I'm selling the script to LastPass: the movie and quick tips for a secure workplace

Security weekly

Hi and welcome to another Security weekly, where we laugh, we cry, and we share the latest and greatest in security and tech news.

In this week's edition:

  • 📽️ I’m selling the script to LastPass: the movie.

  • 🖥️ Quick tips to make your workplace considerably safer

  • Disable User Explains: Clean Desk Policy

  • 🔥 The quick and dirty

Reading time: 03:42

I’m selling the script to LastPass: the movie.

Jonah Hill if you’re reading this (doubtful): hit me up!

OK, before I go off on a total rant: I promise this is the last time I talk about LastPass.

Well, unless the next story that unfolds is even better. But I doubt that’s possible.

Anyway.

So after all the fuss of the previous breaches, on Monday I received an e-mail from LastPass.
Because it was rather lengthy, I’ll give you the TL;DR version:

  • “Dear Valued Customer” - that’s ballsy, LastPass, real ballsy.

  • “We are giving you advance notification because we recognize that, as LastPass Business Administrators, you may need additional time to prepare your organization.” - A.k.a. we want to save face and make the situation seem less horrible than it is.

  • And then two posts written by a lawyer, with two links: one blog post and one Security Bulletin. - The blog basically said the previous breach was way worse than expected; the bulletin was a plan of action for admins.

As if the only possible action left to take isn’t grabbing your stuff and running away, as fast as your little legs can carry you!

totally not pixelated, good job.

BUT! I almost forgot the best part.

“Given the sensitive nature of this information and to give you time to implement the Security Bulletin changes, we ask that you please treat this information as confidential until it becomes available to the public later this week.”

Now that’s beautiful. Months of cover-up, only to partially come clean and ask us to “keep this a secret”.
No more hiding those true colours, LastPass?

So I guess you expect me to recommend some other options now, right?

Well, that’s not as easy as it sounds.

While I’d love nothing more than to share some good password managers with my trustworthy readers, that’s dangerous advice to give.

Password managers have a big target on their back, so in my opinion they’re all going to get hacked or breached at some point.
I might recommend one now that gets hacked tomorrow.

I can hand out some tips on selecting a password tool though:

  • Make a list of the functions you want - divide them into must-haves and nice-to-haves. Don’t give in on your must-haves.

  • Where and how is your data stored? - LastPass claimed they didn’t have access to your data. That was a blatant lie.

  • How did they handle previous incidents? - The way a company handled its previous incidents tells you a lot.

  • Be prepared to move your data out when the sh#t hits the fan.

  • Don’t, and I repeat, don’t use a password book - A weird trend I saw right after the first news of the LastPass hack: people storing their passwords in a paper booklet.

As tempting as it may seem, don’t do it.

Quick tips to make your workplace considerably safer

I had a piece on the difference between SIEM and SOAR in the pipeline, but I’ll keep that for next week.

After reading this article, I thought it was a better idea to hand out some tips for a secure work environment.

These tips aren’t just for home environments; they’re a mix of home and office, and they work anywhere.
Most companies have these tips/rules set up in a Clean Desk Policy.
A document you should be able to cite by heart, if it were up to me.
But I understand not everyone has the same fetish for information security as I do.

  • Lock your screen, always. Even if you're 'just grabbing something off the printer'. 5 minutes turn into 20 reaaaaaaal easy.

  • Hardcopy (personal) information should only be on your desk if you're actively using it - Otherwise classify it or shred it. No excuses. And btw, stop printing every goddamn thing. It's 2023.

  • Have a clean desktop - That goes for both digital and physical. Put everything where it needs to be, and clean up your junk. If your desktop is full, so will your mind be. (That's some Yoda wisdom right there.)

  • Get a separate virus scanner - While Windows Defender is pretty good, it’s not enough.

  • Encrypt your data storage - yes, also the portable ones.

Clean/Clear Desk Policy

A (company) policy that ensures all information is stored appropriately and a person follows basic rules to ensure information is protected.

TL;DR: be tidy and comply.

The quick and dirty