The LastPass Breach: 3 Steps You Need to Take Immediately
There are a lot of opinions floating around about the most recent LastPass breach. But before you read those, do these three things right now, and thank us later.
- Resilience Cybersecurity & Data Privacy
- 10 Easy Ways to Immediately Boost Your Online Security – Resilience Cybersecurity & Data Privacy
- 8 Useful Small Business Cybersecurity Tips You Need to Know – Resilience Cybersecurity & Data Privacy
- LastPass Announcements (August 25, 2022, September 15, 2022, November 30, 2022, and December 22, 2022)
- LastPass confirms attackers stole some source code – The Verge (August 26, 2022)
- LastPass’ latest data breach exposed some customer information – The Verge (November 30, 2022)
- LastPass reveals another security breach – engadget (December 1, 2022)
- LastPass Security Breach – Schneier on Security (December 2, 2022 + Comments)
- LastPass got hacked again, and this time it affects customers – PC World (December 22, 2022)
- Hackers stole encrypted LastPass password vaults, and we’re just now hearing about it – The Verge (December 22, 2022)
- What’s in a PR statement: LastPass breach explained – Almost Secure blog (December 26, 2022)
- The LastPass disclosure of leaked password vaults is being torn apart by security experts – The Verge (December 28, 2022)
- Not in a million years: It can take far less to crack a LastPass password – 1Password Security Blog
- LostPass: after the LastPass hack, here’s what you need to know – Graham Cluley
- Why we all Need a Password Manager – Imperva
- 5 Password Manager Perks You Might Not Be Using – WIRED
Brian: Welcome and thank you for joining us here at the Fearless Paranoia podcast where we seek to demystify the complex world of cybersecurity. I am Brian, the cybersecurity attorney.
Ryan: And I’m Ryan, and I’m a cybersecurity architect.
Brian: And we are here to help everybody out try to understand what’s going on in cybersecurity today. We’re going to be talking about something that has been in the news. But if you’re not in cybersecurity, or big into tech, it may not have gotten your attention. And it relates to events concerning the password manager LastPass. Now, I’m not going to speak for Ryan here. But when I say regardless of what is said or discussed in this episode, I am a huge, huge supporter of and proponent of password managers, I think that there’s literally no comparison to the security that they give. And it actually, in my opinion, is one of the rare cybersecurity advancements that not only increases your security, but also increases convenience. Ryan, do you have any word on that as well?
Ryan: No, I couldn’t agree more, I think one of the biggest tragedies that will end up coming out of what happened to LastPass is that there’s going to be people that are just going to say, See, I told you so, you shouldn’t have put all your stuff, all your eggs in one basket, all your passwords in one spot, this is what happens, this is what you get. And they’re gonna go back to writing down their stuff in a physical notebook at their desk, waiting to have coffee spilled on it or waiting to be picked up or waiting for something worse to happen. Password managers are a phenomenal tool. Yes, it does come with potential risks, just like everything else does in the cybersecurity space. But this really, and we’ll get into this later in the conversation, this really was not a worst-case scenario. But it was starting to kind of inch heavily in that direction. And it wasn’t because of password managers, the concept behind them or their general use, it came down to bad practices by the producer of the specific password manager. Outside of that, I would say that absolutely, please work towards password and identity best practices, please use a password manager and produce good strong passwords. And hopefully you run into better luck than any of those with LastPass.
Brian: And one other important thing to bear in mind, we’re gonna be talking here a little bit about the breach and the timeline of events. And there’s a lot of editorial discussion about what happened, why LastPass made some of the decisions they made and how it made this a really bad breach, we’re not going to be focusing on that with maybe a narrow exception later on in the episode. We’re focusing on what you need to do following the breach and what kind of things that breach exposed and how you can make sure you’re protected, not just if you’re a LastPass user. But specifically, if you are a LastPass user, you really need to be paying attention to this stuff. But what I will do is I will include some links in the resources on the Fearless Paranoia website that can take you to some discussions about some editorial analysis. But the first thing I want to do is talk about the timeline of events here. And I want to talk about three essential dates here. The first one is in August of 2022. This is when we found out about a breach from LastPass. And the public announcements at the time were very clear, there was source code from LastPass that was accessed. But, and this is key, no customer data was taken, right. Fast forward to December 1, 2022. We then receive subsequent information from LastPass that some customer data may have been accessed, but really nothing more than that. Then fast forward to December 22, 2022, also known as one of those dates where no one’s left in the IT department, but LastPass, on their own way out the door to their own holiday celebrations, released what was a stunner of an announcement. So yes, customer data had been taken in what they call the second breach. And that data included full backups of all of the vaults in the LastPass system. But don’t worry, they haven’t broken the encryption. Ryan, walk us through what we now know, or at least what we think we know happened in these three announcements that LastPass made.
