Password Management

NortonLifeLock Warns Customers About Potential Password Manager Breach

Just a few weeks after LastPass confirmed hackers had stolen a copy of users’ encrypted password vaults comes the news of another password manager data breach. NortonLifeLock has recently notified approximately 6,450 individuals that their accounts have been accessed by unauthorized individuals and that their Password Manager accounts are at risk.

Gen Digital, which owns NortonLifeLock, first detected the account compromises on December 12, 2022, when its intrusion detection system generated alerts in response to an unusually high volume of failed login attempts. The investigation confirmed that NortonLifeLock customers were being targeted in a credential stuffing attack, which commenced on or around December 1, 2022.

NortonLifeLock stated that its own systems were not compromised; the attackers logged in to customer accounts using valid credentials. The compromised accounts exposed first names, last names, phone numbers, and mailing addresses. NortonLifeLock could not confirm whether any Password Manager vaults had been accessed, but could not rule out that attackers who had validated a customer's Norton logon credentials went on to open the customer's password vault. That is most likely where the Password Manager vault password was the same as, or similar to, the Norton account password, because the vault password is the one thing the attacker still needs after the account login succeeds.

Credential stuffing is a low-complexity attack in which username/password pairs harvested from data breaches at unrelated services are replayed against the login page of another service. Attackers compile combo lists from many breaches and automate the login attempts, relying on a proportion of users having reused the same email address and password across platforms. It differs from a brute force attack in that each account is typically tried only once or twice, with a password already known to be valid somewhere else, so the signature in the logs is a high volume of failed logins spread across many distinct accounts from a small set of sources, which is the pattern that triggered NortonLifeLock's intrusion detection alerts.
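The detection signal described above, as an added example that is not NortonLifeLock's or Gen Digital's code: a small analyser that slides a time window over an authentication log, labels each source IP as credential stuffing (many attempts, almost all against different accounts, mostly failing) or brute force (many attempts against one or two accounts), and lists the accounts whose reused credentials were validated by a successful login from a stuffing source. The log format, the thresholds, the IP addresses and the sample lines are all constructed assumptions.

```python
"""Detect credential stuffing in authentication logs.

Added example for this article, not NortonLifeLock/Gen Digital code.
The log format (timestamp user source_ip result), the thresholds and
the sample lines are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log: one source replays a leaked combo list across many
# accounts (two of the pairs are valid), a second hammers a single account, and a
# third is an ordinary successful login. The "garbage" line is deliberately malformed.
SAMPLE_LOG = """\
2022-12-12T10:00:01Z alice@example.com 203.0.113.7 FAIL
2022-12-12T10:00:02Z bob@example.com 203.0.113.7 FAIL
2022-12-12T10:00:02Z carol@example.com 203.0.113.7 SUCCESS
2022-12-12T10:00:03Z dave@example.com 203.0.113.7 FAIL
2022-12-12T10:00:04Z erin@example.com 203.0.113.7 FAIL
2022-12-12T10:00:05Z frank@example.com 203.0.113.7 FAIL
2022-12-12T10:00:06Z grace@example.com 203.0.113.7 FAIL
2022-12-12T10:00:07Z heidi@example.com 203.0.113.7 SUCCESS
2022-12-12T10:00:01Z victim@example.com 198.51.100.9 FAIL
2022-12-12T10:00:02Z victim@example.com 198.51.100.9 FAIL
2022-12-12T10:00:03Z victim@example.com 198.51.100.9 FAIL
2022-12-12T10:00:04Z victim@example.com 198.51.100.9 FAIL
2022-12-12T10:00:05Z victim@example.com 198.51.100.9 FAIL
2022-12-12T10:00:06Z victim@example.com 198.51.100.9 FAIL
2022-12-12T10:00:07Z victim@example.com 198.51.100.9 FAIL
2022-12-12T10:00:08Z victim@example.com 198.51.100.9 FAIL
garbage line that does not parse
2022-12-12T10:05:00Z alice@example.com 192.0.2.44 SUCCESS
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(SUCCESS|FAIL)$")


def parse_log(text):
    """Return (timestamp, user, ip, succeeded) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, ip, result = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, user.lower(), ip, result == "SUCCESS"))
    return events


def classify(window_events, min_attempts):
    """Label one source IP's busiest window.

    Stuffing: many attempts, almost every one against a different account, mostly failing.
    Brute force: many attempts concentrated on one or two accounts, mostly failing.
    """
    attempts = len(window_events)
    failures = sum(1 for e in window_events if not e[3])
    users = {e[1] for e in window_events}
    failure_rate = failures / attempts
    spread = len(users) / attempts          # 1.0 means every attempt hit a new account
    kind = "normal"
    if attempts >= min_attempts and failure_rate >= 0.5:
        if spread >= 0.8:
            kind = "credential_stuffing"
        elif len(users) <= 2:
            kind = "brute_force"
    # Accounts that logged in successfully from a stuffing source are the ones whose
    # reused credentials were just validated; they need a forced reset, not just an alert.
    validated = sorted(e[1] for e in window_events if e[3]) if kind == "credential_stuffing" else []
    return {"kind": kind, "attempts": attempts, "distinct_users": len(users),
            "failure_rate": round(failure_rate, 2), "validated": validated}


def analyze(log_text, window=timedelta(minutes=5), min_attempts=5):
    """Slide a time window over each source IP's events and classify its busiest window."""
    by_ip = defaultdict(list)
    for ev in parse_log(log_text):
        by_ip[ev[2]].append(ev)
    report = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        busiest, left = [], 0
        for right in range(len(events)):
            while events[right][0] - events[left][0] > window:
                left += 1
            if right - left + 1 > len(busiest):
                busiest = events[left:right + 1]
        report[ip] = classify(busiest, min_attempts)
    return report


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info)
```

In production the same statistics come from the identity provider's sign-in logs rather than a flat file, and attackers spread attempts across proxies, so the grouping key is usually an ASN or a device fingerprint rather than a single IP. The response that matters is the one NortonLifeLock took: reset the validated accounts, not just the ones that failed.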

NortonLifeLock reset the passwords of all affected accounts and took other steps to counter the unauthorized third party, and has strongly recommended that affected users immediately change their Norton password, the passwords of all other accounts that share that password, and every password stored in their Password Manager vaults. Users who had set a unique password for their Norton account were not affected.

Account breaches such as this are all too common and succeed because of poor password practices, not because of a flaw in the password manager itself. A password manager can improve security, but only if password best practices are applied to the manager as well. A vault may contain a user's entire collection of passwords, sensitive information such as credit card details, and private documents, so the password protecting it must be long, complex, and unique, and 2-factor authentication should be activated. A passphrase of at least 12 characters is recommended.

The post NortonLifeLock Warns Customers About Potential Password Manager Breach appeared first on HIPAA Journal.

Password Management Howlers Identified at U.S. Department of the Interior

The Office of Inspector General of the U.S. Department of the Interior (DOI OIG) has identified bad password management and enforcement practices at the Department of the Interior that are placing critical IT systems at risk. These basic password errors are all too common in the healthcare industry and make it far too easy for malicious actors to gain initial access to networks for ransomware attacks and other nefarious purposes.

An inspection was conducted of the department's password complexity requirements to determine whether its password management and enforcement controls were effective and likely to prevent malicious actors from using brute force or dictionary attacks to gain unauthorized access to accounts. The DOI OIG identified several password management weaknesses and a large number of weak passwords. 4.75% of accounts were secured using variants of 'password', which can be cracked almost instantly; Password-1234 alone was protecting 478 unique, unrelated accounts, and 5 of the 10 most reused passwords included the word 'password' and the digit sequence '1234'.

While the DOI had implemented minimum requirements for password complexity, those rules were out of date and no longer fit for purpose, and composition rules on their own do not produce strong passwords: many users set passwords that met the requirements but were still trivially weak, such as P@s$w0rd and Changeme$12345, each of which is a dictionary word with a few character substitutions and a suffix appended, exactly the transformations a password cracker applies first. The OIG also found no age limits on passwords, so an attacker who obtained a hash had unlimited time to crack it (note that NIST SP 800-63B, which the OIG's own recommendations cite, advises against arbitrary periodic expiration; the effective defences against offline cracking are strong hashing, blocklisting weak passwords, and MFA). Further, accounts that were no longer used were not disabled in a timely manner, which placed a further 6,000 accounts at risk.

The DOI OIG attempted to crack the department's password hashes, and within the first 90 minutes of testing 16% of DOI passwords had been cracked. Over the entire test of 85,944 department passwords, 18,174 (21%) were cracked, including 288 accounts with elevated privileges and 362 accounts belonging to senior government employees. In addition to these password management failures, the DOI had not consistently implemented multi-factor authentication: the OIG found that 89% of high-value assets did not have multi-factor authentication enabled, despite MFA having been a requirement for 15 years. When asked to produce documentation of which accounts had MFA enabled, the department could not produce a list.
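To show why P@s$w0rd, Changeme$12345 and Password-1234 fall within minutes, here is an added example of the rule-based dictionary attack the OIG's results imply. It is not the OIG's tooling and the accounts are constructed; SHA-256 stands in for the real hash type because Python's hashlib does not reliably expose MD4 (Windows NT hashes are MD4 over the UTF-16LE password). Against unsalted fast hashes the candidate pipeline is what matters, and hashcat or John the Ripper apply the same idea at GPU speed.

```python
"""Rule-based dictionary cracking of the kind that defeats 'complex' passwords.

Added example; not the DOI OIG's tooling. Accounts and hashes are constructed.
SHA-256 is an assumed stand-in for the hash type (real AD: MD4 of UTF-16LE).
"""
import hashlib
from itertools import product

LEET = {"a": "@", "s": "$", "o": "0", "e": "3", "i": "1"}
SUFFIXES = ["", "1", "123", "1234", "12345", "!", "$12345", "-1234", "2022", "2023"]
BASE_WORDS = ["password", "changeme", "welcome", "summer", "interior"]


def hash_password(password):
    """Unsalted fast hash (assumed). Unsalted means one guess tests every account at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def leet_variants(word):
    """Every combination of plain/substituted characters, e.g. password -> p@s$w0rd."""
    options = [(c, LEET[c]) if c in LEET else (c,) for c in word]
    for combo in product(*options):
        yield "".join(combo)


def case_variants(word):
    yield word
    yield word.capitalize()   # Password-style, the most common 'complexity' tweak
    yield word.upper()


def candidates(base_words=BASE_WORDS, suffixes=SUFFIXES):
    """Base word x leet substitutions x casing x suffix, deduplicated."""
    seen = set()
    for base in base_words:
        for leet in leet_variants(base):
            for cased in case_variants(leet):
                for suffix in suffixes:
                    cand = cased + suffix
                    if cand not in seen:
                        seen.add(cand)
                        yield cand


def crack(hashes_by_account, base_words=BASE_WORDS):
    """Return ({account: plaintext} for every hash hit by the rule set, guesses made)."""
    targets = {}
    for account, h in hashes_by_account.items():
        # 478 accounts sharing Password-1234 share one hash: one hit cracks all of them.
        targets.setdefault(h, []).append(account)
    cracked, guesses = {}, 0
    for cand in candidates(base_words):
        guesses += 1
        accounts = targets.pop(hash_password(cand), None)
        if accounts:
            for account in accounts:
                cracked[account] = cand
        if not targets:
            break
    return cracked, guesses


# Constructed accounts: four satisfy typical composition rules, one is a real passphrase.
SAMPLE_ACCOUNTS = {
    "jdoe": "Password-1234",
    "asmith": "P@s$w0rd",
    "svc-backup": "Changeme$12345",
    "mlee": "Password-1234",
    "ciso": "correct horse battery staple 7Q",
}
SAMPLE_HASHES = {acct: hash_password(pw) for acct, pw in SAMPLE_ACCOUNTS.items()}


if __name__ == "__main__":
    found, n = crack(SAMPLE_HASHES)
    print(f"{len(found)}/{len(SAMPLE_HASHES)} cracked after {n} guesses")
    for acct, pw in found.items():
        print(f"  {acct}: {pw}")
```

With five base words the rule set produces well under two thousand candidates, which is enough to recover four of the five constructed accounts; the passphrase survives because it is not derived from a dictionary word plus a transformation. That asymmetry is the whole argument for length and unpredictability over composition rules.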

The DOI OIG pointed out that the 2021 ransomware attack on Colonial Pipeline, which shut down the fuel pipeline serving the Eastern Seaboard and disrupted almost half of the East Coast's fuel supply, began with a single compromised password for a legacy VPN account that did not require MFA. The password management failures identified by DOI OIG are all too prevalent across federal, state, and local governments and public and private organizations.

The DOI OIG made several recommendations for improving password management and enforcement: track MFA status and ensure MFA is applied to all accounts; set new minimum password requirements in line with the latest guidance from the National Institute of Standards and Technology (NIST SP 800-63B); implement controls to monitor, limit, and prevent the use of commonly used, expected, or compromised passwords and passphrases; and disable inactive accounts promptly.
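The OIG's third recommendation, and the advice earlier on this page to protect a password manager with a long, unique passphrase, both come down to the verifier-side checks in NIST SP 800-63B section 5.1.1.2: a length floor, a blocklist of common and context-specific words, a check for repetitive or sequential characters, and a lookup against known-breached passwords, with no composition rules and no expiry. The following is an added example of those checks, not DOI, NIST or vendor code. The blocklist, the context words, the 12-character floor (the article's recommendation; 800-63B's minimum is 8) and the local "breach corpus" are assumptions; in production the breach check would be a k-anonymity range query against a service such as Have I Been Pwned, and the constructed prefix-to-suffix table stands in for that response so the code runs offline.

```python
"""Memorized-secret checks in the spirit of NIST SP 800-63B section 5.1.1.2.

Added example; blocklist, context words, 12-character floor and the
local breach table are assumptions. The breach table imitates a
k-anonymity range response (SHA-1 prefix -> suffixes) so this runs offline.
"""
import hashlib
import re

MIN_LENGTH = 12
MAX_LENGTH = 128          # 800-63B: accept at least 64 characters; never force short secrets
COMMON_WORDS = {"password", "changeme", "welcome", "letmein", "qwerty",
                "123456", "admin", "iloveyou", "summer", "winter"}
# Reverse the substitutions users make to satisfy composition rules.
UNLEET = str.maketrans("@$01!357", "asoiiest")


def normalize(password):
    """Lowercase and undo common leet substitutions so P@s$w0rd compares as password."""
    lowered = password.lower()
    if not re.search(r"[a-z]", lowered):
        return lowered      # pure digit/symbol strings: leave them for the sequence check
    return lowered.translate(UNLEET)


def has_runs_or_sequences(password, length=4):
    """True for aaaa-style repeats or 1234/abcd-style ascending or descending runs."""
    for i in range(len(password) - length + 1):
        codes = [ord(c) for c in password[i:i + length]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def _build_breach_table(samples):
    """Constructed stand-in for HIBP range responses: SHA-1 prefix -> set of suffixes."""
    table = {}
    for pw in samples:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        table.setdefault(digest[:5], set()).add(digest[5:])
    return table


# Constructed sample corpus; in reality the suffix set comes from the range API at query time.
BREACH_TABLE = _build_breach_table(["Summer2022!!", "Welcome12345", "Password-1234"])


def seen_in_breach(password, table=BREACH_TABLE):
    """Only the 5-character hash prefix would ever leave the host in the real lookup."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in table.get(digest[:5], set())


def check_password(password, username="", service=""):
    """Return the reasons a password should be rejected; an empty list means acceptable.

    No composition rules and no expiration are enforced: 800-63B recommends neither.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if len(password) > MAX_LENGTH:
        reasons.append("too long")
    norm = normalize(password)
    if norm in COMMON_WORDS or any(len(w) >= 6 and w in norm for w in COMMON_WORDS):
        reasons.append("blocklisted word")
    local = username.lower().split("@")[0]
    if local and local in password.lower():
        reasons.append("contains username")
    if service and service.lower() in password.lower():
        reasons.append("contains service name")
    if has_runs_or_sequences(password):
        reasons.append("sequential or repeated characters")
    if seen_in_breach(password):
        reasons.append("found in breach corpus")
    return reasons


if __name__ == "__main__":
    for pw in ["Password-1234", "P@s$w0rd", "jdoe-interior-2023!",
               "correct horse battery staple 7Q"]:
        print(f"{pw!r}: {check_password(pw, 'jdoe@doi.example', 'interior') or 'ok'}")
```

Two design points worth keeping when adapting this: the blocklist is matched on the normalized form, so the leet and suffix tricks that satisfied the DOI's old rules do not help, and the breach lookup sends only a hash prefix, so the check itself never exposes the candidate password.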

The post Password Management Howlers Identified at U.S. Department of the Interior appeared first on HIPAA Journal.

Improper Use of Password Managers Is Increasing

Passwords can provide a good level of security, but all too often users choose weak passwords that present no challenge to hackers. Many of the most commonly used passwords can be cracked almost instantly. A recent NordPass study analyzed a 3TB database of leaked passwords and found 'password' had been used to secure 4.9 million accounts, with the next most common password, 123456, used on 1.5 million accounts.

Security awareness is improving, but many users still set weak passwords for convenience despite the risk of accounts being compromised. It is also common for users to set the same password for multiple accounts. This bad practice puts users at risk of credential stuffing attacks. If the password is compromised on one platform, all other accounts with the same username and password combination can also be accessed.

One of the most cost-effective and easiest ways to improve password security is to provide employees with a password manager. Password managers generate strong, unique passwords, auto-fill them when they are needed, and store them in an encrypted vault. While password managers can significantly improve security, a recent Security.org survey of 1,047 U.S. adults for its Password Manager Annual Report 2022 has revealed an alarming practice that is putting users of password managers at risk of identity theft.

Password managers help to eliminate bad password practices because they make it as easy and convenient to set a strong password as a weak one. If users set strong and unique passwords for all of their accounts, that is far better than setting easy-to-remember passwords or reusing the same password on multiple accounts. The one remaining weak point is the master password that secures the vault. If that password is guessed, it doesn't matter how strong the other passwords are: the master password is the input from which the vault's encryption key is derived, so anyone holding a copy of the encrypted vault who can guess it can decrypt every entry offline, with no lockout or rate limit to stop them. The master password must therefore be long, complex, and unique.

The Security.org survey revealed that some users commit the cardinal sin of password manager use – failing to set a unique password for their password vault, and the number of people committing this sin is alarmingly high. 25% of respondents that use a password manager admitted to reusing their password manager master password for multiple accounts, despite that practice being incredibly risky. Worryingly, even though security awareness is improving, the practice of reusing master passwords is increasing. Last year, 19% of password manager users admitted to reusing their master password on multiple accounts. The survey also revealed that almost half of password manager users who had their identities stolen had reused their master password on multiple accounts.

Businesses that are considering providing a password manager to their employees to improve password security should take note and ensure that they stress the importance of setting a strong, unique password for the password manager and the importance of also setting up 2-factor authentication for the password manager.

Confidence in Password Managers Remains High

Confidence in the security of password managers remains high, although the data breaches experienced by LastPass have taken their toll. Last year, LastPass was the most popular password manager, yet the survey indicates it has fallen to fourth spot, behind Google Password Manager, iCloud Keychain, and Bitwarden. The LastPass data breach did not expose passwords, but it was enough to trigger many users to switch to alternative providers. Despite these two breaches, only 23% of respondents believe password managers to be unsafe.

Interestingly, 28% of non-password manager users said they didn’t use these tools because they thought them to be unsafe; however, 50% of users admitted to using the same few passwords for all of their accounts, 46% said their passwords are saved in a file on their computers, and 43% save passwords in their browsers, all of which are far riskier security practices than using a password manager.

The post Improper Use of Password Managers Is Increasing appeared first on HIPAA Journal.

LastPass Confirms Customer Data Breached in Hacking Incident

LastPass has confirmed that hackers have gained access to a third-party cloud storage service that contained customer data, although no user passwords were compromised. The hacking incident is linked to the security breach that occurred in August 2022.

In August, a hacker successfully compromised a developer account that provided access to the LastPass developer environment. Source code and proprietary technical information were stolen, although no user information was compromised, and password vaults remained secure.

The latest announcement by LastPass CEO Karim Toubba is about a separate incident. Information stolen in the August breach allowed access to be gained to a third-party storage service that is shared by LastPass and its affiliate, GoTo (formerly LogMeIn). GoTo issued a similar breach notification in the past few days.

LastPass said both incidents were investigated promptly, with assistance provided by the cybersecurity firm Mandiant. The investigation into the breach is ongoing, but it has been confirmed that access was gained to some portions of the information of its customers. The types of information compromised have yet to be publicly disclosed.

Password managers are naturally a target for hackers as they store the entire collection of passwords of their customers, and LastPass, as one of the most popular password managers, is an obvious target. The company claims to have 33 million registered customers and serves more than 100,000 businesses. For security reasons, password managers are typically built on a zero-knowledge architecture: the vault is encrypted on the user's device with a key derived from the master password, and the provider stores only the encrypted vault, never the master password or the key, so it cannot decrypt customers' vaults itself. As was the case in the August breach, Toubba stressed that "Our customers' passwords remain safely encrypted due to LastPass's Zero Knowledge architecture."

Despite being a target for hackers, using a password manager is still considered to provide better security than not using one, as they allow users to improve their password practices and set unique, complex passwords for each account and avoid password reuse on multiple platforms. Naturally, a very strong password should be set for the master password that secures password vaults, and 2-factor authentication should be implemented.

Earlier this month, LastPass released a Psychology of Passwords report which suggested that while security awareness training programs are increasingly being provided by businesses, they do not appear to be having much effect on eradicating poor password practices such as password reuse. Respondents to the survey claimed to be aware of password risks but were choosing convenience over security, still reusing passwords on multiple platforms and engaging in other poor password practices. Passwordless authentication removes the password, and with it these problems, but until that technology is in place, password managers are the best available solution for improving password security because they make it easier to follow password best practices.

The post LastPass Confirms Customer Data Breached in Hacking Incident appeared first on HIPAA Journal.

Security Awareness Training Does Not Appear to Improve Password Hygiene

Security awareness training is a vital part of any security strategy; however, one area where it appears to be having little effect is improving password hygiene. Employees can be taught what a strong password is and how passwords should be created, but even though the theory is understood it is not being put into practice. Employees may be made aware of the importance of practicing good cyber hygiene when it comes to passwords, but creating complex, unique passwords for every account is difficult, and remembering those passwords is almost impossible.

Each year, LastPass conducts its Psychology of Passwords survey, which this year was conducted on 3,750 professionals. Respondents were probed about their password practices for their personal and work accounts. The survey revealed there was a high level of confidence in current password management practices, but in many cases, there was a false sense of safety, as good password hygiene was not always practiced.

The biggest disconnect was with Gen Z, which had the highest level of confidence in their password management practices, yet the poorest scores for password hygiene. Gen Z respondents were the most likely to be able to identify password risks, such as reusing passwords on multiple accounts, yet this age group reused passwords 69% of the time. Overall, 62% of respondents admitted to almost always or mostly using the same password or variations of it on their accounts.

The survey confirmed that 65% of the respondents had received some form of cybersecurity awareness training and 79% of those individuals said their education was effective. Overall, 89% of respondents said they know that using the same password or variations of it was a security risk, but just 12% of respondents said they use a unique password for each account. When probed about changes to their password habits after receiving security awareness training, only 31% of respondents said they changed their password practices and stopped reusing the same password for multiple accounts and only 25% of respondents started using a password manager.

Most respondents used a risk-based approach when creating passwords, with 69% saying they create stronger passwords for financial accounts and 52% of respondents saying they use more complex passwords for their email accounts. Convenience is favored over security for other accounts, with 35% choosing stronger passwords for their health records, 32% for social media accounts, 18% for retail or online shopping accounts, and 14% for streaming accounts such as Netflix. 13% of respondents said they create passwords in the same way, regardless of what account the password is for. Worryingly, only 33% of respondents said they choose stronger passwords for their work accounts.

One of the ways that employers can improve password security is to provide their employees with a password manager. A password manager will suggest random, strong, unique passwords, will store them securely in an encrypted vault, and will autofill them when needed so they never need to be remembered. One way to encourage employees to use a password manager is for employers to provide one to employees for work and personal use and to stress the benefits in security awareness training sessions. The Bitwarden Password Decisions survey published last month found 71% of respondents would be very likely to use a password manager if their company also provided a complimentary family account for personal use, with just 5% saying they would not be likely to use it.

“Our latest research showcases that even in the face of a pandemic, where we spent more time online amid rising cyberattacks, there continues to be a disconnect for people when it comes to protecting their digital lives,” said Christofer Hoff, Chief Secure Technology Officer at LastPass. “The reality is that even though nearly two-thirds of respondents have some form of cybersecurity education, it is not being put into practice for varying reasons. For both consumers and businesses, a password manager is a simple step to keep your accounts safe and secure.”

The post Security Awareness Training Does Not Appear to Improve Password Hygiene appeared first on HIPAA Journal.

Adoption of Passwordless Authentication Grows But Poor Password Practices Persist

Passwords are an inexpensive and convenient form of authentication. While passwords can provide a high degree of protection, in practice they are a weak point that is commonly exploited by threat actors to gain access to internal networks and sensitive data. Brute force attacks are conducted to guess weak passwords, credential stuffing attacks succeed because people reuse passwords on multiple platforms, and employees divulge their passwords by responding to phishing emails.

Many of these attacks targeting passwords succeed because employees engage in risky password practices, such as setting easy-to-remember passwords or using the same password for multiple accounts. Businesses can reduce these bad password practices by providing security awareness training to teach employees password best practices, enforcing sensible password rules, and providing a password manager; however, the risk can only be reduced, not eliminated entirely. Employees will make mistakes, and some will circumvent the rules.

The best approach for businesses to eliminate password risks is to do away with passwords altogether and adopt passwordless authentication. Passwordless authentication is a broad term covering multiple methods of authentication, including biometrics, security keys, and specialized mobile applications. The problem for businesses is implementing passwordless authentication for an entire workforce is costly and challenging.

Half of Businesses Have Implemented Passwordless Authentication or Plan to

Bitwarden, a leading open source password manager provider, has recently published the findings from its annual password decisions survey, which shows an increasing number of businesses are embracing passwordless authentication. The survey was conducted on 800 IT decision-makers (400 US / 400 UK) across a range of industries and revealed almost half of the respondents have either deployed or have plans to deploy passwordless technology. The main benefits of passwordless technology were seen to be improved security (41%), a better user experience (24%), increased productivity (19%) and minimizing the burden on the IT department (17%).

Out of the businesses that have started to deploy the technology, 66% have one or two user groups or multiple teams using passwordless technology, with 13% having fully adopted it across the entire organization. The most common form – implemented or being considered by 51% of businesses – is something employees are – a biometric factor such as a fingerprint, voiceprint, or facial recognition technology. 31% use or are considering something an employee has, such as a phone, security key, or FIDO authentication. 47% of respondents said FIDO2 was an important aspect of their passwordless adoption.

The most commonly stated reason for not ditching passwords is the applications the businesses use are not designed to support passwordless authentication, which was a problem for 49% of businesses that have yet to go passwordless. 39% said end users prefer passwords or are reluctant to switch, 28% said they do not have the budget, 23% said there was leadership resistance, and 21% said they had limited talent and skills to implement it.

It is likely to take some time before most businesses can go fully passwordless, and in the meantime, passwords will continue to be used. On that front, the survey confirmed that risky password practices are commonplace. While 84% of respondents said they use password management software, 54% said passwords are stored in a document on their computer, 29% write them down, and over 90% of respondents admitted to password reuse, despite being aware of the risks. 36% reuse passwords on 5-10 sites, 24% reuse passwords on up to 15 sites, and 11% reuse the same password on more than 15 sites, which demonstrates why credential stuffing attacks often succeed. Fortunately, 92% of respondents said they are using 2-factor authentication in the workplace – an increase from 88% in last year’s survey.

When questioned why they believe people are reluctant to use 2FA to add security to accounts, 48% said they do not think people are aware of the benefits, 47% said they think people believe passwords are strong enough, and 41% said they think it's because people believe they are unlikely to get hacked, with a similar percentage saying 2FA slows down workflow.

The post Adoption of Passwordless Authentication Grows But Poor Password Practices Persist appeared first on HIPAA Journal.

Minor Changes to ISO 27001 Password Management Controls Expected in Updated Standard

The ISO 27001 standard is currently being updated and the latest version is due for publication next month. The early indications are that, although the control domains will be significantly revised, there are only minor changes expected to the ISO 27001 password management controls.

The ISO 27001 standard is an international information security standard jointly published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The aim of the standard is to help organizations better secure data by listing the necessary requirements for establishing an effective information security management system.

Organizations that meet the requirements of ISO 27001 can choose to be certified by an accredited certification body. Certification has the benefits of enhancing an organization's reputation for data security (which can help attract new customers), reducing the number and length of security audits, and – in the healthcare industry – limiting enforcement action should a data breach occur.

Alternatively, organizations that do not want to commit to implementing a full information security management system can implement selected controls. Although this means the organizations will not qualify for ISO 27001 certification, the controls still help protect data from unauthorized access, raise awareness of data security among the workforce, and mitigate the risk of a data breach.

Existing ISO 27001 Password Management Controls

Currently, the existing ISO 27001 password management controls can be found in Section 9 of Annex A – the "Access Control" domain (A.9). There are fourteen controls divided into four control groups in this domain:

A.9.1 Business Requirements of Access Control

  • A.9.1.1 Access Control Policy
  • A.9.1.2 Access to Networks and Network Services

A.9.2 User Access Management

  • A.9.2.1 User Registration and De-registration
  • A.9.2.2 User Access Provisioning
  • A.9.2.3 Management of Privileged Access Rights
  • A.9.2.4 Management of Secret Authentication Information of Users
  • A.9.2.5 Review of User Access Rights
  • A.9.2.6 Removal or Adjustment of Access Rights

A.9.3 User Responsibilities

  • A.9.3.1 Use of Secret Authentication Information

A.9.4 System and Application Access Control

  • A.9.4.1 Information Access Restriction
  • A.9.4.2 Secure Log-on Procedures
  • A.9.4.3 Password Management System
  • A.9.4.4 Use of Privileged Utility Programs
  • A.9.4.5 Access Control to Program Source Code

Because of the complexity of provisioning, managing, reviewing, and adjusting users´ access rights, many organizations looking to comply with the ISO 27001 password management controls implement a vault-based password manager such as Bitwarden, whose “Security and Compliance Program” is itself based on the ISO 27001 standard.

The advantages of vault-based password managers are that they work across all devices and operating systems, password policies can be applied universally, by group, or per user, and each vault can be secured with 2FA. Admins can add and remove users, apply and adjust role-based access controls (RBAC), and share passwords among authorized users securely through the password manager.

Vault-based password managers are also zero-knowledge solutions. This means that, although it is still necessary to sign a Business Associate Agreement with the vendor if sharing ePHI through the password manager – nobody other than the authorized user(s) is able to access and view data stored in a vault without the master password and access to the 2FA authenticator method.

Anticipated Changes to the ISO 27001 Controls in 2022

In July 2022, an updated version of ISO 27001 – the “Final Draft International Standard” or “FDIS” was distributed among National Standards Bodies for formal approval. The National Standards Bodies will vote on the update version by the end of September; and provided the vote is in favor of the updates, ISO 27001:2022 will be published in October 2022.

Although the ten clauses of the standard only have language changes, Annex A – which contains the required controls – has been revised significantly. The fourteen control domains (A.5 to A.18) are being compressed into just four control domains, there are 11 new controls, 23 controls have been renamed, and 24 controls merged with other controls. The four new control domains will be:

A.5 Organizational Controls (37 Controls)

A.6 People Controls (8 Controls)

A.7 Physical Controls (14 Controls)

A.8 Technological Controls (34 Controls)

In the context of ISO 27001 password management controls, most of the existing controls in the former Access Controls domain (A.9) will be dispersed among the four new domains. However, some existing controls will be merged into new controls – for example, the content of A.9.2.4, A.9.3.1, and A.9.4.3 will be merged into a new control A.5.17 “Authentication Information”.

Other new controls that may apply to password management (depending on whether an organization saves data in the cloud or uses activity monitoring software) include A.5.23 “Info Security for Use of Cloud Services”, A.8.12 “Data Leakage Prevention”, and A.8.16 “Monitoring Activities”. A.8.32 “Change Management” may also be relevant to some organizations.

Be Sure to Adjust Your Password Management Controls as Necessary

When the new ISO 27001:2022 is published, certified organizations will have three years to make any necessary changes to their information security management system in order to maintain their certification. Non-certified organizations that have implemented selected controls can continue using the existing controls as best practices or adjust them as necessary.

Undoubtedly vendors of password managers will release information about how organizations can comply with the changes to the ISO 27001 password management controls; and, if your organization has already deployed a password manager, be sure to sign up to their newsletter, follow them on social media, or subscribe to their blog to keep up to date with the latest recommendations.

The post Minor Changes to ISO 27001 Password Management Controls Expected in Updated Standard appeared first on HIPAA Journal.

Bitwarden’s $100 Million Investment will Accelerate Addition of Passwordless Authentication and Developers Secrets

The open source password manager provider, Bitwarden, has raised $100 million in funding which will be used to provide greater support for its user community and accelerate product development to help the firm achieve its long-term goals more rapidly. This is the first funding round to be publicly disclosed by the company. The funding round was led by the private equity firm PSG, with previous Bitwarden investor, Battery Ventures, also participating.

Bitwarden has developed a popular password manager that is used by tens of thousands of businesses worldwide and millions of users, with the platform offering a wide range of functions to meet the needs of businesses and consumers. The platform is available in more than 50 languages, with around half of the company’s business coming from outside North America. The company is planning to use some of the funding to accelerate growth in the Asian and European markets, as well as South America and Australia, which are currently served through channel partners in those regions.

Bitwarden’s goal is to empower individuals by providing the knowledge and tools to help them keep themselves and their companies secure and prevent the growing number of data breaches that occur due to the use of weak or reused passwords. The platform allows users to easily set a complex, unique password for all accounts, and also has the capability to set unique usernames for each account.

The password management market is extremely competitive with many password management solutions available to help businesses and consumers improve password security. Bitwarden is planning to use a sizeable chunk of the investment to accelerate product development to better meet the needs of businesses. In addition to helping its clients protect their current SaaS systems, Bitwarden is planning on developing a new ‘developer secrets’ offering, to help companies with the application development process to store the many passwords and secrets used for their application infrastructure. There are currently limited password manager solutions that have this capability. For example, the current market-leading password management solution, LastPass, does not have those capabilities.

Bitwarden’s Chief Customer Officer, Gary Orenstein, said the open source nature of Bitwarden, the ability to self-host the solution, and the willingness of the company to provide a full-featured version of the platform to individuals set the solution apart from the competition. Bitwarden is also planning to use some of the investment funds to incorporate passwordless authentication into the solutions, such as biometrics, FIDO security keys, and passkeys, and improve integrations with single-sign-on systems. Orenstein said its customers have reported that privileged access management (PAM) technology doesn’t currently meet their needs. Orenstein said the company is planning to right-size current PAM tools by working first with individuals, and will then work with its business customers to solve their PAM needs.

“By taking a differentiated approach to password management — one that serves individuals and business, one that stands by open-source, one that makes a fully featured free version available to the world — I believe Bitwarden has leapt ahead in the market,” said Bitwarden CEO Michael Crandell. “The rapidly expanding Bitwarden customer base, including small and large companies alike, combined with a highly engaged community, in our view, continues to set Bitwarden apart from other solutions.”

The post Bitwarden’s $100 Million Investment will Accelerate Addition of Passwordless Authentication and Developers Secrets appeared first on HIPAA Journal.

Source Code Stolen in LastPass Data Breach

A cyberattack and data breach have been reported by LastPass, the provider of the world’s most popular password management solution. According to LastPass, there are around 30 million users of its password manager solution globally, including 85,000 business customers. Notifications have been sent to customers to inform them about the cyberattack and provide reassurances that, while some company data was stolen in the attack, users’ password vaults were not affected and the cyberattack did not cause any disruption to its products or services.

According to the notice, two weeks ago, LastPass discovered that an unauthorized individual had gained access to the account of one of its developers, which gave the attacker access to the LastPass development environment. LastPass said steps were immediately taken to contain the attack and prevent further unauthorized access, with the forensic investigation confirming the attackers stole portions of its source code and “some proprietary LastPass technical information.”

As is the case with many other password management solutions, LastPass operates under the zero-knowledge model, which means it does not have access to the encrypted password vaults of any of its users. Only individual customers are able to access their password vaults, by providing the master password and passing multi-factor authentication checks (if MFA has been enabled). LastPass CEO Karim Toubba said, “We have seen no evidence that this incident involved any access to customer data or encrypted password vaults.” There is therefore no need, according to LastPass, for users to change their master passwords.

LastPass said it is currently evaluating further mitigation techniques and will be taking steps to strengthen the security of its environment. This is not the first cyberattack to be experienced by LastPass. In 2015, the company experienced an attack in which hackers were able to obtain the usernames of certain customers, along with their hashed master passwords. A password reset was then enforced as a precaution, although since only hashed passwords were stolen, there was only a risk for users who had set weak master passwords.

LastPass users have also been targeted in a credential stuffing campaign. LastPass warned its customers in late 2021 that it had detected unusual attempted login activity and had identified an uptick in security alerts related to user accounts. The investigation confirmed this was due to credential stuffing attacks, where threat actors use usernames and passwords compromised in third-party data breaches to try to access accounts on other platforms. These attacks can only succeed when a password has been reused across multiple accounts. If a unique master password is set for an account, it will be protected against credential stuffing attacks.
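Both the NortonLifeLock and LastPass incidents were spotted as an unusual volume of failed logins. The following is an added example, not code from either company, showing how a defender can tell a credential stuffing pattern (one source cycling through many usernames, roughly one try each) from a plain brute-force pattern (many tries on one username) over constructed login records, and which accounts then need a forced password reset. The log format, thresholds and sample lines are all assumptions.

```python
from collections import defaultdict

# Constructed sample lines; the "<timestamp> <src_ip> <user> <OK|FAIL>" format is an assumption.
SAMPLE_LOG = """\
2022-12-01T00:00:01 203.0.113.10 alice@example.com FAIL
2022-12-01T00:00:02 203.0.113.10 bob@example.com FAIL
2022-12-01T00:00:03 203.0.113.10 carol@example.com FAIL
2022-12-01T00:00:04 203.0.113.10 dave@example.com OK
2022-12-01T00:00:05 203.0.113.10 erin@example.com FAIL
2022-12-01T00:00:06 198.51.100.7 alice@example.com FAIL
2022-12-01T00:00:07 198.51.100.7 alice@example.com FAIL
2022-12-01T00:00:08 198.51.100.7 alice@example.com FAIL
2022-12-01T00:00:09 198.51.100.7 alice@example.com FAIL
2022-12-01T00:00:10 198.51.100.7 alice@example.com FAIL
2022-12-01T00:00:11 192.0.2.55 grace@example.com OK
"""

def parse(log_text):
    """Yield (src_ip, user, success) per well-formed line; others are skipped."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            yield parts[1], parts[2], parts[3] == "OK"

def classify_sources(log_text, min_attempts=5, user_ratio=0.8):
    """Label each source IP 'stuffing', 'brute_force' or 'normal'.
    Stuffing: many distinct usernames tried about once each, mostly failing
    (leaked username/password pairs being replayed). Brute force: many
    attempts piled onto one or two usernames."""
    attempts, users, failures = defaultdict(int), defaultdict(set), defaultdict(int)
    for ip, user, ok in parse(log_text):
        attempts[ip] += 1
        users[ip].add(user)
        failures[ip] += 0 if ok else 1
    verdict = {}
    for ip, n in attempts.items():
        if n < min_attempts:
            verdict[ip] = "normal"
        elif len(users[ip]) / n >= user_ratio and failures[ip] / n >= 0.5:
            verdict[ip] = "stuffing"
        elif len(users[ip]) <= 2:
            verdict[ip] = "brute_force"
        else:
            verdict[ip] = "normal"
    return verdict

def accounts_to_reset(log_text):
    """Users who logged in successfully from a stuffing source: their reused
    password has been validated, so force a reset (as NortonLifeLock did)."""
    flagged = {ip for ip, v in classify_sources(log_text).items() if v == "stuffing"}
    return {user for ip, user, ok in parse(log_text) if ok and ip in flagged}
```

Only the accounts that actually succeeded from a flagged source carry the immediate risk; users with a unique password simply show up as one more failure in the source's run.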

Successful cyberattacks on password managers are relatively uncommon, and while such an attack could potentially give a threat actor access to a user’s password vault, password managers are still recommended and can greatly improve password security. All users of password managers should ensure they choose a long, complex, and unique password or passphrase for their password manager account and should set up multi-factor authentication. For even greater security, consider using the secure username generator of a password manager, if that feature is offered.

The post Source Code Stolen in LastPass Data Breach appeared first on HIPAA Journal.