Dynamic data safety: Purandar Das on encryption and beyond

August 8, 2024

If data is at the center of your risk profile, how resilient is your current encryption? In this episode of Secure Talk, we discuss encryption with Purandar Das, a deep expert in data encryption and CEO of Sotero.

The conversation also explores early influences, the role of a CTO, the evolving challenges in data security, and the importance of adaptive leadership. Purandar shares insights on the effectiveness of current encryption algorithms, the impact of quantum computing, and the development of AI-driven solutions for data security. We also review the LastPass breach, highlighting the importance of strong encryption practices and the ongoing evolution of cybersecurity threats. This episode is a must-listen for cybersecurity experts and enthusiasts looking to stay ahead in the rapidly changing information security landscape.


Secure Talk - Purandar Das 

Justin Beals: Hello everyone. And welcome back to Secure Talk. We have an exceptional guest with us today. I'm very excited for our discussion. We're chatting with Purandar Das, who is the CEO and founder of Sotero.

Purandar Das: Justin, thank you for having me. My pleasure. 

Justin Beals: Obviously, Sotero is a great company. I've been looking at the products. We're going to dive into some of your work around cyber security. But one of the things we love to start our discussions with is a little bit about early influences for you and working with technology or cyber security pre-college. What got you interested in the technology space?

Purandar Das: Oh, great question, actually. So I had a cousin who was a, was a CPA, but one was also interested in technology and he started a software consulting business. I was, it was probably pre high-school for me. Uh, and he managed to rope in my bigger, my older brother into his business to help him out. I was the guy that was left out.

So I, I kind of started to hang around with them and see what they were doing. That actually got me interested in computers slash technology. From then on, it's always been something that I've, uh, wanted to get into, ironically, kind of started to, to look at my educational and my education. And I went into mechanical engineering.

I was always, I loved cars. That's essentially what got me into mechanical engineering. Cars and planes and, and kind of going through it was interesting, but I always had technology and computers in the back of my mind. So graduating from mechanical engineering, unfortunately I also had the opportunity to work a day on a factory floor after I did my undergrad. That one day convinced me that I was not meant to be a mechanical engineer.

Justin Beals: You were ready, ready to get back in front of the keyboard.

Purandar Das: So that's the, the education and my career. 

Justin Beals: I'm always surprised at how many people like started with a kind of a vision for their life, like mechanical engineering or something quite different and wound up in this field of work. It's, I think sometimes the cross fertilization is very powerful.

Purandar Das: I tell people about this all the time. I mean, the fact that I have a mechanical or an engineering background for an education has been critical. The analytical thinking, the exposure to a wide variety of subjects and topics, has just made my career more fruitful in technology than I think it would have been if I had just gone straight into being a technologist.

Justin Beals: Certainly a little bit of sibling rivalry along the way. Yeah. That's excellent. And so you have two degrees, both in mechanical engineering, but then you worked as a chief technology officer for a number of organizations. How do you find that leadership role as a CTO?

Purandar Das: It's certainly interesting, but it's also challenging because I'm sure with your background as well, Justin, the CTO role covers a lot of different areas and responsibilities. A lot of it is what the industry that the company is in the stage that it's in, the challenges that it's facing, but it's also what's the problem for the day, right?

What's the problem for today? And those things change constantly. And then you have to deal with a large number of people. And in many of today's companies, especially on the tech side, the CTO ends up managing the largest number of associates of people in the company. So the, the challenges that it brings is massive.

One of the things that I've said, my computer says that I've learned something. From everybody that I've ever worked with, right? I mean, leadership is great when you're telling, when you're kind of managing the process and being the guy that's being the person that's setting the direction, et cetera, but if you listen, you learn something from everybody that you interact with some good, some bad, but mostly very positive and gives you a different perspective on everything that you interact with. 

Justin Beals: Yeah. I found in some of my work as a CTO that it was a lot of planning and then throwing it out three or four days later.

Purandar Das: Absolutely, Yeah.

Justin Beals: The hard part is, is that you finally get this role. You're a leader. You've got this idea that you're gonna have an impact, but then you need to be willing to throw out that impact to your point of learning from the team around you.

Purandar Das: Yeah. I mean, that's the biggest key, I think, in being successful in that role. I mean, you have to have a plan. Absolutely. Right. I mean, in the general direction in the sense, but not being ready to adapt and not being ready to accept input is usually a warning sign that that individual is going to fail.

Justin Beals: Absolutely. So you've now moved into work at Sotero Soft as the CEO. That's a difficult transition unto itself. You're moving from engineering into pure form management. To a lot more engineering for the business. Yeah, 

Purandar Das: Absolutely. I mean, it, it brings a lot of other challenges, right? I mean, you're, you're thinking about customer service. You're thinking about go to market, finding the early customers, then trying to scale that, then building an organization as also providing strategic direction and leadership.

It's been challenging, but truly it's been rewarding. Spent a long time in the corporate space being the CTO, but kind of the entrepreneurial journey has been extremely exciting and interesting as well. 

Justin Beals: Yeah. I think one of the things that served me well when I was a CTO and moving to the CEO role was that practice you have to have of telling a story about the technology.

Purandar Das: They say this, right? Founders are usually the best salespeople. And that's for a reason. One is the obvious reason is you know what the product is, so you can, you can talk about the vision, the capabilities and what it solves, but you also bring a passion to it. Because if the, if the, as the founder, you completely believe in the product that you're pitching out there.

So it's not like, it's unlike a professional sales person pitching the thing. There is a lot of credibility that founders can and do bring to a sales process. 

Justin Beals: Yeah, I had a really great mentor once tell me great CEOs sell, Justin, all the time. That's what they're doing. And it's, it's multifaceted though. Sometimes it's attracting the right talent to your team. Sometimes it's in tracking, attracting investment to the vision of the firm. And sometimes it's attracting customers. Yeah.

Purandar Das: Yeah, it's a nonstop process, right? I mean, you're, you're continuing to sell the vision and the journey to the investors because they can tend to be impatient or they want to keep hearing good things about progress.

The employees also want to keep hearing about where the company is, how it's doing, how we're going to solve the challenges that they see in their individual areas. I mean, in the context of a sales short, but they want to be assured that what they're doing matters and that they're not doing something that's not going to be meaningful.

Customers want to keep hearing about the evolution of the product, how you care for them, how you're going to be there to help them. Solve the challenges or help fulfill the promise on which they bought this product. 

Justin Beals: Yeah, absolutely. So, Purandar, you have a very unique expertise, not only your startup and what you're working on, but one of the things that I noticed is your expertise in data and data encryption.

And as a matter of fact, you co authored a patent for IBM in this space. One of the things that I'm a little curious about is what's your thoughts on the effectiveness of our encryption algorithms today? 

Purandar Das: Encryption algorithms are absolutely fine, right? The question becomes is how effective are they at solving specific challenges for data protection?

When you think about encryption for data in transit, what we have today is fantastic. Nobody's going to, at least based with today's computing, nobody's going to break it. Right. But when you think about the same encryption that's used for data protection, it depends on what you mean by data protection. If you're talking about protecting data from being stolen off a disk, that encryption is fine.

But if you're thinking about preserving privacy, preserving security, as the data's being used, it's completely inadequate. So it just depends on what it is. And I think encryption has a good and a bad name. It's usually viewed in some perspective as a panacea for everything related to data privacy, which is not true at all.

The other perspective is that encryption is, imposes terrible latencies, and it's usually a process killer and a friction creator. That's not true either. It just depends on using the right, algorithm, the right product for the right problem. 

Justin Beals: You mentioned this term in use and certainly as a CTO, when I've been designing architectures, we've been like, okay, how is our database encrypted?

And then how are we encrypting the web server traffic? But there's, As the more you dig in, as you're doing the architecture work, you realize there are little gaps where things are decrypted and re encrypted, decrypted and re encrypted. And the in use, uh, seems to be an emerging space for solutions. Is that right?

Purandar Das: It is. So, I mean, to begin with, there's, a couple of misconceptions, right? In use actually has multiple connotations to some people in use means keeping the data encrypted between the end user or application at the point of consumption all the way to where it's stored and where it's put in storage, right?

Which is fine. That's the journey. The fact is that the data in storage is not encrypted. So when you look at it from that perspective, it's not the little encryptions, decryptions that were data stolen. It's actually at the point of storage, because that's where data is available in bulk. And that happens to be a database or a file, a file server or a file share, right?

So our perspective on in use is keep the data in storage, encrypted, even at, even while it's being used or queried. That's our perception, perception of in use, right? Because if you think about it, data written to disk is encrypted, right? Nobody can make a copy. Nobody can steal the data. If that were the case, why are the hackers and criminals and all those malicious people getting their hands on data? they're getting it because while the data is made accessible or available for use, it's completely unprotected. So they can get into the network, get in through an application, get in through a firewall, and get their hands on data.