Ryan: Absolutely. So what this really stems down to is the fact that incident response is a tough thing to do. There’s no like push button that just kind of says hey, where is everything that’s impacted and where all have they been. And so it takes a lot of time to really kind of dig out all of these different persistence points and different activities that occur on the network. And so incident response is usually a labor of a serious period of time. So when the first date that you mentioned, the end of summer last year, occurred, that’s most likely when the first actual notices of an intrusion were picked up by somebody or some system or something. At some point, somebody made a mistake and moved loudly inside the network. At some point, they probably started having their activity discovered and isolated as well. But at that point, again, you’re usually steps behind the threat actor, at that point they’re already starting to target the things that they’re after and look for opportunity to get at that data or get at those systems. Real quick, just to talk about incident response in general. Incident response is an interesting beast all on its own. So when you first identify an incident occurring at a business, a lot of businesses, especially when you get to be the size of a company like LastPass, there’s a lot of moving pieces in businesses nowadays. And so the threat actors have gotten really good at this type of lateral movement and persistence and driving into those areas. And they know what they want as well. And PII, customer data, is a huge target, because it opens up a lot of opportunities for them both to monetize the data directly, or to use it to pivot into other things. Source code is obviously a big one. Source code is great, because you can sometimes sell it, you can sometimes use it, look for new opportunities, new zero days, new ways to fork the software, and maybe make money by producing a competitor. I mean, there’s a variety of different things.
And so there’s no doubt that there was for sure persistence, probably laid during the late summer months, early autumn. And as the incident response activities were continuing to go on at LastPass, they did their initial reporting as required by numerous different regulatory agencies. And that’s probably what they knew at the time. Over time, they probably started digging in heavier and following the tracks of these threat actors through their system and eventually came across access into these backup systems. I think there’s gonna be a lot of speculation in this space until Incident Response documentation comes out or until an actual statement comes out, stating exactly what happened. It’s all gonna be a little bit speculative.
Brian: You know, it’s interesting that you just mentioned the lateral movement, and I think I’ve read some of that, that there’s a lot of suspicion that’s what happened here. I would encourage our listeners to actually go back and listen to our episode discussing the Uber breach, where the hacker didn’t take anything and decided to talk to the media. And the result is that we have this great blueprint for how a hacker would gain access to these systems by moving laterally. In that particular case, he literally convinced someone on Uber’s Slack messenger program to allow user authentication. And there’s evidence that that’s basically what happened here, is that the access to the vaults only became successful when, through a lateral movement, they gained the authorization. And it was that second part, whether it’s a second breach, or 1(a), or second part of the first breach, is when they took what really got everyone’s attention here, the backups of the vaults.
Ryan: There were a couple things apparently, you know, again, if source code is stolen, that affects the company, that affects the software and to some extent the users. But it depends on how that’s used, whether or not it has user level impact. If a user’s personal data is stolen, that now has direct user level impact, obviously, something as important as the actual vaults that we go to them to protect. So we expect them to be the experts in the field and to be good stewards of that data. And so we hand it to them, hopefully, also knowing that if that data is to be stored somewhere, that data would be protected the way that it should be. And it was, to some limited extent, pieces of it.
Brian: We’re gonna get to that here in just a second. But the crux of this is that these hackers, through what was obviously a long thought out and long planned system of penetration, persistence, and theft, the holy grail of LastPass’s data is these vaults. So we’re gonna shift into our discussion of what you need to do. Now, this is primarily intended for subscribers of LastPass, three things that you absolutely need to do, but it actually is helpful to anyone with a password manager, because this type of response could apply if a hacker got really any access to your personal website use data. So we’re going to talk about three things that need to be done: first, change all your passwords; two, you have to be much more aware of a heightened social engineering and phishing risk that you are now at; and three, we all need to be very, very reluctant to engage in blaming the victim in this particular case. We’ll get into what that means when we get to the topic. So I just want to start with changing all your passwords. So Ryan, what was taken was a backup password vault, what did they actually get, the hackers?
