Archive for December 23, 2022

Elon Musk Terminates More Twitter Employees… While A Key Programmer That He Brought In Quits

Posted in Commentary with tags on December 23, 2022 by itnerd

It seems that more layoffs are happening at Twitter, which is a sign that things are not going Elon Musk’s way.

Additional Twitter employees were terminated Thursday as part of ongoing, rolling layoffs under new owner Elon Musk, including from the public policy and media and entertainment teams, according to tweets from affected employees. 

As part of Thursday’s layoffs, the members of Twitter’s public policy team who had remained following last month’s mass layoffs were again cut down by about half to around 15 employees, a former Twitter employee with knowledge of the layoffs told CNN. 

Among the public policy team’s responsibilities are working with outside advisory groups such as the Twitter Trust and Safety Council, which the company disbanded earlier this month. It also manages human rights programs to protect vulnerable users like activists, engages in transparency efforts, works with government agencies and helps to ensure compliance with global regulations. The public policy team had more than 60 employees prior to Musk’s takeover, the former employee said. 

Thursday’s exits come after Musk laid off about half of Twitter’s workforce last month shortly after his takeover, and later pushed out additional employees, including through an ultimatum requiring them to work “hardcore” or exit the company. Musk’s team — seeking to cut costs at the struggling company that the billionaire purchased for $44 billion — has continued to lay off hundreds of additional Twitter staff since then, including top engineering and legal talent, according to the former employee and multiple recent reports.

On top of Elon being a Grade A scumbag for terminating people two days before Christmas, this is going to further erode Twitter’s ability to protect Twitter users and to make sure that they don’t run afoul of various laws around the planet. But Elon doesn’t care about any of that as it has been proven since he took over at Twitter. I guarantee that he will care at some point. And that day is coming.

Related to this, Elon brought in “Geohot”, who is also known as George Hotz. Hotz is best known as the guy who performed a successful jailbreak on the Sony PlayStation 3 and then promptly got sued by Sony because of that. He also once had a high-profile feud with Elon when he told a Bloomberg reporter that the Tesla founder “kept changing the terms” after tapping him for a job at Tesla. Hotz then went on to found a startup promising to outdo Tesla in self-driving technology but stepped down as its CEO at the end of October 2022. Elon recently hired him as an “intern” at Twitter to help him fix Twitter’s search and scrolling functions. But it looks like he’s now out. And he did it in a way that Elon would have done it.

Apparently he didn’t take this poll too seriously because this happened next:

He lasted four weeks at Twitter. Read into that what you will.

Related to this, both Hotz and Musk held an online chat on Twitter Spaces going over the drama facing the social media company and various related topics. I found a recording of this and pasted it in below:

Some notes if you’re a TL;DR sort of person:

  • Elon elaborated on his recent decision-making claiming that Twitter is facing a financial crisis. “We have an emergency fire drill on our hands. That’s the reason. Not because I’m naturally capricious.”
  • Elon said that the company is currently losing about $3 billion “in negative cash flow per year” under current conditions. “This company is basically like you’re in a plane that is headed toward the ground at high speed with the engines on fire and the controls don’t work.”
  • Elon noted advertisers remain resistant to spending on Twitter due to the ongoing economic downturn.
  • Elon claims that the company is starting to turn things around with the help of the new paid Twitter Blue subscription.
  • Elon said, “I now think Twitter will in fact be okay next year,” adding, “I think we will be, hopefully, sort of roughly, cash flow break even. That’s what I expect for next year.”

Because this is a privately held company, there’s no way of verifying the truth of any of the above. But given that he continues to cut costs by downsizing people, I question the veracity of the statements that Elon made in this Twitter Space. This, along with the more recent events that I have listed above, shows that Twitter is in for more chaos. And that chaos will not be taking a break for the holidays.

Time To Panic? LastPass Admits That Customer Password Vaults Were Stolen When It Got Pwned In August

Posted in Commentary with tags on December 23, 2022 by itnerd

The LastPass situation has become one of those “drip, drip, drip” situations where information is coming out one drip at a time. To recap the story, LastPass was pwned back in August with source code being stolen. At the time, the company said this:

In a letter to its users, the company’s CEO Karim Toubba explains that its investigation hasn’t turned up evidence that any user data or encrypted passwords were accessed.

Then a few months later, LastPass admitted that user data was accessed:

We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement. 

We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture. 

That was bad. But what I am about to tell you is worse. LastPass CEO Karim Toubba posted this update on the company’s blog:

The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client. For more information about our Zero Knowledge architecture and encryption algorithms, please see here. 

There is no evidence that any unencrypted credit card data was accessed. LastPass does not store complete credit card numbers and credit card information is not archived in this cloud storage environment. 

That qualifies as worse. The threat actor may try to brute force their way into these vaults. Or they may use social engineering or phishing attacks to get access to these vaults. Thus LastPass users should be prepared for the worst and expect that attacks are inbound.

Given the fact that worse and worse information keeps coming out about this hack, I have to wonder if it is time to dump LastPass and move on to something else more secure? As in local storage as opposed to cloud storage for your passwords. For example, I use eWallet and store my passwords in iCloud as well as my NAS. While the NAS is local, I admit that iCloud isn’t. But I would have more trust in Apple storing an encrypted file that they don’t have access to versus LastPass at this point. Especially given they have been pwned before, though they deny this. The bottom line is that this is a very bad look for LastPass. And if you use or have used LastPass, you should consider changing every password you have as they suggested in their latest disclosure as well as watching out for attacks.

Apple Confirms That They Pulled The Option For HomeKit Users To Upgrade to New Home Architecture

Posted in Commentary with tags on December 23, 2022 by itnerd

Yesterday, I posted a story on the fact that Apple had seemingly pulled the option for HomeKit users to upgrade to the new HomeKit architecture. At the time there was no confirmation by Apple that they had done this. But there were lots of reports of issues regarding this upgrade. Thus it would not surprise anyone if it was pulled because of that.

Today we have confirmation that Apple has pulled this upgrade. And it comes via this support document that was posted yesterday:

Well, now we know that Apple did pull this and that people who had upgraded are not affected by this change. Apple also published a support document which is meant to help those who are having issues with HomeKit. The support document outlines what to do if you can’t access a home or accept an invitation in the Home app. All of these are the common issues that I have seen online.

You have to wonder what went wrong here. I didn’t beta test this upgrade, but people that I know who did had no issues. But when it was released to the public, it became a train wreck. Hopefully Apple does a post mortem on this to understand what went wrong here as it’s got to be pretty embarrassing for them to pull this feature after users had issues with it.