This week's episode of Security Now discusses people de-obfuscating their LastPass vaults to see what metadata is in the clear, as well as tools allowing you to check your own. It turns out there is quite a bit that allows an alarming amount of targeting if you used LastPass for banking, government, etc. I'll quote one of the most alarming bits:
But the FAR more worrisome fact that was revealed when our listeners checked the settings of their LastPass vaults was the degree to which many – and I do mean many – of their password iteration settings were found to be below the 100,100 iterations mark. And in a revelation that I’m still trying to get my head around, I heard from many listeners whose PBKDF2 iteration count was set to 1. Yes, 1 iteration. And thus the shocking title of today’s podcast.
…
We need to assume that the attackers obtained every user's account metadata including their vault's iteration counts. Those counts need to be recorded somewhere because no one's vault can be decrypted without knowledge of the count. And LastPass would have backed it up since the loss of that would be even worse than the loss of the vault backups themselves. So, assuming that the attackers obtained the iteration counts for every LastPass user, as they probably did from LastPass' backup, if opportunistic brute force decryption of user accounts was their intent it would be a reasonable strategy for the attackers to start with those LastPass users whose counts were '1'. Why would they not?

Unfortunately, there's a well-known expression to describe the situation in which all of those LastPass users who, at the time of this breach, had their LastPass password iteration counts set to 1. And that expression is "Low Hanging Fruit".
Episode Notes: https://www.grc.com/sn/SN-905-Notes.pdf
Episode 905 on YouTube:
If you use/used LastPass and you haven’t already, you should change your high value logins/credentials ASAP.
EDIT: Added master to the title for emphasis.
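To make the quoted point concrete, here is an added example (not from the podcast, not LastPass code) showing what a PBKDF2 iteration count actually buys. It derives a vault key with PBKDF2-HMAC-SHA256 at 1 iteration and at 100,100 iterations, shows that a count of 1 collapses to a single HMAC call, and times both so the work-factor gap is visible. The password and salt are constructed sample values; using the lowercased login email as the salt is an assumption about the LastPass scheme, not something the post states.

```python
import hashlib
import hmac
import time

# Constructed sample inputs; not real credentials and not from the podcast.
SAMPLE_PASSWORD = b"correct horse battery staple"
SAMPLE_SALT = b"user@example.com"  # assumption: LastPass salts with the lowercased email
RECOMMENDED_MIN_ITERATIONS = 100_100  # the threshold the podcast measures vaults against


def derive_vault_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Vault key = PBKDF2-HMAC-SHA256(password, salt, iterations), 32 bytes."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def single_round_key(password: bytes, salt: bytes) -> bytes:
    """With c=1 and dkLen = 32, PBKDF2 is exactly U1 = HMAC(password, salt || INT(1)).
    In other words an iteration count of 1 gives an attacker one HMAC per guess."""
    return hmac.new(password, salt + b"\x00\x00\x00\x01", hashlib.sha256).digest()


def iteration_count_is_weak(iterations: int, minimum: int = RECOMMENDED_MIN_ITERATIONS) -> bool:
    """The check a user would want to run on the value shown in their vault settings."""
    return iterations < minimum


def measure_derivation_seconds(password: bytes, salt: bytes, iterations: int, repeats: int = 3) -> float:
    """Best-of-N wall-clock time for one derivation; the attacker's per-guess cost scales the same way."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        derive_vault_key(password, salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def work_factor_ratio(weak_iterations: int, strong_iterations: int) -> float:
    """How many times more expensive each guess becomes when moving from weak to strong."""
    t_weak = measure_derivation_seconds(SAMPLE_PASSWORD, SAMPLE_SALT, weak_iterations)
    t_strong = measure_derivation_seconds(SAMPLE_PASSWORD, SAMPLE_SALT, strong_iterations)
    return t_strong / t_weak


if __name__ == "__main__":
    for count in (1, 5000, RECOMMENDED_MIN_ITERATIONS):
        secs = measure_derivation_seconds(SAMPLE_PASSWORD, SAMPLE_SALT, count)
        flag = "WEAK" if iteration_count_is_weak(count) else "ok"
        print(f"iterations={count:>7}  {secs * 1000:8.3f} ms per derivation  [{flag}]")
    print(f"1 -> {RECOMMENDED_MIN_ITERATIONS}: ~{work_factor_ratio(1, RECOMMENDED_MIN_ITERATIONS):.0f}x more work per guess")
```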