
Tag: Intel Security

Intel touts bug bounties to hardware hackers

Website and Intel Security (McAfee) products excluded from 'Wild West' payouts scheme

Intel has launched its first bug bounty program, offering rewards of up to $30,000.…

Survey Finds Disconnect Between Security Strategy and Execution

Report from Intel Security and CSIS discovers 93% of businesses have cybersecurity strategies, but only 49% fully implement them.

Intel Security Looks Forward to McAfee Future

VIDEO: Chris Young, Senior Vice-President and General Manager of Intel Security talks about his RSA Conference keynote.

US Libraries Hit By Ransomware Attack

Libraries across the city of St Louis are gradually regaining control of their computer systems, following a malware attack several days ago. Criminals broke into the systems of 17 libraries, disabled them and demanded a ransom...

Security expert: Ransomware took in $1 billion in 2016

Increased user awareness of phishing threats, better antivirus technology, more industry-wide information sharing and cross-border efforts by law enforcement authorities will combine to turn the tide against ransomware this year, according to some security experts, but others expect the attacks to continue to increase. According to a security expert who requested anonymity, ransomware cybercriminals took in about $1 billion last year, based on money coming into ransomware-related bitcoin wallets. That includes more than $50 million each for three wallets associated with the Locky ransomware, and a fourth one that processed close to $70 million.

Cryptowall brought in close to $100 million before it was shut down this year.

CryptXXX gathered in $73 million during the second half of 2016, and Cerber took in $54 million, the expert said. Smaller ransomware families brought in another $150 million, and the FBI has reported $209 million in ransomware payments during the first three months of 2016.
In addition to this $800 million or so in known payments, there are many other Bitcoin wallets that are unknown to researchers and uncounted, pushing the estimated total to $1 billion for all of 2016.

“The $1 billion number isn’t at all unreasonable and might even be low,” confirmed Mark Nunnikhoven, vice president of cloud research at Trend Micro. “It’s getting difficult to track the amount of money flowing into criminals’ Bitcoin wallets because they’ve started to try and hide the transactions across a large number of wallets,” he added.

He said that there was a 400 percent increase in ransomware variants last year, and he expects to see a 25 percent growth in ransomware families in 2016. “What we’re seeing is a bit of a maturation in how to execute these attacks, so we’re expecting a leveling off to a more realistic growth curve,” he said. But criminals will continue innovating because of how profitable ransomware is.

“I don’t think we’ll see the 100 percent growth that we saw from 2015 to 2016,” said Allan Liska, intelligence analyst at Recorded Future. “I think we’ll probably see a 50 percent growth.” The markets for stolen medical records, credit card numbers and email addresses are collapsing, he said. “Not only is it taking a while to get paid, but they’re not getting paid as much as they used to,” he said. Meanwhile, ransomware is an easy business to get into, the payout is immediate, and it offers an ongoing revenue stream. “There’s no incentive for them to discontinue ransomware,” he said.

Some experts expect growth to be even higher. Successful ransomware attacks will double this year, predicted Tom Bain, vice president at CounterTack. “The reality is that every single customer I speak to, anyone in the industry really, this is their number one concern,” he said. Better defensive technology and collaboration will help, he said, but the problem is going to get worse before it starts to get better.
Gartner analysts estimate that there were between 2 million and 3 million successful ransomware attacks in 2016, and that the frequency will double year over year through 2019. “I think they’re right,” said Bain.

But not all experts think the future is quite that bleak. Raj Samani, vice president and CTO at Intel Security, predicts that anti-ransomware efforts will begin to pay off in the next few months. “We’ll see a spike earlier on this year, but then I anticipate our efforts with law enforcement to be successful,” he said.

Intel, along with Kaspersky Labs, Europol, and the Dutch National High Tech Crime Unit formed an alliance this past summer, No More Ransom. Since then, more than a dozen other law enforcement agencies have joined up, including Bosnia and Herzegovina, Bulgaria, Colombia, France, Hungary, Ireland, Italy, Latvia, Lithuania, Portugal, Spain, Switzerland, and the United Kingdom. Several other security vendors have also joined up.

“Now that we’ve got more law enforcement agencies on board, and more private sector firms, we expect to see an increase in successful take-down operations,” said Samani. In addition to working together to bring down ransomware operations, the group also distributes free anti-ransomware tools. That, combined with more user awareness about phishing and better detection technologies, will combine to stop the growth of this attack vector, Samani said. “As an industry, we’ve started to develop new products, sandboxing, threat intelligence exchanges,” he said. “It is getting better.”

