KeePass Password Manager

These days it’s more important than ever that you have a good strong password that’s different for each account you have, keeping track of all these can be quite complicated so having a password manage makes life much easier, you could of course write them down but that has its own risks such as someone reading them or more likely you losing them.

Many people rely on the password managers built in to web browsers, however this is a very bad idea, since there is often no encryption and it can be quite easy to fool the web browser in to giving the stored passwrds which is why I strongly advise people to stop using it.

KeePass

5i7dbt7

Main window

KeePass is a very popular password manager which has been around since 2006, it has many of the features you would expect from such a mature application such as:

  • Encrypted password database
  • Password categories & search
  • Autotype system that doesn’t need browser plugin
  • Password generator
  • Plugins to add more options
  • Free and open source

KeePass was orginally written for Windows but now many ports are available for different operating systems, KeePassX in partiular supports many platforms.

nogljqw

Password generator

There are of course other applications available that do more or less the same, however most are not open source and many depend on cloud based storage which in my opinion could be a security risk since the database is out of your control.

After using KeePass for quite a few years I could never go back to the old way of managing passwords, using this I can use passwords far longer than I could ever be botherd to type which greatly improves security, unfortunately there are still some websites out there that have arbitary limits on password length, PayPal in particular is a good example of this stupidity.

How not to lose your password database

With KeePass which is not cloud based there is always a risk you could lose the password database, one way around this is to have a cloud hosting account with a simple password you can easily remember, it isn’t vital to protect the database since it’s already encrypted, you can then synchronize the database whenever you make changes.

Like anything it’s still a good idea to make periodic offline backups.

Blocking Advertising

Internet advertising is one of the biggest risks to your security and privacy so it’s important to block it if you value these things, some might argue it’s wrong to block advertising but when it puts you and your computer at risk there is no other option.

Internet advertising can be blocked by three main methods:

  • Hosts file
  • DNS filter
  • Browser plugins

Most people these days use browser plugins such as AdBlock, Adblock Plus or my personal preference and recommendation uBlock Origin, these in general do a very good job at blocking advertising but don’t work outside the web browser, they can also be used to remove unwanted elements from a web page giving you a cleaner browsing experience.

Hosts File

The hosts file is a little more complicated to explain, when you go to a website such as http://www.google.com your computer needs to lookup the domain name to obtain the internet address such as 216.58.198.110, this is done by contacting a DNS server which is typically provided by your ISP, however in the early days of the internet there was no DNS servers, instead it looked in a hosts file which manually maps domain names to ip addresses, for example:

216.58.198.110 http://www.google.com

The hosts file typically has priority over the DNS server so you can use it to override the domain name resolution, this is usually done by redirecting the domain to the local loopback address which is 127.0.0.1 or 0.0.0.0, this effectivly blocks the domain.

On windows the hosts file can be found at C:\Windows\System32\drivers\etc\hosts
On Linux and most other UNIX based systems it can be found at /etc/hosts

To make things easier you can find hosts files online that already block the majority of advertising providers and other unsafe domains, I’m currently using Steven Black’s hosts file which is compiled from several different reliable sources.

This applies to all applications on your system but I still recommend it be combined with a browser plugin for maximum coverage.

DNS Filter

Rather than at the hosts file the blocking can also be done at the DNS server level, you can either do this by setting up your own DNS server or by using a public DNS service such as OpenDNS.

Personally I don’t use these public services out of privacy concerns but if you want a very simple method that needs no maintenence this might be for you, one big advantage of this is that it works on devices where you cannot typically access the hosts file.

If you have a Raspberry Pi laying around consider installing pi-hole on it for a super simple hardware DNS server.

Advanced Blocking

Sometimes you may run in to an advert that is not blocked by any of your installed methods, in a web browser it’s easy to add new blocking rules but outside you may need to find which domain it’s coming from.

This is easily done by tools such as Process Explorer or Wireshark which can show all HTTP connections, with a little effort this is usually able to locate the offending domain, for cases where the connection is made directly by IP address you can block it using a firewall such as TinyWall or Windows Firewall.

Browsing the Web Securely

Browsing the web is one of the most dangerous activities when it comes to keeping your computer secure, the vast majority of all malware and worse infections come through web exploits, this article covers some of the best ways to improve your security.

