Taking security concerns lightly?

Postby takoateli » Tue May 10, 2011 6:35 am

Firefox suddenly was claiming my master password was false and telling me I needed to log in again by typing my master password. I hadn't changed my password and this was before LastPass' recent security breach. It seemed to me this is how someone could attack LastPass, cause the client app to demand the password be typed again after having installed a keylogger. I contacted LastPass about my concerns and received a very nonchalant reply from LastPass.

Here's my communication with them. Read from the bottom up.

2011-05-10 06:24
You: This really pisses me off that your customer service tech had such a blasé attitude about a concern about security some time back, and now here you guys are with egg on your face.

Maybe you could teach your own customer service people a little bit about having the right attitude towards your users' security concerns.

You KNOW this is going to affect your public reputation and your business.

This is from your own email to your customers:

Dear LastPass User,

On May 3rd, we discovered suspicious network activity on the LastPass internal network. After investigating, we determined that it was possible that a limited amount of data was accessed. All LastPass accounts were quickly locked down, preventing access from unknown locations. We then announced our findings and course of action on our blog and spoke with the media.

As you know, LastPass does not have access to your master password or your confidential data. To further secure your account, LastPass now requires you to verify your identity when logging in. You will be prompted to validate your email if you try to log in from a new location. This prompt will continue to appear until you change your master password or indicate that you are comfortable with the strength of your master password.

Please visit https://lastpass.com/status for more information.

Thanks,
The LastPass Team

2011-05-09 11:15
Israel: Ticket CLOSED

2011-05-08 20:38
You: http://www.theregister.co.uk/2011/05/05 ... ord_reset/

Still want to keep your head in the sand about security and act like I don't understand security? The cavalier attitude of your customer service specialist is why I cancelled my premium account on the 7th of April.

Start treating your customers' questions about security with a more reasonable attitude or you'll have more people defecting.

LastPass' strong suit is security, not ease of use. There are plenty of other apps that take care of ease of use. My browser can remember my passwords. If you screw up in the area of security, people will defect in droves.

2011-04-07 14:09
You: Oh, OK. If my box is owned then it's owned, so you guys don't have to think about security. OK.

2011-04-07 14:02
Israel: If your box is owned, it's owned. There's no security software in the world that will protect you once that's happened; it's too late.

Are you blocking cookies in Firefox?

2011-04-06 10:08
You: Amber, I think you don't understand. It's not that the session logs out and I have to log back in. I see that often. It's that suddenly Firefox was saying the saved master password is invalid, so I'm having to retype the master password. I didn't change the master password, so why is LastPass for Firefox saying the master password is not valid? So I have to retype the master password. If I had a keylogger installed, that would be a security risk. If a black hat were to find a way to install something that a) corrupted the LastPass stored master password and b) installed a keylogger, then all he'd have to do is wait till LastPass rejected the corrupted stored master password and the keylogger grabs it when it's re-entered. That sounds like probably the easiest attack vector against LastPass. Think about it.

2011-04-06 09:57
Amber: By default LastPass will keep you logged in, but if something ends your LastPass session (you logged off, or have one of your auto-logoff settings enabled, or you clear cookies or browser history when you close your browser) then you'll be prompted to enter your Master Password the next time you open Firefox. It's very unlikely to be a security risk.

Amber

2011-04-04 13:08
You: Uninstalling and reinstalling kept the problem. So I just put the password in and it's OK. But I'm uncomfortable that it asked me for the password with no apparent reason.

2011-04-04 11:37
You: It is only Firefox which is experiencing this issue. Safari's LastPass and Chrome's LastPass are logging in just fine.

I'll reinstall in Firefox and let you know if it's fixed up.

Just putting the password in Firefox might fix it up. I'm just wondering why it's suddenly asking for it. It seems like that would be how an attack against LastPass would appear. Someone would cause you to re-enter your master password so they can get your password with a keylogger. Then they'd have all your passwords.

If LastPass ever gets hacked it's going to be really ugly, since people are going to lose all their passwords in one fell swoop.

2011-04-04 11:19
Amber: Hi Greg,

Have you tried logging in both via the plugin and the website at https://lastpass.com/ ? Does your password work in any of your browsers? If it seems to be isolated to Firefox, try reinstalling: https://lastpass.com/dl and log in again.

Amber

2011-04-04 08:57
You: I haven't changed my LastPass password in a long time. I have LastPass remember my master password. Now suddenly today Firefox says my password is not valid. Safari and Chrome are still good. So why would Firefox suddenly get all funny and not remember my password?

Greg
takoateli
 
Posts: 3
Joined: Fri Apr 08, 2011 10:57 am

Re: Taking security concerns lightly?

Postby quotidian » Tue May 10, 2011 9:09 pm

What seems to have happened is that you were told the truth. If your box is owned, there is no way for you to use LastPass or any other password manager safely. If you're saving your master password to your hard drive, malware can just read the saved password from your HD; it doesn't even need to bother prompting you. If the password isn't on your HD, there are literally hundreds of other things it could do to get your password, all the way up to replacing your entire browser and LastPass plugin with a hacked version that sends them all your passwords instead.

Anyone who attempts to tell you that their application is invulnerable to local malware is lying to you.
quotidian
 
Posts: 180
Joined: Fri Nov 26, 2010 9:40 pm

Re: Taking security concerns lightly?

Postby takoateli » Wed May 11, 2011 3:04 am

quotidian wrote: What seems to have happened is that you were told the truth. If your box is owned, there is no way for you to use LastPass or any other password manager safely. If you're saving your master password to your hard drive, malware can just read the saved password from your HD; it doesn't even need to bother prompting you. If the password isn't on your HD, there are literally hundreds of other things it could do to get your password, all the way up to replacing your entire browser and LastPass plugin with a hacked version that sends them all your passwords instead.

