data theft
LastPass: The Cloud is Public and Ephemeral
More or less, anytime I’m prompted, I’ll take the opportunity to say “The cloud, like its namesake, is public and ephemeral.” In his article, “A Breach at LastPass Has Password Lessons for Us All,” Brian X. Chen comes about as close as a mainstream press reports can without poking the apple-cart of corporate golden eggs over the wall in revealing how stupid it is for anyone to put any critical data on anyone else’s hardware.
The article covers a breach at LastPass, a password management service which invites users to store their password’s on LastPass’s computers somewhere in exchange for letting LastPass keep track of every website you visit that requires a password. For reasons that are a little hard to understand, rather a lot of people thought this was an acceptable idea and entrusted their passwords to what are likely important web services to some random company and their random employees that nobody using the service has ever met or ever will without any warranty or guarantee or legal recourse at all when the inevitable happens and there’s a data breach.
I suppose they believe that because the site appears to offer a service that looks like an analog of a safety deposit box, that there’d be some meaningful security guarantee just as users of gmail seem to assume that if you use gmail your email will be in some way “secure” and “private,” despite what the CEO of google tells you.
Obviously, LastPass was hacked and, obviously, every users’s secure account list (including their OnlyFans and Grindr accounts) and password database was exposed. This is guaranteed to happen eventually at every juicy target on the internet. It’s just probability: an internet service is exposed to everyone on the planet with a network connection (5,569,029,076 people as of today), and every target is attacked constantly (my own Fail2Ban has blocked 2,899,324 malicious packets) and even if they’re Google, they’re not smarter than the 5B+ people who can take a shot at them any time.
The most hilarious part of this is how idiotically fragile companies make themselves by chaining various “cloud services” into their service provision: LastPass was using a Cloud-Based Backup service that was hacked. People.. people.. that level of stupidity is unforgivable, but sadly not remotely criminal (though it should be). The risk of failure in a chained service increases exponentially with the length of the chain. Every dependency is a humiliation. This goes for developers too.
This breach means at least the attackers know every pr0n website millions of users have accounts on (as well as banks etc.) It isn’t clear how easily the passwords themselves will be exposed and LastPass’s technical description suggests a fairly robust encryption process which should be comforting if your master password is a completely randomly generated string of at least 12 characters you’ve managed to memorize, like n56PQZAeXSN6GBWB. If your password is some combination of dictionary words because you assumed, say, the master password was stored securely and you were only risking the password generator’s random passwords on sites (actually, not a bad strategy if you don’t then screw up security by using a commercial cloud-based password keeper that exposes your master password to global attack, but whatever), well if you did that check have i been pwned regularly for the next year and change every password you have.
The big lesson here is if you put your or your company’s data on someone else’s hardware, it isn’t your data any more it is theirs and you should assume that data is, or will soon be, public. So do not ever put critical data of any sort on anyone else’s hardware ever. It’s just stupid. Don’ t do it.
If you insist on doing so because, say, you’re not an IT person but you’d still like email or you’re a small company who can’t afford to hire an IT person, or who’s CIO has cut some side deals to “cut costs” by firing the IT staff and gifting the IT budget to his buddies running some crappy servers somewhere (and for some reason you haven’t fired that CIO yet), I’d suggest you have your lawyers carefully review recourse in the event of incompetence or malice. My personal starting point is to ask questions like the ones in this post and make sure the answers give comfort that the provider’s liability matches your risk.
What we need is a legal framework that makes every bit of user data a toxic asset. If a computer under your care has other people’s confidential data on it and that data is exposed to any parties not specifically and explicitly authorized by the person to whom the data is pertinent, you should be subject to a penalty sufficient to not just make a person who is harmed by the breach whole, but sufficient to dissuade anyone from ever taking a risk that could result in such an exposure again.
Companies who have business models that involve collecting and storing data about individuals should be required to hold liability insurance sufficient to cover all damages plus any punitive awards that might arise from mishandling or other liability. It is reasonable to expect that such obligations would make cloud services other than fully open/exposed ones with no personal data absurdly unprofitable and end them entirely; and this would be the optimal outcome.
Never put important data on anyone else’s hardware. Ever.
In early January, 2021, two internet services provided unintentional and unequivocal demonstrations of the intrinsic trade-offs between running one’s own hardware and trusting “The Cloud.” Parler and Gab, two “social network” services competing for the white supremacist demographic both came under fire in the wake of a violent insurrection against the US government when the plotters used their platforms (among other less explicitly extremist-friendly services) to organize the attack.
Parler had elected to take the expeditious route of deploying their service on AWS and discovered just how literally the cloud is metaphorically like atmospheric clouds—public and ephemeral—when first their entire data set was extracted and then their services were unilaterally terminated by AWS knocking them completely offline (except, of course, for the exfiltrated data, which is still online and being combed by law enforcement for evidence of sedition.)
