A hacker conference that’s all about passwords, PIN codes, and digital authentication.
We are excited to announce that we are sponsoring and attending Passwords 15 this August 4th and 5th in Las Vegas! It’s an annual conference held alongside the BSides hacker conference which brings together some of the brightest minds in the field—among them password crackers, researchers, and security experts.
Representing us will be two members of our development team, Micah Moore and Billy Gray. If you’re attending as well, don’t be shy, say hello. This is our third year attending Passwords; last year we sponsored the conference and delivered two talks ourselves. Here’s the one we gave on enhancing password-based key derivation techniques:
This year we’re just going to take it all in. The talks are really engaging, some demonstrate cutting-edge cracking techniques and delve into theory while others try to make sense of all the research out there and address wider issues. BSides is of the same caliber: there’s never a dull moment, and the pool party isn’t bad, either ;) Hope to see you there!
Hello readers. STRIP, our password manager, has a helpful feature named Secret Agent that makes it easy to access data stored in STRIP from other apps. We created a demonstration video on how to use Secret Agent effectively and we wanted to share it with you and describe the feature a bit more.
Ever get to a website login page and sigh at the annoyance of typing in your username and password? You don’t have to with Secret Agent. Just use the global keyboard shortcut to bring up the search bar. Search for your entry and hit enter, then select the field you want and hit enter again. Secret Agent will automatically fill in the field, without the need for an additional browser plugin. This works on more than just browsers: you can insert data from STRIP into any app using Secret Agent.
How to set it up:
On Windows, go to File/Preferences and check “Run Secret Agent at Windows Login”.
On OS X, go to STRIP/Preferences/General and check “Enable Secret Agent with keyboard command”.
NOTE FOR OS X USERS: make sure the user script is at the correct path: ~/Library/Application\ Scripts/net.zetetic.Strip.mac/
How to use it:
With your cursor in a text field, press the hotkey to bring up the search bar. These are the default keys, which we recommend, but you’re free to change them to your liking.
Windows: Shift + Control + Backslash
OS X: Shift + Command + Backslash
Search for your entry, then hit enter on the field you want to fill. Make sure your insertion cursor (the blinking vertical line) is in the field you want to fill before calling Secret Agent. If you’re filling in multiple fields, calling it again picks up from where you last left off; otherwise you can just start typing and it will run a new search. Once you get the hang of it, logging in becomes impressively quick, leaving onlookers curious how you managed to log in so quickly without touching your mouse or typing much at all.
As always, if there are any issues please let us know.
If you take a look at the iTunes App Store US reviews for STRIP for iPhone, you’ll see this sentiment in a number of the more recent ones:
It’s a good app, however it’s missing a big thing here which other security apps have…simply NOT supporting “Touch ID” …whyyy!! Once this integrated will pump up the rate to 5*
I hope we’ve finally earned that fifth star, Kokiiiz78! Today we’re excited to announce that Touch ID authentication is now available in STRIP for iPhone and STRIP for iPad version 2.5.0.
The feature is optional, disabled by default, and simple to use.
To enable Touch ID authentication:
Update STRIP to 2.5.0
Login to STRIP and tap on the Settings view tab
On the Settings view tap on Login Settings
Tap on the switch labeled “Enable Touch ID login”
You may be prompted to authenticate with your Touch ID by iOS
That’s it! The next time you are asked to login to STRIP you will be prompted for your Touch ID
As an aside, this feature works nicely in conjunction with the Auto Lock Timer preference, which allows you to keep STRIP unlocked for a chosen interval.
Changes in this version:
Provides new “Enable Touch ID login” feature under Settings -> Login Settings
Search view now searches your records as you type
Password Generator view maintains state when leaving STRIP
Additional changes to the iPad version:
Fixes search bar disappearing when tapped twice quickly
Thanks so much to our beta testers for helping us identify bugs and edge cases early in the process. Your efforts in repeatedly installing beta builds over the last month really helped us as we vetted this version for release.
As always, if there are any issues please let us know. If you’d like to tell us what you think consider stopping by our discussion forum.
Is STRIP for iOS vulnerable to this “0 days flaw” in Apple software that allows “cross-app resource access (XARA) attacks”? Is the password for the iOS STRIP app stored in the keychain of the iOS or anywhere else in the iOS system other than in the STRIP app itself?
STRIP does not store the user’s master password in the iOS or OS X Keychain (back to this in a moment).
However, STRIP makes use of the Dropbox- and Google-supplied frameworks for authenticating against their services for sync if you choose either of these sync modes. Both of those frameworks store the OAuth authentication credential in the iOS and OS X Keychains (open Keychain Access on your Mac and search for “STRIP” to have a look).
Touch ID Authentication on iOS
In the soon-to-be-released version of STRIP for iPhone and for iPad we’ve added the oft-requested feature of Touch ID login. This feature is completely optional, disabled by default, and only available on devices with Touch ID. The feature works by storing your master password for STRIP in the iOS Keychain as an item that can only be read back after a Touch ID check; the Keychain’s encryption on these devices is rooted in the Secure Enclave, so the item is never available to code running on the device in the clear.
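To make the mechanism concrete, here is an added illustration of how an iOS app stores a secret in the Keychain so that iOS only returns it after the user passes a Touch ID (or device passcode) check. It is example code written for this post, not STRIP’s own implementation; the service and account names, the prompt text, and the fallback-to-passcode policy are assumptions.

```swift
import Foundation
import Security

// Example only; not STRIP's code. Names below are assumptions for illustration.
let keychainService = "net.zetetic.Strip.example"   // assumed service identifier
let keychainAccount = "master-password"             // assumed account label

enum KeychainError: Error {
    case accessControlCreation
    case status(OSStatus)
}

/// Stores the master password as a generic-password Keychain item whose
/// access-control policy requires user presence (Touch ID, with the device
/// passcode as fallback) on every read. The accessibility class means the
/// item is never included in backups, never migrates to another device,
/// and is destroyed if the device passcode is turned off.
func storeMasterPassword(_ password: String) throws {
    var cfError: Unmanaged<CFError>?
    guard let accessControl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .userPresence,
        &cfError) else {
        throw KeychainError.accessControlCreation
    }

    // Delete any earlier copy first; SecItemAdd refuses duplicates.
    let deleteQuery: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: keychainAccount,
    ]
    SecItemDelete(deleteQuery as CFDictionary)

    // Note: kSecAttrAccessible must not be set separately when an
    // access-control object is supplied; it is part of that object.
    let addQuery: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: keychainAccount,
        kSecValueData as String: Data(password.utf8),
        kSecAttrAccessControl as String: accessControl,
    ]
    let status = SecItemAdd(addQuery as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

/// Reads the master password back. Because the item carries a user-presence
/// policy, SecItemCopyMatching blocks while iOS shows the Touch ID prompt and
/// returns errSecUserCanceled / errSecAuthFailed if the user does not pass it.
func readMasterPassword() throws -> String {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: keychainAccount,
        kSecReturnData as String: true,
        kSecUseOperationPrompt as String: "Unlock STRIP",   // assumed prompt text
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess,
          let data = item as? Data,
          let password = String(data: data, encoding: .utf8) else {
        throw KeychainError.status(status)
    }
    return password
}
```

Two design points worth noting. First, the protection is enforced by the OS and the Secure Enclave at read time, not by the app: an attacker who copies the Keychain database off the device does not get a usable item, because the class-specific key lives in the Secure Enclave. Second, `.userPresence` lets the device passcode stand in for a fingerprint; an app that wants fingerprint-only unlock can use the biometric-only flags instead, at the cost of losing the item when fingerprints are re-enrolled.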
Are these Keychain items vulnerable to attack?
It depends. There’s a great article on iMore.com explaining the attacks and what’s vulnerable (emphasis theirs):
Contrary to what some reports have said, while a malicious app cannot read your existing keychain entries, it can delete existing keychain entries, and it can create new keychain entries that are readable and writeable by other, legitimate apps. This means a malicious app can effectively trick other apps into saving all new password entries to a keychain it controls, and then can read.
iOS is unaffected:
The researchers note that one of the reasons iOS is unaffected by this is that iOS doesn’t have ACLs (access control lists) for keychain entries. Keychain items on iOS may only be accessed by an app with a matching bundle ID, or group bundle ID (for shared keychain items). If a malicious app created a keychain item that it owned, it would be inaccessible by any other app, making it entirely useless as any sort of honeypot.
Using the Touch ID login feature in the next version of STRIP for iPhone and iPad should not leave you vulnerable to this exploit.
In the end you always want to avoid suspicious, maliciously crafted software; once a host operating system is compromised it becomes very difficult to keep your data secure. Watch out for phishing attacks, where email is crafted to trick you into visiting a malicious website or downloading malware posing as a normal attachment. On OS X you can limit the apps allowed to run on your Mac to those signed by Apple or by Apple-identified developers (like Zetetic) under System Preferences / Security & Privacy / General:
If you are concerned about malicious keychain entries you can check for them easily:
Open Keychain Access
Search for “STRIP”
Select the Keychain item in the right pane and select File -> Get Info (or type command+i)
Select Access Control
In the list of allowed applications you should only see STRIP
What about WebSockets?
While STRIP on the Mac provides a utility function for looking up your passwords and inserting them in other applications, it does not include a browser plugin and makes no use of WebSockets. That is the other channel detailed in the recently announced exploits: a browser extension talking to its password manager over a local WebSocket has no way to verify which process is listening on the port, so a malicious app that binds it first can impersonate the password manager.
We are happy to announce the availability of commercial licenses for SQLCipher for Cordova. Cordova allows a developer to quickly develop mobile applications using JavaScript, and now secure database storage via SQLCipher is available as a commercially supported platform. SQLCipher for Cordova provides support for integrating a SQLCipher database within a Cordova project running on iOS, Android, and Windows Phone. All interactions with the database are performed through a simple JavaScript API. Now available for purchase or as a trial.
Zetetic LLC is a small company specializing in applied data security. As the developers behind the SQLCipher encrypted database library and Codebook Password Manager, hundreds of organizations and millions of users trust Zetetic’s software and frameworks.