The Web Browser

Using a modern web browser that is regularly updated is one the most important thing you can do, Mozilla Firefox and Google Chrome are two of the most popular but there are plenty of others out there that are just as good such as Opera, Vivaldi, Chromium and SeaMonkey.

Most of these have versions for mobile devices, although in my opinion it’s best to avoid doing anything important on a mobile device, particularly with Android.

Block Advertising

A large percentage of malware is delivered through online advertising so it’s absolutely critical that you block it, white listing certain websites is also a bad idea since this can occur even on major websites like YouTube.

There are a variety of adblockers available, some of the most common being adblock plus and ublock origin, personally I recommend the latter as it uses less resources and allows no ads by default.

Another form of adblocking (also used for other purposes) is by using a custom hosts file, this stops the computer from connecting to the listed websites, this is best used in combination with an adblocker, one good hosts file can be found here along with usage instructions.

Browser Plugins

Plugins like Flash and Java are a big no if you’re looking for security, flaws in these can easily expose your system to serious infections, if you need to use them make sure you always have the latest version and keep it disabled until needed.

Javascript

The majority of serious malware makes use of Javascript in combination with known web browser flaws to gain unrestricted access to the system or some other kind of attack, disabling Javascript when visiting unknown sites is the best thing you can do, unfortunately Javascript is also used by almost all websites for interactive content.

One way to make this simpler is to use a browser extension such as NoScript, this by default blocks all scripts so you have to manually accept them, this is a little time consuming but it only needs to be done on your first visit to each web site, in addition it allows you more control over what the website can do.

Cross-site Scripting (XSS)

A cross-site script is a script that reads or sends content to another website, one simple example being loading an image hosted on another web site, the problem with this is that without proper care and design it’s possible to exploit XSS to read private data or inject malicious code.

The risk of this cannot be emphasised enough, many major websites such as YouTube, Twitter and Facebook have been attacked using XSS, the best way to prevent this is to use a browser extension that by default blocks all cross-site requests such as RequestPolicy.

Virtual Machine

Perhaps the only true way to ensure security of your computer is to browse the web in a virtual machine, this is often time consuming to setup but is well worth the effort, this way you can be reasonably sure that even if you are infected the infection will be contained to the virtual machine, a lesser kind of virtual machine is a virtual sandbox which basically creates an isolated container, this isn’t nearly as secure as a virtual machine but is much quicker to setup.

Secure Operating System

If you’re using Windows then you’re going to be at significantly higher risk of infection, simply due to the number of users, the quickest way to boost security is to switch to Linux, BSD or Mac OS X (if you can afford it), this is not for everyone however but is well worth giving it a try, these can also be used in a virtual machine.

Use Anti-virus Software

Having some anti-virus software installed is very important, this is usually the final barrier stopping an infection, particularly as most now scan any changes made so malware and other nasty stuff is caught before it can actually cause any problems, this comes at a small impact to system performance but the loss is well worth it.

Anti-virus software should not be confused with anti-malware software, most anti-malware software deals with minor things such as adware and tracking cookies, anti-virus software will often ignore these so it’s good to have both.

Password Security

In the event that a web site you used is compromised (all too common these days) it’s important that you have unique passwords for each website that you use, these can be hard to remember so a program like keepass is extremely useful, this also allows the use of much longer passwords helping to prevent dictionary attacks and brute force.

Suspicious Sites

Always look at the URL before you click a link, unusual domains like .tk and domains in countries like russia and china (assuming you don’t live there) should be avoided.

If your browser has the option or there is an extension available you should disable automatic redirects, there have been many cases where a normal site has been hacked and changed to redirect you to the attack site.

Downloads

Another common technique to catch people is drive-by downloads, this is where a download will randomly pop up when you reach an infected page (usually triggered by a script), always check the download name, size and file extension, if you’re even the slightest bit concerned scan it before opening, a final fail safe is to open any download in a virtual machine.

Another way to verify a download is to verify the checksum if available, any changes or corruption of the download will alter the resulting checksum, IgorWare Hasher is a free Windows tools you can use, Linux and BSD usually already have something installed.

