Security Now 256

From The Official TWiT Wiki

Security Now 256: LastPass

News & Errata

4:42 - 5:27

  • Microsoft shipped an out-of-cycle update for 64-bit Windows last week

5:28 - 10:04

  • Versions of Google Chrome prior to v5.0.375.86 have multiple security vulnerabilities

10:05 - 12:25

  • Adobe is disabling, by default, the ability to launch executables via Adobe Reader and has a blacklist of programs that can't be launched via Reader, even if this option is enabled
  • However, they didn't do it properly and a hacker just needs to put the program name in "quotes" to bypass the blacklist
  • Here is a workaround for this bug

12:26 - 14:14

  • Microsoft has detected that more than 10,000 PCs have been infected through the Windows Help function zero-day security flaw
  • This flaw will be fixed on Tuesday 13th July 2010

14:15 - 19:53

  • Last week Comodo put out a press release asking Qualys to qualify its statement that "22 million SSL servers with certificates that are completely invalid because they do not match the domain name on which they reside, meaning about only 3% of SSL certs in use are actually valid"

19:54 - 25:31

  • If a plugin becomes unresponsive in Firefox, it will allow you to just refresh the tab and not have to reset the whole browser
  • Initially Firefox would wait 10 seconds before deciding a plugin had become unresponsive but "Farmville" frequently makes Firefox hang for more than 10 seconds and so it was not working for many Firefox users
  • So Firefox has changed the timeout period to 45 seconds

25:32 - 25:57

  • IBM has formally switched to Firefox

25:58 - 29:01

  • YouTube had a cross-site scripting vulnerability in their comments submission that was exploited recently
  • Google has now fixed this vulnerability

29:02 - 31:07

  • The Indian government has demanded that Skype, RIM (Blackberry) and Google give them the ability to decrypt their users' content as an anti-terrorism measure
  • RIM cannot do this as their software only allows the end user to decrypt their own content

31:08 - 32:59

  • Google is expanding their suspicious login location technology
  • It will now work on all their web based services

33:00 - 40:44

  • There were some news stories claiming that Skype's encryption has been cracked
  • This is NOT true
  • Shaun O'Neil (not thought to be his real name) has claimed that he has reverse engineered Skype's encryption
  • He has reverse engineered some pieces of what Skype is doing that Skype had previously kept proprietary
  • Skype uses the RC4 cipher which when used correctly is extremely secure
  • Skype is using RC4 properly but hadn't published details of the keys and initialisation vectors in order to prevent people from creating knock off Skype clients
  • This is now known as it was reverse engineered by Shaun

40:45 - 43:23

  • Steve and Leo discuss creating a better version of Skype
  • You could have a perfect recording of a conversation by having another channel in the background which makes up for lost packets
  • The live stream would still have drop outs but at the end of the recording the second channel would produce a perfect recording of the conversation for playback later

43:24 - 47:21

  • All Starbucks in the USA now have free wifi
  • This makes it a perfect place for a hacker to sit and sniff packets
  • The Windows Firewall allows local file sharing on the LAN, which is convenient for home networks but a major problem when you're using open wifi

Spinrite Story

47:22 - 49:50 Paul Bye (Rochester, Minneapolis)

Spinrite recovered data from a broken hard drive and fixed a hard drive in a TiVo

User questions

1:34:40 - 1:34:54

Leo and Steve mention an iPhone calculator app called "42" which they love. (Surely named for the HP42, not Hitchhiker's Guide.) Which app were they talking about? Searches on iTunes give multiple answers. I am guessing it is "PCalc RPN calculator by TLA Systems". Yes?


52:28 - 01:53:00

The Problem

  • Since the early UNIX days usernames and passwords have been used to provide security
  • Assuming a system is secure and password based then the one vulnerability is guessing a password
  • Passwords need to be 'gibberish' and long
  • E.g. 'a' is not a good password as it is easy to guess with a dictionary or brute force attack
  • 'aa' is still not a good password as there are only 26^2 (676) possible 2 letter passwords which can easily be tried in a short amount of time with a brute force attack
  • The longer your password is the stronger it is
  • a-z, A-Z, 0-9 and +,- gives us 64 possible characters to use in a password, and each character gives us 6 bits of password strength as 64 is the same as 2^6
  • As you add 1 more character to the password each time you get 64 TIMES (x) more strength

The Solution

  • So the problem is you want a long, gibberish password but you don't want to use the same one all the time
  • This means you need many long, gibberish passwords that are hard to remember
  • What you want is a way to securely manage these passwords and this is what LastPass provides
  • It has plugins for many browsers to make it easy to use
  • It also works on many mobile devices
  • It also can generate bookmarklets which work in any browser
  • LastPass can also automatically fill in forms for you and it has a secure vault where you can store notes

Is LastPass Secure?

  • All the encryption is done locally on your own computer
  • No one but you ever gets the key to decrypt your data and the creators have gone to great lengths to ensure this
  • When you log in, your email address and password are joined together, although your email address is sanitized slightly by being converted to lower case and having whitespace removed
  • A hash is then taken of this string using SHA 256
  • This is now your cryptographic key that your system uses to encrypt and decrypt your data
  • All the data held by LastPass is encrypted
  • To identify yourself to LastPass, your password is added to the previous hash (the one obtained by hashing your email address and password) and this string is then hashed
  • This hash is your unique ID
  • Then you send your unique ID and username to LastPass to identify you and since this contains your password hashed into it twice, no one can produce this key but you
  • So LastPass never gets your cryptographic key
  • They never even save your unique ID on their servers
  • Instead when you create your account they create a unique 256 bit token to save with your account
  • Then when you log in, they take your unique ID, add it to the unique 256 bit token and hash it; the result is used to find your data
  • LastPass also frequently backs up their database
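
The hash chain described in the list above, written out as an added Python example (not LastPass's own code). The concatenation order, UTF-8 encoding, hex encoding of the intermediate hashes and the `Server` class are assumptions made for illustration; the notes only say the values are "joined" or "added" and then hashed.

```python
import hashlib
import hmac
import secrets


def sha256_hex(text):
    """SHA-256 of a string, hex encoded (the encoding is an assumption)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def sanitize_email(email):
    # Lower-case the address and remove all whitespace, as the notes describe.
    return "".join(email.split()).lower()


def client_derive(email, password):
    """Runs on the user's machine. Returns (vault_key, login_id).

    vault_key encrypts and decrypts the vault and never leaves the client;
    login_id is the "unique ID" that is sent to the service.
    """
    vault_key = sha256_hex(sanitize_email(email) + password)
    login_id = sha256_hex(vault_key + password)  # password hashed in twice
    return vault_key, login_id


class Server:
    """Hypothetical server side: keeps a random token and a lookup hash only."""

    def __init__(self):
        self.accounts = {}  # sanitized email -> (token, lookup hash)

    def register(self, email, login_id):
        token = secrets.token_hex(32)  # unique 256 bit token per account
        lookup = sha256_hex(login_id + token)
        self.accounts[sanitize_email(email)] = (token, lookup)

    def login(self, email, login_id):
        record = self.accounts.get(sanitize_email(email))
        if record is None:
            return False
        token, lookup = record
        # Constant-time comparison of the recomputed lookup hash.
        return hmac.compare_digest(lookup, sha256_hex(login_id + token))
```

Neither the vault key nor the login ID is stored by this `Server`: a copy of `accounts` holds only the random token and a hash that includes it.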

This is great but what if LastPass goes away?

  • They have a stand alone executable called 'LastPass Pocket' which is a personal database decrypter
  • You can export your database in encrypted form and use this program to decrypt the data
  • You can export your database in plain text into a CSV file
  • Plugins also keep a local copy of this data, and all plugins can export your data

LastPass' additional comments here:

  • You don't need Pocket as the extensions for IE, Firefox, Chrome, Safari and every mobile application keep an up to date copy locally which you always have access to even offline
  • You can export your data back into IE or Firefox with the plugins

  • Steve recommends using 10 character passwords containing upper and lowercase letters and digits
  • This is 5.94 binary bits of equivalent strength per character
  • 5.94 * 10 = 59.4 equivalent bits of binary strength
  • 2^59.4 = 7.6 X 10^17 possible combinations of passwords

  • LastPass is free except for some mobile applications
  • LastPass does reserve the right to display ads, although they currently do not
  • There is a premium version for $12 a year

  • Logging into LastPass is made safe as they support:
    • "The Grid" which is a grid of random letters and numbers which you have to then provide samples from to login
    • You can kill your grid and generate a new one at any time
  • You can also kill any bookmarklets you create
    • You can generate your own one time passwords through the web interface and print them out
    • They also support multiple YubiKeys
  • You can also set up when you want to authenticate with LastPass
  • A premium feature is something called 'Sesame'
    • This is a software one time password generator which you download

  • You can import data from nearly every other password manager
  • Even if they were told by a court to provide a copy of your database it would be encrypted and unreadable by anyone without the key which only you have


Go To Assist

Production Information

  • Edited by: Erik
  • Notes: