Password theft evolves at dizzying speeds

Weekend Argus (Saturday Edition) - MEDIA & MARKETING

WASHINGTON: Millions of people count on password managers to safeguard their accounts and help them keep track of their passwords. By serving as a sort of master key for their accounts, password managers can encourage good digital hygiene, such as using long, complex and unique passwords.

But a major vulnerability in one of the most popular password managers, LastPass, shows how even the tactics users hope will protect them online can still leave them vulnerable – and just how hard it is to keep up with what technology to trust.

Tavis Ormandy, a member of a Google team that hunts for unknown software bugs, discovered the LastPass problem this week, calling it a “complete remote compromise”. A distant attacker could potentially take over users’ LastPass accounts and gain access to their troves of passwords – at least, if they visited a website designed to exploit the vulnerability while using the LastPass browser extension with Firefox, according to a blog post from LastPass.

LastPass pushed out an update on Wednesday fixing the problem. It also acknowledged an issue that similarly exposed user passwords and was disclosed to LastPass by security researcher Mathias Karlsson last year.

The company fixed the problem Karlsson discovered when he told them about it, but it wasn’t made public until Wednesday, when Karlsson published a blog post explaining the bug. Industry best practice is for researchers to wait until after problems have been fixed to talk about them, but companies don’t always announce when they’ve made major corrections.

This isn’t the first time password managers have had security problems. In 2014, researchers uncovered security problems in LastPass and four other password managers. Last year, researchers were able to sneak a malicious program into the Apple App Store that could steal passwords from iOS and OS X’s built-in Keychain password management tool, as well as from the popular password manager 1Password.

Earlier this week, a government agency also waved developers away from another common account security strategy: using SMS text messages to deliver two-factor authentication codes. Two-factor authentication is one of the best basic steps people can take to secure their accounts. It works by having a user verify their identity using another method beyond a password, most often by entering a code sent to them via SMS.

But the National Institute of Standards and Technology argues that using SMSes for two-factor authentication shouldn’t be considered secure, because the number associated with an account might change hands or the code might be intercepted if sent to a number registered through an online service, including Skype or Google Voice. Instead, the guidance suggests alternatives such as using secure apps for two-factor authentication, already offered through Google. – Washington Post
