This acquisition extends WatchGuardrsquo;s security portfolio beyond network and wireless security, enabling the company to deliver advanced authentication to small to midsize businesses... Source: RealWire
There are even some declarations that this might be the year, or at least ought to be the year, that it happens. Don’t hold your breath.
Brett McDowell, executive director of the FIDO (Fast IDentity Online) Alliance, is as passionate an advocate of eliminating passwords as anyone. He says that day is coming, given the creation of a, “new generation of authentication technology” largely based on biometrics, and a “massive collaboration among hundreds of companies” to define standards for that technology. The goal of FIDO, a nonprofit created in 2012, is to supplant passwords with what it calls, “an open, scalable, interoperable set of mechanisms,” for secure authentication. But McDowell said last fall, and said again this past week that passwords will, “have a long tail,” that is unlikely to disappear anytime soon – certainly not this year. There are a number of reasons for that, even though the security problems with passwords are well known and well documented.
As Phil Dunkelberger, CEO of Nok Nok Labs, put it, “the username and password paradigm is fundamentally broken.
It was never designed for, and is inherently incapable of addressing, the use cases of modern society. “ Brett McDowell, executive director, FIDO Alliance And of course it is not just technology that has made it easier for attackers to compromise them. Users frequently make it ridiculously easy as well.
They use short, simple passwords that wouldn’t even take a machine to guess – like “admin,” “password,” “12345,” etc.
They continue to use the same user name and password for multiple sites, since they know they won’t be able to remember a couple dozen of them. The latest Verizon Data Breach Incident Report (DBIR) found that 63 percent of all data breaches involved the use of stolen, weak or default passwords. And even if users do have somewhat rigorous passwords, far too many can still be tricked into giving them away through social engineering attacks. Yet, passwords are such an embedded part of authentication systems – most popular websites still use them – that, as McDowell said, it will take considerable time for them to disappear. Or as Scott Simkin, senior group manager, threat intelligence cloud & security subscriptions at Palo Alto Networks, put it, “We have decades of legacy systems and behavior to change, and it will take years for the industry to catch up.” Joe Fantuzzi, CEO, RiskVision Beyond that, there are at least some in the security community who say we should be careful what we wish for.
They note that cyber criminals have always found a way around every advance in security.
So while biometric credentials – fingerprints, iris scans, voice recognition etc. – are much tougher to compromise than passwords, they may not be a magic bullet.
And if attackers can find ways to steal or spoof them, those will obviously be much more difficult to change or update than a password. Indeed, there have already been multiple reports of biometric spoofing.
FireEye reported more than a year ago that fingerprint data could be stolen from Android devices made by Samsung, Huawei, and HTC because, “the fingerprint sensor on some devices is only guarded by the ‘system’ privilege instead of root, making it easier to target and quietly collect the fingerprint data of anyone who uses the sensor.” The Japan Times reported earlier this month that a team at Japan’s National Institute of Informatics (NII) found that a good digital image of people simply flashing the peace sign could result in their fingerprint data being stolen. Researchers have reported that a high-resolution image of a person’s eyes can allow an attacker to make a ”contact lens” of the iris that would pass as the real thing for authentication. And there have already been demonstrations that a manipulated recording of a person’s voice can trick authentication systems. Advocates of biometric authenticators don’t deny any of this, but say one key to their successful use is for the data from them to stay on user devices only, as is the case with Apple’s Touch ID.
As McDowell notes, one of the many problems with passwords is that they are “shared secrets” – they exist not only on users’ devices, but also have to be given to a website’s server, which then matches them with what is stored in its database. When such a server gets compromised, millions of passwords get stolen at the same time, through no fault of the user. Zohar Alon, Co-Founder and CEO of Dome9 According to McDowell, the risk of biometric spoofing is “infinitesimal” compared to that of passwords. Since the biometric credential data never leaves the device, “the attacker must steal the phone or computer even to attempt an attack,” he said. “This doesn’t scale, and is therefore not viable for financially-motivated attackers.” James Stickland, CEO of Veridium, agreed. “You can purchase a kit from China for $10 to copy and extract a fingerprint.
This has been shown to work on fingerprint sensors from Touch ID to the device used for the Indian government, and is a problem for almost all but the most expensive sensors,” he said. “But this is a problem only when an attacker has access to the user’s device, so the time window for attack is pretty low.” Of course, not all biometrics remain only on the user device.
Some, such as the fingerprints of millions of people who work, or have worked, for government or that are taken by law enforcement, will be stored on servers. Joe Fantuzzi, CEO of RiskVision, said this might lead to the same risks that plague the healthcare industry, because of its storage of patient data. “Incorporating customer biometric information will essentially make all companies lucrative targets for attacks and ransomware,” he said. But those advocating the “death” of passwords say the other key to secure authentication is what security professionals have been preaching for years: multi-factor authentication. In other words, they are not trying to mandate that biometrics be the sole replacement for passwords.
Dunkelberger, who said the FIDO Alliance is using the authentication technology his firm created, said the core idea, “isn’t to replace passwords with biometrics, but rather to replace passwords with a strong, secure signal of any kind.” McDowell agreed. He said many FIDO implementations do use biometrics for authentication, but that the specifications are “technology agnostic.” It is implementers, he said, who decide what mechanisms it will support.
It could be, “a local PIN code for user verification vs. biometrics if you prefer.” He said FIDO specifications, “allow the use of authenticators built into a device, such as biometrics or a PIN, and/or external, second-factor authenticators, such as a token or a wearable.” The message from Stickland is similar. “The only current defense is multifactor authentication, using two or more biometrics – for example, fingerprint and face, or voice.
At the very least fingerprint plus a long, randomized PIN would be good.” He said his firm created an authentication tool that, “uses a combination of hardware, secure certificates, biometrics, and other information to validate not only the biometric, but every communication between a remote device and a server, basically verifying that not only is the user valid, but the hardware the user is using is also valid.” Simkin also said multifactor authentication, “of which there are many options available today,” should be used, “for all critical resources and applications.
The more time and resources you require attackers to expend, the lower the chances of a successful breach.” Stephen Stuut, CEO of Jumio, said organizations will still have to balance security with convenience, since “friction” in the process of signing on to a site may cause users simply to give up on it. “Companies should focus less on one single technology but rather on the correct combination that meets their business requirements and customer needs,” he said. “Adding too many steps to the process may increase session abandonment, especially on mobile, where attention spans are short.” All of which sounds like, passwords could for some time remain as a part of multi-factor authentication: Something you know, something you have and something you are. Zohar Alon, Co-Founder and CEO of Dome9, said he doesn’t think they will ever disappear. “They remain one of the simplest means of proving identity and gaining access,” he said. “We can design better security with multiple factors of authentication and authorization that are not correlated with each other, that cannot be compromised all at once.” But Stickland said he believes they will eventually become obsolete. “Passwords are painful. We forget them, they are stolen, it’s time consuming to reset them.
At some point, new technology will win.” This story, "Passwords: A long goodbye" was originally published by CSO.
The TLP rating system was first defined by the Forum for Incident Response and Security Teams (FIRST) as a way to help cybersecurity professionals responsibly share information on threats, without exposing organizations to additional risk.
The TLP:WHITE classification means that the information being shared carries, "minimal or no foreseeable risk of misuse," according to US-CERT.In the JAR, the U.S Government confirms that two different Russian Intelligence Services (RIS) affiliated groups, were involved in an attack against the Democratic National Committee (DNC).
The JAR notes that one group identified as APT28, hacked the DNC in the summer of 2015, while APT 29 breached the DNC in Spring 2016. On June 14, 2016, eWEEK reported on the DNC breaches, which were identified by security firm CrowdStrike.
The DNC breaches were not the first U.S attacks from APT28 and APT29 either.
CrowdStrike which refers to APT29 as 'CozyBear' has attributed multiple U.S. government attacks to CozyBear, including breaches in the White House in October 2014 and the State Department in November 2014.The JAR also confirms that the DNC was breached by way of multiple targeted spearphishing campaigns.
The report notes that one of the spearphishing campaigns achieved its initial success when a targeted individual, "…activated links to malware hosted on operational infrastructure of opened attachments containing malware." Another APT28 spearphishing campaign in spring 2016 took a different approach and was able to trick victims into changing passwords, via a fake webmail domain that was actually being hosted by APT28. "Using the harvested credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members, the report states.After the spring 2016 attack was revealed by CrowdStrike to be associated with RIS operatives, a hacker identified as 'Guccifer' shot back online claiming responsibility for the breach and denying any connection to Russia.
The JAR report states that, in some cases, RIS actors masqueraded as third parties, hiding behind false online personas designed to cause the victim to misattribute the source of the attack.Indicators of Compromise (IOCs)As part of the JAR, US intelligence agencies have provided some direction for US government agencies and organizations to help identify any potential RIS associated hacking activities.
The JAR provides a list of Indicators of Compromise (IOCs) including IP addresses and file hashes of malware.
The IOC data is available in the Structured Threat Information eXpression (STIX) format to help make it easier for organizations to use the data.Among the IOCs in the report was a form of PHP malware that was also found to be attacking WordPress powered websites. Mark Maunder, Founder and CEO of Wordfence blogged that his firm had tracked over 130 attempts to upload the PHP malware to Wordfence protected customer sites. Maunder stated that just because an attack may make use of the same malware reported in the JAR, doesn't necessarily mean the attackers are Russian government operatives."The data in the DHS/FBI Grizzly Steppe report contains 'indicators of compromise' (IOCs) which you can think of as footprints that hackers left behind," Maunder wrote. "The IOC’s in the report are tools that are freely available and IP addresses that are used by hackers around the world."Looking beyond just the attribution of IOCs mentioned in the DHS/FBI Grizzly Steppe report, the JAR also provides organizations with a long list of actions that can be taken to help prevent and detect attacks.Among the best practices recommendations made in the JAR are for organizations to make use of multi-factor authentication and for users to use complex passwords that change regularly.
