In this Spotlight edition of the Security Ledger podcast, Rachel Stockton of LastPass * joins us to discuss the myriad of challenges facing companies trying to secure users’ online activities, and simple solutions for busting insecure user behaviors to address threats like phishing, account takeover and more.
In this episode of the podcast #162: according to the non profit that oversees it, the first disruptive hack of the U.S. grid happened in March of this year. Our guest, Joe Weiss, said it really happened more than a decade ago and that hundreds more like it have been overlooked or mis-classified. Also: Rachel Stockton of the firm LastPass* joins us to talk about changing users troublesome password behavior to make companies more secure.
In-brief: LastPass, the keeper of passwords for millions of security conscious Internet users said on Monday that its own systems were breached by hackers.
Researchers from the University of California, Berkeley have published a paper describing security holes in five, web-based password managers including LastPass, My1login and Roboform. According to the paper (PDF), four out of the five password managers inadvertently leaked a user’s credentials for stored web sites due to all-too-common web based security flaws like Cross Site Request Forgery (CSRF) and Cross Site Scripting (XSS). The researchers, Zhiwei Li, Warren He, Devdatta Akwawe and Dawn Song, all of the University of California Berkeley, said that they disclosed the holes in August of last year and that all of the affected firms and that all but one – NeedMyPassword – have since patched the vulnerabilities. All the password managers tested were found to contain one of a short list of security problems. Either they were vulnerable to classic web-based holes (like XSS), or they were found to be susceptible to user interface-focused attacks, like […]
