Friday, November 06, 2015

What the hell do we do if password vaults aren't secure enough?

Only this week we have learned of a hacking tool which, under an admittedly rather strict set of prior requirements, allows a threat actor to access and stealthily decrypt all the login credentials and secure notes stored within an instance of the KeePass program. Which leads us to ponder: what the hell are we supposed to do if password vaults just aren't secure enough anymore?

The hacking tool in question, which targets KeePass, has been named KeeFarce, and it isn't actually as worrying as it may appear at first. We say this despite the fact that, in principle, a similar tool could be designed to empty the contents of pretty much any password vault. The reason we are not in a state of panic is simply that, in order for KeeFarce to do what it does, the target computer must already have been compromised. So it's a great tool for pen testers and hackers alike, but only if they already have access to the machine with KeePass installed. What's more, it needs that instance of KeePass to be open, with the user logged in and the password database unlocked. Under those circumstances it's pretty much game over anyway, so it is not such a big deal that it can silently decrypt and copy your password database to a file for collection at leisure.

That said, as Ken Munro, senior partner at Pen Test Partners, points out: "Someone did all the hard work to make this attack vector very easy to implement. Its success rate, however, is directly related to how exploitable the target workstations are."