Archive for the ‘passwords’ Category

What was the name of your first exploit? Win 10 security questions open backdoor

December 5th, 2018
What was the name of your first exploit? Win 10 security questions open backdoor

Enlarge (credit: Microsoft)

Security questions—the annoying shared secrets used as a secondary form of authentication—have been around forever and are used by just about everyone to deal with users who forget their password. That’s starting to change as more enlightened services—most notably Google and Facebook—have recently phased out security questions after recognizing something then vice presidential candidate Sarah Palin learned the hard way in 2008: the answers are easy for hackers to guess.

Enter Microsoft, which earlier this year added a security questions feature to Windows 10. It allows users to set up a list of security questions that can be asked in the event they later forget a password to one of their administrative accounts. By answering questions such as “What was your first car?” the users can reset the forgotten password and regain control of the account. It didn’t take long for researchers to identify weaknesses in the newly introduced feature. They presented their findings today at the Black Hat Europe Security Conference in London.

“Durable, stealthy backdoor”

The problem, the researchers said, is that the password reset questions are too easy to set and too hard to monitor in networks made up of hundreds or thousands of computers. A single person with administrator credentials can remotely turn them on or change them on any Windows 10 machine and there’s no simple way for the changes to be monitored or changed. As a result, malicious users—say a rogue employee or a hacker who briefly gains unauthorized administrative control—can use the security questions as a backdoor that will secretly allow them to regain control should they ever lose it.

Read 7 remaining paragraphs | Comments

Posted in Biz & IT, microsoft, password reset, passwords, security questions, Windows | Comments (0)

Hack on 8 adult websites exposes oodles of intimate user data

October 20th, 2018
One of the hacked websites, wifelovers.com, as it appeared on October 12.

Enlarge / One of the hacked websites, wifelovers.com, as it appeared on October 12. (credit: Internet Archive)

A recent hack of eight poorly secured adult websites has exposed megabytes of personal data that could be damaging to the people who shared pictures and other highly intimate information on the online message boards. Included in the leaked file are (1) IP addresses that connected to the sites, (2) user passwords protected by a four-decade-old cryptographic scheme, (3) names, and (4) 1.2 million unique email addresses, although it’s not clear how many of the addresses legitimately belonged to actual users.

Robert Angelini, the owner of wifelovers.com and the seven other breached sites, told Ars on Saturday morning that, in the 21 years they operated, fewer than 107,000 people posted to them. He said he didn’t know how or why the almost 98-megabyte file contained more than 12 times that many email addresses, and he hasn’t had time to examine a copy of the database that he received on Friday night.

Still, three days after receiving notification of the hack, Angelini finally confirmed the breach and took down the sites on early Saturday morning. A notice on the just-shuttered sites warns users to change passwords on other sites, especially if they match the passwords used on the hacked sites.

Read 15 remaining paragraphs | Comments

Posted in Biz & IT, Data breaches, passwords, personal information | Comments (0)