Wired reports on strong Russian interest in password cracking tool Mimikatz:
In early 2012, Delpy was invited to speak about his Windows security work at the Moscow conference Positive Hack Days. He accepted—a little naively, still thinking that Mimikatz’s tricks must have already been known to most state-sponsored hackers. But even after the run-in with the man in his hotel room, the Russians weren’t done. As soon as he finished giving his talk to a crowd of hackers in an old Soviet factory building, another man in a dark suit approached him and brusquely demanded he put his conference slides and a copy of Mimikatz on a USB drive.
Delpy complied. Then, before he’d even left Russia, he published the code open source on Github, both fearing for his own physical safety if he kept the tool’s code secret and figuring that if hackers were going to use his tool, defenders should understand it too.
As the use of Mimikatz spread, Microsoft in 2013 finally added the ability in Windows 8.1 to disable WDigest, neutering Mimikatz’s most powerful feature. By Windows 10, the company would disable the exploitable function by default.
But Rendition’s Williams points out that even today, Mimikatz remains effective on almost every Windows machine he encounters, either because those machines run outdated versions of the operating system, or because he can gain enough privileges on a victim’s computer to simply switch on WDigest even if it’s disabled.
You know that. But what’s crazy is that, in 2015, some websites are intentionally disabling a feature that would allow you to use stronger passwords more easily—and many are doing so because they wrongly argue it makes you safer.
Here’s the problem: Some sites won’t let you paste passwords into login screens, forcing you, instead, to type the passwords out. This makes it impossible to use certain kinds of password managers that are one of the best lines of defense for keeping accounts locked down.
Typically, a password manager will generate a long, complex, and—most importantly—unique password, and then store it in an encrypted fashion on either your computer or a remote service. All you have to do is remember one password to enter all of your others. In essence, the task of remembering dozens of passwords is relegated to the manager, meaning that you don’t have to deploy that same, easy-to-remember password on multiple sites.
“We are confident that our encryption measures are sufficient to protect the vast majority of users,” he blogged. “LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.”
The investigation did not turn up any evidence that encrypted user vault data was taken or that LastPass user accounts were accessed.
“Nonetheless, we are taking additional measures to ensure that your data remains secure,” Siegrist blogged. “We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. As an added precaution, we will also be prompting users to update their master password. An email is also being sent to all users regarding this security incident.”
This is the latest in a series of internet-wide security breaches taking place almost daily. No matter where you store your data – locally on your computer’s hard drive, on a storage device connected to your network, or in the cloud – it is not safe and can be breached. Ensure you take the proper precautions to secure your more valuable data so that when it is stolen – and it is a matter of when, not if – you can feel confident it will remain unreadable.
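To make the two-layer strengthening that Siegrist describes concrete, here is an added illustration (not LastPass’s code): a client-side PBKDF2 pass produces the authentication hash, and the server then applies a random per-user salt plus 100,000 further rounds of PBKDF2-SHA256 before storing anything. The client-side round count and the use of the account email as the client salt are assumptions made for this example; the post only gives the server-side figure.

```python
import hashlib
import hmac
import os

# Assumed client-side parameters; the post does not state them.
CLIENT_ROUNDS = 5000
# Server-side figure quoted in the post.
SERVER_ROUNDS = 100_000
SALT_BYTES = 32


def client_auth_hash(master_password: str, email: str) -> bytes:
    """Client-side strengthening: the value the client sends at login.
    Using the lowercased account email as the client salt is an assumption."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), CLIENT_ROUNDS
    )


def enroll(auth_hash: bytes) -> dict:
    """Server side: add a random salt and 100,000 more PBKDF2-SHA256 rounds.
    Only the salt, round count and final hash are stored, never auth_hash."""
    salt = os.urandom(SALT_BYTES)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return {"salt": salt, "rounds": SERVER_ROUNDS, "hash": stored}


def verify(record: dict, auth_hash: bytes) -> bool:
    """Recompute the server-side hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["hash"])


def offline_guess_cost(record: dict) -> int:
    """PBKDF2 iterations someone holding only the stolen record must spend per
    password guess: the client rounds (assumed public) plus the server rounds.
    This is why the stored hashes cannot be attacked 'with any significant speed'."""
    return CLIENT_ROUNDS + record["rounds"]


if __name__ == "__main__":
    # Constructed sample account; not real user data.
    email, password = "user@example.com", "correct horse battery staple"
    record = enroll(client_auth_hash(password, email))
    print("login ok:", verify(record, client_auth_hash(password, email)))
    print("wrong password ok:", verify(record, client_auth_hash("password1", email)))
    print("PBKDF2 iterations per offline guess:", offline_guess_cost(record))
```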
Starting Wednesday, NTT DoCoMo customers with smartphones capable of handling biometric authentication will be able to access several online services using iris recognition or fingerprint authentication, the company said. The company offers four smartphones with biometric authentication, including the Galaxy S6 Edge SC-04G, Galaxy S6 SC-05G, Arrows NX F-04G and Aquos Zeta SH-03G. The Arrows NX F-04G has an iris scanner which can authenticate the user.
NTT DoCoMo will support biometric authentication based on protocols developed by the FIDO Alliance, a consortium of technology companies and financial services firms trying to strengthen authentication by creating protocols and standards which don’t rely on passwords. The protocols rely on the combination of hardware, software, and services, and are designed to be interoperable across different networks and devices.
This effort is aimed only at Android-based phones sold by Docomo. How long before KDDI and Softbank follow suit?