Gab owns their own servers and while they had trouble with their domain registrar, such problems are relatively easy to resolve: Gab remains online. Gab did face the challenge of rapid scaling as the entire right-wing extremist market searched for a safe haven away from the fragile Parler and from the timid and begrudging regulation of hate speech and calls for immediate violence by mainstream social networks in the fallout over their contributions to the insurrection and other acts of right-wing terrorism.
In general customers who engage cloud service providers rather than self-hosting do so to speed deployment, take advantage of easy scalability (up or down), and offload management of common denominator infrastructure to a large-scale provider, all superficially compelling arguments. However convenient this may seem, it is rarely a good decision and fails to rationally consider some of the intrinsic shortcomings, as Parler discovered in rather dramatic fashion, including loss of legal ownership of the data on those services, complete abdication of control of that data and service, and an intrinsic and inescapable misalignment of business interests between supplier and customer.
Anyone considering engaging a cloud service provider for a service that results in proprietary data being stored on third party hardware or on the provision of a business critical service by a third party should ensure contractual obligations with well defined penalties explicitly match the implicit expectations of privacy, stewardship, suitability of service, and continuity and that failures are actionable sufficient to make whole the client in the event of material breach.
Below is a list of questions I would have for any cloud provider of any critical service. In general, if a provider is willing to even consider answering the results will be shockingly unsatisfactory. Every company that uses a cloud service, whether it is hosting on AWS or email provisioning by Google or Microsoft is a Parler waiting to happen: all of your data exposed and then your business terminated. Cloud services are acceptable only for insecure data and for services that are a convenience, not a core requirement.
Like clouds in the sky, The Cloud is public and ephemeral.
A: A first consideration is data protection and privacy:
What liability does The Company, and employees of The Company individually, have should they sell or lose control of The Customer’s data? What compensation will The Customer receive if control of The Customer’s data is lost? Please clarify The Company’s criminal and civil liabilities and contractual obligations under the following scenarios:
1) A third party exfiltrates The Customer’s data entrusted to The Company’s care in an unauthorized manner.
2) An employee of The Company willfully misuses The Customer’s data entrusted to The Company in any way.
3) The Company disposes of equipment in a manner which makes The Customer’s data entrusted to The Company accessible to third parties.
4) The company receives a National Security Letter (NSL) requesting information pertaining to The Customer or to others who have data about The Customer on The Company’s service.
5) The company receives a warrant requesting information pertaining to The Customer or to others who have data regarding The Customer on The Company’s service.
6) The company receives a subpoena requesting information pertaining to The Customer or to others who have data regarding The Customer on The Company’s service that is opened or has been in stored on their hardware for more than 180 days.
7) The company receives a civil discovery request for information pertaining to The Customer or to others who have data regarding The Customer on The Company’s service.
8) The company sells or provides access to The Customer’s data or meta information about The Customer or The Customer’s use of The Company’s system to a third party.
9) The Company changes their terms of service at some future date in a way that is inconsistent with the terms agreed to at the time of The Customer’s engagement of the services of The Company.
10) The Company fails to inform The Customer of a breach of control of The Customer’s data.
11) The Company fails to inform The Customer in a timely manner of a change in policy regarding third party access to The Customer’s data.
12) The Company erroneously exposes The Customer’s data to third party access due to negligence or incompetence.
B: A second consideration is a serial dependency on the reliability of The Company’s service to The Customer’s activity:
By relying on The Company’s service, The Customer typically will rely on the performance and availability of The Company’s products. If The Company product fails or fails to provide service as expected, The Customer may incur losses, including direct financial losses, loss of reputation, loss of convenience, or other harms. What warranty does The Company make in the performance of their services? What recourse does The Customer have for recovery of losses should The Company fail to perform?
Please provide details on what compensation The Company will provide in the following scenarios:
1) The Company can no longer perform the agreed and expected services due to reasons beyond The Company’s control.
2) The Company’s service fails to meet expectations in way that causes a material loss to The Customer.
3) The Company suffers an extended outage or compromise of service that exceeds a reasonable or agreed maximum accepted duration.
C: A third consideration is the alignment of interests between The Customer and The Company which may not be complete and may diverge in the future:
Engagement of the services of The Company requires an investment of time and resources on the part of The Customer in excess of any fees The Company may charge to adopt The Company’s products and services. What compensation will be provided should The Company’s products fail to meet performance and utility expectations? What compensation will be provided should expenditure of resources be required to compensate for The Company’s failure to meet service expectations?
Please provide details on what compensation The Company will provide in the following scenarios:
1) The Company elects to no longer perform the agreed and expected services due to business decisions made by The Company.
2) Ownership or control of The Company changes to an entity that is not aligned with the values of The Customer and which The Customer can not support, directly or indirectly.
