Yet another reason why you should use separate credentials for all online accounts and websites…
SMS messaging as a second factor of authentication is certainly better than nothing, but it is also a clear step backward compared to a physical or soft token.
Please take this situation into account if you are a LastPass user and patch your systems accordingly. Also, take additional precautions given the browser specific vulnerabilities that exist.
Browsers are getting marginally better in defending against compromise, especially with the progression of better sandboxing techniques, but some browsers are doing a better job than others.
Take a moment to read this article, watch the demonstrations, and then contemplate the implications. For a long time, protecting local administrative access meant protecting the confidentiality of the data stored on the server or PC tethered to those local admin credentials. This exploit / vulnerability / Windows feature (select your viewpoint here) changes the game and injects another leg of the security triad stool – integrity. Data stored or associated with a specific user session can be accessed as that user without compromising that user’s credentials and without leaving any significant forensic fingerprints.
This article alludes to the fact that Microsoft is well aware of this “feature” and most likely has no intentions of changing it. As such, we as IT security professionals and general IT practitioners must take necessary steps to mitigate the possibility of exploitation.
Not as if we needed another reason to disable TELNET on network devices, but this article is a great reminder. Please review your Cisco switch deployments and reconfigure as needed.