However, he warned that malware authors do have one significant advantage. “There’s an asymmetry of information,” he said. “They have tools and services that will allow them to run their malware through all the anti-virus engines out there. They can install our products and they know how our products work because we openly talk about them. This is one of the big security challenges.”

This story, "Security expert: Ransomware took in $1 billion in 2016" was originally published by CSO.

Hacking Evidence in Hand, Obama Sanctions Russia

US authorities provided technical details to back up their claims that Russian authorities were behind recent cyber attacks on American political targets.

US authorities on Thursday released technical details about the tools and infrastructure that Russian hackers used to compromise the computer systems of multiple American government and private entities.

A brief joint report from the Federal Bureau of Investigation and the Department of Homeland Security outlines what the agencies refer to as Russia's "ongoing campaign of cyber-enabled operations directed at the US government and its citizens."

The report bolsters the FBI's earlier claim that hackers affiliated with Russian intelligence services (RIS) targeted computers at the headquarters of the Democratic National Committee during the final months of the 2016 US presidential election. Two separate Russian organizations gained access to the political party's systems as early as summer 2015, according to the report. The first group used a "spearphishing" campaign that sent an email to more than 1,000 recipients, at least one of whom opened attachments containing malware.

The second Russian group targeted the same political party—the report does not identify the DNC by name—in spring 2016 using a similar phishing campaign, which tricked recipients into visiting a fake website that asked them to change their email passwords. The second attack likely resulted in the "exfiltration of information from multiple senior party members," according to the report.

"Actors likely associated with RIS are continuing to engage in spearphishing campaigns, including one launched as recently as November 2016, just days after the U.S. election," the report concluded.

US authorities did not announce further information about the two groups, nor the specifics of their links to Russian intelligence. The report simply states that "public attribution of these activities to RIS is supported by technical indicators from the US Intelligence Community, DHS, FBI, the private sector, and other entities."

Along with the report, the Obama administration also announced sanctions against Russia for its hacking activities. Using an executive order, President Obama sanctioned the GRU and FSB, Russia's military and civilian intelligence agencies, as well as three companies and four individual members of the GRU that he said provided support to its hacking operations.

"We will continue to take a variety of actions at a time and place of our choosing, some of which will not be publicized," Obama said in a statement. "In addition to holding Russia accountable for what it has done, the United States and friends and allies around the world must work together to oppose Russia's efforts to undermine established international norms of behavior, and interfere with democratic governance."

The Russian response to the sanctions appeared scattered Thursday afternoon, with the Russian embassy in the UK offering a separate statement on Twitter from that of Konstantin Kosachev, the head of Russia's Committee on Foreign Relations.

"The outgoing administration has no grounds, neither political nor moral rights for such harsh and destructive steps towards the bilateral relations with Russia," he told Interfax, a Russian newswire, according to NBC News. "I am sorry for the harsh wording but I don't have other words for it. This not just an agony of the 'lame ducks,' but of the 'political corpses.'"

Although President-elect Donald Trump has downplayed the severity of Russia's hacking efforts, private sector security experts in the US welcomed the sanctions.

"The administration, fellow lawmakers and general public must understand the potentially catastrophic consequences of a digital cyber conflict," Intel Security CTO Steve Grobman said in a statement issued ahead of the sanctions. "We usually consider critical infrastructure to include life-sustaining services such as water, power, transportation, and first responder communications. But, given that election systems are the foundational organs of democracy, we must protect them accordingly."

White House Announces Retaliatory Measures For Russian Election-Related Hacking

35 Russian intelligence operatives ejected from the US, and two of the "Cyber Most Wanted" are frozen out by Treasury Department.

UPDATED 4:00 PM E.T. THURSDAY -- The US, today, formally ejected 35 Russian intelligence operatives from the United States and imposed sanctions on nine entities and individuals: Russia's two leading intelligence services (the G.R.U. and the F.S.B.), four individual GRU officers, and three other organizations.

The actions are the Obama administration's response to a Russian hacking and disinformation campaign used to interfere in the American election process.

The FBI and the Department of Homeland Security also released new declassified technical information on Russian civilian and military intelligence service cyber activity, in an effort to help network defenders protect against these threats.

Further, the State Department is shutting down two Russian compounds, in Maryland and New York, used by Russian personnel for intelligence-related purposes.

