
Kaspersky Password Manager's random password generator was about as random as your wall clock

Could be brute-forced due to design blunders, according to infosec outfit


Last year, Kaspersky Password Manager (KPM) users got an alert telling them to update their weaker passwords. Now we've found out why that happened.

In March 2019, security biz Kaspersky Lab shipped an update to KPM, promising that the application could identify weak passwords and generate strong replacements. Three months later, a team from security consultancy Donjon found that KPM didn't manage either task particularly well – the software used a pseudo-random number generator (PRNG) that was insufficiently random to create strong passwords.

From that time until the last few months of 2020, KPM was suggesting passwords that could be easily cracked, without flagging the weak passwords for users.

"The password generator included in Kaspersky Password Manager had several problems," the Donjon research team explained in a blog post on Tuesday.

"The most critical one is that it used a PRNG not suited for cryptographic purposes. Its single source of entropy was the current time. All the passwords it created could be bruteforced in seconds."

Using the current system time as the random seed value, Donjon explains, means that KPM will generate identical passwords at any given time anywhere in the world. But KPM's interface includes a one-second animation of rapidly shifting random characters that obscures the moment the actual password gets generated. This made the problem harder to spot.

Nonetheless, the lack of randomness meant that for any given password character set, the set of possible passwords generated over time is small enough to be brute-forced in a few minutes. And if the creation time of an account is known – something commonly displayed in online forums, according to Donjon – that range of possibilities shrinks much further and cuts the time required for a brute-force attack to a matter of seconds.

"The consequences are obviously bad: every password could be bruteforced," the Donjon team wrote. "For example, there are 315619200 seconds between 2010 and 2021, so KPM could generate at most 315619200 passwords for a given charset. Bruteforcing them takes a few minutes."
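To make the failure mode concrete, here is an added illustration (constructed for this article, not KPM's code or Donjon's): a toy generator whose only entropy is the current second beside a CSPRNG-backed one, the reproducibility check a reviewer would run against either, and the arithmetic behind the candidate-space figure quoted above.

```python
import secrets
import string
from datetime import datetime
from random import Random

CHARSET = string.ascii_letters + string.digits


def clock_seeded_password(unix_second: int, length: int = 16,
                          charset: str = CHARSET) -> str:
    """Toy model of the flaw (assumed, not KPM's real implementation):
    a non-cryptographic PRNG seeded with nothing but the clock second."""
    rng = Random(unix_second)  # Mersenne Twister; output is a pure function of the seed
    return "".join(rng.choice(charset) for _ in range(length))


def strong_password(length: int = 16, charset: str = CHARSET) -> str:
    """The corrected approach: every character drawn from the OS CSPRNG."""
    return "".join(secrets.choice(charset) for _ in range(length))


def is_clock_determined(generator, unix_second: int = 1_600_000_000,
                        trials: int = 3) -> bool:
    """Audit check: call a generator repeatedly with the same timestamp.
    If its only entropy is the clock, every call returns the same password."""
    outputs = {generator(unix_second) for _ in range(trials)}
    return len(outputs) == 1


def candidate_space(start_iso: str, end_iso: str) -> int:
    """Distinct passwords a clock-seeded generator can emit for one charset
    in a time window: one per second, no matter how long the password is."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return int((end - start).total_seconds())


if __name__ == "__main__":
    print("weak generator clock-determined:", is_clock_determined(clock_seeded_password))
    print("strong generator clock-determined:",
          is_clock_determined(lambda _t: strong_password()))
    # Ten full years (2011-01-01 to 2021-01-01, three leap days) give the
    # 315619200-second figure Donjon quotes for "between 2010 and 2021".
    print("candidates over ten years:", candidate_space("2011-01-01", "2021-01-01"))
    # Knowing the account creation time to within a day shrinks that to 86400.
    print("candidates within a known day:", candidate_space("2020-06-01", "2020-06-02"))
```

The reproducibility check is the one a code reviewer can apply to any password generator without reading its internals: a generator that cannot produce two different outputs for the same wall-clock second has no entropy beyond the clock.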

A series of fixes – a series because the initial Windows patch didn't work properly – was rolled out to the web, Windows, Android, and iOS versions between October and December 2019. And in October 2020, Kaspersky released KPM 9.0.2 Patch M, which included a notification to users that certain weak passwords needed to be regenerated.

The issue was assigned CVE-2020-27020, and Kaspersky published an advisory in April 2021.

"Kaspersky has fixed a security issue in Kaspersky Password Manager, which potentially allowed an attacker to find out passwords generated by the tool," a company spokesperson said in an email to The Register.

"This issue was only possible in the unlikely event that the attacker knew the user’s account information and the exact time a password had been generated. It would also require the target to lower their password complexity settings."

The company's spokesperson advised that all users install the applicable updates. ®
