43 comments

[ 2.6 ms ] story [ 86.2 ms ] thread
It states in the article that among other things, Autho and LastPass credentials were stolen. I’m a 1Password user so am not familiar with those password managers. Don’t they encrypt the credentials making theft of the data useless? Or am I missing something?
Not sure, but reading that I was assuming that the malware was able to intercept the master password for these services. So the attackers could log into those accounts.
Ah ok yeah that makes perfect sense - if it was keylogging then all bets were off.
SAASPASS is a password manager that unlocks on the desktop only with multi-factor authentication. There is no master password to be stolen.
Multi-factor means more than one factor.

Something you have + something you know are multiple factors.

There should still be a password. If there isn't, then it's single factor auth.

Also, SAASPASS looks really interesting. Thanks for sharing. Going to take a much deeper look into this now.

EDIT: Nope, change of plans. The account recovery flow depends on SMS, which isn't safe given how easy SIM-jacking is: https://saaspass.com/how-to-recover-saaspass-id-account/

Ideally when you have a less capable device-based solution to "Something you have" like a FIDO token you want the user to enter their password (a "Something you know" factor) into that device, not the general purpose computer.

So now the password isn't in the computer at all and can't be stolen from it.

For example to sign into the web site for my bank account I need to enter a PIN into a chiclet keypad device they gave me, it spits out a one-time code and I type that into the web site. You can't steal the PIN from my PC, even if you have some kind of super zero day exploit and co-operation from the OS vendor, because the PIN gets typed into a separate device that doesn't even have a USB connector. You might as well try to use the PC to steal cash out of my wallet.

Actually not. There is account recovery options that include a separate custom question and answer (password let’s say), and also the option of cloning it from another device as well. Those two different methods mitigate against SIM jacking.
See this link from today: https://news.ycombinator.com/item?id=22016212

The parent's whole point was that this service doesn't have a master password. Nope, instead it has a 4 digit PIN and SMS as it's base flow, with security as an optional extra.

A password manager shouldn't need to be caveated to be recommended. It's too important for that.

No password managers really help in this scenario, as the attackers have access to the machine the client runs on. Any malware will simply wait untill you unlock it, and then siphon out any credentials.
True in that case as that has nothing to do with the password manager. Any password that you would type in manually is also vulnerable.
So what you're saying is, they need 2FA for their 2FA
You can also probably extract everything from memory if the password manager is unlocked, I'd guess.
1Password automatically locks after some predetermined amount of time - wonder if those other two do as well. I guess it doesn’t really matter, though, if the malware is smart enough to be reading mem it’s probably smart enough to just wait until the db is unlocked to copy.
> 1Password automatically locks after some predetermined amount of time

only if enabled. Just like any password manager out there.

for what it's worth, it's enabled by default to 10 minutes.
If your pc is in any way compromised, and no 2fa is enabled (and the 2fa device is not compromised as well), you must assume everything is or has been available to the evil actor. Sometimes, its a drive-by download or a dropper malware that will install other virii. You will never really know what went in or out your pc...
Auth0 isn't a password manager. It's an authorization platform. If they stole Auth0 API secret keys and/or saved logins to the Auth0 management portal, they'd have access to other users' accounts but not passwords.
Can anyone please explain to me how all this ransomwares work? Ok, they send infected email, some worker opens it and what next? How did it manages to encrypt every other computers on the network? Isn't it should have root/admin privieleges to do such thing? And why is it so hard to prevent? I would really appreciate any answers.
You get a much bigger ransom for encrypting the list of customers who haven't paid yet, which is critical for the company to stay in business, than by encrypting the OS and software that could just be reinstalled. [1]

And if the company has everyone save their work on a shared network drive that lots of users have write access to, you don't even need to spread to other computers.

Plus of course, there are the classic means of spreading within a network - scan machines on the network for vulnerabilities, infect anything executable on shared drives, phishing e-mails that genuinely come from another employee's computer, keylog or brute force an admin password....

[1] https://xkcd.com/1200/

The gist of it is gathering credentials from the initialy compromised machines, and using them to access other computers on the network. A lot of this is possible because of the way Windows handles authentication between computers. Mimikatz is a tool that really made this method of lateral movement much easier for attackers, and Microsoft has been slow to adapt defences. Over time the attackers will eventually gather some admin credentials, and then it is really game over.

It is hard to defend against, unless you want a system that constantly prompts you for your password everytime you want to do something. Frequent password prompts is not really good for security either. Current mitigations really just slow down the attacks and gives you time to respond. If they are left alone they will manage to gather credentials over time.

https://github.com/gentilkiwi/mimikatz https://www.sans.org/reading-room/whitepapers/detection/mimi...