Plus, the US Department of Treasury sanctioned two members of the FBI's Cyber Most Wanted List, Evgeniy Mikhailovich Bogachev and Aleksey Alekseyevich Belan. Infosec pros will recognize Bogachev especially as the alleged head of the GameOver Zeus botnet. A $3 million reward for info leading to his arrest has been available for some time.

Treasury sanctioned Bogachev and Belan "for their activities related to the significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for private financial gain. As a result of today’s action, any property or interests in property of [Bogachev and Belan] within U.S. jurisdiction must be blocked and U.S. persons are generally prohibited from engaging in transactions with them."

This is the first time sanctions are being issued under an Executive Order first signed by President Obama in April 2015, and expanded today. The original Executive Order gives the president authorization to impose some sort of retribution or response to cyberattacks and also allows the Secretary of Treasury, in consultation with the Attorney General and Secretary of State, to institute sanctions against entities behind cybercrime, cyber espionage, and other damaging cyberattacks. That includes freezing the assets of attackers.

The sanctions announced today are not expected to be the Obama administration's complete response to the Russian operations. In a statement, the president said "These actions are not the sum total of our response to Russia’s aggressive activities. We will continue to take a variety of actions at a time and place of our choosing, some of which will not be publicized."

The moves will put pressure on president-elect Donald Trump to either support or attempt to lift the sanctions on Russian officials and entities.

Trump has expressed skepticism at the validity of American intelligence agencies' assertions that such a campaign occurred at all. When asked by reporters Wednesday night about the fact that these sanctions were set to be announced, Trump said, “I think we ought to get on with our lives. I think that computers have complicated lives very greatly. The whole age of computer has made it where nobody knows exactly what is going on.”

The NY Times reported today that immediate sanctions are being imposed on four Russian intelligence officials: Igor Valentinovich Korobov, the current chief of the G.R.U., as well as three deputies: Sergey Aleksandrovich Gizunov, the deputy chief of the G.R.U.; Igor Olegovich Kostyukov, a first deputy chief, and Vladimir Stepanovich Alekseyev, also a first deputy chief of the G.R.U.

From the Times:

The administration also put sanctions on three companies and organizations that it said supported the hacking operations: the Special Technologies Center, a signals intelligence operation in St. Petersburg; a firm called Zor Security that is also known as Esage Lab; and the Autonomous Non-commercial Organization Professional Association of Designers of Data Processing Systems, whose lengthy name, American officials said, was cover for a group that provided special training for the hacking.

Wednesday, The Russian Ministry of Foreign Affairs' official representative, Maria Zakharova, said in a statement on the ministry's website: "If Washington really does take new hostile steps, they will be answered ... any action against Russian diplomatic missions in the US will immediately bounce back on US diplomats in Russia."

'Proportional' response

The news comes after President Obama stated in October that the US would issue a "proportional" response to Russian cyber attacks on the Democratic National Committee. The administration has used the word "proportional" when discussing cyber attacks before. In December 2014, while officially naming North Korea as the culprit behind the attacks at Sony Pictures Entertainment, President Obama said the US would "respond proportionately." That attack was against one entertainment company, however, and not a nation's election system, so the proportions are surely different.

"We have never been here before," said security expert Cris Thomas, aka Space Rogue, in a Dark Reading interview in October. "No one really knows what is socially acceptable and what is not when it comes to cyber. We have no 'Geneva Convention' for cyber."

According to Reuters reports, "One decision that has been made, [officials] said, speaking on the condition of anonymity, is to avoid any moves that exceed the Russian election hacking and risk an escalating cyber conflict."

As Christopher Porter, manager of the Horizons team at FireEye explained in a Dark Reading interview in October, Russian doctrine supports escalation as a way to de-escalate tensions or conflict. "If the US administration puts in place a proportional response, Moscow could do something even worse to stop a future response … I think that is very dangerous."

"The administration, fellow lawmakers and general public must understand the potentially catastrophic consequences of a digital cyber conflict escalating into a kinetic, conventional shooting-war," said Intel Security CTO Steve Grobman, in a statement. "While offensive cyber operations can be highly precise munitions, in that they can be directed to only impact specific targets, the global and interconnected nature of computing systems can lead to unintended consequences. Impacting digital infrastructure beyond the intended target opens the door to draw additional nation states into a conflict. This increases risk to civilian populations as countries see the need to retaliate or escalate."

ORIGINAL STORY: Officials stated Wednesday that the White House will announce, as early as today, a series of measures the US will use to respond to Russian interference in the American election process.

