Chrome and Firefox Phishing Attack Uses Domains Identical to Known Safe Sites

Update on April 19th at noon Pacific time: Chrome has just released version 58.0.3029.81. We have confirmed that this resolves the issue and that our ‘epic.com’ test domain no longer shows as ‘epic.com’ and displays the raw punycode instead, which is ‘www.xn--e1awd7f.com’, making it clear that the domain is not ‘epic.com’. We encourage all Chrome users to […]

Source: Chrome and Firefox Phishing Attack Uses Domains Identical to Known Safe Sites
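As an added illustration (not part of the Wordfence excerpt above), here is a small Python check that renders a hostname the way the fixed Chrome does (raw punycode) and flags labels assembled from Cyrillic lookalike letters. The confusable table is a constructed subset, and the Cyrillic “epic” sample is a constructed homograph of the epic.com test domain mentioned above.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like ASCII letters in common
# fonts. A complete list lives in Unicode TR39 "confusables"; this is enough to
# show the whole-script homograph the Chrome/Firefox issue relied on.
CONFUSABLE_TO_ASCII = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}


def to_punycode(hostname: str) -> str:
    """ASCII (xn--) form of the hostname, i.e. what a patched browser displays."""
    return hostname.encode("idna").decode("ascii")


def lookalike_target(hostname: str):
    """Return the ASCII domain this hostname impersonates, or None.

    Every non-ASCII character must be a known confusable; a genuine IDN
    character such as 'ü' means the name is simply international, not a fake.
    """
    out, saw_confusable = [], False
    for ch in hostname:
        if ord(ch) < 128:
            out.append(ch)
        elif ch in CONFUSABLE_TO_ASCII:
            out.append(CONFUSABLE_TO_ASCII[ch])
            saw_confusable = True
        else:
            return None
    return "".join(out) if saw_confusable else None


def homograph_report(hostname: str) -> dict:
    """Normalise the name, compute its punycode form and flag lookalikes."""
    hostname = unicodedata.normalize("NFC", hostname).lower()
    target = lookalike_target(hostname)
    return {
        "display": hostname,
        "punycode": to_punycode(hostname),
        "lookalike_of": target,
        "risky": target is not None,
    }


if __name__ == "__main__":
    # Constructed sample: "epic" written entirely with Cyrillic letters.
    for name in ("epic.com", "\u0435\u0440\u0456\u0441.com", "b\u00fccher.example"):
        print(homograph_report(name))
```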

Review: Keepass

Keepass is a password manager: it remembers your passwords for you and generates secure ones. Securing your online accounts is becoming more and more important, and using a unique password for each account is essential so that a single website or service leaking your credentials does not get your other accounts hacked. That way a breach compromises only the account on the site or service that was breached, not your other online identities and accounts.

You can also store notes or text inside the database and protect them, which can be useful for order numbers, messages, logs, financial information, and so on.
Keepass also supports encrypting files through its attachment system, but the feature is not very discoverable. You can add an entry that is not a password, and through the advanced options you can attach any file to that entry.

Keepass offers good security. It encrypts the database that stores your accounts and passwords with the AES or Twofish algorithm. You can choose to install the program on your computer, or use a portable version to deploy it on a cloud drive or keep it on a USB stick. As extra security layers, Keepass is also hardened against dictionary (guessing) attacks, and it protects your passwords while Keepass is running so that an attacker cannot read a password while it sits in the computer’s memory or when it is being written to disk.

Your database is protected by encryption, and it can only be unlocked in the way you set it up. For example, if you choose to protect the database with a “Master Password”, only that master password can unlock the database. You can also use a key file or the Windows user account, which I do not recommend using.

Password Generation

generator dialog

Passwords can be generated by the program itself using a pseudo-random number generator. Since computers cannot produce truly random numbers on their own, we have to rely on carefully designed algorithms. Keepass combines a wide set of entropy sources to make the password as random as it can (which is extremely well executed compared to other solutions). Those sources include the random number generators provided by the operating system, the current time, the operating system version, hardware UUIDs, the processor count, memory and process statistics, and many more.

This makes the generator very robust and makes it much harder for an attacker to predict its output in advance.

Additional Security

While no system is perfect, Keepass offers further ways to mitigate attacks that try to intercept your password. For example, with TCATO (Two-Channel Auto-Type Obfuscation), when a password is ‘transferred’ to an application partly through the clipboard, Keepass mixes in decoy keystrokes, which makes it harder for an attacker using a clipboard-capture tool or a key logger to recover your password. This function is not enabled by default because of compatibility issues it can cause with some applications.

For more information and for downloads, please visit the official Keepass website at http://keepass.info

Upcoming program reviews

I will soon start publishing reviews of programs that I use daily. These range from password managers, file managers, security tools and development tools to image editors and more.

Each post will have an in-depth explanation of how you can use the program and configure it to your needs. The first program I will introduce to you will be a password manager, Keepass, which will help you generate very secure passwords and remember them for you.