HTTPS

HTTPS encrypts data being sent and received by your web browser with SSL, most websites support encryption but not all have it enabled by default, always be very aware when sending sensitive data that the website is using HTTPS, this is usually indicator by a padlock icon near the address bar and the URL starting with https://

A nice little browser extension is HTTPS Everywhere, this forces use of HTTPS where available among other features.

Autofill

Most web browsers can remember your password to make things easier and quicker, however this is a big security risk that is often targeted by malicious scripts or software, so it’s strongly recommended that you disable it.

Advanced Authentication

Many websites are now offering more advanced authentication using things like verifying your email address or sending you an SMS message rather than just password alone, this can be a bit annoying but for important accounts you should always enable it.

Conclusion

Good browsing security isn’t difficult, most of it comes down to common sense but hopefully you have learned something of use from this article.

Secure Communication With GnuPG

Now days with the increase in spying by organizations such as the NSA and reqular attacks against websites it’s more important than ever to secure your data and communication.

GnuPG is a free and open source OpenPGP implementation available on every major operating system that can provide strong encryption, before making use of GnuPG it’s important to understand some concepts.

Basic Concepts

Public Key

The public key is an encryption key that is intended to be publicly available, at the very least the sender will need your personal public key to perform encryption, public keys are also used to verify signatures so any unauthorized changes can be detected.

Secret Key / Private Key

The secret key is used to decrypt a message or file than has been encrypted by the matching public key, the secret key should as the name suggest be kept secret as it provides additional security on top of the passphrase, secret keys are also used to sign a file so persons with your public key can verify the file has not been changed.

Passphrase

A passphrase is used when performing decryption or signing a file, this generally follows the same rules as making a good password except it should be much longer, around 40-60 characters is considered typical which will be for all intents and purposes unbreakable.

Installing GnuPG

There are two main version usually installed stable and classic, these are run with the command ‘gpg2’ and ‘gpg’ respectively, in most cases you should always use the stable version of GnuPG, on Linux most distributions come with it already installed.

For Windows user the easiest way is to install gpg4win which can be downloaded with a graphical front end for easier use.

Using GnuPG

For this I’m going to assume you’re using the traditional command line and not a graphical front end, if you are you should check the documentation for your particular front end.

Generating a key pair

Generating a key pair (key pair being the public and secret key) is really simple, just run the following command:

gpg2 --gen-key

You will then be asked the following:

Please select what kind of key you want:
 (1) RSA and RSA (default)
 (2) DSA and Elgamal
 (3) DSA (sign only)
 (4) RSA (sign only)
Your selection?

In almost all cases you want option 1 which is considered by many to be the most secure, next you will be asked to specify the key size.

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 

2048 bits should be the absolute minimum for good protection with 4096 being the optimal choice where speed or size isn’t a major concern, keep in mind slower machines may have trouble dealing with a large key.

Please specify how long the key should be valid.
         0 = key does not expire
        = key expires in n days
      w = key expires in n weeks
      m = key expires in n months
      y = key expires in n years
Key is valid for? (0)

You will then be asked for an expiry date, it’s a good idea to set this since it provide a clear indication to users that they should update their key, a key that has expired can still be used normally, although many key servers will remove expired keys.

GnuPG needs to construct a user ID to identify your key.

Real name: TestKey
Email address: Test@Test.com
Comment: Test Key
You selected this USER-ID:
    "TestKey (Test Key) "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? 

You will then be asked for your real name, email address and a comment to help identify the key, both for yourself and others.

Once this is done you will be asked for the passphrase, it’s a good idea to practice using the passphrase you have chosen before making the key since writing it down would defeat the purpose, there is also no way to recover a lost passphrase.

The key will then be generated, as GnuPG suggest you should move your mouse around randomly to help generate a truly random key.

gpg: key EA40ACC3 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   5  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 5u
pub   4096R/EA40ACC3 2015-11-08
      Key fingerprint = CA97 B246 2A38 A2EA 6A0D  0228 2CBE 7277 EA40 ACC3
uid       [ultimate] TestKey (Test Key) 
sub   4096R/C0523162 2015-11-08

This shows the keys were successfully generated, the key ID is EA40ACC3, it also shows the public key fingerprint which is used by the recipient to verify with you that the key they have received is correct, it also shows the key name, comment and email address along with the trust level, which for a newly generated key is ultimate (it’s your key you trust it fully), a subkey is also shown, this should not be confused with the secret key which is not shown here, GnuPG by default uses a separate subkey only for encryption with the ID here of C0523162.

