LastPass Breached But Don’t Give Up On Your Password Manager

In the news recently has been that the password manager service LastPass was infiltrated and password vaults were stolen. The gist of it is that attackers were able to gain access to the company’s development environment and, by extension, raid a backup environment for customer password vaults.

Understandably a lot of people out there who have used LastPass will be very worried. Within the IT profession, questions will begin over how this happened and how we should respond when consulting. From my perspective this isn’t a post to defend LastPass, explain the attack or analyse what they should’ve done. That’s a whole separate subject and, whilst those questions are important, what I’m going into here is the general theory of password managers, the immediate impact of the data loss on users and the potential security responses to it.

In the LastPass hack the vaults were stolen, but much of the data in them was encrypted. In the December 22nd post from Karim Toubba the stolen data is described as:

The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

Karim Toubba, LastPass, December 22nd 2022

The attacker was also able to retrieve customer account details such as email addresses, billing addresses, phone numbers and the IP addresses that were used to access the vault. Whilst it might appear that customers got off lightly, this data is still sensitive and we’ll come back to that in a bit.

Concerning the stolen vaults, each one was protected with AES-256 encryption using a key derived from the user’s master password. If users went with the security defaults of a 12-character password and 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2) then it would take a considerable amount of processing power – potentially millions of years with the technology currently available commercially – to crack a properly secured vault. The attacker would have to keep hold of the trove long enough for a weakness to be found, or wait for the right computing power to become available, by which point the data could be useless anyway.
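To make the two numbers in that paragraph concrete, here is an added example (not LastPass’s code) that stretches a master password with PBKDF2-HMAC-SHA256 at 100,100 iterations and works out how the iteration count and password length translate into attacker effort. The sample password, the salt and the guess rate are constructed assumptions; the page does not describe LastPass’s salt scheme.

```python
"""Why PBKDF2 iterations and master-password length matter for a stolen vault."""
import hashlib
import time

ITERATIONS = 100_100      # default iteration count quoted in the post
KEY_BYTES = 32            # AES-256 key length
PRINTABLE_ASCII = 95      # alphabet size assumed for a random 12-char password

SAMPLE_PASSWORD = "Tr0ub4dor&3!"      # constructed 12-character master password
SAMPLE_SALT = b"user@example.com"     # constructed salt (assumption, not LastPass's scheme)


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = ITERATIONS) -> bytes:
    """Stretch a master password into a 256-bit vault key with PBKDF2-HMAC-SHA256.

    Every candidate password an attacker tries offline costs exactly this much
    work, which is the whole point of a high iteration count.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_BYTES)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Time one derivation (one offline guess) on this machine, averaged."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key(SAMPLE_PASSWORD, SAMPLE_SALT, iterations)
    return (time.perf_counter() - start) / samples


def search_space(length: int, alphabet_size: int = PRINTABLE_ASCII) -> int:
    """Number of candidates for a uniformly random password of this length."""
    return alphabet_size ** length


def years_to_exhaust(length: int, guesses_per_second: float,
                     alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Worst-case years to try every password of this length at a fixed rate."""
    seconds = search_space(length, alphabet_size) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def report() -> None:
    per_guess = seconds_per_guess(ITERATIONS)
    print(f"one guess at {ITERATIONS:,} iterations: {per_guess * 1000:.1f} ms")
    # 1e9 guesses/s is a deliberately generous attacker budget for PBKDF2 at
    # this cost; even so, 12 random characters lands in the millions of years.
    for length in (8, 12):
        print(f"{length}-char random password at 1e9 guesses/s: "
              f"{years_to_exhaust(length, 1e9):.3g} years")
    ratio = seconds_per_guess(ITERATIONS) / seconds_per_guess(1_000)
    print(f"cost of {ITERATIONS:,} iterations vs 1,000: about {ratio:.0f}x per guess")


if __name__ == "__main__":
    report()
```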

Based on what LastPass has said I would remain cautious, but anything hyper-sensitive in the vault such as email accounts, banking or financial accounts, social media accounts and medical accounts I would change immediately as a swift precaution.

As touched on above, however, the customer account data was not kept encrypted. Arguably the biggest risk LastPass users now face is that the attacker has enough information to run targeted phishing against victims, either to get the master password for the vault or the passwords for specific websites of interest they’ve identified.

My recommendation on password managers still stands the same and that is to combine a password manager with a separate multi-factor authentication (MFA) tool for the vault and the logins it contains. At the moment my favoured tools are Bitwarden combined with YubiKeys. An important note on what I’ve just said there: I do not use Bitwarden to store MFA codes. Whilst I think it might be a good idea to add MFA codes to a vault if you for some reason have to share the account with a team, on balance they really should be separate. Also a good point to make is that MFA backup codes don’t belong in the vault either.

YubiKey. Tethered to an old Intel Xeon so it can’t escape.

Yes, there is a considerable argument that an offline password management tool like KeePass is a much safer option, but that in itself brings its own problems. What happens if you lose the vault and your backup is insufficient? What happens if you can’t get to the vault in a critical moment because it’s not on your person? What if the vault is stolen from you and you didn’t apply security practices as good as you thought? As always with security it’s a battle between doing the most secure thing and the most convenient option. Personally I stick with the online option so I don’t have to worry about any of this.

In short: don’t give up on password managers. The benefits of having one far outweigh going back to a shared password for all your accounts. As long as LastPass users had a decent master password on their vault, applied MFA to sensitive accounts, changed passwords for anything hyper-sensitive and, most critically, watch out for phishing attempts, then I would hope that victims will remain safe from mass attacks.

I Survived Consulting in 2022

That’s it for 2022. I packed away my work laptop and phone after submitting my final timesheet of the year. Overall it’s been a great year working hard, responding to the challenges of modern working and supporting organisations whatever their mission may be.

Lots happened for me in 2022. Professionally I ascended to membership of the British Computer Society, passed a few Microsoft exams and also formally adopted permanent working from home. In my private life I helped pull off a successful beer festival and bonfire as part of Mirfield Round Table, I got close to my goal of swimming 10k by swimming…9k…but I also had my heart broken a couple of times :’-(.

Key Anticipations for 2023

It’s getting a lot cloudier out there. For my part in this I’m going to be focusing a lot more on cloud hosted applications, whether that be lifts n’ shifts to public cloud VMs or migrating clients to cloud native solutions. Fact is they don’t want anything “on-prem” anymore. Fine by me.

I also anticipate we’ll be talking more about general ethics in IT. Whether that be privacy concerns, making the profession more inclusive or ensuring that we are safeguarding the planet for future generations we do have our work cut out for us and it’s critically important we rise to that challenge.

We’re also inevitably going to see a lot more challenges regarding security, stability and connectivity. As we move (arguably) from the “Wintel” desktop and server world to one that’s more cloud native and ARM powered we will see opportunities and problems arise. A constant challenge of mine is getting applications into the hands of users in a variety of settings, devices and conditions. My personal challenge for 2023 and beyond will be to make sure I can do that for people who aren’t “Wintel native”.

However your 2023 looks I wish you a Merry Christmas and a Happy New Year.

Letting Go…

Last week I was involved in a brutal massacre. A total of 10 innocuous work shirts were killed off (alright, taken to the local charity shop). In view of the fact that some of us in IT aren’t going back into the office anytime soon – if ever – it made absolutely no sense keeping the offending unoffenders only to take up the wardrobe space. Give everything a purpose right? They have therefore been retired. Forcibly.

Le Victims

What’s next for workplace fashion you ask? No idea to be honest. Polos, T-shirts, jeans, hoodies, everything I never thought I could get away with are now all normal work attire. Just as long as you’re presentable on video calls you can do it. The dream has been realised. Irons and ironing boards everywhere quake in fear of what happens next.

Ubuntu 21.10 “Impish Indri” Released

This week’s big release has been Ubuntu 21.10 codenamed Impish Indri. This is an interim release with 9 months of support from Canonical.

Very impish, very indri.

There are lots of changes to talk about here. This release brings Linux Kernel 5.13, Firefox as a snap by default, GNOME 40 with horizontal workspaces as well as tweaks to the UI, touchpad gestures and zip password support in Nautilus as a few examples.

I’ve installed this to my Dell XPS 9360 this week. So far I’m really liking the horizontal workspace change. It’s admittedly a feature I’ve never got used to working with for Ubuntu and Windows alike but I’ve decided to give it another go.

The change to Firefox as a Snap app is a controversial choice given the reception of snaps. Personally I’m not noticing much of a difference and so long as security updates come in on time I don’t think I’ll be too bothered about it.

You can upgrade your existing Ubuntu distribution to 21.10 now but if you haven’t tried Ubuntu now’s a really good time to Download Ubuntu 21.10 and see it for yourself. As before if you get the torrents I’ll be pleased to serve you the bits.

Windows 11 Launch Next Week

Microsoft will be releasing Windows 11 on October 5th 2021. The anticipated OS will bring a fresh look and core improvements to the operating system.

I have not yet used Windows 11 myself, however initial impressions are that the revised user interface looks smart and overall more cohesive than before. I also hope that the vision for the development of the OS is more complete. I felt that Windows 10 ended up more of an “us too!” project following trends set out by other OSes instead of a focused goal to improve the OS that we all work and play on. Let’s not forget release 1803.

This will be the first Windows OS since Windows Vista that I’ve not upgraded to on release. This is regrettable, however it’s down to the fact that I haven’t upgraded hardware, first due to Spectre & Meltdown and then the COVID-19 pandemic, and thus have no hardware that can support it. For all the controversy over the TPM and processor requirements I think these are becoming overblown. A TPM should be available as part of any recent PC or easily obtainable through an add-on module. The processor requirements increasingly look like a performance question when virtualisation based security is active. Older devices have to emulate the CPU instructions that HVCI needs, thus incurring a performance penalty. It is absolutely the wrong timing for Microsoft to push steeper requirements. It’s absolutely not the best time to be adding to e-waste issues by encouraging users to throw out hardware. Fortunately Windows 10 will still be available and supported.

I really do feel that we’re in a different world now. Your primary computer and mine are arguably no longer a Windows machine but the phone you’ve got in your hand. For that reason I won’t be chasing the latest and greatest Windows release.

Ubuntu 21.04 Released

Canonical have today released Ubuntu 21.04 dubbed Hirsute Hippo (apparently that means “hairy”). This is a short-term support release with 9 months of updates to be had.

Ubuntu 21.04 Hirsute Hippo
Hairy Indeed

There are a number of changes including support for joining Microsoft Active Directory, support for the Wayland server by default and a visual refresh among other things. Of course you’ll also be getting a more recent version of the Linux Kernel, specifically 5.11.

I have yet to get my trusty XPS 13 out to commence an update but if you get the torrents you’ll be served by yours truly from my NAS whilst I go visit the pub for the first time in about 5 months.

Will Acorn End Up Winning the PC War?

We’re probably all aware by now that a certain fruity tech company has decided to jump the Intel ship for their laptop and desktop lines after pleasing results in the phone and tablet markets. Mac fans, reviewers and interested tech peeps have been receiving the first machines powered by the M1 chip and the initial reviews have been intriguing to say the least.

Remember this?

There was a lot of hype around the Apple event on November 10th, 2020 and then a lot of scepticism around the performance claims. Performance numbers were missing and comparisons were made to older Mac hardware running previous generation Intel processors. When the store went live concern was voiced regarding memory topping out at 16GB. I understand you creative types need a lot of it. The memory and storage upgrade prices are also absolutely appalling to my delicate Wintel eyes. It costs £200 to double the storage from 256GB to 512GB or 512GB to 1TB. 2TB will set you back £800. Not a completely fair comparison but you could have yourself two 2TB NVMe SSDs for that price.

Initial reviews suggest that the hype is actually real. I’ve been skim reading reviews and Apple has apparently delivered. This news has made me happy for a number of reasons. The PC market needs a shake up and the Wintel stranglehold in both the PC and server market needs challenging. But there’s also another nostalgic reason I’m reminiscing about.

Some of you may remember the old Acorn computers at school. Back in my day we had one Acorn computer per class of around 30 kids. I don’t exactly remember what model of Acorn they were but it was the first computer I got to use. There were many crude drawings made in the paint program and there was a cool game about setting sail as Christopher Columbus to try and find America which nobody beat mostly due to crew mutinies and inclement weather leading to a sinking (should anyone remember the name of the game and have a link please comment as I would love to play it again).

Eventually by the time I reached year six (age 10) someone found some spare pennies in the budget and so the venerable Acorns were replaced by Intel powered Windows 98 machines at my school. Acorn computers eventually disappeared from the market but their ARM Holdings subsidiary lived on to become the dominant designer of CPU architectures in the world. Although not owned by a UK shareholder any more I am thrilled that a home grown company has reached the top in the tech world.

The long term question will be how this affects the PC from this week. I have had doubts about the Microsoft ecosystem both consumer and business when it became apparent that the mobile strategy was being abandoned and eventually when the “next” Windows (i.e: Windows 10) was sold to the market as a service and not a product. There doesn’t seem to be much interest in the store and UWP is met with arguable hostility as well. Microsoft’s focus under Satya Nadella has been cloud and Windows is looking very much vulnerable to a changing world. People’s main drivers aren’t their PCs or laptops any longer. It’s their phones and Microsoft decided to abandon that race long ago.

I was considering a new Ryzen based PC build to replace my ageing Intel Core i7 6800K, GeForce GTX 1080 Founders Edition, 32GB DDR4-2400 RAM, 1.75TB SATA SSD system but current events conspire against me as things seem to be in short supply. With Apple bringing ARMageddon (sorry) however, what does that mean for PC gaming builds anyway? There’s a cool video that’s been posted* with someone testing editing a 144 track Billie Eilish song in Logic Pro fully loaded with plug-ins on both a basic M1 Mac Mini with 8GB RAM and a 10-core i9 iMac with 64GB RAM. I don’t fully understand what I’m looking at but apparently it’s surprising that the M1 Mac Mini can handle it at all. If Apple gear can also deliver similar value for gaming, well, what do I need this tower for?

There’s not a lot of sense in jumping to conclusions about all this yet but the shake-up appears to have happened and it would appear that Acorn is going to win the PC war after all.

*I won’t post the link as it’s hosted by a company I don’t like for tax evasion, privacy, lobbying and many other reasons.

Did Gov.uk Really Use an Excel Sheet To Track COVID-19 Cases?!?!

I’m going to let the whole thing settle down before I jump to any conclusions because let’s face it that’s as much exercise as some armchair political pundits have had for the whole crisis. I’ve also just had to peel myself from the ceiling reading a Reddit comment describing databases as “one of the lowest forms of computing”.

Take a deep breath. The UK government failed to disclose circa 16,000 cases of COVID-19, allegedly because of a technical problem that turned out to be that the Excel spreadsheet they were using had surpassed the 1,048,576 row limit in Excel.

No I don’t know either.

I usually steer clear of politics but seeing as we have spent around £11 million quid on the initial contact tracing app, which didn’t even work, I feel like it’s all becoming a bit of a farce over there. Thank goodness Dido Harding is at the head of the new alphabet soup in charge of public health in England otherwise we’d be really in dire straits now.

Like I said before I’m absolutely not jumping to conclusions. I’m getting my exercise elsewhere and I’m coming on leaps and bounds with my sarcasm problem.

I’ve Been an IdIoT

From time to time we have to be the family’s IT support. It comes with the profession. Today I had work to do for Mum and Dad. The CCTV just wasn’t working. They were going on holiday, hadn’t checked the cameras in a while but they weren’t accessible from their phones. They really wanted them back before they went away.

The tell-tale signs quickly became apparent after I logged in to the NVR (Network Video Recorder), which is a Dahua model. The camera list read “HACKED”, “CHANGE”, “FIRMWARE”. The issue with the device falling off the network turned out to be that a deliberately faulty IPv6 address had been set, which also knocked out IPv4 communication.

Best I can tell they had fallen victim to an attack that appeared back in 2017. The default super user account for this NVR is ‘88888888’ and the default password is ‘888888’. Last time I’d checked out the CCTV I noticed this was in place and I really should have changed it. On Dahua NVRs this super user account should not be accessible remotely. The system should check whether the access request was made locally or remotely and, in the latter case, deny access accordingly. The flaw apparently is that this check isn’t properly done. The article linked also references a Facebook post which suggests that using Dahua’s DDNS also made it easy for the attackers to identify and target vulnerable devices. My parents were indeed using Dahua’s DDNS.

In other words the system was a sitting duck on the internet.

I can only assume someone out there has written a script to look for vulnerable Dahua devices exposed to the internet, log in via the admin account using default or easy to guess passwords and then apply setting changes to forcibly remove these devices off the internet. Malicious but also a public service. The device runs an embedded version of Linux and could have easily ended up part of a botnet if hacked firmware was uploaded.

To resolve the attack I reset the unit to factory defaults, uploaded new firmware to both NVR and cameras then set accounts with strong passwords using the XKCD method. I do not have a high trust of IoT devices but not being particularly happy about going up a ladder to replace the cameras this was the best I could do.

It should be noted that Dahua’s website is diabolical for finding firmware updates. You cannot just search a model number to find the device and associated firmware. I needed to check a load of firmware releases to see which ones were pertinent. I had a few attempts with what I thought was correct firmware but apparently wasn’t. I am thankful that the devices can do checks of the firmware to be installed because the risk of bricking the devices in this scenario is real.

In the industry we all know the lessons and we all recognise that when a chain of events starts happening and doesn’t get stopped the results can be catastrophic. In the case of my parents I assume someone shut off network access deliberately, but the reality is that someone could’ve used the CCTV access to determine that nobody was in the house. The cameras point to the drive where their cars are parked after all.

Let’s conclude it by reiterating the standard points:

  • Default passwords (and arguably account names) aren’t acceptable for an internet facing device. I had an opportunity to change it and I didn’t. Whilst the admin account should not have been accessible remotely, it was, thanks to a firmware flaw. Changing that password could’ve stopped this attack in progress.
  • Firmware updates need to be done as often as they become available. Security issues happen. Pobody’s nerfect right? As soon as those vulnerabilities and fixes become apparent they need to be tested and deployed.
  • Trust is a weakness and no trust is owed to the average IoT device. The industry is notorious for bad security practices and abandoning devices within a short lifecycle. Ideally these devices shouldn’t be left open on the internet but placed behind a VPN where the access can be defended slightly better. That’s not a practical solution for most home networks so there must be an accepted risk.
  • I will reserve judgement on using a DDNS. The CCTV was registered with a *.dahuaddns.com address which I suppose makes it pretty easy to focus an attack if you can narrow it down to specific devices or a single manufacturer. I would suggest using a static IP instead but my parents’ ISP does not offer this. Comment below if you have anything to offer on this as I don’t know how much safer you are with a custom DNS.
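To tie the local-versus-remote check described earlier to the lessons in the list above, here is an added example (not Dahua’s code or API) that enforces a local-only rule for the super user account and audits a configuration export for the factory credentials, remote access on that account, a vendor DDNS name and the channel labels left behind. The dictionary layout, the LAN ranges and the sample export are constructed assumptions; a real NVR export looks different.

```python
"""Audit an NVR configuration for the failure modes described in the post."""
import ipaddress

# Factory super user credentials quoted in the post.
FACTORY_CREDENTIALS = {"88888888": "888888"}
# Accounts that must only ever be usable from the local network.
LOCAL_ONLY_ACCOUNTS = {"88888888"}
# Channel labels the intruder left on the NVR in the post.
TAMPER_LABELS = {"HACKED", "CHANGE", "FIRMWARE"}

# Constructed sample export mirroring the compromised state described above.
SAMPLE_CONFIG = {
    "lan_networks": ["192.168.1.0/24"],
    "accounts": [
        {"name": "88888888", "password": "888888", "remote_enabled": True},
        {"name": "family", "password": "constructed-strong-passphrase"},
    ],
    "ddns_hostname": "example.dahuaddns.com",
    "channels": ["HACKED", "CHANGE", "FIRMWARE", "Driveway"],
}


def is_local_request(client_ip: str, lan_networks) -> bool:
    """True only when the source address (v4 or v6) is inside a configured LAN range."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in lan_networks)


def may_log_in(account: str, client_ip: str, lan_networks) -> bool:
    """The check the post says the firmware should perform.

    A local-only account is refused from any address outside the LAN,
    regardless of whatever remote-access flag the configuration carries.
    """
    if account in LOCAL_ONLY_ACCOUNTS and not is_local_request(client_ip, lan_networks):
        return False
    return True


def audit(config: dict) -> list:
    """Return human-readable findings for the risks listed in the post."""
    findings = []
    for acct in config.get("accounts", []):
        name, password = acct["name"], acct.get("password", "")
        if FACTORY_CREDENTIALS.get(name) == password:
            findings.append(f"account {name!r} still uses the factory password")
        if name in LOCAL_ONLY_ACCOUNTS and acct.get("remote_enabled"):
            findings.append(f"local-only account {name!r} has remote access enabled")
    host = config.get("ddns_hostname", "")
    if host.endswith(".dahuaddns.com"):
        findings.append(f"DDNS name {host!r} advertises the device vendor")
    for label in config.get("channels", []):
        if label.upper() in TAMPER_LABELS:
            findings.append(f"channel label {label!r} matches a known tamper marker")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```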

I’m A Mechanical Man

This week I was supposed to be on holiday in Cornwall eating pasties and drinking Korev beer. Sadly COVID-19 has put a stop to that for now. Not to worry because Command & Conquer Remastered was released last week and I decided it would be a great way to fill some of the time off I have from work.

I first played Command & Conquer: Red Alert on my cousin’s PlayStation. It was the first strategy game I had ever played and I was hooked despite the pad being absolutely terrible for these kinds of games. I then got hold of Command & Conquer for the PC, then Red Alert and the expansions, then everything up to the disappointing C&C 4 back in 2010 which was the last entry in the series. Needless to say Real-time Strategy (RTS) games have been my favourite and C&C my most beloved game series of them all. I’ve played a lot of the greats: Age of Empires, StarCraft, Total Annihilation, Total War, Civilization, Dawn of War. Not one of them in my opinion has ever come close to the classic blend of “thrills, spills and kills” (plus Frank Klepacki’s top notch soundtracks and the B-Movie FMVs of course).

I was very excited back when C&C Remastered was first announced and I’ve been following its development fervently. EA sought assistance from the original Westwood team that went on to establish Petroglyph and also Lemon Sky Studios, who have lent their talents to other remasters in the art department. Frank Klepacki provided the remastered soundtrack to both Tiberian Dawn and Red Alert as well as joining forces with live act The Tiberian Sons to add their cover tracks in. The only slight disappointment has been that the source for the FMVs has been lost so AI enhanced upscales have been used, and also LAN play has been held back for topical reasons.

And now it’s finally here. From the intro cinematic both of these remastered games speak volumes about the effort that has gone into the game. Both the classic installation sequences were re-done as an intro FMV. These really helped to set the tone for the C&C games and it’s an incredible touch. The upscaled graphics and sound effects are very crisp and look outstanding on my QHD monitor.

Gameplay remains quite the same as the original games. I have been playing through the original Tiberian Dawn GDI missions which I have found quite challenging. They don’t code ’em like they used to. Some missions are straightforward build base and eliminate opponent but some take the form of almost a puzzle. I’ve had to do quite a few restarts due to catastrophic failures but I’ve never felt frustrated.

It’s 1995 again and we’re storming the beach. Did you remember your suncream and sandals this time?

The bonus gallery unlocks a new video each time a mission is completed. These are fascinating to watch as they show each actor directed by Joseph Kucan doing multiple takes to get the perfect cut. A lot of work went into the original game and it’s great to get a look at the archives.

My favourite part of the game is pressing the magic spacebar key. This switches the graphics between the upscaled assets and the original graphics. As a long time C&C fan I really love hitting the key as the action heats up. It really brings back the memories.

EA have also released the source code for the game DLLs on GitHub so we hopefully will see the mod scene for the game reinvigorated. Time will tell.

So overall a very pleasing release for C&C fans that I will be playing online for some time.