Password Security, from a man with no background, but a love for EnPass IO.

In the digital age, we store everything from photos of families, invoices and financial documents, to our login details to every service we utilizing, on a PC or smartphone, right? So, it is little question why security is a subject upon everyone’s lips. The security game keeps changing, but in 2016/7 a new crave hit my fancy, password managers.

The whole premise of a password manager is to store a key and username for accounts in an encrypted database, allowing the use of a master password to retrieve the credentials upon request – nifty.

Storing a local database that houses both the username and password to a multitide of accounts? Sounds risky, right? Not if you use the right methodology (or, tool)! There are a large array of posts about “should you trust password managers“, and I tend to be concerned about the security surrounding the product as well, but let me tell you the 5 key benefits to implementing a password manager as one solution to your security, that make it worth while:

  • Being able to use unique passwords per service reduces the risk of cross-service exposure should your password be leaked;
  • Being able to generate “strong” passwords based on requirements allows for a more randomized and secure approach to accounts;
  • Being able to ensure your passwords are stored in a centralized encrypted database, as compared to “passwords.txt”;
  • Allowing restricted access to your personal data (such as licenses, two-step codes etc.) in a restricted application amplifies security and;
  • Prevents you from forgetting passwords (and therefore, making easy-to-remember passwords, or repeating them cross-site)

Now, I would consider password managers as one layer to password security. When implementing a secure process for storing logins, one can never be too careful. For example, to ensure the integrity of my data stays secure (or at least, more secure), I implement the following approach to my digital accounts:

  • I use 1Password to store my usernames to services, with the password field being a reference;
  • I use EnpassIO to reference the password codename to the actual password and;
  • I use Google Authenticator to provide a 2-Step Authentication approach.

This ensures that without access to both databases, there is no ability to compromise my accounts – the master passwords to both are unique and not recreated for any other service.

So, by relying on 3 unique services to all work in cohesion with one another for access to my accounts, I have improved the security layers surrounding my accounts. It is, however, worth mentioning that implementing 2-Step Authentication adds another layer of complexity to the account process. We will post more about two-step authentication in future posts.

Continue reading

RansomeWare, oh the joys it brings.

RansomeWare has been on an upward trend, notably so in Quarter 3 and 4 of 2016. The main targets shifted from phishing links with a drop of 50% (Source: Proofpoint) to RDP. According to Webroot, two thirds (66%) of Ransomeware Infections in Q1 2017 where delivered by RDP.

For those who are unfamiliar with the term, Ransomeware can be summarised as:

Ransomware is a type of malicious software that blocks access to the victim’s data or threatens to publish or delete it until a ransom is paid.

Source: RansomeWare – Wikipedia

However, RansomeWare is categorised  as a form of cryptoviral extortion; it is an act of CryptovirologyMoti Young published his findings of cryptoviral extortion (Cited entries can be read here) where the process was further discussed in 3 key phases:

  1. [attacker→victim] The attacker generates a key pair and places the corresponding public key in the malware. The malware is released.
  2. [victim→attacker] To carry out the cryptoviral extortion attack, the malware generates a random symmetric key and encrypts the victim’s data with it. It uses the public key in the malware to encrypt the symmetric key. This is known as hybrid encryption and it results in a small asymmetric ciphertext as well as the symmetric ciphertext of the victim’s data. It zeroizes the symmetric key and the original plaintext data to prevent recovery. It puts up a message to the user that includes the asymmetric ciphertext and how to pay the ransom. The victim sends the asymmetric ciphertext and e-money to the attacker.
  3. [attacker→victim] The attacker receives the payment, deciphers the asymmetric ciphertext with his private key, and sends the symmetric key to the victim. The victim deciphers the encrypted data with the needed symmetric key thereby completing the cryptovirology attack.The symmetric key is randomly generated and will not assist other victims. At no point is the attacker’s private key exposed to victims and the victim need only send a very small ciphertext to the attacker (the asymmetric ciphertext).

 

Looking at the latest WannaCry breakout, the process can be defined as the following 5 steps:

Trend Micro – WannaCry Blog Post

The process adopted here follows the ruleset of Moti’s assumption, whilst also leveraging SMB faults to spread through networks.

Further investigation on this fault will be documented at a later stage.

On a side note, WannaKey? This tool may help recover WannaCry files.

Continue reading