Hackfest 2023 - Back to the Future

Lessons from LastPass: Beyond Secure Password Management
2023-10-14, 10:00–10:50, Track #1

LastPass is a popular password manager used from individuals through corporate levels. However, in 2022 it suffered two breaches, and only recently was the extent of the damage made known. An unknown attacker was able to take the literal keys to the kingdom, compromising everything stored in the LastPass vaults. This talk will bring to light why the LastPass events matter to everyone, even those who think they are safe using other password managers or no password managers. There are lessons here about sophisticated staged attacks that bypass defenses in place, and the increasing onus on businesses to manage IAM and BYOD.


We hear it all the time - secure your passwords best with an application dedicated to just that. LastPass is a popular password manager used from individuals through corporate levels. However, in 2022 it suffered two breaches, and only recently was the extent of the damage made known. An unknown attacker was able to take the literal keys to the kingdom, compromising everything stored in the LastPass vaults. We will examine what was made known by LastPass and the media as we walk through the details available on both attacks. We will walk through the timeline of events and disclosures because it's important to note what came to light when, and how that changed the narrative. We will also examine the role played by BYOD, logging, and why we need to change with the times to detect behavioral anomalies.

This talk is presented in a "Lord of the Rings" theme.
OUTLINE
Password Managers: What and Why
- What they are and why we need to use them
What Could go Wrong
- A timeline of who's been hacked and multiple occurrences
- My personal experience using LastPass and switching to Bitwarden
LastPass: What Did go Wrong
- A basic anatomy of attack and timeline of events to show how what was stolen in Attack 1 was used in Attack 2
- They took both encrypted and unencrypted data
- They took data on browsing habits of users
- The engineer used his own device to access his corporate vault.
- This happens far more than we realize, and it is something we cannot effectively secure
A Tale of 2 Attacks
- A detailed discussion of what was discovered against what statements were made by LastPass over the months following the attacks
- Highlight where perceived security failed
- Call out how the crucial time to act at the beginning was lost
Key Takeaways
- Dwell Time matters
- BYOD – how do you manage
- Leverage logging and alerts
- Track for behaviour and anomalies
- What’s accessible in your dev environment
- Attacks are evolving past our defences


Are you releasing a tool? – No