The news comes after President Obama stated in October that the US would issue a "proportional" response to Russian cyber attacks on the Democratic National Committee. Not all the measures will be announced publicly. According to CNN, "The federal government plans some unannounced actions taken through covert means at a time of its choosing."

Wednesday, CNN reported that as part of the public response, the administration is expected to name names -- specifically, individuals associated with a Russian disinformation operation against the Hillary Clinton presidential campaign.

The actions announced are expected to include expanded sanctions and diplomatic actions. Reuters reported Wednesday that "targeted economic sanctions, indictments, leaking information to embarrass Russian officials or oligarchs, and restrictions on Russian diplomats in the United States are among steps that have been discussed."

In April 2015, President Obama signed an Executive Order, which gives the president authorization to impose some sort of retribution or response to cyberattacks. The EO has not yet been used. It allows the Secretary of Treasury, in consultation with the Attorney General and Secretary of State, to institute sanctions against entities behind cybercrime, cyber espionage, and other damaging cyberattacks. That includes freezing the assets of attackers.

The Russian Ministry of Foreign Affairs' official representative, Maria Zakharova, said in a statement on the ministry's website: "If Washington really does take new hostile steps, they will be answered ... any action against Russian diplomatic missions in the US will immediately bounce back on US diplomats in Russia."

'Proportional' response

The administration has used the word "proportional" when discussing cyber attacks before. In December 2014, while officially naming North Korea as the culprit behind the attacks at Sony Pictures Entertainment, President Obama said the US would "respond proportionately." That attack was against one entertainment company, however, and not a nation's election system, so the proportions are surely different.

"We have never been here before," said security expert Cris Thomas, aka Space Rogue, in a Dark Reading interview in October. "No one really knows what is socially acceptable and what is not when it comes to cyber. We have no 'Geneva Convention' for cyber."

According to Reuters reports, "One decision that has been made, [officials] said, speaking on the condition of anonymity, is to avoid any moves that exceed the Russian election hacking and risk an escalating cyber conflict."

As Christopher Porter, manager of the Horizons team at FireEye explained in a Dark Reading interview in October, Russian doctrine supports escalation as a way to de-escalate tensions or conflict. "If the US administration puts in place a proportional response, Moscow could do something even worse to stop a future response … I think that is very dangerous."

"The administration, fellow lawmakers and general public must understand the potentially catastrophic consequences of a digital cyber conflict escalating into a kinetic, conventional shooting-war," said Intel Security CTO Steve Grobman, in a statement. "While offensive cyber operations can be highly precise munitions, in that they can be directed to only impact specific targets, the global and interconnected nature of computing systems can lead to unintended consequences. Impacting digital infrastructure beyond the intended target opens the door to draw additional nation states into a conflict. This increases risk to civilian populations as countries see the need to retaliate or escalate."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

White House Set To Announce Retaliatory Measures For Russian Election Hacking

US expected to name and sanction some individuals involved in disinformation campaign as early as today, and conduct other covert responses at a time of its choosing.

Officials stated Wednesday that the White House will announce, as early as today, a series of measures the US will use to respond to Russian interference in the American election process.


Steganos Password Manager 18

Munich-based software publisher Steganos is all about privacy. The company offers encryption, VPN, secure deletion, and other privacy-related tools. Naturally, the lineup includes a password manager. Steganos Password Manager 18 doesn't have the high-end features that typify the very best password managers, though, and even its more mundane features didn't always work in testing.

Your one-time payment of $24.95 gets you licenses to install the application on up to five PCs. The licenses don't expire, but they also don't automatically update to the next version. You can also tie any number of iOS or Android devices to your account. This pricing is a bit hard to compare with the competition. RoboForm Desktop is also a one-time fee, $29.95 in this case, but it doesn't sync across multiple devices. Dashlane costs $39.99 per year and puts no limits on the number of PC, macOS, Android and iOS devices. Just one dollar per month lets you use LastPass Premium on all your devices. And of course, some competitors, such as LogMeOnce Password Management Suite Premium, are completely free.

Getting Started

When you go to download Steganos, you're likely to find that it comes with a trial of the full Steganos Privacy suite. This suite includes, among other things, a file shredder, several forms of encryption, and the Steganos Online Shield VPN. In this review, I focus strictly on the password manager.

Once you've installed the product, it opens to a big, empty window, with instructions on how to proceed. With Steganos, you can create multiple password databases, which it calls keychains. Multiple users on one PC could have their own keychains. But nothing happens until you select New from the File menu, to create your first keychain.

