The password manager vendors cited in ISE's report challenged the notion that their products were insecure. The realistic threat posed by the password manager vulnerabilities described in the study is limited, according to a statement from 1Password chief security officer Jeffrey Goldberg.
"An attacker who is in a position to exploit this information in memory is already in a very powerful position," Goldberg said. "No password manager (or anything else) can promise to run securely on a compromised computer."
Dominik Reichl, who developed the open source password manager KeePass, believes what ISE found is a well-known limitation of the process memory protection for his software. KeePass documentation states the password manager "must make sensitive data available unencryptedly in the process memory," including passwords as unencrypted strings.
According to LogMeIn, which acquired LastPass in 2015, the password manager vulnerabilities research raises awareness of a limitation in protecting secrets in memory against an attacker with administrative privileges.
"In line with the opinion of other password managers, once an attacker has local access and admin privileges, the operating system is compromised and an attacker will end up having access to anything on the device," the statement read. "This is an independent issue from whether or not a password manager is used."
The company has implemented changes to LastPass for Applications to mitigate and minimize the risk of the potential attack detailed in the ISE report, LogMeIn said.
"To mitigate risk of compromise while LastPass for Applications is in a locked state, LastPass for Applications will now shut down the application when the user logs out, clearing the memory and not leaving anything behind," according to the statement.
LastPass is also looking into ways to implement additional safeguards and protections, according to the company.
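The two points above, the KeePass documentation's statement that secrets must exist as unencrypted bytes in process memory while the vault is in use, and LastPass's mitigation of clearing memory when the user logs out, come down to one engineering question: what happens to the cleartext buffer when the vault is locked. The following is an added example and not code from the article or from any of the vendors named in it. It models a hypothetical session object (`vault_session` and the `vault_*` functions are assumptions for illustration) that holds the master secret in a heap buffer, and contrasts a naive lock that only flips a flag with a lock that overwrites the buffer through a volatile pointer before release. The sample master password is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical session object: models the window during which a password
 * manager has to hold the master secret in cleartext in process memory. */
typedef struct {
    unsigned char *secret;   /* heap buffer holding the cleartext secret */
    size_t len;              /* number of secret bytes in the buffer */
    int unlocked;            /* 1 while the vault is usable */
} vault_session;

/* Overwrite through a volatile pointer so the compiler cannot treat the
 * stores as dead and elide them (a plain memset() right before free()
 * is often optimized away). */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = 0;
    }
}

void vault_init(vault_session *s)
{
    s->secret = NULL;
    s->len = 0;
    s->unlocked = 0;
}

/* Copy the master password into the session buffer. The caller still owns
 * (and should wipe) whatever buffer master_password was read into. */
int vault_unlock(vault_session *s, const char *master_password)
{
    size_t n = strlen(master_password);
    unsigned char *buf = malloc(n ? n : 1);
    if (buf == NULL) {
        return -1;
    }
    memcpy(buf, master_password, n);
    s->secret = buf;
    s->len = n;
    s->unlocked = 1;
    return 0;
}

int vault_is_unlocked(const vault_session *s)
{
    return s->unlocked;
}

/* Count secret bytes that are still non-zero: the residue a memory reader
 * would recover after a lock. 0 means nothing cleartext is left. */
size_t vault_secret_residue(const vault_session *s)
{
    size_t residue = 0;
    for (size_t i = 0; i < s->len; i++) {
        if (s->secret[i] != 0) {
            residue++;
        }
    }
    return residue;
}

/* Naive lock: only flips the flag; the cleartext stays in memory. */
void vault_lock_naive(vault_session *s)
{
    s->unlocked = 0;
}

/* Wiping lock: overwrite the cleartext in place, then mark locked. The buffer
 * is kept allocated so the caller can verify the wipe; vault_destroy frees it. */
void vault_lock(vault_session *s)
{
    if (s->secret != NULL) {
        secure_zero(s->secret, s->len);
    }
    s->unlocked = 0;
}

void vault_destroy(vault_session *s)
{
    vault_lock(s);
    free(s->secret);
    s->secret = NULL;
    s->len = 0;
}

int main(void)
{
    vault_session s;
    vault_init(&s);
    /* constructed sample master password, not a real credential */
    if (vault_unlock(&s, "correct horse battery staple") != 0) {
        return 1;
    }
    vault_lock_naive(&s);
    printf("after naive lock: %zu cleartext bytes remain\n", vault_secret_residue(&s));
    vault_lock(&s);
    printf("after wiping lock: %zu cleartext bytes remain\n", vault_secret_residue(&s));
    vault_destroy(&s);
    return 0;
}
```

The residue counter is the check a reviewer would want: after the naive lock every byte of the master password is still readable by anything that can inspect the process, which is exactly the condition the ISE report and the vendors describe; after the wiping lock the buffer is all zeros. Note what the wipe does not cover: the string the password was copied from, any copies the runtime or UI toolkit made along the way, and pages already swapped to disk, which is why the vendors treat an attacker with administrative access as outside what in-process hygiene can defend against.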
"As always, it's essential to regularly patch your computers and use an effective antivirus and anti-malware software," according to the statement.
Dashlane CEO Emmanuel Schalit emphasized that the attack scenario detailed in ISE's research would pose a serious danger to any application or data on the compromised device.
"It is indeed correct that if an attacker has full control of a device at the lowest operating systems level, the attacker can read any and every information on the device," he said in a statement to SearchSecurity. "This is not the case just with Dashlane or with password managers, but of any software or in fact any device that stores digital information. For that reason, it is generally well known in the world of cybersecurity that the above scenario is an extreme one, in the sense that no mechanism can protect the digital information on a device if that device is already entirely compromised."
Schalit stressed that the data Dashlane stores on the hard drive is encrypted and cannot be read by an attacker even if the attacker has full control of the device. However, he noted the attack scenario "only applies to the data present in the memory of the device when Dashlane is being used by a user who has typed the Master Password."
In addition, Schalit wrote that there is "dangerous logic" in using the research to argue that people should not use password managers. "This is like saying, 'I am only willing to accept that I will be 100% protected. If that is not possible I do not trust any protection,'" he wrote.