Password Manager - Stranica 5

xlr · 25.01.2023., 17:30

Ako su iste kao onda - svakako bih promjenio.

The Exiled · 28.02.2023., 11:10

Friški nastavak LastPass sage ...

Citiraj:

The company has now disclosed how the threat actors performed this attack, stating that they used information stolen in an August breach, information from another data breach, and a remote code execution vulnerability to install a keylogger on a senior DevOps engineer's computer. As only four LastPass DevOps engineers had access to these decryption keys, the threat actor targeted one of the engineers. Ultimately, the hackers successfully installed a keylogger on the employee's device by exploiting a remote code execution vulnerability in a third-party media software package. As part of today's disclosure, LastPass has released more detailed information on what customer information was stolen in the attack. Depending on the particular customer, this data is wide and varied, ranging from Multifactor Authentication (MFA) seeds, MFA API integration secrets, and to Split knowledge component (“K2”) Key for Federated business customers.

Ukratko, pokradeno im je sve moguće.

Dottore · 28.02.2023., 11:25

Ja sam otišao od 10mj i još nisam imao problema.

Neo-ST · 17.05.2023., 14:11

Keepass vulnerability:

https://nvd.nist.gov/vuln/detail/CVE-2023-32784

The Exiled · 17.05.2023., 19:24

Citiraj:

For the PoC tool to work, you need the process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys) or a RAM dump of the entire system.
It has been fixed in the test versions of KeePass v2.54 – the official release is expected by July 2023.
KeepassXC – a fork of KeePassX, which is a cross-platform port of KeePass – is not affected.

Neo-ST · 23.05.2023., 13:14

Opet Keepass? https://twitter.com/ghidraninja/stat...60231111598080

The Exiled · 23.05.2023., 13:37

Nema veze s KeePassom, ovo je neki/nečiji iOS KeePass, dok je ovdje popis pravih službenih iOS aplikacija.

Night · 24.05.2023., 09:31

Citiraj:

Autor Neo-ST

Keepass vulnerability:

https://nvd.nist.gov/vuln/detail/CVE-2023-32784

Najnezgodniji dio je ovo što navodno može ostaviti plaintext password u pagefile.sys, još jedna preporuka za koristiti full-disk encryption.
Probao sam runati PoC kod na jednom pagefile.sys dumpu sa kompa koji ima KeePass ali nije mi ništa izbacio, memory dump još nisam testirao.
Autoru kao da se baš ne žuri sa ispravkom ovog dosta ozbiljnog propusta.

The Exiled · 03.06.2023., 20:27

KeePass 2.54 released

Citiraj:

New Features:

Triggers, global URL overrides, password generator profiles and a few more settings are now stored in the enforced configuration file.
Added dialog 'Enforce Options (All Users)' (menu 'Tools' → 'Advanced Tools' → 'Enforce Options'), which facilitates storing certain options in the enforced configuration file.
Export confirmation dialog banners now have a yellow-orange background.
In export confirmation dialogs, the text of the 'OK' button is now changed to 'Confirm Export'.
In report dialogs, passwords (and other sensitive data) are now hidden using asterisks by default (if hiding is activated in the main window); the hiding can be toggled using the new '***' button in the toolbar.
The 'Print' command in most report dialogs now requires the 'Print' application policy flag, and the master key must be entered if the 'Print - No Key Repeat' application policy flag is deactivated.
The 'Export' command in most report dialogs now requires the 'Export' application policy flag, and the master key must be entered.
Single line edit dialogs now support hiding the value using asterisks.
On Unix-like systems, commands that require elevation now have a shield icon (like on Windows).
TrlUtil: added 'Move Selected Unused Text to Dialog Control' command.

Citiraj:

Improvements:

Improved process memory protection of secure edit controls.
The content mode of the configuration elements '/Configuration/Application/TriggerSystem', '/Configuration/Integration/UrlSchemeOverrides' and '/Configuration/PasswordGenerator/UserProfiles' is now 'Replace' by default.
The built-in override for the 'ssh' URI scheme is now deactivated by default (it can be activated in the 'URL Overrides' dialog).
When opening the password generator dialog without a derived profile, the '(Automatically generated passwords for new entries)' profile is now selected by default, if profiles are enabled (otherwise the default profile is used).
Improved UI update performance in the password generator dialog.
Improved and renamed dialog banner styles.
The separator line of light dialog banners is gray now.
Improved serialization/deserialization of custom configuration settings (used by plugins).
Improved reporting of unknown database header fields.
On Unix-like systems, the clipboard workarounds are now disabled by default (they are not needed anymore on most systems).
Improved clipboard clearing on Unix-like systems.
Improved starting of an elevated process on Unix-like systems.
TrlUtil: improved keyboard shortcut assignment and toolbar construction.
Installer: the desktop shortcut is now created for all users (if the option 'Create a desktop shortcut' is activated).
Installer: removed the Quick Launch shortcut option.
Upgraded installer.
Various UI text improvements.
Various code optimizations.
Minor other improvements.

kreso75 · 04.06.2023., 09:50

Citiraj:

Autor The Exiled

KeePass 2.54 released

Jesu ispravili sigurnosni propust da se može doći do master passworda na Windowsima?
Iz opisa na "New features" i "Imporvements" mi se ne čini da su to naveli...