As with most password managers, Steganos starts you off with the creation of a master password. You can type it using a virtual keyboard, or create it using the unusual PicPass feature. I'll go into detail about those below. As you type in your password, Steganos fills in five lock icons, and displays a description of your password's strength. At one lock, it says, "This password can probably be guessed." If you make it to five locks, it declares, "This password cannot be identified by intelligence agencies." Interestingly, it also reports the number of word fragments found in the password.

There's also an option to store the master password on a USB device. This isn't precisely two-factor authentication, since the USB device replaces the master password for authentication. In addition, you can't sync with mobile devices if you choose USB authentication. True Key and LogMeOnce Password Management Suite Ultimate both allow authentication using multiple other factors, without the need for a master password. In fact, passwordless login is the default for LogMeOnce.

Steganos installs the necessary browser extension in Internet Explorer automatically, and there's a menu option to install it in Chrome. Firefox is also supported, but in testing I could not get the extension to load. Even after reinstallation, Firefox reported the extension as corrupt. An Edge extension is in the works, pending approval by Microsoft. True Key by Intel Security is the only competitor I've encountered that has a working extension for Microsoft Edge.

Dashlane, Sticky Password Premium, and most password managers that let you sync your passwords across multiple devices handle syncing internally. Not Steganos. If you want to sync between devices, you must configure it to store your keychain in your existing cloud storage services. It supports Dropbox, Google Drive, and OneDrive, as well as the Europe-centric Magenta Cloud. Setting up the connection is simple enough, and of course your data is encrypted before it's sent to the cloud. Still, this might be a good time to toughen up the password on your cloud storage.

There is one more option for syncing among devices, but it's not something most users would want to mess with. If you choose File export, Steganos saves your data in a portable, shareable form. Importing that data on another PC isn't so tough, but getting it onto an Android or iOS device is a pain.

Password Capture and Replay

Like almost all password managers, Steganos notices when you log in to a secure site and offers to save your credentials. Some products slide in a notification at the top of the browser window, some create a popup within the browser, and others use a totally separate popup. Steganos is among the last group, and I found that its popup consistently got stuck behind the browser. You can give the new entry a friendly name at this time, but you can't assign it to a category.

If you're switching to a new password manager, the ability to import passwords from the product you're leaving behind is a big plus. LastPass can import from more than 30 competitors, and KeePass from nearly 40. Steganos imports from just two, KeePass 2.34 and 1Password; to me these seem like odd choices.

Dashlane, LastPass, Password Boss Premium, and True Key don't just import passwords stored insecurely in your browsers. They also delete those passwords from the browser, and turn off browser-based password capture. Alas, Steganos doesn't import from browsers at all.

When you revisit a secure site, the default behavior is for Steganos to automatically fill in the saved credentials. You can turn off this behavior and manually call on the browser extension when you want it to fill in the data. As is typical, if you have multiple sets of credentials saved, it offers a menu.

While most websites use standard login screens, easily understood by password managers, some of them march to a different drummer. If you run into a login that Steganos doesn't capture automatically, you can do it manually. Just sign out, reenter your credentials, and (in Chrome) choose "Save form to keychain" from the toolbar button's menu. In testing, I found that in IE the equivalent Save Form button did not work. LastPass, Sticky Password, and RoboForm Everywhere 7 have a similar ability to capture passwords on demand.

Many password managers turn your data into a menu of saved websites. Just click the toolbar button and choose a site to both navigate there and log in. With Steganos, you open the main application window and launch from there.

The Steganos application must be running any time you want to use its browser extensions. That's a bit different from many competing products. I kept accidentally shutting it down, when all I really wanted to do was get it out of the way. The correct way to handle that situation is to minimize the application down to its tiny desktop widget. From the widget, you can restore the main window, or drag/drop the username and password for the selected login.

Password Generator

When you're editing one of your saved password entries, you can invoke the built-in password generator to provide a strong new password. However, it's up to you to go to the site and put your new password in place. Steganos doesn't automatically offer the password generator when you're setting up a new online account, either.

The password generator defaults to creating 16-character passwords, which is good. But it only uses uppercase letters, lowercase letters, and digits, by default. I advise adding special characters to the mix. Interestingly, Steganos seeds its random number generator before each password generation event by using your own mouse movements.

Organizing Passwords

As noted, you can assign a friendly name at the time Steganos captures a set of login credentials. That name is what appears in the main window's password list. When you click an item in the list, its details appear at right. You can click Edit to change those details—all except the friendly name. To change that name, you must right-click it in the list.

