Windows 10 Bundled a Password Manager with a Security Flaw (bleepingcomputer.com), 2017-12-17
An anonymous reader writes: A Google security researcher has found and helped patch a severe vulnerability in Keeper, a password manager application that Microsoft has been bundling with some Windows 10 distributions this year... "This is a complete compromise of Keeper security, allowing any website to steal any password," Tavis Ormandy, the Google security researcher, said, pointing out that the password manager was still vulnerable to the same vulnerability he reported in August 2016, which had apparently been reintroduced in the code.
Based on user reports, Microsoft appears to have been bundling Keeper as part of Windows 10 Pro distributions since this past summer.
The article reports that Keeper issued a fix -- browser extension version 11.4 -- within less than 24 hours.
So.. rename it "Giver"?
Seems to me that a lot of these types of breaches may be intentional due to pressure from agencies who want the ability to spy on users and don't care what the repercussions are. Patch published breaches and create another one when things quiet down.
Hanlon's razor applies here: never attribute to malice that which is adequately explained by stupidity. In the case of Microsoft, there's plenty of stupidity to go around: when it comes to security and bugginess, they couldn't code their way out of a wet paper bag.
How come coding errors always reduce security by accident, rather than increase security? Configuration scripts will allow password-free logins by mistake.
Security is a hard task with a fragile result. There's a quote that I can't precisely recall, something along the lines of "Security is like math, except it matters which kind of pen you use to write it". It's vastly easier to leak information accidentally than to accidentally keep everything secret that should be.
On the other side of the coin, let's suppose someone did accidentally do things right. Even if they don't know how they did it, that's not an accident. That's just doing things right, and not the s
Sometimes you can make a password management system that takes your single secret password (or a keyfile), adds the host name and the username, tosses it through a SHA-512 HMAC, then uses the first n characters, n being the max the site allows. The nice thing about this method is that the password can't be figured out even if an attacker gets your site passwords.
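A minimal implementation of the derivation scheme this comment describes, added here as an example and not the commenter's own code; the NUL separator between host and username, the case-folding of the host, and the base64url encoding of the MAC before truncation are assumptions the comment does not state.

```python
import base64
import hashlib
import hmac
from typing import Union


def derive_site_password(master: Union[str, bytes], host: str, username: str, n: int) -> str:
    """Derive a per-site password: HMAC-SHA512 keyed with the master secret
    (a passphrase string or raw keyfile bytes) over host name + username,
    truncated to the first n characters, n being the site's maximum.

    Assumptions (not in the comment): host and username are joined with a
    NUL byte so "a"+"bc" cannot collide with "ab"+"c"; the host is lowercased
    so "Example.com" and "example.com" yield the same password; the 64-byte
    MAC is base64url-encoded (86 chars) so truncation keeps a 64-symbol
    alphabet instead of 16 hex digits.
    """
    if n <= 0:
        raise ValueError("n must be positive")
    key = master.encode("utf-8") if isinstance(master, str) else master
    msg = host.strip().lower().encode("utf-8") + b"\x00" + username.encode("utf-8")
    mac = hmac.new(key, msg, hashlib.sha512).digest()
    encoded = base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")
    if n > len(encoded):
        # One SHA-512 output only yields 86 base64url characters.
        raise ValueError(f"n must be at most {len(encoded)}")
    return encoded[:n]


def max_password_length() -> int:
    """Longest password one HMAC-SHA512 output can supply under this encoding."""
    return 86


# Risk note for anyone adopting this: every site password depends on one
# master secret, and a leaked site password plus the public host/user lets
# an attacker guess weak masters offline, so the master must be high-entropy.
if __name__ == "__main__":
    pw = derive_site_password("correct horse battery staple", "example.com", "alice", 20)
    print(f"example.com / alice -> {pw}")
```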
My ideal password manager would be one that synced to a cloud provider, but had each device have its own private key, and a record so it can unloc
If it is still unpatched, one has to assume it is by design.
Somebody's gotta say it.. (Score:5, Insightful)
Windows 10 IS IN ITSELF a MAJOR security flaw... I think it's too precious to call out one tiny piece of Windows 10 and complain about its security flaw.... Of course I will be ruthlessly downmodded by the Windows astroturfing squad... Do your worst, as MOST of us with half a clue know I'm right...
The networking components of Windows 10 are security flaws; auto-update, remote administration enabled by default, Samba, web-browsers auto-connecting to Facebook, Google, Amazon Web Services, Yahoo etc...
https://en.wikipedia.org/wiki/... [wikipedia.org]
A password manager alone does not increase your security. Rather, it enables the use of much stronger passwords and enables having unique passwords for each resource, while also allowing the password list to be securely backed up for disaster recovery. With those combined efforts, the attack surface for an individual is reduced tremendously.
The days of individual attacks are long gone. Unless you're a high-profile political dissident, nobody cares about your personal computer. Rather, you're just one of a h
It's from Porter Industries, with fancy new headquarters in the basement of Lubyanka Square, Moscow.
PorterPass : At least you know the NSA won't be spying on your passwords!
"I've heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages," said Tavis Ormandy, the Google security researcher who discovered the recent vulnerability.
Looks like Keeper is installed, but the user needs to somehow "login" to Keeper for this flaw to trigger. Then it injects some privileged UI into pages, it says. A malicious site can use clickjacking to steal passwords.
Looks like the victim should log in to Keeper and then visit a malicious website. Not clear whether it is adding this privileged UI only into Edge/Internet Explorer or if it is injecting it into Chrome and Firefox as well.
If Chrome/Firefox users are not affected, this gives one more reason
Trusting Microsoft is your first mistake (Score:3)
Trusting Microsoft was your first mistake. I don't trust those idiots to do anything. I wait years between upgrading Windows OS (no choice but to use MS due to critical software). I was on XP for years, finally upgraded to 7. I have no intention of going to Windows 10 until security updates for Windows 7 expire. I worry that with the update treadmill of Windows 10, it may turn out to be a perpetual bug cluster F*** since they can always just push out a new patch to fix what they broke in the last one.
The most secure way to store your passwords is on a piece of paper next to your computer. For added security, abbreviate the parts of the password with a reminder rather than the actual part, so that only you can decode the reminder and create the actual password. The odds of someone breaking into your house, being interested in your password list, and further figuring out your password hints to reconstruct your actual password are so minuscule as to be essentially zero. The odds of some organization that you use being hacked and compromising your information or login and password are far more likely.
Until we start taking hacking more seriously: criminal charges for negligent security at corporations (i.e. not using best practices) and heavy corporate fines on a per victim level, and life sentences with no parole, etc. for hackers and black bagging non-extradition offenders (or just blocking/blacklisting non-extradition/bad actor countries), the hacking epidemic will continue to grow.