[langsec-discuss] lastpass hax - I think this is langsec

Falcon Darkstar Momot falcon at iridiumlinux.org
Wed Jul 27 21:35:17 UTC 2016


The usual framework is to use quantitative risk analysis and calculate 
exposure factor (the amount that will be lost in an attack, up to the 
value of the asset) separately from the (annualized) rate of 
occurrence.  It would be interesting to see someone actually document 
the relationship between target value and rate of occurrence, but most 
of the material about quantitative risk analysis in the context of 
information assurance has been complete handwaving, or else too 
complicated for anyone to actually use in practice.  Existing 
frameworks look a little like doi:10.1016/j.cose.2010.02.002 
<http://dx.doi.org/10.1016/j.cose.2010.02.002>: a lengthy list of 
essentially unknowable contingent probabilities based on incomplete 
information.

Thinking about QRA I'd have to say that the desirability of a target for 
an attacker must factor into the periodic rate of occurrence, but I 
don't actually know anyone who is doing that as an established, 
documented practice (alas).  I think this remains an unsolved problem.  
How would you quantify the valence of lulz? Attackers aren't uniform in 
their goals either, and external events can affect valence.  Lastpass is 
interesting because it seems to be useful to basically any attacker, but 
this is true of surprisingly few targets.  Maybe that is a good place to 
start?

In a QRA framework, competent coding serves mainly to reduce the rate of 
occurrence of attacks.

--Falcon

On 2016-07-27 12:41, David Fetter wrote:
> On Wed, Jul 27, 2016 at 09:57:14AM -0700, travis+ml-langsec at subspacefield.org wrote:
>> https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/
>>
>> Something about FSRs and parsing.
> This brings up something that isn't actually in the realm of langsec,
> but since it came up here, I'll set out a few thoughts here.
>
> Even given supremely competent coding, which is not in evidence in
> lastpass, does the act of creating a target with that high a value
> /ipso facto/ make it more likely to be attacked successfully?  There's
> some game theory and non-equilibrium economics here that I'm really
> not competent to address.
>
> Are there any formal ways to address such questions?  Obviously,
> they're not strictly langsec, but since I'm such a n00b at matters
> security, I just don't know even what keywords to start my search
> with.
>
> Help!
>
> Best,
> David.