Ryan: Most everything. I mean, whatever you have stored inside your vault. So this would be your passwords, essentially, credit card information, other identities, saved notes, bookmarks.
Brian: You’re listening to the Fearless Paranoia podcast. For more information on keeping yourself, your family and your company protected against cyber threats, check out the Resilience Cybersecurity and Data Privacy blog. If you’re enjoying this podcast, please like and subscribe using any of your favorite podcast platforms. Also, please share this podcast with anyone you think would find it helpful or useful. We rely on listeners like you to help get the word out about this show, and we appreciate the support. Now, time for some more cybersecurity…
Brian: Importantly here, they did not hack or get access to the encryption. They operate in what’s called a zero knowledge model, which, quite frankly, if they had anyone outside of tech give a piece of advice on whether they want to be called the zero-knowledge company, they may have rethought that. It was a play on zero trust, but they claim to have zero knowledge of your Master Password, which is true, they don’t have it. So that’s important to note: whatever was encrypted in your vault is still encrypted unless they’ve cracked the encryption or get your Master Password. But that’s where the other shoe drops now, right?
Ryan: Yeah, absolutely right. So the problem now is, what’s beautiful with a password manager like LastPass, where they allow seamless access between devices, that means that at some point in time, they have to have a copy of all of that to be able to offer that up as a service. Some password managers are solely offline, but they’re not as usable. That’s what made LastPass really great. But that same piece that made LastPass really great meant that they had to keep a copy of that data. And that’s what ultimately did this in here, was they use a cloud storage house to house that data in its, well, encrypted-ish format.
Brian: I gotta stop you there. Because I think that this is what caught most people, including every single IT person who I’ve seen or heard from or read about this breach, none of them were aware of the “ish” part. What does it mean that information was encrypted-ish?
Ryan: I think that term’s just really fun and current, but outside of the tangents we’d go off on, encrypted-ish, when we get to talking about LastPass, means that vault information is encrypted. What LastPass did, though, is they made what we in the business world would call an executive decision somewhere along the way to only encrypt what they deemed was probably the most important data, and again, that’s a little bit of an assumption. So I will put the disclaimer there. We don’t have the minutes of the meeting where they made that decision. Yeah, so they made the decision most likely balancing security versus usability; the more you can limit that decrypting and re-encrypting of that data over and over again, the faster that connection occurs. But in this case, when your whole purpose behind your tool is security, there should be no balance. If it’s slightly unusable, then that’s what you get for using a fully encrypted cloud-based vault password manager. And that’s, I think, a trade off that most people would be fine accepting. But in this case, LastPass made the decision for us and never really said, you know, that we’re only encrypting what we deem is the good stuff. They just kind of said, Yeah, our stuff’s encrypted. And that was the stance. And so I think that people made an assumption, which was obviously wrong, that everything was, like some of the others are. Like there’s an open source tool out there right now, a competitor of LastPass, that is one that a lot of people are flocking to, but they actively tell you, we encrypt every single field, this is not cloud offered. So there’s no copy of this anywhere except the copy that you have. They follow those same practices that LastPass just kind of strayed away from for some reason. But I would imagine it was most likely a balanced decision. And obviously, it’s one that’s coming back to bite them, and even harder a lot of their customers.
Because to your point, all the encrypted-ish data in there is all the stuff that we have to worry about being a problem, maybe months, years from now, as some of those vaults start to get cracked.
Brian: That’s the reason why we’re talking about the first one, to change your passwords, is that the bottom line is that these vault backups they have are still encrypted, but they’re only encrypted until the people who have them are able to break past the encryption. Changing your Master Password is not going to affect what was in those vaults. They have them as of the date they were taken. Therefore, you can’t do anything about what’s in there. So first and foremost, prevent there being an issue with them eventually cracking whatever your Master Password was by changing them all.
Ryan: And even before you go change all the rest of it, change the master password first, then go change all the rest of them. The main reason being, if, say, they decide that Brian, you’re a LastPass user and your password vault is really impressive to us, because we need to take over FearlessParanoia.com, because it’s a great website. And we use a browser, it’s
Brian: And all seven people who have seen it, but yeah, they’ll be upset.
