Cyber Security News Aggregator
.Cyber Tzar
provide acyber security risk management
platform; including automated penetration tests and risk assesments culminating in a "cyber risk score" out of 1,000, just like a credit score.
First slide label
Some representative placeholder content for the first slide.
Second slide label
Some representative placeholder content for the second slide.
Third slide label
Some representative placeholder content for the third slide.
Vulnerability in the Kaspersky Password Manager
published on 2021-07-06 14:27:47 UTC by Bruce SchneierContent:
A vulnerability (just patched) in the random number generator used in the Kaspersky Password Manager resulted in easily guessable passwords:
The password generator included in Kaspersky Password Manager had several problems. The most critical one is that it used a PRNG not suited for cryptographic purposes. Its single source of entropy was the current time. All the passwords it created could be bruteforced in seconds. This article explains how to securely generate passwords, why Kaspersky Password Manager failed, and how to exploit this flaw. It also provides a proof of concept to test if your version is vulnerable.
The product has been updated and its newest versions aren’t affected by this issue.
Stupid programming mistake, or intentional backdoor? We don’t know.
More generally: generating random numbers is hard. I recommend my own algorithm: Fortuna. I also recommend my own password manager: Password Safe.
EDITED TO ADD: Commentary from Matthew Green.
https://www.schneier.com/blog/archives/2021/07/vulnerability-in-the-kaspersky-password-manager.html
Published: 2021 07 06 14:27:47
Received: 2021 07 06 15:05:00
Feed: Schneier on Security
Source: Schneier on Security
Category: Cyber Security
Topic: Cyber Security
Views: 9
