This Week in Security
August 22nd to August 28th 2022
Jordan here as your editor this week. This week I reviewed the LastPass breach, supply chain security efforts led by the US government, and cryptocurrency bug bounties. Keeping up to date with new technologies, techniques and information is an important part of our role in the F5 SIRT. The problem with security news is that it's an absolute fire-hose of information, so each week or so we try to distill the things we found interesting and pass them on to you in a curated form.
It's also important for us to keep up to date with the frequently changing behaviour of bad actors. Bad actors are a threat to your business, your reputation and your livelihood. That's why we take the security of your business seriously. When you're under attack, we'll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So the next time you are facing a security emergency, please contact F5 SIRT.
Last week, the popular password management company LastPass experienced a data breach. According to the company's blog post, compromised developer credentials were used by an attacker to infiltrate their development environment. At this time we know the attacker was able to obtain source code and "some proprietary LastPass technical information" before the attacker was contained and prevented from moving further. This is an ongoing investigation, so I want to caveat that additional details may come out later which expand the scope of the breach.
While quickly identifying and mitigating an active attack is extremely important, the benefit of designing a product architecture with security in mind from the beginning is what I think deserves a highlight here. A key component of the LastPass product architecture is that they make use of zero knowledge encryption (they call it "zero knowledge security"). Now, the term "zero knowledge security" may sound strange to the uninitiated; it might even make you think they have zero knowledge of security, but this is not the case. Zero knowledge means LastPass doesn't hold the master encryption key (in the form of the master password) that the customer uses to encrypt their data. LastPass only stores encrypted secrets and cannot decrypt them; only the end user can do that. LastPass has zero knowledge of the encryption key used. Since there is no centralized key protecting the data, any breach of the system should only turn up encrypted data. Encrypted data is far less valuable to an attacker, especially since brute-forcing an AES-256 key would take on the order of trillions of years and is not feasible given modern computing constraints.
The key takeaway for LastPass customers is that currently no action is required on your part and your data can be considered safe. The key takeaway for system designers should be that implementing a secure zero knowledge / zero trust architecture from the beginning can minimize the impact of a security incident.
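As an added illustration of the zero knowledge design described above (example code written for this newsletter, not LastPass's own implementation), the client derives a vault key and a separate authentication key from the master password, and the server only ever stores a hash of the authentication key plus the encrypted vault. The e-mail, password and vault contents are constructed, and an HMAC-SHA256 stream cipher stands in for AES-256 so the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import os

# Added example, not LastPass code: the client derives two independent secrets from
# the master password; the server keeps only a verifier for the auth half plus
# ciphertext, never the vault key. HMAC-SHA256 keystream + encrypt-then-MAC stands in for AES-256.
ITERATIONS = 100_000  # constructed; an attacker holding the vault can only guess the password

def derive_keys(master_password: str, email: str) -> tuple[bytes, bytes]:
    # Client side only. Both halves are PRF output, so one reveals nothing about the other.
    raw = hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.encode(),
                              ITERATIONS, dklen=64)
    return raw[:32], raw[32:]  # (vault_key, auth_key)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, b"ctr" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]
def _tag(key: bytes, nonce: bytes, body: bytes) -> bytes:
    return hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(vault_key, nonce, len(plaintext))))
    return nonce + body + _tag(vault_key, nonce, body)

def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(vault_key, nonce, body)):
        raise ValueError("wrong key or tampered vault")  # verify before decrypting
    return bytes(c ^ k for c, k in zip(body, _keystream(vault_key, nonce, len(body))))

def server_register(store: dict, email: str, auth_key: bytes, blob: bytes) -> None:
    # This record is everything the server holds, i.e. all a storage breach can expose.
    store[email] = {"verifier": hashlib.sha256(auth_key).digest(), "vault": blob}

def server_fetch(store: dict, email: str, auth_key: bytes) -> bytes:
    rec = store[email]
    if not hmac.compare_digest(rec["verifier"], hashlib.sha256(auth_key).digest()):
        raise PermissionError("bad master password")
    return rec["vault"]

def demo() -> dict:
    # Client round trip, then what an attacker who copied the server store can see.
    email, password = "user@example.test", "correct horse battery staple"  # constructed
    vault_key, auth_key = derive_keys(password, email)
    store: dict = {}
    server_register(store, email, auth_key, encrypt_vault(vault_key, b"site=bank;pw=hunter2"))
    return {"client_sees": decrypt_vault(vault_key, server_fetch(store, email, auth_key)),
            "leak_holds_vault_key": vault_key in store[email].values(),
            "leak_holds_secret": b"hunter2" in store[email]["vault"]}
```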
Supply chain risk management is a topic that is slowly but surely gaining more traction across many industries. In support of this, the US Cybersecurity and Infrastructure Security Agency (CISA) has kicked off various working groups to help shape the future of the Software Bill of Materials (SBOM). It's important to note that the working groups are not scoped to recommend or influence US government policy; instead, their charter is to facilitate vendor-neutral problem solving and collaboration in specific domains such as Cloud & Online Applications, On-Ramps & Adoption, Sharing & Exchanging, and Tooling & Implementation. While the groups are just starting to scope some of the core problems to solve, I have found the community discussions to be insightful and am excited to see the output from these groups. During a recent meeting, I learned about a few promising technologies for sharing SBOMs, such as the CycloneDX BOM Exchange API and Digital Bill of Materials projects. I was also exposed to an interesting project named GUAC which aims to "create a means to ingest, validate and parse artifact information (i.e. in-toto attestations, SBOM, etc.) from various data sources and represent and store them in a knowledge graph". The complexity of managing multiple SBOMs for a modern enterprise is fundamentally a data management problem, and I believe graph databases are an excellent technology choice for the use case. If you are interested in joining the working groups or the aforementioned projects, please visit the links below.
Ahead of a major event for the Ethereum blockchain commonly referred to as "The Merge", the Ethereum Foundation has raised the bug bounty payouts for critical vulnerabilities to $1 million. This temporary 4x multiplier of their current bug bounty provides a strong incentive for ethical hackers to work at discovering security issues. Performing pre-release penetration testing is a great way to discover vulnerabilities before deployment and a sign of a mature security program. As the Ethereum blockchain migrates from a proof-of-work to a proof-of-stake consensus mechanism, the stakes are high for getting it right and security is one of the top concerns. Perhaps surprisingly, this is not the largest bug bounty payout for vulnerabilities found in the cryptocurrency ecosystem. The largest recent payout went to a vulnerability found in a "bridge", which facilitates transactions across different chains. If successfully exploited, the vulnerability would have allowed attackers to hold "the entire protocol ransom with the threat that the Ethereum Wormhole bridge would be bricked, and all the funds residing in that contract lost forever".
Along with the ethical hackers finding bugs in the cryptocurrency ecosystem, cyber criminals are increasing the frequency of their attacks as well. The US Federal Bureau of Investigation (FBI) recently issued a public service announcement warning that criminals are increasing their exploitation of Decentralized Finance (DeFi) platforms, citing that "between January and March 2022, cyber criminals stole $1.3 billion in cryptocurrencies". Even with the recent downturn in the value of cryptocurrencies, criminals will continue to abuse the ecosystem to seek their fortune, often attacking the trading platforms and smart contracts, as they represent the part of the stack most likely to have an exploitable vulnerability.
A quick congratulations to F5 employee Purvesh Kothari for winning the Girls Hack Village Mobile Hacking CTF at DEF CON 30. Congratulations, Purvesh!