
Password Managers Share a Hidden Weakness

February 22, 2026
By ZadeNor AI Team

We at WIRED have recommended password managers for years. They are, arguably, the only practical and convenient system for creating and implementing unique, sufficiently strong passwords across every online account in your life. But the risk—at least when using cloud-based password managers that back up your credentials and make them accessible across devices—is that the password manager company itself becomes a point of vulnerability. If one of these companies is breached or suffers a data leak, those flaws could expose an untold number of secret credentials.

Password manager companies have responded to those fears with promises of “zero knowledge” systems in which they claim credentials are encrypted so that even they can’t access them in an unencrypted state. But a new study from security researchers at ETH Zurich and USI Lugano shows how frequently those claims are showing cracks—or failing altogether if a malicious insider or hacker is sufficiently skilled at exploiting cryptographic flaws.

The researchers specifically analyzed password managers from Bitwarden, Dashlane, and LastPass—though they warn their findings likely apply to others, too—and found that they could often gain access to users’ credentials. In some cases, they could access users’ entire “vault” of passwords or even gain the ability to write to those vaults at will. The cryptographic vulnerabilities they found varied between password managers and existed only when certain features were enabled, such as the key escrow systems that allow the backup and recovery of passwords. But they also say many of the flaws they found were relatively simple and show the lack of scrutiny around password managers’ “zero knowledge” claims.

Defcon Hacker Conference Bans 3 People for Their Connections to Epstein

Virtually no part of American society, it increasingly seems, has escaped mention in the newly released emails of the late convicted pedophile and sex trafficker Jeffrey Epstein—including the cybersecurity and technology community represented at the Defcon hacker conference. Defcon this week officially banned three people whose ties to Epstein had come to light in the Justice Department’s incomplete and highly redacted release of documents related to Epstein: cybersecurity entrepreneur Vincent Iozzo—who had already been removed from the review board on the website of Black Hat, Defcon’s more corporate sister conference—as well as former MIT Media Lab director Joichi Ito and tech investor Pablos Holman. (A spokesperson for Iozzo said the ban was “performative” and not based on any “wrongdoing,” in a statement to TechCrunch, while Holman and Ito didn’t respond to its requests for comment.) All three men had extensive interactions with Epstein, including long after he was exposed as a sex offender and trafficker both in court and in extensive media reporting.

US Planning “Online Portal” to Unblock Banned Global Content

More than two decades ago, the government domain “freedom.gov” was used for news and “victory” information about the war in Iraq. Since the domain was reregistered on January 12, after years being offline, it has been part of a State Department effort to create an anti-censorship “online portal,” according to a Reuters report this week.

The report says the portal may have been created to “enable people in Europe and elsewhere” to see content banned by their governments, citing hate speech- and terrorism-related content as examples. The website may incorporate VPN technology to get around geolocation blocks. The development of the site, which could help to further fracture differing internet freedom regimes and political tensions between the US and Europe, comes at a time when many US government-funded internet freedom programs have been shut down.

Cambodia Claims It Will Eradicate Scam Compounds. Experts Are Skeptical

During the past decade, hundreds of thousands of human trafficking victims have been forced to run online scams from vast prisonlike compounds in Southeast Asia. These so-called scam compounds have flourished across Myanmar, Laos, and Cambodia, making billions of dollars for the often Chinese criminal gangs that run the facilities. Facing growing international pressure, including sanctions on criminal bosses operating in the country, Cambodian officials now claim they are raiding casinos and scam compounds in the region, with the aim of shutting down all of the operations by April. Allegedly more than 100,000 foreigners have been released from compounds in recent weeks. However, many of those human trafficking victims have found themselves stuck in Cambodia and part of a growing humanitarian crisis. Experts have also pointed out that multiple previous scam compound crackdowns have been temporary, with the industry managing to survive each time and continuing to make huge profits.

The Implications of Password Manager Vulnerabilities

The study by ETH Zurich and USI Lugano researchers highlights the need for greater scrutiny of password manager companies and their claims of “zero knowledge” systems. While password managers are a convenient and practical solution for creating and implementing unique, sufficiently strong passwords, the risk of a data leak or breach is still present. This is particularly concerning given the widespread use of cloud-based password managers that back up credentials and make them accessible across devices.

The vulnerabilities found in the study also raise questions about the security of password managers and the potential for malicious insiders or hackers to exploit them. This highlights the need for greater transparency and accountability from password manager companies, as well as the need for users to be aware of the potential risks and take steps to mitigate them.

Forward-Looking Thoughts

The study by ETH Zurich and USI Lugano researchers is a timely reminder of the need for greater scrutiny of password manager companies and their claims of “zero knowledge” systems. As the use of cloud-based password managers continues to grow, it is essential that users are aware of the potential risks and take steps to mitigate them. This includes being aware of the vulnerabilities found in the study and taking steps to protect their credentials.

The development of the State Department’s anti-censorship “online portal” also raises questions about the potential implications for internet freedom and the role of the US government in promoting it. As the US government continues to grapple with the challenges of promoting internet freedom, it is essential that it takes a nuanced and thoughtful approach that balances the need to promote freedom of expression with the need to protect national security and prevent the spread of hate speech and terrorism-related content.

The Cambodian government’s claims to eradicate scam compounds also raise questions about the potential implications for human trafficking victims and the need for greater international cooperation to address this issue. As the international community continues to grapple with the challenges of human trafficking, it is essential that it takes a comprehensive and coordinated approach that addresses the root causes of this issue and provides support to victims.

In conclusion, the study by ETH Zurich and USI Lugano researchers highlights the need for greater scrutiny of password manager companies and their claims of “zero knowledge” systems. It also raises questions about the potential implications of the State Department’s anti-censorship “online portal” and the Cambodian government’s claims to eradicate scam compounds. As the use of cloud-based password managers continues to grow, it is essential that users are aware of the potential risks and take steps to mitigate them.


Source: https://www.wired.com/story/security-news-this-week-password-managers-share-a-hidden-weakness/

About the Author

ZadeNor AI Team is a leading expert in AI, contributing to cutting-edge research and development in the field.