
Meta Fined €91 Million by EU Privacy Regulator for Improper Password Storage

On Friday, Meta was fined €91 million ($101.5 million) by the European Union's primary privacy regulator for accidentally storing some user passwords without proper encryption or protection.

The investigation began five years ago when Meta informed Ireland's Data Protection Commission (DPC) that it had mistakenly saved certain passwords in plaintext format. At the time, Meta publicly admitted to the issue, and the DPC confirmed that no external parties had access to the passwords.

"It is a widely accepted practice that passwords should not be stored in plaintext due to the potential risk of misuse by unauthorized individuals," stated Graham Doyle, Deputy Commissioner of the Irish DPC.

A Meta spokesperson mentioned that the company took swift action to resolve the error after it was detected during a 2019 security audit. Additionally, there is no evidence suggesting the passwords were misused or accessed inappropriately.

Throughout the investigation, Meta cooperated fully with the DPC, the spokesperson added in a statement on Friday.

Given that many major U.S. tech firms base their European operations in Ireland, the DPC serves as the leading privacy regulator in the EU. To date, Meta has been fined a total of €2.5 billion for violations under the General Data Protection Regulation (GDPR), which was introduced in 2018. This includes a record €1.2 billion penalty issued in 2023, which Meta is currently appealing.

Microsoft Azure Credentials Exposed in Plaintext by Windows 365

Mimikatz has been used by a vulnerability researcher to dump a user's unencrypted, plaintext Microsoft Azure credentials from Microsoft's new Windows 365 Cloud PC service. Benjamin Delpy created Mimikatz, an open-source security tool that lets researchers test various credential-theft and impersonation weaknesses.

Microsoft's Windows 365 cloud-based desktop service went live on August 2nd, allowing customers to rent Cloud PCs and access them via remote desktop clients or a browser. Microsoft offered free virtual PC trials, which rapidly sold out as consumers hurried to receive their two-month free Cloud PC. 

Microsoft announced their new Windows 365 cloud-based virtual desktop experience at the Inspire 2021 conference, which allows organizations to deploy Windows 10 Cloud PCs, as well as Windows 11 eventually, on the cloud. This service is built on top of Azure Virtual Desktop, but it has been modified to make managing and accessing a Cloud PC easier. 

Delpy said that he was one of the lucky few to receive a free trial of the new service and began testing its security. He discovered that the brand-new service allows a malicious programme to dump logged-in customers' Microsoft Azure email addresses and passwords in plaintext. The credential dumps rely on a vulnerability he identified in May 2021 that allows him to dump plaintext credentials for Terminal Server users. While a user's Terminal Server credentials are encrypted when kept in memory, Delpy claims he could decrypt them using the Terminal Service process.

To test this technique, BleepingComputer used a free Windows 365 Cloud PC trial. After connecting through the web browser, they started mimikatz with administrative privileges and entered the "ts::logonpasswords" command; mimikatz promptly dumped their login credentials in plaintext.

While mimikatz was designed for researchers, threat actors frequently use its modules to extract plaintext passwords from the memory of the LSASS process or to perform pass-the-hash attacks with NTLM hashes. Threat actors can use this technique to spread laterally across a network until they gain control of a Windows domain controller, which gives them control of the entire Windows domain.

To protect against this method, Delpy recommends 2FA, smart cards, Windows Hello, and Windows Defender Remote Credential Guard. These security measures, however, are not yet accessible in Windows 365. Because Windows 365 is oriented toward enterprises, Microsoft is likely to include these security protections in the future, but for the time being, it's crucial to be aware of the technique.

Google stored G Suite passwords in plaintext, apologises

Google says a small number of its enterprise customers mistakenly had their passwords stored on its systems in plaintext.

If you have a Google account, Google's core sign-in system is designed not to know your password.
The search giant disclosed the exposure Tuesday but declined to say exactly how many enterprise customers were affected. “We recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed,” said Google vice president of engineering Suzanne Frey.

The company said that only G Suite enterprise customers were impacted, but not regular Gmail accounts.

The tech giant said it had notified G Suite administrators to change the impacted passwords.

Google on Wednesday extended an apology to its G Suite customers.

"We apologise to our users and will do better," she added.

Most G Suite customers are companies that signed up for enterprise versions of Gmail, Google Docs, Google Sites, Google Drive, and Google's various other services.

No consumer Gmail accounts were affected by the security lapse, said Frey.

Storing passwords without cryptographic hashing exposes them to compromise, since anyone who can read the store can read the passwords.

Passwords are typically scrambled using a hashing algorithm so that they cannot be read by humans. G Suite administrators are able to manually upload, set and recover new user passwords for company users, which helps in situations where new employees are onboarded. But Google said it discovered in April that the way it implemented password setting and recovery for its enterprise offering in 2005 was faulty and improperly stored a copy of the password in plaintext.

Google has since removed the feature.

Google said the bug at the heart of this security breach was an old tool it developed back in the 2000s.

"The tool (located in the admin console) allowed administrators to upload or manually set user passwords for their company's users," the company said today.
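The flaw pattern running through these three posts, a hashed credential written correctly while a second, plaintext copy is also retained, is illustrated below with a reconstructed toy account store. This is an added example, not code from Google, Meta or the articles; the PBKDF2 parameters, the field names and the "recovery copy" mechanism are assumptions made for illustration. The audit function shows one way a defender can find such copies: any stored string that verifies against the user's own hash is a plaintext password, whatever the field is named.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example (not from the articles):
# PBKDF2-HMAC-SHA256, a random per-user salt, and a high iteration count.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str) -> str:
    """Return a self-describing salted hash: algo$iterations$salt_hex$digest_hex."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def admin_set_password_faulty(store: dict, user: str, password: str) -> None:
    """Hypothetical reconstruction of the flaw pattern: the hash is written correctly,
    but a plaintext copy is also kept (here under a 'recovery_copy' field)."""
    store[user] = {"hash": hash_password(password), "recovery_copy": password}


def admin_set_password(store: dict, user: str, password: str) -> None:
    """Corrected path: only the salted hash is persisted."""
    store[user] = {"hash": hash_password(password)}


def find_plaintext_copies(store: dict) -> list[str]:
    """Audit check: flag every string field that verifies against the record's own hash.
    Such a field is a plaintext copy of the password regardless of what it is called."""
    flagged = []
    for user, record in store.items():
        for field, value in record.items():
            if field == "hash" or not isinstance(value, str):
                continue
            if verify_password(value, record["hash"]):
                flagged.append(f"{user}.{field}")
    return flagged
```

The audit is deliberately independent of field names, so a copy hidden under an innocuous key (a log field, a "recovery" column) is still caught.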