Archive for January, 2009
Keepass Password Safe
I have always been a skeptic of password keepers. Putting all of your passwords in one place was never really an appealing idea. What happens if someone gets a copy of it and tries to brute force it? My train of thought always led me to not wanting to put all my eggs in one basket.
But what if that basket required two factor authentication (ooooh) and was encrypted with an AES 256bit key (aaaah)?
Keepass is one of those programs that I just started using and wondered how I ever got on without it. It has a nice security feature that you can enable, which makes use of a key file, generated with the help of random mouse movements and random keyboard strokes (mash the pad).
You then need a combination of this key file and a password to gain access to the database. This is essentially a master password to all your other passwords, so make sure it’s not something simple to guess. In fact, using a passphrase with a few complex characters isn’t a bad idea either.
Brute force attacks are also hampered by encrypting the actual key a configurable number of times – you choose the count. Increasing this number increases how long it takes to open the password database on your computer, but it also increases the time required for each attempt in a brute force attack. If it takes a second longer to open on your computer, this would mean an exponential amount of time until the brute force attack was successful (if the attacker was still alive by then!).
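The two ideas above, combining a password with a key file into one master key and stretching that key with a configurable round count, are shown together in the following added example. It is not KeePass's own code: the composite key is modelled here as SHA-256(SHA-256(password) || SHA-256(key file)), and the "encrypt the key X times" step is modelled with chained SHA-256 rounds instead of KeePass's AES-based key transform. The function names, the seed, and the sample key file are constructed for the illustration.

```python
# Added example (not KeePass's code): how a password and a key file combine
# into one composite key, and how a configurable round count makes every
# unlock attempt, legitimate or brute-forced, pay the same fixed cost.
# Assumption: composite key = SHA-256(SHA-256(password) || SHA-256(key file));
# the key transform is chained SHA-256 rather than KeePass's AES transform.
import hashlib
import hmac
import time
from typing import Optional


def composite_key(password: str, key_file: Optional[bytes]) -> bytes:
    """Fold all supplied credentials into one 32-byte key.

    Both factors are hashed before concatenation, so neither the password nor
    the raw key-file bytes are used directly as key material. Leaving the key
    file out yields a completely different key, which is why a stolen database
    plus a guessed password is not enough on its own.
    """
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        material += hashlib.sha256(key_file).digest()
    return hashlib.sha256(material).digest()


def transform_key(key: bytes, seed: bytes, rounds: int) -> bytes:
    """Stretch the composite key with `rounds` dependent iterations.

    Each round consumes the previous output, so the work cannot be skipped or
    parallelised within a single guess: an attacker trying N passwords has to
    perform N * rounds iterations, the cost the legitimate user pays once.
    """
    if rounds < 1:
        raise ValueError("rounds must be at least 1")
    k = key
    for _ in range(rounds):
        k = hashlib.sha256(seed + k).digest()
    return hashlib.sha256(k).digest()


def unlock(password: str, key_file: Optional[bytes], seed: bytes,
           rounds: int, expected_key: bytes) -> bool:
    """True only if the password AND the key file reproduce the stored key."""
    candidate = transform_key(composite_key(password, key_file), seed, rounds)
    return hmac.compare_digest(candidate, expected_key)


def calibrate_rounds(target_seconds: float, sample_rounds: int = 20_000) -> int:
    """Pick a round count that costs about `target_seconds` on this machine.

    Same idea as tuning the unlock delay to a wait you can live with:
    time a sample and scale linearly.
    """
    start = time.perf_counter()
    transform_key(b"\x00" * 32, b"\x01" * 32, sample_rounds)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(1, int(sample_rounds * target_seconds / elapsed))


def brute_force_cost_seconds(seconds_per_unlock: float, guesses: int) -> float:
    """Total attacker time: every candidate pays the full per-unlock cost."""
    return seconds_per_unlock * guesses


if __name__ == "__main__":
    # Constructed sample values; a real key file would be random bytes.
    seed = b"\x42" * 32
    key_file = b"constructed-key-file-contents"
    rounds = 50_000
    stored = transform_key(composite_key("correct horse battery", key_file), seed, rounds)
    print("right password + key file  :", unlock("correct horse battery", key_file, seed, rounds, stored))
    print("right password, no key file:", unlock("correct horse battery", None, seed, rounds, stored))
    print("rounds for ~1 s on this box:", calibrate_rounds(1.0))
    print("1 s per unlock, 10^6 guesses:", brute_force_cost_seconds(1.0, 10**6) / 86400, "days")
```

Note that `unlock` fails when the key file is missing or wrong even with the correct password, which is the two-factor property the post relies on, and that the attacker's total cost grows in direct proportion to the round count you choose, so the delay you accept at each unlock is the delay you impose on every one of their guesses.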
A few points about Keepass
- It is quite flexible in setting timeouts and lockout actions (lock and minimise to tray after x, remove text from clipboard after x, etc).
- The entire contents of the database is encrypted – titles, usernames, notes, and of course, passwords.
- You can use keyboard shortcuts to enter usernames and passwords into fields in web browsers, avoiding the clipboard. This means you can have huge passwords and never have to remember them, or even type them.
- You can add attachments, though this greatly increases the amount of time needed to encrypt and decrypt the database.
Yes, again. Another security vulnerability has reared its head. The fix is exactly the same as the last one – a short delay in message delivery will be incurred, but nothing major (no reboot).
I’ve had some of the following thoughts for a while now.
Breaking out the BlackBerry router, yeah not a bad security consideration, but what about the attachment service? Take a look at most of the vulnerabilities reported in the list below. Most vulnerabilities associated with BES are to do with the attachment server.
http://www.blackberry.com/btsc/RSS-sec/servlet/RSS
- Vulnerabilities in the PDF distiller of the BlackBerry Attachment Service for the BlackBerry Enterprise Server
- Vulnerabilities in the PDF distiller of the BlackBerry Attachment Service for the BlackBerry Enterprise Server
- Updating the Microsoft GDI component that the BlackBerry Attachment Service uses
- Corrupt PNG file may cause heap overflow in the BlackBerry Attachment Service
- Corrupt Word file may cause buffer overflow in the BlackBerry Attachment Service
- Corrupt TIFF file may cause heap overflow resulting in Denial of Service in the BlackBerry Attachment Service
There were some with the BlackBerry Router and some with the BlackBerry Browser as well, but most are to do with the Attachment Service. To me, this seems like a great opportunity to put pressure on the powers that be to break out the attachment service to a separate box, for two reasons.
Security. If the Attachment Service is broken out and it gets compromised, it’s not as big a deal. Put it in a quarantined network with a subnet set to only allow two usable IP addresses (router and box), firewall the hell out of it and call it a day. Not much chance of someone launching an attack from there, even if that box is completely compromised.
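The quarantine design above, a subnet with room for only the router and the attachment box plus a default-deny firewall on the box, as an added example that is not from the post or from RIM. It derives the /30 that holds exactly two usable hosts and emits an nftables ruleset for the attachment host that admits nothing except the router talking to the service port. The addresses and the port number are constructed placeholders, not real BES values.

```python
# Added example (not from the post or BlackBerry): carve out the smallest
# subnet that can hold only the BlackBerry Router and the Attachment Service
# box, and generate a default-deny nftables ruleset for the attachment host.
# All addresses and the service port are constructed placeholders.
import ipaddress
from typing import List


def quarantine_subnet(router_ip: str, attachment_ip: str) -> ipaddress.IPv4Network:
    """Return the /30 containing both hosts; a /30 has exactly two usable addresses."""
    router = ipaddress.ip_address(router_ip)
    attachment = ipaddress.ip_address(attachment_ip)
    if router == attachment:
        raise ValueError("router and attachment host must differ")
    net = ipaddress.ip_network(f"{router_ip}/30", strict=False)
    hosts = set(net.hosts())
    # Both must be usable hosts of the same /30 (neither the network nor the
    # broadcast address); then nothing else can share the segment.
    if router not in hosts or attachment not in hosts:
        raise ValueError(f"{router_ip} and {attachment_ip} do not share a usable /30")
    return net


def usable_hosts(net: ipaddress.IPv4Network) -> List[str]:
    """The addresses a host could take on this segment."""
    return [str(h) for h in net.hosts()]


def nftables_policy(router_ip: str, attachment_ip: str, service_port: int) -> str:
    """Default-drop policy for the attachment host.

    Inbound: only the router may open connections, and only to the service
    port. Outbound: the host may answer existing connections but open none of
    its own, so a compromised attachment service has nowhere to go.
    """
    net = quarantine_subnet(router_ip, attachment_ip)  # validates the pair
    return "\n".join([
        "table inet attachment_quarantine {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        "    ct state invalid drop",
        f"    ip saddr {router_ip} ip daddr {attachment_ip} "
        f"tcp dport {service_port} ct state new accept",
        "  }",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    oif lo accept",
        "    ct state established,related accept",
        "  }",
        "}",
        f"# segment {net}: usable hosts {', '.join(usable_hosts(net))}",
    ])


if __name__ == "__main__":
    # Constructed placeholder addresses and port.
    print(nftables_policy("10.0.0.1", "10.0.0.2", 9999))
```

If the attachment box legitimately needs to reach anything else (the BES itself, a patch server), add an explicit `output` rule for that one destination and port rather than loosening the default; the point of the segment is that every permitted flow is written down.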
Performance. Attachment server chews up the processor. Breaking it out would increase performance on the BES as well. Two birds with one server.
Anyway. Just some thoughts I’ve had for a while now, wanted to share.
