Only this week we have learned of a hacking tool which allows a threat actor, under an admittedly rather strict set of prior requirements, to access and stealthily decrypt all the login credentials and secure notes stored within an instance of the KeePass program. Which leads us to ponder: what the hell are we supposed to do if password vaults just aren't secure enough anymore?
The tool in question, which targets KeePass, has been named KeeFarce, and it isn't actually as worrying as it may appear at first.
We say this despite the fact that, in principle, a similar tool could be built to empty the contents of pretty much any password vault. The reason we are not in a state of panic is simply that, in order for KeeFarce to do what it does, the target computer must already have been compromised.
So it's a great tool for pen testers and hackers alike, but only if they already have code running on the machine with KeePass installed.
What's more, it needs that instance of KeePass to be open, with the user logged in and the password database unlocked, because only then does the decrypted content exist in memory to be taken. Under those circumstances it's pretty much game over anyway, so the fact that it can silently decrypt your password database and copy it to a file for collection at your leisure is less of a big deal than it sounds. It also means the window is shrunk by KeePass's own options to lock the workspace after a period of inactivity or when the machine locks: a locked database gives a tool of this kind nothing to export.
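The point made above, that a locked vault holds only ciphertext while an unlocked one holds plaintext that any process running as the same user can read, can be shown with a small added demonstration. This is not KeeFarce and not code from the article: it forks a child process that plays the vault, then reads that child's memory through /proc/<pid>/mem while the vault is locked and again after it unlocks. The entry layout, master password and secret are constructed for the example, the HMAC-in-counter-mode stream cipher is a stand-in for the AEAD a real vault would use, and the scan assumes Linux with /proc/sys/kernel/yama/ptrace_scope at most 1, so that a parent may read its own child.

```python
# Added demonstration (not KeeFarce, not the article's code). Linux only:
# a forked child plays the vault; the parent, an ordinary same-user process,
# scans the child's memory via /proc/<pid>/mem before and after "unlock".
import hashlib
import hmac
import os
import re
from typing import Optional

MASTER_PASSWORD = b"correct horse battery staple"        # constructed
SALT = b"constructed-salt"                               # constructed
HEADER = b"VAULT\x00site=example.com;user=alice;pass="  # constructed entry layout
PATTERN = re.compile(rb"pass=([0-9a-f]{18})\x00")        # what a dumper looks for


def derive_key(master: bytes, salt: bytes) -> bytes:
    # Memory-hard KDF: each offline guess costs ~16 MiB and tens of ms,
    # which is what keeps brute force of the at-rest file impractical.
    return hashlib.scrypt(master, salt=salt, n=2**14, r=8, p=1, dklen=32)


def keystream(key: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a single-use stream cipher (stand-in
    # for AES; a real vault uses an AEAD with a fresh nonce per write).
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def scan_process(pid: int) -> Optional[bytes]:
    """Read every writable mapping of `pid`; return the first plaintext
    password field found, or None. Needs ptrace-level access to `pid`."""
    regions = []
    with open(f"/proc/{pid}/maps") as maps:
        for line in maps:
            start, end, perms = re.match(r"([0-9a-f]+)-([0-9a-f]+) (\S+)", line).groups()
            if perms.startswith("rw"):
                regions.append((int(start, 16), int(end, 16)))
    fd = os.open(f"/proc/{pid}/mem", os.O_RDONLY)  # permission check happens here
    try:
        for start, end in regions:
            off = start
            while off < end:
                n = min(1 << 20, end - off)
                try:
                    chunk = os.pread(fd, n, off)
                except OSError:          # some mappings refuse reads; skip them
                    break
                m = PATTERN.search(chunk)
                if m:
                    return m.group(1)
                if off + n >= end:
                    break
                off += n - 64            # overlap so a match is never split across reads
    finally:
        os.close(fd)
    return None


def run_demo() -> dict:
    """Fork the vault child, scan it locked and then unlocked, and return both
    findings next to the child's real secret so they can be compared."""
    to_child_r, to_child_w = os.pipe()
    to_parent_r, to_parent_w = os.pipe()
    pid = os.fork()
    if pid == 0:                                    # child: the vault
        try:
            os.close(to_child_w); os.close(to_parent_r)
            password = os.urandom(9).hex().encode()  # 18 hex chars, unknown to parent
            key = derive_key(MASTER_PASSWORD, SALT)
            ks = keystream(key, len(HEADER) + len(password) + 1)
            # Encrypt piecewise so the plaintext record never exists contiguously
            # while locked (freed memory is not zeroed, so residue would show up).
            blob = (xor(HEADER, ks[:len(HEADER)])
                    + xor(password, ks[len(HEADER):len(HEADER) + len(password)])
                    + xor(b"\x00", ks[-1:]))
            os.write(to_parent_w, b"L")             # locked: only ciphertext held
            os.read(to_child_r, 1)                  # wait for parent's first scan
            entry = xor(blob, ks)                   # user unlocks: plaintext in RAM
            os.write(to_parent_w, b"U")
            os.read(to_child_r, 1)                  # wait for parent's second scan
            os.write(to_parent_w, password)         # reveal truth only for checking
            del entry
        finally:
            os._exit(0)
    os.close(to_child_r); os.close(to_parent_w)
    os.read(to_parent_r, 1)
    locked_view = scan_process(pid)
    os.write(to_child_w, b"x")
    os.read(to_parent_r, 1)
    unlocked_view = scan_process(pid)
    os.write(to_child_w, b"x")
    truth = os.read(to_parent_r, 64)
    os.waitpid(pid, 0)
    return {"locked": locked_view, "unlocked": unlocked_view, "truth": truth}


if __name__ == "__main__":
    print(run_demo())
```

Run stand-alone, the locked scan returns None and the unlocked scan returns the password the child never transmitted, recovered purely from its memory. With ptrace_scope at 0 the same read works against any process of the same user, which is the position code already running on the box is in; KeeFarce achieves the equivalent on Windows, where there is no such restriction between a user's own processes.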
That said, as Ken Munro, senior partner at Pen Test Partners, points out: "Someone did all the hard work to make this attack vector very easy to implement. Its success rate, however, is directly related to how exploitable the target workstations are."
Munro told SCMagazineUK.com that the kind of attack he would be seriously concerned about would be one that "exploits weaknesses in the encryption algorithms and makes the database susceptible to brute forcing within a practical time frame" – which is not to say that KeeFarce-style malware won't emerge and become increasingly problematic. It all depends on how popular device-based password vault software gets; if enough people start using it, then common malware families will start targeting this stuff.
"It's all about return on investment, though, so if only a tiny fraction of people make use of it then the malware authors probably won't consider it a high priority," said Luke Jennings, senior security researcher, MWR InfoSecurity.
This raises the question, does KeeFarce reveal the strength of a cloud-based store, the weakness of a local one, or is it more about confirming that all bets are off once your computer is compromised?
"A cloud solution isn't necessarily any better," Jennings said. "Malware can just key log your credentials used to access it. If you use out-of-band authentication as well then they can still potentially pivot off a legitimate session via your computer."
What KeeFarce does, therefore, is confirm that all bets are off once your computer or smartphone is compromised at the OS level. Simple as that.
"Such compromises make it irrelevant whether passwords are stored in the cloud or not," insisted CertiVox CEO Brian Spector, who continued: "OS-level compromises will enable an attacker to gather credentials for cloud-based or local passwords."
One advantage of cloud-based password vaults is that some of them offer two-factor authentication. The user-experience cost of traditional two-factor authentication, however, often leads users to switch off that credible and effective security layer, and that is a mistake. It is also worth being clear about what the second factor protects: it guards the login to the vault, and, as Jennings points out above, it does nothing for a session that is already open on a compromised machine.
"A password manager without strong cryptographic two-factor authentication is no help in any case when the computer is compromised," Spector concluded. "All bets are, indeed, off."
Brendan Rizzo, technical director EMEA for HPE Security, recommends perhaps thinking slightly sideways and mitigating the compromise risk of tools such as KeeFarce by air-gapping password storage and usage.
"This could be done by storing passwords on a password vault on a smartphone," Rizzo explained, "but using them on your PC. This does reduce the convenience factor, but it also greatly enhances the overall security."
Unfortunately, it is the convenience factor that leads to your average user having passwords like 12345678 and not bothering with two-factor authentication in the first place, so the idea of them bothering with an air-gap is something of a leap.
The same applies to the sound advice from Benjamin Nathan, director of engineering at Varonis, who said, "sensitive applications and passwords should be segregated with applications", adding, "The same segregation of duties that organizations use to manage servers should apply to the safe that contains the keys to access them."
Good advice, but unlikely to be adopted by your average, or even semi-clued up, consumer.
Andrew Rogoyski, VP cyber security services at CGI UK, agreed and added that it "illustrates the classic balancing act between usability and security".
He told SC, "Password vaults/managers allow people to use dozens of complex passwords that they typically need for everyday life. However, they also introduce a single point of failure – if your password vault or device is hacked, so are all your accounts. The alternative for many people is to physically write their passwords down or to use simple, easy to remember/hack passwords."
We will leave the final word with Cameron Brown, a cyber-security pro with expertise related to international security, policing, intelligence and counter terrorism.
He told SCMagazineUK.com that, at the end of the day, "the utility of security enhancing tools like password managers is impacted by the trustworthiness of the end point on which it is deployed".
He said: "If the base operating system is compromised, transmissions may be intercepted, user data may be exfiltrated or encrypted by miscreants, and keystrokes can be captured with ease. Effective use of password management systems requires some mindfulness and technical engagement by the user, thereby posing a potential security problem in itself."
If users are prepared and able to educate themselves about the strengths and weaknesses of these systems, Brown insists, then password managers can provide adequate protection.