Installing the KeePass Password Manager

Today I want to walk through installing the KeePass password manager on Windows 10. This post will explore downloading, installing, and first steps to using a local password manager. The end result, for those who follow these steps, will be an encrypted password generation and storage mechanism.

Setting Up KeePass

Download KeePass

The first step in the process is downloading the installer. From the KeePass download page, there are options for both the installer and the portable package. While this post will be focused around installing the software on Windows 10, the portable option provides a good solution for users who need their passwords on multiple machines.

KeePass Download Page

Choose the installer and then save the file to disk.

Save Installer

Once downloaded, navigate in Explorer to wherever the file was saved. Usually, this is in C:\Users\$USER\Downloads. Double-clicking the installer will launch the process. After Windows User Account Control confirms permission to proceed, the KeePass installer will launch. The following series of images illustrates the install process.

Installing KeePass

First, select the install language.

Select Language

The license agreement is next. Be sure to read this before selecting “I accept the agreement”, which is required in order to proceed.

Accept License Agreement

I generally don’t mess with the install path, but if you have a desire, the next dialogue allows for definition of where KeePass will be installed on the system.

Choose Install Path

Another area that I typically don’t mess with, the component selection dialogue lets users take more control over what components of KeePass are installed.

Select Install Components

Yet another menu that requires no changes, the options pictured below ensure that KeePass recognizes the .kdbx file extension, as well as letting the user decide if a desktop and/or Quick Launch shortcut should be created.

Additional Tasks

With all the options configured, take a moment to look over the install configuration before proceeding.

Confirm Install Options

And we’re off to the races! In a few moments KeePass will be installed on the local system.

KeePass Installing

Once installation completes, launching KeePass will take us into the next steps to configure a password database.

Launch KeePass

Using KeePass

Launch the Program

If you accepted the install defaults, there is an icon on the desktop. Otherwise, find the launcher in the Start menu. KeePass walks users through the basic steps of setting up a database.

Configuring New Database

Select the path and file name that will become the password database file.

Select Password Database Path

The next step is to define the master password. This is the one password which users need to remember to access all the other passwords. Generally, I encourage users to use a passphrase rather than a password, for increased security.

Configure Master Password

Presuming both entries match, selecting “OK” will take us into some additional database settings. Again, since we’re just covering the basics of KeePass, I won’t be covering these today, but I encourage users to explore these other options.

Additional Database Settings

The last step in the setup is to print the KeePass Emergency Sheet. Print this off, fill out the details, and keep it safe as this will contain the details to gain access, should someone need it.

KeePass Emergency Sheet

And finally, we’re presented with the KeePass interface. In a later post, we’ll work with creating, editing, and using various entries, and how to put KeePass to work generating, and protecting, your passwords from prying eyes.

MyDatabase Running

There are several default entries and categories within a default KeePass database. I highly recommend exploring the entries that are available, learning the options, and making some mistakes with passwords that don’t matter before you start entering passwords on which you depend into KeePass.

Conclusion

If you’ve followed along at home, we’ve successfully installed, configured, and started using the KeePass password manager. While this post was written to demonstrate the process on a Windows 10 machine, KeePass also runs on Linux and Mac. In the next post, I’ll cover some notes on general usage of KeePass and the use of online alternatives. The goal here is to get readers to understand the benefits of using a password manager, and to illustrate the ease with which they can be implemented. I hope you’ve found this post to be informative and I appreciate the time you’ve taken to read it. Remember that we live in a hostile world and it is important to take measures to protect yourself!

Self Doxing: Loose Lips Sink Ships

Talk too much

For anyone who spends any time reading my content, you may remember a recent post that outlines my thoughts on the general basics of Operational Security. A well timed tweet last week, sparked by this article, kicked off some interesting conversations around the topic which resulted in the series of thoughts that sparked what you’re reading now. During the interactions on Twitter, one tweet in particular hit on several areas that I observe to be blatantly prevalent as I travel, work in the field, or observe people in general daily life.

Since these were called out by others during the conversation, and I have had the (mis)fortune of running into some of them recently, I figured I’d expound on the topics. In my normal fashion, I thought some anecdotes could help drive the visibility up a bit and hopefully get some of you thinking a little differently about how you handle yourselves in public.

What is “Doxing”?

First, a little background. Somewhere along the line “doxing” became a recognized form of internet attack. Basically, this tactic requires the attacker(s) to scour internet resources to gather information on a targeted individual, and then broadcast personal or private information about that person. While the point of this article is not to go in-depth into the world of doxing, some high profile examples are outlined on the Wikipedia page covering the topic.

Typically, attackers will use the collected information to put pressure on targets, or to put them at risk in the most severe circumstances. While this most often is the result of actions taken by attackers against us, all too often people fall victim to “self-doxing”. In these instances, inattention to details or surroundings falsely convinces a person that they are in a safe place to divulge certain information. All of these vectors are viable and often employed ‘in the wild’. As an attacker, I exercise these skills without even thinking about it. Here is my take on the subject:

Shoulder surfing

I was sitting aboard a flight recently, exit row aisle seat. I had been drawn to one particular individual who’d caught my attention through his generally boisterous nature during the boarding process. His holier-than-thou arrogance dripped off him, much like the aroma of the Tommy cologne he must’ve bathed in that morning. My eyes, closed as usual to appreciate the sensation of takeoff, opened when the flight attendant came over the PA with an annoyed tone. Her reminder to remain seated through the ascent was prompted by Mr. Important as he was standing in the aisle 2 rows ahead of me, digging his laptop from his belongings in the storage compartment above.

When he settled back into his seat, I couldn’t help myself but to get a peek at what was so pressing. In the hour that followed, I caught sight of documents his company surely wouldn’t want outsiders to see. I didn’t take photos for proof but I’m pretty sure capturing these documents would have been fairly easy to do. I also saw other juicy tidbits like contact information for others within Mr. Important’s company. Were I a bad guy, I could have leveraged the information here in a social engineering campaign to gain access to more sensitive information, and potentially unauthorized access into the company itself.

It’s wise to be mindful of your surroundings, especially when traveling. You never know who’s watching so exposing sensitive data should always be considered a risk in public. These things can usually wait until you’re in a private place where prying eyes are not a concern. However, if you must touch sensitive data in public, use a privacy filter to reduce exposure to onlookers.

Passive conversation listening

I ran into two separate instances on the same trip recently, where the information divulged in conversation provided me with enough information to identify the individuals, and gather significant pieces of private information about them, to make a significant impact upon their personal lives. I wanted to share these experiences here in hopes that we can reduce the number of times so much information is divulged in such a short time.

Mary Loves to Fly

I’d never met Mary before. Nothing about her caught my attention. She was already in the middle seat, one row behind me, when I settled into mine. As the plane filled, conversations rambled as they do, and when Mary’s travel neighbors settled in, she chatted up a storm with Lucy in the window seat next to her. Now I am usually a pretty passive listener, a skill honed over a lifetime which lets me parse conversations and pick up on valuable tidbits. It’s quite nice for drowning out the general drivel of small talk while still letting me tune in when the conversation turns juicy.

A few minutes into Mary’s conversation with Lucy and I was gleaning bits and pieces of data that officially had me tuned in. Mary had given up her last name within minutes, as well as her husband’s name (he was sitting up in first class, but she thought the upgrade was not worth the cost) and the names of their 3 kids who were waiting for them on the other side of the flight. By the time we touched down I knew cities of residence, places of employment, and names. With a little OSINT gathering, there was enough public record and social media interaction to provide me with a full profile of all 5 members of this family.

Alexis and Her Lexus

On this same business trip, I was out to dinner at a local establishment. I sat at the bar and soaked up the atmosphere of the locals. 3 middle-aged men were at one corner of the bar sharing all kinds of tall tales, and taking their opportunities to hit on the young bartender, Alexis. Through the conversations they’d strike up with her, I learned she was a very proud owner of a Lexus RC, she was somewhat of a gym rat, and she once threw a full bottle of wine at an ex-boyfriend’s head in a rage after finding out he cheated on her. Oh, and her last name.

I was already in the mindset of the effects of this information leakage, and so I did a little more digging and was again able to gather some pretty deep detail on this subject, just from the couple hours of conversation I listened into at the bar one evening.

With cases like the murder of Kenichiro Okamoto fresh in our minds, we have to realize that oversharing can be deadly. Sure, this is an extreme case but people don’t realize how much information they leak on a regular basis. Stop talking about your children in so much detail with strangers. Don’t be so comfortable to divulge details of where you work with someone you’ve just met – let alone in the open air of an airplane with countless unknown listeners.

Dumpster diving

The old adage rings true. One’s trash really can be treasure to another! The information discarded into the trash can often be used to the advantage of a threat actor. Think about what you’re getting rid of and how it might be used in the hands of some nefarious evil doer. As much as we’d like to think it won’t happen to us, the chances are ever increasing that someone will act upon a crime of opportunity and make use of data if it’s easily accessible.

Public computers

I’m always surprised by the number of people I see who are still using shared computers. At the library, in the airport, and most often at hotels, people log into these shared machines for many reasons. I don’t have much to offer here because I strongly recommend bringing your own device to access data when on the road. But if you must use a shared machine:

  • Learn to delete cookies from the web browser
  • Delete any files downloaded to the machine
  • Log out of EVERYTHING

Unattended devices

Here is another vector that just boggles my mind. Why, in today’s hostile world, do people ever find it appropriate to leave their belongings unattended? I can’t comprehend this logic. Even the cheapest MP3 player can be left alone and someone will take it simply because they can! People aren’t nice. If you have something of any value, they’re likely to want it for their own.

Picture you’re in a parking lot, standing between 2 cars among a sea of others. 1/2 mile from anyone else with no surveillance. One car is locked and has a $100 bill sitting on the passenger seat. The other, windows down and unlocked, with a $5 in the cup holder. The chances are great that the $5 gets stolen more often than the $100 simply because of availability and ease of access. Make yourself an easy target and you make yourself a definite target.

New Year, New Vulnerabilities

Well, we got to ring in the new year with some major excitement, didn’t we? 2018 has met us with a nasty 1-2 punch combination, no doubt! First came the exposure of a vulnerability that affects millions of GPS tracking devices. Security researchers were able to access location history, send commands to the device (the same commands that would be sent via SMS), and activate or deactivate geo fencing alarms. All this was said to be possible with no authentication needed.

This was immediately followed up by the Meltdown and Spectre vulnerabilities in what is essentially any device connected to the internet. From mobile phones, to tablets, to laptop and desktop PCs, these flaws do expose us to some pretty significant risk. But the world is not, in fact, over. Not yet at least.

The RedLegg team has been fielding calls from clients, friends, and family about these vulnerabilities that have been drawing a lot of attention this week. There is significant implication as to the damage that could result from successful exploit of these issues, but we wanted to present some additional facts for consideration. Here’s what we know:

Meltdown

This vulnerability allows any application to access all system memory, including memory allocated for the kernel. Patches are being, and in some cases have been, rolled out and should be applied as soon as possible. So far, research indicates that only Intel chips have been shown to be vulnerable.

Spectre

This vulnerability allows an application to force another application to access arbitrary portions of its memory, which can then be read through a side channel. It affects nearly every CPU built on the x86 architecture. This vulnerability may require changes to processor architecture in order to fully mitigate. According to leading research, this vulnerability impacts Intel, AMD, and ARM chips. Due to the development life-cycle implemented by processor manufacturers, this issue will likely be around for a very long time.

Exploitation is possible. Security researchers produced and released proof of concept exploit code within roughly a day. There is no reason to believe that the bad guys will be working feverishly to weaponize these and deploy them for nefarious means. And while there definitely is significant risk associated with these vulnerabilities, there is no proof or reason to believe weaponized exploit code is in use in “the wild”.

Consider taking an inventory of all your systems by processor type, be sure to apply vendor patches as they become available, and track the progress of the updates as they’re released.

  • Microsoft has issued a patch for Windows 10, while other versions of Windows will be patched on the traditional Patch Tuesday on January 9, 2018.
  • MacOS 10.13.2 mitigates some of the disclosed vulnerabilities, but MacOS 10.13.3 will enhance or complete these mitigations.
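One way to act on the inventory advice above, as an added example that is not from the original post: it reads a constructed CSV inventory, guesses the CPU vendor from the model string, and maps each host to the issues this article attributes to that vendor. The column names, hostnames, vendor hints and action labels are assumptions made for illustration.

```python
import csv
import io
import re

# Vendor-to-issue mapping exactly as this article states it (January 2018).
# It is not a per-model vulnerability list.
EXPOSURE = {
    "intel": ("Meltdown", "Spectre"),
    "amd": ("Spectre",),
    "arm": ("Spectre",),
}

# Tokens used to guess the vendor from a CPU description (assumed heuristics).
VENDOR_HINTS = {
    "intel": {"intel", "genuineintel", "xeon"},
    "amd": {"amd", "authenticamd", "ryzen", "opteron", "epyc"},
    "arm": {"arm", "cortex", "aarch64"},
}

# Constructed sample inventory; hostnames and column names are hypothetical.
SAMPLE_INVENTORY = """hostname,cpu,patched
web01,Intel(R) Xeon(R) CPU E5-2680 v4,no
db01,AMD Opteron(tm) Processor 6276,no
lap-17,Intel(R) Core(TM) i7-7600U,yes
iot-gw,ARM Cortex-A53,no
legacy9,VIA Nano U3500,no
"""


def vendor_of(cpu):
    """Guess the CPU vendor from whole tokens, so 'arm' never matches 'charm'."""
    tokens = set(re.findall(r"[a-z0-9]+", cpu.lower()))
    for vendor, hints in VENDOR_HINTS.items():
        if tokens & hints:
            return vendor
    return "unknown"


def triage(inventory_csv):
    """Map each host to its vendor, the issues named for it, and a next action."""
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        vendor = vendor_of(row["cpu"])
        patched = row["patched"].strip().lower() in ("yes", "true", "1")
        if vendor == "unknown":
            action = "identify CPU manually"
        elif patched:
            # Later updates may extend the fix, so patched hosts stay on the list.
            action = "track further vendor updates"
        else:
            action = "apply vendor patch"
        report[row["hostname"].strip()] = {
            "vendor": vendor,
            "issues": EXPOSURE.get(vendor, ()),
            "action": action,
        }
    return report


def patch_queue(report):
    """Unpatched hosts, those exposed to more issues first, then by name."""
    pending = [h for h, r in report.items() if r["action"] == "apply vendor patch"]
    return sorted(pending, key=lambda h: (-len(report[h]["issues"]), h))


if __name__ == "__main__":
    result = triage(SAMPLE_INVENTORY)
    for host, info in result.items():
        print(host, info["vendor"], ", ".join(info["issues"]) or "-", info["action"])
    print("patch first:", patch_queue(result))
```

Hosts whose CPU string matches no hint are reported as unknown rather than assumed safe, so they still get a manual look.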

For anyone using Qualys Vulnerability Management, Qualys will continue to release QIDs for any vendor patches that mitigate this vulnerability. A list of currently-released QIDs is being maintained in this Qualys Support article.

It’s an increasingly interesting time to be in the world of security, and an increasingly dangerous time to fall victim. Take the time to read the information that’s out there on these issues; there is a lot. But be sure to understand what you’re reading. Proof of concept exploits for these issues continue to surface, and with each release the potential for a weaponized exploit increases. Considering the number of devices impacted here, we really need to be watching the horizon as the research develops.

Happy New Year. Stay safe out there!

 

My New Year’s Resolution

How did we get here?

As I was enjoying the Christmas holiday with family, a revelation washed over me. My affinity for technology, once a healthy hobby, had devolved into a sick dependency and an addiction. This experience sparked some intense reflection into how I used to love getting my hands on the keyboard and getting online but now the internet is ubiquitous and ingrained into pretty much every aspect of my life. The joy had faded into an expectation and now, when I’m not connected, I find myself wondering what’s happening. I had to acknowledge that I’d fallen prey to FOMO.

I started to become more conscious of this over the days since and I started to see how much time I’d spent on some digital device looking at social media. But it was worse. After spending all day with my face in a screen, rather than have conversations over a meal I would thumb through Facebook and continue to evade the human connection. I started to look back on how many times someone would post something on Facebook or @ me on Twitter when we were in the same room.

How does it happen?

The root of the problem is that we are all, at our base roots, drug addicts. You may not drink. You may not smoke. You may avoid caffeine. But you’re human and therefore you’re an addict. There are some really great articles which explain this in deeper detail than I’ll cover here, but the fact is that we are all driven to seek satisfaction. With the internet, Twitter, and texting we now have almost instant gratification of this desire to seek. We no longer have to leave a message on someone’s answering machine, wait for them to get home to listen to the message, and wait for a return call. Now you can just shoot a quick text. This increased level of instant gratification can create a dopamine-induced loop. The dopamine starts you seeking, which leads to rewarding satisfaction, which sets us on another search. It becomes harder and harder to stop looking at email, stop texting, or stop checking your cell phone to see if you have a message or a new text.

Taking action

Well, now that I’ve realized how big this dependency has become, I have to do something about it. And being on an endless quest for knowledge and growth, I’ve devised a plan to not only break me from my obsession, but to use the opportunity to level up my skills in psychology and situational awareness.

Cutting the cord

The first step in my plan is to delete the social media applications from my phone. Not only will this help my aim of breaking the compulsion to be connected, but it will also mean fewer distractions from the associated notifications and increased battery life on my smartphone. When I saw this tweet on the topic, I knew I was on the path to doing something right.

Filling the silence

As I’ve been mentally preparing myself for this endeavor, one that I admittedly expect to be quite challenging, I started forcing myself to slowly stop using the phone. When I become conscious that I’m surfing social media, I force myself to put the phone away and reinsert myself into real life. This has helped me to realize how I was getting the added benefit of escaping what was in front of me. Faced with this increased opportunity to engage people I have been enjoying more conversations where there used to be nothing but silence.

And hacking…

As with all things, one only takes from an experience what they put in. While this New Year’s resolution will certainly allow me to get closer with my friends and family, there is also a more nefarious method to my madness. In my continuing quest to improve my social engineering techniques, I intend to increase my use of various tactics during these random encounters with strangers. While these skills might be used for evil, my intent will be more to exercise my conversational techniques so that I might apply them in the field during penetration testing.

Using conversational signals, and techniques like projection, I’ll be working to learn more about how to profile people during random engagements, how to read them on the fly, and how to find the combination of conversational tactics that bring them to a place where I can extract a piece of data.

Conclusion

Today, I delete these apps from my phone. I’ll only be using social media from my laptop, when I’m online and connected. With every day that passes, I feel more and more like I’m living in a society prophesied in the movie Idiocracy. People are simultaneously becoming increasingly harder to deal with and decreasingly smart, and social media on demand only makes it worse. My intention is to learn more about people, learn more about myself, and generally become more present in the moments I have the privilege of experiencing as I navigate the choppy sea of life. Here’s to growth and adventure in 2018!

A Christmas Rant

Please allow me to rant for a moment…

I was engaged in a conversation recently when I was met with a statement that someone “had to buy me a gift, so it might as well be $thing.”

O____________________O

Let me get one thing absolutely straight, for anyone listening.

You are not *REQUIRED* to buy, make, or otherwise procure a gift for me for any reason other than because you want to. I conform to many social conventions to be congenial but I abhor the social requirement of reciprocal gift giving.

If I haven’t impacted your life in a manner significant enough to make you feel like showing your appreciation, don’t phone it in. If you haven’t come across something that just screams me, save your hard earned money. If you’re just buying the biggest canned gift basket that fits within your allotted gift amount because you’re obligated, please don’t.

The fact that someone might be forced into giving a gift totally sucks any enjoyment out of receiving said gift for me, as the recipient, and it puts me in a bit of an angry state when the tables are turned. Gifting used to mean something, and sometimes it still does. But more often than not in this consumer driven world, we use stuff as a substitute for substance. It is not!

I hope this doesn’t come off as me being a jerk; that is not my intent. But the commercialization of holidays like Christmas has completely destroyed their true meaning, and they have become disgusting perversions of what they’re supposed to mean.

I promise, I will get more joy out of spending time with people who matter, disengaging from a pretty much constant work culture, and finding some time to actually relax, than I will in another tie or reindeer boxer shorts or that knock off android tablet that you won from work.

CAVEAT: Bourbon. Bourbon is always accepted and appreciated.