Ryan: And so they come tearing after your account. Well, as soon as they do crack your account, not only do they have all your other passwords, but if you haven’t changed your Master Password, that means they’re just logging into your LastPass account right behind all the new passwords that you’re resetting.
Brian: What a gift that would be to give to the hackers.
Ryan: Yeah, if you secure that one first, even if they crack that later, at least they can’t get into all the changes you’ve made since then. So now you’re fighting against the rate of updating all the rest of your stuff. But to piggyback on your conversation. Number one, change all your passwords, but one (a), use this as a good opportunity to start deprecating some of your old accounts. Go through all that crap that you have in LastPass, I have like 600 entries in my password manager, go through and do some hygiene and just throw away all the old crap, because all of that old identity, all of that old internet presence is going to be stuff that’s going to come back to bite you, especially if you’re never going to use it again. Go shut it down, or at least make sure that you’re not sharing anything anywhere near there.
Brian: Yeah, let me jump in actually and say, before you shut it down, log into those sites if you still can and delete your account. And even, if it’s possible, submit a request for them to delete all of your data. Most websites now will comply with the CCPA requirements that allow users to request their data to be deleted. GDPR requires the same thing. And even though it’s not binding here in the US, a lot of companies will simply do it because it’s too hard to have multiple regimes. So don’t just delete your old files, close and delete your accounts with all these sites and ask them to delete your data.
Ryan: Absolutely, limit your presence where you can, where it makes sense, where you’re for sure not going to use anything again. And then make sure you protect all of the stuff that is critical. Make sure you take all of those really important accounts; your email is going to be a far more important account than almost anything else, because that’s where all of your password reset structures come through. That’s where a lot of your identity shift can occur. But take those, take your bank accounts, strong passwords, all unique passwords, preferably stored in a password manager.
Brian: LastPass has a great password generator, it can generate a 20 character strong password for you. And one of the most important features that password managers have is they make changing and updating your passwords relatively easy. So use that feature, get those passwords changed.
Ryan: And for those times when we have to worry about people getting all of our passwords, put multiple factors of authentication on all your accounts, because you know what, if they do break in, get all your LastPass passwords, and they’ve got everything else and they go and they hit your US bank account, and then all of a sudden they get a multi-factor prompt. Now it doesn’t even matter that they had your password, because now they have another hurdle to jump over before they can get in there. And every one of those hurdles is enough of a deterrent to usually send them down an easier path in a lot of cases. And so just keep following smart practices with this stuff. And then things like the LastPass breach will turn into an inconvenience rather than a catastrophe.
Brian: You’re listening to the Fearless Paranoia podcast, we’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and I to break down in an episode, send us an email at firstname.lastname@example.org or reach out to us on Facebook or LinkedIn. For more information about today’s episode, be sure to check out FearlessParanoia.com where you’ll find a full transcript as well as links to helpful resources and any research and reports discussed during this episode. While you’re there, check out our other posts and podcasts as well as additional helpful resources for learning about cybersecurity. Now, back to the show.
Brian: That leads well into our next tip, that you need to be much more aware of the social engineering risk, because guess what, let’s say they do run into that situation where they’ve got a multi-factor authentication block they’re dealing with. Their next step, let’s just say it’s a bank account, banks are still willing to send out two factor authentication to cell phone numbers. So what one of these hackers is going to do is they’re going to try to social engineer their way into getting access to your phone. Now one of the biggest things that was not encrypted in all of these vaults was the URLs of all of these sites. So your passwords, yes, they were encrypted. The URLs were not. Now these hackers have a massive list of websites that they know that not only did you go to, but that you had accounts on. Yeah. And there’s also reporting that they had access to all of the IP addresses at which these accounts were accessed. Now, how effectively usable that is, Ryan, I’ll let you discuss that. But it does potentially give location information, where you were when you accessed them. So this is a big deal. You need to be much more vigilant to the social engineering risk, right? How valuable is this information for social engineering purposes?
