While some feel the most important news of the week was the release of the "Twitter Files" by Elon Musk, for those of us in the security industry, it was the news of another Lastpass data breach.
Lastpass is a password manager published by the company LogMeIn and used by more than 33 million people. Arguably, it's the most popular password manager that is not a feature of an operating system or web browser. This August, the company announced it had been breached after attackers compromised a developer account.
It appears the company failed to entirely mitigate the attack as the current breach seems to be the result of a persistence mechanism installed during the previous breach.
I use Lastpass as my password manager. I like the tool so much that I pay for it.
I’ve been asked my opinion several times over the past week and well…
I use LastPass because I tried all the rest. I had previously used the service until LogMeIn initiated its fee structure. “I’m not paying for a password manager” was my thought. There are so many other options, paying for such a simple tool seemed stupid. After jumping from tool to tool for a bit I came right back to where I started, with my credit card in hand, and happily paid the four-dollar-per-month fee for a family subscription.
As of now, I’m staying with Lastpass as my password manager. I’m not pleased with their poor performance, but I’ll offer some grace.
By the grace of God go I. In today’s security climate, no person nor company is immune from a security incident that lands them on the front pages. This is no time for hubris.
Where am I going to go? The other services are targets also and probably have just as much of a chance of losing my data as Lastpass does – again.
The company claims no customer data is compromised since it is stored encrypted on their servers and can only be decrypted on the user’s device.
Hopefully.
Caller ID - It’s just a hint
Scam victims who are technology deficient will cling to Caller ID displays on their cellphones like it’s a late ‘90s AT&T cordless. Having no idea about VoIP calling or number spoofing, they see those numbers as gospel.
International law enforcement from ten different countries collaborated to take down a crimeware-as-a-service system known as “ispoof” that allowed criminals to target anyone in the world through spoofed calling numbers.
This Naked Security article does an excellent job not only detailing the arrests but also explaining how call spoofing works and its history. They also provide some useful tips to avoid becoming a victim of a spoof. Number 1 being: Caller ID is nothing more than a hint, not a confirmation of who is calling you.
NO DAMN CONTROLS!!!!
We have two stories this week where non-profit community organizations were victimized by one of their board officers. I want to scream out “where are the damn controls?”, but I’ve been involved in so many of these investigations that I know the reality. There are no controls.
First is a woman who has been arrested for stealing 10K from a local high school band booster organization. Well, actually, she stole 14K but has possibly paid back four thousand of it.
Second, and most devastating, is the treasurer of a volunteer fire department who pocketed $355K over a four-year period. Good Grief! Almost four hundred thousand dollars and no one caught it for four years???
Does crime pay?
The FBI and CISA released a joint advisory providing technical details on the Cuba ransomware group. Although the release was intended to highlight the group’s tactics, techniques, and procedures (TTPs) and provide security teams a list of indicators of compromise (IOCs), the real nugget was the inclusion of their known bitcoin wallets. An analysis of the wallets revealed the group has brought in over sixty (60) million dollars in ransom payments. Ransomware isn’t going away anytime soon.
https://www.cisa.gov/uscert/ncas/alerts/aa22-335a
Virtual currency is for the kids
At one point my kids would have much rather had V-Bucks than cash. V-Bucks is the virtual currency used within the online gaming world of Fortnite. However, they are not virtual currency natives and that desire changed when they realized V-Bucks wouldn’t put gas in the car or buy them Taco Bell.
This Wall Street Journal article details the popularity of the Roblox gaming system and Robux, the digital currency that fuels it. And these kids don’t understand anything but virtual money.
Don’t dismiss this, as soon you will be policing these virtual worlds.
The Rest…
Darknet markets generate millions of dollars selling your data. https://theconversation.com/darknet-markets-generate-millions-in-revenue-selling-stolen-personal-data-supply-chain-study-finds-193506
Prolific business email compromise (BEC) group named “Lilac Wolverine” is hammering U.S. businesses says Abnormal Security. https://therecord.media/nigeria-based-group-lilac-wolverine-using-covid-19-emotional-lures-in-bec-scams/
Could this be Nebraska’s largest bank fraud ever? https://nebraskaexaminer.com/2022/12/02/state-investigating-what-could-be-nebraskas-largest-bank-fraud/
Cool Job
*Internship* - OSINT. Proofpoint. https://proofpoint.wd5.myworkdayjobs.com/en-US/ProofpointCareers/details/OSINT-Part-Time-Intern---Undergrad_R8452?q=threat
Senior Fraud Investigator - Republic Bank. https://recruiting.ultipro.com/REP1012REPFB/JobBoard/7e033ecd-92de-4c57-91ba-ab4886be1628/OpportunityDetail?opportunityId=e3569dcc-6b56-403b-81be-e512a88b94a6
Cool Tool
100% free online tools - for just about everything. https://toolsocean.com/
Irrelevant
Apophenia - The tendency to perceive meaningful connections between unrelated things and has also come to describe a human propensity to unreasonably seek patterns in random information, such as can occur while gambling. https://en.wikipedia.org/wiki/Apophenia
Thanks for opening this week’s issue. Welcome new subscribers! I appreciate your willingness to give me a few minutes of time each week.
Matt
“CONFLICT CANNOT SURVIVE WITHOUT YOUR PARTICIPATION.” - someone better at conflict than me.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinion and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.