The "mimikatz" problem (aka memory protections on the lsass.exe process) has basically been solved by Microsoft, they call it "Credential Guard". It works by doing some trusted boot stuff and using the hyper-v hypervisor to protect certain regions of memory from even the OS itself.

It's pretty complicated and requires server 2016 or windows 10. More info here - https://docs.microsoft.com/en-us/windows/security/identity-p...

@mox1: ‘The "mimikatz" problem (aka memory protections on the lsass.exe process) has basically been solved by Microsoft, they call it "Credential Guard". It works by doing some trusted boot stuff and using the hyper-v hypervisor to protect certain regions of memory from even the OS itself.’

How about running the OS in a Virtual Machine, that evaporates on exit and you get a new clean image on each invocation.

“All the King's horses and all the King's men couldn't put Humpty together again”

> Isn't it should have root/admin privieleges to do such thing?

There are a lot of networks out there with fileshares configured far more permissively than they should be. Additionally, if the malware infects a machine that has cached domain admin credentials stored on it, it can use those to authenticate to the rest of the network and own the entire domain.

Yes, if best practice is followed, these tactics wouldn't work. Best practice is not always followed.

Some of them are probably fully automated, at least the process of the ransomware trying to grab any locally available credentials to touch as many servers as it can. These are probably the smaller dollar value attacks.

It sounds like this attack was by a more sophisticated group that compromised some initial system in that way, and then somebody actually went in to explore and determine how to spread the compromise around further. It seems to be difficult indeed even for large and sophisticated companies to defend against these types of attacks. Since somebody, or a team of people, has to do most of the compromising manually, they naturally demand higher ransoms.

I think this article just convinced me to get a Yubikey...
I attempted to use a Yubikey with GitHub, but when I tried to enable it, Windows gave me an on-screen "soft" 2F dialog instead of making any use of the device at all.

Seems related to something called "Hello"? Either way, I haven't found a way to disable it. Caveat emptor.

With which browser?
This was a while ago, so I don't quite remember. Either Chrome or Firefox.
Because GitHub obeys the part of the spec. which says sites need to allow multiple credentials, you should still be able to get where you're going (I haven't seen this "Hello" pathway) via a circuitous route.

1. Let the Hello stuff happen, GitHub will propose that you name it, why not "Hello".

2. Tell GitHub you want to enroll another token. The system will automatically disregard "Hello" because that was already enrolled, so this time it will enroll your Yubikey or whatever other tokens.

3. (Optionally, if you don't want "Hello" e.g. because it isn't your Windows PC you just borrowed it) Tell GitHub you want to remove "Hello".

Go for it. They're inexpensive, handy, and easy to set up and use. I currently use it for everything from logging in to my laptop and using sudo (via PAM) to SSH (gpg-agent) to logging in to GitHub and other sites (via U2F).
I'm still very confused as to how the hell they work. Do sites need to explicitly support them? Can I just use it for 1Password?

Also I am a bit of a scatterbrains so prone to losing things. What do I do if I lose my YubiKey, are there recovery options?

Do you use it in addition to an authenticator app or instead of? I am really confused as to the advantages it gives.

> Do sites need to explicitly support them?

The web site will need to support FIDO U2F, yes.

> Can I just use it for 1Password?

I've not used 1Password, so I don't know. The Yubico site should be able to tell you if a given thing is compatible.

> What do I do if I lose my YubiKey, are there recovery options?

Nope. Get two of them.

> Do you use it in addition to an authenticator app or instead of?

Sort of both. So if a site supports the use of an authenticator app but not FIDO U2F, I use the Yubico authenticator app. When opened, it stays locked until my Yubikey is tapped against my phone.

This is a common story with breaches, you often don’t find out about it till they’ve finished with you. It’s pretty scary. If you don’t have someone good who’s attention is on this then you’re open to being blindsided.
Ransomware - one of the last steps in a breach.
https://krebsonsecurity.com/tag/vcpi/

“In mid-November 2019, Wisconsin-based Virtual Care Provider Inc. (VCPI) was hit by the Ryuk ransomware strain.”

In 2020, this is not acceptable in terms of “computer” security, where opening an email attachment or clicking on a malicous link can totally compromise your business. The planets chief software architect has a lot to answer for.

Having everyone use iOS is an option.
Most of these tools exploit Windows. I never hear of any wholesale ransomeware attacks on companies with pure MacOS and/or Linux desktops (yes I know there are occasional individual apps that are malware but not ransomware).
How many of those companies are there?
> Moral of the story: Companies that experience a ransomware attack — or for that matter any type of equally invasive malware infestation — should assume that all credentials stored anywhere on the local network (including those saved inside Web browsers and password managers) are compromised and need to be changed.