038f02fc23

bitcoin

Multiple Linux Backdoors Discovered Targeting Bitcoin Core Developer -LukeDashJr

The problem with Full Disk Encryption (FDE) on remote managed servers is that FDE significantly lengthens server outages. 
Every scheduled outage by the facility now requires your input to bring up your server.

This is especially problematic if your hosting facility does not provide remote admin tools like Dell iDRAC or HP iLO.

So effectively for every scheduled and non-scheduled outage your server experiences you would need to drive over to the remote facility to input your FHD password. That is an annoyance most would rather live without.

tl;dr FDE is great for mobile devices and VMs in public cloud, but a pita for physical servers in remote colo.
Remember: There is no perfect security. There are only tradeoffs.

You may have read or received an email regarding the Lastpass breach and that a bit more data was taken than initially expected.

Lastpass claims that the breach was in their integration platform and not production. With about 1,500 organizations that rely on Lastpass API integration, this is a massive breach with a much wider blast radius.

Lastpass claim while your master password is safe, URLs linked to the API integration may have leaked including metadata such as end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service. 

https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

Being one of the top 4 password managers i would expect quite a few Bitcoiners use Lastpass to securely generate and store their passwords, to store their intimate notes, and maybe even to store their passphrases and probably even seed words to their crypto wallets.

Here are some Password manager best practices to focus on in the new year:

1. Choose a password manager with known good reputation, preferably an open source password manager.

2. Assume your password vault will be stolen so make sure you protect with a mighty strong and long master password.
On your phone enable the use biometric authentication so that you do not have to type in your mighty strong and long master password each time you need to retrieve a password or create a new password for a website.

3. Get into the habbit of routinely rotating the passwords in your password safe, including the master password.

4. Enable 2FA on your password manager, and enable geolocation if it supports that as well.

5. Remove browser extensions from unknown or dubious sources. An extension with permission to interact with a page is inherently able to access anything from that page, including an auto filled password or Bitcoin addresses. 
Similarly, a malicious extension can modify the contents of form fields and network requests/responses to misuse the authority of the current user login context.

Happy Holidays.