Old 07-07-2021, 09:33 PM   #1
frankbell
Vulnerability in the Kaspersky Password Manager


Bruce Schneier reported it on his blog. The short version is that it produces easily-guessable passwords.

Full Disclosure: I didn't know that Kaspersky offered a password manager.

Old 07-08-2021, 02:44 AM   #2
obobskivich
That blog post is confusing - is/was it a password manager, or a password generator? (and am I the only one who thinks if the answer is 'both' that should be a big 'yikes!') Wouldn't it also require knowing the 'current time' at whenever it generated a password to brute-force it? (I clicked into the article linked and indeed yes it would - they offer a hypothesis that many web forums show join date/time which could be used as a weakness here, IF you knew the account had used a password generated in this way (and I believe using the application defaults as well)). Also from the linked article, this was discovered (AND PATCHED) in 2019, and is only being disclosed/published now that the CVE is published and resolved, and apparently users were pushed notifications in 2020 to prod them to re-generate any passwords that may be vulnerable to this.

The linked article was an interesting read: https://donjon.ledger.com/kaspersky-password-manager/
 
Old 07-08-2021, 10:30 AM   #3
sundialsvcs
And, "if you're relying on the extremely-limited entropy of 'a password' – any password – you are already in trouble."

Don't put anything that accepts a password "within view of the public," so that they can start trying to guess it. Place it behind something like OpenVPN, protected with individually-accountable digital certificates. A certificate contains thousands of bits of strong entropy. Before anyone is able to try their key in the front door, force them to cross the moat.
 
Old 07-08-2021, 10:16 PM   #4
ntubski
Quote:
Originally Posted by obobskivich
That blog post is confusing - is/was it a password manager, or a password generator? (and am I the only one who thinks if the answer is 'both' that should be a big 'yikes!')
I think it's pretty common for password managers to also provide password generation as a feature. It adds to the convenience.

Quote:
Wouldn't it also require knowing the 'current time' at whenever it generated a password to bruteforce it? (I clicked into the article linked and indeed yes it would - they offer a hypothesis that many web forums show join date/time which could be used as a weakness here, IF you knew the account had used a password generated in this way (and I believe using the application defaults as well)).
Since they were using time in seconds, 2^32 possibilities (which could definitely be done in an offline attack) covers a range of ~136 years. Even if the join date/time isn't shown publicly you can probably guess it to within 100 years.

Quote:
Originally Posted by sundialsvcs
Don't put anything that accepts a password "within view of the public," so that they can start trying to guess it. Place it behind something like OpenVPN,
Now tell us how you put LQ behind a VPN so that it won't be "within view of the public".
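To put numbers on ntubski's point, here is an added Python sketch (not code from the thread, from Kaspersky, or from the Ledger write-up) that contrasts a generator seeded with a one-second timestamp against one drawing from the OS CSPRNG, and computes how many bits of uncertainty a seed window of a given number of years really leaves. The PRNG and the alphabet are assumptions for illustration, not Kaspersky's actual algorithm.

```python
import math
import random
import secrets
import string

# Alphabet the example generator draws from (constructed for this example).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"   # 70 symbols


def weak_generate(timestamp: int, length: int = 16) -> str:
    """Stand-in for a generator seeded only with the current time in seconds.

    Assumption: a non-cryptographic PRNG seeded with a Unix timestamp (this is
    NOT Kaspersky's real algorithm, which the thread does not give). Every run
    within the same second yields the same password, so the set of reachable
    outputs is bounded by the set of plausible seeds, not by the length.
    """
    rng = random.Random(timestamp)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_generate(length: int = 16) -> str:
    """Hardened form: every symbol comes from the OS CSPRNG via secrets."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def seed_space_bits(years: float) -> float:
    """Bits of uncertainty if the seed is a one-second timestamp known to lie
    somewhere inside a window of `years` years (2^32 seconds is ~136 years)."""
    return math.log2(years * 365.25 * 24 * 3600)


def password_space_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Nominal entropy of `length` uniformly random symbols."""
    return length * math.log2(alphabet_size)


def effective_bits(length: int, years: float) -> float:
    """What actually matters for a time-seeded generator: the smaller of the
    nominal password space and the seed space the attacker must cover."""
    return min(password_space_bits(length), seed_space_bits(years))


if __name__ == "__main__":
    t = 1625702000  # constructed timestamp in early July 2021
    assert weak_generate(t) == weak_generate(t)  # deterministic per second
    print("years covered by 2^32 seconds:", round(2**32 / (365.25 * 86400), 1))
    print("seed bits for a 100-year window:", round(seed_space_bits(100), 1))
    print("nominal bits, 16 chars of 70:", round(password_space_bits(16), 1))
    print("effective bits, time-seeded:", round(effective_bits(16, 100), 1))
    print("CSPRNG sample:", strong_generate())
```

Run as a script it shows that a 16-character password from the time-seeded generator is worth about 31.6 bits against an attacker who knows the decade, versus about 98 bits nominal.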
 
Old 07-08-2021, 11:45 PM   #5
obobskivich
Quote:
Originally Posted by ntubski
Since they were using time in seconds, 2^32 possibilities (which could definitely be done in an offline attack) covers a range of ~136 years. Even if the join date/time isn't shown publicly you can probably guess it to within 100 years.
I was thinking about applications where that doesn't make sense - like say this thing's output was used as a log-in password for a system, or as a WiFi AP password, or what-have-you - it'd be impossible to guess at that. But as they pointed out, because it would be the SAME at any given time, it sounds like you could write a program that could just solve every possible password it could've generated (within a sane band based on date, so you don't need to guess values for say, 1963) and then run through that as a dictionary of sorts. Certainly not a 'good' situation for the passwords generated here, but successfully attacking it does require some foreknowledge - both that the password was generated in this way and perhaps also roughly when. It's also interesting how the Kaspersky program was attempting to foil real-world attacks by avoiding certain kinds of strings, but ended up re-creating the same problem for itself.
 
Old 07-09-2021, 03:36 PM   #6
sundialsvcs
Naturally, "LQ is intended to be publicly accessible." But, like all web sites these days, it does use "https" to guarantee to users that they really are contacting LQ.

"Passwords," directly exposed to the Internet-at-large, are deficient on their face ... if only because your computer will now waste a great deal of time and bandwidth rejecting millions of script-driven attempts to break it. Those resources ought to instead be used to provide useful services to legitimate users.

Hence the "identity badges" that are used in every company. It is individually issued to you and it protects the outermost perimeter. The only parties who will ever even be invited to "say the magic word" are those who have already passed over the moat. The credential can be individually revoked when you leave the company, without impacting anybody else's access.

Last edited by sundialsvcs; 07-09-2021 at 03:38 PM.
 
  