To start, all your passwords simply appear directly below the root of the tree. If you prefer a more organized approach, you can create any number of categories, which become branches in the tree display. You can even create nested categories, something that few password managers allow. RoboForm, Sticky Password, and LastPass 4.0 Premium are among the few that permit multilevel categories.

I assumed that organizing my saved logins would be a simple matter of dragging them into the desired category, the way you do with LastPass. It's not. Instead, you right-click the entry and select its new location in the tree.

Portable Edition

With LastPass, Dashlane 4, LogMeOnce, and other Web-centric password managers, you can log into your password database from any computer. Steganos requires installation of its app on a PC, and doesn't make your cloud-connected database available without it.

However, if you anticipate needing to use the app on an unfamiliar computer, you can create a portable edition on any USB device. Just select the keychain, select the device, and you're done. Any future changes you make in the main app don't appear in the portable edition, so you should recreate the portable edition frequently. In addition, all the data in the portable edition is read-only.

PicPass and Virtual Keyboard

Some people have no trouble remembering a strong password based on a favorite song or quote. Others are more visual, and for those people Steganos offers PicPass. When you choose to define or redefine your master password using PicPass, you start with a grid of 36 photos or 36 symbols. You proceed to click on as many of the pictures as you think you can remember, and then repeat that same pattern of picture-clicks.

However, there's a catch. The 36 pictures correspond to the 10 digits and 26 uppercase letters, and your fancy pattern of clicks gets translated into a mundane password like 1UB3OX. Steganos doesn't hide this fact; it even offers to display the generated password. Yes, you can make the PicPass process tougher by having Steganos scramble the picture locations, but doing so just makes it harder for you to get the right sequence. It doesn't make the password itself more resistant to brute-force cracking.

Limited Web Form Filling

Steganos lets you store a very limited set of personal data, little more than name, address, email, phone, and birthdate. There's no option to store multiple profiles such as you get with LastPass, Dashlane, and others. And there's certainly no ability to create multiple instances of data fields the way you can in RoboForm. You can enter data for any number of bank accounts and credit cards, and sync these between your devices, but the app does not use these to fill Web forms.

In testing, I found that the Web form-filling feature worked correctly in Chrome, but didn't work in Internet Explorer. In some cases, it immediately filled personal data into the form's fields. In other cases, I had to select "Fill form now" from the toolbar button's menu.

Mobile Options

If you want to use Steganos for logging into secure sites on your mobile devices, you must configure your account to use one of its cloud storage options. Install the free Steganos Mobile Privacy from the Google Play store or Apple App Store, connect it with your cloud storage, and enter your master password. You're ready to go.

I installed the app on a Nexus 9, just to get a feel for it. The PC edition's tree display is absent, so you have to either dig down to the entry you want or use the handy search box. Tapping an entry opens the corresponding website in the app's internal browser and logs you in. There's no integration with other browsers installed on the device.

Like the portable edition, the mobile edition is read-only. If you want to add or edit password entries, credit card data, or anything else, you must do it on your PC. But if all you want is quick mobile access to your secure websites, it does the job.

You Can Do Better

It's nice to see a password manager that charges a one-time fee rather than a per-year subscription, but there are disadvantages, too. That yearly subscription pays other vendors for things like server space to hold your encrypted data. With Steganos Password Manager 18, you supply that storage yourself, in the form of an account with one of the big cloud storage providers. Steganos also lacks the advanced features found in the very best password managers. In testing, even the simpler features it does contain didn't always work perfectly.

If the low, one-time price really resonated with you, you're probably better off getting one of our top free password managers instead. For those willing to pay a bit, we've identified several password managers worthy of the title Editors' Choice. LastPass 4.0 Premium costs just a dollar a month, and it has tons of features. LogMeOnce Password Management Suite Ultimate 5.2 beats all the competition feature-wise, with some security elements not found in any competitor. Dashlane 4 goes for streamlined ease of use, with advanced features including an actionable password strength report, secure password sharing, and account inheritance.


PCMag may earn affiliate commissions from the shopping links included on this page. These commissions do not affect how we test, rate or review products. To find out more, read our complete terms of use.

VU#535111: McAfee VirusScan Enterprise for Windows scriptproxy COM object memory corruption...

McAfee VirusScan Enterprise for Windows scriptproxy COM object contains a memory corruption vulnerability.