Anyone who attempts to tell you that their application is invulnerable to local malware is lying to you.


Maybe if you knew just a little about computer security you'd know that there's no magic word like "owned" or "pwned". There are varying degrees of control which a particular piece of malware can have on your machine depending on what it's infected with. That your machine has malware on it doesn't mean that it has full control of all processes and can perform any task.

But more to the point, it was just the blasé attitude of the LastPass rep, who offered no explanation why Firefox suddenly was saying my master password, which I hadn't changed in a very long time, was no longer valid and needed to be entered again, especially when none of my other browsers were saying that. Furthermore, the LastPass rep didn't offer any meaningful suggestions. She merely said "if your machine is owned it's owned". Well then, do nothing, right? And is that really their official stance? If a customer's machine gets infected with something then we just throw up our hands? This is the response of a security company?

Because hackers often exploit a small hole rather than this concept that your machine is "owned" and they can do whatever they want, the symptom I was seeing seemed to be something that might occur if someone got a foot in the door, which is to 1) cause LastPass to require the user to retype the password and then 2) capture that password.

But Amber's response was everything's fine, but if you're "owned" it's over anyway.

And then how many days later was that when LastPass had their servers hacked? Maybe they had the same security policy internally... "Nothing to worry about, and if we get 'owned' it's over anyway". It would be funny if they weren't hosting all my passwords.
takoateli
 
Posts: 3
Joined: Fri Apr 08, 2011 10:57 am

Re: Taking security concerns lightly?

Postby XIII » Wed May 11, 2011 3:41 am

What's the purpose of your post?

(What do you want to achieve? What are you looking for?)
XIII
 
Posts: 388
Joined: Fri Oct 16, 2009 6:18 pm

Re: Taking security concerns lightly?

Postby skellam » Wed May 11, 2011 10:52 am

Sorry, but the customer service rep is correct. If your local machine is compromised, they can't prevent someone from obtaining your password. Maybe she could have used a more tactful way of explaining it to you, but I'd rather have them tell me the truth. You are expecting an awful lot from a free service (or $1 a month if you are a Premium customer) to go into great depth explaining how to protect your local system. If there is evidence that you have malware on your system, the only way to be sure that you are in the clear is to re-install the operating system from scratch.
skellam
 
Posts: 3
Joined: Sat Jul 25, 2009 3:09 pm

Re: Taking security concerns lightly?

Postby Israel » Wed May 11, 2011 11:46 am

takoateli, I responded to your tickets via our support system.

I'd appreciate it if you responded there.

Your Firefox session was likely being invalidated due to blocking third-party cookies or some kind of caching issue - you can check here: http://www.lastpass.com/debug.php

If you're concerned about a keylogger on your machine, you can try using the on-screen keyboard to log in - I do realise the response may have been a bit short, and we do take security seriously - it's just that when you put forth that hypothetical scenario, of having a keylogger on the machine, it's really too late for any security software to protect you.

In my skr1pt k1dd13 days of yore, backorifice and bl4d3 being the tools du jour, I would consider your machine "owned" if I was able to capture all your keystrokes.
Israel
Site Admin
 
Posts: 1475
Joined: Tue May 04, 2010 9:40 am

Re: Taking security concerns lightly?

Postby glen4cindy » Wed May 11, 2011 3:45 pm

Israel wrote: takoateli, I responded to your tickets via our support system.

I'd appreciate it if you responded there.

Your Firefox session was likely being invalidated due to blocking third-party cookies or some kind of caching issue - you can check here: http://www.lastpass.com/debug.php

If you're concerned about a keylogger on your machine, you can try using the on-screen keyboard to log in - I do realise the response may have been a bit short, and we do take security seriously - it's just that when you put forth that hypothetical scenario, of having a keylogger on the machine, it's really too late for any security software to protect you.

In my skr1pt k1dd13 days of yore, backorifice and bl4d3 being the tools du jour, I would consider your machine "owned" if I was able to capture all your keystrokes.


As a bystander, and very satisfied LastPass user, I really love your response, Israel.

I see here that you have a user, using a free service, that is having a problem with ONE browser, who is being given what seems to be adequate customer service, especially in light of it being a free service, and then, coming way out from left field and bringing in some idea of a key-logger, as if LastPass would somehow be responsible for a user having a key-logger on their system.

This scenario that this user is suggesting seems highly unlikely, and even if it happens to be the case, LastPass would hardly be to blame for something like this, as it is ultimately the end user's responsibility to maintain adequate virus and malware protection on their PCs.

Thanks again for a great product.
glen4cindy
 
Posts: 4
Joined: Sat Oct 02, 2010 12:35 am

Re: Taking security concerns lightly?

Postby davei » Thu May 12, 2011 2:09 pm

I don't see how any of us could say LastPass takes security lightly. I think they've done a really good job - so far - with letting us know what could have happened in their network.
davei
 
Posts: 1
Joined: Mon May 09, 2011 6:39 pm

Re: Taking security concerns lightly?

Postby VegaPassesGas » Fri May 18, 2018 12:58 pm

Security, perhaps, but requiring turning ON all third-party cookies certainly misses the mark when it comes to privacy. Turning off third-party cookies helps prevent tracking across domains by the likes of the privacy experts at Facebook, Google, Twitter, et al. More things to block in other ways now.
VegaPassesGas
 
Posts: 5
Joined: Thu Sep 14, 2017 4:48 am
