Danie van der Merwe

gadgeteer@hub.netzgemeinde.eu

LastPass' breach could've been stopped with a 3-year-old Plex update: Demonstrates danger of remote users not updating their systems

2 years ago
gadgeteer@hub.netzgemeinde.eu
We learned more details about the second LastPass hacking incident last week — a malicious party installed a keylogger onto a senior engineer's home computer through an exploit in Plex, the personal cloud service for movie storage and streaming, and was able to break into corporate-level caches as a result. But it turns out that the engineer had a big part to play in this major failure as well.

Plex has revealed that the exploit in question took advantage of a vulnerability that was disclosed back on May 7, 2020. The company tells PCMag that, for some reason, the LastPass employee never updated their client to apply the patch.

So one very valid concern about remote workers, working from home, is whether they are actively patching and updating their computer system. Usually in a corporate environment desktop and portable computers are being managed and updated by central IT, but this is often not the case for home users, especially if they are using their own personal computers from home.

What possibly makes patching and updating even worse is using Windows OS, as the individual apps are not updated as part of the OS's daily updates check. With Linux, usually the OS as well as all installed apps are checked daily and updated from the update manager, regardless of whether the installed app is being opened or not.

What we already know about most end users (just think of password1234) is that they tend not to be scrupulous and disciplined about applying the best security practices...

See LastPass breach could've been stopped with a 3-year-old Plex update

#technology #security #patches #updates #remotecomputing

December's LastPass breach was brought to you by a Plex exploit that was patched back in 2020
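The post above argues that the real failure was an unmanaged home machine running an application with a patch that had been available for years. As an added example (not code from the post, from LastPass or from Plex), here is a small Python compliance check a defender could run over the inventory that remote endpoints report back: it flags any installed app below a minimum patched version and any endpoint that has simply stopped checking for updates, which is the Windows-style failure mode the post describes. Every hostname, app name, version number and age threshold below is a constructed placeholder, not a real advisory.

```python
"""Patch-compliance check for self-managed (remote) endpoints.

Added example, not from the original posts. The inventory, the app names
and the minimum versions are all constructed placeholders.
"""
import re
from dataclasses import dataclass, field

# Constructed minimum patched versions (placeholders, not real advisories).
MIN_PATCHED = {
    "media-server": "1.19.3",
    "password-manager": "4.2.0",
}

# Constructed inventory: hostname<TAB>app<TAB>installed_version<TAB>days_since_last_update_check
INVENTORY = """\
home-laptop-01\tmedia-server\t1.18.0\t940
home-laptop-01\tpassword-manager\t4.2.1\t12
home-desktop-07\tmedia-server\t1.19.10\t3
home-desktop-07\tpassword-manager\t4.10.0\t30
home-laptop-13\tmedia-server\t1.19.3\t1100
"""


def parse_version(v):
    """Turn '1.19.10' into (1, 19, 10) so comparison is numeric.

    A plain string compare would wrongly rank '1.19.10' below '1.19.3'
    and '4.10.0' below '4.2.0', hiding fully patched machines or, worse,
    passing unpatched ones.
    """
    return tuple(int(p) for p in re.findall(r"\d+", v))


@dataclass
class Finding:
    host: str
    app: str
    installed: str
    required: str
    days_since_check: int
    reasons: list = field(default_factory=list)


def check_inventory(text, minimums=MIN_PATCHED, max_age_days=90):
    """Return one Finding per (host, app) that is outdated, stale, or both.

    outdated: installed version is below the minimum patched version.
    stale:    the endpoint has not checked for updates within max_age_days,
              so even a currently-patched app will silently fall behind.
    """
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, app, installed, days = line.split("\t")
        days = int(days)
        required = minimums.get(app)
        reasons = []
        if required is not None and parse_version(installed) < parse_version(required):
            reasons.append("outdated")
        if days > max_age_days:
            reasons.append("stale")
        if reasons:
            findings.append(Finding(host, app, installed, required or "n/a", days, reasons))
    return findings


def noncompliant_hosts(findings):
    """Set of hostnames with at least one finding, for a quick fleet summary."""
    return {f.host for f in findings}


if __name__ == "__main__":
    for f in check_inventory(INVENTORY):
        print(f"{f.host}: {f.app} {f.installed} (min {f.required}), "
              f"last check {f.days_since_check}d ago -> {', '.join(f.reasons)}")
```

The two conditions are deliberately independent: home-laptop-13 in the constructed data runs exactly the minimum version and is still reported, because an endpoint that has not checked for updates in three years will be unpatched the next time a fix ships.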
LastPass password manager hacked, but password data should be safe

2 years ago
gadgeteer@hub.netzgemeinde.eu
LastPass, a password manager used by more than 33 million people around the world, said a hacker recently stole source code and proprietary information after breaking into its systems.

The company doesn’t believe any passwords were taken as part of the breach and users shouldn’t have to take action to secure their accounts, according to a blog post on Thursday.

Of course, this is one thing that Bitwarden would not have lost, as their source code is already open source but it is also why you don't want to have any backdoors (otherwise that would have been wide open).

See World’s biggest password manager hacked

#technology #security #LastPass #hacked #passwordmanagers
How to easily export your passwords from LastPass and import into open source Bitwarden

4 years ago
gadgeteer@hub.netzgemeinde.eu
Today the new LastPass pricing goes into effect and I still see a few people asking how to transfer their passwords out. The link below helps with that. Bitwarden is open source and probably the closest alternative to LastPass in terms of functionality, complete with 2FA built-in for use with websites (so no need for Google's authenticator).

Bitwarden has a free tier, but its premium subscription is $10 vs LastPass which is $36 (for individual per-annum costs).

See Import Data from LastPass | Bitwarden Help & Support

#technology #opensource #lastpass #bitwarden #passwordmanager

Use this article for help exporting data from LastPass and importing into Bitwarden. You can export your data from LastPass from their Web Vault or from a LastPass Browser Extension: A previous version of this article stated that you needed to use the Browser Extension to export Form Fills (e.g. Addresses and Payment Cards), however testing by...

1Password has none, KeePass has none... So why are there seven embedded trackers in the LastPass Android app? LastPass says you can opt out though

4 years ago
gadgeteer@hub.netzgemeinde.eu
The Exodus report on LastPass shows seven trackers in the Android app, including four from Google for the purpose of analytics and crash reporting, as well as others from AppsFlyer, MixPanel, and Segment. Segment gathers data for marketing teams and claims to offer a "single view of the customer", profiling users and connecting their activity across different platforms.

LastPass has many free users – is it a problem if the company seeks to monetise them in some way? Kuketz said it is. Typically, the way trackers like this work is that the developer compiles code from the tracking provider into their application. Even the app developers do not know what data is collected and transmitted to the third-party providers, said Kuketz, and the integration of proprietary code could introduce security risks and unexpected behaviour, as well as being a privacy risk. These things do not belong in password managers, which are security-critical, he said.

The article below does give guidance though on how to disable it, although the code remains in the app.

See 1Password has none, KeePass has none... So why are there seven embedded trackers in the LastPass Android app?

#technology #privacy #lastpass #trackers

Third-party code in security-critical apps is obviously suboptimal, but company says you can opt out