LastPass notification and presents a fake one that looks exactly like the real session expiration notice in its place. The place you are most likely to notice a discrepancy is on the login page.
G+_Akira Yamanita Posted January 19, 2016 Wayne Hobbins That's just one of the methods. Any compromised site could also be used. I never click the links either. I don't even acknowledge the fraud alerts by phone because they ask you for personal information without a good way to verify that the caller is from the bank.
G+_Akira Yamanita Posted January 19, 2016 Wayne Hobbins It just requires the code to run. That could be done through a compromised web site, cross-site scripting, etc.
G+_Ben Reese Posted January 19, 2016 I once answered an email about a dead rich prince who willed me all his money. After a few exchanges on email, they even sent me a death certificate.