LastPass breach could've been stopped with a 3-year-old Plex update (androidpolice.com)
76 points by tech234a on March 5, 2023 | hide | past | favorite | 31 comments


The sole responsibility for this issue starts and ends with LastPass.

For a security focused company, there is no excuse for a threat model to not include insider threats, vulnerable software inside an employees network, and potential phishing of employee credentials.

If it wasn't going to happen through Plex, it would have happened through something else.

Them pivoting like this is such a bad faith attempt at pinning the blame on a company that did everything right with regards to security. They should own up, and not try and throw another company under the bus. Even naming Plex as part of the attack chain seems disingenuous at best.


Couldn't agree more. It's not like LastPass hasn't been hacked before.


The article really doesn't do anything of the sort, and honestly neither does the statement. LastPass acknowledged that the issue had been patched for "75" versions, and discussed how it wouldn't have mattered if they had practiced proper isolation.

edit: Or not, or with major qualifications. That quote was mislabeled in the article


One of the comments on the article points out that this comment may have actually been from Plex and mislabeled. PCMag credits Plex for the quote: https://www.pcmag.com/news/lastpass-employee-couldve-prevent...


Oh that's less great. "Reached out to inform...them" is absolutely rich


> a malicious party installed a keylogger onto a senior engineer's home computer through an exploit in Plex, the personal cloud service for movie storage and streaming, and was able to break into corporate-level caches as a result

> "For reference, the version that addressed this exploit was roughly 75 versions ago," a LastPass spokesperson said.

Irrelevant, what's relevant is how come LastPass employees can access sensitive customer information on their production from a personal laptop


also why would you ever _want_ to access work from a personal computer to begin with


Because you've a comfy desktop setup with more screens than the average laptop can support and multi-monitor KVM setups are tricky?

With enough 2FA and a thin-client approach to the user's machine it seems pretty safe. Even if an attacker gets passwords through a keylogger, the 2FA will detect and block attacks.


Especially if you work for such a juicy target. Shows incredibly bad judgement by everybody.


Yes, this is the problem. This is a decision Plex Inc. made when deciding their business risk appetite. If your company hasn't threat modeled working from home at this point, there is not much you can do to help. Due diligence and due care have failed you.


Beyond that, it would have been avoided if LastPass implemented strict policies about accessing corporate systems using a personal computer. You can't control 100% what happens on a corporate system, but allowing a personal device, which introduces a larger attack surface with all this software present, to access that kind of sensitive data with all the potential is highly irresponsible.

Sure, Plex had a security flaw, and the system owner didn't update its software in a timely manner, but ultimately the responsibility falls upon LastPass who allowed this system to access their network in the first place.

For a business that focuses and sells a product based upon good security practices, the optics are quite damaging for their reputation.


> But it turns out that the engineer had a big part to play in this major failure as well.

> "For reference, the version that addressed this exploit was roughly 75 versions ago," a LastPass spokesperson said.

Quite the game of blame deflection going on.

Whether or not the employee was running an outdated version of Plex or every bit of malware known to man on their personal computer has no bearing on the company's security breach. How was the attacker able to cross the corporate security boundary? Did the employee have access to company/customer data from their personal computer? Was this in breach of company policy, or is this generally allowed? If the former, why was this access not monitored and flagged? Answers to all of these are conveniently skipped in favor of "see it was an old version of Plex, case closed".


Never mind the unspoken secondary effects of someone running Plex on a machine, i.e. they're probably using it to watch pirated media, which they're probably acquiring using the same computer. I say this as someone that loves Plex. But yes, LastPass hired someone that's this careless, and they had a structure that allowed this carelessness. Utterly unjustifiable.


I'm not sure why you would inherently assume using Plex means they likely pirate their media. I have a home server running Plex where I store all the ripped Blu-ray disks, CDs, and other media I buy.

Does Plex really have that kind of reputation?


Yeah you’re probably in the minority if you use it only for legal content. Of course Plex is mainly used for pirated content.


Wow, I had no idea about that stereotype, that's a bit sad.


