Norton LifeLock breach — what now?

Norton’s Password Manager was breached

Norton’s breach of their LifeLock password vault is just a reminder to me that nobody should use a locked-in password vault solution. I am a fan of using a password vault from a provider for whom providing a password manager is their core business.

Antivirus vendors like to bundle products, such as a proprietary password manager, in with their service. That provides ‘extra value’ to their customers. Similarly, Norton bundles its password manager in with the Norton LifeLock antivirus and identity-protection service. And because of that, this data breach feels even more inexcusable. Norton’s stock-in-trade is ‘cyber security’, and that is the opposite of facilitating a security breach.

It is time to move to another provider

Export your Norton LifeLock password vault as a CSV file, and then import the resultant data into Bitwarden. This DIY procedure involves manually rearranging the columns of your generic CSV file so that Bitwarden can interpret your data. Email me if you want to hire me to help you transition from LifeLock to Bitwarden.

Norton’s LifeLock password manager was never as popular as Dashlane or 1Password, for example. Someone who wanted to transition away from either of them would find it simpler to move to Bitwarden than someone moving away from LifeLock would. This is not what you want to hear, but this may be your reality… Any serious password manager vendor makes it easy for users to pick up their data and leave. Here are Bitwarden’s own instructions for importing your password vault data into their password manager.
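As an added example (my own code, not Norton’s or Bitwarden’s), here is what the ‘manual configuration’ step amounts to, done in Python: every row of the generic export is mapped onto the header that Bitwarden documents for its own CSV import format. The column names of the Norton export (Title, URL, Username, Password, Notes) are an assumption, as is the sample export below, which is constructed; change the map to match whatever the first line of your real export says.

```python
import csv
import io

# Header of Bitwarden's own CSV import format ("Bitwarden (csv)" in the importer).
BITWARDEN_HEADER = [
    "folder", "favorite", "type", "name", "notes", "fields", "reprompt",
    "login_uri", "login_username", "login_password", "login_totp",
]

# Assumed column names of the generic export. Norton's real header may differ:
# adjust the right-hand side to match the first line of your exported file.
DEFAULT_COLUMN_MAP = {
    "name": "Title",
    "login_uri": "URL",
    "login_username": "Username",
    "login_password": "Password",
    "notes": "Notes",
}

# Constructed sample export: a login with a comma and quotes in its fields,
# and an entry that holds only a note (no username or password).
SAMPLE_EXPORT = (
    "Title,URL,Username,Password,Notes\n"
    'Bank,https://bank.example,alice,"p@ss,word","Security question: ""pet"""\n'
    "Wifi,,,,Router admin PIN 1234\n"
)


def parse_csv(text):
    """Parse CSV text into a list of row dicts keyed by the header line."""
    return list(csv.DictReader(io.StringIO(text)))


def convert_rows(rows, column_map=DEFAULT_COLUMN_MAP, folder=""):
    """Map generic export rows onto Bitwarden's columns, one item per row."""
    items = []
    for row in rows:
        item = {column: "" for column in BITWARDEN_HEADER}
        item["type"] = "login"
        item["folder"] = folder
        item["reprompt"] = "0"  # "1" asks for the master password before autofill
        for target, source in column_map.items():
            item[target] = (row.get(source) or "").strip()
        # Without any credentials the entry is not a login; import it as a secure note.
        if not item["login_username"] and not item["login_password"]:
            item["type"] = "note"
        items.append(item)
    return items


def to_bitwarden_csv(export_text, column_map=DEFAULT_COLUMN_MAP, folder=""):
    """Rewrite a generic CSV export as CSV in Bitwarden's import format."""
    reader = csv.DictReader(io.StringIO(export_text))
    present = set(reader.fieldnames or [])
    missing = [source for source in column_map.values() if source not in present]
    if missing:
        raise ValueError(f"export is missing expected columns: {missing}")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=BITWARDEN_HEADER, lineterminator="\n")
    writer.writeheader()
    writer.writerows(convert_rows(reader, column_map, folder))
    return out.getvalue()


if __name__ == "__main__":
    # Save the output next to the export, import it with "Bitwarden (csv)",
    # then delete both files once the entries are verified in the new vault.
    print(to_bitwarden_csv(SAMPLE_EXPORT), end="")
```

The converter fails loudly when a mapped column is absent rather than silently importing empty passwords, and it routes entries without credentials into secure notes instead of creating useless login items. Both the export and the converted file are plain text holding every credential you own, so they belong on local disk only and should be deleted as soon as the import has been checked.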

But, what about antivirus protection?

Yes, you would be ‘naked’ if you walk away from Norton entirely. You probably bought their product originally for its antivirus protection anyway. You could simply stop using Norton’s LifeLock Password Manager without walking away from their antivirus entirely.

Alternatively, you cannot go wrong with ESET if you need to ‘remain on an island’, meaning that your devices are not monitored or managed by some Managed Service Provider, like myself.

As an MSP, I install only ‘managed’ protection on my clients’ devices, so that my clients and I are informed of possible attacks on them.

Mr. IT is not affiliated with Bitwarden

I am into Bitwarden, but I am not affiliated with them. You can use their product/service for free, and their paid plans are probably the most affordable ones in the password manager category. My ESET link is also not an affiliate link.

I recommend their ESSENTIAL SECURITY product, called ESET NOD32 Antivirus — which costs $39.99 CAD (per device). Or, if you want some extra annoying features, consider their ADVANCED SECURITY product, called ESET Internet Security — which costs $49.99 CAD (per device).

I do not recommend their PREMIUM SECURITY product because it includes a Password Manager. This product is called ESET Smart Security Premium, and it costs $59.99 CAD (per device). But, as I started out saying (right at the top), I don’t believe that anybody should use a locked-in password vault solution.

Migrate your vault data to Bitwarden

If I were hired to do this for a client, this would be my approach. If there were a relatively small number of password entries to move over, I would not export/import the actual vault’s content. Instead, I would add the Bitwarden Password Manager browser extension to Chrome.

This browser helper is designed to capture the login credentials for your websites as you log into your various accounts (using your LifeLock password vault to fill them in). This is also a great opportunity to change your passwords, one by one. Yes, it would be a lot of work, but it is safe to assume that all your passwords have been breached.

Remember, you will only be doing this because you are concerned about the Norton breach I mentioned. Ignoring the very real threat of having your passwords known to criminals will lead to far more drama in your life, and repairing the damage to your reputation will be incalculably complicated. This is not a time to procrastinate if you were a victim of the Norton breach!

How did Norton inform customers?

It is never easy for a company to tell the world that a breach happened on their platform. LastPass found it much harder to admit their breach outright, while Norton’s announcement came closer to ‘ripping off the bandaid’. LastPass’s announcement was as shady as they could possibly make it. Their focus was more on minimizing further damage to their brand, which ended up being worse for everyone involved.

Gen Digital (the parent company of Norton LifeLock) warned some customers that their accounts ‘may have been compromised’. To these users they admitted outright that “an unauthorized third party knows and has utilized your username and password for your account”. They had detected a credential-stuffing campaign earlier in December of 2022. Credential stuffing means the attackers logged in with username and password pairs leaked from other sites’ breaches; it only succeeds against accounts whose owners reused a password for their Norton login. Their explicit warning is that “in accessing your account with your username and password, the unauthorized third party may have viewed your first name, last name, phone number, and mailing address.”

While that is awful news, they put LastPass to shame by being honest and upfront about how bad the breach is. Unlike in the case of LastPass, this breach was limited to about 6,500 Norton LifeLock customers. In the case of LastPass, they reluctantly admitted in the end that their breach affected all their customers.

In my post on the LastPass breach, I also urged affected users to move away! I recommended that they not reuse their old master passwords either. I explained how to design a string of characters to use as your new master password. Check it out. My ‘formula’ guides you to compose a complex password which you can actually remember. You only need to remember one really good password to access your password vault… Why not use an impressive master password?

Moving to another Password Manager

In my post on the LastPass breach, I explain why I prefer Bitwarden. Dashlane and 1Password are excellent alternatives, but Bitwarden is based on open source technology. This means that their source code is open for anyone to inspect, modify, and enhance. This is absolutely not how proprietary software like Norton’s products will ever work. This thought might scare you if you are not familiar with the open source philosophy. However, transparency is a good thing, and brilliant contributions to software also come from philanthropic people. Yes, some brilliant developers care about the greater good, not about making money.

For me, Bitwarden also provides the easiest way to access passwords and sensitive information, across my different platforms. I use Mac and Windows operating systems interchangeably.

I have converted clients’ computers from Windows to Linux when they would otherwise have had to throw their old devices away… Everyone I have helped to get onto Bitwarden loves how it works (once they have migrated their data). I want to remind you that Bitwarden provides a tool to import password vaults from other providers.

And, since your exported password data is a plain-text file containing every credential you own, delete that file as soon as the import has succeeded and you have verified the entries in Bitwarden.

When is a password good enough?

If you create a password you can remember, it may be too simple to be safe enough. Your master password must be good enough to protect your new password vault from being breached. Why not test your proposed new master password at Security.org’s How secure is my password? I would not settle for a password that seems like it might take a computer less than 1 million years to crack. You don’t have to settle either.

Add a few strategically placed symbols to improve the quality of your master password.

Other security breaches to ponder

LastPass breach — should you move on?

— Norman Atterbury

The Meta Pixel allows sites to track you

Meta Pixel used to be known as Facebook Pixel

You are welcome to email me if you want to hire my services. Together we can minimize how social media tracks your online activities.

The Meta Pixel is a snippet of JavaScript code that allows websites to track visitors’ activity. According to this Meta Developers Document, it loads a small library of functions to track various actions that a visitor might take on a website.

Meta refers to these tracked interactions as ‘conversions’. Tracked conversions appear in Meta’s Ads Manager, where advertisers use them to measure the effectiveness of their ads. Conversions are also used in ‘ad targeting’: for defining custom audiences and for analyzing the effectiveness of ‘ad campaigns’.
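As an added example (my own code, not Meta’s or The Markup’s), the following Python function recognizes the standard Meta Pixel snippet in a page’s saved HTML and reports the pixel ID, the events the page fires, and any Advanced Matching fields (such as the visitor’s email) the page hands to the pixel. The regular expressions follow the publicly documented snippet; the sample page is constructed.

```python
import re

# Pieces of the standard Meta Pixel snippet: the fbevents.js loader,
# fbq('init', '<pixel id>'[, {advanced matching fields}]),
# fbq('track' | 'trackCustom', '<event>', ...) and the <noscript> fallback image.
LOADER_RE = re.compile(r"connect\.facebook\.net/[\w-]+/fbevents\.js")
INIT_RE = re.compile(
    r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d+)['\"](?:\s*,\s*\{([^}]*)\})?"
)
TRACK_RE = re.compile(
    r"fbq\(\s*['\"]track(?:Custom)?['\"]\s*,\s*['\"]([^'\"]+)['\"]"
)
NOSCRIPT_RE = re.compile(r"facebook\.com/tr\?[^'\"\s>]*\bid=(\d+)")
KEY_RE = re.compile(r"['\"]?(\w+)['\"]?\s*:")  # object keys inside {...}

# Constructed sample page: the standard snippet plus an Advanced Matching email
# and a "Schedule" event fired when an appointment form is submitted.
SAMPLE_HTML = """<html><head>
<script>
!function(f,b,e,v,n,t,s){/* loader body elided */}(window, document, 'script',
  'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '1234567890123', {em: 'visitor@example.com'});
fbq('track', 'PageView');
fbq('track', 'Schedule', {content_name: 'appointment request'});
</script>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=1234567890123&ev=PageView&noscript=1"/></noscript>
</head><body><form>...</form></body></html>"""


def find_meta_pixel(html):
    """Return what a page's Meta Pixel is configured to send, or empty results if none."""
    pixel_ids, matching_keys = set(), set()
    for pixel_id, user_data in INIT_RE.findall(html):
        pixel_ids.add(pixel_id)
        matching_keys.update(KEY_RE.findall(user_data))
    # The <noscript> image carries the same ID, so it also catches pixels
    # whose JavaScript was minified or built differently.
    pixel_ids.update(NOSCRIPT_RE.findall(html))
    events = []
    for event in TRACK_RE.findall(html):
        if event not in events:
            events.append(event)
    return {
        "loader_found": bool(LOADER_RE.search(html)),
        "pixel_ids": sorted(pixel_ids),
        "events": events,
        "advanced_matching_keys": sorted(matching_keys),
    }


if __name__ == "__main__":
    print(find_meta_pixel(SAMPLE_HTML))
```

Run it over the saved HTML of a site you are about to hand personal data to. The events list tells you which interactions are reported to Meta, and a non-empty advanced_matching_keys list means the page explicitly passes identifying fields (email, phone, name) to the pixel; Meta’s library hashes them before transmission, but they are still matched against profiles. It is a static check only: events added by a tag manager or fired from other scripts at runtime will not show up, so an empty report is not proof that nothing is sent.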

Facebook caught collecting information

The article called Facebook and Anti-Abortion Clinics Are Collecting Highly Sensitive Info on Would-Be Patients was posted on June 15, 2022 by Grace Oldham and Dhruv Mehrotra. Below is my brief overview of their compelling findings; you can also read their original article on The Markup.

They demonstrated that more than a third of the websites in question sent data to Facebook when someone made an appointment for an ‘abortion consultation’ or ‘pre-termination screening’. And, at least 39 sites actually sent Facebook details such as the person’s name, email address, or phone number.

How does Meta actually track us? The article shows how Facebook and the crisis pregnancy centers were using the data that ‘the pixel’ collects… Grace created a new Facebook profile in late April solely for this investigation. While logged in to Facebook, she visited the 294 crisis pregnancy center websites known to use ‘the pixel’ for tracking, clicking through each website and, when available, filling out appointment request forms. To keep her ordinary browsing from contaminating the experiment, she used a clean browser with a cleared browsing cache.

In early May, Grace and Dhruv used Meta’s Privacy Center to download and review the data held on the clean Facebook account. They found that Facebook retained data about her interactions with 88 percent of those crisis pregnancy center websites, and that it had linked her browsing behaviour to her Facebook profile.

Facebook does not have an incentive to crack down on violations of its advertising policies. That costs them money to do. As long as they’re not legally obligated to do so, why would they expend any resources to fix this? The more data they get, the more targeted advertising they can do, and that’s the gravy train for them: targeted ads. If they’re proactive about cutting off sites like that, it impacts their revenue in multiple ways.

Serge Egelman, research director of the Usable Security & Privacy Group (UC Berkeley’s International Computer Science Institute)

Facebook explains the Meta Pixel

On their website, Facebook says: “If you’re logged into Facebook and visit a website with the Like button, your browser sends us information about your visit.”

And: “If you’re logged out or don’t have a Facebook account and visit a website with the Like button or another social plugin, your browser sends us a more limited set of info.”

Thanks to the Facebook Pixel, Meta is tracking everyone!

DuckDuckGo desktop browser

As a Mac user, I use the DuckDuckGo desktop browser app for Mac. I do that to minimize how much websites can track me. While the DDG browser uses the DDG search engine by default, you can change it to use another search engine of your choice, Google’s for instance.

On the rare occasion that I may want to see a different set of search results (in the DDG browser), I would actually ‘use the Google search engine’ in my DDG desktop browser. Google arranges my search results to benefit their paying advertisers, not me. Obviously, I am their product, as would be the case with Facebook as well. It is not surprising that they are tracking my activities.

Even so, it does happen sometimes that I have a need to see another set of search results. I would not change my browser’s search engine setting, when this happens. I would simply type ‘google.com’ in the address bar of my DDG browser. Doing so would take me to https://www.google.com/. Thus, I would be using Google’s native search engine, embedded on their search page. Google can indeed track my search activity on their site. In this case, that level of tracking would be inevitable. I limit all the other forms of tracking as much as possible, for this very reason.

At that point, an unsolicited popup would remind me that ‘Google recommends using Chrome’, and that I could ‘more easily search on Google with their fast, secure browser’. I am steadfast and not lured by such proposed (popup) distractions. I use the DDG desktop browser for its tracking protection in the first place.

Why do I use several browsers?

I use different browsers for different purposes, always optimized to limit the relentless tracking by the Meta Pixel and other trackers. I containerize activities into certain browsers. My personal favourite is the Brave browser. It is safe out of the box, but takes a bit of tuning to suppress some annoying things that I don’t need to see. I will write a ‘How To’ guide for this at some point…

Since I administer several Google Workspace accounts, I use the Chrome browser for that purpose. And, I do all my website administration and upgrades in the Vivaldi browser. While it also requires a bit of tuning to suppress some features that I don’t use, it is lovely.

Google or Microsoft are usually the ones who attempt to lure me into switching to their browser… I do not appreciate that when I am inside any of the browsers that I use frequently, nor when I am simply using the DDG desktop browser. I use the DDG browser because it limits unsolicited tracking!

If you are not a regular Mac user, there are other ways to get DDG protection. If you don’t want to wait for DDG’s Windows browser app to be released, add the DuckDuckGo Browser Extension to your browser. Or, you could install and use the DuckDuckGo Mobile App.

How Does the DuckDuckGo App/Extension Protect My Privacy? should answer any DDG questions you may have… DDG is great, but it is only one possible way to ensure that websites are not tracking you online…

Other private browsing options

You could use the Firefox browser and add the uBlock Origin browser extension.

uBlock Origin is a free and open-source, cross-platform browser extension for content filtering, primarily aimed at neutralizing privacy invasion in an efficient, user-friendly way. And, if you’re going to be doing this, why not then also use Firefox’s Facebook Container add-on browser extension?

This add-on isolates Meta sites (including Facebook, Instagram, and Messenger) from the rest of your web browsing. It is an elegant way of setting boundaries for Facebook and other Meta websites, and it effectively limits ‘where Meta can track you’.

You can further improve your security profile if you stop saving your passwords in your browser!

Move any saved passwords over to a proper password vault. Before 2023, I would have advised that you move to LastPass, but now I recommend that existing LastPass users move on ASAP. I am not getting affiliate commission for recommending Bitwarden, I simply trust them with the responsibility of keeping my password vaults secure!

— Norman Atterbury

LastPass breach — should you move on?

I used LastPass as my password vault

I was urging my clients and family to use LastPass as their password vault. If you were one of these people, you probably know this did not end very well… and you could email me if you would rather hire my services, to handle this for you.

LastPass has not been handling their latest security breach in a manner that makes me confident that they are protecting everyone’s password vault! On December 22nd, 2022, their update said that “the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”

It is safe to assume the attackers obtained the metadata associated with every user’s account! The same update said that a backup of customer vault data was also copied. The sensitive fields in those vaults are encrypted with a key derived from each user’s master password, so offline brute-force attempts to crack open users’ vaults, starting with the weakest master passwords, are an undeniable possibility.

MOVE ON to another Password Manager

I prefer Bitwarden for my own use, although Dashlane and 1Password are excellent alternatives to my choice. I have used most Password Managers available, and any one (that is trustworthy) is better than thinking up ‘your own’ passwords and writing them down. As a human, you cannot create passwords with enough entropy, i.e. unpredictable enough to resist guessing: use a Password Manager!

Bitwarden is based on open source technology, which means they are being scrutinized every step of the way, unlike the proprietary (secret) technologies that almost every one of their competitors clings to.

For me, Bitwarden is the easiest way to secure all of your passwords and sensitive information, and they provide a tool to import password vaults from other providers.

Do not reuse your old master password

Create a new master password, and then change all the passwords inside your newly established password vault. Since your old password vault was most likely among those which were downloaded, the attackers will keep it on a hard drive until one of their minions can crack into it, one day…

You want to be sure that when that happens, every password in your old password vault will have been replaced with a new randomly created one.

Create an impressive master password

I recommend taking a line from one of your favourite books, and modifying it…

Remembering a sentence (one that you could even highlight in an actual book for reference) is relatively simple. Just be sure you join the words with a symbol, such as a hyphen or an ‘!’, then capitalize the first letter of some of the words, and add a few numbers and symbols.

THE LONGER IT IS THE SAFER YOU ARE

For instance, if you used this sentence (out of some book): The Bluebells represent the Party and Winston and Julia’s love affair.

And then converted it into: The-Bluebells-Represent-The-Party&Winston&Julia’s-love-affair-44 — to become the string of characters you use as your new password.

In the example above…
  1. the ‘blank spaces’ became hyphens
  2. the word ‘and’ became the symbol ‘&’
  3. the number ‘44’ represents some year that is special for you; do not use your birth year

THIS WOULD BE A SAFE PASSWORD

Once you think you have come up with a password you can remember, why not test it at Security.org’s How secure is my password? Make sure it is in fact, good enough to protect your new password vault.

Do not settle for any password for which the results suggest that a computer might take less than 1 million years to crack it.
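The ‘formula’ referred to in the Norton post above and spelled out in this section, as an added example in Python (my own code, not the author’s): it applies the three rules to a sentence and then estimates how many bits a blind brute-force search over all printable ASCII characters would need for the result, which is the assumption behind online strength meters. The sentence and the suffix 44 come from the post; how many leading words get a capital letter is my assumption (the post only says ‘some’), and five reproduces the post’s example exactly.

```python
import math
import string

# The sentence the post uses (ASCII apostrophe here; the post shows a curly one).
SAMPLE_SENTENCE = "The Bluebells represent the Party and Winston and Julia's love affair."


def build_master_password(sentence, capitalize_first=5, suffix="44",
                          joiner="-", and_symbol="&"):
    """Apply the post's rules: joiner for blanks, '&' for 'and', a number at the end.

    capitalize_first is an assumption: the post says to capitalize "some of the
    words", and capitalizing the first five reproduces its example.
    """
    words = sentence.strip().rstrip(".!?").split()
    password = ""
    capitalized = 0
    for word in words:
        if word.lower() == "and":
            password += and_symbol      # 'and' joins its neighbours directly
            continue
        if capitalized < capitalize_first:
            word = word[0].upper() + word[1:]
            capitalized += 1
        if password and not password.endswith(and_symbol):
            password += joiner          # a blank space becomes the joiner
        password += word
    return password + joiner + suffix


def charset_size(password):
    """Alphabet a brute-force attacker must assume, judged from the classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def bruteforce_bits(password):
    """log2 of the search space a blind brute-force attack faces: length * log2(alphabet)."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    pw = build_master_password(SAMPLE_SENTENCE)
    print(pw, len(pw), "chars,", round(bruteforce_bits(pw)), "bits under brute force")
```

Because the estimate is computed locally, the candidate never leaves your machine, unlike a password typed into a web form. Treat the figure as an upper bound: it is what a strength meter assumes, but a sentence copied verbatim from a published book is a much smaller search space than 94^64, which is why the post insists on modifying it, and why the number at the end should not be something an attacker can look up about you.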

Other security breaches to ponder

Norton LifeLock breach — what now?

— Norman Atterbury