Installing the KeePass Password Manager

Today I want to walk through installing the KeePass password manager on Windows 10. This post will explore downloading, installing, and first steps to using a local password manager. The end result, for those who follow these steps, will be an encrypted password generation and storage mechanism.

Setting Up KeePass

Download KeePass

The first step in the process is downloading the installer. From the KeePass download page, there are options for both the installer and the portable package. While this post will be focused around installing the software on Windows 10, the portable option provides a good solution for users who need their passwords on multiple machines.

KeePass Download Page

Choose the installer and then save the file to disk

Save Installer

Once downloaded, navigate in Explorer to wherever the file was saved. Usually, this is in C:\Users\$USER\Downloads. Double clicking the installer will launch the process. After Windows User Access Control confirms permission to proceed, the KeePass installer will launch. The following series of images illustrates the install process.

Installing KeePass

First, select the install language.

Select Language

The license agreement is next. Be sure to read this before selecting “I accept the agreement”, which is required in order to proceed.

Accept License Agreement

I generally don’t mess with the install path, but if you have a desire, the next dialogue allows for definition of where KeePass will be installed on the system.

Choose Install Path

Another area that I typically don’t mess with, the component selection dialogue lets users take more control over what components of KeePass are installed.

Select Install Components

Yet another menu that requires no changes, the options pictured below ensure that KeePass recognizes the .kdbx file extension, as well as letting the user decide if a desktop and/or Quick Launch shortcut should be created.

Additional Tasks

With all the options configured, take a moment to look over the install configuration before proceeding.

Confirm Install Options

And we’re off to the races! In a few moments KeePass will be installed on the local system.

KeePass Installing

Once installation completes, launching KeePass will take us into the next steps to configure a password database.

Launch KeePass

Using KeePass

Launch the Program

If you accepted the install defaults, there is an icon on the desktop. Otherwise find the launcher in the start menu and KeePass walks users through the basic steps of setting up a database.

Configuring New Database

Select the path and file name that will become the password database file.

Select Password Database Path

The next step is to define the master password. This is the one password which users need to remember to access all the other passwords. Generally, I encourage users to use a passphrase rather than a password, for increased security.

Configure Master Password

Presuming both entries match, selecting “OK” will take us into some additional database settings. Again, since we’re just covering the basics of KeePass, I won’t be covering these today, but I encourage users to explore these other options.

Additional Database Settings

The last step in the setup is to print the KeePass Emergency Sheet. Print this off, fill out the details, and keep it safe as this will contain the details to gain access, should someone need it.

KeePass Emergency Sheet

And finally, we’re presented with the KeePass interface. In a later post, we’ll work with creating, editing, and using various entries, and how to put KeePass to work generating, and protecting, your passwords from prying eyes.

MyDatabase Running

There are several default entries and categories within a default KeePass database. I highly recommend exploring the entries that are available, learning the options, and making some mistakes with passwords that don’t matter before you start entering passwords on which you depend into KeePass.

Conclusion

If you’ve followed along at home, we’ve successfully installed, configured, and started using the KeePass password manager. While this post was written to demonstrate the process on a Windows 10 machine, KeePass also runs on Linux and Mac. In the next post, I’ll cover some notes on general usage of KeePass and the use of online alternatives. The goal here is to get readers to understand the benefits of using a password manager, and to illustrate the ease with which they can be implemented. I hope you’ve found this post to be informative and I appreciate the time you’ve taken to read it. Remember that we live in a hostile world and it is important to take measures to protect yourself!

Self Doxing: Loose Lips Sink Ships

Talk too much

For anyone who spends any time reading my content, you may remember a recent post that outlines my thoughts on the general basics of Operational Security. A well timed tweet last week, sparked by this article, kicked off some interesting conversations around the topic which resulted in the series of thoughts that sparked what you’re reading now. During the interactions on Twitter, one tweet in particular hit on several areas that I observe to be blatantly prevalent as I travel, work in the field, or observe people in general daily life.