That's the bigger problem. That's the bigger, bigger vulnerability. And that's what we mean when we say we solve this problem with in use.

Justin Beals: Yeah, because you know, it's, I think it's, we all want to be assured that we're doing the right work. And see this, I'm an AWS user and not so good with Azure, but I see the setting on the data store and I'm like, let's turn on encryption, let's make sure that's working. But to your point, it could be almost a false positive that we've, we've had the encryption we expect. 

Purandar Das: And there's also another re and, and I mean you, it's not a broad brush, but if you think about the, the genesis of encryption, for many organizations it was because they had, there was a regulatory or a cyber insurance mandate to encrypt data.

So they look at the thing and to your point say, Hey, there's a setting here that says encrypt data. Let me do it. I'm all set. But obviously as we're learning, the, the folks on the other side of the tracks, the bad people, are much smarter than people that try to implement this, and that's where the problem is.

Justin Beals: Yeah, and there's always a little chink somewhere, just like a buffer overflow type hack or something like that where we can find a little chink in the armor that even makes encryption weaker or tougher to support. 

Purandar Das: And all you need is one, one point of access to get in, right? Once you're in, the entire defense that you build, it's all gone. And that's really, that just is a function. It's a positive sign that there's so many ways to get in, because in some ways it actually speaks to the complexity of integration and the complexity of solutions that are available out there. And that's what drives businesses. That's so many applications and so many different devices can talk to each other and share information. That's the positive. The negative is it just creates so many points of weakness.

Justin Beals: Yeah. I've had this perception that managing data security does feel like a Sisyphean task, right? And to your point, our digital infrastructure at our companies and our relationships with our customers, it's all designed to distribute the data in exponentially efficient ways.

How do you approach just my mindset perspective data security, especially if you're a CTO or a security leader in house? 

Purandar Das: Yes. So you brought up something, right? I mean, we both acknowledge and I think we both understand that. Businesses today and the, the economy across the globe in general is successful because of the connectivity, and the ability to share information and, and the amount of time it's reduced to actually share information, and make decisions. That's what's driving many businesses, and that's the great aspect of it. The challenge is, if you think about it, we're evolving from a model where all, all applications, all data, all compute was stored within one location, quote unquote, a data center.

Now we've blown that apart. And we are trying to take the same security model, the same security products and capabilities that worked, whether they worked well or not, was working on, on those, close and close data centers and trying to put them in place and hope that they're going to be successful on a completely different part.

The cloud has evolved. Global connectivity is world mobile devices are exponentially grown. So there has to be a different mindset. When security was thought of in the, the closed space, in the data center space, right, data protection was not really that relevant because they said we can lock down.

When you take that and open up the data to a million more devices. Hundreds of thousands of users, tens of thousands of users, thousands of applications, and you put this data somewhere else where it's not as locked down that becomes a huge weakness with your data is not protected. 

Justin Beals: Yeah.

Purandar Das: So what we tell people, my suggestion is that you start to think about data security from the inside out. What are people trying to get to? It's your data. So let's focus on making sure your data is secure, even if somebody were to break into the network. That security starts with, obviously, the, the governments in terms of monitoring, real time monitoring and threat detection.

Yeah. But it also should include the ability to keep the data locked down for all of the users that are not authorized to view or see it.

Justin Beals: I've also noticed like a different attitude in myself and other technologists, where one of the first things we're doing is saying no to certain types of data. 

Purandar Das: Yeah, I'm sure in your work, you heard this in your role, you probably faced it as well and saying, I don't want to go to security because the response is going to be a no.

Yeah, you don't. Right. I mean, the ministry of no, as they make fun of the security teams, right? They're in a really tough situation. They've got all these mandates, the requirements that they need to put in place. They necessarily don't align with the data needed to be available, open and stuff. So they've got a tough, tough job in front of them. But the business has no patience for what they want to do. They're saying, I, my, my revenue, my job, my business depends on this data being made available, being available easily and all the time. So you're looking at two different needs.

Justin Beals: Yeah. It is an incredibly hard role, I think, to support because you can drive the revenue forward, or you can say this is too dangerous. Unrealized risk. Yeah,

Purandar Das: And I mean, even without even mentioning any of the examples every week now, it's a massive breach. Right? A ransomware attack, a massive breach. If you don't get both parts of this right, you either lose revenue or you could lose the company.

