  1. #1
    WHT-BR Top Member
    Join Date
    Dec 2010

    [EN] LastPass mitigates credentials-stealing phishing attack

    Security researcher Sean Cassidy created a fake login dialog page
    to phish LastPass users' credentials

    Juha Saarinen
    Jan 20 2016

    Popular credentials manager LastPass has taken steps to counter a "very simple" phishing attack that could see users' passwords, email addresses and two-factor authentication tokens stolen.

    Researcher Sean Cassidy posted proof of a successful phishing attack using a faked LastPass notification in a web browser earlier this month, following a presentation at the hacker conference ShmooCon.

    By setting up a malicious website that displays notifications telling users their LastPass sessions have expired, Cassidy was able to create a page that lured people into entering their credentials for the password manager.

    The researcher called the attack LostPass. A successful capture of user LastPass credentials would allow attackers full access to all login details stored in the password manager.

    According to Cassidy, the attack works best on the popular Google Chrome web browser.

    LastPass has since made changes to its browser notification and alerts systems, and now requires email confirmation for all logins from new IP addresses, which Cassidy says substantially mitigates against his attack.

    The company is also looking into using a different method for notifications than the web browser viewport below the tab and link address bar, where Cassidy created the fake warnings about session expiry.

    LastPass has also asked Google to help make the viewport area more secure to use, or to provide an alternative for notifications.

    Cassidy noted that in general terms, web browser extensions are riskier than native applications that run on the operating system.

    Also, having a publicly accessible application programming interface makes it easier to steal a great deal of data, he said.

    Cassidy cautioned that users should only store frequently used and low-risk data in LastPass and other password managers.
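The mitigation the article credits with blunting the attack is that a correct password (and second factor) captured by a fake login dialog is no longer enough on its own: a login from an IP address the account has never used before is held until the account holder confirms it by e-mail. The following is an added illustration of that flow, not LastPass's own code; the `Account` structure, the token handling and the sample IP addresses are assumptions made for the example.

```python
"""New-IP login confirmation: a login from an unfamiliar address is parked
behind an e-mailed one-time token instead of being completed immediately.
Added example; not LastPass code."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    known_ips: set = field(default_factory=set)
    # token -> source IP awaiting e-mail confirmation (hypothetical store)
    pending: dict = field(default_factory=dict)


def attempt_login(account: Account, source_ip: str, credentials_ok: bool) -> dict:
    """Evaluate one login attempt.

    credentials_ok is the result of the normal password / 2FA check. Even
    when it is True, an attempt from an IP not previously associated with
    the account does not create a session; it only creates a pending
    confirmation that must be completed via the account's mailbox. Someone
    who phished the credentials but does not control the mailbox stops here.
    """
    if not credentials_ok:
        return {"status": "denied"}
    if source_ip in account.known_ips:
        return {"status": "allowed"}
    token = secrets.token_urlsafe(32)          # unguessable, single-use
    account.pending[token] = source_ip
    # A real system mails the token to account.email and never returns it
    # to the caller; it is returned here only so the flow runs offline.
    return {"status": "confirm_by_email", "token": token}


def confirm_login(account: Account, token: str) -> bool:
    """Complete a pending login. pop() makes the token single-use; an
    unknown or already-used token is rejected and changes nothing."""
    source_ip = account.pending.pop(token, None)
    if source_ip is None:
        return False
    account.known_ips.add(source_ip)
    return True


if __name__ == "__main__":
    # Constructed sample: the account has only ever logged in from one address.
    acct = Account(email="user@example.invalid", known_ips={"198.51.100.7"})
    print(attempt_login(acct, "198.51.100.7", True))   # allowed
    first = attempt_login(acct, "203.0.113.9", True)    # confirm_by_email
    print(first["status"])
    print(confirm_login(acct, first["token"]))          # True
    print(attempt_login(acct, "203.0.113.9", True))     # now allowed
```

Two design points matter in practice: the token must never be exposed to the unconfirmed session (otherwise the check is decorative), and it should expire after a short window, which the example omits for brevity.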

  2. #2
    WHT-BR Top Member
    Join Date
    Dec 2010

    Too many people still use terrible passwords

    Daniel Cooper

    The fifth annual SplashData chart of the Internet's worst passwords is out, and it looks like people just can't learn the lesson. The firm has aggregated the passwords from around two million that were leaked in 2015, finding that basic, easy-to-guess terms are still in abundance. The most popular code behind which people store their valuables is "123456," with "password" sitting comfortably in second place.

    One thing that you can glean from the information is that people who use such easily-guessable passwords are also led by pop culture and sports. For instance, some of the newer entries on the list include "solo," "princess" and "starwars," while "football" and "baseball" are also in the top 25. As smart as you may think you're being by using the phrase "passw0rd," it's an idea that's been used by thousands, if not hundreds of thousands of other computer users. We've included the full rundown below, and if you spot one on this list that you use, consider this a wake-up call.

    Rank Password
    1 123456
    2 password
    3 12345678
    4 qwerty
    5 12345
    6 123456789
    7 football
    8 1234
    9 1234567
    10 baseball
    11 welcome
    12 1234567890
    13 abc123
    14 111111
    15 1qaz2wsx
    16 dragon
    17 master
    18 monkey
    19 letmein
    20 login
    21 princess
    22 qwertyuiop
    23 solo
    24 passw0rd
    25 starwars
    Last edited by 5ms; 20-01-2016 at 08:10.
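A list like the one above is most useful to a defender as a denylist applied when a password is set, so that "123456" or "passw0rd" is rejected before it ever protects anything. The article's own point about "passw0rd" shows why a plain string comparison is not enough: trivial variants (capitalisation, letter-for-digit substitutions, a year or "!" tacked on the end) must be folded back onto the list entry. The code below is an added example, not part of the post or of SplashData's work; it uses the 25 entries reproduced above, and the normalisation rules and the sample candidate passwords are assumptions made for the illustration.

```python
"""Reject passwords that are, or are trivial variants of, entries in a
known-bad list. Added example using the 25 passwords from the post."""
import re

# The 25 entries from the SplashData 2015 list as reproduced in the post.
WORST_PASSWORDS_2015 = [
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "1234567890",
    "abc123", "111111", "1qaz2wsx", "dragon", "master", "monkey", "letmein",
    "login", "princess", "qwertyuiop", "solo", "passw0rd", "starwars",
]

# Undo the common letter-for-digit/symbol substitutions ("passw0rd" -> "password").
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})

# Trailing digits/punctuation that people append to a base word ("monkey2016!").
_TRAILING = re.compile(r"[\d!@#$%^&*._-]+$")


def variants(candidate: str):
    """Yield the forms under which a candidate is compared to the list."""
    base = candidate.lower()
    yield base
    yield base.translate(_LEET)
    stripped = _TRAILING.sub("", base)
    # Only treat the stripped form as meaningful if a real word remains;
    # all-digit passwords collapse to "" and are caught by `base` instead.
    if len(stripped) >= 4:
        yield stripped
        yield stripped.translate(_LEET)


# Denylist holds each raw entry plus its de-leeted form, so "P@ssw0rd" and
# "passw0rd" both resolve to "password".
DENYLIST = set(WORST_PASSWORDS_2015) | {p.translate(_LEET) for p in WORST_PASSWORDS_2015}


def weak_reason(candidate: str):
    """Return the denylist entry the candidate collapses to, or None."""
    for form in variants(candidate):
        if form in DENYLIST:
            return form
    return None


def is_weak(candidate: str) -> bool:
    return weak_reason(candidate) is not None


if __name__ == "__main__":
    # Constructed sample candidates, not real user passwords.
    for pw in ["123456", "Password", "P@ssw0rd", "monkey2016!", "Solo",
               "Tr0ub4dor&3", "correct horse battery staple"]:
        print(f"{pw!r:35} -> {weak_reason(pw)}")
```

In production the 25 entries would be replaced by a much larger breached-password corpus (NIST SP 800-63B recommends checking new passwords against lists of compromised values), and the normalisation would be applied when building the list as well as to the candidate, exactly as `DENYLIST` does here.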
