Conrad Longmore

169 Followers
53 Following
28 Posts
Incident response, security researcher, shitposter and occasional political activist.
Phish circulating from hacked nhs.net accounts:
Microsoft 365 Status on Twitter

“We're investigating issues impacting multiple Microsoft 365 services. More info can be found in the admin center under MO502273.”

2022 – things that didn’t quite make the cut
Some of the things we didn't cover this year, from computers to cars and mobiles to munitions. Oh yes, and Hedy Lamarr.
https://www.retromobe.com/2023/01/2022-things-that-didnt-quite-make-cut.html

We covered quite a bit of retro tech this year, but there are a few things we didn’t talk about that are still worth a mention. Let’s start ...

Do you know how many times I've heard over the past few days how much the media is failing to follow the money in this story about the newly elected Rep. George #Santos? This story makes it clear that's exactly what happened.

https://www.theleaderonline.com/single-post/santos-filings-now-claim-net-worth-of-11-million (edit: replaced the paywalled WaPo story about how the MSM missed the big scoop with the big scoop itself).

So let's follow the money, shall we? Starting with Mr. Santos' latest filing for The #Devolder Organization, which is apparently responsible for his sudden unexplained wealth (Devolder is Santos' late mother's last name).

http://search.sunbiz.org/Inquiry/CorporationSearch/ConvertTiffToPDF?storagePath=COR%5C2021%5C0601%5C00184778.Tif&documentNumber=L21000206150

The organization lists its address as 336 N. Babcock St. Ste 104. The document also lists another organization at the same address but at Ste 101, called D&D International Investment Services Inc.

Both are affiliated with an individual named Devaughn #Dames, who appears to be both a physician and a CFO somehow. He's also very passionate about spreading his knowledge about how to handle your money wisely. His LinkedIn page mentions both companies. He also seems to be an IT expert; previous domains include https://web.archive.org/web/20160518071721/http://www.manageditsolutions.net/about.html

One of Mr. Dames' email addresses (dev.dames at gmail) was used to register the vanity domain devaughndames[.]com. Firefox didn't like what that site tried to do when I visited it, but it loaded an empty page that had the heading "Financial Educational Services." But the pop-up takes you to a domain called myuwe[.]net, which is for an entity called United Wealth Education.

Now, UWE is full of stock photos and videos, and there isn't much there about who runs it. And after spending a few minutes on this site, you'll probably come away with the conclusion that the site is tied to some type of scam.

Well, if you look up the name of what myuwe[.]net used to be called -- Financial Educational Services -- you'll see they were shut down JUST THIS YEAR by the US Federal Trade Commission for being a giant pyramid scheme that bilked people out of more than $213 million.

https://www.ftc.gov/news-events/news/press-releases/2022/05/ftc-shuts-down-credit-repair-pyramid-scheme-financial-education-services-which-bilked-more-213

How's that for following the money? :) Wait, I'm not done yet.

#devolder, #devaughndames #financialeducationservices #myuwe #unitedwealtheducation, #FTC #georgesantos

Santos Filings Now Claim Net Worth of $11 Million

By Maureen Daly Controversial US congressional candidate George Santos has finally filed his Personal Financial Disclosure Report on September 6th - 20 months late - and he is claiming an inexplicable rise in his alleged net worth to $11 million. Two years ago, in 2020, Santos' personal financial disclosures claimed that he had no assets over $5,000 - no bank accounts, no stock accounts, no real property. A net worth barely above "zero". And his income was only just over $50,000 for the pr

Chocolate, Cheese, Ice-Cream and Fizzy Drink. Oh my.
Christmas is a time for treats.. how many of these old and not-so-old classics have you consumed this year?
https://www.retromobe.com/2022/12/chocolate-cheese-ice-cream-and-fizzy.html

This year sees the anniversary of several well-known food brands, and a few lesser-known ones. It turns out that some have been around for l...

He talked about electric cars. I don't know anything about cars, so when people said he was a genius I figured he must be a genius.

Then he talked about rockets. I don't know anything about rockets, so when people said he was a genius I figured he must be a genius.

Now he talks about software. I happen to know a lot about software & Elon Musk is saying the stupidest shit I've ever heard anyone say, so when people say he's a genius I figure I should stay the hell away from his cars and rockets.

Many of you have been asking for my thoughts on the #LastPass breach, and I apologize that I'm a couple days late delivering.

Apart from all of the other commentary out there, here's what you need to know from a #password cracker's perspective!

Your vault is encrypted with #AES256 using a key that is derived from your master password, which is hashed using a minimum of 100,100 rounds of PBKDF2-HMAC-SHA256 (can be configured to use more rounds, but most people don't). #PBKDF2 is the minimum acceptable standard in key derivation functions (KDFs); it is compute-hard only and fits entirely within registers, so it is highly amenable to acceleration. However, it is the only #KDF that is FIPS/NIST approved, so it's the best (or only) KDF available to many applications. So while there are LOTS of things wrong with LastPass, key derivation isn't necessarily one of them.

Using #Hashcat with the top-of-the-line RTX 4090, you can crack PBKDF2-HMAC-SHA256 with 100,100 rounds at about 88 KH/s. At this speed an attacker could test ~7.6 billion passwords per day, which may sound like a lot, but it really isn't. By comparison, the same GPU can test Windows NT hashes at a rate of 288.5 GH/s, or ~25 quadrillion passwords per day. So while LastPass's hashing is nearly two orders of magnitude faster than the < 10 KH/s that I recommend, it's still more than 3 million times slower than cracking Windows/Active Directory passwords. In practice, it would take you about 3.25 hours to run through rockyou.txt + best64.rule, and a little under two months to exhaust rockyou.txt + rockyou-30000.rule.

Keep in mind these are the speeds for cracking a single vault; for an attacker to achieve this speed, they would have to single out your vault and dedicate their resources to cracking only your vault. If they're trying 1,000 vaults simultaneously, the speed would drop to just 88 H/s. With 1 million vaults, the speed drops to an abysmal 0.088 H/s, or 11.4 seconds to test just one password. Practically speaking, what this means is the attackers will target four groups of users:

1. users for which they have previously-compromised passwords (password reuse, credential stuffing)
2. users with laughably weak master passwords (think top20k)
3. users they can phish
4. high value targets (celebs, .gov, .mil, fortune 100)

If you are not in this list / you don't get phished, then it is highly unlikely your vault will be targeted. And due to the fairly expensive KDF, even passwords of moderate complexity should be safe.

I've seen several people recommend changing your master password as a mitigation for this breach. While changing your master password will help mitigate future breaches should you continue to use LastPass (you shouldn't), it does literally nothing to mitigate this current breach. The attacker has your vault, which was encrypted using a key derived from your master password. That's done, that's in the past. Changing your password will re-encrypt your vault with the new password, but of course it won't re-encrypt the copy of the vault the attacker has with your new password. That would be impossible unless you somehow had access to the attacker's copy of the vault, which if you do, please let me know?

A proper mitigation would be to migrate to #Bitwarden or #1Password, change the passwords for each of your accounts as you migrate over, and also review the MFA status of each of your accounts as well. The perfect way to spend your holiday vacation! Start the new year fresh with proper password hygiene.

For more password insights like this, give me a follow!
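An added worked example (mine, not the post author's code) of the arithmetic in the LastPass post above: it derives a vault key with PBKDF2-HMAC-SHA256 at 100,100 rounds, runs a small offline guess loop the way a cracker would against a stolen vault, and computes the exhaust times and the per-vault slowdown from the post's 88 KH/s and 288.5 GH/s figures. The wordlist and rule counts (rockyou.txt at 14,344,391 lines, best64 at 77 rules, rockyou-30000 at 30,000 rules), the victim's e-mail used as the PBKDF2 salt, and the hashcat mode-10900 line format are my assumptions, not statements from the post. Only the standard library is used.

```python
import base64
import hashlib

# Figures quoted in the post: LastPass default iteration count and the
# RTX 4090 rates for PBKDF2-HMAC-SHA256 at 100,100 rounds and for NT hashes.
LASTPASS_ITERATIONS = 100_100
RATE_PBKDF2_100100 = 88_000        # candidates per second, one vault
RATE_NTLM = 288.5e9                # candidates per second

# Assumed sizes for the keyspace arithmetic (not from the post): rockyou.txt
# line count and the rule counts of hashcat's best64 and rockyou-30000 files.
ROCKYOU_WORDS = 14_344_391
BEST64_RULES = 77
ROCKYOU30000_RULES = 30_000


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = LASTPASS_ITERATIONS) -> bytes:
    """The key-derivation step the post describes: PBKDF2-HMAC-SHA256 over the
    master password, producing the 32-byte key that encrypts the vault (AES-256)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def hashcat_10900_line(salt: bytes, key: bytes, iterations: int) -> str:
    """Render a derived key in hashcat's mode-10900 (PBKDF2-HMAC-SHA256) input
    format, sha256:<iterations>:<b64 salt>:<b64 key> (format is an assumption)."""
    return "sha256:%d:%s:%s" % (iterations,
                                base64.b64encode(salt).decode(),
                                base64.b64encode(key).decode())


def crack_vault_key(candidates, salt: bytes, target_key: bytes,
                    iterations: int = LASTPASS_ITERATIONS):
    """What an offline attacker does with a stolen vault: re-derive the key for
    each guess and compare. Returns the matching password, or None. Note that
    changing the live master password cannot change target_key: the attacker
    already holds ciphertext made with the old key."""
    for guess in candidates:
        if derive_vault_key(guess, salt, iterations) == target_key:
            return guess
    return None


def candidates_for(wordlist_size: int, rule_count: int) -> int:
    """Guesses produced by a wordlist crossed with a rule file (hashcat -a 0 -r)."""
    return wordlist_size * rule_count


def hours_to_exhaust(candidate_count: int, rate_per_second: float) -> float:
    return candidate_count / rate_per_second / 3600


def per_vault_rate(single_vault_rate: float, vault_count: int) -> float:
    """Every vault has its own salt, so each guess must be re-derived per vault;
    attacking N vaults at once divides the per-vault rate by N."""
    return single_vault_rate / vault_count


def seconds_per_guess(single_vault_rate: float, vault_count: int) -> float:
    return 1.0 / per_vault_rate(single_vault_rate, vault_count)


def ntlm_speedup_over_lastpass() -> float:
    return RATE_NTLM / RATE_PBKDF2_100100


def demo() -> dict:
    # Constructed victim: a weak master password and the account e-mail as salt
    # (salt choice is an assumption; the post does not say what LastPass uses).
    salt = b"victim@example.com"
    target = derive_vault_key("Summer2022!", salt)
    guesses = ["password", "123456", "letmein", "Summer2022!", "qwerty"]
    return {
        "hashcat_line": hashcat_10900_line(salt, target, LASTPASS_ITERATIONS),
        "recovered": crack_vault_key(guesses, salt, target),
        "hours_rockyou_best64": hours_to_exhaust(
            candidates_for(ROCKYOU_WORDS, BEST64_RULES), RATE_PBKDF2_100100),
        "days_rockyou_30000": hours_to_exhaust(
            candidates_for(ROCKYOU_WORDS, ROCKYOU30000_RULES), RATE_PBKDF2_100100) / 24,
        "rate_1000_vaults": per_vault_rate(RATE_PBKDF2_100100, 1_000),
        "seconds_per_guess_1M_vaults": seconds_per_guess(RATE_PBKDF2_100100, 1_000_000),
        "ntlm_speedup": ntlm_speedup_over_lastpass(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the assumed counts, rockyou.txt x best64 lands at roughly three and a half hours and rockyou.txt x rockyou-30000 at about 57 days on one vault, in line with the post's estimates, while splitting the same GPU over a million vaults drops to one guess every 11.4 seconds per vault. Raising the iteration count in the first argument of derive_vault_key scales every one of those times linearly, which is the point of a configurable KDF.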

The Intercept on the abuse of RICO, with a few quotes from me.

https://theintercept.com/2022/12/16/corporate-rico-environmental-advocate/

The Scorched-Earth Legal Strategy Corporations Are Using to Silence Their Critics

Energy and extractive industry giants are targeting environmentalists with racketeering charges.

Well, this looks legit...
Nokia 1011 (1992)
Not quite the first GSM phone, but this device helped to bring 2G to the masses.
https://www.retromobe.com/2022/11/nokia-1011-1992.html

Introduced November 1992 Nokia 1011 The Nokia 1011 wasn’t the world’s first GSM mobile phone – that was the Orbitel TPU 901 – but that was...