KeePass looter: Password plunderer rinses pwned sysadmins

Kiwi hacker Denis Andzakovic has developed an application that steals password vaults from the popular local storage vault KeePass. The jeu de mots KeyFarce works when a user has logged into their vault, and will dump the contents to a file that attackers can steal. It is no death knell for KeePass or other password managers …

  1. raving angry loony

    When spelling is important.

    KeePass or KeyPass? Two different products, but you seem to use the terms interchangeably in the article. Which one are you actually talking about? It's not Friday yet.

    1. chivo243 Silver badge

      Re: When spelling is important.

      I think it's a typo, they start talking about Keefarce then forget to change kee back to key?

      1. Chronos

        Re: When spelling is important.

        Whichever it is, the lesson is clear: Never leave your password manager's database unlocked if you're not using it. As I read the article, the password manager isn't the issue; it's a case of PEBKAC and insecure memory. It's also Windows only as it's talking about dll entry points but don't let that stop you from closing your KeePassX database, just in case. If it can be done there, it can probably be done elsewhere as well.

        This may also be a good time to set a nice, strong password on your browser's password store, too.

        1. Thunderbird 2

          Re: When spelling is important.

          Haven't used PEBKAC in a long while

          been using the friendlier acronym PICNIC

          Problem In Chair Not In Computer

        2. I_am_Chris

          Re: When spelling is important.

          I set a timer on my database. It is never open for more than 30sec.

        3. tony2heads

          Re: When spelling is important.

          DLL problem

          Does that mean the portable version is OK?

        4. inmypjs Silver badge

          Re: When spelling is important.

          "Never leave your password manager's database unlocked if you're not using it."

          If your machine is compromised with a trojan running and waiting for an instance of keypass to attach to, you are going to lose all your passwords the first time the database is unlocked.

          Your 'clear lesson' typically isn't going to protect passwords for more than a couple of hours.
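          The 30-second timer that I_am_Chris describes, and the caveat from inmypjs that a timer only bounds the exposure window rather than removing it, both map onto settings in KeePass 2.x's configuration file. The fragment below is an added example and is not taken from the article or from any commenter; the element names are reproduced from memory of the KeePass 2.x KeePass.config.xml layout and should be checked against your own file (next to KeePass.exe for a portable install, otherwise under the user's %APPDATA%\KeePass), and the values are the illustrative choices made here, not defaults.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: a trimmed KeePass 2.x configuration showing only the
     locking and clipboard settings discussed in the thread. Element names
     are from memory of KeePass.config.xml and should be verified against
     the file KeePass writes on your own machine. -->
<Configuration>
  <Security>
    <WorkspaceLocking>
      <!-- Seconds of inactivity before the workspace locks. A locked
           workspace has no unlocked database for a memory dump to read.
           30 matches the timer mentioned above. -->
      <LockAfterTime>30</LockAfterTime>
      <!-- Absolute limit in seconds since the database was opened,
           regardless of activity. 0 disables it. -->
      <LockAfterGlobalTime>600</LockAfterGlobalTime>
      <!-- Lock when the user locks the desktop, switches session,
           suspends, or minimises KeePass. -->
      <LockOnSessionSwitch>true</LockOnSessionSwitch>
      <LockOnSuspend>true</LockOnSuspend>
      <LockOnWindowMinimize>true</LockOnWindowMinimize>
    </WorkspaceLocking>
    <!-- Clear a copied password from the clipboard after this many
         seconds, and always clear it when KeePass exits. -->
    <ClipboardClearAfterSeconds>12</ClipboardClearAfterSeconds>
    <ClipboardClearOnExit>true</ClipboardClearOnExit>
  </Security>
</Configuration>
```

          None of these settings protects a database while it is open: code already running in the user's session, whether an injected DLL or a key-logger, gets its chance at the next unlock, which is the point inmypjs makes above. What they do is shorten the window in which an unlocked vault sits in memory, and make the window close automatically rather than relying on the user remembering to lock it.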

    2. SolidSquid

      Re: When spelling is important.

      Since this is a proof of concept I suspect it would work with either one, but considering the name, Keepass is probably the one they used for demonstration purposes.

  2. Anonymous Coward

    Of course I read this

    just after I dumped LastPass for KeePass ...

  3. Inventor of the Marmite Laser Silver badge

    KeeFarce works by leveraging DLL injection

    KeeFarce works by using DLL injection

    TFIFY

    1. Martin-73 Silver badge

      Re: KeeFarce works by leveraging DLL injection

      THANK you. Leveraging is one of those neologisms I can't stand

      1. Anonymous Coward

        "Leveraging is one of those neologisms"

        Indeed.

        Managerspeak for "getting more out of less", e.g. more work out of less "resources" (another one, meaning "employees" or "people")...

        1. Anonymous Coward

          Re: "Leveraging is one of those neologisms"

          > "resources" (another one, meaning "employees" or "people")

          Or carbon paper.

          http://dilbert.com/strip/1993-03-03

  4. I_am_Chris

    Windows-only

    This only affects KeePass2 on Windows. KeepassX on Mac and Linux shouldn't be affected. Although, it will be vulnerable to similar exploits on those systems.

    1. Jim 59

      Re: Windows-only

      Ditto on Android - keepassdroid

  5. Khaptain Silver badge

    Extremely Dangerous

    This is far more dangerous than just gaining access to a server. Any Admins on here will undoubtedly have passwords stored for much or all of their other equipment.

    Domain Admins passwords

    Switches,

    Routeurs,

    RDP Sessions to other sites.

    (S)FTP servers.

    SSH login with possibly the keys.

    Building access codes.

    Extranets.

    Web Serveurs

    and the list goes on.

    What advice does anyone have to offer?

    1. Somone Unimportant

      Re: Extremely Dangerous

      Three options spring to mind.

      1 - run up keypass on an iPhone or Android device and use the file exclusively there. I have a keypass compatible app on my BlackBerry Classic and do just that, then just use my PC as a backup location for the keypass encrypted data file.

      2 - run keypass for windows inside a VM on your desktop, and don't give the VM any network connectivity - almost like an air-gap system. It's harder to backup the keypass file but it can still be done - or you can backup the VM that runs it.

      3 - or for the completely paranoid of us, just run an air-gap system for some really sensitive stuff.

      I'd be more worried about keyboard grabbers intercepting copy/paste traffic as I paste usernames and passwords into fields myself.

    2. Stuart 22

      Re: Extremely Dangerous

      "What advice does anyone have to offer?"

      Don't keep anything that really needs to be secure on a Windows PC. That's nothing to do with how secure Windows is - but that any flaw is going to be exploited to a far higher degree than on any other OS. It's just not worth it for most blackhats to go after Linux or MacOS when there are so many rich pickings elsewhere. Security by obscurity is a layer not to dismiss lightly.

      Hence those of us who use KeePass on Linux/MacOS are shifting uneasily in our seats but far from panicking. But what news of a rewrite? I'm guessing this needs much more than a patch to sort.

    3. Anonymous Coward

      Re: Extremely Dangerous

      Qu'est-ce que c'est "Routeur" - Is it a router?

      1. Khaptain Silver badge

        Re: Extremely Dangerous

        Mes excuses pour cette petite faux pas, yes I meant to write Router...

        French is my daily language et c'est vraiment facile to confondre the words qui sont very similar... Malgré the fact que je suis an English speaker, beaucoup de ce que j'ai learned en IT was appris en French..

        And oui, je trouve that it is parfois easier to parler Franglais.

    4. Schultz

      What advice does anyone have to offer?

      It comes down to decreasing the attack surface - so best use a device with small online presence to store your passwords. I wonder if a sandboxed 'secure' phone (i.e. Samsung Knox) or an offline virtual machine might help? Unfortunately I know little about how / how well that should work. Maybe somebody here can explain.

  7. Anonymous Coward

    This is good to know but not enough to make me move away from KeePass just yet (especially after I've not long ditched LastPass). The way I see it every site requires a password and there's a limited amount of space in my head for strong passwords so I'm going to have to write down passwords somewhere. KeePass seems like a decent option for storage of those passwords: it's with me most of the time and it's easy enough to use. I actually suspect a piece of paper would be more secure but it would certainly be less convenient.

    I see security as being a bit like running away from a hungry bear. You don't need to be the fastest runner you just need to be faster than the slowest guy.

  8. Ben Liddicott

    Arrows go in quivers, bows have extra strings

    Also, this requires the attacker to be already running code at the user's current level of privilege - in which case they can install a key-logger and swipe the file.

    Nothing to see here.

    1. Aedile

      Re: Arrows go in quivers, bows have extra strings

      Actually a key logger may be ineffective in swiping passwords from KeePass. In the program you can select auto-type. No actual typing occurs so if a key logger is watching for key presses it will get nothing. Another option is copying the password to the clip board and then pasting it onto the site. The program wipes the clip board after something like 10 seconds so it can't be copied later. This also should defeat key loggers.

      I keep my KeePass files on a usb stick which is only attached to my computer when logging in. Would this exploit be able to still get the info?

      1. Khaptain Silver badge

        Re: Arrows go in quivers, bows have extra strings

        Yes, because it is a DLL exploit and the fact that you run keepass.exe is all that is required on your behalf (it also requires that the program/hack be in memory)... The physical support has no bearing on the hack.

        In fact that very hack/virus/proof of concept could actually be hiding on your USBKey....just waiting for delivery......

  9. Graham Cobb Silver badge

    Still better than a password-protected MS Office document!

    This is a good wake-up call to those of us who use password managers. The password manager is only as secure as the system it runs on.

    So, when deciding whether to use a web-based or local password manager you have to assess whether your machine or the web company is more likely to be compromised. It is a hard call: the web company have a lot more resources available to protect things, but is a MUCH more valuable target so is under lots of threats; I am careful on my machines but some of them are likely to have significant zero-day vulnerabilities (such as phones).

    It is certainly a reminder to make sure you separate information into separate databases as much as possible, possibly on different systems/services. Certainly keep really critical passwords (personal bank account, maybe domain administrator account) either in your head or, at least, in small databases, so it is less likely you have opened them before you discover the machine/service has been compromised.

    1. Jim 59

      Re: Still better than a password-protected MS Office document!

      So, when deciding whether to use a web-based or local password manager you have to assess whether your machine or the web company is more likely to be compromised...

      Unless you are *paying* the cloud provider to hold your data securely, under a contract with appropriate penalties should there be a security breach, there isn't really any security at all. What I am saying is, the free cloud providers have no interest in your security, and owe you nothing, because you are not paying for the service. Anyone in doubt of that can see the T&Cs.

  10. silent_count

    So this is like the JPG 'virus'.

    It is another permutation of, "if someone has admin on your system, they can do $BAD_THING".

  11. batfastad

    LastPass? I'll pass.

    It's fine as I use LastPass because it's much easier to just let someone else have all my passwords, all in one convenient place, which is somewhere else, someone else's cloud presumably. They take great care of them for me.

    All your passwords are belong to ------------------------------------>

  12. allthecoolshortnamesweretaken

    Hmm

    I followed the link in the article - I need to give my bike a makeover!

  13. Daniel Voyce

    But for clarification....

    This would only be a problem if you were using NTLM logins with Keepass, surely Password vaults that are protected with only a master key wouldn't be vulnerable to this?