Justin Beals: Yeah. So, what do you consider the aspects of data security posture management? 

Purandar Das: It's a great question. I think that acronym is something that's evolving as we speak, right? I mean, DSPM to some people, posture management relates to policy management, right? To other people, it translates to find all the data sources or data assets that I'm not aware of.

So data discovery, another set of people, it means classification, right? Who cares if I don't know where the data is, just tell me if there's sensitive data in there. And if there's sensitive or confidential data, make sure you give me the tools to protect right left on set in this are all the different data types.

You have data on-premise in databases. You have data in the cloud in databases, in file stores, and object stores. To us, and I speak at this, I look at this as, to us, DSPM means all of the above. Right. It's, it's, it's discovery and classification, risk assessment and risk management, telling you where the data is and what you've been able to think, providing support for all of the different data forms, whether it's in the cloud, it's a file in the cloud, it's object stores in the cloud, it's databases in the cloud, it's databases on-prem, it's your file shares, files of one product that protects all of the data, right?

Then, it becomes governance and monitoring. Can you give me real-time monitoring for audit, compliance and management, right? Which kind of also bundles in into some access management, right? Are the right people getting access? The final piece of this is threat detection and prevention, right? And different big thing, if you look at DD, DLP or DDR is a big thing of a data loss, right?

Structured databases should also be able to detect somebody that's trying to exfiltrate or download data unauthorized. When you look at the unstructured files, file systems that are getting hit with ransomware attacks, it should be able to detect and defeat those attacks in real time. When you bundle this entire set of capabilities, that to us is what DSPM is, and that's what we built.

Justin Beals: Yeah, certainly. I think there's this. Oversight. And then what is our response? Like what I like what you tied together is it doesn't stop at classification or understanding where data lives. It understand it also is like what's our posture, like our our security surface. What are we doing about that? How are we actively engaged in the security surface?

Purandar Das: And again, our thing is bottom-up, inside out. First thing when you find it, make sure it's protected. We put our encryption on it so that nobody can use it, even if they were to get access to it. Then we make sure all of the access that's going to it, the traffic, goes through us. So we're validating in real time with our ML models if it's a threat, if it poses a threat. We're validating that it's the right user with the right privileges, at the right point in time, from the right location, that's getting access to the data, and then we generate these audits so that you're not going to 100 different places to look at logs. We're bundling all of this into a couple of dashboards that says, here's all the activity.

But the ones that you want to look at, that's this. If there was a threat detected, then we've stopped the process and fired off alerts to your SOC team, to your network team, and saying, take a look at this user on this process because they're behaving in an anomalous way. And we block them till you actually validate and verify that.

Justin Beals: I'm glad you brought up this aspect because I think that at Sotero, you call this a data detection response as part of your solution. When reading about your solution, it relies heavily on AI to detect and investigate. And in my humble experience building some AI-driven products, great data builds great AI solutions.

And so how not having trained security solutions, how do you think about the data for developing the models that you use for prediction and recommendation? 

Purandar Das: Yeah, I mean, I would say that what we've done, that is a massive industry by itself today, right? Because I mean, with the LLMs exploding, people are kind of thinking about two things.

One is the training data, like where do you get the right data for the right thing? That's. a science by itself. That's a good thing. The second aspect of that is, there's two aspects to the other, two sides to this one is, how do you keep the data protected? While you're using it for training, right? How do you make sure that it's sanitized and that it's not leaking confidential information?

Second, is when you inter, when you mingle this data with an open source LLM, how do you make sure your data hasn't leaked, right? So there's two aspects to this. For us what we do is we actually deploy the LLM locally so that, make sure that there's no data leaked. 

All of the interaction to an open source LLM happens in, through our product in a controlled manner, where we make sure that no data is leaked to the open source. And we're just learning from that. Then what we do is we're building data sets and optimizing them for specific verticals like finance, pharmaceutical, telco. We built those data sets because that's where we have customers, and we're helping those optimize train data sets to drive learnings for us in that space.

Justin Beals: I think this is critical to accuracy on the predictions you get out of machine learning models, right? Like if you can get enough, sometimes I'm willing to give up on the data set size for precision in the area of focus. And I get a more accurate model.

Purandar Das: Absolutely. Otherwise, you're going to be inundated with false positives and a crazy amount of signals that you really have no way of dealing with, and it's going to be nine months later, when somebody figures out when they're running some analytics on it.

