Password managers share a hidden weakness

Source: WIRED

📂 **Category**: Security,Security / Cyberattacks and Hacks,Security / Privacy,Security / Security News,Security Roundup


An FBI informant helped run the Incognito dark web marketplace and allegedly agreed to sell pills laced with fentanyl, including those offered by a dealer linked to a confirmed death, WIRED reported this week. Meanwhile, Jeffrey Epstein’s ties to CBP officers sparked a Justice Department investigation. Documents indicate that Customs and Border Protection officers in the U.S. Virgin Islands were still friendly with Epstein years after his 2008 conviction, illustrating the notorious sex offender’s tactics to win allies.

WIRED has published a guide detailing expert tips and favorite tools for surveillance-resistant organizing and collaboration. In an opsec failure, comments and other metadata left on a PDF detailing DHS’s proposal to build “mega” detention and processing centers reveal the DHS employees involved in creating the plan. The Department of Homeland Security is taking steps to integrate facial and fingerprint technologies into a central database that can be searched across all its agencies.

Concerns about possible drug cartel drone activity over Texas sparked recent airspace closures in New Mexico and El Paso, Texas, but the incident ultimately highlighted the challenges of safely deploying anti-drone weapons near cities. A database left accessible to anyone online contains billions of records, including passwords and Social Security numbers. The situation is by no means unique, but it highlights the ongoing potential risks of identity theft since it appears some data has yet to be exploited by criminals.

If you’re looking to make $10,000, the Fulu Foundation — a nonprofit that pays bounties for removing user-hostile features — is looking for a way to use Ring cameras while preventing them from sending data to Amazon. The Mexican city of Guadalupe, which will host parts of the 2026 World Cup, will deploy four new robotic dogs to help provide security during matches at BBVA Stadium.

But wait, there’s more! Every week we round up security and privacy news that we haven’t covered in depth ourselves. Click on the titles to read the full stories. And stay safe out there.

We at WIRED have recommended password managers for years. They’re arguably the only practical and convenient system for creating and enforcing unique and strong enough passwords across every online account in your life. But the risk — at least when using cloud-based password managers that back up your credentials and make them accessible across devices — is that the password management company itself becomes a vulnerability. If one of these companies is hacked or experiences a data leak, that could expose countless confidential credentials.

Password management companies have responded to these concerns with promises of “zero-knowledge” systems, in which credentials are encrypted so that even the companies themselves can’t access them in an unencrypted state. But a new study by security researchers at ETH Zurich and USI Lugano shows how often these claims show cracks — or fail altogether if a malicious insider or hacker is skilled enough at exploiting encryption flaws.

The researchers specifically analyzed password managers from Bitwarden, Dashlane, and LastPass — though they cautioned that their findings likely apply to others as well — and found that they can often access users’ credentials. In some cases, they can access users’ entire password “vault” or even gain the ability to write to those vaults at will. The encryption vulnerabilities they found varied among password managers and only existed when certain features were enabled, such as key security systems that allow for the backup and recovery of passwords. But they also say that many of the flaws they discovered were relatively minor and show a lack of scrutiny around password managers’ “zero-knowledge” claims.

Increasingly, it appears that no part of American society has escaped mention in newly released emails of the late convicted pedophile and sex trafficker Jeffrey Epstein — including the cybersecurity and technology community represented at the Defcon hacking conference. Defcon this week formally banned three people whose ties to Epstein appeared in the Justice Department’s incomplete, highly redacted release of documents related to Epstein: cybersecurity entrepreneur Vincenzo Iozzo — who has already been removed from a review board on the website of Black Hat, Defcon’s big sister conference — as well as former MIT Media Lab director Joichi Ito and technology investor Pablos Holman. (An Iozzo spokesperson said the ban was “performative” and not based on any “wrongdoing,” in a statement to TechCrunch, while Holman and Iozzo did not respond to the company’s requests for comment.) The three men had extensive interactions with Epstein, including long after his identity as a sex offender and human trafficker was exposed both in court and in extensive media reporting.

For more than two decades, the government domain “freedom.gov” has been used for news and “victory” information about the war in Iraq. Since the domain was re-registered on January 12, after years offline, it has become part of the State Department’s effort to create an anti-censorship “website”, according to a Reuters report this week.

The report says the portal may have been created to “enable people in Europe and elsewhere” to see content blocked by their governments, citing hate speech and terrorism-related content as examples. The website may include VPN technology to circumvent geolocation blocking. The development of the site, which could help further break down various internet freedom regimes and political tensions between the United States and Europe, comes at a time when many US government-funded internet freedom programs have been shut down.


🕒 **Posted on**: 1771701333
