[MattPalmer1086]

You have misunderstood the threat. When an attacker gains a foothold in a corporate environment, they will immediately try to find any accessible credentials to assist in lateral movement.

If the user's passwords to the rest of the corporate systems are sitting unprotected in a browser password store, it is a gold mine.

Yes, they should have 2fa and single sign on and so on, but many places don't. The article isn't terrible, it's just pointing out something in browsers that works ok for home users but puts businesses at some risk.

[denton-scratch]

> When an attacker gains a foothold in a corporate environment, they will immediately try to find any accessible credentials to assist in lateral movement.

/me not a security expert. But isn't this the mistake I used to make for years: to believe that the hacker is a human, responding to his environment and making decisions? It took me a long time to acknowledge that nearly all network attacks are automated, and unless it's a highly targeted attack, the attack script won't care whether you're a corporation or a couch-potato in a basement.

[GekkePrutser]

The big news headlines like wannacry were fully automated. But one-trick ponies. If you had patched you were fine. What made it a problem was that so many hadn't.

But the sinister targeted ones where you only find out because someone is selling terabytes of confidential data, those are usually highly targeted and manual. It's very hard to automate and stay under the radar.

You need protection against both.

[denton-scratch]

> But the sinister targeted ones where you only find out because someone is selling terabytes of confidential data, those are usually highly targeted and manual.

It doesn't surprise me that "sinister targeted" attacks are also "usually highly targeted".

[GekkePrutser]

Lol yeah not my best writing. Agreed

[MattPalmer1086]

One thing I think isn't widely appreciated is that insecurity is a highly developed market.

People still have this idea of the lone hooded hacker doing everything from their bedroom.

In reality, people specialise in different aspects of cracking security and sell what they have to someone else. So someone is in the market for a zero day, or a compromised system in the government or a company, and they can just buy that.

For home users, the payoff isn't big enough to be worth more than automated type attacks. So you escape the human in the loop mostly.

[MattPalmer1086]

It can either be a human directing it once a foothold is established, or an automated attack. Initial compromise may be automated but lateral movement is harder to automate.

If you work on highly sensitive systems then you should expect a human in the loop at some point.

[denton-scratch]

> If you work on highly sensitive systems

I don't; I'm retired. I have only my home network to fret about. I don't have data to lose, but I don't want some rotter using my network to attack other networks. That rotter isn't going to set up automation to grab my family photos; but he'll use automation to attack other networks.

I've never worked with "highly sensitive systems", as far as I'm aware. I've only ever worked with systems that had the potential to wreck the company. I don't know if that counts, in your book.

[MattPalmer1086]

Potential to wreck the company counts pretty high in my book!

My own home security is merely adequate. I turn off things like upnp on the router. Disks and backups are encrypted. I don't worry overly much about it. If someone actually targets me it's probably game over, but it's ok against random script kiddies or someone stealing my computers.

[lmns]

>When an attacker gains a foothold in a corporate environment, they will immediately try to find any accessible credentials to assist in lateral movement.

So you think this isn't the case with home users? Maybe I still misunderstand the point that is being made here, but from my perspective it's only a matter of time until my encrypted password store gets exposed to the local attacker (as soon as I unlock it).

[MattPalmer1086]

I didn't say it wasn't a problem for home users. I said that the browser security model works OK for home users who aren't at all bothered by security unless it gets in their way, in which case they will switch to a product that doesn't. It's poor security but probably the best we can do by default.

So that default browser behaviour creates a risk that a business should acknowledge and assess.

A home user can of course also decide it's too risky, or that password managers are too risky and only a yubikey will do.

[kurupt213]

2fa doesn’t get triggered onsite for my employer, only remote IPs.

[MattPalmer1086]

Well, better than nothing. Most places I've worked do not have ubiquitous 2fa. And it's mostly just a gate to gain access, rather than something required to maintain access.

[ShowalkKama]

or he could simply wait until the employee unlocks his password manager and steal the password?

[MattPalmer1086]

That there exist additional attack vectors is not an argument to ignore one which is simple and requires no user interaction to pull off.

If your point is that password managers aren't a total solution to the issue, I'd agree.