LastPass have confirmed that a hack on a staff member’s home PC led to a massive cyber security breach on the company.
The second stage of the attack used data stolen in LastPass’s August breach, cross-referenced with other stolen information, to launch a targeted sting on one of their DevOps engineers – installing a key logger on the staff member’s home PC which resulted in the loss of yet more data.
LastPass confirmed the attacker was able to steal the user’s master password, gaining access to corporate vault resources and shared folders. In the process, encrypted notes and decryption keys needed to access LastPass production backups based in Amazon Web Services (AWS) – cloud-based storage and critical database backups were also compromised.
Since the August 2022 breach, when LastPass source code was stolen, the company has admitted the breach also saw the theft of account usernames, hashed passwords, and some Multi-Factor Authentication (MFA) settings belonging to end users.
Unfortunately LastPass also acknowledged that saved URL for each password entry was unencrypted, giving potential attackers an obvious clue to the purpose of each set of credentials.
The breach highlights the way remote working culture has introduced significant new digital risks – such as the danger of home users accessing work data, resources and applications on devices that sit ‘outside’ of company cyber security protections.
LastPass is believed to be used by over 85,000 businesses and 30 million end users.
For Cyber Security Expertise & Support, please contact our team today.
SMS-based two-factor authentication, where the user typically receives a passcode text message to their smartphone that acts as a secondary confirmation of who they are, has been a staple of online banking and many other secure online services needing two-factor authentication (2FA) for over a decade.
However many now believes even SMS can be intercepted, and would rather sign users onto authenticator apps or issue secure keys with encoded passcode generation.
Official Microsoft statistics state that users who enable Multi-Factor Authentication (MFA) on their accounts to verify identity block 99.9% of all automated account breaches. Using SMS-based two-factor authentication should not ‘stop’ doing so (despite the flaws of SMS, any 2FA is better than none) but users should consider swapping to other methods.
However this modification to Microsoft’s advice will see more of a driving force behind MFA as specifically biometric, authenticator app or secure-key based, rather than relying on mobile networks for one-time passcodes.
For cybersecurity expertise and support, please contact out IT team today.
Password managers help users remember all their passwords – but can be a much more powerful tool for dramatically limiting the damage in the event of a single account being compromised.
Criminals increasingly use credential-stuffing attacks where automated tools use previously-breached account details to gain access to the user’s other accounts.
A good password manager ensures you can use a strong, randomly generated and distinct password across each of your accounts to prevent any single breach putting other data at risk.
Keeper can also notify users when breached passwords are identified online, integrate with single sign on tools such as Active Directory, and enforce multi-factor authentication – all important considerations for organisations needing to maintain cybersecurity standards across large teams.
For added convenience, Keeper is available via the web, Windows/MacOS desktop clients, browser extension and Android/iOS mobile app.
For Cybersecurity advice and expertise, please contact our team today.
Cloud storage giant Dropbox is beta-testing a new password manager app – ‘Dropbox Passwords’ – by invitation only.
Password managers allow the user to generate and store encrypted, complex passwords for many user accounts inside a single piece of locked software and autofill them into websites and applications – making it easier to use diverse, complex passwords across all of your IT.
Password managers are measure increasingly recommended by respected cybersecurity authorities – including the UK National Cyber Security Centre. Options like 1Password, Lastpass and others are already well established, although Dropbox is likely to have significant reach to business customers considering using a password manager for the first time.
Unlike bigger rivals such as Microsoft’s Office 365 and Google’s G-suite, Dropbox do not offer workplace document editing apps – leading the company to explore new avenues for branching out beyond file-sharing and cloud-storage.
These plans have included Dropbox Paper (a collaboration and project management tool), integrations to other growing challenger-platforms such as Slack and Zoom, and now password management.
Principally a cloud-storage company that helped establish file-sharing in the minds of those who had never used it before, only time will tell if Dropbox can establish a broader brand for securing a cloud-first IT business world.
Google Chrome 79 will contain a Chrome hacked password alarm to notify at-risk users.
‘Password Checker’, which first appeared in October, will regularly compare user passwords saved in-browser against publicly-known data breaches.
The service will feel familiar to those who’ve tried the (often terrifying) but essential https://haveibeenpwned.com/ – which shows visitors where their email addresses have been compromised.
Chrome’s update is being gradually rolled out to new users, and is available within Settings > People > Sync and Google Services > Other Google Services, and is named ‘Warn you if passwords are exposed in a data breach.’
The alert mechanism is just the latest in a series of attempts to push users to safer browsing: 2019 also saw Google Chrome actively warn users of websites without valid security certificate, and penalise such websites in Google search rankings.