Justin Beals: Yeah, absolutely. We had developed some employee productivity prediction tools, and we found that there was a sweet spot for number of records. It was about 500, but we get specific categories where we were really accurate in.

But when we started mashing together categories, that all got really murky. Absolutely. The other thing that stands out to me is to in our work, we've taken on a policy of not really using the LLM externally hosted solutions for our internal product set features and bringing those in-house, and I'm getting a lot of positive feedback from customers and potential customers that that's what they want as well.

Purandar Das: Absolutely. I mean, so, yeah, I mean, that is a huge concern, right? If you equate that to people get using a web browser to go on the internet, right? If the velocity of usage ever reaches that within an organization, think about how much information that you think is useless, but that is critical and proprietary when you bundle it across all of this usage, that somebody that has access to these collection of data sets can glean from it.

That's scary, right? I mean, one piece of data that you don't think is relevant. You throw it in there, and somebody else, two other people do the same thing, then you bring it all together because the model has the ability to link all of these and then say, you're kind of essentially now sitting on something that's extremely valuable and critical.

Yeah, absolutely. I mean, that's part of the problem that we're also trying to solve as a, as our platform for, uh, what we call as trusted AI, uh, interactions, the giving, uh, giving organizations the ability to interact with open source elements without leaking information. 

Justin Beals: Yeah. And it's such a black box, right? Like once, how many models have we built where someone might say what's in it? And I'm like, I have no idea. You have no idea. Yeah. And now they're so. The outcome of the model it's designed to perform by creating more conversation. And that means the user is trying to entice the user to communicate with it, and so you get into a situation where it's, it's trying to answer the question. If you ask a question about data it's consumed because you put it in there earlier, it may spit out exactly what it learned.

Purandar Das: There's a very basic example that's really not related to AI or LLMs, but it's kind of, it, it ties into this, right? There, there is the, the, what they're called data brokers now, which I'm sure you heard on the dark web, that are essentially gleaning stolen data from tens, if not hundreds of different sources and are able to build an extremely rich profile of the individuals, right? All the way from physical address, which is obviously fairly easy to get to, but the various email addresses, the various websites that you have credentials at, plus the passwords that they've been able to steal.

So, and that data is available. This is being done manually. Think about the power of LLM on a model. And the computing that can be applied to random pieces of information that can be collated together to draw conclusions. 

Justin Beals: I mean, not to add any more firepower to the issue, but if I were a malicious actor, I might like to build a model, sell the model more than the raw data. Yeah, 

Purandar Das: I'm. It's not that far away, or it's not that outlandish. That's gonna happen as well. 

Justin Beals: Yeah, I think so. We're all sharing from the malicious side or the defender side, the attacker, the defender side, the same toolset. It's, it's kind of an intriguing 

Purandar Das: technology, same skill, same tool set. Absolutely. 

Justin Beals: Yeah, I mean, we look at, I was, just reviewing a little bit the LockBit takedown and, and, and reemergence and they had resilience controls for their own data. Yeah.

So I want to play forward the future here just a little bit. I think that you mentioned that today we feel like our encryption algorithms are in really good shape. However, you mentioned until we get a shift in the computing power, and certainly, I've been paying close attention to what's happening on the quantum side.

I also see a lot more energy being put into here because I think there's a lot of data centers being built. We need to continue on the efficiency progress with computational power. We're going to build this next-generation set of tools. How do you think about future encryption and the work we're doing as quantum computing may come to bear?

Purandar Das: So, ironically, if you think about it, both quantum computing and AI are driving the next generation of chip development, right? Because the processing capabilities that are needed are so, so much more powerful than what's traditionally been built, right? So that, that is driving a lot of acceleration.

Quantum computing, people kind of look at it as purely from a negative perspective, right? And say quantum computing in the future can break today's encryption. Absolutely. I'm sure it can, right? It certainly cannot. The flip side of that is quantum computing. If it can quickly break encryption, it can also create equally strong encryption.

So it goes hand in hand. The question is, what happens to legacy encryption or data that was encrypted legacy that's in the wrong hands? That's a challenge, right? But from a, uh, practical perspective, quantum encryption driving decryption is also going to power more powerful encryption. So that's going to be a toss-up, right? The other side of that is there are a lot of companies. And I think most recently, a Dutch port has started to deploy a quantum network that's based on quantum entanglement, and that's actually increasing the, the, not purely the encryption, but mostly the key or the key complexity that's being used in the network. So they're making the networks by themselves much stronger and, uh, safer.

