The LastPass Breach: 3 Steps You Need to Take Immediately [Podcast]



LastPass

In August of 2022, LastPass announced that they had been the victim of a cyberattack. The hackers had penetrated their security and stolen some company information, including source code. But, they assured the world, no customer information had been accessed. Fast forward to November 30, and LastPass issued another statement: there had been another breach, and this time, some customer information appeared to have been accessed.

But nothing further. Until December 22, as everyone was leaving for the holidays. LastPass announced that this most recent breach (separate and distinct from the original breach, but likely by the same actors and using information stolen in the first breach) was bad. It turns out that the customer data that had been taken was, well, all of it. The hackers had stolen an entire backup of every user’s vault. Fortunately, LastPass said, the hackers did not have the decryption keys, which meant that the information in the vaults should be reasonably safe.

Except, as it turns out, even that statement of reassurance by LastPass wasn’t exactly… honest.

In this episode of the Fearless Paranoia podcast, we discuss what happened in the LastPass breach, including how the hackers appeared to gain access to LastPass’s user backups, and what kind of information they took. We also discuss what this breach means for LastPass users in general, and provide three things all LastPass users absolutely need to do immediately to keep themselves safe. Check out the episode:

For more information, resources, and a transcript of this episode, check out the original post.

Eufy’s Blunder – Don’t Promise what You Don’t Provide [Podcast]

eufy privacy blunder

Eufy made a name for itself as a video baby monitor company that provided peace of mind – in the form of top-of-the-line security to protect your privacy. It turns out their promises were more than a little bit hollow. When you promise things like end-to-end, military-grade encryption; when you promise things like no data stored in the cloud; when you promise things like only your device has access – those are all major security promises.

When you make those promises about a video baby monitor – one that not only involves a one-way video feed of your child sleeping, but a two-way audio feed (meaning you can talk to your baby from the other room), you had freaking well better know what you’re talking about! And when you’re given information that your security is falling short of those promises by a security researcher, maybe take them seriously.

Oh, and incredibly important extra point here – when a respected tech journal calls and asks for a comment, don’t flatly deny the existence of the problem and then disappear.

Those are all things that happened to Eufy, a subsidiary of the company Anker, this week. It’s bad.

For more information, resources, and a transcript of this episode, check out the original post.

8 Lessons from the Uber Hack [Podcast]

uber hack

So, right from the start, let’s clarify – this is about the Uber hack that occurred (or was discovered/publicized) in September of 2022. In fact, it was a rather unique breach of an oft-breached company. The hacker who breached Uber appears to have used very basic phishing techniques to initially gain access, and then took advantage of – well, I guess you could say the need people have for human communication – to get a remarkable level of access within the company.

It appears that he didn’t steal anything, didn’t seek to make any money. In fact, he documented the breach and then told the world about it.

So how did this person manage to exploit the internal systems of a company that should have some remarkable security – given how much personal information they have on millions and millions of people? We discuss that and more in today’s episode:

For more information, resources, and a transcript of this episode, check out the original post.

The Open SSL Vulnerability – What is it and What Can Be Done? [Podcast]

open ssl

There are key systems that run the basic technology and internet services that we use every day. Many of them have been around, in some way shape or form, for decades. Even more recent versions tend to be based on open-source programming, or built on open-source code. So what happens when it’s discovered that some part of one of those basic systems, the ones that we rely on, a LOT, has a problem?

Open SSL, or secure socket layer, is the basis for a lot of the secure communication on the internet, and has been for years. If you communicate via electronic device, especially if that communication spends any of its time in an encrypted form, you likely use this system. And it’s got a problem. How big? Well, since it’s open source and used by tons of programs and applications, nobody really knows.

In this episode we discuss how you and your business can take steps to protect yourself from this and other major vulnerabilities in critical systems. Or, at the very least, how you can limit or minimize any potential damage.

For more information, resources, and a transcript of this episode, check out the original post.

When is a Cyber War a Real War? [Podcast]

cyber war

When your business, or a business you rely on, is the victim of a cyberattack, there is always a price that you pay simply for being the victim. There are emergency IT costs, data recovery costs, identity theft protection, investigations, lawsuits, and sometime even fines by the government. Most businesses seek out insurance to protect themselves from being completely wiped out by events like this. It’s the reason why cyber insurance policies are so important (and why they’re getting so expensive).

Or at least that’s what we thought before. Before WannaCry. Before NotPetya. Before the types of acts that we had come to attribute to common criminals became the kinds of things nation states started doing instead of (or in preparation for) going to war.

Nation State-sponsored cyber war, even when it isn’t actually part of an actual war, are oftentimes considered to be different than regular cybercrime – particularly by insurance companies. So if you’re collateral damage for some country’s most recent step into cyber war, are you protected?

For more information, resources, and a transcript of this episode, check out the original post.

Pin It on Pinterest