3) Control of The Company passes to a third party e.g. through an acquisition or change of control of the board and which results in use of The Customer’s data in a way that is unacceptable to The Customer.
4) The Company or employees of The Company are found to have engaged in behavior, speech, or conduct which is unacceptable to The Customer.
5) The Company’s products or services are found to be unacceptable to The Customer for any reason not limited to security flaws, missing features, access failures, lack of performance, etc and The Company is not able to or is unwilling to meet The Customer’s requirements in a timely manner.
If your company depends on third party provisioning of IT services, you’re just one viral tweet¹ away from being out of business. Build an IT department that knows how to use a command line and run your critical services on your own hardware.
1) “Toot” now. Any company that relied on Twitter should review this post, but given the rumors around unpaid hosting bills, the chances of recovering any losses from Twitter are dim. At least those businesses that built models around Reddit APIs share your pain.
Turn off windows update now!
If you haven’t already, turn off Windows update now. Microsoft has recently started installing Windows 10 spyware without consent. A good friend of mine had a bunch of systems at the company where he runs IT hacked by Microsoft over the weekend, which broke the certificate store for WPA-2 and thus their wifi connections.
To be clear, Windows 10 is spyware. Microsoft has changed their business model from selling a product to selling data – your data – to whoever they want. Windows 10 comes with a EULA that gives them the right to steal everything on your computer – your email, your private pictures, your home movies, your love letters, your medical records, your financial records – anything they want without telling you. “If you’re not paying for the product, you are the product.”
If this happens to you, I suggest contacting your state attorney general and filing a complaint against Microsoft. Hopefully a crushing class action suit or perhaps jail time for the executives that dreamed up this massive heist will help deter future corporate data thieves, though that’s certainly irrational optimism.
I wish I could recommend switching to Linux for everyone, but there’s a lot of software that still depends on Windows and a lot of users that will have a hard time migrating (developers: please stop developing for Microsoft). Apple seems unequivocally better in refusing to act as key player in bringing about Total Information Awareness. I’m not a huge fan of their walled garden and computers as overpriced fashion accessories approach, but it is far better than outright theft. For those that are slightly computer savvy, there’s Linux Mint, which is quite usable and genuinely free.
These instructions might help prevent that disaster of an update being visited upon you (and possibly law enforcement visits to come after Microsoft starts sifting through all your datas and forwarding on whatever they find). The latest reports suggest they aren’t enough, but it is the best I have found other than isolating your windows box from the internet completely.
Microsoft Spyware Now Being Installed On Win 7
If you’re the sort of person who isn’t entirely happy about the idea of Microsoft claiming the right to copy your personal files, photos, emails, chat logs, diary entries, medical records, etc over to their own servers to sell to whoever they want for whatever they can get for your personal data – into markets that already exist for insurance companies to deny you insurance based on algorithmic analysis of your habits or your friends habits or for financial institutions to set your interest rates based on similar criterion, or perhaps even for law enforcement to investigate you without a warrant, then OBVIOUSLY you would never, ever install Windows 10 under any circumstances.
Well, Microsoft seems to have fully jumped on the Google/Facebook gravy train and is now completely invested in stealing your data and selling it to the highest bidder (Apple has been exfiltrating your data for a long time, but so far for internal use). I’ve become more suspect of Microsoft’s updates since they made the Windows 10 advertisement an important (not optional) update (important for what? their bottom line, obviously). Turns out that the latest updates to Windows 7 are pushing Microsoft’s new business model of stealing your data for profit to Windows 7 and 8.
Staying safe is going to require ever more vigilance. It may be possible to block windows components from reaching out to microsoft’s servers at the personal firewall level and certainly it can be done at the corporate firewall level (and should be), but blocking Microsoft is a somewhat complex issue. You can’t run Windows safely without installing security patches because the underlying OS is so completely insecure that new, critical, exploitable flaws are discovered every single week. If you don’t constantly patch these security failures, you will be hacked by people other than microsoft. If you install the wrong microsoft patch, you will be hacked by microsoft. Debian anyone? Also, software developers developing enterprise software, please, please, please stop developing for that horrible, insecure, performance hobbling abomination of a tarted-up single-user OS “Server” and focus on a secure, stable server OS like FreeBSD. Please. I hate, hate having to fork over $1k to microsoft for each box to run their horrible OS just so I can run your software. Why do you support that extortion? Do you despise your customers that much? Stop.
If you care about corporate governance and data security or HIPAA compliance, you are probably violating some critical requirements by installing windows 10 or these new updates to your existing Win7/8 base if you do not block data exfiltration to Microsoft’s servers. This is spyware. These updates are stealing your data and sending it to Microsoft. If your business is subject to data privacy laws, these updates put you in violation of those laws. Microsoft is doing something that is extremely significant and extremely evil and completely wrong. Take action or you may very well be facing personal or corporate consequences. srsly.