Viewing your key pair

To view the public key again you can use:

gpg2 -k Test
pub   4096R/EA40ACC3 2015-11-08
uid       [ultimate] TestKey (Test Key) 
sub   4096R/C0523162 2015-11-08

To view the secret key:

gpg2 -K Test
sec   4096R/EA40ACC3 2015-11-08
uid                  TestKey (Test Key) 
ssb   4096R/C0523162 2015-11-08

In this case ssb is the matching secret subkey for the public subkey C0523162, if you run this command without Test it will show all keys in your keyring which is automatically generated the first time you run GnuPG.

Exporting and using a key server

It’s very very important you always have a secure backup of both your public and secret keys, to do this you can export them, to export the public key (public sub key is automatically included):

gpg2 --armor --export -o pub.asc Test

This exports the public Test key to the file pub.asc, the –armor option makes it output the key in plain text rather than binary, the result looks something like this:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2

IZKKutUkIBxjUTv7NJUOewfJ0HtD/O/vDTMdGsbyV8t2Fdc0GLnmrpuHaiwDlNHt
vYgFz3WVTaYKxMSES/DfJFf492Hfk4PFGn5xn/4MAcbCQ5LAQkYQViU5LrBJahDO
4tBb4ykayAIqDgqEOIGRBeaU65Zp7LSbxK1noHnHskZzI41uRFR0DbeqNXOTu6Dd
NuvdojaVnzfbnLoh2N58rkc9rAIJcQ3IJN3ZABEBAAGJAh8EGAEIAAkFAlY/j4AC
GwwACgkQLL5yd+pArMO+hQ/7Bgz+vZA2gXP5ceGh32MMIhCWgFPyehzHOqK50iOQ
JwrxWl+2qqQB/+xtQFgxXGfSDJTYhPAaVhpPObX09zeEgz1UH3Va2Rih/SH9C2Dw
swtNh/aqJ6OPGa//YNyk++rva/nQR5w5NTAx6iNBcFdneKnM5G++au0vfO5JjXtG
sAAN0h3v6U3W7lEKB02jhAQM/6xwVK4mvs8ff0pY+4Iem3UrrD0UzqpGnI2GEz5a
lZ+9NjSAJIeji2xSrWCoOV4Ru9a5Y1JX0DL8WKWTgJJM2Ga4Y5itVQj6pTueuyOK
eBfjVkejgmYvr4DbVk8OaJ2oopUJTIhPN7fanmMaW9Cp0lUW+Ml2fpBfPZEq4/XV
1J8eyIdw7OTl/X5GUg91WH2xZD2SCGSVhUFEzts+B1CUxfQNFViFn4ew77VWX+za
NRY8mQxjyVU2wNgdKBivu8+cmRtk+iLG5sXDpqaI1QlUpxwvkmm6I0PGV+EnOnvW
3yboQpWXuD4SZDl386hQaF09kGodnUp6Ct77l3Cex2Lo29pdnE5Mwu0fK3sJkcHI
oMffoKRD8zy6Jp7t0RbpiHlkt3a6CaSjZ8vT14djPb1sRn/jO+KDOKZVeFiE+JPD
F4WEMhk74QOqlQH1IvWjcCxCZWKvjNB4eXgdzLlbnZnI26AFwkEoxNqBPjmtUaQC
uvg=
=BGpH
-----END PGP PUBLIC KEY BLOCK-----

It’s very important you do not modify this in any way, this can now be stored or sent to whoever you want.

To export the secret key:

gpg2 --armor --export-secret-key -o sec.key Test

This should never be given to anyone but it’s also of critical importance that you have it safely stored, if you loose it you can never decrypt or sign again with the key.

