LastPass has just released some additional details about their recent security incident in which an attacker exfiltrated users’ encrypted vaults, thereby forcing users all over the world to change all of the passwords stored in LastPass. I’m not going to rehash everything they say; you can go read it yourself. However, I think it is valuable to show how, once again, what LastPass has chosen not to say is as significant as what they have, perhaps even more so.
> This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware.
Why was a DevOps engineer with full access to production data and decryption keys allowed to access sensitive, confidential company resources from a home computer not under LastPass’s administrative control? As an information security professional, I find it inconceivable that a company with a risk profile as high-risk as LastPass’s would allow access to internal systems from computers not under their control. I’ve worked at companies with far lower risk that prohibited this.
What “third-party media software package” was exploited? Was the exploit a zero-day, or was there a patch for it which the employee had not installed?
Under the fixes section of this article, LastPass further writes:
> We assisted the DevOps Engineer with hardening the security of their home network and personal resources.
This is absolute garbage. Here is what this should have said, and just to be clear, this is the minimum that a company like LastPass should be doing:
- We have enacted a policy prohibiting employees with production access from accessing LastPass internal resources from non-LastPass-owned devices, and put in place technical and policy processes to enforce this policy.
- We have enacted a policy requiring up-to-date endpoint protection software to be present on all devices used by employees with production access, and put in place technical and policy processes to enforce this policy.
- We have enacted a policy prohibiting unapproved software from being installed on devices used by employees with production access, and put in place technical and policy processes to enforce this policy.
- We have enacted a policy requiring the prompt installation of OS and application security patches on devices used by employees with production access, and put in place technical and policy processes to enforce this policy.
Again: the above is not what LastPass says they’re doing. It’s what I say they should be doing but apparently they’re not.
It is astounding that LastPass did not already have these policies in place and enforced. It is astounding that even after this breach they have not enacted and begun enforcing these policies.
At this point the conclusion is unavoidable that the security culture at LastPass is irredeemably broken and that no one should be relying on LastPass to keep their passwords secure.