Heartbleed Security Statement for Tempo

2014-04-10 12:04:53 -0400

We've been working hard at Zetetic to assess the impact for our Tempo Time Tracking customers resulting from the recent OpenSSL security disclosure known as the OpenSSL Heartbleed bug.

This issue has undermined the security of many internet platforms by allowing attackers to read arbitrary memory from services using the popular OpenSSL library to provide secure communications over the web. This attack can allow extraction of private keys, session data, and user information from affected websites.

Web Security for Tempo

Zetetic's public Tempo web services do use OpenSSL, but they are not secured by a version that is vulnerable to the Heartbleed attack. In addition, Tempo runs on Amazon Web Services, which was widely reported to be susceptible to Heartbleed, but Tempo does not terminate SSL on the Elastic Load Balancers that were found to be vulnerable.

As a result, users who currently rely on Tempo for time tracking should not need to be concerned with Heartbleed exposure through the Tempo web sites.

Even though the Tempo services should not be directly affected, out of an abundance of caution, we have still taken the step of revoking and reissuing new SSL Certificates for all Zetetic web applications.

Recommendations

This is a good time to review the strength of your application passwords. You should change your Tempo password immediately if you:

  1. Are currently sharing the same password for Tempo as any other application

  2. Are currently using a weak password for Tempo that doesn't meet the recommendations below

We recommend using a strong alphanumeric password with a combination of upper case, lowercase, digits, and meta-characters of the maximum length possible to allow for convenient entry.

We take security seriously and we are happy to communicate with customers about the details of this issue, or how to take appropriate action, so please don't hesitate to contact us if you have any questions.

Heartbleed Security Statement for STRIP Password Manager

2014-04-10 11:19:58 -0400

Like most service and software providers, we've been working hard at Zetetic to assess the impact for our customers resulting from this week's OpenSSL security disclosure, commonly known as the OpenSSL Heartbleed bug. More specifically referred to as CVE-2014-0160, this issue has undermined the security of many internet platforms by allowing attackers to read arbitrary memory from services using the popular OpenSSL library to provide secure communications over the web. This attack can allow extraction of private keys, session data, and user information from affected websites.

STRIP, SQLCipher, and OpenSSL

Users of the STRIP Password Manager may recall that the application uses Zetetic's SQLCipher encrypted database library to protect all underlying application data. While SQLCipher does make use of OpenSSL, it only relies on low-level encryption interfaces. Since there is no use of OpenSSL's SSL functions, there is nothing that would expose SQLCipher or STRIP to direct attack via Heartbleed. More details on the use of OpenSSL in SQLCipher are available separately in our Heartbleed Security Statement for SQLCipher.

As a result, we're pleased to report that users who currently rely on STRIP for their data security need not be concerned with Heartbleed exposure on their local computers and devices as a result of the software.

STRIP Cloud Sync

It's important to note that STRIP does provide a variety of optional synchronization features that use cloud services like Dropbox and Google Drive. Both of those services used affected versions of OpenSSL in the past, and may have been vulnerable to the Heartbleed bug.

STRIP's synchronization features do keep copies of the encrypted STRIP data on the cloud service. However, STRIP is very careful never to expose any unencrypted data to cloud services during synchronization. All STRIP data stored in Dropbox or Google Drive is fully encrypted using a strong encryption key derived from your master password.

While there haven't been any public reports of attackers using Heartbleed against Google or Dropbox, the nature of the bug makes it possible that data on those services could have been accessed without anyone's knowledge. However, since the database is fully encrypted at rest by STRIP, there is no risk of plaintext data exposure.

Recommendations

Even with STRIP's advanced protections, this is a really good time to review the strength of your master password, because STRIP's security really comes down to the security of your passphrase.

We recommend using an alphanumeric passphrase with a combination of upper case, lowercase, digits, and meta-characters of the maximum length possible to allow for convenient entry.

If you are currently using a weak password, especially in combination with Cloud sync, we'd strongly recommend that you change your STRIP password now to ensure the long term security of your data.

Finally, many internet sites have been affected by the Heartbleed bug, and are issuing statements suggesting that users change their passwords, log out of mobile applications, and reset authentication tokens, etc. Please take these notices seriously and update your credentials for affected systems as soon as possible.

We take security seriously and we are happy to communicate with customers about the details of this issue, or how to take appropriate action, so please don't hesitate to contact us if you have any questions.

Heartbleed Security Statement for SQLCipher

2014-04-10 11:16:21 -0400

Like most service and software providers, we've been working hard at Zetetic to assess the impact for our customers resulting from this week's OpenSSL security disclosure, commonly known as the OpenSSL Heartbleed bug. More specifically referred to as CVE-2014-0160, this issue has undermined the security of many internet platforms by allowing attackers to read arbitrary memory from services using the popular OpenSSL library to provide secure communications over the web. This attack can allow extraction of private keys, session data, and user information from affected websites.

We are pleased to report that SQLCipher is not directly impacted by the Heartbleed bug and the subsequent disclosure. Many SQLCipher platforms, including SQLCipher for Mac OS X, Android, Xamarin.Android, ADO.NET, and Windows C++, do make extensive use of OpenSSL. However, they only utilize the low-level "libcrypto" interfaces to access encryption algorithms. Specifically, SQLCipher's OpenSSL provider uses the EVP interfaces, the random number generator, and PKCS5_PBKDF2_HMAC_SHA1. There is no use of OpenSSL's SSL functions, and thus nothing that would expose SQLCipher to direct attack via Heartbleed.

As a result, applications that currently rely on SQLCipher for local data security need not be concerned with Heartbleed exposure as a result of the SQLCipher library. Of course, application and service providers should be sure to carefully audit their software and infrastructure to ensure that there aren't other components or services that rely on affected versions of OpenSSL.

Finally, even though Heartbleed does not impact SQLCipher, we will include the latest OpenSSL 1.0.1g in upcoming releases of SQLCipher Commercial Edition for those customers using our commercially supported libraries to ensure dependency on the latest stable version.
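The audit recommended above starts with an inventory of which OpenSSL builds each component links against. The following is an added example, not Zetetic's or SQLCipher's code: it classifies `openssl version` banners against the CVE-2014-0160 range (the 1.0.1 series through 1.0.1f, plus 1.0.2-beta1; 1.0.1g is the first fixed release). The host names and banners are constructed sample data.

```python
import re

# CVE-2014-0160 affects upstream OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1.
# 1.0.1g is the first fixed release; 0.9.8 and 1.0.0 never had the heartbeat code.
_VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?", re.IGNORECASE
)


def parse_openssl_version(banner):
    """Parse a banner such as 'OpenSSL 1.0.1e 11 Feb 2013' into
    (major, minor, patch, letter, prerelease), or None if unrecognised."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter, pre = m.groups()
    return (int(major), int(minor), int(patch), letter.lower(), (pre or "").lower())


def heartbleed_affected(banner):
    """True if the upstream release named in the banner falls in the affected range.
    Caveat: distributions often backport the fix without changing the version
    letter, so True means 'confirm with the vendor's changelog', not 'exploitable'."""
    v = parse_openssl_version(banner)
    if v is None:
        raise ValueError("unrecognised OpenSSL version banner: %r" % banner)
    major, minor, patch, letter, pre = v
    if (major, minor, patch) == (1, 0, 1):
        # Bare 1.0.1 (including its betas) through 1.0.1f; 1.0.1g and later are fixed.
        return letter == "" or letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        return pre == "beta1"
    return False


def audit_inventory(inventory):
    """Given {host: banner} collected from `openssl version` on each host,
    return the sorted list of hosts whose banner names an affected release."""
    return sorted(host for host, banner in inventory.items() if heartbleed_affected(banner))


# Constructed sample inventory for demonstration; these are not real hosts.
SAMPLE_INVENTORY = {
    "web-1": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-2": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy-db": "OpenSSL 0.9.8y 5 Feb 2013",
    "staging": "OpenSSL 1.0.2-beta1 24 Feb 2014",
}

if __name__ == "__main__":
    print("hosts to review:", audit_inventory(SAMPLE_INVENTORY))
```

A banner that reads as fixed only rules out the upstream build; a libssl-linked component still needs its own check, while a libcrypto-only consumer such as SQLCipher is out of scope regardless of the version.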

We take security seriously and we are happy to communicate with customers about the details of this issue, so please don't hesitate to contact us if you have any questions.

STRIP for iPhone and iPad 2.2.2 Released

2014-03-31 12:27:49 -0400

We released a point update for STRIP for iPhone and STRIP for iPad today alongside today's update to STRIP for OS X. The new versions contain various bug fixes and a handy new improvement: a cancel button on the Sync view. STRIP for iPhone and STRIP for iPad are available now in the iTunes App Store (if you don't see 2.2.2 yet, try again in a few minutes; the App Store doesn't always get the update out quickly after we release).

Changelog

  • New Button to Cancel sync in progress
  • Fixes direct IP / Hostname view for WiFi Sync
  • Fixes masking switch on Note labels
  • Fixes login interface on device rotation
  • Fixes crash on resume when menu showing on iPad

If you're enjoying the changes we've been making or if you'd like to see more, please consider reviewing STRIP in the iTunes App Store and letting us know. If you have any issues whatsoever or if you'd prefer to get in touch with us directly please write us at support@zetetic.net. Thanks!

STRIP for OS X 2.2.0 Released

2014-03-31 11:55:49 -0400

Today we released STRIP for OS X 2.2.0, a major improvement over 2.1.0 in terms of stability, resource utilization and convenience. If you take a look at the image above you'll see some new additions to the interface—toolbar buttons! The icons for these were lovingly designed by Jory Raphael at SensibleWorld.com, and we'll be seeing more artwork from Jory in STRIP soon.

OS X 10.9 Mavericks Required

This version of STRIP requires a minimum OS X version of 10.9 Mavericks; do not install it without first upgrading OS X. STRIP for OS X 2.2.0 is sync-compatible with the previous version 2.1.0, allowing some time to upgrade, but with all the fixes in this update we're hoping you'll make the leap with us sooner rather than later.

Download

Download STRIP for OS X from the Mac App Store. If you purchased the independent build of STRIP for OS X from Zetetic, simply launch the app and select "Check for Updates" from the STRIP menu in the menu bar if you are not prompted to update.

What's New

Toolbar: We probably should have added these buttons a lot sooner, but hopefully this is a reasonable initial set with obvious functionality. One of the buttons, however, the one with the flashlight icon, does something new. This button (and the associated keyboard combo shift+command+M) allows you to quickly show and hide all masked fields on the entry view, and we find ourselves using this all the time now.

Entry view: There's so much we have planned here but for now a minor update to the display of field labels and values along with a slew of fixes for the actions presented in the context menu when you right-click on a field (in view and edit modes).

Import: If you've ever tried to import a lot of records into STRIP for OS X via CSV (like say 500), it was very slow, consumed a ton of memory and was prone to crashing. All fixed up! Although, there is a hard limit of 998 records in one import at the moment. We'll be looking to fix that in future updates.

Memory use: Such memory leaks, many fixes. We'll be paying a lot more attention to this from here on out, making heavy use of profiling tools to manage resource utilization and ensure STRIP is a good citizen on the OS.

Sync: Some bug fixes here as well, along with a fully functional Cancel button. Sometimes there are errors on sync or the network connection is interrupted—you need to be able to cancel the operation and STRIP should handle errors gracefully.

Guts: We found some ugly bugs in how STRIP handled data persistence and put a lot of effort into fixing that up. We're constantly trying to improve and here's one area where we couldn't ignore code written three years ago. There will be no bit-rot in STRIP!

As always, if you have any questions or issues please contact us at support@zetetic.net. If you like this update to STRIP and want to see more, please consider leaving a rating or a review in the Mac App Store and tell us what you'd like to see next.

Changelog

  • Adds new timer to erase field values copied to clipboard after 2 minutes
  • Now uses internal, private pasteboard for copying category and entry records
  • Adds preference to sort labels alphabetically (defaults to enabled)
  • Adds new toolbar buttons
  • Adds Start Sync button to toolbar
  • Adds Password Generator button to toolbar
  • Restores global availability of Password Generator (shift+command+P)
  • Adds new show/hide all masked fields feature to toolbar and View menu (shift+command+M)
  • Adds right-click and keyboard command to launch selected field (command+return)
  • Adds shift+command+J for masking and revealing the selected field
  • Adds 4 and 8 hour intervals to preferences for Auto-lock
  • Includes minor improvements to entry view display
  • Fixes crash during import
  • Fixes poor/slow performance during import
  • Fixes memory leaks during import
  • Fixes memory leaks in main window interface
  • Fixes Auto-lock engaging during import for lengthy imports and shorter lock intervals
  • Fixes sync failure regression on passwords with a single-quote character
  • Fixes window restore location after Auto-lock
  • Fixes preventing access to Preferences window while locked
  • Fixes right-click commands on fields improperly mapped to selected row instead of click target
  • Fixes sorting of new and edited category and entry records to maintain alphabetic sort
  • Fixes any missing or duplicate replica IDs on sync
  • Fixes dysfunctional cancel button on sync progress sheet