LastPass, Mastodon, and AI/ML - Dec 31st - Jan 6th - F5 SIRT - This Week in Security

Editor's introduction

Hello, MegaZone is back this week as our rotation continues. I hope everyone had a good holiday season. Let's hope that 2023 is a good year.

A couple of things I want to plug, in case you weren't aware. All of the This Week in Security articles are tagged, so you can easily find all of them. Actually, there are two tags - TWIS and series-F5SIRT-this-week-in-security. Same results, but TWIS is easier to remember.

Additionally, all of the content created by the F5 SIRT is also tagged with, wait for it, F5 SIRT. That's not only TWIS, but several other articles you may find valuable. Most recently that's included:

Stay tuned for more content from the F5 SIRT, we have a lot in the pipeline.

LastPass

/~ LastPass, oh, I gave you my creds / But the very next day you gave them away / This year, to save me from breach / I'll give them to someone diff'rent ~/

So, what lit the infosec world on fire last week? I know my feeds were full of one thing - LastPass. Sure, technically the new broke just before xmas, but I think the holidays delayed some of the reaction into the new year. The timing was itself the subject of a lot of negative reaction, as some feel like it was deliberately withheld until the Thursday just before xmas in an attempt to bury the news. I'm not sure I agree with that, but it certainly wasn't great that the full extent of the issue, with customer password records being downloaded, was only revealed months after the initial disclosure. The initial disclosure on August 25th, and the first update on September 15th, stressed that the breach was only to the development environment. The next update on November 30th (previously on TWIS) was the first indication that the scope may be larger. But it wasn't until December 23rd that the full scope, including the loss of customer data, was disclosed. Presuming we do indeed now have the full scope, of course.

The infosec fediverse was pretty much non-stop chatter about this, as well as the press, etc. There was some lively discussion about this internally at F5 as well. A lot of people use, or should I say used, LastPass. LastPass has had issues in the past, but then so have most vendors. This time though it was a combination of the extent of the breach and how they handled it that has collapsed the trust for many - myself included. I used to include LastPass at the top of my list of recommended credential managers as it was something most users could readily use, was cross-platform, integrated with browsers well, etc. And their past issues seemed to be handled well enough. But I can no longer recommend LastPass.

I know a lot of security geeks are ready to recommend super-secure systems that you host yourself, don't include syncing, etc. Because I saw plenty of that in the past week. Which is fine if you're that type of user. But for most they need something easy to use and understand - or they won't use it. The most common features I see requested are multi-device, cross platform support - Windows/MacOS, Android/iOS, perhaps ChromeOS, etc. - with syncing between devices. And browser integration for ease of use.

I'm sure I'll get a lot of flak for this, but for many users the password manager built into Chrome or other browsers is probably fine. I heard the groans. I'm aware of the issues, but if the tradeoff is between using bad, but easily remembered, passwords - or the same password everywhere - or using the built-in manager, the latter is the better option. They check many, if not all, of the boxes. If you're a Chrome browser user and use the built-in manager it'll sync across the desktop, Android, and ChromeOS transparently. I'm not an Apple user but I understand their ecosystem is similar via the iCloud Keychain. I can barely get my father to not use the same password everywhere, let alone try to get him to deal with 3rd party password managers.

For users looking to step up I saw a few leading contenders emerge from the discussions:

  • 1Password - This seemed to be the top recommendation for those looking to move from LastPass to a similar commercial product with a better track record.
  • Bitwarden - This was a top recommendation, and it is open-source.
  • KeePassXC - This seemed to be a favorite mostly from the geekier users.  Also open-source.

Note, none of this is an endorsement by F5, Inc, the F5 SIRT, nor even myself. Personally all of the discussions made me curious about Bitwarden, as I haven't previously checked it out, so I'm planning to do that to see what it is like. If you have a favorite password manager, or have feedback on these, leave a comment below.

Mastodon Tramples Twitter

The other big subject of discussion I've seen lately is the continued corrosion of Twitter, and the resulting migration to the Fediverse. I don't want to get into the politics here, though I certainly have my opinions, but from a strictly functional standpoint I've been getting far more errors from Twitter in the past couple of months than for the previous several years. Error messages, content not loading, links failing, etc. It is kind of painful. But the security connection is somewhat meta - a huge swath of InfoSec professionals who used to be active on Twitter have pulled stakes and moved to the Fediverse, mostly various Mastodon instances. And primarily, at least for my circles, that's Infosec.Exchange and DefCon.Social. It is social media, and if the people I want to follow and interact with are moving, that's a reason for me to do so as well - so I did.

