What the hell do we do if password vaults aren't secure enough?
The news that the KeePass program can be hacked, allowing an attacker to stealthily decrypt login credentials, raises concerns for all password vaults.
People are increasingly relying on password vaults to organise their login credentials
Only this week we have learned of a hacking tool which allows a threat actor, under an admittedly rather strict set of prior requirements, to access and stealthily decrypt all the login credentials and secure notes stored within an instance of the KeePass program. Which leads us to ponder, what the hell are we supposed to do if password vaults just aren't secure enough anymore?
The hacker tool in question, which targets KeePass, has been named KeeFarce and isn't actually as worrying as it may appear at first.
We say this despite the fact that, in principle, a similar tool could be designed that could empty the contents of pretty much any password vault. The reason that we are not in a state of panic is simply that in order for KeeFarce to do what it does, it needs the target computer to have already been compromised.
So it's a great tool for pen testers and hackers alike, but only if they already have access to the machine with KeePass installed.
What's more, it needs that instance of KeePass to be open with the user logged in and the password database unlocked. Under those circumstances it's pretty much game over anyway, so it's not as big a deal that it can silently decrypt and copy your password database to a file for you to collect at your leisure.
That said, as Ken Munro, senior partner at Pen Test Partners, points out: "Someone did all the hard work to make this attack vector very easy to implement. Its success rate, however, is directly related to how exploitable the target workstations are."
Munro told SCMagazineUK.com that the kind of attack he would be seriously concerned about would be one that "exploits weaknesses in the encryption algorithms and makes the database susceptible to brute forcing within a practical time frame" – which isn't to say that KeeFarce-style malware may not emerge, and become increasingly problematical. It all depends on how popular device-based password vault software gets; if enough people start using it then common malware families will start targeting this stuff.
"It's all about return on investment, though, so if only a tiny fraction of people make use of it then the malware authors probably won't consider it a high priority," said Luke Jennings, senior security researcher, MWR InfoSecurity.
This raises the question, does KeeFarce reveal the strength of a cloud-based store, the weakness of a local one, or is it more about confirming that all bets are off once your computer is compromised?
"A cloud solution isn't necessarily any better," Jennings said. "Malware can just key log your credentials used to access it. If you use out-of-band authentication as well then they can still potentially pivot off a legitimate session via your computer."
What KeeFarce does is, therefore, confirm that all bets are off once your computer, or smartphone, is OS-level compromised – simple as.
"Such compromises make it irrelevant whether passwords are stored in the cloud or not," insisted CertiVox CEO Brian Spector, who continued: "OS-level compromises will enable an attacker to gather credentials for cloud-based or local passwords."