I'm a user of LastPass.com, and there's an issue which I find to be a blatant security problem, but I'm basically getting flamed when I try to discuss it over there. So in this first post in this forum, I'd like to ask the opinion of some outsiders.
LastPass is a password manager where all decryption is local, but is synced to a server with AES encryption. It runs as a browser-plugin. That part is fine.
The issue I'm having is that even though they allow Multi-Factor Authentication, such as YubiKey, you can disable YubiKey simply by clicking in an email that is sent to your main email address. Unfortunately, they refuse to allow this email to be sent to another address, and since you need to have LastPass associated with an email account that you actively use for billing reasons, it means that if you're compromised, I believe that the hacker already has everything he needs to bypass Multi-Factor Authentication, and take over your LastPass account.
When you log into LastPass, you use an email address, which is already printed on the screen, and a password, which you type. It then prompts you for Multi-Factor Authentication (YubiKey), which is checked with the Yubikey servers.
What I'm saying is that if you use a webmail account such as GMail, and you for whatever reason have malware running on your computer, chances are high that you've both had your email account compromised, as well as your LastPass login compromised, since a screencapturing keylogger can easily capture your LassPass credentials, and a man-in-the-browser or some other mechanism can easily take over your email account.
What I'm trying to make them do is either (1) do as eBay, and never print the full email address on the screen, or (2) send the reset-email to another email account than your main one, or via SMS, or via some other channel. Because again, the assumption is that if you have malware on your system, your email will also have been compromised, and then the attacker has everything he needs to disable Multi-Factor Authentication, and then log into your account using the credentials he already has captured.
This is catastrophic, since a LastPass account is likely to hold bank logins, credit cards, server logins, social security numbers, basically your entire life. Given that this attack is untargeted, i.e. the hacker doesn't even have to be looking for LastPass in particular, it could be very devastating.
The arguments coming back from LastPass include:
1.) We're small, we won't be attacked.
2.) Hackers give up after 2 minutes, they won't persevere.
3.) It's just an unrealistic attack, it won't happen.
4.) It's impossible to get anything installed in the browser that will capture your webmail login if the login is done by the password manager, i.e. it's impossible to capture the form submission.
5.) Your firewall will detect the upload of the capture feed.
6.) Your antivirus will catch the install of the malware.
I find that each of these arguments represent enormous denial about reality.
1.) In reality, you'll be attacked no matter what your size.
2.) Hackers don't give up. Many of them are highly paid by organized crime to do this exact work.
3.) It's fully realistic, and is already being done. CitiBank recently suffered great losses from this exact attack.
4.) It seems that if you control the computer, you can install anything anywhere without the user knowing.
5.) The firewall will not capture regular port 80 POSTs. You can easily evacuate data from the computer without triggering a firewall.
6.) Many threats are undetectable when they're new.
Could anyone please tell me where I'm going wrong? I find this attack not just possible, but probable.
July 2nd, 2010, 02:30 AM
Well you do have a point that putting all your eggs in one basket is a problem, but this is not much of a problem for lastpass.com since you rely on a compromised system. I had a longer post but my drunk self fudged up >.< In short though, if a system is compromised by a knowledgeable hacker, your hosed just wipe the thing. A lot of people relay on services that only offer a false sense of security like last pass.
If you broke their encryption scheme, they might listen to you, but merely stating that their service is bad, which from what you said is pretty bad, won't accomplish much. Good luck though
July 10th, 2010, 06:06 AM
I don't use LastPass.com, but from the perspective of two factor authentication, you are entirely correct in your claim that allowing this to be disabled by the registered e-mail address makes the second method of authentication all but completely useless. Since key capture is a common method of stealing user credentials, it is certainly a point of concern with any centralized encrypted wallet service. LastPass.com is actually one of the only services like this that I have seen offering the ability to use TFA, so the problem of a single login and a "key" that must be entered via keyboard to decrypt the digital wallet and expose a fun house of private data is shared amongst many different providers.
If LastPass.com actually made the TFA a requirement which cannot be disabled without a separate form of authentication that is not commonly used as you have recommended, it would probably be a welcome enhancement.
In less words, I believe you are right in stating the issue, but it is common amongst most if not all digital wallet services, so this is really a common design issue and not localized to this particular provider. It is a shame, though, that the TFA is really just fake security in this case.
July 10th, 2010, 10:14 AM
This isn't really an issue of hacking LastPass, more one of hacking their customers' machines.
The real problem is that it is too easy to turn off the token part of the authentication. I find that surprising as given that you have seen the wisdom of TFA, why would you want to disable it?
Which brings us to the obvious point that if you let your system get compromised that is down to you. If you are in the habit of conducting financial transactions over the net, I would suggest a dedicated machine with a hard wired (RJ45) connection to a dial-up ADSL modem. Don't use it for surfing or other stuff.
I don't know how YubiKey works, but the last token I used was from RSA (I think). It reset the single use authentication once every 60 seconds, which did not give a hacker much of a chance as it would be reset a minute later.
July 12th, 2010, 04:04 PM
I went over to the lastpass forums and I'm pretty sure I have read your posts. At least similar post to this one.
The replies seemed straight forward and the explanation on how the password hashes are created and used was well written.
Your question "Where am I going wrong"?
There are two answers IMO. You are not going wrong but:
1. You are working on a premise that there is such a thing as "unbreakable"
2. You have not downloaded and decompiled the binary file that installs the plug-in - nor have you taken said add in apart.
Unless you can create a "Proof of Concept" the argument is null.