Ryan: I’ll start with the easiest ones to kind of rule out. I think the IP information kind of scares a lot of people. It might be usable to gain some further intelligence about stuff like what cell service somebody uses or something to try and really get past MFA, you know, if you’re going to be a heavily targeted person. That’s more usable than for the average general user. A lot of those might be able to give up who your ISP is or who your phone carrier is; outside of that, I think it shouldn’t be a major issue. But the rest of that data is all very usable, and very important, for the reasons you mentioned. The URLs, why that was unencrypted is absolutely probably one of the biggest slaps in the face in this entire deal. To me, being in cybersecurity, just knowing that if you can gain usable intel and recon on somebody’s accounts, that helps you a lot with being able to target your efforts. Like you said, if people need to get past MFA, if they want to try and target you for password resetting, all they have to do is say hey, there’s a problem with the password for your Wells Fargo account, because they saw that you have a Wells Fargo entry, and then they draft up a fancy email to a phishing site they have with Wells Fargo saying hey, you need to reset your password. Somebody clicks it, it brings up a really crafty Wells Fargo page, they punch in their password. And then right away that threat actor goes to the Wells Fargo site, logs into your account, changes your password, updates all your security information and then plays around in your account before you take the time to recognize what happened and call Wells Fargo. And there’s a lot of damage that can be done in those minutes leading up to that.
Brian: These guys are pretty good at what they do. And you would be surprised how convincing a mock up of a website they can make. Now they know all of the websites that you as a user have an account at and can target them that way. You can even take it to the next level for a person who has Ashley Madison and Pornhub.
Ryan: And the embarrassing sites in your list.
Brian: Yeah. Makes you wide open for blackmail.
Ryan: Absolutely. So yeah, we’ll see a lot of interesting password spraying and credential stuffing coming out of this. We will see a lot of doxing coming out of this because of what you just mentioned there. It’ll be really interesting to see what all the different threat actors try and pivot to use from this dataset. But this was a significant dataset, especially if somebody starts actively finding an effective or an efficient way to start decrypting some of these vaults quickly. I think the fact that the majority of the passwords and notes were encrypted in the vaults, that timeframe and the level of that encryption will at this point hopefully give everybody enough time, if they’re being proactive right now, to start bouncing all of their things before that actually becomes a major concern.
Brian: And that kind of leads me into the last thing, you have to not allow LastPass to blame the victim. I’ll link to their actual PR reports in the episode resources. But in their official statements, one of the things that LastPass did was declare that the encryption would take a hacker 3 million years to break. But they added a very important caveat: if you follow their recommended process for a password that I think it was 12 characters or longer and then had to meet certain requirements. But here’s the thing, that particular recommendation started in 2018. If you created a LastPass account before 2018, it was not mandatory, and they also never prompted you to update your password to meet this new standard. By advertising that passwords that complied with their recommendations would take this long to crack, they are by omission stating that the ones that are cracked in less time did not meet their recommendations, and therefore the fault is on the people who did not follow their recommendations for a strong password. That is, in my personal opinion, an important way of treating this particular situation. It also has the effect of lessening the urgency for doing those things that we’ve already discussed in this episode. If you think it’s going to take 3 million years to hack your account, you’re not going to be in a big rush to fix all your passwords. We have to keep the blame for this where it belongs, which is on the business decision.
And again, I’m assuming business decision, of LastPass for failing to adequately secure the vaults and for failing to encrypt the information in the vaults. Announcing that all of the valuable information your company holds has been stolen on December 22, in an announcement that may have the effect of making people think it’s less serious than it is, that is a critical error and one that, quite frankly, is something that probably will and should come up in both regulatory investigations of this breach and in lawsuits that will inevitably come from this. So I’m going to get off my soapbox now. Ryan, did you have anything you wanted to discuss on that particular issue?
Ryan: I mean, I think you’re right, I think that LastPass and any company that runs into a similar issue like this going forward is going to need to accept ownership of their portion of the failure. And in this case here, the entire arrangement with LastPass, between a user and LastPass, is for LastPass to securely hold all of this data and make it usable to the user as a service in a way that they will be the only one able to make use of it. Just based on that alone, LastPass obviously failed in that aspect. They allowed that data to fall into other hands through bad practices, they allowed that data to be secured at a lesser standard than what it should have been, especially considering the usefulness of that data. And so yeah, failures across the board. I think that it’s good for them to turn around and offer recommendations to users on how to keep their data safe. But not to say that there’s any reduction in liability or reduction in ownership of this incident on their part, should anything come from that. Again, they should have actively communicated to all their users at this point. So anyone who is still sitting on one of those vaults should absolutely start making quick updates. Now, if you are one of those people, and you get past six months from now, now that blame starts to fall back closer to your side due to inaction. But at this point LastPass is obviously trying to cover themselves in the middle of a really rough time, which you can’t blame them for. But at the same point, you’re gonna come out of this a lot stronger in the end if you own up to it and just work with everybody to make sure that you get your problems sorted out and you work with them to mitigate any potential concerns or risks that your users might have due to your duty or failure at this point.
