Skip to main content

LastPass Password Manager Details Vulnerable to Hack


LastPass is one of the popular password managers, which stores user’s passwords in the cloud in an encrypted vault. This user’s database is protected by a single username/password pare and various forms of two-factor authentication. However, some security researcher has recently issued a tool able to steal the login details and two-factor authentication key for the manager, thus leaving users potentially exposed. The instrument in question enables hackers to mimic the look and feel of the LastPass browser plugin and website, imitating the way the password manager requests a user’s password and two-factor authentication key.


The security researcher presented the attack at the hacker convention ShmooCon in Washington, calling it LostPass. The attack works because ordinary users can’t tell the difference between a fake and a real message. The fake message shows up if a user visits a malicious website. Once the malware detects that the browser is using LastPass, it mimics a LastPass notification, remotely logs-out the user and requests their password and two-factor authentication key. As a result, the hacker would be able to gain access to every password stored in the system, change settings, block a user’s access or hide it leaving the user none-the-wiser.

LastPass was notified about the vulnerability back in November and responded by implementing a system to alert users when they type their master password on a fake site. The problem is that hackers can easily block that notification as well.

While the attack is not a flaw within LastPass itself, it still highlights a major problem that even the most careful users can encounter. As for the service, it said that the email verification process significantly reduces the threat of such phishing attack because in this case the hackers would need to gain access to the user’s email account as well. In this case, if a user sees a verification request they never initiated, they can safely ignore it.

LastPass also added that it has implemented a fix preventing the malware from logging a user out of their account. Although none of these changes can prevent the hackers from stealing login details, they could still prevent from using those details to access the user’s password manager.

Comments

Popular posts from this blog

Here Are 7 Brilliant Cheat Sheets For Linux/Unix

There's nothing better than a cheatsheet when you are stuck and need a reference. So here bringing to you 7 brilliant free cheat sheets.  1. Unix Tool Box : An incredibly exhaustive reference for all things Linux. This document is a collection of Unix/Linux/BSD commands and tasks which are useful for IT work or for advanced users. 2. One page Linux Manual : Great one page reference to the most popular Linux commands, it is a summary of useful Linux commands. 3. Linux Reference Card : One great reference published by FOSSwire. 4. Linux Command Line Cheat Sheet : This is an interestingly sorted and helpful cheat sheet by cheatography. 5. Linux Command Line Tips : This is a linux command line reference for common operations. Cleanly sorted and well described. 6. Treebeard’s Unix Cheat Sheet : A great reference that shows command comparisons with that of DOS. So if you are someone who was a DOS user and has switched to Linux, this is the best one too have! 7. Linux Shor

Extracting Administrator Passwords Using LCP

Extracting Administrator Passwords Using LCP Link Control Protocol (LCP) is part of the Point-to-Point (PPP) protocol In PPP communications, both the sending and receiving devices send out LCP packets to determine specific information required for data transmission. ■ Use an LCP tool ■ Crack administrator passwords Tools Needed ■ A computer running Windows Server 2012 ■ A web browser with an Internet connection ■ Administrative privileges to run tools                ■ You can also download the latest version of LCP from the link         http: / www.lcpsoft.com/engl1sh/1ndex.htm ■ If you decide to download the latest version, then screenshots shown     might differ ■ Follow the wizard driven installation instructions ■ Run this tool in Windows Server 2012 ■ Administrative privileges to run tools ■ TCP/IP settings correctly configured and an accessible DNS server Overview of LCP LCP program mainly audits user account passwords and

Ten Important Rules Of Ethical Hacking

The world of ethical hacking too is bound by a set of rules and principles, here are 10 crucial ones!   Time and again we have been bringing you valuable resources on ethical hacking since we know and understand the nature of things as far as security goes. Ethical hacking is picking up steam each day with more and more organisations spending heftily to maintain the sanctity of their systems and data. As such, ethical hacking is a glorious career option in the current scheme of things. 1.Set your goals straight To begin with, an ethical hacker must start thinking like the intruder. He must be able to identify the loopholes on the target access points or networks that are prone to attack, he must be aware of the repercussions of these loopholes and how the intruder can use it against the same. An ethical hacker then has to find out if anyone at the target notice the intruder's attempts to carry out his/her acts. Finding out and eliminating unauthorised wireless access point