I am a strong believer in data privacy and extremely suspect of what I consider highly disingenuous business practices like Google’s but I recognize that there are reasonable people out there who think Google isn’t evil. However, this windows 10 issue, now being pushed to windows 7, goes well beyond Google taking advantage of people’s historical assumptions about the security of email to offer them a free look-alike honey trap to gather their data. Windows 10 and these Win 7 updates are intrusive, not merely misleading. Do not update. Srsly. Do not update. Block the spyware “hotfixes.”
- Russia considers banning windows 10
- Bit torrent trackers ban Windows 10 users
- Windows 10 steals so much data it breaks your data plan and costs you money
- Windows 10 is spyware, plain and simple, including a keylogger.
Stop Gap Fixes
In researching these updates, I came across this article on techworm that has a nice summary of the Malware updates Microsoft is pushing out (with some additional amendments I found):
- KB2952664 (this one reappears no matter how often you unselect it or hide it – so memorize it as evil)
- KB2976978
- KB2977759
- KB2990214
- KB3021917
- KB3022345
- KB3035583
- KB3044374
- KB3068708
- KB3075249
- KB3080149
- KB3112343
- KB3123662
- KB3123862 (new)
- KB3173040 NEW – “final” full screen nag advertisement for Win10 malware
With a whiff of irony, this google search “telemetry site:https://support.microsoft.com/en-us/kb” shows these patches and many more…
Do not automatically install Microsoft updates. You must turn that feature off or you will keep getting additional spyware installed. Go to windows update and verify your settings. I have mine set so windows downloads the updates (so the updates are waiting locally), but I don’t let windows install them automatically. That gives me a chance to review the updates and look for spyware.
When you get updates, you now have to check each one of them to find out if it is spyware or not. The list above is current as far as I know, but clicking on the “more information” link to the right of the updates list will get you microsoft’s marketing speak obfuscation of the true purpose. Any update that “adds telemetry points” or something like that is spyware. Uncheck the install and hide the update. Note that some of these were moved from “optional” to “important.” Microsoft is absolutely intent on stealing your data and is taking some pretty underhanded steps to make it difficult for you to avoid it.
If updates get past you or it turns out later that a seemingly important or innocuous update was spyware (the fun part is that you now have to be vigilant and look all this stuff up), then you can uninstall them from the “installed updates” control panel.
Work to be done
I’ll start looking into firewall settings to block communication to microsoft’s servers. This is a standard anti-malware technique and should work here, except that microsoft has so many servers it is more challenging to block them than your typical malware botnet.
We need something like a variant of Peer Guardian to block microsoft’s servers using the standard P2P crowd-sourcing model to keep the list up to date. I’m not aware of anything like this yet, but I’m looking. Microsoft has become more of an enemy to privacy than the RIAA ever was.
UPDATE: this superuser answer includes a list of telemetry endpoints to block at your firewall or router. Alternatively you can edit your hosts file and add these entries from DSL reports.
Larger Significance
This shift in business focus by Microsoft from providing a product people are willing to pay for to stealing data from people to sell on the commercial market has some significant lessons for the entire software model.
It isn’t just that Microsoft is now adopting Google’s business model of giving away “free” goodies as traps to collect product (you) to sell to the highest bidder, but that the model of corporate trust that underpins most of the security assumptions the internet is built on is manifestly false and unsustainable. If any hacker tried to create these spyware updates, locked-down computers that only install signed code would refuse to install them. Ignoring for the moment that the signed code model is idiotically flawed as signing keys are stolen all the time, this microsoft spyware is properly signed with legitimate keys. It will be installed on locked down computers without complaint and will not show up in commercial anti-virus software. But it is spyware. It contains keyloggers and extremely productive data exfiltration code that is currently copying wholesale data dumps from unfortunate victims to Microsoft’s servers in such volume that their data caps are being hit.
If a non-commercial third party (e.g. “hacker”) did this, they’d be prosecuted. It makes no difference to you that your data is being stolen by Microsoft rather than by some clever teenager in a former eastern block country: your data is being stolen. But the model that has been promoted, a model of centralized corporate trust to validate the “security” of your system has been utterly and irrevocably shattered. This isn’t an accident, isn’t something that better data management might have prevented, this is an intentional ex post facto rewrite of the usual, customary, and regular assumptions we have about the privacy of our computer systems and one that significantly impacts the security of almost everyone in the world: military, medical, legal, fiduciary, as well as personal.
And even if you trust Microsoft (for whatever bizarre, irrational reason), Microsoft is creating a whole series of security holes in their already crappy and insecure operating system that will be exploited by third parties. By adding keyloggers and data exfiltration tools to the core OS, they’re making it even easier for non-corporate hackers to jump on the data theft gravy train. Everyone profits but you. You lose.