IT Security Pros Say They Are Overwhelmed by Threat Alert Flood

In the modern cyber-security landscape, security vendors have been pushing the idea of visibility and alerting tools to help improve enterprise security.

According to Intel Security's McAfee Labs Threat Report for December 2016, many of the alerts that...

True Key by Intel Security (2017)

So, you've installed a password manager and replaced all of your lame and duplicate passwords with strong, unguessable ones.

That's a good start. Now you need to think about what protects that treasure trove of stored passwords.

A lone master password just isn't enough. You need additional authentication factors to keep those passwords secure.

True Key by Intel Security (2017) places more emphasis on multi-factor authentication than just about any competitor, and it works across Windows, macOS, Android, and iOS.

You can install True Key and use it completely without cost, if you don't need to store more than 15 passwords. Once you hit that limit, you must pay $19.99 per year, which isn't bad. Sticky Password costs $29.99 per year; Dashlane and LogMeOnce go for $39.99 per year. At $12 per year, LastPass 4.0 Premium costs less than True Key, but not by a huge amount.

Easy Start

Anybody can go to the True Key website, download the app, and start using it immediately.

During the process, you do have to create a master password of at least eight characters. You're encouraged, but not forced, to either use all character sets or create a lengthy passphrase, with spaces permitted.

Once the app is installed, it prompts you to install browser extensions for Chrome, Internet Explorer, and (new since my last review) Firefox.

An extension for Microsoft Edge is available, but it must be installed directly from the Store.

For Chrome, Firefox, and Internet Explorer, the extension communicates with the True Key app.

Edge doesn't permit that, so the Edge extension is basically a recreation of the app itself.

True Key works hard to ease you into password management.
It starts by displaying a list of over two dozen popular websites and encouraging you to add one as a login. When you click an item, it opens that page in the browser and displays a popup explaining that all you need do is log in as usual.
Intel's app also walks you through the process of clicking a saved item to automatically revisit the site and log in.

Once you've used the product a little, it suggests that you add another authentication factor.

The PC I used for testing has a webcam, so it suggested adding facial recognition.

Basic Password Management

True Key does all of the basic password management tasks you'd expect.
It captures your credentials when you log in to secure sites, plays them back if you revisit such sites, and lets you visit and log in to a site with one click.
If you're creating a new account, it notices, and offers to generate (and save) a secure password.

By default, it creates 16-character passwords using all character types—the resulting passwords are plenty tough.

This utility doesn't just assume that every login was a success. If its algorithm indicates a high probability that the login worked, it saves the credentials but gives you an option to never save this site, or to skip saving it once. But if it's not sure, it instead asks you whether or not to save credentials. It's a subtle touch, and a nice one.

Most secure websites follow the same standards for the login page, which makes the job of a password manager easier.
Some, though, go wildly off-standard. LastPass and Sticky Password Premium handle weird logins by letting you enter all the data and then capture every field on the page. LogMeOnce works from a catalog of almost 4,500 known websites.

True Key handles oddball logins in its own way.
If it can't properly capture login credentials, it sends a report to its masters at Intel for analysis.

They aim to update True Key to handle that site (both for you and for all other users) within 24 hours.

You can also import passwords stored insecurely in your browsers.
If you choose to do so, True Key clears them from the browser and turns off the browser's password capture facility.

There's also an option to import from LastPass or Dashlane 4. New since my last review, you can export True Key's data in the JSON data exchange format.

There aren't a lot of settings to worry about, but you'll definitely want to change one of them. Like Zoho Vault, RoboForm Everywhere 7, and most other password managers, True Key logs you out after a period of inactivity. But unlike most others, the default for this period is a full week! I strongly recommend setting it to no more than 30 minutes. Furthermore, you should note that this is a per-device setting, not global to your account.

You can save any number of free-form color-coded secure notes.

There's also a Wallet feature that lets you save address, credit card, driver's license, membership, passport, and social security number data, with appropriate data fields for each type. You can create as many of these as you want, and color-code them. However, you can't use them to fill in Web forms the way you can with LastPass, Password Boss Premium, and most for-pay password managers.

True Key sticks to the basics.
It doesn't have the actionable password strength report or automated password changing ability you find in LastPass, Dashlane, and LogMeOnce Password Management Suite Ultimate.

The company tells me that this feature is planned for the next edition. You can't categorize, group, or tag your saved logins.

There's no secure sharing of passwords, or password inheritance, either.

But what it does do, True Key does well.

Security Levels

True Key's real strength lies in its ability to use multiple factors for authentication. Right from the start, you can require both the master password and a trusted device.