Right. We're going to blame the engineer for not updating every piece of software on earth they have installed when updates break stuff every other time, and when managing updates takes a full time job these days?

Give the man a break. The blame simply is on not practicing proper isolation and keeping work to a secure and controlled environment.


In fairness Plex does tell you when the server needs an update. It's orange on black on the header bar. I've yet to miss an update anyway. It takes seconds, haha

Maybe don't install crap on your dev machine if you're not going to keep it updated.

Blame a normal person? Nah. A senior engineer with keys to the castle? They should really know better.

> The blame simply is on not practicing proper isolation and keeping work to a secure and controlled environment.

Who is responsible for setting this up?


> Who is responsible for setting this up?

I'm only arguing against blaming "the act of missing an update on a personal device". That's nigh impossible to achieve across the board for all software we use.

I'm not arguing he's blameless. I agree that Plex is blameless. I also agree that LastPass needed a better threat model for privilege escalation/insider attacks.


Of course it's not possible!

That's why you chuck Plex on a NAS, an old workstation, at least wrap it up inside a virtual machine.

... at LEAST run it as its own user.

Not your dev machine for a security company!

I promise I don't usually buy into a scapegoat. This is a unique situation. Almost any other company and it's a forgivable mistake. Any other role it's a forgivable mistake. Hell, any other seniority and it's a forgivable mistake.

Bro you are responsible for all my passwords, could you give half a fuck about basic security?


> Maybe don't install crap on your dev machine if you're not going to keep it updated.

If only there was some way LastPass could ensure that crap wasn't installed on corporate-network-connected dev machines...


Part of the problem here is that Plex is included in so many different VMs, NAS images, SaaS offerings, etc., that it can be incredibly difficult and/or obscure to update it. I know I personally ran into issues with FreeNAS where once it was running I had no incentive to update. That shouldn't be how these offerings work. They should be encouraging updates.


> I had no incentive to update.

Does it not yell at you every time you open it?


Lots of Plex servers probably just running on NAS without anyone actively using them.


How does one figure out if any of their home systems is affected? I have 5 Linux installations (dev machines, router, NAS, RPi, etc.), multiple Docker instances, a couple of Windows machines and half a dozen phones and tablets at home.

What’s the best tool to find out if any of them is hacked?


Assume it will be hacked. Assume the bad guy is just sitting there patiently waiting for you to fuck up. Assume it has been hacked.

Even if you are perfect, and you won't ever be, some dumb little thing can come up like Docker bypassing your firewall entirely and baring your database's passwordless arse to the internet[1]. Or like in this case you'll have forgotten to update Plex for 3 years.

[1] https://blog.newsblur.com/2021/06/28/story-of-a-hacking/

Protect the data as well as the machines. Isolate everything that can be the best way it can be. Pull your backups rather than push. Don't leave sensitive data around if it doesn't need to be there. Encrypt data at rest where possible. Don't allow HTTP access to directories named .git if you're in web hosting - of course don't store a repo in the served web directory, but know someone is going to do it anyway. Pre-emptively disarm any footguns you come across. Label them at least.

The best tool is experience, but I'd at least have some monitoring too. I use Zabbix myself because it was the first monitoring tool I used, but you can use whatever you fancy. This is not an install-and-sorted application; you need to learn how to use and configure it too.

Sorry, as I type this I realise I definitely don't know my knowledge well enough, as I'm having trouble simplifying it into a HN comment. This is a too-close-to-20-year career and counting, in fairness, haha.

Learn how to be the bad guy. Guard against your skills. Improve your skills. Repeat.

Stuff like running through hackthissite.org might be a decent place to get started on offence-based defence.


You’re asking for help working out if you’ve got a virus? Come on, man.


What's wrong with asking for info on what others are using? That's how you learn stuff. Overconfidence is how they get you.


My question is: are these recent hacks purely the result of incompetence, or is it also because LastPass is targeted more often by hackers due to its popularity?


It looks pretty stupid but I’m afraid a lot of companies are vulnerable to exactly the same problem.


Laaaaaazy!