Since these were called out by others during the conversation, and I have had the (mis)fortune of running into some of them recently, I figured I’d expound on the topics. In my normal fashion, I thought some anecdotes could help drive the visibility up a bit and hopefully get some of you thinking a little differently about how you handle yourselves in public.

What is “Doxing”?

First, a little background. Somewhere along the line “doxing” became a recognized form of internet attack. Basically, this tactic requires the attacker(s) to scour internet resources to gather information on a targeted individual, and then broadcasting personal or private information about that person. While the point of this article is not to go in-depth into the world of doxing, some high profile examples are outlined on the Wikipedia page covering the topic.

Typically, attackers will use the collected information to put pressure on targets, or to put them at risk in the most severe circumstances. While this most often is the result of actions taken by attackers against us, all too often people fall victim to “self-doxing”. In these instances, inattention to details or surroundings falsely convince a person that they are in a safe place to divulge certain information. All of these vectors are viable and often employed ‘in the wild’. As an attacker, I exercise these skills without even thinking about it. Here is my take on the subject:

Shoulder surfing

I was sitting aboard a flight recently, exit row aisle seat. I had been drawn to one particular individual who’d caught my attention through his generally boisterous nature during the boarding process. His holier-than-thou arrogance dripped off him, much like the aroma of the Tommy cologne he must’ve bathed in that morning. My eyes, closed as usual to appreciate the sensation of takeoff, opened when the flight attendant came over the PA with an annoyed tone. Her reminder to remain seated through the ascent was prompted by Mr. Important as he was standing in the aisle 2 rows ahead of me, digging his laptop from his belongings in the storage compartment above.

When he settled back into his seat, I couldn’t help myself but to get a peek at what was so pressing. In the hour that followed, I caught sight of documents his company surely wouldn’t want outsiders to see. I didn’t take photos for proof but I’m pretty sure capturing these documents would have been fairly easy to do. I also saw other juicy tidbits like contact information for others within Mr. Important’s company. Were I a bad guy, I could have leveraged the information here in a social engineering campaign to gain access to more sensitive information, and potentially unauthorized access into the company itself.

It’s wise to be mindful of your surroundings, especially when traveling. You never know who’s watching so exposing sensitive data should always be considered a risk in public. These things can usually wait until you’re in a private place where prying eyes are not a concern. However, if you must touch sensitive data in public, use a privacy filter to reduce exposure to onlookers.

Passive conversation listening

I ran into two separate instances on the same trip recently, where the information divulged in conversation provided me with enough information to identify the individuals, and gather significant pieces of private information about them, to make a significant impact upon their personal lives. I wanted to share these experiences here in hopes that we can reduce the number of times so much information is divulged in such a short time.

Mary Loves to Fly

I’d never met Mary before. Nothing about her caught my attention. She was already in the middle seat, one row behind me, when I settled into mine. As the plane filled, conversations rambled as they do, and when Mary’s travel neighbors settled in, she  chatted up a storm with Lucy in the window seat next to her. Now I am usually a pretty passive listener, a skill honed over a lifetime which lets me parse conversations and pick up on valuable tidbits. It’s quite nice for drowning out the general drivel of small talk while still letting me tune in when the conversation turns juicy.

A few minutes into Mary’s conversation with Lucy and I was gleaning bits and pieces of data that officially had me tuned in. Mary had given up her last name within minutes as well as her husband’s name, he was sitting up in first class but she thought the upgrade was not worth the cost, and the names of their 3 kids who were waiting for them on the other side of the flight. By the time we touched down I knew cites of residence, places of employment, and names. With a little OSINT gathering, there was enough public record and social media interaction to provide me with a full profile of all 5 members of this family.