Any attempt to log in from another device requires additional authentication.

For example, when I installed it on an Android device, it asked to verify using facial recognition.

You can add other factors on the My Factors page. Your trusted email account is automatically available for verification.
If you wish, you can enhance facial recognition so it requires you to turn your head from side to side.

That's so that nobody can log in using a photo of your face.

And you can require authentication using a second device, typically a mobile device.

The second device receives a request for authentication, and you simply respond by swiping, much like the Keeper DNA feature in Keeper Password Manager & Digital Vault 8.

At the default Basic security level, you choose from a subset of these possibilities. You can't deselect Trusted Device; that's a given. To that, you add either master password or face-based authentication. If you raise the security level to Advanced, it adds the option to use a second device. At this level, you must choose exactly two factors besides the trusted device. I tried choosing all three and was baffled when it wouldn't let me save my settings.

The security level and authentication choices are specific to the device you're using.
If you want to always use Advanced authentication, remember to change that setting on each new device.

If you've gone out without your second device, or if it's too dark for face recognition, never fear. You can choose to use a different factor, such as email verification. On iOS devices you can use Touch ID as a factor. New in this edition, fingerprint verification is available for certain Android devices, but only those whose fingerprint readers meet Intel's criteria for accuracy.

When you use the Edge extension, you get another option for authentication, Windows Hello.

This is the same feature that lets you log into your Windows account using face recognition, fingerprint authentication, or a PIN on a trusted device. Which of these are available depends on the capabilities of your PC. My very new but low-end Windows 10 all-in-one has a lovely camera, but not lovely enough for Windows Hello to use it.

New since my last review, True Key can use a PC-installed fingerprint reader for authentication.
It also supports Intel's RealSense camera technology, and can protect its data using Intel's SGX (Software Guard Extensions) on CPUs that support it. (Being part of Intel pays off.)

True Key doesn't attempt to pull in every possible authentication factor.

Dashlane, LastPass, and Keeper support Google Authenticator. Keeper, LogMeOnce, and Zoho Vault can send a one-time password via SMS. LastPass, LogMeOnce, and Sticky Password can modify a USB drive so it serves as an authentication factor.

But really, True Key's choices for multi-factor authentication are well thought out, and work well together.

Kill the Password!

LogMeOnce lets you create your account without ever defining a master password, using a variety of other factors instead. With oneID, you can't create a master password even if you want to; it relies strictly on authentication using a trusted device.

True Key requires a master password to get started, but you can go passwordless quite easily.

At the Basic security level, you can authenticate using your face, not a master password.
If you wisely choose Advanced, you can authenticate with face recognition and a second device.

Password managers that do rely on a master password usually offer a warning that if you forget that password, they can't help you. (That also means they can't be compelled to unlock your account for the NSA, which is a plus.) Intel can't unlock your account, or tell you the master password you forgot, but as long as you've defined enough other factors, True Key lets you authenticate with those and thereby reset the master.

If someone else tries to reset the master password, you get an email alert, with an option to lock password recovery for a day.

Three failed tries trigger that lock automatically.

Other Platforms

I did my desktop testing on Windows, but True Key is equally at home on a Mac. You won't get the option to log in with Windows Hello, of course, but other than that the experience should be almost the same.

All of the same features and abilities are available in the Android and iOS apps, but laid out appropriately for the mobile form factor. New with this edition, you can configure mobile devices to use three authentication factors. On iOS, True Key installs as a Safari share-box extension, just as LastPass and Dashlane do. On Android, it offers instant login for Opera and the native browser.

You're not likely to lose a desktop computer, but it's awfully easy to misplace a mobile device.
If someone else gets hold of your device, the multi-factor authentication system should be able to prevent them from accessing it.

To make it even tougher for a thief, you can remotely remove the device from the trusted list.

Multi-Factor Maven

Every successful modern password manager syncs passwords across all your devices.

True Key by Intel Security goes a step further, involving those devices and your biometric data in the authentication process.
It's easy to set up, easy to use, and attractive.
If only it also had the advanced features that grace its competitors, it would be even better.

LogMeOnce Password Management Suite Ultimate also offers many different authentication factors, but just two at a time.
It's even more feature-packed than long-time favorite LastPass 4.0 Premium. With Dashlane 4 you get all your password management needs in a slick package that's as attractive as True Key's.

These three are our Editors' Choice commercial password managers.

But if your main concern is multi-factor authentication, True Key has them all beat.