Brian: All right. Well, that’s it for us on this episode of Fearless Paranoia. You can find the links to the additional resources discussed at our website FearlessParanoia.com, and go to the post for this particular episode. You will also find a full transcript of the entire diatribe that I went on just a minute ago, plus the helpful stuff that Ryan actually shared. I want to thank you for joining us, make sure to subscribe to our podcast on any of your favorite podcasting platforms. You can reach out to us on the website and on social media to post any topics that you’d like for us to talk about. On behalf of Ryan, I’m Brian, we are here for Fearless Paranoia. We hope that we will see you again next time. Thanks.
Ryan: And I’m Ryan, cybersecurity specialist.
Brian: This is season one, episode one, the inaugural episode: Ransomware 101. Today we are talking ransomware at a very basic level. In this episode we’re gonna discuss the essential principles of ransomware. What is it, at its core? We’ll discuss the general concept of what ransomware is, why it is so disruptive, and why it’s so effective. Just remember, this episode is not meant to be a deep dive into all the individual aspects of ransomware. This is a general survey of the subject to make sure that you’re familiar with ransomware in general. We will be bringing the deeper dive into various aspects of ransomware in later episodes. This, however, is ransomware 101.
But before we get there, we want to remind everybody that you can check out our other episodes on FearlessParanoia.com. You can also subscribe to our podcast through any of your favorite podcast subscription services. For additional information on how you can keep you, your business, your family and anyone else safe from cyberattacks, please visit our website at www.resiliencecybersecurity.com to get tips, hints and suggestions and plans and procedures and everything you could possibly imagine to help protect yourself from cyberattacks.
It’s a Saturday night and for reasons passing understanding I’m working. It’s 8:30pm. I open my laptop, and knowing that I’ve got some work to do, I open up my Dropbox connection where I put some documents in the day before at work. As I open the box, something catches my eye. But not enough for me to think too much about it. The files that were there, they’re all their regular files, but they’re not quite the same. And as I’m glancing through, I can’t really figure out what’s different. I also notice that the icons don’t seem to be loading properly. But that could just be my computer being my computer. I double click on a Word file that contains something I was working on. That’s when it’s confirmed that something’s wrong. Instead of one box opening, two boxes open, right off the bat, not a good sign. The first box opens up and it’s a bunch of gibberish, symbols, letters, without any kind of order. And I’m really puzzled for a second. But then I see behind that document, the corner of the second document is open. That one doesn’t have symbols, that one doesn’t have jumbled language. It has text in bright colored font: they have my data locked up, and I can contact them at this email address to arrange to make a payment to unlock it. I’ve been hit by ransomware.
The story I've just told you actually happened. Fortunately, it was from back in the days before ransomware became quite as insidious as it is now, and we were able to resolve it with limited business interruption issues and other costs. In fact, the costs of reclaiming our system, cleaning it up and everything actually ended up being less than our insurance deductible. That's something that doesn't really happen anymore.
So what is ransomware? I think most people who follow the news, or read anything about computers, anything about business, anything about security these days, know or have an idea of what ransomware is. But getting a full technical definition requires expertise that exceeds most people's and time that most people don't have. Fortunately, we've got them both, and Ryan, the cybersecurity and IT specialist. So Ryan, walk us through: what is ransomware?
Ryan: That's a fantastic question, Brian. Protecting against and defending against ransomware really starts from the core of just understanding what it is and how it works. And so what is ransomware? It's software. This is a piece of code that somebody's written that encrypts data, using very, very standard, very widely used encryption tools combined with custom algorithms, and makes it unusable to anybody other than the generator of that software, to create a ransom-able environment or ransom-able situation where they can hold data of yours hostage and offer it back to you for what they consider to be a very reasonable cost. It's no different than old fashioned kidnapping or theft for ransom or anything to that effect. The main difference here is these are things that are not happening in your front yard. These are things that are happening from people halfway around the globe, over the internet, you know, a tool that we all use every single day.
