LastPass' password meter is broken

Password strength meters are notoriously unreliable and LastPass is unfortunately no exception. Depending on which options are configured, the password strength meter, both in the Chrome browser plugin and at <a href=https://lastpass.com/generatepassword.php>lastpass.com</a>, will give completely ridiculous estimates, providing a false sense of security and putting users at risk.

Example 1
Generating a purely numeric 14-digit password results in a green strength bar, although such a password is in fact extremely weak: its keyspace is only 10^14 (about 46.5 bits of entropy), which would be bruteforced in minutes by even a modest cracking rig.

<img src=https://i.imgur.com/Ctx0Ry9.png>

dict size: 10   length: 14  ->  46.50 bits of entropy  ->  bruteforce difficulty: trivial (minutes)


Example 2

This password is shorter (10 characters, drawn from a set of just 18 symbols) but results in an even longer and greener strength bar.

<img src=https://i.imgur.com/wPoEsha.png>

dict size: 18   length: 10  ->  41.69 bits of entropy  ->  bruteforce difficulty: trivial (seconds)



Bottom line is, don’t use LastPass to generate your passwords. At least not until they fix (or remove) their password meter. Don’t get burned. Just use a proper, native password manager.

PS. I had a rather bad experience reporting a previous (more serious) vulnerability to LastPass, so I’m not sure I want to go through that again.

<A href=https://twitter.com/hexatomium>Follow</A> @hexatomium

GoGoogle - A strange Firefox address bar behavior

Try this in Firefox: open a new tab and type goo%67 in the address bar (%67 is the percent-encoded form of the letter g, so the decoded string is simply goog). Assuming you have visited Google.com recently, here’s what you will get:

<IMG src=https://i.imgur.com/F9eJbbl.png>

Looks like a weird autocomplete bug. No time to investigate in depth, though it does not seem to be exploitable at first sight.


Cheatsheet - The powers of "limited" Windows accounts

While using a non-admin account for everyday tasks is a sound and highly recommended security measure, it is important to keep in mind that it should only be one layer of your security posture.

It is easy to underestimate the amount of damage that can be done by malware running as a “limited” Windows user, even without resorting to privilege escalation. Here is a quick roundup:

  1. keylogging / password stealing
  2. file encryption (e.g. Cryptowall)
  3. silently recording audio/video
  4. banking trojan infections (e.g. Dridex)
  5. persistence (surviving reboots)
  6. formatting external FAT drives
  7. infecting USB sticks
  8. sending out any data (outbound FW rules typically won’t help much)
  9. browser hijacking
  10. joining a botnet
  11. hosting content
  12. reading memory of other processes (e.g. Keepass)
  13. serving a remote console (e.g. VNC)
  14. port scanning / network recon
  15. Active Directory enumeration

Did you know all of the above could be done with a regular account?


View my <A HREF=https://www.linkedin.com/profile/view?id=1283234>LinkedIn</A> page (Firas Salem)

Microsoft silently adds Amazon root certificates to its CTL

Microsoft has just pushed a new CTL update with 6 new root certificates, 4 of which are for a brand new root CA: Amazon. This conveniently occurs just in time for Amazon’s Certificate Services go-live. But what should have been a fairly ordinary update is raising a few red flags.

  1. Amazon is reported to have some <a href=http://www.defenseone.com/technology/2014/07/how-cia-partnered-amazon-and-changed-intelligence/88555/>close ties</a> to <a href=http://www.salon.com/2014/12/01/amazons_frightening_cia_partnership_capitalism_corporations_and_our_massive_new_surveillance_state/>spy agencies</a>.

  2. The new roots have not been announced by Microsoft. Their <A Href=http://social.technet.microsoft.com/wiki/contents/articles/31634.microsoft-trusted-root-certificate-program-participants.aspx>Program Participants</A> page is oddly silent about the changes. Additionally, it’s interesting that Starfield (another root acquired by Amazon last year) does not appear in there either. Hopefully that’s just a coincidence; I will not speculate on that.

  3. No other trust store provider (Mozilla, Google, Oracle) trusts these roots as of today.

<a href=http://trax.x10.mx/apps.html>RCC</A> detecting the new roots:

<img src=https://i.imgur.com/b4Il9ff.png>

By the way, if you are running any supported version of Windows, be aware that you are already effectively trusting them now, <a href=http://hexatomium.github.io/2015/08/29/why-is-windows/>even if you do not see them in the Windows Certificate Manager</a>.


The Executable Palindrome

What happens when you mix palindromes, a pinch of ASM, and a New Year hangover? A tiny 600-byte executable binary palindrome :)

<img src=http://i.imgur.com/OXHphWP.png>

This tiny Windows EXE will run identically even if all bytes are reversed.

Of course it does not do much (actually all it does is exit with a specific return code) but it’s a new type of palindrome, an executable palindrome.

To make it a little more fun, one extra twist I added is to place the entry point (EP) in the mirrored half. The code that actually executes is also contained within my New Year greetings :)

Building an executable palindrome is actually simple. In fact, most EXEs can very easily be turned into palindromes (with the possible exception of digitally signed EXEs, since appending bytes to a signed file invalidates its Authenticode signature.)
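As an added illustration (not the author's code, and not how mzzm.exe was built): the simplest construction appends the byte-reversal of the whole file to itself. The result reads the same backwards, the original headers stay at offset 0, and the mirrored half becomes overlay data, which the Windows loader ignores for an ordinary user-mode EXE. The helper below validates the MZ/PE headers, refuses files that carry an Authenticode signature (appending bytes would invalidate it), and is exercised on a constructed header-only stand-in rather than a real image. Placing the entry point in the mirrored half, as the author did, requires hand-written code and is not attempted here.

```python
import struct

# Offsets and constants from the PE/COFF specification.
E_LFANEW_OFFSET = 0x3C            # DWORD in the DOS header pointing at "PE\0\0"
PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 20
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SECURITY_DIRECTORY_INDEX = 4      # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode table)


def parse_pe(data: bytes) -> dict:
    """Validate the MZ/PE headers and report whether the file carries a signature."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE executable (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)   # SizeOfOptionalHeader
    opt = coff + COFF_HEADER_SIZE
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        dirs = opt + 96            # data directories start after the PE32 fields
    elif magic == PE32PLUS_MAGIC:
        dirs = opt + 112           # 64-bit image base/stack/heap fields push them out
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sec_entry = dirs + SECURITY_DIRECTORY_INDEX * 8
    sec_size = 0
    if sec_entry + 8 <= opt + opt_size:
        _sec_offset, sec_size = struct.unpack_from("<II", data, sec_entry)
    return {"e_lfanew": e_lfanew, "pe32plus": magic == PE32PLUS_MAGIC, "signed": sec_size != 0}


def make_palindrome(data: bytes) -> bytes:
    """Return data + reversed(data): a byte palindrome that still begins with the original image."""
    if parse_pe(data)["signed"]:
        raise ValueError("file carries an Authenticode signature; appending bytes invalidates it")
    out = data + data[::-1]
    assert out == out[::-1] and out.startswith(data)
    return out


def is_palindrome(data: bytes) -> bool:
    return data == data[::-1]


def build_minimal_pe_headers(signed: bool = False) -> bytes:
    """Constructed stand-in: DOS stub + PE32 headers only. NOT a loadable image.

    Used so the example runs offline; for a real EXE, pass its bytes to make_palindrome.
    """
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    opt_size = 224                                   # standard PE32 optional header size
    # Machine=i386, 0 sections, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    if signed:  # fake a non-empty security directory so parse_pe reports "signed"
        struct.pack_into("<II", opt, 96 + SECURITY_DIRECTORY_INDEX * 8, 0x1000, 0x800)
    return bytes(dos) + PE_SIGNATURE + coff + bytes(opt)


if __name__ == "__main__":
    stub = build_minimal_pe_headers()
    pal = make_palindrome(stub)
    print(len(stub), "->", len(pal), "bytes; palindrome:", is_palindrome(pal))
```

On a real file, the output is twice the input size; the author's 600-byte binary is consistent with a 300-byte image mirrored this way, though his EP-in-the-mirror trick is not something this append-only approach reproduces.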

Wanna give it a try? Grab it from <A href=http://trax.x10.mx/download.php?appname=mzzm.exe>here</A> (or manually type in the above bytes using a hex editor, to experience a true hacker’s high!)

BTW, this would not have been possible without the awesome PE resources maintained by corkami.
