![]() ![]() For example, take these sentences: “My name is Inigo Montoya. A strong password should be long and difficult for someone to guess. – Create a complex, unique password for every account. Here are some best practices we should all follow for our passwords any LastPass user who had taken these steps ahead of time would have been relatively safe during this recent breach. The LastPass breach is a reminder that it is easier to set up safeguards for our most sensitive accounts before a breach occurs than to try to protect ourselves afterward. Here are the lessons we can all learn from this breach to stay safer online. Every LastPass user has that data now in the hands of an adversary.” “I can look at all the websites you have saved information for and use that to plan an attack. “Let’s say I’m coming after you,” Ellis said. “I would consider all those managed passwords compromised.”Ĭasey Ellis, the chief technology officer of the security firm Bugcrowd, said it was significant that intruders had access to the lists of website addresses that people used. “It is very serious,” said Sinan Eren, an executive at Barracuda, a security firm. Many security experts disagreed with Toubba’s optimistic spin and said every LastPass user should change all of his or her passwords. He also said it was users’ responsibility to “practice good password hygiene.” Karim Toubba, CEO of LastPass, declined to be interviewed but wrote in an emailed statement that the incident demonstrated the strength of the company’s system architecture, which he said kept sensitive vault data encrypted and secured. That means hackers would then have to crack the encrypted master passwords to get the rest of the passwords in each vault, which would be difficult to do, so long as people used a unique, complex master password. Most importantly, the master passwords that users set up for unlocking their LastPass vaults were also encrypted. ![]() This would suggest that hackers could know the banking website someone used but not have the user name and password required to log in to that person’s account. It said that some parts of people’s vaults – like the website addresses for the sites they logged in to – were unencrypted but that sensitive data, including user names and passwords, were encrypted. 22, tried to reassure its users that their information was probably safe. LastPass, which published details about the breach in a blog post Dec. Thus, it serves as a stark warning about the consequences of not updating software.First, it’s important to understand what happened: The company said intruders had gained access to its cloud database and obtained a copy of the data vaults of tens of millions of customers by using credentials and keys stolen from a LastPass employee. Once the hacker gained access, they were able to acquire unencrypted data on customers’ account information, including email addresses and phone numbers, as well as a copy of customers’ encrypted password vaults. ![]() The hacker used keylogging malware that was installed on the user’s home computer to “capture the employee’s master password as it was entered, after the employee authenticated with MFA (multi-factor authentication), and gain access to the DevOps engineer’s LastPass corporate vault,” according to LastPass. This shows the attacker was already spying on the LastPass employee and may have thought of other ways to install malware on their computer. It’s vital to note that in order to attack the CVE-2020-5741 vulnerability, the hacker had admin access to the employee’s Plex Media Server account. For reference, the version that addressed this exploit was roughly 75 versions ago”, Plex explains. “Unfortunately, the LastPass employee never upgraded their software to activate the patch. Plex Media Server’s current version is 1. Tenable discovered and reported the flaw to Plex in March 2020, and Plex addressed it in version 1. Without initially acquiring access to the server’s Plex account, this flaw could not be used. The report said setting the server data directory to coincide with the content location for a library for which Camera Upload was enabled would do this. This issue allowed an attacker with access to the server administrator’s Plex account to upload a malicious file via the Camera Upload feature and have the media server execute it”, said PlexSecurity. “We have recently been made aware of a security vulnerability related to Plex Media Server. A deserialization bug hitting Plex Media Server for Windows allows a remote, authenticated attacker to execute arbitrary Python code in the context of the current operating system user. The company officially informed users of the vulnerability, tracked as CVE-2020-5741, (CVSS score: 7.2) in May 2020. Facts of the Massive Data Breach Brought On By Engineers Not Updating the Plex Software ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |