A hacker conference that’s all about passwords, PIN codes, and digital authentication.
We are excited to announce that we are sponsoring and attending Passwords 15 this August 4th and 5th in Las Vegas! It’s an annual conference held alongside the BSides hacker conference which brings together some of the brightest minds in the field—among them password crackers, researchers, and security experts.
Representing us will be two members of our development team, Micah Moore and Billy Gray. If you’re attending as well, don’t be shy, say hello. This is our third year attending Passwords; last year we sponsored the conference and delivered two talks ourselves. Here’s the one we gave on enhancing password-based key derivation techniques:
This year we’re just going to take it all in. The talks are really engaging, some demonstrate cutting-edge cracking techniques and delve into theory while others try to make sense of all the research out there and address wider issues. BSides is of the same caliber: there’s never a dull moment, and the pool party isn’t bad, either ;) Hope to see you there!
Hello readers. STRIP, our password manager, has a helpful feature named Secret Agent that makes it easy to access data stored in STRIP from other apps. We created a demonstration video on how to use Secret Agent effectively and we wanted to share it with you and describe the feature a bit more.
Ever get to a website login page and sigh at the annoyance of typing in your username and password? You don’t have to with Secret Agent. Just use the global keyboard shortcut to bring up the search bar. Search for your entry and hit enter, then select the field you want and hit enter again. Secret Agent will automatically fill in the field, without the need for an additional browser plugin. This works on more than just browsers: you can insert data from STRIP in any app using Secret Agent.
How to set it up:
On Windows: go to File > Preferences and check “Run Secret Agent at Windows Login”
On OS X: go to STRIP > Preferences > General and check “Enable Secret Agent with keyboard command”
NOTE FOR OS X USERS: Make sure the user script is at the correct path: ~/Library/Application\ Scripts/net.zetetic.Strip.mac/
How to use it:
At a prompt you can use the hotkeys to bring up the search bar. These are the default keys, which we recommend, but you’re free to change them to your liking.
Windows: Shift + Control + Backslash
OS X: Shift + Command + Backslash
Search for your entry. Hit enter on the field you want to fill. Make sure your insertion cursor (the blinking vertical line) is on the field you want to fill before calling Secret Agent. When you call it again it will start from where you last left off, in case you’re filling in multiple fields. Otherwise, you can just start typing and it will search. Once you get the hang of it, logging in becomes impressively quick, leaving onlookers curious as to how you were able to log in so quickly without touching your mouse or typing all that much.
The feature is optional, disabled by default, and simple to use.
To enable Touch ID authentication:
Update STRIP to 2.5.0
Login to STRIP and tap on the Settings view tab
On the Settings view tap on Login Settings
Tap on the switch labeled “Enable Touch ID login”
You may be prompted to authenticate with your Touch ID by iOS
That’s it! The next time you are asked to login to STRIP you will be prompted for your Touch ID
As an aside, this feature works nicely in conjunction with the Auto Lock Timer preference, which allows you to keep STRIP unlocked for a chosen interval.
Changes in this version:
Provides new “Enable Touch ID login” feature under Settings -> Login Settings
Search view now searches your records as you type
Password Generator view maintains state when leaving STRIP
Additional changes to the iPad version:
Fixes search bar disappearing when tapped twice quickly
Thanks so much to our beta testers for helping us to identify bugs and edge cases early in the process. Your efforts in repeatedly installing beta builds over the last month really helped us as we vetted this version for release.
Is STRIP for iOS vulnerable to this “0 days flaw” in Apple software that allows “cross-app resource access (XARA) attacks”? Is the password for the iOS STRIP app stored in the keychain of the iOS or anywhere else in the iOS system other than in the STRIP app itself?
STRIP does not store the user’s master password in the iOS or OS X Keychain (back to this in a moment).
However, STRIP makes use of the Dropbox and Google-supplied frameworks for authenticating against their services for sync if you choose either of these sync modes. Both of those frameworks store the OAuth authentication credential in the iOS and OS X Keychains (open Keychain Access on your Mac and search for “STRIP” to have a look).
Touch ID Authentication on iOS
In the soon-to-be-released version of STRIP for iPhone and for iPad we’ve added the oft-requested feature of Touch ID login. This feature is completely optional, disabled by default, and only available on devices with Touch ID. The feature works by storing your master password for STRIP encrypted in the Secure Enclave on the device, through the Keychain.
Contrary to what some reports have said, while a malicious app cannot read your existing keychain entries, it can delete existing keychain entries, and it can create new keychain entries that are readable and writeable by other, legitimate apps. This means a malicious app can effectively trick other apps into saving all new password entries to a keychain entry it controls, which it can then read.
iOS is unaffected:
The researchers note that one of the reasons iOS is unaffected by this is that iOS doesn’t have ACLs (access control lists) for keychain entries. Keychain items on iOS may only be accessed by an app with a matching bundle ID, or group bundle ID (for shared keychain items). If a malicious app created a keychain item that it owned, it would be inaccessible by any other app, making it entirely useless as any sort of honeypot.
Using the Touch ID login feature in the next version of STRIP for iPhone and iPad should not leave you vulnerable to this exploit.
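To make the two points above concrete (a master secret stored in the Keychain behind Touch ID, and the per-app isolation that keeps such an item out of reach of other apps on iOS), here is an added illustration in Swift of the Keychain access-control pattern involved. It is not STRIP’s code; the service and account names are placeholders.

```swift
import Foundation
import Security
import LocalAuthentication

// Constructed illustration of a Touch ID-gated keychain item; not STRIP's code.
// Service and account names are placeholders.
enum BiometricSecretStore {
    static let service = "com.example.passwordmanager"
    static let account = "master-password"

    private static var baseQuery: [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    // Store the secret so it is readable only after Touch ID / passcode
    // succeeds (.userPresence), only while a passcode is set, and never in
    // backups or on other devices (...ThisDeviceOnly). On iOS the item is
    // additionally reachable only by this app's bundle ID, so another app
    // cannot plant or read it.
    static func store(_ secret: Data) -> OSStatus {
        var error: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
                nil,
                kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
                .userPresence,
                &error) else {
            return errSecParam
        }
        SecItemDelete(baseQuery as CFDictionary) // replace any previous copy
        var add = baseQuery
        add[kSecAttrAccessControl as String] = access
        add[kSecValueData as String] = secret
        return SecItemAdd(add as CFDictionary, nil)
    }

    // Reading triggers the system Touch ID prompt; the data is returned only
    // when the user authenticates. Failure or cancellation yields nil.
    static func load(reason: String) -> Data? {
        let context = LAContext()
        context.localizedReason = reason
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecUseAuthenticationContext as String] = context
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        return status == errSecSuccess ? item as? Data : nil
    }

    // Wipe the stored secret, e.g. when the user disables Touch ID login.
    static func remove() -> OSStatus {
        SecItemDelete(baseQuery as CFDictionary)
    }
}
```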
In the end you always want to avoid suspicious, maliciously crafted software; once a host operating system is compromised it becomes very difficult to keep your data secure. Watch out for phishing attacks, where email is crafted to trick you into visiting a malicious website or downloading malware posing as normal attachments. On OS X you can limit the apps allowed to run on your Mac to those signed by Apple or by Apple-identified developers (like Zetetic):
If you are concerned about malicious keychain entries you can check for them easily:
Open Keychain Access
Search for “STRIP”
Select the Keychain item in the right pane and select File -> Get Info (or type command+i)
Select Access Control
In the list of allowed applications you should only see STRIP
What about WebSockets?
While STRIP on the Mac provides a utility function for looking up your passwords and inserting them in other applications, it does not include a browser plugin and makes no use of WebSockets, another point of vulnerability detailed in the recently announced exploits.
Update, July 9th: We will be shutting down Tempo permanently on Monday, July 13th, to give our customers a couple more days for the transition.
After many happy years we have made the difficult decision to stop operation of the Tempo time tracking system in the near future.
When we started Tempo in 2007, the marketplace for online time tracking systems was limited. Existing systems were rigid and inflexible, often using antiquated desktop interfaces without mobile support. Tempo’s core ideas like flexible tagging, time entry via email / SMS / Twitter, and detailed trend reports, were fresh.
Since then, however, the number of cloud-based time trackers and mobile apps has grown substantially, and an increasing number of people have moved to consolidated project and billing platforms, or implemented their own time tracking solutions using simple and free cloud services. We believe strongly in working on projects that are sustainable and, unfortunately, Tempo is no longer sustainable in the long term.
Starting today we will be blocking new account registrations on Tempo. The system will be turned off permanently on July 10th, 2015. We will not be billing accounts during the transition period, so if you are a paying customer on a premium plan you will not be charged again for Tempo service.
In order to help you get data out of Tempo, you can use a new full account export feature to download a single compressed file containing the exports of your account’s time entries. The included CSV file can be easily opened by a spreadsheet program for manipulation, long-term historical archiving, or to provide a base data set to migrate to another system. The export function is now available to account owners and managers on the Accounts tab in Tempo.
All exports are refreshed daily and contain all of the information from the start of your account to the previous day. Please be sure to make a copy of your critical data before the system is shut off.
There are several other excellent project and time tracking systems that you might consider switching to. While we can’t recommend any particular system, we encourage you to try out a few over the coming weeks to see what you like. Some systems that we have seen recommended in the past include Harvest and Freckle, especially for advanced users.
Tempo is the only system that Zetetic is shutting down. Our other solutions, including SQLCipher, STRIP, and our Identity and Access Management services are unaffected. Despite Tempo’s lack of growth, Zetetic is still doing very well as a company, continuing to grow, and approaching our 10th year in business.
Finally, we want to say thank you to all of our Tempo users for providing feedback along the way, and helping to spread the word. We really appreciate you as customers and sincerely apologize for any inconvenience this difficult decision may cause. If there is anything we can do to help make the transition easier please don’t hesitate to let us know.
Zetetic LLC is a small company specializing in applied data security. As the developers behind the SQLCipher encrypted database library and Codebook Password Manager, hundreds of organizations and millions of users trust Zetetic’s software and frameworks.