Brian: So the concept is taking something hostage, and the idea, which I think has been around forever, is that something is worth more to you to get back than it may be worth on the open market. Even if your computer systems were full of personal information that might be sold on the dark web, that data is not that expensive on the dark web, but you would be willing to pay a lot more to make sure it comes back or to use it yourself; that's where it has actual intrinsic value.
Ryan: Yeah, that's great. You actually touched on a couple of really important points there, too. The first one is that the data is important to the generator, the owner of the data, and life is just not as easy to continue on with without having it back. Whether that's a detriment to your business or not, this is core critical data that you don't have backed up somewhere else. It's data that is not recoverable easily, and so it's got a certain level of value attached to it. Some of that data has value purely to its owner. Some of that data is very valuable to a whole variety of people based on the nature of it. So not only do you have a situation where, as your data gets encrypted by ransomware and is being held hostage, that data could be valuable enough to you for you to offer a payment to these criminals to get access back to it; it could also be valuable to them from an extortion standpoint: what happens if we dump this data? Are you going to be willing to pay us a little extra, not just to get access back to it, but to keep us from publicizing the data out on the internet so that everybody else can have a copy of it too? And that's been something much more prevalent in the ransom attacks popping up in recent times: there's almost a two-stage piece behind that ransomware attack where they attempt to profit twice from it. And again, it's good from a business standpoint, but it's terrible for the rest of us that are on the receiving end of those types of malicious attacks.
Brian: You're listening to the Fearless Paranoia podcast. For more information on keeping yourself, your family and your company protected against cyber threats, check out the Resilience Cybersecurity and Data Privacy blog. If you're enjoying this podcast, please like and subscribe using any of your favorite podcast platforms.
Brian: Yeah, I've been amazed recently how it does seem like ransomware, while it certainly was an effective term when this stuff first became popular, has outgrown the name; extortionware almost seems like it's the better term for the modern version, because ransomware evokes the concept of "we're holding this until you pay us to get it back." I mean, that is a version of extortion. A kidnap and ransom situation is one type of extortion: we are going to illegally get money from you based on you either doing something or not doing something. We're going to leverage you to pay by taking something valuable of yours and returning it back. But in the whole concept of extortion, there is this idea that you can be compelled to do something not just based on the proposition of getting something back, but on a whole variety of levers. And I definitely want to talk about this in greater detail in a later episode: this concept you touched on, what I've been seeing referred to as double and triple extortion, where the people doing the extortion actually leverage different ways of getting you to pay, one of which is not even approaching you with the ransom, but approaching your customers and letting your customers know that, you know, they have your data, and there's the actual data about the customers. And I think one of the more famous examples of that recently was, I think in Scandinavia, essentially a large psychiatric organization, where they took people's patient notes and contacted the patients and said, if your psychiatric doc doesn't pay up this ransom, we're releasing your psychiatric notes.
Ryan: Yeah, it's definitely taken a few different iterations. And it continues to find ways to become more effective, not just the malware families and especially the ransomware itself, but the entire method of distributing it and how they're utilizing it to draw maximum income out of the whole process has really gone through, again, a whole series of evolutions, and I don't see any of that stopping. A lot of it follows very standard criminal methodologies of just finding, you know, low hanging fruit, easy opportunities. And a lot of these ransomware attacks really kind of focus on, you know, those easily exploitable people. So again, folks like ones with medical issues, where that's really personal information, or going into a business and stealing source code from a software developer. That's your bread and butter. Those are your trade secrets. That could be something as simple as a customer database where maybe it's not critical to your business, but it's certainly going to be critical to everybody who does business with you, which can turn into, you know, a major business impact later on if that data were to get out. And so it's a constantly changing field. And it's one that's just going to keep getting more and more devious, which is why it's more important than ever now that we put into effect, at the personal and professional levels, everywhere we can, basic internet hygiene practices to stay safe from some of these, because a lot of these attacks are taking advantage of and exploiting overlooked updates, overlooked resources, very well known exploitable holes that can be closed pretty easily with basic hygiene practices, basic updating and patching. And there are a lot of general hygiene practices that can really prevent, I'd say, a good majority; I'd even go so far as to guess probably 90% of these are really avoidable incidents.