Chrome 79’s new hacked password alarm mechanism should prompt systematically when account credentials need password updates, and allow users to keep their accounts secure.
For IT support and cybersecurity expertise, contact Lineal today.
Cyber crime is finally set to become the UK’s most common crime type, following inclusion in the latest crime figures from the Office for National Statistics (ONS).
This re-classification comes only days after news headlines emerged that an Eastern European crime group successfully used ‘Dridex’ malware to steal over £20m from UK bank accounts via thousands of infected PCs in the UK.
The 2015 National Strategic Assessment from the National Crime Agency estimates that losses due to cyber crime in the UK now amount to a staggering £16 billion annually. The NCA also asserted that the theft of large amounts of private companies’ data still faces ‘considerable under reporting.’
Nowhere is this more threatening than for those in the financial services industry, where both reputations for reliability and access to funds make IT security of paramount importance, requiring compliance with the strictest procedures for identity validation, network safety and fraud detection.
All businesses need to be prepared for the future, where cyber crime is likely to become more sophisticated and UK companies may be expected to demonstrate greater data protection measures. This week Microsoft promoted it’s Financial Services Compliance program in connection with Office 365 – making assurances (aimed squarely at businesses in the financial sector) of direct access to staff and resources to ensure that Microsoft Office cloud services comply with financial security regulations.
Greater awareness of cyber crime amongst Government figures, the media and the public can only be a good thing, but ultimately it still remains very much up to the individual to ensure their IT systems are secure – before the worst happens.
More than 70% of businesses fail after significant data loss. Lineal can install a range of security measures to safeguard your business IT systems and data – enquire today via: http://www.lineal.co.uk/contact/
Data breaches can lead to a massive loss of trust among customers, so how do you ensure your IT remains secure?
Despite what many online sign-up forms would suggest, the ‘strongest’ password is not necessarily long and complicated. Whilst complexity makes a password harder to guess or crack with a ‘brute force’ testing of combinations, most security breaches occur from stolen passwords, either physically or by malware attacks.
Very complex passwords do not help in this respect: users still need other IT security, such as antivirus software, errors are more common when typing (particularly on handheld devices) and employees may find complex passwords harder to remember – undermining data security by writing down their login details. The ubiquitous sticky note attached to the monitor is still a trusted solution to working with complex password policies in some organisations!
Routine password changes are a sensible precaution for most businesses, but can make it harder for employees to remember their passwords, leading to the same problem in which users are locked out of work accounts, copy passwords across accounts, or write passwords down at risk of theft.
Phrases can help avoid this problem by making passwords easier to recall: ‘Lineal15theB3st’ is preferable to a 15-digit numeral because a touch of personality adds memorability. Beware profanity though – just imagine trying to explain it to technical support later on!
Here at Lineal we’d also advise against ‘Remember Me’ automated sign-in functions, as well as Windows 10’s new Wi-Fi password sharing ‘Wi-Fi Sense’ Feature, as these make your chosen password redundant.
If you want to see where the future of online security is going, follow the money: most online banking incorporates a two-stage authentication process, requiring both a password and a unique alert code texted to the customer’s mobile phone for identification. This is already a free optional setting for Google, Facebook, Twitter and other popular websites.
Lineal’s advice is to stick to the following basics:
Avoid physical theft:
Don’t write your passwords down on a post-it note on your desk! Microsoft has a practical tip: if you absolutely must write a password down, do so in a safe place, without labeling it as a password or to which account it refers. Substitute words should also be used to hide the true password, for example writing ‘Fruit8£’ could refer to a password of ‘Apple8£’.
Don’t use an easily guessed word, such as your name, your company’s name, 1234, the name of something on your desk, the word ‘password’, or anything similarly obvious.
Never tell anyone your password, and change your password if you suspect it has been compromised.
Ease of Access:
If you struggle to remember your passwords, use a password storage program to store some of them. Remember to use a secure password for the program.
Mitigate against your own forgetfulness by setting up alternate password recovery options, allowing you to choose more varied, difficult passwords.
Consider where users will need to log in from – take full advantage of using numbers and special characters ( ! , £, %, * etc.) for keyboard users.
Preventing digital theft:
Use different passwords for your most important accounts, such as online banking.
Use two-stage authentication.
Maintain up to date anti-virus security software and firewalls on your work desktops, and don’t download untrusted software or open suspicious emails which could be phishing or contain password stealing malware.
Consult IT specialists to ensure office networks are protected from outside attacks.
Your security should always be strong enough to give peace of mind. Lineal can provide expert advice and support for securing your IT systems: why not get in contact with us here?
Our website uses cookies to improve your browsing experience: you change your consent preferences here, however denying consent may adversely affect certain website functions. Privacy Policy.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.