A security expert criticizes the excuse of the data leakage incident by the password management application ``LastPass'' as ``full of outright lies''

Security expert Vladimir Palant said the statement issued by LastPass was ``full of omissions, half the truth, and full of blatant lies.'' I'm here.' I'm criticizing it with specific details.

What's in a PR statement: LastPass breach explained | Almost Secure

Mr. Parant first pointed out that the statement was issued on December 22, just before Christmas, ``may have been done intentionally to reduce the number of reports.''

From the very first paragraph, I have been scrutinizing the contents of the statement. LastPass wrote, ``In our commitment to transparency, we would like to provide an update on ongoing investigations,'' but Parant said, ``The law requires immediate disclosure of a data breach. , and it has nothing to do with 'efforts for transparency,'' he said.

Next, LastPass said, ``While there was no access to customer data in the August 2022 incident, some source code and technical information was stolen and used in an attack targeting another employee.'' explains. However, Parant said, ``We are trying to treat the August 2022 incident and the subsequent data breach as separate events. It is typical of what is called 'lateral movement' used by attackers.'

In response to LastPass's explanation that ``the cloud storage accessed by the attacker was physically separated from the production environment,'' Parant said, ``Given that there was a full copy of LastPass in the cloud storage, it is reassuring. Or is it a transfer of responsibility that the data was not taken out from LastPass' servers?'

Also, regarding the description, ``Encrypted fields are protected with 256-bit AES encryption and can only be decrypted with a unique encryption key made from each user's master password using a zero-knowledge architecture.'' calmly pointed out, 'It masks the simple fact that only the master password prevents threat actors from decrypting data, and if it is guessed, it's over.' In other respects, Mr. Parant also reveals the facts hidden in the LastPass statement in detail.

Parant isn't particularly hard on LastPass, and other security experts are doing the same. Jeremy M. Gosny, who once recommended the use of LastPass, has been calling for people to stop using LastPass and use Bitwarden and 1Password since around 2017.

Jeremi M Gosney :verified:: 'I recently wrote a post detail…' - Infosec Exchange

Mr. Gosny lists the reasons for abandoning LastPass as follows.

・LastPass's claim of 'zero knowledge' is a complete lie, LastPass tracks which sites users are logged into, and disabling tracking does nothing (is not disabled).
Most vaults are unencrypted, only some fields are encrypted.
・The encryption itself is crap.
- Terrible confidentiality management. Encryption keys always reside in memory and are never erased, vault decryption keys and revoked one-time passwords are stored in plaintext on each device and can be viewed without root or administrator privileges.
・Browser extensions are terrible. Full of bugs such as stealing authentication information. All are easy to identify and fix, but not addressed.
・The API is garbage. There are too many problems to count.
・There have been seven large-scale security breaches in the past 10 years.
・Have a history of ignoring security researchers and vulnerability reports, and do not participate in the informatics or password cracking communities. Vulnerability reports are better left unattended for several months, but some are never recognized and resolved. Sometimes the contact information for the security team was wrong.

``I'm not recommending you quit LastPass, but I'm suggesting that you run away from LastPass as far as possible based on this history,'' Gosny said.

in Software,   Security, Posted by logc_nt