The Sky Is Not Falling: Relative Risk and Security Vulnerabilities

By Matt Bennett

If you follow news articles about information security, you will notice that there is, almost literally, something new every day — login information being stolen, exploits and vulnerabilities discovered, and so on.

Worse still, many of these articles report vulnerabilities in the very security systems that I and others recommend you use to protect yourself. What could be more discouraging than being told that all the work you did (following my advice, of course) to improve your information security posture was useless? Hang on, though: there is a lot more to it than that.

So, online reporting (both news agencies and blogs) is good at quickly covering these kinds of breaches and at talking about how many people could possibly be affected. More technically oriented sites will also dive into the details of how vulnerabilities work, hopefully waiting until a patch has been released (often a matter of hours) before describing any of the steps involved. However, no one does a very good job of explaining the relative risk to you, a normal user: how likely it is that this has affected, or will actually affect, your security. This is understandable, as stories about how a vulnerability requires an obscure set of conditions and is not that big a deal probably don’t get a ton of clicks. So let’s look at an example and then talk about risk and how much these things may weaken the security measures you have taken.

To illustrate, we will briefly discuss one widely discussed vulnerability: the LastPass vulnerability discovered back in the spring, which did its best to break the internet with media attention. The LastPass exploit was completely technical in nature, having to do with a few particular lines of code within the browser extension. Taken at face value this vulnerability is completely frustrating (this is supposed to be the way to make myself safer) and sadly may lead some people to believe that taking security measures is a futile exercise. On closer inspection, however, that’s not really the case. OK, here we go:

The LastPass vulnerability was discovered on March 25 by Tavis Ormandy from Google’s Project Zero, whom you might remember for his discovery of the Cloudbleed bug just a month prior, which I wrote about at the time. The vulnerability was specific to the Chrome and Firefox browser extensions. If the exploit was successful, it would in essence trick the extension into thinking it was communicating with Lastpass.com and reveal stored user data. Now, I get why that was scary, doubly so because LastPass is the place that all of this stuff is supposed to be safe. But let’s walk through all the conditions that had to exist in order for the vulnerability to actually be exploitable:

· You have to be using the LastPass browser extension (admittedly this is a lot of people).

· You have to either go to a malicious website or click on a malicious ad designed for the purpose of this exploit, probably lured there through some form of phishing attack via email.

· A cybercriminal sophisticated enough to engineer this attack (there is no evidence it was ever actually used in the wild) would have to suspect you were a LastPass user in order to target you with the phishing email in the first place.

Maybe feeling at least a little better? Let me circle back on one of the last points — this vulnerability was never actually used on anyone as far as LastPass can tell, and no one has claimed to be a victim of it. The first person to figure out it was possible is literally one of the best bug hunters in the world, so clearly it is not something simple. Further, even if someone had figured it out, you still would have had to click on a phishing link or an undetected malicious ad set up to utilize it. In addition, if you had two-factor enabled on a website, even if someone had stolen a password, it would have been useless for him or her.

Security people love these things, by the way: they have long, drawn-out discussions about how nothing is ever safe but it would still never happen to them because they have implemented obscure and terrible-to-use Option X, showing their superiority to the common folk. Admittedly, if you are a known information security professional then you have something of a target on your back, but still. You are way, way safer using LastPass (or any other password manager) than using duplicated, easy-to-guess passwords on your own. Despite this vulnerability and others like it getting a ton of media coverage, it is a needle in a haystack that took a professional bug hunter to find. In terms of risk to the average user, this is tiny.

This is a thing that is worth saying again: a lot of these highly technical weaknesses are discovered by bug hunters, people who make their living (or part of it) from trying to find security weaknesses in software, for which they get paid by the software company (a bug bounty). For serious exploits in very widely used software, the bounties can run into the tens of thousands of dollars, so the incentive is strong, and this is a good thing: these are people doing a service by finding potential vulnerabilities so they can be fixed before someone uses them in an attack. But all too often those discoveries get covered as if they were impending or ongoing attacks. In reality, with most bugs the only person who knows how to exploit them is the one who discovered them, and the way a bug bounty works, he or she cannot disclose anything about how it was done until after the software has been patched against it.

So here’s the takeaway: while these things do represent some fractional measure of security risk, for the vast majority of people the same best practices (strong passwords, two-factor, phishing awareness, etc.) are still the best defense. Instead of worrying about these things and their scary headlines, just keep doing the smart, secure things you already are, and only pay attention when there has been an actual breach, like the recent Equifax disaster; those are events worth acting on. A lot of the rest you can safely ignore and be fine.