Alexis and Her Lexus

On this same business trip, I was out to dinner at a local establishment. I sat at the bar and soaked up the atmosphere of the locals. 3 middle-aged men were at one corner of the bar sharing all kinds of tall tales, and taking their opportunities to hit on the young bartender, Alexis. Through the conversations they’d strike up with her, I learned she was a very proud owner of a Lexus RC, she was somewhat of a gym rat, and she once threw a full bottle of wine at an ex-boyfriend’s head in a rage after finding out he cheated on her. Oh, and her last name.

I was already in the mindset of the effects of this information leakage, and so I did a little more digging and was again able to gather some pretty deep detail on this subject, just from the couple hours of conversation I listened into at the bar one evening.

With cases like the murder of Kenichiro Okamoto fresh in our minds, we have to realize that oversharing can be deadly. Sure, this is an extreme case but people don’t realize how much information they leak on a regular basis. Stop talking about your children in so much detail with strangers. Don’t be so comfortable to divulge details of where you work with someone you’ve just met – let along in the open air of an airplane with countless unknown listeners.

Dumpster diving

The old adage rings true. One’s trash really can be treasure to another! The information discarded into the trash can often be used to the advantage of a threat actor. Think about what you’re getting rid of and how it might be used in the hands of some nefarious evil doer. As much as we’d like to think it won’t happen to us, the chances are ever increasing that someone will act upon a crime of opportunity and make use of data if it’s easily accessible.

Public computers

I’m always surprised by the number of people I see who are still using shared computers. At the library, in the airport, and most often at hotels, people log into these shared machines for many reasons. I don’t have much to offer here because I strongly recommend bringing your own device to access data when on the road. But if you must use a shared machine:

  • Learn to delete cookie from the web browser
  • Delete any files downloaded to the machine
  • Log out of EVERYTHING

Unattended devices

Here is another vector that just boggles my mind. Why, in today’s hostile world, do people ever find it appropriate to leave their belongings unattended? I can’t comprehend this logic. Even the cheapest MP3 player can be left alone and someone will take it simply because they can! People aren’t nice. If you have something of any value, they’re likely to want it for their own.

Picture you’re in a parking lot, standing between 2 cars among a sea of others. 1/2 mile from anyone else with no surveillance. One car is locked and has a $100 bill sitting on the passenger seat. The other, windows down and unlocked, with a $5 in the cup holder. The chances are great that the $5 gets stolen more often than the $100 simply because of availability and ease of access. Make yourself and easy target and you make yourself a definite target.

Profiling a WordPress Attack

Hacking the Hackers

WordPress SecurityWelcome back to those of you playing along at home. This site has been down for a considerable amount of time, but I’m back! And I bring with me tales from the battlefield. Let’s talk a little about WordPress and security, shall we?

A WordPress honeypot

Some time ago, while doing maintenance on the site, I identified an opportunity for a research project. I decided it would be fun to turn the WordPress installation into a honeypot and collect some threat intelligence.  I decided it was time once again to delve into the current state of WordPress security. So I disabled the security controls, stopped updating the software and sat back to watch the world burn.

It didn’t take long before I started seeing scans pour in. And in a matter of days I captured some malware and began to catalog the attack patterns of WordPress attackers. It’s fascinating to see the evolution of PHP malware as related to WordPress specifically. I spent some time doing extensive research into the breach, analyzing the attack patterns, and even tracing the honey data that was posted in various parts of the internet. Eventually I’ll be writing that up as a blog series later in the year to show you how it all played out, but for now I’m getting things back online and ready to roll it out, so here we go!

So welcome back and thanks for joining me for the next chapter of the adventure! I’ll be repopulating the database in the near future to re-establish a lot of the old content, and going forward if there is content you like please say so and I will mark it for salvation in case this happens again. As always, if you have questions or if there is some content you’d like to see covered here, don’t hesitate to contact me! I’m always happy to engage others and to push myself to produce desired content. I appreciate you for taking the time to visit and hope to see you around the internet.

Grand Re-Opening