Justin Beals: That's quite interesting. I hadn't thought of that. But beyond like encryption decryption, if you can change just simply the physics of the key size. Exactly. Utilizing quantum computing that can really, really shift the strength of the encryption methodology.

Yeah. So, the thing that is just absolutely intriguing to me, too, is there the openness with which National Institute of Science and Technology have been driving quantum encryption methodologies? It seems a little different, like, in the past, I think, philosophically, we're like, we're gonna hold this encryption methodology close to our chest, we're not gonna share it too much, but they've been running a DARPA contest. Practically one of the leading theories were recently shown to be hackable, but that's great, right? Like we've, we've absolutely proven something that needs to drop out.

Purandar Das: If you go back in time and think about homomorphic encryption, right?

That was supposedly the panacea or the answer for all of encryption challenges, and IBM for the longest time sat on it and tried to build this in-house. They did this for probably over a decade. I may be wrong at the time, but for over a decade, and then finally released the thing saying we're going to give it to the world.

It's not practical. They never were able to get it to work in a meaningful way. So they just gave up on it. What you mentioned and what's going on right now is the right way to do it. Why not include everybody that can help to make the product a better product and bring it to market faster is one thing.

The second thing it probably also tells you the urgency with which they're looking at the emerging problem. 

Justin Beals: Yeah, I think the urgency is good to hear. Yeah, yeah, because it's dangerous. We have a lot of past data that's encrypted in old technologies. 

Purandar Das: Yeah, and I think, I mean, that's also going to create ironically, uh, way to cake kind of a situation.

Because you have data structures, applications that are all meant to handle a specific size of data. When you increase the key size, that's going to dramatically increase the size of the data attribute or asset. So that'll be interesting to see what the retrofit into that is. 

Justin Beals: Yes. Well, Purandar, one of the things we love to do on SecureTalk is review a data breach or security issue with our expert guests.

And today we thought if you were open to it, we might talk a little bit about the LastPass breach, which has some interesting aspects of encryption. So, if you provide me just a moment, I'm going to talk about the breach a little bit, and then we can discuss our thoughts about it. Does that sound good?

Sounds good. Absolutely excellent. So we definitely like to be thorough in our background, and I'll kick us off by saying LastPass is a password management system. It's used to store multiple authentications to multiple systems, and it allows users to centralize their authentication credentials and create differentiated credentials instead of using the same password for multiple systems.

When you use the same password for multiple systems, you create a security vulnerability that can result in credential stuffing. Now, on December 22nd, LastPass notified their customers of a cybersecurity incident that may put stored passwords of LastPass users at risk. A copy of their customer password vaults was stolen or exfiltrated in November of 22.

LastPass learned that an unknown threat actor had accessed a cloud-based storage environment, leveraging information obtained from the previous security incident disclosed in August of 2022. While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from a development environment and used to target another employee, obtaining credentials and keys to access and decrypt some storage volumes within a cloud-based storage service. 

Dan Goodin at Ars Technica reported and then confirmed that the attackers had exploited a known vulnerability in a Plex media server that an employee was running on a home network and succeeded in installing malicious software, and that allowed them to steal passwords and authentication credentials to exfiltrate LastPass data.

The threat actor was able to copy a backup of customer vault data from the encrypted storage container, which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully encrypted sensitive fields, such as website usernames, passwords, secure notes and form-filled data.

The vaults also contained encrypted data that included systems, usernames and passwords and multi-factor authentication information. So one of the things that we have here, I'm going to pause for a second, Purandar, in the discussion, is that we've got a social engineering hack, exfiltration of data where most of the data was in an encrypted format, which is great, right? Like we had this backup data. Yeah. Some wasn't, but you know, there's good work there. At least that we have that encryption going on. 

Purandar Das: Yeah, that's the basics of good security, right? I mean, and that's the inside thing.

It's like encrypt the data and build a mechanism to detect if there's an attack or a breach on the data that's in. In our opinion, my opinion, that is the basic of what needs to be in place. 

Justin Beals: Yeah. So what's kind of crazy about this story, though, is that it is continuing to emerge. And so in October 23 of 2023, almost a year later, Taylor Monahan, a lead product manager of MetaMask, had been documenting crypto thefts via Twitter since March 2023.

