Some thoughts on the latest LastPass fiasco

There are a few lessons worth learning from the latest LastPass fiasco:

Apparently, the bad actors involved in those incidents also infiltrated a company DevOps engineer’s home computer by exploiting a third-party media software package. They implanted a keylogger into the software, which they then used to capture the engineer’s master password for an account with access to the LastPass corporate vault. After they got in, they exported the vault’s entries and shared folders that contained decryption keys needed to unlock cloud-based Amazon S3 buckets with customer vault backups.

First, let’s dispense with the notion that password vaults like 1Password or LastPass are problematic. For as long as some applications and services rely on passwords, there is no better alternative for securing your online accounts.

Let’s also dispense with the notion that using a personal computer for work is inherently problematic. BYOD policies are pretty standard and effective. The fact that the attackers infiltrated an engineer’s home computer is irrelevant, and there is little evidence that employer-issued computers are any more secure.

An employer-issued computer cannot be trusted to be more secure than a personal one. Employers install software meant to monitor employees in the name of security, and that software may include keyloggers.

Your work computer may be configured to route all network traffic via a corporate proxy or a SaaS security service. Your SSL traffic may be intercepted and, at the very least, logged. LastPass turned out to have exploitable weaknesses; who is to say that a SaaS security service is immune?

One will inevitably use their work computer for personal tasks. At the very least, you’ll have to use your work computer to set up your benefits and 401(k) and upload copies of your government IDs. You may need to log on to check your pay stubs or download your tax documents. All of these personal activities are reasonable on a work computer. It may be far more likely that your personal passwords will leak out via your work computer than your employer’s corporate secrets via your home computer!

It would be best if you were very paranoid. Bad actors and incompetent people will one day leak your private data; it will happen. There are things you can do, though.

  1. Configure MFA on your password vault. Do not use a software-based token generator or SMS for this. Use a phishing-proof security key. I set up a YubiKey for my family 1Password account.
  2. When using your 1Password vault on a work computer, be aware that the second factor is only verified on a new device once. It is not used to decrypt your vault. Only install your vault on truly trusted devices. (Hint: your work computer isn’t one of those devices, see my notes above).
  3. Use MFA with all of your accounts. A YubiKey can be used as an OTP generator, but it can only manage ~32 secrets on one key. You also need to keep a backup. I configured YubiKey as a second factor for my most sensitive accounts, including those used as SSO: Apple and Google — the rest I allow to be managed by 1Password.
  4. Always check the lock icon in the browser. This article from Opera explains how to use it better than I can.

It’s good to be paranoid about your online security.

Employers are rightfully paranoid about corporate secrets being compromised by bad actors. Some of the worst data breaches were caused by employees.

Employees, however, should be equally paranoid about their personal secrets being compromised for the same reasons. If corporate secrets can be leaked due to a colleague’s mistake or malfeasance, so can your personal data entrusted to your employer.

Act accordingly and trust no one.