Firewalls Don't Stop Dragons Podcast

SPECIAL: LastPass Breach

Right before Christmas, LastPass dropped a bombshell report explaining that bad actors appeared to have made copies of LastPass users’ encrypted password vaults. The information was a little short on key details, probably indicating that the investigation is ongoing and we will learn more in the coming weeks. However, we have already learned enough to know that the data breach did leak some important metadata contained in people’s password vaults and that any users who had less-than-secure master passwords should be worried that the encrypted contents may now be vulnerable to disclosure. That is about as bad as it gets. Today I will speak with a cybersecurity and authentication expert from CISA about this breach: what we know, what we don’t know, what we should learn from the incident, and (most importantly) what LastPass users should do about this.

Bob Lord is a Senior Technical Advisor for the Cybersecurity and Infrastructure Security Agency (CISA) and former Chief Information Security Officer (CISO) for Yahoo. 

Interview Notes
  • SPECIAL REPORT: LastPass Breach: https://firewallsdontstopdragons.com/special-lastpass-breach/
  • Twitter thread investigating what’s encrypted and what’s not: https://twitter.com/UK_Daniel_Card/status/1606012536582656000
  • Write-up by a security researcher: https://www.pwndefend.com/2022/12/24/lastpass-breach-the-danger-of-metadata/
  • Mastodon technical thread #1: https://mastodon.social/@[email protected]/109585049690097599
  • Mastodon technical thread #2: https://infosec.exchange/@WPalant/109590750504031700
  • My “diceware” passphrase generator: https://d20key.com/ 
  • My blog on creating strong passphrase: https://firewallsdontstopdragons.com/how-when-to-use-a-passphrase/ 
  • How to make stronger passwords: https://firewallsdontstopdragons.com/need-a-bigger-password-haystack/ 
  • Classic XKCD cartoons on passphrases: https://xkcd.com/936/ 
  • Consumer Reports Security Planner: https://securityplanner.consumerreports.org/
  • Further Info
    • Follow me on social media: https://firewallsdontstopdragons.com/contact/
    • Send me your questions! https://fdsd.me/qna
    • Support me! https://fdsd.me/support
    • Subscribe to the newsletter: https://fdsd.me/newsletter
    • Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book

Table of Contents

Use these timestamps to jump to a particular section of the show.

  • 0:00:47: Ep300 giveaway updates
  • 0:03:15: Interview setup
  • 0:08:17: What do we know about the LastPass breaches?
  • 0:13:25: Were all LastPass users affected?
  • 0:15:03: How is my LastPass data secured, exactly?
  • 0:19:53: What is PBKDF2 and why are iterations important?
  • 0:23:10: Did LastPass increase the iterations for all users over time?
  • 0:26:46: Is any information in my password vault not encrypted?
  • 0:29:35: How do I know if my vault password is strong enough?
  • 0:36:13: What if I didn’t have a strong vault password? What should I do?
  • 0:41:47: Do we have any evidence that people’s vaults have been cracked?
  • 0:45:34: Did LastPass handle this properly?
  • 0:50:50: What can the government do to help here?
  • 0:53:30: Should LastPass users switch to a different service?
  • 0:57:11: Will passwordless authentication solve this problem?
  • 1:01:03: What are the key take-aways here?
  • 1:02:37: My take on the breach and what you should do about it
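The offline attack behind the questions above (why PBKDF2 iterations matter, and how strong a vault password has to be), as an added example that is not part of the original show notes and is not LastPass's own code. It derives a vault key with PBKDF2-HMAC-SHA256, runs a dictionary attack against a stolen check value at two iteration counts, and estimates how long a six-word diceware passphrase would hold up. The salt choice (lower-cased account email), the verifier the attacker tests guesses against, the two iteration counts and the attacker's hash rate are assumptions labelled in the code; the sample email, passwords and wordlist are constructed.

```python
"""Added example, not code from the podcast or from LastPass.

Models the offline attack on a stolen, encrypted password vault and the
two things that decide its outcome: the PBKDF2 iteration count and the
strength of the master password.

Assumptions (not from the episode): the vault key is PBKDF2-HMAC-SHA256
over the master password with the lower-cased account email as salt, and
the attacker can recognise a correct guess via a hypothetical 32-byte
verifier (one extra SHA-256 of the derived key). A real attacker would
instead try to decrypt vault entries and look for plausible plaintext;
the cost per guess is the same either way.
"""
import hashlib
import hmac
import math
import time

DKLEN = 32  # AES-256 vault key size (assumption)


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: each guess costs the attacker `iterations` HMACs."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), iterations, dklen=DKLEN)


def verifier_for(vault_key: bytes) -> bytes:
    """Hypothetical check value the attacker tests guesses against."""
    return hashlib.sha256(vault_key).digest()


def crack_offline(verifier: bytes, email: str, iterations: int, wordlist):
    """Dictionary attack on the stolen verifier.

    Returns (password or None, guesses tried, seconds elapsed).
    """
    start = time.perf_counter()
    for guesses, candidate in enumerate(wordlist, start=1):
        key = derive_vault_key(candidate, email, iterations)
        if hmac.compare_digest(verifier_for(key), verifier):
            return candidate, guesses, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start


def passphrase_entropy_bits(word_count: int, dictionary_size: int = 7776) -> float:
    """Entropy of a diceware passphrase: each word is one of 6^5 = 7776 equiprobable choices."""
    return word_count * math.log2(dictionary_size)


def expected_crack_seconds(entropy_bits: float, attacker_hmacs_per_sec: float, iterations: int) -> float:
    """Expected time to hit the right guess: half the keyspace at (HMAC rate / iterations) guesses/s."""
    guesses_per_sec = attacker_hmacs_per_sec / iterations
    return (2.0 ** (entropy_bits - 1)) / guesses_per_sec


# Constructed sample data for the demo (not real accounts or real leaked values).
EMAIL = "[email protected]"
WEAK_MASTER = "dragon123"
STRONG_MASTER = "cactus-orbit-maple-vivid-plume-tundra"  # six random diceware words
WORDLIST = ["password", "123456", "letmein", "dragons", "dragon123", "Summer2022!"]
ITERATIONS = {"low count": 5000, "higher count": 100100}  # illustrative values, assumption
ATTACKER_HMAC_RATE = 1e10  # assumption: a GPU rig doing 10 billion HMAC-SHA256 per second


def main():
    bits = passphrase_entropy_bits(6)
    for label, iters in ITERATIONS.items():
        weak_ver = verifier_for(derive_vault_key(WEAK_MASTER, EMAIL, iters))
        found, guesses, secs = crack_offline(weak_ver, EMAIL, iters, WORDLIST)
        print(f"{label:>12} ({iters:>6} iters): weak master cracked={found!r} "
              f"after {guesses} guesses in {secs * 1000:.0f} ms "
              f"(~{guesses / secs:.0f} guesses/s on this CPU)")
        strong_ver = verifier_for(derive_vault_key(STRONG_MASTER, EMAIL, iters))
        found, guesses, _ = crack_offline(strong_ver, EMAIL, iters, WORDLIST)
        print(f"{'':>12}  strong passphrase cracked={found!r} after {guesses} guesses")
        years = expected_crack_seconds(bits, ATTACKER_HMAC_RATE, iters) / (365 * 24 * 3600)
        print(f"{'':>12}  6-word diceware ({bits:.1f} bits) at {ATTACKER_HMAC_RATE:.0e} HMAC/s: "
              f"~{years:.1e} years expected")


if __name__ == "__main__":
    main()
```

Run it and the weak password falls at both iteration counts; the higher count only makes each guess about twenty times slower, which is what iterations buy you: time, not safety. The six-word passphrase is not in any wordlist and, at 77.5 bits, stays out of reach of brute force at any iteration count an attacker is likely to face. Once the ciphertext is in an attacker's hands, the master password's entropy is the only thing that still protects the vault.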
Firewalls Don't Stop Dragons Podcast, by Carey Parker