So they had been analyzing some crypto thefts. Their team had identified a highly reliable set of clues that connected recent thefts targeting more than 150 people. Collectively, those individuals were robbed of more than 35 million worth of cryptocurrency. On August 28, Monahan concluded that the common thread among nearly every victim was that they had previously used LastPass to store their seed phrase.

The private key needed to unlock access to their cryptocurrency investments. So there's a secondary issue going on here. Like, it seems like the exfiltration of the data gave the threat actor plenty of time to start to decrypt some very specific information. 

Purandar Das: Absolutely. I mean, if you look at the more, or the, uh, the more recent ransomware attacks or the pattern in how ransomware attacks have changed, it's less about making the systems inoperable; that just happens to be a by-product because great, you're going to make them, I mean, obviously it doesn't impact, especially if it happens to be in a medical field where lives are dependent on stuff, right. Yeah. But they're more actually interested in getting their hands on the data. Because that has long-term value for them. It's not just that you can hold the company hostage. They hold you hostage and get you to pay; if you don't, then they're putting the data, releasing the data out in public. I think, I mean, you may recall the Washington DC breach, where they actually published police informants in cases, they put their names up there. 

Justin Beals: Yeah. 

Purandar Das: That's just one instance, right?

Think about all the sensitive data. Yeah, data exfiltration has actually become the primary target of attackers. Because in this case, the LastPass case, it just gave them a lot of time to go sit through the data and then be able to link it to other data sources and say, what else can we do with this?

Justin Beals: And one of the things that I read that was interesting was that LastPass stated, and they gave some, um, information around this, customers get to define the encryption level on the vault based upon the password length that they set aside for that vault. So if you picked an easy password for the vault, brute force attacks were possible within time, yeah, within computing power.

Yeah. And I, I think there's a thing here, where we as technologists need to sometimes educate users or provide control guardrails, right? 

Purandar Das: Absolutely. I mean, yeah, I think we've all seen studies where the most commonly used password is password. 

Purandar Das: Great. I mean, in some cases it's laziness. Some cases it's lack of awareness, right?

For the bulk of the users. I mean, we, you and I, right, for the most part tend to look at this and think about it as trained technologists, because we've lived our careers here, and we know when you take that to somebody that's not connected with technology, but is sitting in front of new technology, trying to adopt a new service, all of that is pretty scary, right?

So you tend to do the simplest thing and that happened. Unfortunately, that also happens to be the weakest thing, which is the password. 

Justin Beals: Yeah. And especially when you're dealing with encryption and it's based off that password key. And that's the level of encryption. 

Purandar Das: Yeah, 

Justin Beals: You're not thinking about that, but it seems like they're either. I guess what I would ask as a CTO, if I were building a feature set around this, is do we force a certain extent to the keywords so that we know it takes a certain amount of computing power to crack that encryption, or do we educate the customer that, hey, a password of an encryption key of this length would take a normal computer, you know, three months. Is that what you want to give them the opportunity to do? 

Purandar Das: Yeah. I mean, I would tend to, in this scenario where you're talking with people losing millions and their life savings, there's gotta be guardrails that say it can't be anything weaker than this, because the risk that you run is them being emptied of their life savings.

Justin Beals: Yeah, you know, as always, I want to express that we're really grateful to companies like LastPass for being public with this information. It gives all of us an opportunity to improve security across the board. And of course, this work is rife with mistakes and issues and learning opportunities for all of us.

Purandar, it has been so enormously helpful to have you on the podcast today. I really have enjoyed our conversation and we're very grateful that you've shared your expertise with us. 

Purandar Das: It's my privilege to be here. Thank you. I appreciate you having me. The conversation was fantastic. Thank you so much.

Justin Beals: Excellent. And thanks to all our listeners. We'll catch up with you next time on Secure Talk.


About our guest

Purandar Das CEO and Founder Sotero

Purandar has held the position of Chief Technology Officer (CTO) at two of the largest marketing services companies and is now the CEO and Founder of Sotero. Some of his notable achievements include building a system that generated half a billion credit card offers annually and managing two email platforms that sent 30 billion marketing emails each year. He has extensive experience across various sectors, including banking, hospitality, retail, and consumer packaged goods (CPG). 

Purandar has been directly responsible for managing 30-40 billion customer records and, with Sotero, currently oversees critical data for 108 million cell phone customers, protecting over a petabyte and a half of data.
