Installing the KeePass Password Manager

Today I want to walk through installing the KeePass password manager on Windows 10. This post will explore downloading, installing, and first steps to using a local password manager. The end result, for those who follow these steps, will be an encrypted password generation and storage mechanism.

Setting Up KeePass

Download KeePass

The first step in the process is downloading the installer. From the KeePass download page, there are options for both the installer and the portable package. While this post will be focused around installing the software on Windows 10, the portable option provides a good solution for users who need their passwords on multiple machines.

KeePass Download Page

Choose the installer and then save the file to disk

Save Installer

Once downloaded, navigate in Explorer to wherever the file was saved. Usually, this is C:\Users\$USER\Downloads. Double-clicking the installer will launch the process. After Windows User Account Control confirms permission to proceed, the KeePass installer will launch. The following series of images illustrates the install process.

Installing KeePass

First, select the install language.

Select Language

The license agreement is next. Be sure to read this before selecting “I accept the agreement”, which is required in order to proceed.

Accept License Agreement

I generally don’t change the install path, but if you want to, the next dialog lets you define where KeePass will be installed on the system.

Choose Install Path

Another area that I typically leave alone, the component selection dialog lets users take more control over which components of KeePass are installed.

Select Install Components

Yet another menu that requires no changes, the options pictured below ensure that KeePass recognizes the .kdbx file extension, as well as letting the user decide if a desktop and/or Quick Launch shortcut should be created.

Additional Tasks

With all the options configured, take a moment to look over the install configuration before proceeding.

Confirm Install Options

And we’re off to the races! In a few moments KeePass will be installed on the local system.

KeePass Installing

Once installation completes, launching KeePass will take us into the next steps to configure a password database.

Launch KeePass

Using KeePass

Launch the Program

If you accepted the install defaults, there is an icon on the desktop; otherwise, find the launcher in the Start menu. On first launch, KeePass walks users through the basic steps of setting up a database.

Configuring New Database

Select the path and file name that will become the password database file.

Select Password Database Path

The next step is to define the master password. This is the one password which users need to remember to access all the other passwords. Generally, I encourage users to use a passphrase rather than a password, for increased security.

Configure Master Password

Presuming both entries match, selecting “OK” will take us into some additional database settings. Again, since we’re just covering the basics of KeePass, I won’t be covering these today, but I encourage users to explore these other options.

Additional Database Settings

The last step in the setup is to print the KeePass Emergency Sheet. Print this off, fill out the details, and keep it safe as this will contain the details to gain access, should someone need it.

KeePass Emergency Sheet

And finally, we’re presented with the KeePass interface. In a later post, we’ll work with creating, editing, and using various entries, and how to put KeePass to work generating, and protecting, your passwords from prying eyes.

MyDatabase Running

There are several default entries and categories within a default KeePass database. I highly recommend exploring the entries that are available, learning the options, and making some mistakes with passwords that don’t matter before you start entering passwords on which you depend into KeePass.
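The master password step above recommends a passphrase over a password. The following added example (mine, not KeePass’s code or the post’s) puts numbers on that advice: it generates both kinds of secret with the `secrets` module and compares their entropy. The word list is a constructed stand-in; the 7776-entry list size is an assumption matching a standard diceware-style list.

```python
import math
import secrets
import string

# Constructed sample word list. A real diceware-style list has 7776 entries, and only
# the size of the list enters the entropy estimate, so the sample stays short here.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "meadow", "nickel", "orchid", "pepper",
    "quartz", "rocket", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
]
DICEWARE_LIST_SIZE = 7776                                  # assumed size of the full list
PASSWORD_ALPHABET = string.ascii_letters + string.digits   # 62 symbols


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy in bits of a secret made of `symbols` independent, uniform picks."""
    return symbols * math.log2(choices_per_symbol)


def random_password(length: int, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Uniformly random character password; `secrets`, not `random`, for a master secret."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int, wordlist=SAMPLE_WORDS, sep: str = " ") -> str:
    """Uniformly random word passphrase; strength comes from list size and word count."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest number of words from a list of `list_size` that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def compare(password_len: int, passphrase_words: int,
            list_size: int = DICEWARE_LIST_SIZE) -> dict:
    """Entropy of an N-character random password versus an M-word random passphrase."""
    pw_bits = entropy_bits(len(PASSWORD_ALPHABET), password_len)
    pp_bits = entropy_bits(list_size, passphrase_words)
    return {
        "password_bits": round(pw_bits, 1),
        "passphrase_bits": round(pp_bits, 1),
        "passphrase_stronger": pp_bits > pw_bits,
    }


if __name__ == "__main__":
    print("8-char password vs 5-word passphrase:", compare(8, 5))
    print("words for 80 bits:", words_needed(80))
    print("sample password:  ", random_password(12))
    print("sample passphrase:", random_passphrase(5))
```

Five words from a 7776-word list (about 64.6 bits) beat an eight-character alphanumeric password (about 47.6 bits) while being far easier to remember, which is the point of the master-passphrase advice.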


If you’ve followed along at home, we’ve successfully installed, configured, and started using the KeePass password manager. While this post was written to demonstrate the process on a Windows 10 machine, KeePass also runs on Linux and Mac. In the next post, I’ll cover some notes on general usage of KeePass and the use of online alternatives. The goal here is to get readers to understand the benefits of using a password manager, and to illustrate the ease with which they can be implemented. I hope you’ve found this post to be informative and I appreciate the time you’ve taken to read it. Remember that we live in a hostile world and it is important to take measures to protect yourself!

Self Doxing: Loose Lips Sink Ships

Talk too much

For anyone who spends any time reading my content, you may remember a recent post that outlines my thoughts on the general basics of Operational Security. A well timed tweet last week, sparked by this article, kicked off some interesting conversations around the topic which resulted in the series of thoughts that sparked what you’re reading now. During the interactions on Twitter, one tweet in particular hit on several areas that I observe to be blatantly prevalent as I travel, work in the field, or observe people in general daily life.

Since these were called out by others during the conversation, and I have had the (mis)fortune of running into some of them recently, I figured I’d expound on the topics. In my normal fashion, I thought some anecdotes could help drive the visibility up a bit and hopefully get some of you thinking a little differently about how you handle yourselves in public.

What is “Doxing”?

First, a little background. Somewhere along the line “doxing” became a recognized form of internet attack. Basically, this tactic requires the attacker(s) to scour internet resources to gather information on a targeted individual and then broadcast personal or private information about that person. While the point of this article is not to go in-depth into the world of doxing, some high profile examples are outlined on the Wikipedia page covering the topic.

Typically, attackers will use the collected information to put pressure on targets, or in the most severe circumstances to put them at risk. While this is most often the result of actions taken by attackers against us, all too often people fall victim to “self-doxing”. In these instances, inattention to details or surroundings falsely convinces a person that they are in a safe place to divulge certain information. All of these vectors are viable and often employed ‘in the wild’. As an attacker, I exercise these skills without even thinking about it. Here is my take on the subject:

Shoulder surfing

I was sitting aboard a flight recently, exit row aisle seat. I had been drawn to one particular individual who’d caught my attention through his generally boisterous nature during the boarding process. His holier-than-thou arrogance dripped off him, much like the aroma of the Tommy cologne he must’ve bathed in that morning. My eyes, closed as usual to appreciate the sensation of takeoff, opened when the flight attendant came over the PA with an annoyed tone. Her reminder to remain seated through the ascent was prompted by Mr. Important as he was standing in the aisle 2 rows ahead of me, digging his laptop from his belongings in the storage compartment above.

When he settled back into his seat, I couldn’t help but get a peek at what was so pressing. In the hour that followed, I caught sight of documents his company surely wouldn’t want outsiders to see. I didn’t take photos for proof but I’m pretty sure capturing these documents would have been fairly easy to do. I also saw other juicy tidbits like contact information for others within Mr. Important’s company. Were I a bad guy, I could have leveraged the information here in a social engineering campaign to gain access to more sensitive information, and potentially unauthorized access into the company itself.

It’s wise to be mindful of your surroundings, especially when traveling. You never know who’s watching so exposing sensitive data should always be considered a risk in public. These things can usually wait until you’re in a private place where prying eyes are not a concern. However, if you must touch sensitive data in public, use a privacy filter to reduce exposure to onlookers.

Passive conversation listening

I ran into two separate instances on the same trip recently where the information divulged in conversation provided me with enough information to identify the individuals and gather significant pieces of private information about them, enough to make a significant impact upon their personal lives. I wanted to share these experiences here in hopes that we can reduce the number of times so much information is divulged in such a short time.

Mary Loves to Fly

I’d never met Mary before. Nothing about her caught my attention. She was already in the middle seat, one row behind me, when I settled into mine. As the plane filled, conversations rambled as they do, and when Mary’s travel neighbors settled in, she chatted up a storm with Lucy in the window seat next to her. Now I am usually a pretty passive listener, a skill honed over a lifetime which lets me parse conversations and pick up on valuable tidbits. It’s quite nice for drowning out the general drivel of small talk while still letting me tune in when the conversation turns juicy.

A few minutes into Mary’s conversation with Lucy and I was gleaning bits and pieces of data that officially had me tuned in. Mary had given up her last name within minutes, as well as her husband’s name (he was sitting up in first class, but she thought the upgrade was not worth the cost) and the names of their 3 kids who were waiting for them on the other side of the flight. By the time we touched down I knew cities of residence, places of employment, and names. With a little OSINT gathering, there was enough public record and social media interaction to provide me with a full profile of all 5 members of this family.

Alexis and Her Lexus

On this same business trip, I was out to dinner at a local establishment. I sat at the bar and soaked up the atmosphere of the locals. 3 middle-aged men were at one corner of the bar sharing all kinds of tall tales, and taking their opportunities to hit on the young bartender, Alexis. Through the conversations they’d strike up with her, I learned she was a very proud owner of a Lexus RC, she was somewhat of a gym rat, and she once threw a full bottle of wine at an ex-boyfriend’s head in a rage after finding out he cheated on her. Oh, and her last name.

I was already in the mindset of the effects of this information leakage, and so I did a little more digging and was again able to gather some pretty deep detail on this subject, just from the couple hours of conversation I listened into at the bar one evening.

With cases like the murder of Kenichiro Okamoto fresh in our minds, we have to realize that oversharing can be deadly. Sure, this is an extreme case, but people don’t realize how much information they leak on a regular basis. Stop talking about your children in so much detail with strangers. Don’t be so comfortable divulging details of where you work to someone you’ve just met, let alone in the open air of an airplane with countless unknown listeners.

Dumpster diving

The old adage rings true. One’s trash really can be treasure to another! The information discarded into the trash can often be used to the advantage of a threat actor. Think about what you’re getting rid of and how it might be used in the hands of some nefarious evildoer. As much as we’d like to think it won’t happen to us, the chances are ever increasing that someone will act upon a crime of opportunity and make use of data if it’s easily accessible.

Public computers

I’m always surprised by the number of people I see who are still using shared computers. At the library, in the airport, and most often at hotels, people log into these shared machines for many reasons. I don’t have much to offer here because I strongly recommend bringing your own device to access data when on the road. But if you must use a shared machine:

  • Learn to delete cookies from the web browser
  • Delete any files downloaded to the machine
  • Log out of EVERYTHING

Unattended devices

Here is another vector that just boggles my mind. Why, in today’s hostile world, do people ever find it appropriate to leave their belongings unattended? I can’t comprehend this logic. Even the cheapest MP3 player can be left alone and someone will take it simply because they can! People aren’t nice. If you have something of any value, they’re likely to want it for their own.

Picture you’re in a parking lot, standing between 2 cars among a sea of others, 1/2 mile from anyone else with no surveillance. One car is locked and has a $100 bill sitting on the passenger seat. The other, windows down and unlocked, has a $5 in the cup holder. The chances are great that the $5 gets stolen more often than the $100 simply because of availability and ease of access. Make yourself an easy target and you make yourself a definite target.

OpSec in the Real World

Operations Security

What is OpSec?

Operations Security (OpSec) is the action of protecting information which might be used against one in a hostile encounter. OpSec forces a person, or organization, to perform threat modeling to determine potential vulnerabilities which might be exposed to adversaries and establish controls aimed at anticipating and defending possible attacks. Identifying attack surfaces and hardening them reduces risk and increases the difficulty an adversary faces in launching a successful attack.

“All warfare is based on deception. Hence, when able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.” – Sun Tzu

Operational Security OpSec


Why OpSec

Allow me to put my tin foil hat on for a moment to explain why OpSec matters. It is a harsh, cold world out there today and adversaries are everywhere. In a world that is constantly connected, where people share and over share everything, it’s important that we’re taking steps to protect ourselves, our data, and our friends/family. It can be something as simple as thoughtlessly sharing a photo to Facebook. Without thinking, you could expose someone to risk. There could be a stalker out there just waiting for information that could lead them to their prey. A Facebook group I belong to recently proved this threat as someone posted a photo in the group which exposed the license plate of another person who happened to be trying to escape an abusive spouse. Thankfully, the victim was gone before anything bad could happen, but this mishap did put a dangerous person on the trail of someone they had been trying to find for nearly a year!

The sad fact of the matter is that there are so many bad situations we can find ourselves in today that makes OpSec more important than ever before. Keeping data safe means implementing consistent OpSec practices. My hope in writing this is that you’ll think about your own operations security and will find ways to make changes that make you and your data more secure.

How to OpSec?

Creating an effective OpSec program requires 5 steps:

Identify Critical Information

Critical information is a specific fact related to intentions, capabilities, or activities that could be used by adversaries in an attack. If Critical Information is obtained, the adversary would be able to impact the mission. The first step of the OpSec process is developing a Critical Information List (CIL) which defines any sensitive data which might be targeted.


In the case of organizational risk and corporate espionage, learning the limitations of a partner or competitor could be invaluable. Learning what cannot be done is just as valuable as knowing what can. For a hostile threat agent to understand the limitations of a target

Operation Plans

Giving an adversary visibility into operational planning poses a significant risk to both organizational and personal OpSec. Attacks against operational plans target the who, what, when, and where components of the planning phases and can wreak havoc upon the forward momentum of those plans.

Personal Information

In 2007, stolen email accounts were worth anywhere from $4-$30. In 2008, prices fluctuated between $0.10 and $100. Compare this to 2009, when the price hovered between $1 and $20. Today, you can get 1,000 stolen email accounts for $0.50 to $10.

Credit card information, on the other hand, has not depreciated in recent years. In 2007, credit cards were advertised around $0.40 to $20 per record. Sale price would depend on factors such as the brand of card, the country of origin, how much metadata is provided, volume of purchase, and how recently the card data was obtained. In 2008, the average asking price for credit card data, according to my research, was slightly higher, $0.06 to $30, and later in the year it rose to $0.85 to $30. Today, prices for stolen credit card records fluctuate between $0.10 and $20 per record. In general, credit card data prices have fallen slightly over the last few years, especially in cases where cyber criminals trade in volume.

Where we saw healthcare records fetch $200-$500 for a single record in 2015, today prices are more in the range of $1.50-$10 depending on the type of data and who’s buying it.

Analyze Threats

With critical information identified, we now have something to protect. The next step is to determine the individuals or groups that represent a threat. There may be multiple adversaries, and different pieces of information may be targeted by different groups. In this stage, each adversary’s capabilities, intended use for the information, determination, and resources must also be analyzed.

Analyze Vulnerabilities

Vulnerability analysis is one of the most challenging pieces of the OpSec puzzle. Basic vulnerabilities exist in innocent day to day tasks like conversations or phone calls in public or posts on social networking sites. But society has become more reliant on technology, and complacency has put us in the position of exposing our email conversations and web pages, which can provide insight for a threat agent. In the most extreme cases, communication intercepts and espionage may come into play. Each level presents its own risk and has its own consequences. This is why threat modeling is important.

Assess the Risks

First, planners analyze the vulnerabilities identified in the previous action and identify possible OpSec measures for each vulnerability. Second, specific OpSec measures are selected for execution based upon a risk assessment done by the commander and staff. Risk is calculated based on the probability of Critical Information release and the impact if such a release occurs. Probability is further subdivided into the level of threat and the level of vulnerability. The core premise of the subdivision is that the probability of compromise is greatest when the threat is very capable and dedicated while friendly organizations are simultaneously exposed.

Apply Countermeasures

Protected communications

Implement controls over your personal communications. Use encryption wherever possible. Email can be encrypted using PGP. Text messages and mobile phone calls can be encrypted with services like Wire and Signal respectively. If you have a service you’re using, there is probably a way to encrypt the data. Learn how and make it happen!

Protected Web Browsing

Modern web browsers offer methods to force the use of HTTPS while browsing. One way to accomplish this is with browser plugins or extensions. Adding this functionality to your browser will force encryption to be used during browsing.

Physical Controls

OpSec doesn’t solely apply to the internet; there are many concerns in the physical world too. While you operate in daily life, there are some considerations to keep in mind:

  • Be alert
  • Be suspicious
  • Be aware

Finally, consider the threat when you:

  • Use the phone
  • Talk to strangers
  • Disclose in public
  • Use social media

Each of these presents its own unique risks to personal OpSec and should be addressed to reduce the risk of attacks.
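The five steps above describe a risk model (risk = probability of release x impact, with probability driven by threat level and vulnerability level) without working through one. The following added example (mine, not the post’s) carries a constructed Critical Information List through all five steps; the three-level scale, the constructed items and the countermeasures are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Ordinal scale used throughout (assumption: three levels are enough to rank items).
LOW, MEDIUM, HIGH = 1, 2, 3


@dataclass
class CriticalItem:
    """One entry on the Critical Information List (step 1)."""
    name: str
    impact: int                                          # consequence if the item is released
    threats: dict = field(default_factory=dict)          # step 2: adversary -> capability level
    channels: dict = field(default_factory=dict)         # step 3: exposure channel -> vulnerability level
    countermeasures: dict = field(default_factory=dict)  # step 5: channel -> measure applied


def probability(item: CriticalItem) -> int:
    """Step 4: compromise is most likely when a capable adversary meets an open channel."""
    threat = max(item.threats.values(), default=0)
    vulnerability = max(item.channels.values(), default=0)
    return threat * vulnerability


def risk(item: CriticalItem) -> int:
    """Risk = probability of release x impact of release."""
    return probability(item) * item.impact


def assess(items: list) -> list:
    """Rank the CIL by risk, highest first, so countermeasures go where they matter most."""
    return [(i.name, risk(i)) for i in sorted(items, key=risk, reverse=True)]


def apply_countermeasure(item: CriticalItem, channel: str, measure: str, new_level: int) -> CriticalItem:
    """Step 5: record a countermeasure and lower the vulnerability level of that channel."""
    if channel not in item.channels:
        raise KeyError(f"{item.name!r} has no exposure channel {channel!r}")
    item.countermeasures[channel] = measure
    item.channels[channel] = new_level
    return item


def build_cil() -> list:
    """Constructed CIL for a travelling employee; the items mirror the post's anecdotes."""
    return [
        CriticalItem("travel dates and destination", impact=HIGH,
                     threats={"stalker": HIGH},
                     channels={"airplane conversation": HIGH, "social media post": MEDIUM}),
        CriticalItem("employer and family names", impact=MEDIUM,
                     threats={"social engineer": MEDIUM, "stalker": HIGH},
                     channels={"airplane conversation": HIGH}),
        CriticalItem("credit card statements", impact=MEDIUM,
                     threats={"opportunistic thief": LOW},
                     channels={"household trash": HIGH}),
    ]


def worked_example() -> dict:
    """Assess the constructed CIL, mitigate the top-ranked item, and re-assess."""
    cil = build_cil()
    before = assess(cil)
    top = cil[0]
    apply_countermeasure(top, "airplane conversation", "defer sensitive talk until in private", LOW)
    apply_countermeasure(top, "social media post", "post travel photos only after returning", LOW)
    after = assess(cil)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, ranking in worked_example().items():
        print(phase, ranking)
```

Re-running the assessment after each countermeasure is what keeps the program consistent: the ranking shifts (here the employer and family names item moves to the top), which tells you where the next measure belongs.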


OpSec is a necessity for anyone who has anything sensitive that needs to be kept confidential. Obscuring information, skewing facts, and offering misinformation can all be useful in protecting personal operations. Making sure to be consistent in these practices will eliminate the likelihood that information gets leaked to unauthorized parties, reducing the overall attack surface. Protect yourself out there; no one’s going to do it for you!

Breaking into Offensive Security

There’s been a lot of talk around this topic lately. As I’ve been working to solidify my team’s bond, I also have the challenge of helping those interested in getting involved in the offensive security world. This quest has helped me identify some things you might consider when trying to break into offensive security.

Things to consider

Have a well rounded knowledge of “advanced fundamentals”

Being able to sort out basic permission issues or understanding the general functionality of major operating systems is not part of offensive security. However, understanding intricacies within operating systems and troubleshooting problems on the fly are. Operators encounter countless complications in the field, and rarely are they basic.

Those considering a career in offensive security should have a solid understanding of a wide range of technical topics. A successful attacker doesn’t necessarily know all the answers, but definitely takes the time to learn as much about the fundamentals of a target as possible.

Find your niche

It’s important to know a little bit about everything, but it’s equally important to find a specialty. Offensive security teams are often built around the strengths of the members. Members are often selected when engagements arise that require additional skills being added to the bench. Depending on the service offering of the team(s) you’re involved with, bringing relevant expertise to the table is important.

My personal passions lie in social engineering and physical security. Other members of my team are stronger in other areas than I. In the field, whether operating alone or as a unit, we rely on each other for help. Knowing the strengths and weaknesses of the membership, proper preparation, and thorough documentation all allow the team to tailor itself to the engagement.

Know how to think, research, and study

An offensive security operator doesn’t know everything about all the things. Successful operators know how to profile and research a target and study the engagement in preparation. Additionally, they’re also able to think their way through unforeseen circumstances and overcome adversity in the field.

No matter how accurate the profile, no matter how much intelligence has been gathered in preparation, problems and unexpected situations are inevitable in the field. Operators must be prepared for everything and still be able to think their way through the myriad of things that can go wrong.

Be hungry for knowledge

You have to want to learn. Everyone wants to be a hacker, to be Neo, but not everyone wants to put in the work to bend the spoon. Someone wiser than I once said it takes 10,000 hours to become an expert at something. If you’re only learning during the 8-5, that’s roughly a 5 year path.

Don’t get lazy. Complacence is one of the biggest challenges to offensive security operators. They end up thinking they know it all and stop chasing the dragon, or they burn out along the journey. All too often, offensive security operatives fall prey to the latter, but the former is just as dangerous.

Have a strong work ethic

Offensive security teams typically operate based upon the needs of the engagement. If that means working late nights, early mornings, or weekends, then we work when there is work to be done. As a team, members need to be available whenever the engagement requires. It’s important that operators are prepared to be dedicated to the team.

This isn’t as bad as it sounds. Learning the work/life balance, and learning how to work remotely, come with the territory. My team is expected to be available when it matters, but they’ve also mastered the art of global availability. Whether it means fielding social engineering calls from the beach or conducting a vulnerability assessment from the audience of a school play, successful operators manage the demand of the workload while still trying to maintain a life.

Fourth quarter is the exception to this point. During fourth quarter, offensive security operators should expect to be running full bore with little room to breathe. The cyclical nature of fiscal business means that this is inevitable.

Be flexible

Field Marshal Helmuth Karl Bernhard Graf von Moltke once said “no plan of operations extends with any certainty beyond the first contact with the main hostile force.” Nowhere is that more true than in the field of offensive security. Neither scope nor plan nor backup plan nor change order can account for the infinite number and combination of things that can go wrong in the field.

Offensive security operators need to accept this and be able to adapt, and overcome, in the field. While process and procedure are important in business, flexibility during an engagement is vital to operational success. The objective is what matters, the means do not, as long as they’re within the rules of engagement.

Take notes

At the end of the day, offensive security is still a business. We must be able to prove what we do (and don’t do), and we have to turn all the data into some actionable data that the client can use after. Successful operators live, and die, by their documentation. Not only for self reference, but the team should be able to pick up notes from other members and run with an engagement, if necessary.

Documenting the engagement as it happens, especially when milestones or objectives are met, is vital to keeping an accurate record of what happened. The more data that gets collected during the engagement, the more detailed and accurate the reporting and debriefing will be. However you decide to do it, take good notes.

Don’t be afraid to make mistakes

Offensive security is a kludge of computer science, performance art, and voodoo. Much of the information exists in available documentation but there is much more to be written. And even when we think we’ve covered it all, there will still be niches and nuances and caveats that can’t be accounted for.

Be willing to take calculated, educated risks in the field. Realizing the objectives are what matter, operators need to be willing and able to take some creative freedoms in the field. This also means facing the consequences of those actions.

Own your attitude

In one of my favorite movies, Training Day, Jake Hoyt (Ethan Hawke) talks about how you can only control your smiles and cries. In the field, attitude and response to adversity are two of the very few things an offensive security operator can control. It’s important to maintain this control and to remember that clients are looking to us as experts. If they see us responding poorly or carrying the dead weight of negativity, it will most certainly affect their overall experience.

Don’t let the little things get to you. Realize that we live in imperfect chaos and the chances of anything going the way we want it to is highly unlikely, bordering on impossible. The successful offensive security operator maintains composure in the face of frustrating circumstances. The information security community is small and professional reputation is fragile. If the time comes that you’re struggling to stay positive, keep your head held high and remember how hard you worked to get where you are.

Don’t forget the soft skills

I work with computers because I really don’t like people. At the same time, it’s important that an offensive security operator be able to interact with people effectively when deployed on an engagement. At the end of the day, the client is expecting a positive experience. The more pleasant a team makes it, and presuming quality work is submitted, the more likely they are to come back for repeat business.

The offensive security operator is burdened with the responsibility of taking a mass of data, and an often unpleasant message, to a client in a manner which they understand and can relate to. This translation process, in my opinion at least, is one of the single most important components of a successful engagement. Without making the data actionable for the client, the value in the service is diminished.

Advice from a perpetual noob

The sad truth is that not everyone is cut out to do every job. While I will always advocate for everyone having an opportunity to try out for their dream job, it’s an indisputable fact that not everyone makes the cut to play in the NFL or to act in a Hollywood film. You have to be more than just “computer literate” to make the cut on an offensive security team. If you’re not striving for absolute excellence, you’ll be swimming in an endless stream of mediocrity. I believe anyone reading this has the ability to reach the goal of becoming an offensive security operator. Having the drive, however, is a different story.

In my final thought, I want to stress that there is more to being an offensive security operator than just breaking things. In the field we are regularly placed in delicate environments with exposure to sensitive data. Morals and ethics are values of paramount importance to the offensive security operator. Degradation of these values may lead to loss of freedom in extreme cases, but it will most certainly result in damage to the professional image of an operator. Reputation takes years to build but only moments to damage, and repair is long and tedious.

For those of you working to break into offensive security, I hope these tidbits offer you a little insight into my perspective on the consulting world. As a team leader and mentor, I wish you the best along your journey. As a fellow hacker, I look forward to learning with you!

New Year, New Vulnerabilities

Well, we got to ring in the new year with some major excitement, haven’t we? 2018 has met us with a nasty 1-2 punch combination, no doubt! First, the exposure of a vulnerability that affects millions of GPS tracking devices. Security researchers were able to access location history, send commands to the device (the same commands that would be sent via SMS), and activate or deactivate geofencing alarms. All this was said to be possible with no authentication needed.

This was immediately followed up by the Meltdown and Spectre vulnerabilities in what is essentially any device connected to the internet. From mobile phones, to tablets, to laptop and desktop PCs, these flaws do expose us to some pretty significant risk. But the world is not, in fact, over. Not yet at least.

The RedLegg team has been fielding calls from clients, friends, and family about these vulnerabilities that have been drawing a lot of attention this week. There is significant implication as to the damage that could result from successful exploitation of these issues, but we wanted to present some additional facts for consideration. Here’s what we know:

Meltdown

This vulnerability allows any application to access all system memory, including memory allocated for the kernel. Patches are being, and in some cases have been, rolled out and should be applied as soon as possible. So far, research indicates that only Intel chips have been shown to be vulnerable.

Spectre

This vulnerability allows an application to force another application to access arbitrary portions of its memory, which can then be read through a side channel, and affects nearly every CPU built on the x86 architecture. This vulnerability may require changes to processor architecture in order to fully mitigate. According to leading research, this vulnerability impacts Intel, AMD, and ARM chips. Due to the development life-cycle implemented by processor manufacturers, this issue will likely be around for a very long time.

Exploitation is possible. Security researchers produced and released proof-of-concept exploit code within roughly a day. There is every reason to believe that the bad guys are working feverishly to weaponize these and deploy them for nefarious means. And while there definitely is significant risk associated with these vulnerabilities, at the time of writing there is no proof that weaponized exploit code is in use in "the wild".

Take an inventory of all your systems by processor type, apply vendor patches as they become available, and track the progress of the updates as they are released:

  • Microsoft has issued an out-of-band patch for Windows 10, while other versions of Windows will be patched on the traditional Patch Tuesday on January 9, 2018. Note that Microsoft gates this update on a registry key that compatible antivirus products set, so a machine running an incompatible or out-of-date AV product will not be offered the patch until that product is updated.
  • macOS 10.13.2 mitigates some of the disclosed vulnerabilities, and macOS 10.13.3 will enhance or complete these mitigations.
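The inventory step is easier when each host can report its own status. The list above covers Windows and macOS; the script below is an added example (not part of the original post) for Linux hosts, where kernels from 4.15 onward (and distribution kernels with the fix backported) publish the kernel's own verdict on each issue under /sys/devices/system/cpu/vulnerabilities. The file names and the "Not affected" / "Mitigation:" / "Vulnerable" status prefixes are those of that interface; the verdict labels, the VULN_DIR override, and the exit codes are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: report one Linux host's CPU model and
# the kernel's own verdict on Meltdown/Spectre mitigation. Run as
#   sh cpu_mitigations.sh --run
# on each host and collect the tab-separated output centrally.

# Kernel 4.15+ (or a distro backport) populates this directory with one file per
# issue: meltdown, spectre_v1, spectre_v2, ... Override VULN_DIR to test offline.
VULN_DIR=${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}

# Map one sysfs status string to a short verdict. The three prefixes are the ones
# the kernel emits; anything else (a future wording) is reported, not hidden.
classify_status() {
    case "$1" in
        "Not affected"*) echo ok ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo unknown ;;
    esac
}

# Print "<issue>TAB<verdict>TAB<raw status>" for every file in a vulnerabilities
# directory. Return 1 if anything is still Vulnerable, 2 if the kernel does not
# report at all (too old, or the patch has not landed in your distro kernel yet).
inventory_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "no mitigation reporting in $dir (kernel too old or unpatched?)" >&2
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        verdict=$(classify_status "$status")
        if [ "$verdict" = VULNERABLE ]; then rc=1; fi
        printf '%s\t%s\t%s\n' "$(basename "$f")" "$verdict" "$status"
    done
    return $rc
}

# First "model name" line of /proc/cpuinfo (x86 layout; ARM's cpuinfo differs).
cpu_model() {
    m=$(awk -F': ' '/^model name/ { print $2; exit }' "${1:-/proc/cpuinfo}" 2>/dev/null)
    echo "${m:-unknown}"
}

main() {
    printf 'host=%s\tcpu=%s\n' "$(uname -n)" "$(cpu_model)"
    inventory_dir "$VULN_DIR"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

A non-zero exit from the script is the signal to act on: 1 means the kernel still considers the host exposed on at least one issue, 2 means the host is running a kernel that predates the reporting and therefore almost certainly the fix as well. Note that a "Mitigation:" verdict for spectre_v2 may still depend on a microcode update from the CPU vendor, which this script does not check.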

For anyone using Qualys Vulnerability Management, Qualys will continue to release QIDs for vendor patches that mitigate these vulnerabilities. A list of currently released QIDs is being maintained in this Qualys Support article.

It's an increasingly interesting time to be in the world of security, and an increasingly dangerous time to fall victim. Take the time to read the information that's out there on these issues; there is a lot, but be sure to understand what you're reading. Proof-of-concept exploits for these issues continue to surface, and with each release the potential for a weaponized exploit increases. Considering the number of devices impacted here, we really need to be watching the horizon as the research develops.

Happy New Year. Stay safe out there!


Detecting and Removing Android Malware

Android Malware

A friend reached out recently asking for advice on how to determine whether her Android device had been infected. Apparently she'd fallen prey to a Facebook Messenger attack and clicked on a dirty link, and now her phone was doing some weird things. After walking her through the process, I figured it might be worth sharing with others. Also, I have been too busy to write much, so it's a chance for me to turn the notes into a post; two birds and all that!

NOTE: If you rooted your device, you should be able to fix it. These steps still apply, in some capacity, but rooting the device opens up a whole other can of worms from a security standpoint.

CAVEAT: Before we go on, we should level-set on one sad but simple fact: modern malware is nasty. Software isn't made well in many cases, and it is entirely too easy for a skilled bad guy to outsmart the good guys. If your device is infected, I highly recommend backing up your data to salvage what you can and doing a factory reset on the device. Back up your data (photos, contacts, documents), not your apps; restoring an app backup can bring the infection right back with it. We can take our chances with disinfecting, but a reset is always the safest bet if you can afford it.

Indicators of Compromise

None of these is proof of compromise in and of itself; technology is messy and sometimes things just happen. But if you experience these symptoms regularly, it's increasingly likely that something is wrong.

Decreased Performance

A change in a device's behavior is the first indicator that something may be afoot. Unfortunately, that doesn't just mean being slow, because slowing down over time is an inherent trait of the Android platform. Much like your laptop or desktop, these devices need maintenance in order to run properly, and you may just need to do some housekeeping. We'll look at removing malware and general housekeeping later in the post, but first let's look at some signs of infection.

Bad Battery Life

Another IoC is a battery that mysteriously drains faster than usual. Users generally have a good idea of how long their battery should last, and a sudden increase in battery usage is likely due to something suspicious. Continuously displaying aggressive ads, for example, can impact battery life significantly. Whether malware hides in plain sight by posing as a regular application or tries to stay hidden from the user entirely, abnormal battery drain can indicate the presence of an Android infection. Settings > Battery shows consumption per app, so start there and look for anything you don't recognize near the top of the list.

Can You Hear Me Now?

Disruptions during a conversation or dropped calls are another indication of a possible infection. While this can also be the fault of your carrier, malware could be the culprit. Call your service provider to determine whether there are any service issues with the network in your area; it's important to establish whether this is the carrier's fault or whether something more worrisome is going on.

Mo Money, Mo Problems

Android malware can steal data from your device, send text messages to premium-rate numbers, and even place phone calls from a compromised device. Such malware may send SMS messages only occasionally to fly under the radar, or may self-destruct after running up substantial charges, uninstalling from the device without a trace. Consider setting up usage quotas or alerts with your carrier to help identify anomalies. Finally, check your phone bill often to determine whether anything nefarious is going on.


If you're still reading, I'll presume that you've determined, using the indicators of compromise above, that your device is compromised. The next step is to start cleaning up the mess. Following these steps can help get things back to normal.

Out with the Bad

The very first thing to do in the event of an infection is to uninstall anything you no longer need or use. Going through your application manager (Settings > Apps) lets you identify and remove any apps that might be causing problems. It's also important to look for things you didn't install, as Android malware has been known to act as a "trojan dropper", which simply assists in getting more devious malware onto a compromised device. A good rule of thumb is that if you haven't used an application in the last three months, it can probably go. Two common obstacles: if an app's Uninstall button is greyed out, it has probably made itself a device administrator, so revoke that first under Settings > Security > Device administrators; and if the malware keeps relaunching before you can remove it, reboot into Safe Mode (long-press the Power off option in the power menu until the prompt appears), which disables all third-party apps so you can uninstall it cleanly.

Scan for Threats

The next step is to scan the device with security software. I'll talk more about general antivirus solutions for Android later, but I highly recommend Malwarebytes Anti-Malware for this task. While nothing is perfect, it's a good starting point for disinfecting an infected device.

Clean the Crap

By this point we have established at least a little faith in the device. Next it's important to delete the remnants of unwanted data and free up as much space as we can. Crap Cleaner, or CCleaner, from Piriform has long been a solid housekeeping tool for laptops and desktops, and I was elated when they released a mobile version. CCleaner cleans cached data and downloaded files, and even gets rid of the old APK files left over after installing apps. Use it regularly to free up space and keep your device running smoothly. One caveat: in September 2017 a backdoored build of the Windows CCleaner installer was distributed through Piriform's own download channel, so get it only from the vendor or the Play Store and make sure you're on a current version.

Install Antivirus

Antivirus has held a valuable place in computing for decades, and that's not likely to change anytime soon. If you're using a device that's connected to the internet, you should be using some form of antivirus, and that goes for your mobile device(s) just as much as for a laptop or desktop. There are many solutions out there, and I have no intention of opening that can of worms right now; research the options and determine which is best for you. It's never a bad idea to test several, but test only one antivirus solution at a time, as multiple installations can conflict and actually decrease the efficacy of the software. Here is a link to some content by sources I respect. Take some time to do your homework and pick the solution that's best for you.

Stay Vigilant

These devices have become increasingly important in our day-to-day lives, and they contain more and more sensitive data as a result. Because of this dependence, we have to protect these devices in order to protect our data. While there is no “silver bullet”, and anything can be hacked, these steps can at least make you a harder target.

Default Settings

Am I actually advocating for leaving default settings in place? Yes, I am. Android devices ship with several security controls enabled that work to prevent compromise in dangerous situations, and leaving them in place helps to prevent attacks such as a trojan dropper. Two defaults are worth calling out. First, keep "Install from unknown sources" disabled, so that an APK downloaded from a dirty link can't be installed with a single tap. Second, keep USB Debugging turned OFF: with it on, anyone with physical access and a cable can pull data off the device or install apps over adb without further permission (newer Android versions at least prompt you to authorize the connecting computer). If you need it for a one-off check, turn it on for that check and off again afterwards.

Shop Responsibly

The Google Play Store is the only source you should trust for installing applications on your Android device. Let me say that again. The Google Play Store is the only source you should trust for installing applications on your Android device. Google Play Protect provides several layers of security around the apps that make it to the Play Store and has been proven time and again to quickly address issues that fall through the cracks. Avoid installing apps from other sources that might not be so diligent.

Police your Permissions

One of my longest-standing complaints about the Android platform is how permissive app permission requests are. For example, if you're downloading a simple game like Angry Birds, why does it need access to your contact list? On Android 5 and earlier, users were in a pickle: if you wanted to use the app, you had to accept every permission at install time, and there was no way around it. Since Android 6.0, the dangerous permissions (contacts, SMS, phone, location, microphone, camera, storage) are requested at runtime and can be denied individually, and you can review and revoke them later under Settings > Apps > (app) > Permissions. Either way, when you're installing an app, review the requests carefully and ask yourself whether each one is really necessary for what the app does; an app that keeps working after you deny a permission never needed it.
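The three checks above (apps you didn't install, apps that didn't come from the Play Store, and apps holding permissions they have no business with) can be pulled off the device in one pass over adb. The script below is an added example, not from the original post, and assumes adb is on the PATH, that USB Debugging is enabled only for the duration of the check and turned back off afterwards (as the Default Settings section advises), and the `pm list packages -3 -i` and `dumpsys package` output formats noted in the comments. The watch-list of permissions is this example's own choice.

```shell
#!/bin/sh
# Added example, not from the original post: audit third-party apps on an Android
# device over adb. Assumes `adb devices` already shows the phone (USB Debugging on
# for this check only) and the `pm`/`dumpsys` output formats noted below.
#   sh app_audit.sh --run

PLAY_STORE=com.android.vending   # installer package name of the Google Play Store

# Permissions worth a second look on a suspect device: premium-SMS fraud, call
# fraud, overlay abuse, and the right to install further APKs (dropper behaviour).
# This watch-list is the example's own choice, not an Android-defined set.
RISKY_PERMS='android.permission.SEND_SMS android.permission.RECEIVE_SMS
android.permission.READ_SMS android.permission.CALL_PHONE
android.permission.SYSTEM_ALERT_WINDOW android.permission.REQUEST_INSTALL_PACKAGES'

# stdin:  `pm list packages -3 -i` lines, e.g. "package:com.foo  installer=null"
#         (installer=null usually means sideloaded or installed over adb)
# stdout: "<package>TAB<installer>TAB<play|SIDELOADED>"
classify_installers() {
    while IFS= read -r line; do
        case "$line" in package:*) ;; *) continue ;; esac
        pkg=${line#package:}
        pkg=${pkg%% *}
        case "$line" in
            *installer=*) inst=${line##*installer=} ;;
            *)            inst=unknown ;;
        esac
        if [ "$inst" = "$PLAY_STORE" ]; then tag=play; else tag=SIDELOADED; fi
        printf '%s\t%s\t%s\n' "$pkg" "$inst" "$tag"
    done
}

# stdin:  `dumpsys package <pkg>` output. Requested permissions appear as bare
#         lines under "requested permissions:"; held ones as "<perm>: granted=true".
# stdout: "<permission>TAB<granted|requested>" for each watch-listed permission.
risky_permissions() {
    dump=$(cat)
    for p in $RISKY_PERMS; do
        if printf '%s\n' "$dump" | grep -q "$p: granted=true"; then
            printf '%s\tgranted\n' "$p"
        elif printf '%s\n' "$dump" | grep -q "^[[:space:]]*$p\$"; then
            printf '%s\trequested\n' "$p"
        fi
    done
}

# Live run: every third-party app, its installer, and its risky permissions.
# tr strips the CR that older adb versions append to each line.
audit_device() {
    tab=$(printf '\t')
    adb shell pm list packages -3 -i | tr -d '\r' | classify_installers |
    while IFS="$tab" read -r pkg inst tag; do
        printf '== %s (installer=%s) %s\n' "$pkg" "$inst" "$tag"
        adb shell dumpsys package "$pkg" | tr -d '\r' | risky_permissions | sed 's/^/   /'
    done
}

if [ "${1:-}" = "--run" ]; then audit_device; fi
```

Read the SIDELOADED tag as "decide for yourself": a vendor store such as Samsung's shows up there too, and a package you don't remember installing with installer=null is exactly the kind of dropper payload the post describes. Device-administrator and accessibility-service abuse are not visible in these two outputs; `adb shell dumpsys device_policy` lists active admins, which is where to look when an app refuses to uninstall.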


At the end of the day, due diligence pays off. Knowing what you’re installing and having confidence in the source, as well as paying attention to anomalies, all go a long way to keeping your device safe. Perform regular maintenance on your device by checking for rogue apps and deleting any files that aren’t needed. Take the chance to reduce the attack surface wherever you can and you’ll make yourself a harder target to hit.

Profiling a WordPress Attack

Hacking the Hackers

Welcome back to those of you playing along at home. This site has been down for a considerable amount of time, but I'm back! And I bring with me tales from the battlefield. Let's talk a little about WordPress and security, shall we?

A WordPress honeypot

Some time ago, while doing maintenance on the site, I identified an opportunity for a research project. I decided it would be fun to turn the WordPress installation into a honeypot, collect some threat intelligence, and delve once again into the current state of WordPress security. So I disabled the security controls, stopped updating the software, and sat back to watch the world burn.

It didn't take long before I started seeing scans pour in, and in a matter of days I had captured some malware and begun to catalog the attack patterns of WordPress attackers. It's fascinating to see the evolution of PHP malware as it relates to WordPress specifically. I spent some time doing extensive research into the breach, analyzing the attack patterns, and even tracing the honey data that was posted in various parts of the internet. I'll be writing that up as a blog series later in the year to show you how it all played out, but for now I'm getting things back online and ready to roll it out, so here we go!
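Cataloging starts with the access log. The script below is an added example (not the author's own tooling, which the promised write-up will cover) of a first-pass triage that turns a combined-format log into counts per attack pattern and per source address. The log lines embedded in it are constructed (RFC 5737 test addresses), not captured from the honeypot. The categories it looks for are well-known WordPress attack surfaces: POSTs to wp-login.php (credential brute force), xmlrpc.php (brute force and amplification through the XML-RPC API), /?author=N and the wp-json users endpoint (username enumeration), PHP files under wp-content/uploads (where webshells land after a vulnerable upload plugin is hit), and readme.html (version fingerprinting). The labels are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: tally WordPress attack patterns in an
# Apache/nginx combined-format access log.
#   sh wp_triage.sh /var/log/apache2/access.log    (or pipe the log on stdin)
#   sh wp_triage.sh --demo                          (run on the constructed sample)

# Constructed sample (RFC 5737 test addresses), not captured from the honeypot.
SAMPLE_LOG='203.0.113.5 - - [05/Jan/2018:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jan/2018:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jan/2018:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Jan/2018:10:01:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "python-requests/2.18.4"
198.51.100.9 - - [05/Jan/2018:10:01:01 +0000] "GET /readme.html HTTP/1.1" 200 7140 "-" "python-requests/2.18.4"
192.0.2.77 - - [05/Jan/2018:10:02:00 +0000] "POST /wp-content/uploads/2018/01/wp-cache.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.0.2.20 - - [05/Jan/2018:10:03:00 +0000] "GET /2017/12/some-post/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"'

# Classify each request and print, sorted:
#   category<TAB><name><TAB><count>   one line per attack category seen
#   ip<TAB><address><TAB><count>      hostile requests per source address
# Reads the files given as arguments, or stdin when none are given.
wp_attack_summary() {
    awk '
    {
        ip = $1
        # The request line is the first double-quoted field: "METHOD PATH PROTO"
        split($0, q, "\"")
        split(q[2], r, " ")
        method = r[1]; path = r[2]
        cat = ""
        if (method == "POST" && path ~ /^\/wp-login\.php/)                          cat = "login-bruteforce"
        else if (path ~ /\/xmlrpc\.php/)                                             cat = "xmlrpc"
        else if (path ~ /^\/[?]author=[0-9]+/ || path ~ /\/wp-json\/wp\/v2\/users/) cat = "user-enum"
        else if (path ~ /\/wp-content\/uploads\/.*\.php/)                            cat = "uploads-php"
        else if (path ~ /\/readme\.html$/)                                           cat = "fingerprint"
        if (cat != "") { bycat[cat]++; byip[ip]++ }
    }
    END {
        for (c in bycat) printf "category\t%s\t%d\n", c, bycat[c]
        for (a in byip)  printf "ip\t%s\t%d\n", a, byip[a]
    }' "$@" | sort
}

case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_LOG" | wp_attack_summary ;;
    "")     ;;                         # no arguments: only define the functions
    *)      wp_attack_summary "$@" ;;
esac
```

On the sample, the 301 on /?author=1 is the tell for enumeration: WordPress redirects that URL to /author/<username>/, handing the attacker a valid login name to feed the wp-login.php loop. A 200 with a tiny body on a POST to a .php file under uploads, as in the 192.0.2.77 line, is worth pulling the file for straight away; on a real install that directory should never serve PHP at all.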

So welcome back and thanks for joining me for the next chapter of the adventure! I’ll be repopulating the database in the near future to re-establish a lot of the old content, and going forward if there is content you like please say so and I will mark it for salvation in case this happens again. As always, if you have questions or if there is some content you’d like to see covered here, don’t hesitate to contact me! I’m always happy to engage others and to push myself to produce desired content. I appreciate you for taking the time to visit and hope to see you around the internet.

Grand Re-Opening