Archive for the ‘password reset’ Category

What was the name of your first exploit? Win 10 security questions open backdoor

December 5th, 2018

Security questions—the annoying shared secrets used as a secondary form of authentication—have been around forever and are used by just about everyone to deal with users who forget their password. That’s starting to change as more enlightened services—most notably Google and Facebook—have recently phased out security questions after recognizing something then-vice presidential candidate Sarah Palin learned the hard way in 2008: the answers are easy for hackers to guess.

Enter Microsoft, which earlier this year added a security questions feature to Windows 10. It allows users to set up a list of security questions that can be asked in the event they later forget a password to one of their administrative accounts. By answering questions such as “What was your first car?” the users can reset the forgotten password and regain control of the account. It didn’t take long for researchers to identify weaknesses in the newly introduced feature. They presented their findings today at the Black Hat Europe Security Conference in London.

“Durable, stealthy backdoor”

The problem, the researchers said, is that the password reset questions are too easy to set and too hard to monitor in networks made up of hundreds or thousands of computers. A single person with administrator credentials can remotely turn them on or change them on any Windows 10 machine and there’s no simple way for the changes to be monitored or changed. As a result, malicious users—say a rogue employee or a hacker who briefly gains unauthorized administrative control—can use the security questions as a backdoor that will secretly allow them to regain control should they ever lose it.


Posted in Biz & IT, microsoft, password reset, passwords, security questions, Windows

Valve Patches Password Reset Vulnerability in Steam

July 27th, 2015

Valve Software has patched a vulnerability in the Steam gaming platform that enabled account hijacking through its password reset mechanism.

Posted in Gaming Security, password reset, Password reset vulnerability, Steam, Steam gaming platform, Steam patch, Steam vulnerability, Valve Software, Valve Software patch, vulnerabilities, Web Security