Some lastpass ips

Hello, MegaZone is back this week as our rotation continues. I hope everyone had a good holiday season. Let's hope that 2023 is a good year.

A couple of things I want to plug, in case you weren't aware. All of the This Week in Security articles are tagged, so you can easily find all of them. Actually, there are two tags - TWIS and series-F5SIRT-this-week-in-security. Same results, but TWIS is easier to remember.

Additionally, all of the content created by the F5 SIRT is also tagged with, wait for it, F5 SIRT. That's not only TWIS, but several other articles you may find valuable.

Using iControl REST API to manage F5 BIG-IP Advanced Firewall Manager (AFM) by Tikka Nagi.
Avoiding Common iRules Security Pitfalls by Jordan Zebor.
Mitigating JSON-based SQL injection with BIG-IP ASM / Advanced WAF Attack Signatures by Arvin Fopalan.

Stay tuned for more content from the F5 SIRT, we have a lot in the pipeline.

~ LastPass, oh, I gave you my creds / But the very next day you gave them away / This year, to save me from breach / I'll give them to someone diff'rent ~

So, what lit the infosec world on fire last week? I know my feeds were full of one thing - LastPass. Sure, technically the news broke just before xmas, but I think the holidays delayed some of the reaction into the new year.

The timing was itself the subject of a lot of negative reaction, as some feel like it was deliberately withheld until the Thursday just before xmas in an attempt to bury the news. I'm not sure I agree with that, but it certainly wasn't great that the full extent of the issue, with customer password records being downloaded, was only revealed months after the initial disclosure.

The initial disclosure on August 25th, and the first update on September 15th, stressed that the breach was only to the development environment. The next update on November 30th (previously on TWIS) was the first indication that the scope may be larger. But it wasn't until December 23rd that the full scope, including the loss of customer data, was disclosed. Presuming we do indeed now have the full scope, of course.

The infosec fediverse was pretty much non-stop chatter about this, as well as the press, etc. There was some lively discussion about this internally at F5 as well. A lot of people use, or should I say used, LastPass. LastPass has had issues in the past, but then so have most vendors. This time though it was a combination of the extent of the breach and how they handled it that has collapsed the trust for many - myself included. I used to include LastPass at the top of my list of recommended credential managers as it was something most users could readily use, was cross-platform, integrated with browsers well, etc. And their past issues seemed to be handled well enough.

I know a lot of security geeks are ready to recommend super-secure systems that you host yourself, don't include syncing, etc. Because I saw plenty of that in the past week. Which is fine if you're that type of user. But for most they need something easy to use and understand - or they won't use it.