KeePass question

Discussion in 'all things UNIX' started by JConLine, Sep 6, 2010.

Thread Status:
Not open for further replies.
  1. JConLine

    JConLine Registered Member

    Joined:
    Apr 16, 2009
    Posts:
    107
    I have a couple of questions about keepass.

    1. If the password is drag 'n' dropped into an online form, while in transit does the password maintain its encryption?

    2. If the master password is entered via a virtual keyboard does that enhance security? I've never been comfortable entering my master KeePass password while online, just curious if a virtual keyboard offers more protection.

    Jim
     
  2. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667

    Have a look at the discussion in https://www.wilderssecurity.com/showthread.php?t=280781
    The upshot was that unless you use SELinux or similar security restrictions, your events are not secure (including virtual keyboarding).
     
  3. katio

    katio Guest

    1) No, but I don't think that matters. Drag and drop is between two clients, I can't think of a way for a 3rd one to eavesdrop on the connection wrt above xorg issue.
    If you have a kernel level exploit it's game over anyway because at some point the password will reside in RAM as plaintext.
    As for a user level exploit I can only think of GUI spoofing so you end up sending the credentials to the wrong window.
    2) yes, logging the keyboard is much easier than logging mouse events and most hardware keyloggers are useless against virtual keyboards.
     
  4. KookyMan

    KookyMan Registered Member

    Joined:
    Feb 2, 2008
    Posts:
    367
    Location:
    Michigan, USA
    If you're worried about keyloggers, I'd advise using a keyfile instead. Store it on a USB drive, then you have to have the USB to access your passwords. Or better, use both, password and keyfile.
     
  5. katio

    katio Guest

    This only works reliably against hardware based attacks, a simple software keylogger wouldn't work either but if you fear there's malware on the system this is no solution. Also it does not work with online logins which is what OP is interested in. You could protect the passwords at rest that way but once you use one you'll have exactly the same problems as with the current approach.
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,699
    That is not true. Stop spreading fear.
    Your events, as you call them, are secure.
    What if she's the only user on her machine? What then?
    How about not having any crap on your machine and then all is well?

    Mrk
     
  7. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Firefox etc can still be running malware if open.

    Sure, if you have no malware on computer, either resident, or running via plugins/browsers, then you are secure; but that's like saying if there were no criminals in the world, then there would be no crime.

    As for you harping on me; there is a keylogging program presented in that thread which shows how simple it is.
     
  8. katio

    katio Guest

    No, it's like saying:
    There are criminals in the world, but why would they attack me if there are so many much lower hanging fruits. Possible? yes, but not likely.

    It's only simple once you have access to the system, but the latter is the hard part. Even then, copy/pasting the keyword with KeePass or using a virtual keyboard renders that particular attack useless.
    The xorg issue was about grabbing key strokes and sending keys to other windows, not a general system compromise (it could facilitate one however, again far from simple).
     
  9. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,699
    I'm not harping on you - you're spreading unsubstantiated fear. You're frightening people with half-based ideas and assumptions.

    You say: Firefox can still be running malware if open. What does that mean? Care to elaborate? Are we talking a compromised shared library? Are we talking hooking a device? Are we talking a recompiled kernel object? A replaced binary? Inter-process communication? How does this ethereal malware manifest? And why do you have it in the first place? How did it break past the existing barriers? How come the user got to run the bad code and ruin his/her machine? Why? Oh, have you ever seen Firefox running malware, so to speak? Have you ever witnessed a live, genuine hijacking of the browser, even on Windows, not counting IE? Have you ever seen that happen on Linux?

    You may say, it could happen - but then earth might implode too.

    And which Firefox version are we talking about? Which operating system? Which kernel? Which processor architecture and what extensions? What kind of permissions and attributes on mounted devices? What kind of restrictions on binaries? What does /proc/cmdline say? What's under /etc/mtab? Wanna go fancy with geeky words, we could, for no good reason but spreading technobabble.

    So there's a keylogging program proof of concept written. So? Someone still has to run that code. It's like saying, there's AIDS in the world. It's so simple getting infected. You just need to have unprotected sex with some 30-40 people, several dozen times each, exchange a few needles and that's it.

    I can write half a dozen proofs of concepts in ten minutes. I can write a dangerous kernel module in 34 seconds. And? How does this relate to reality?

    The entire malware discussion, regardless of the OS used, always comes down to two basic things:

    1) Understanding the problem nullifies fear.
    2) If you don't click, it won't execute.

    It's as simple as that.

    Cheers,
    Mrk
     
  10. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    The issue here is that the "Linux people" have always lived under the assumption that Linux is "secure by design", that even if there were a healthy ecosystem of Linux malware out there Linux would still be immune. Now the cat's out of the bag and it's being shown that - just like any other OS - it's entirely possible for the user to get pwned if they click on the wrong stuff.

    For some of us this is perfectly normal and obvious, but for some others there needs to be some time to readjust to this new worldview. I don't think wearetheborg is spreading FUD, he's probably just trying to preach this new reality to the old guard, so to speak.

    Having said that, I don't really think it's worth worrying about this yet either. Lots of other low-hanging fruit, as katio pointed out. MUCH lower-hanging fruit.
     
  11. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Yes, Eice is correct. I'm not arguing about the chances of being hit by these kinds of linux attacks, but how technically feasible they are.

    It would be misleading to say such attacks are not feasible.

    Regarding Firefox running malware, I'm considering a simple scenario: a user visits some website, with the website running some malicious script. The script does not install anything, rather it captures x-events. Technically, it can take a screenshot whenever a mouse is clicked, thus negating this security. This is not particular to linux, there was an article on password security which pointed out this same thing.
     
  12. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,699
    I did write that it takes 34 seconds to write malicious code, it's feasible.

    Now, to your example - a website captures x events.

    How exactly? I want you to explain this to me and yourself in technical terms. Once you know the answer you will realize that your example does not apply.

    Your X window or anything is not just a shelf in a supermarket with anyone on the Internet shoving their filthy hands all over. It does not work that way.

    I recommend you invest in a very basic thing - learning how network interaction between site - your browser - and local content works. After this, you can upgrade to malware examinations. But first, the basics.

    Once again, malware thingie, in any OS, including Windows, is so overrated.

    Mrk
     
  13. katio

    katio Guest

    It doesn't quite work as simple as that. Scripts and plugins all run constrained e.g. the JS sandbox or Java's JVM. So in order to do anything malicious you still first need to find an exploit.
    That's why I consider regular and early patching (next to your backup strategy) by far the most important defense and don't bother with stuff (gimmicks) like keylogger protection.
     
  14. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Got any links I could use to learn this?
     
  15. JConLine

    JConLine Registered Member

    Joined:
    Apr 16, 2009
    Posts:
    107
    Thanks for the comments.

    Sorry to ask these noob questions but security is a mystery to me. When using KeePass, I know the clipboard is used for copy and paste but is the clipboard also used for drag 'n' drop, and is one way of transferring the password more secure than the other?

    Thanks for your help.

    Jim
     
  16. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,699
    You can start with learning about the network stack. Then, you may want to look into how applications communicate with one another, what protocols and mechanisms are used. Will take a while, but if you're serious about OS internals, then you should enjoy it.

    Some pointers [sic]:

    http://en.wikipedia.org/wiki/Network_stack (also TCP/IP model)

    http://en.wikipedia.org/wiki/Inter-process_communication

    Cheers,
    Mrk
     