[iueotnmunto]

If filesystem access is a legitimate concern, you have bigger problems. Even if passwords were secured by FIDO or similar, session tokens are not.

If you compromise a computer, you can compromise web sessions. There is no mitigation for this. Shame on the author for attempting to create panic when far more productive security can be achieved elsewhere.

[Gigachad]

I’m so sick of these security articles. It’s become a boy who cried wolf situation with endless articles claiming something is critically insecure when the situation involves the attacker basically having end game access and ability to do just about anything anyway.

[JacobSeated]

Compromised sessions is not necessarily a concern, unless the attacker has physical access to the location, since systems can detect if the location changes. E.g. Ip address change prompts the user. Not perfect, and hugely inconvenient for people with dynamic IPs.

AND filesystem access IS a concern, and that is not just if someone has physical access. E.g. You do not know for sure that the code running on your own system was designed with your interests in mind.

Intentionally or by mistake, a password database file could be leaked and broken into if uploaded to a server on the internet outside of your control, and if they also upload your encryption key along with it, goodbye passwords. It could be as simple as a piece of software uploading "telemetry" data, and "accidentally" including the password database from a browser along with the encryption key.

[hn_throwaway_99]

> Compromised sessions is not necessarily a concern, unless the attacker has physical access to the location, since systems can detect if the location changes. E.g. Ip address change prompts the user.

I don't think that's a valid approach anymore. FWIW I have coded these restrictions into auth tokens before (i.e. reject the auth token if it's from a new IP), but had to get rid of it because too many ISPs frequently change a user's IP address, especially mobile clients.

[MattPalmer1086]

You have misunderstood the threat. When an attacker gains a foothold in a corporate environment, they will immediately try to find any accessible credentials to assist in lateral movement.

If the user's passwords to the rest of the corporate systems are sitting unprotected in a browser password store, it is a gold mine.

Yes, they should have 2fa and single sign on and so on, but many places don't. The article isn't terrible, it's just pointing out something in browsers that works ok for home users but puts businesses at some risk.

[denton-scratch]

> When an attacker gains a foothold in a corporate environment, they will immediately try to find any accessible credentials to assist in lateral movement.

/me not a security expert. But isn't this the mistake I used to make for years: to believe that the hacker is a human, responding to his environment and making decisions? It took me a long time to acknowledge that nearly all network attacks are automated, and unless it's a highly targeted attack, the attack script won't care whether you're a corporation or a couch-potato in a basement.

[GekkePrutser]

The big news headlines like wannacry were fully automated. But one-trick ponies. If you had patched you were fine. What made it a problem was that so many hadn't.

But the sinister targeted ones where you only find out because someone is selling terabytes of confidential data, those are usually highly targeted and manual. It's very hard to automate and stay under the radar.

You need protection against both.

[denton-scratch]

> But the sinister targeted ones where you only find out because someone is selling terabytes of confidential data, those are usually highly targeted and manual.

It doesn't surprise me that "sinister targeted" attacks are also "usually highly targeted".

[GekkePrutser]

Lol yeah not my best writing. Agreed

[MattPalmer1086]

One thing I think isn't widely appreciated is that insecurity is a highly developed market.

People still have this idea of the lone hooded hacker doing everything from their bedroom.

In reality, people specialise in different aspects of cracking security and sell what they have to someone else. So someone is in the market for a zero day, or a compromised system in the government or a company, and they can just buy that.

For home users, the payoff isn't big enough to be worth more than automated type attacks. So you escape the human in the loop mostly.

[MattPalmer1086]

It can either be a human directing it once a foothold is established, or an automated attack. Initial compromise may be automated but lateral movement is harder to automate.

If you work on highly sensitive systems then you should expect a human in the loop at some point.

[denton-scratch]

> If you work on highly sensitive systems

I don't; I'm retired. I have only my home network to fret about. I don't have data to lose, but I don't want some rotter using my network to attack other networks. That rotter isn't going to set up automation to grab my family photos; but he'll use automation to attack other networks.

I've never worked with "highly sensitive systems", as far as I'm aware. I've only ever worked with systems that had the potential to wreck the company. I don't know if that counts, in your book.

[MattPalmer1086]

Potential to wreck the company counts pretty high in my book!

My own home security is merely adequate. I turn off things like upnp on the router. Disks and backups are encrypted. I don't worry overly much about it. If someone actually targets me it's probably game over, but it's ok against random script kiddies or someone stealing my computers.

[lmns]

>When an attacker gains a foothold in a corporate environment, they will immediately try to find any accessible credentials to assist in lateral movement.

So you think this isn't the case with home users? Maybe I still misunderstand the point that is being made here, but from my perspective it's only a matter of time until my encrypted password store gets exposed to the local attacker (as soon as I unlock it).

[MattPalmer1086]

I didn't say it wasn't a problem for home users. I said that the browser security model works OK for home users who aren't at all bothered by security unless it gets in their way, in which case they will switch to a product that doesn't. It's poor security but probably the best we can do by default.

So that default browser behaviour creates a risk that a business should acknowledge and assess.

A home user can of course also decide it's too risky, or that password managers are too risky and only a yubikey will do.

[kurupt213]

2fa doesn’t get triggered onsite for my employer, only remote IPs.

[MattPalmer1086]

Well, better than nothing. Most places I've worked do not have ubiquitous 2fa. And it's mostly just a gate to gain access, rather than something required to maintain access.

[ShowalkKama]

or he could simply wait until the employee unlocks his password manager and steal the password?

[MattPalmer1086]

That there exist additional attack vectors is not an argument to ignore one which is simple and requires no user interaction to pull off.

If your point is that password managers aren't a total solution to the issue, I'd agree.

[dustinmoris]

A hijacked session is bad, but nowadays not nearly as bad as a leaked password:

- Sessions can be linked to a user's location and/or browser finger print

- Sessions are short(er) lived

- Sessions can easily get invalidated (e.g. device wide logout)

- Almost all critical actions are behind additional security (e.g. can't change password without 2FA or change billing information without confirming password and/or 2FA in order to apply changes, etc.)

- Sessions are not shared across properties, whereas many users share their password across multiple internet sites/properties

[GekkePrutser]

> whereas many users share their password across multiple internet sites/properties

Does this still really happen??

I've given up that malpractice years ago.

Unfortunately it's very hard to gauge this in our company but I would hope users take their security training to heart.