Additionally the report recommends that organizations use a multi-tier administrative model for account credentials.What is particularly interesting about the JAR is that it doesn't mention the use of any particularly unique or exotic malware. Now that doesn't mean that there were no zero-days in use, this is just a TLP:WHITE rated report, but it does mean that cybersecurity best practices and technology can work to reduce risk. While the DHS/FBI Grizzly Steppe report details actions taken by RIS operatives, the recommendations for defense and security are likely useful for organizations of all sizes to stay safe in 2017.Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.
Follow him on Twitter @TechJournalist
If a website's massive data breach compromises your privacy, there's not much you can do. It's out of your hands. But that doesn't mean you're completely helpless. There's plenty you can do to protect your own privacy, things like encrypting your files, and protecting your passwords. Steganos Privacy Suite 18 brings together a variety of useful privacy-related tools. However, the quality of the tools varies, and the suite lacks some useful features found in competing products.
With most antivirus tools, security suites, and password managers, you pay a yearly subscription fee. That's not the case with Steganos. For $59.95 you can install it on up to five PCs and use it for as long as you like. The only thing you don't get is a free update to the next version.
Earlier editions of this product included VPN protection, but the current product lineup makes Steganos Online Shield VPN a separate product. As I write this, Steganos is running a promotion that gives you the VPN for free when you purchase the suite. Note, though, that PCMag's Max Eddy gave this VP service just two out of five stars.
Getting Started with Steganos
After the quick, simple installation Steganos displays its main window. At the left is a three-by-three matrix of icons representing the suite's features: Safe, Portable Safe, Crypt & Hide, Password Manager, Private Favorites, E-Mail Encryption. Shredder, Trace Destructor, and Privacy. The suite is effectively a launch pad for these utilities.
The right-hand portion of the main window is a kind of security progress report. Just by installing the suite, you start with a 20 percent security level. Creating an encrypted safe for storing sensitive files gets you another 20 percent, and setting up the password manager raises it by another 20. Using the password manager's bonus ability to store private favorites adds 20 percent more. Configuring the Privacy components takes you to 100 percent. I like the way this simple report encourages full use of the product's features.
Several components of the Steganos Privacy Suite are available as standalone products. I'll summarize my findings regarding those products. To get full details, please click the links to read my reviews.
Steganos Safe 18 lets you create any number of safes, which are encrypted storage containers for your sensitive files. You can create safes on your PC, on portable devices, or in your cloud storage accounts. When a safe is open, you use it exactly like any disk drive. When it's shut, its contents are completely inaccessible.
Steganos Safe is extremely easy to use, more so than most container-based encryption products. In addition, it offers some seriously sneaky techniques for hiding the very existence of your safes from prying eyes. For example, you can hide a fairly small safe inside an audio, video, or executable file. And the Safe in a Safe feature lets you dedicate a percentage of a visible safe for use as a discrete, invisible storage location, with its own separate password.
Along with the encryption tool, you also get Steganos Shredder, a secure deletion shredder utility. You can securely delete any file or folder by selecting Destroy from the right-click menu. With this tool you can also shred all of the free space on disk, effectively applying secure deletion to already-deleted files. It can also wipe any disk drive (except the active Windows drive) so thoroughly that a format is required when it's done.
Steganos Password Manager 18 handles the basic tasks of password capture and replay, and includes a password generator. Unlike most competing products, it doesn't directly handle syncing your passwords between devices; if you want syncing, you must connect to your existing cloud storage. You also get a limited ability to fill Web forms with personal data.
In testing, I couldn't get the password manager's Firefox extension to load. Also, some features worked in Chrome but not in Internet Explorer. If you get this password manager as part of the Steganos suite, you might as well use it. But if you're shopping for a standalone password manager, there are much better choices.
The two standalone Steganos products I've reviewed account for five of the suite's nine component icons. Password Manager and Private Favorites both correspond to Steganos Password Manager. Safe and Portable Safe are parts of Steganos Safe, as is Shredder. For the remainder of this review I'll focus on the rest of the privacy components.
Encrypt and Hide
The name Steganos comes from the term steganography, which is not the same as encryption. The aim of encryption is to ensure that others can't decipher your secrets. The aim of steganography is to conceal the fact that you have secrets. When you process a file through the suite's Crypt & Hide component and then shred the original, a hacker or snoop won't find any evidence that the sensitive data exists.
I don't know precisely how this tool processes files—it's not in the company's interest to reveal such information. But here's a simple example of how steganography could work to hide a file inside an image. First, picture that the file contains a list of numbers representing the exact color of each pixel in the image. Now round all those numbers so they're even. That tiny change doesn't make a visible difference in the image. Convert your secret file into a stream of bits, and step through the list of the image's pixels, leaving the color number unchanged for zero bits and making it odd for one bits. You've hidden the file in a way that's completely recoverable, but the image doesn't look appreciably different.
Steganos can use BMP, WAV, or JPG files as carriers for encrypted data. The help system advises using a carrier file at least 20 times the size of the encrypted data. You can also use it to create encrypted archives without hiding them, much as you'd do with a ZIP archive utility. Note, though, that the archives created by Steganos use the proprietary EDF format, not the standard ZIP format.
To create a simple encrypted archive, drag files and folders onto the Crypt & Hide dialog, or browse to locate the desired items. You can also enter a text description of the contents. Clicking Save lets you define the name and location for the resulting EDF file. The password entry dialog is the same as that used by Steganos Safe and Steganos Password Manager. It rates password strength as you type, with the option to use a virtual keyboard, or to define the password by clicking a sequence of pictures.
To create an encrypted file and also hide it, follow precisely the same procedure, but click the Hide button instead of the Save button, and choose a BMP, WAV, or JPG file as carrier. That's it. Your secret files are hidden within the chosen carrier. Don't believe it? Launch Crypt & Hide again, choose Open, and select your carrier. Once you enter the password, your files are back. Of course you must use the shredder to destroy the originals.
As you use your computer and browse the Web, you leave behind traces of what you've been doing. Sure, you hid your secret plans using Crypt & Hide, but if MyWorldTakeover still shows up in the list of recent documents, you're busted. In a similar way, your browsing history may reveal way too much about what you've been researching. That's where TraceDestructor comes in.
TraceDestructor clears various types of browsing traces from Chrome, Firefox, Internet Explorer, and Microsoft Edge. For Edge, it just clears cookies and cached files. For the others, it can also wipe out such things as history, autocomplete data, and passwords. It can also empty the Recycle Bin and eliminate Windows temporary files, recently used file lists, and other traces.
Cleaning up traces doesn't take long. When the process has finished, Steganos advises you to log off and on again, for full cleanup. Simple!
Clicking the Privacy icon brings up a simple settings dialog with four on/off switches, all off by default. I couldn't test Webcam protection, because my virtual machine test systems simply don't have webcams. In addition, every time I opened Privacy Settings I got a notification from Windows that the webcam privacy component crashed.
Webcam protection does nothing but deactivate your webcam, so you must turn that protection off if you want to use the cam for videoconferencing. A similar feature in ESET Internet Security 10 lets you disable the webcam in general but enable specific programs. That would prevent webcam spying while still letting you Skype, for example.
Kaspersky Total Security also offers webcam blocking for all but permitted programs. It extends similar protection to the microphone, to head off the possibility of a snoop listening in on your activities.
Internet advertisers work hard to profile your personal surfing habits, so they can target ads based on your interests. If you've ever bought (or looked at) a product on one site and then seen an ad for that product on a different site, you've seen this process in action. You can set your browser to send a Do Not Track header with each request, but sites aren't compelled to obey this header. The Prevent tracking option in Steganos filters out tracking activity before it reaches the browser.
Some trackers skip the usual techniques for tying together all data about your online activity, instead trying to create a fingerprint of your devices and activity, including precise data about the browsers you use. Steganos lets you replace your actual browser details with a generic fake set, to anonymize your browser type. Finally, you can choose to block advertisements altogether. The Block ads, Prevent tracking, and Anonymize browse type settings are simple on/off switches.
In testing, these three privacy elements initially didn't work. I confirmed this using various online tests. I reinstalled the product, to no avail. I installed it on a physical system, thinking that it might be incompatible with running in a virtual machine. Here, too, the privacy elements just didn't work. Tech support determined this was due to the absence of a proxy process that provides all three types of filtering.
Going back and forth with tech support, I determined that the installer failed to create a necessary configuration file. Even after I manually copied the config file that tech support supplied, it did not launch the proxy process. After more back and forth, I got the proxy running on both systems. It seemed to be running smoothly on the physical system, but its output on the virtual system contained many error messages. That being the case, I focused on the physical system.
There's no way to tell if the Prevent tracking feature is working, but Anonymize browser type should change the user agent string that your browser sends to every website. It did not do so. And although the filter's output log contained tons of ad blocking reports, the ads visibly weren't blocked.
The worst thing about this component is that even when its proxy failed to load, it didn't display any kind of error message. The privacy features work silently, so you'd have no idea that they weren't functioning, unless you noticed its failure to block ads.
There is one icon I haven't covered, E-Mail Encryption. I've skipped this one for several reasons. First, it is not a Steganos product; it's from another company, MyNigma. Second, on a PC it only functions as an Outlook plug-in, and my test systems don't have Outlook. Third, it only works to encrypt email between other users of MyNigma, so it's not useful for general-purpose encrypted communication.
Another Take on Privacy
Abine Blur is another suite of tools aimed at protecting your privacy. Its active Do Not Track component goes way beyond just sending the DNT header, which websites can ignore. Furthermore, unlike Steganos, it makes its activity visible. It includes a simple password manager, but goes beyond Steganos by offering a safety report that flags weak and duplicate passwords.
Blur protects your privacy by masking email accounts, credit cards, and (on a smartphone) phone numbers. Suppose you make a purchase from a merchant using a masked email account, and a masked credit card. Mail from the merchant reaches your inbox, but you can delete the masked account if it starts getting spam. And a merchant who doesn't have your real credit card number can't sell the card data or overcharge you. Read my review for a full explanation.
Blur doesn't block ads, and it doesn't include file encryption, but all of its components are directly aimed at protecting your privacy. Even if you do install the Steganos suite, consider trying Blur's free edition for additional protection. Note that if you do opt for a $39-per-year premium subscription, you can use Blur on all your devices.
Do You Already Have It?
You may also find that you've already got significant privacy protection courtesy of your security suite. For example, Kaspersky and AVG Internet Security include an active Do Not Track system, like what Blur offers, and Kaspersky can block banner ads. Webcam protection in Kaspersky and ESET goes farther than what you get with Steganos.
As for encrypted storage, the core of Steganos Privacy Suite, you can find a similar feature in many suites, among them McAfee LiveSafe, Bitdefender, Kaspersky, and Trend Micro. Admittedly, none of the suites build out this feature into the comprehensive encryption system that is Steganos Safe.
As for password management, it's becoming a common bonus feature in larger suites. Webroot includes a version based on award-winning LastPass, and McAfee comes with all the multi-factor authentication glory of True Key. Symantec Norton Security Premium, Trend Micro, ESET, Kaspersky, and Bitdefender are among the other suites with a password manager built right in.
Before you purchase a set of privacy tools, check to see what you already have right in your existing security suite.
A Mixed Bag
Steganos Safe is easier to use than other container-based encryption programs, and has some nifty features to both encrypt and hide your files. However, Steganos Password Manager lacks advanced features, and some of its features didn't work in testing. The Crypt & Hide component is a kick, as it truly hides your secrets, leaving no trace. But the browser-related privacy filters just didn't work in testing. Steganos Privacy Suite is a mixed bag, for sure.
There aren't many utilities specifically devoted to privacy. Abine Blur Premium remains our Editors' Choice in this interesting field. I look forward to seeing more competition in the specific area of privacy protection.
So, you've installed a password manager and replaced all of your lame and duplicate passwords with strong, unguessable ones.
That's a good start. Now you need to think about what protects that treasure trove of stored passwords.
A lone master password just isn't enough. You need additional authentication factors to keep those passwords secure.
True Key by Intel Security (2017) places more emphasis on multi-factor authentication than just about any competitor, and it works across Windows, macOS, Android, and iOS.
You can install True Key and use it completely without cost, if you don't need to store more than 15 passwords. Once you hit that limit, you must pay $19.99 per year, which isn't bad.
Sticky Password costs $29.99 per year; Dashlane and LogMeOnce go for $39.99 per year.
At $12 per year, LastPass 4.0 Premium costs less than True Key, but not by a huge amount.
Anybody can go to the True Key website, download the app, and start using it immediately.
During the process, you do have to create a master password of at least eight characters. You're encouraged, but not forced, to either use all character sets or create a lengthy passphrase, with spaces permitted.
Once the app is installed, it prompts you to install browser extensions for Chrome, Internet Explorer, and (new since my last review) Firefox.
An extension for Microsoft Edge is available, but it must be installed directly from the Store.
For Chrome, Firefox, and Internet Explorer, the extension communicates with the True Key app.
Edge doesn't permit that, so the Edge extension is basically a recreation of the app itself.
True Key works hard to ease you into password management.
It starts by displaying a list of over two dozen popular websites and encouraging you to add one as a login. When you click an item, it opens that page in the browser and displays a popup explaining that all you need do is log in as usual.
Intel's app also walks you through the process of clicking a saved item to automatically revisit the site and log in.
Once you've used the product a little, it suggests that you add another authentication factor.
The PC I used for testing has a webcam, so it suggested adding facial recognition.
Basic Password Management
True Key does all of the basic password management tasks you'd expect.
It captures your credentials when you log in to secure sites, plays them back if you revisit such sites, and lets you visit and log in to a site with one click.
If you're creating a new account, it notices, and offers to generate (and save) a secure password.
By default, it creates 16-character passwords using all character types—the resulting passwords are plenty tough.
This utility doesn't just assume that every login was a success.
If its algorithm indicates a high probability that the login worked, it saves the credentials but gives you an option to never save this site, or to skip saving it once.
But if it's not sure, it instead asks you whether or not to save credentials.
It's a subtle touch, and a nice one.
Most secure websites follow the same standards for the login page, which makes the job of a password manager easier.
Some, though, go wildly off-standard. LastPass and Sticky Password Premium handle weird logins by letting you enter all the data and then capture every field on the page. LogMeOnce works from a catalog of almost 4,500 known websites.
True Key handles oddball logins in its own way.
If it can't properly capture login credentials, it sends a report to its masters at Intel for analysis.
They aim to update True Key to handle that site (both for you and for all other users) within 24 hours.
You can also import passwords stored insecurely in your browsers.
If you choose to do so, True Key clears them from the browser and turns off the browser's password capture facility.
There's also an option to import from LastPass or Dashlane 4. New since my last review, you can export True Key's data in the JSON data exchange format.
There aren't a lot of settings to worry about, but you'll definitely want to change one of them. Like Zoho Vault, RoboForm Everywhere 7, and most other password managers, True Key logs you out after a period of inactivity.
But unlike most others, the default for this period is a full week! I strongly recommend setting it to no more than 30 minutes.
Furthermore, you should note that this is a per-device setting, not global to your account.
You can save any number of free-form color-coded secure notes.
There's also a Wallet feature that lets you save address, credit card, driver's license, membership, passport, and social security number data, with appropriate data fields for each type. You can create as many of these as you want, and color-code them. However, you can't use them to fill in Web forms the way you can with LastPass, Password Boss Premium, and most for-pay password managers.
True Key sticks to the basics.
It doesn't have the actionable password strength report or automated password changing ability you find in LastPass, Dashlane, and LogMeOnce Password Management Suite Ultimate.
The company tells me that this feature is planned for the next edition. You can't categorize, group, or tag your saved logins.
There's no secure sharing of passwords, or password inheritance, either.
But what it does do, True Key does well.
True Key's real strength lies in its ability to use multiple factors for authentication. Right from the start, you can require both the master password and a trusted device.
Any attempt to log in from another device requires additional authentication.
For example, when I installed it on an Android device, it asked to verify using facial recognition.
You can add other factors on the My Factors page. Your trusted email account is automatically available for verification.
If you wish, you can enhance facial recognition so it requires you to turn your head from side to side.
That's so that nobody can log in using a photo of your face.
And you can require authentication using a second device, typically a mobile device.
The second device receives a request for authentication, and you simply respond by swiping, much like the Keeper DNA feature in Keeper Password Manager & Digital Vault 8.
At the default Basic security level, you choose from a subset of these possibilities. You can't deselect Trusted Device; that's a given.
To that, you add either master password or face-based authentication.
If you raise the security level to Advanced, it adds the option to use a second device.
At this level, you must choose exactly two factors besides the trusted device.
I tried choosing all three and was baffled when it wouldn't let me save my settings.
The security level and authentication choices are specific to the device you're using.
If you want to always use Advanced authentication, remember to change that setting on each new device.
If you've gone out without your second device, or if it's too dark for face recognition, never fear. You can choose to use a different factor, such as email verification. On iOS devices you can use Touch ID as a factor. New in this edition, fingerprint verification is available for certain Android devices, but only those whose fingerprint readers meet Intel's criteria for accuracy.
When you use the Edge extension, you get another option for authentication, Windows Hello.
This is the same feature that lets you log into your Windows account using face recognition, fingerprint authentication, or a PIN on a trusted device. Which of these are available depends on the capabilities of your PC. My very new but low-end Windows 10 all-in-one has a lovely camera, but not lovely enough for Windows Hello to use it.
New since my last review, True Key can use a PC-installed fingerprint reader for authentication.
It also supports Intel's RealSense camera technology, and can protect its data using Intel's SGX (Software Guard Extensions) on CPUs that support it. (Being part of Intel pays off.)
True Key doesn't attempt to pull in every possible authentication factor.
Dashlane, LastPass, and Keeper support Google Authenticator. Keeper, LogMeOnce, and Zoho Vault can send a one-time password via SMS. LastPass, LogMeOnce, and Sticky Password can modify a USB drive so it serves as an authentication factor.
But really, True Key's choices for multi-factor authentication are well thought out, and work well together.
Kill the Password!
LogMeOnce lets you create your account without ever defining a master password, using a variety of other factors instead. With oneID, you can't create a master password even if you want to; it relies strictly on authentication using a trusted device.
True Key requires a master password to get started, but you can go passwordless quite easily.
At the Basic security level, you can authenticate using your face, not a master password.
If you wisely choose Advanced, you can authenticate with face recognition and a second device.
Password managers that do rely on a master password usually offer a warning that if you forget that password, they can't help you. (That also means they can't be compelled to unlock your account for the NSA, which is a plus.) Intel can't unlock your account, or tell you the master password you forgot, but as long as you've defined enough other factors, True Key lets you authenticate with those and thereby reset the master.
If someone else tries to reset the master password, you get an email alert, with an option to lock password recovery for a day.
Three failed tries triggers that lock automatically.
I did my desktop testing on Windows, but True Key is equally at home on a Mac. You won't get the option to log in with Windows Hello, of course, but other than that the experience should be almost the same.
All of the same features and abilities are available in the Android and iOS apps, but laid out appropriately for the mobile form factor. New with this edition, you can configure mobile devices to use three authentication factors. On iOS, True Key installs as a Safari share-box extension, just as LastPass and Dashlane do. On Android, it offers instant login for Opera and the native browser.
You're not likely to lose a desktop computer, but it's awfully easy to misplace a mobile device.
If someone else gets hold of your device, the multi-factor authentication system should be able prevent them from accessing it.
To make it even tougher for a thief, you can remotely remove the device from the trusted list.
Every successful modern password manager syncs passwords across all your devices.
True Key by Intel Security goes a step further, involving those devices and your biometric data in the authentication process.
It's easy to set up, easy to use, and attractive.
If only it also had the advanced features that grace its competitors, it would be even better.
LogMeOnce Password Management Suite Ultimate also offers many different authentication factors, but just two at a time.
It's even more feature-packed than long-time favorite LastPass 4.0 Premium. With Dashlane 4 you get all your password management needs in a slick package that's as attractive as True Key's.
These three are our Editors' Choice commercial password manager.
But if your main concern is multi-factor authentication, True Key has them all beat.
PCMag may earn affiliate commissions from the shopping links included on this page.
These commissions do not affect how we test, rate or review products.
This represents the first-ever standard for code-signing, and the advocacy group hopes the guidelines will improve web security by making it easier to verify software authenticity. The new Minimum Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates outlines specific steps CAs and individual software companies must perform to ensure code-signing certificates are not abused.
It addresses "user concerns about the trustworthiness of signed objects and accurately identifying the software publisher," the working group wrote in the requirements document. While the requirements are intended primarily for CAs that can issue code-signing certificates (including root CAs publicly trusted for code signing and all other CAs part of the root CA's validation path), software companies and developers have to comply with some of the requirements if they are going to work with a standards-compliant CA. Not meeting those requirements can mean a code-signing certificate will not be issued, or an existing one will be revoked. Code signing refers to using certificates to digitally sign executables and scripts in order to verify the author's identity and, more importantly, that the code has not been altered or corrupted since it was signed.
Several attack campaigns have stolen legitimate code-signing certificates to sign malware, making it possible for the malicious code to bypass security defenses.
There are 25 million pieces of malware enabled by code-signing certificates, and stolen code-signing digital certificates are sold everyday on underground markets for more than $1,000 each, said Kevin Bocek, vice president or security strategy and threat intelligence at Venafi. "Code signing is critical to every mobile device and computer we touch," Bocek said. Microsoft has already adopted the minimum requirements and will require all CAs issuing code-signing certificates for the Windows platform to adopt the minimum requirements starting Feb. 1, 2017. Because CAs have different rules for how they issue and revoke code signing certificates, both developers and cybercriminals could game the system, Bocek said. Without any standards in place, it was possible to get accepted one CA even after already being rejected by a different CA.
The variance made it difficult to know which code-signing certificate could be trusted. With the guidance, each CA has some leeway in developing its own process for how to issue and revoke certificates, but the underlying requirements are the same from CA to CA. Along with providing all the information necessary for the CA to verify the identity of the software company (or developer) in order to issue the certificate or sign the code object, organizations are responsible for making sure the private key is generated, stored, and used in a secure environment with controls to prevent the keys from being stolen or misused.
The CA has to provide guidance on how to protect the keys, but it's up to the organization do it in a way that matches the guidelines: Protecting the private keys: Organizations have to use either a trusted platform module to generate and secure key pairs, a FIPS-140-Level-2 Hardware Security Module or equivalent (such as Common Criteria EAL 4+), or another type of hardware storage token, such as a USB key or a SD card.
The tokens have to be kept physically separate from the device hosting the code-signing function until the moment it is actually needed for a signing session. Securing the code signing computer: The computer used for signing cannot be used for web browsing, and it must be periodically scanned by regularly updated security software for possible infections. Picking a trusted third-party: Organizations that use a third-party signing service to sign objects with their private keys should make sure the signing service has enabled multi-factor authentication to access and authorize code signing.
If the service doesn't, it's not compliant with the new requirements and should be a serious warning flag. Transporting the key securely: If the CA or the signing service is generating the private key on behalf of the organization, the private keys may be transported outside of the secure infrastructure.
In those cases, the key must either be transported "in hardware with an activation that is equivalent to 128 bits of encryption, or encrypt the Private Key with at least 128 bits of encryption strength," according to the standard.
That could mean using a 128-bit AES key to wrap the private key, or storing the key in a PKCS 12 file encrypted with a randomly generated password "of more than 16 characters containing uppercase letters, lowercase letters, numbers, and symbols." Using strong keys: The CA will not issue the code-signing certificate if the requested Public Key does not meet modern security requirements or if it has a known weak Private Key (such as a Debian weak key). The CA will have to spell out all of the new requirements in the subscriber agreement, and it has to keep complete records to show both the organization and the CA is following the rules. Under the agreement, the organization cannot request a code-signing certificate if the public key in the certificate is -- or will be -- used with a non-code signing certificate.
The organization also has to commit to protecting against the theft or misuse of the private key, and to immediately request the CA to revoke the certificate if the private key is compromised or used to sign malicious code. If the private key is compromised due to an attack, the CA doesn't have to issue a new or replacement certificate until it is satisfied the organization has improved its security protections. "Documentation of a Takeover Attack may include a police report (validated by the CA) or public news report that admits that the attack took place.
The Subscriber must provide a report from an auditor with IT and security training or a CISA that provides information on how the Subscriber was storing and using Private keys and how the intended solution for better security meets the guidelines for improved security," the standard says. Currently, if the CA rejects the request for a new or replacement certificate, the organization can apply with another CA. However, if the second CA is following the new requirements, then it will be checking "at least one database containing information about known or suspected producers, publishers, or distributors of Suspect Code, as identified or indicated by an Anti-Malware Organization and any database of deceptive names" before issuing a certificate.
