This week, I’m going to cover some of the high profile hacks that have happened recently, including Lastpass, Kaspersky, and the White House’s Office of Personnel Management (OPM). My hope is that by learning more, you can avoid being hacked, stay more secure, and know what to do if you have been hacked.
Just as predicted, there have been a huge number of hacks this year, including very notable ones like Lastpass, Kaspersky, and the White House’s Office of Personnel Management (OPM). Here are some lessons learned from those hacks to help you stay more secure, as well as tips for what to do if you’ve been hacked.
The first and most recent hack I want to talk about is in regards to Lastpass. I’ve done a podcast on Lastpass in the past for using it as a way to securely manage your passwords for all of your web accounts and payment information.
First of all, if you are using Lastpass to store your passwords, you should go change your master password right now. Go on, I’ll wait for you ...
Alright and we’re back! On June 15th, Lastpass publicly announced that they had noticed suspicious traffic on the network and stopped it immediately. They assured users that their encrypted data was not taken, and that only user emails, hashed master passwords, and secret questions were stolen. Now, that’s pretty bad for a company whose sole business is to secure your information.
However, it’s not as bad as it could have been. Although information was stolen, the most important part was that the master password was still hashed. If you’re not familiar with how Lastpass works, you basically have to remember one password, which safeguards every other password that you use online.
When Lastpass stores your master password, it hashes it just in case something just like this happens. Without going into the nitty gritty of hashing and cryptography (if you’re interested I have a podcast on that subject), basically the hackers would have to break your hashed master password.
Because Lastpass uses an extremely long and slow hashing function, an attacker who focused on breaking a single user’s hashed password would need an extremely long amount of time. I’m talking hundreds of thousands of years. Without your master password, the hackers would only have your email, security question, and that unusable password, which isn’t much to go off of. Still, it is recommended that you change your password and set up some form of two-factor authentication.
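To make the "slow hashing function" idea concrete, here is an added example (not from the original article and not Lastpass's code) of how a server can store and check a salted, deliberately slow password hash, and how the work factor drives the cost of each guess. PBKDF2-HMAC-SHA256, the iteration count, and all function names and sample passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # assumed work factor for this example, not a figure from the article


def hash_master_password(password, salt=None, iterations=ITERATIONS):
    """Return the record a server would store: salt, iteration count, derived hash."""
    salt = salt if salt is not None else os.urandom(16)  # unique per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_master_password(candidate, record):
    """Re-derive with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def seconds_per_guess(iterations, samples=3):
    """Measure how long one derivation takes on this machine."""
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"constructed-guess", b"\x00" * 16, iterations)
    return (time.perf_counter() - start) / samples


def years_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time to try every password of the given shape."""
    return alphabet_size ** length / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    record = hash_master_password("correct horse battery staple")  # constructed sample
    print("right password:", verify_master_password("correct horse battery staple", record))
    print("wrong password:", verify_master_password("password1", record))
    fast, slow = seconds_per_guess(1), seconds_per_guess(ITERATIONS)
    print(f"one guess: {fast:.6f}s at 1 iteration, {slow:.6f}s at {ITERATIONS}")
    # Constructed password shapes: (alphabet size, length)
    for shape, (alphabet, length) in {"8 lowercase": (26, 8), "12 mixed": (94, 12)}.items():
        years = years_to_exhaust(alphabet, length, 1 / slow)
        print(f"{shape}: {years:.3g} years on this one core")
```

The estimate depends heavily on the password's length and character set and on the attacker's hardware, so a short or common master password gets far less protection from the slow hash than a long random one.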
The next hack I would like to talk about is that of one of the world’s leading research facilities for malware. You are probably familiar with their top notch antivirus solution. While a Kaspersky researcher was doing some work, he noticed some odd network traffic and decided to look into it. Come to find out it was an extremely sophisticated piece of malware that shared similarities with Stuxnet (a virus that was used to slow the Iranian nuclear program).
After a computer was compromised, most likely due to a phishing email, this malware made its way into Kaspersky’s network. Now, let’s be clear, we are talking about one of the world leaders in computer security. This was not your typical network. It would be like comparing robbing a bank to breaking into Fort Knox!
To stay so stealthy, the attack used a combination of Microsoft operating system vulnerabilities, along with stolen digital certificates from the company Foxconn. If this company sounds familiar, well it should, because it makes hardware for a few companies you may have heard of, such as Apple and Dell.
The digital certificate that was stolen was the equivalent of stealing the badge off of a bank security guard. It let the hackers right in because the certificate was trusted. It doesn’t stop there, because once they were in, the hackers took over multiple servers using the certificates and Microsoft vulnerabilities.