Password Managers Share a Hidden Weakness


An FBI informant helped run the dark web marketplace Incognito and allegedly approved the sale of fentanyl-laced pills, including those from a dealer linked to a confirmed death, WIRED reported this week. Meanwhile, Jeffrey Epstein’s ties to Customs and Border Protection agents sparked a Justice Department investigation. Documents indicate that CBP agents in the U.S. Virgin Islands were still friendly with Epstein years after his 2008 conviction, illustrating the infamous sex offender’s tactics for cultivating allies.

WIRED has published a guide detailing expert advice and favorite tools for surveillance-resistant organizing and collaboration. In a case of failed opsec, comments and other metadata left in a PDF detailing Homeland Security’s proposal to build “mega” detention and processing centers revealed the DHS personnel involved in drafting the plan. And the Department of Homeland Security is taking steps to combine its face and fingerprint technologies into a centralized, searchable database shared across all its agencies.

Fears about possible drug cartel drone activity over Texas sparked a recent airspace shutdown in New Mexico and El Paso, Texas, but the episode ultimately highlighted the challenges of safely deploying anti-drone weapons near cities. A database left accessible to anyone online contained billions of records, including passwords and Social Security numbers. The situation is far from unique, but it highlights the potential risk of identity theft since it appears that some data has not yet been exploited by criminals.

If you’re looking to win $10,000, the Fulu Foundation, a nonprofit that pays bounties for removing user-hostile features, is looking for a way to use Ring cameras while preventing them from sending data to Amazon. And the Mexican city of Guadalupe, which will host part of the 2026 World Cup, will deploy four new robot dogs to provide security during matches at BBVA Stadium.

But wait, there’s more! Every week, we round up security and privacy news that we haven’t covered in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

At WIRED, we’ve been recommending password managers for years. They are arguably the only convenient and practical way to create and use unique, sufficiently strong passwords on every online account in your life. But the risk, at least with cloud-based password managers that store your credentials and make them accessible across devices, is that the password management company itself becomes a single point of failure. If any of these companies suffers a data breach or leak, it could expose an untold number of secret credentials.

Password management companies have responded to these fears by promising “zero knowledge” systems, in which they claim credentials are encrypted so that even the company itself cannot access them in unencrypted form. But a new study by security researchers at ETH Zurich and USI Lugano shows how often these claims bend, or break entirely, once a malicious insider or attacker is skilled enough to exploit cryptographic flaws in the design.

The researchers specifically analyzed the password managers from Bitwarden, Dashlane and LastPass (although they caution that their findings likely apply to others as well) and found that they could often access user credentials. In some cases, they could read a user’s entire password “vault,” or even write to that vault at will. The cryptographic vulnerabilities varied among the password managers and existed only when certain features were enabled, such as key escrow systems used for password backup and recovery. But the researchers also say that many of the flaws they found were relatively simple, and that they show a lack of scrutiny of password managers’ “zero knowledge” claims. Read the full research paper here.

Virtually no part of American society, it increasingly seems, escaped mention in the recently released emails of the late pedophile and sex trafficker Jeffrey Epstein, including the cybersecurity and technology community represented at the Defcon hacker conference. This week, Defcon officially banned three individuals whose ties to Epstein had been exposed by the Justice Department’s release of incomplete and heavily redacted documents relating to Epstein: cybersecurity entrepreneur Vincenzo Iozzo, who had already been removed from the review board of Black Hat, Defcon’s more corporate sister conference, as well as former MIT Media Lab director Joichi Ito and technology investor Pablos Holman. (A spokesperson for Iozzo told TechCrunch in a statement that the ban was “performative” and not based on any “wrongdoing,” while Holman and Ito did not respond to requests for comment.) All three men had numerous interactions with Epstein, including long after he had been exposed as a sex offender and trafficker, both in court and in numerous media reports.

More than twenty years ago, the government domain “freedom.gov” was used to distribute news and information about the “victory” in the Iraq War. Since the domain was re-registered on January 12, after years of inactivity, it has been part of a State Department effort to create an anti-censorship “online portal”, according to a Reuters report this week.

The report said the portal may have been created to “enable citizens in Europe and beyond” to view content banned by their governments, citing content related to hate speech and terrorism as examples. The website may integrate VPN technology to bypass geolocation blocks. The development of the site, which could deepen the divide between differing internet freedom regimes and heighten political tensions between the United States and Europe, comes at a time when many US government-funded internet freedom programs have been shut down.