Public keys are often stored on a public keyserver for convenience, to send your key to a keyserver (in this example I’m sending it to pgp.mit.edu):

gpg2 --keyserver pgp.mit.edu --send-keys EA40ACC3

To get a key from the keyserver use:

gpg2 --keyserver pgp.mit.edu --recv-keys EA40ACC3

It should be noted there is no way for you to delete the key from the server, some servers may delete keys that have expired or that have received a revocation certificate, this requires the secret key so it’s best done right after key creation.

gpg2 --output pub-revoke.gpg --gen-revoke EA40ACC3

To use this you import the revocation certificate and then send the key again to the keyserver.

gpg2 --import pub-revoke.gpg
gpg2 --keyserver pgp.mit.edu --send-keys EA40ACC3

Importing Keys

Importing a key is very easy for both public and secret keys:

gpg2 --import pub.asc
gpg2 --import sec.asc

A key that is imported is by default untrusted, to change this you need to go into key editing mode:

gpg2 --edit-key test

This will show the usage of each key and subkey, S being Sign, C being create certificate, A being authentication and E being encryption.

You can get the fingerprint by typing ‘fpr’ you should always use this to verify any key sent to you.

You can switch between the public and secret keys by typing ‘toggle’.
To change the trust type ‘trust’ and answer the following question, ultimate trust should only be assigned to keys you are 100% sure of.
When you are done make sure you type ‘save’.

Encryption and Decryption

Encryption is the main purpose on GnuPG, this can be done two ways, encrypting a message or encrypting a file.
To encrypt a message use:

gpg2 --armor -r Test -e

You can now type your message, when finished hit ctrl + d, the encrypted message will now be given:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v2

hQEMAxzJ34dtBd7eAQgAjf/jdG58LvYt8//szu25fw5GGc4GoAosaWuGT6RmciD5
Pqj7SQlYFs0qodT42OYpSs1cSSdyR6Xz5XCJj/H+Z3FeOmHmQqdPbI5igsq7inZe
KU4to8vrMPifTavumhuXOoY/sBEWnoSwb95DeLfZs46rziFWIUrajzqsl5uXmO5U
2culeNUfga1ppad/P73WFr7m5sdQcnizVbs1w+ODxOKc082P1zzxfJ9x49uZQmTZ
dRRUp/ajPIPiYfckqlV68S9BYh4IjNtXL3dbf4BpxS98B07PQsmAgni39+J+Sie6
2nvLq0sDxdcv9Dxsd3eBYCUhCuUzpQHwx48tjXh5LNJGAa39Ctz5NHrt7he5vy3D
WXLSHOpv3eAQXr/7zpN1m325D+4P45XMZTcPDBjXO6CJVrHjRTDLE2rsT9EjksFN
VNi/MlRDVA==
=/qRd
-----END PGP MESSAGE----

To decrypt a message use:

gpg2 -d

Paste in the message and it should ask for the decryption key, if not try hit ctrl + d.
If the passphrase is correct you will see the original message.

Windows has a problem with not recognizing ctrl + d so this method as far as I can tell will not work.

Encrypting a file can be done like so:

gpg2 --armor -r Test -o test.txt.gpg -e test.txt

Since –armor outputs ASCII you can send the encrypted text in test.txt.gpg in an email as long as the recipient knows it’s a file and the intended file extension, or as an attachment.
To decrypt:

gpg2 -o test.txt -d test.txt.gpg

File Signing

Signing a file is a great way to ensure the recipient can verify that they have the correct unmodified file, this is similar in many ways to a file hash.
To sign a file do:

gpg2 --armor -u Test -b test.txt

This will create a test.txt.asc file which contains the file signature, this is known as a detached signature which is most often what you want, this should be included along with the file you are sending.

If you are sending an encrypted file you should generate your signature from the original file, under UNIX systems it’s common to sign a .tar archive before it gets compressed, for example with bzip2.
To verify the signature.

gpg2 --verify test.txt.asc

Conclusion

This may look like a lot of work but it’s really very simple once you’ve done it a few times, there are a bunch of friendly user interfaces such as GPA available so you don’t have to remember the commends, for quick reference you can type ‘gpg2 –help’, this guide doesn’t cover everything but it’s enough to get you started.

Online security is very important so it’s well worth taking the time to learn how to use encryption effectively.