If the second CA sees that the organization has been implicated in signing bad code, then the idea is that it will also push back and reject the application, just like the first CA. "The CA must not issue new certificates to organizations that have been the victim of two Takeover Attacks or where the CA is aware the organization is not storing the private keys correctly," the standard says. The standard also has other requirements about the CA setting up a Timestamp Authority and how the timestamp certificates should be used, such as letting code signatures to stay valid for the length of the period of the timestamp certificate. The standard was released by the Code Signing Working Group, part of the CA/Browser Forum, which is a voluntary group of CAs, browser makers, and software vendors that use X.509 v.3 digital certificates in their applications.
The Code Signing Working Group consists of Comodo, DigiCert, Entrust, GlobalSign, Izenpe, Microsoft, Symantec, SSC, and WoSign.
The China-based WoSign is the same CA that was recently marked as untrusted by Mozilla, Apple, and Google for multiple problems in how SSL certificates were issued. "The CA Security Council guidance on code signing is long overdue," Bocek said. "New methods of certificates to detect fraud and misuse such as Certificate Reputation will also see increased adoption as misuse of code signing certificates gets more and more attention." The requirements have not been adopted by the CA/Browser Forum, but will instead be improved and maintained by the CA Security Council.
The hack also installs a backdoor that makes the owner's Web browser and local network remotely controllable by the attacker. Enlarge Samy Kamkar PoisonTap is the latest creation of Samy Kamkar, the engineer behind a long line of low-cost hacks, including a password-pilfering keylogger disguised as a USB charger, a key-sized dongle that jimmies open electronically locked cars and garages, and a DIY stalker app that mined Google Streetview. While inspiring for their creativity and elegance, Kamkar's inventions also underscore the security and privacy tradeoffs that arise from an increasingly computerized world. PoisonTap continues this cautionary theme by challenging the practice of password-protecting an unattended computer rather than shutting it off or, a safer bet still, toting it to the restroom or lunch room. Kamkar told Ars: The primary motivation is to demonstrate that even on a password-protected computer running off of a WPA2 Wi-Fi, your system and network can still be attacked quickly and easily.
Existing non-HTTPS website credentials can be stolen, and, in fact, cookies from HTTPS sites that did not properly set the 'secure' flag on the cookie can also be siphoned. Unsecured home or office routers are similarly at risk. Kamkar has published the PoisonTap source code and additional technical details here and has also released the following video demonstration:
PoisonTap - exploiting locked machines w/ Raspberry Pi Zero. Once the device is inserted in a locked Mac or PC (Kamkar said he hasn't tested PoisonTap on a Linux machine), it surreptitiously poisons the browser cache with malicious code that lives on well after the tool is removed.
That makes the hack ideal for infecting computers while they are only briefly unattended. Here's how it works. Once the PoisonTap software is installed, the Raspberry Pi device becomes a miniature Linux computer that presents itself as an Ethernet network. Like a router, it's responsible for allocating IP addresses for the local network through the dynamic host configuration protocol.
In the process, the device becomes the gateway for sending and receiving traffic flowing over the local network.
In this sense, PoisonTap is similar to a USB exploit tool demonstrated in September that stole login credentials from locked PCs and Macs. Through a clever hack, however, PoisonTap is able to become the gateway for all Internet traffic as well.
It does this by defining the local network to include the entire IPv4 address space. With that, the device has the ability to monitor and control all unencrypted traffic the locked computer sends or receives over its network connection. PoisonTap then searches the locked computer for a Web browser running in the background with an open page. When it finds one, the device injects HTML iframe tags into the page that connect to the top 1 million sites ranked by Alexa.
Because PoisonTap masquerades as the HTTP server for each site, the hack is able to receive, store, and upload any non-encrypted authentication cookies the computer uses to log in to any of those sites. Given its highly privileged man-in-the-middle position, PoisonTap can also install backdoors that make both the Web browser and connected router remotely accessible to the attacker.
Attackers still must overcome any password protections safeguarding an exposed router.
But given the large number of unpatched authentication bypass vulnerabilities or default credentials that are never changed, such protections often don't pose much of an obstacle. PoisonTap challenges a tradition that can be found in almost any home or office—the age-old practice of briefly leaving a locked computer unattended.
And for that reason, the ease and thoroughness of the hack may be understandably unsettling for some people.
Still, several safeguards can significantly lower the threat posed by the hack.
The first is to, whenever possible, use sites that are protected by HTTPS encryption and the transmission of secure cookies to prevent log-in credentials from being intercepted.
A measure known as HTTP Strict Transport Security is better still, because it prevents attack techniques that attempt to downgrade HTTPS connections to unsecured HTTP. As a result, neither Google nor Facebook pages can be triggered by computers infected by PoisonTap.
Sadly, multi-factor authentication isn't likely to provide much protection because it generally isn't triggered by credentials provided in authentication cookies. End users, meanwhile, should at a minimum close their browsers before locking their computer or, if they're on a Mac, be sure to enable FileVault2 and put their machine to sleep before walking away, since browsers are unable to make requests in such cases. Regularly flushing browser caches is also a sound, albeit imperfect, measure.
For the truly paranoid, it may make more sense to simply bring laptops along or to turn off machines altogether.