Brian: You're listening to the Fearless Paranoia podcast. We're here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you'd like Ryan and me to break down in an episode, send us an email at email@example.com or reach out to us on Facebook or Twitter. For more information about today's episode, be sure to check out FearlessParanoia.com, where you'll find a post for this episode containing links to all the sources and research information that we have cited to you. Also check out our older posts and podcasts as well as additional helpful resources for learning about cybersecurity. Now, back to the show.
Brian: Let me ask you real quick, because I think a lot of people who watch, you know, any TV program that deals with computer issues, and usually deals with them very poorly, have this idea that encryption can somehow be cracked. I think in reality, cracking encryption really means having the password, having the key that unlocks the whole thing. And we're definitely going to have an entire episode on just helping people understand the basics of what encryption is and how it actually works. But when we're talking about encryption, you're not cracking any of this stuff unless you know the code, right?
Ryan: So yes and no. In some instances, some of the less mature ransomware gangs have used very weak ciphers in some of the ransomware code that they've developed, and in some of those cases it's been relatively trivial for expert researchers to reverse engineer what was used. And so yes, some encryption, and in theory all encryption, really can be cracked, as long as you have enough time and enough resources to do all of the testing and all of the brute forcing. And part of the biggest problem is that with a lot of these encryption ciphers nowadays, even with extremely powerful supercomputers or distributed computing, or even if you were to find a way to wrangle the power of an extremely sophisticated botnet, something where you've got a lot of computing resources to crack away at this, we're still talking years, decades, potentially centuries in some cases, to crack some of these with current technology. So again, are they crackable? Yes. Is the likelihood that they're going to be cracked in any sort of short timeframe or with any ease? It's pretty safe to say no, in most of those cases. Theoretically…
Brian: it’s uncrackable. Practically speaking.
Ryan: In most cases where the ransomware tools do get reverse engineered and do get cracked, a lot of times it's either because they're using an extremely old piece of tooling in the ransomware, or it's because the ransomware gang itself has had some of their code repository, or places where they're holding some of those secrets, some of those passphrases and keys, actually get compromised. And what they're doing to other people actually happens back to them, as their source code and their internal tools are taken by security researchers and then distributed on the internet, saying, "Hey, here's a tool to help you decrypt all of these things, because we broke into their infrastructure." You start to get into some interesting legal issues from that side, too. But again, it does happen from time to time that some of these things do get reverse engineered or do get broken, but it's not something that one would ever want to count upon. The better approach is certainly to put plans in place to protect yourself from it, and to make sure that in the case that it does happen, you're not counting on either having to pay a ransom or find a key to get back into it; that you've got a secondary plan in place to make sure that you can maintain business continuity around the issue instead.
Brian: So where does ransomware then fit in, in the overall concept or context of a business getting hacked?
Ryan: So ransomware, again, is very rarely ever the first stage of compromise; ransomware is usually one of the end stages of compromise. That's kind of the end goal: apply the ransomware, apply the ransom and collect, and then finish whatever the business relationship is there, if you can call it a…
Brian: Business relationship. Business gets conducted at the end of this meeting: either your signature or your brains will be on this contract. Yeah.
Ryan: And effectively, I mean, it is business. It's a billion-dollar industry, you know, so ransomware is a huge business nowadays. It's a legitimate business in most of our minds, but it is what it is.
Brian: And so it's this combination of really strong encryption and these ransomware groups' knowledge of where to look for critical information, and most importantly, what constitutes critical information for businesses, health care facilities, even individuals, that makes ransomware so disruptive to our modern economy, our systems, our way of doing things.
Ryan: Absolutely.
Brian: Well, in a nutshell, there it is: Ransomware 101. Want to thank you for joining us today. Look forward to seeing you again in the future. Don't forget to subscribe to our podcast; you can do so through your favorite subscription service or on our website. Also, if you have a specific cybersecurity topic you'd like to hear Ryan and me address in our podcast, you can go ahead and send us a message on the Fearless Paranoia website at FearlessParanoia.com. We hope to see you again next time. This is Brian and Ryan, Fearless Paranoia, signing off.
©2024 Fearless Paranoia