I'm not saying anyone needs to abandon Twitter - I still use my account mainly to follow those friends who remain there even if I've all but stopped tweeting myself. But if you do want to follow a lot of the activity in InfoSec social media circles I'd suggest at least checking it out. There are some useful tools and guides to help you get started:

There are several tools which can help you find your Twitter connections in the Fediverse:

You can also turn your Twitter archive into HTML with this tool Darius Kazemi.

I've been around long enough to have gone through BBSes, mailing lists, USENet, SixDegrees, Friendster, MySpace, Orkut, Google+, LiveJournal, etc. This is just one more evolution. I know there are other guides and tools, feel free to share your favorites in the comments. But let's try to keep it civil and not get into political arguments, etc. They're just tools and people can use whatever works for them.

The Robot Uprising

As we kick off 2023 there has a been a lot of chatter about artificial intelligence (AI), machine learning (ML), and the impact on information security. (Also a lot of chatter about 'AI Art', but that's a different, if loosely related, issue.) It is easy to dismiss AI/ML as sci-fi/fantasy content, something we don't have to worry about for a long time. But the future arrives sooner than you expect it to, and the models used by these systems are growing by orders of magnitude very, very quickly. GPT-3 has already been used to create working exploits, as well as analyze existing code - including obfuscated and decompiled code - for vulnerabilities. And GPT-4 is expected to be vastly more sophisticated and capable.

A few of our team members have been playing around with ML tools, including ChatGPT, and the results have been interesting, even surprising. Sometimes they do swing very wide of the mark, but a lot of the time they're producing pretty solid output. If not 'ready-to-use', at least a major leg up with some finishing work required. And, as I said, the models used by the various tools continue to improve at an astounding rate and the tools themselves continue to be refined. This will change the infosec landscape, for both attackers and defenders, and you ignore it at your own peril. I was fairly skeptical until recently, but I've come around after seeing some of the results. This is definitely a space to watch, and be ready to adapt to.

AI/ML is coming and it will shake up a lot of industries, for better and for worse. This is beyond lazy students trying to get ChatGPT to write essays for them. Be it art, content creation, or infosec, AI/ML is coming to shake things up. And, to quote Ani DiFranco, "Every tool is a weapon - if you hold it right."

 

Updated Jan 17, 2023
Version 2.0
  • Thanks for this week's roundup, MegaZone!

    I've been using Bitwarden for a few years and for me it's the best tool for password management. It's "free" but I donate to the project because it's so good and I want to help the project thrive.

    Thanks for the Mastodon links. I've been on the fence about diving in but I'll check those out and possibly give it a try.

    So far I've mostly just played around with ChatGPT but there have been two use cases where I was looking for some real help and I was impressed with the results.

  • I've used and recommended LastPass for so many years I can't even count. Many in my family use it as well. The *techie* in me sees a good reason to go try BitWarden or similar but the realist says:

    • Well - I do have a solid/compliant master password.
    • It took *SOOO* long to get the family accustomed to using it (and *suffering* the convenience tradeoff with security. The thought of dropping LastPass in favor of a different tool will be very painful.

    Something I haven't heard addressed; If the horse is already out of the barn and my private notes are already *in the wild* (albeit encrypted...so they say) then putting all my information into yet another resource seems like an additive risk rather than an improvement.
    I'm not one for *supporting* abject failure in a company but...Is the other guys' tech just THAT much better? Is the risk of compromise THAT much lower as to justify pulling the plug on one service for the other?

    I suppose if there is a real and continuing risk of further exposure - but I've also not heard that as being the case.
    "I'll take my answer off the air."

  • LiefZimmerman At this point the horses are out of the barn.  Nothing you do will help with that other than changing your credentials for every site, or at least the important ones, that you had saved in LastPass.  It is a fixed point in time - whatever they grabbed can be brute forced at their leisure, forever.

    At this point I would have to give a solid yes that other providers are better.  LastPass has had multiple breaches over the years, but this one exposed some pretty poor security practices on their part.  On top of the bad practices the way they handled the breach was just not acceptable, and more information continues to trickle out that just makes it worse.  As a security professional LastPass has burned every last ounce of trust I had in them - and I recommended them for many years and had used them myself.

    Since you really need to chance credentials anyway, to be safe, you may as well switch to a new tool before changing them.