The Exiled · 04.06.2023., 12:20

Da, popravljeno (1 - 2) je i to nekih dva mjeseca prije od planiranog.

Citiraj:

The vulnerability was assigned CVE-2023-32784 and fixed in KeePass 2.54. Thanks again to Dominik Reichl for his fast response and creative fix!

Citiraj:

EDIT:

Citiraj:

Users of KeePass 1.x, Strongbox, or KeePassXC are not impacted by CVE-2023-32784 and, thus, do not need to migrate to a newer release. To fix the vulnerability, KeePass is now using a Windows API to set or retrieve data from text boxes, preventing the creation of managed strings that can potentially be dumped from memory. Reichl also introduced "dummy strings" with random characters into the memory of the KeePass process to make it harder to retrieve fragments of the password from memory and combine them into a valid master password. KeePass 2.54 also introduces other security enhancements, such as moving 'Triggers,' 'Global URL overrides,' and 'Password generator profiles' into the enforced configuration file, which provides additional security from attacks that modify the KeePass configuration file.

Izvor: BleepingComputer

The Exiled · 24.06.2023., 20:25

LastPass users furious after being locked out due to MFA resets

Citiraj:

LastPass password manager users have been experiencing significant login issues starting early May after being prompted to reset their authenticator apps. The company first announced that users might need to log back into their LastPass account and reset their multifactor authentication preference due to planned security upgrades on May 9. However, since then, numerous users have been locked out of their accounts and unable to access their LastPass vault, even after successfully resetting their MFA applications (e.g., LastPass Authenticator, Microsoft Authenticator, Google Authenticator). Compounding the problem, affected customers cannot seek assistance from support since reaching out to LastPass support requires logging into their accounts which they can't do because they're locked in an infinite loop of being prompted to reset their MFA authenticator. LastPass says the MFA resets were announced via in-app messages for "several weeks" before the initial announcement.

Izvor: BleepingComputer

Night · 26.06.2023., 11:31

Nakon što su im procurili master kodovi sa developerovog Plexa jer je valjda normalna stvar koristiti istu mašinu za pornjavu i za master keyeve ... onaj tko je ostao na LastPassu je teška klasa Optimist

25.01.2023., 17:30	#121
xlr 49%winner Moj komp Datum registracije: Sep 2007 Lokacija: PU Postovi: 8,789	Ako su iste kao onda - svakako bih promjenio. __________________ ♕ Keep calm and fastboot oem unlock. ♕

28.02.2023., 11:25	#123
Dottore Extrema Thule Moj komp Datum registracije: Feb 2005 Lokacija: 「 ✖ ✖ ✖ 」 Postovi: 7,316	Ja sam otišao od 10mj i još nisam imao problema. __________________

23.05.2023., 13:37	#127
The Exiled McG Moj komp Datum registracije: Feb 2014 Lokacija: Varaždin Postovi: 6,773	Nema veze s KeePassom, ovo je neki/nečiji iOS KeePass, dok je ovdje popis pravih službenih iOS aplikacija. __________________ AMD Ryzen 7 Pro 4750G + Vega iGPU \| be quiet! Pure Rock 2 Black \| MSI B450 Tomahawk Max II \| 32GB G.Skill DDR4-2666 Value \| 256GB AData SX8200 Pro NVMe \| 2x4TB WD Red Plus \| Fractal Define 7 Compact \| Corsair CX450M

17.05.2023., 14:11	#124
Neo-ST Buying Bitcoin Moj komp Datum registracije: Feb 2007 Lokacija: Croatia Postovi: 7,976	Keepass vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2023-32784

23.05.2023., 13:14	#126
Neo-ST Buying Bitcoin Moj komp Datum registracije: Feb 2007 Lokacija: Croatia Postovi: 7,976	Opet Keepass? https://twitter.com/ghidraninja/stat...60231111598080

26.06.2023., 11:31	#133
Night Premium Datum registracije: Oct 2008 Lokacija: Dbk Postovi: 989	Nakon što su im procurili master kodovi sa developerovog Plexa jer je valjda normalna stvar koristiti istu mašinu za pornjavu i za master keyeve ... onaj tko je ostao na LastPassu je teška klasa Optimist

Oglasni prostor
PC Ekspert Forum Oglas