Hello friend 👋
We're about to enter 2023! I hope you're all happy and healthy across the world as some of us celebrate Christmas and other cultures do not.
You may recall that I reported on the LastPass compromise in editions 4 and 18 of the newsletter. We've had a HUGE development with this compromise that genuinely demands attention from you, especially if you're a LastPass customer.
LastPass finally told us that the hackers that compromised their network actually stole customer password vaults! This is a big deal:
"The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data."
LastPass's Zero Knowledge architecture was designed and built by LastPass. I think it's fair to say that from what we've seen so far, designing something to be timelessly bulletproof is seemingly impossible. The hackers WILL be trying to get a hold of these master passwords through phishing or other means. They might also try to find holes in LastPass's Zero Knowledge architecture. There's a whole bunch of advice and information here on the LastPass blog.
I'm going to be watching this story closely; you should too.
You can get in touch with me by simply hitting reply. I respond to every email that hits my inbox.
Until next week,
Fun Things This Week
🎙 My Latest Video
In this video, we're building wordlists to help crack passwords. This is something I might be doing if I were a hacker targeting a specific person's LastPass vault!
👾 Cool Tools
s3crets scanner is a little tool that helps you hunt for secrets uploaded to public AWS S3 buckets.
Shennina is an automated host exploitation framework. The mission of the project is to fully automate the scanning, vulnerability scanning/analysis, and exploitation using Artificial Intelligence. Shennina is integrated with Metasploit and Nmap for performing the attacks, as well as being integrated with an in-house Command-and-Control Server for exfiltrating data from compromised machines automatically.
If you've written a tool and you'd like me to see it, just drop me an email!
Whenever you’re ready, there are a few ways I can help you:
1. If you'd like to learn how to create content to raise your online profile, I have a free email crash course and a whole series of video workshops.
2. If you want to land a career in cyber security but don't know where to start, your best bet is through my SWITCHFIRE guide.
3. If you'd like to promote yourself or your business and help keep this newsletter free to its readers, you can sponsor it by dropping me an email.