Fast cracking of WPA with TKIP, even more reason to dump TKIP.

So we have known for some time now that WEP is little better than no encryption, and about a year ago it was found that using TKIP with WPA had a vulnerability that weakened associated implementations of WPA.
Now scientists in Japan have reportedly come up with a way to break WPA TKIP secured wireless in less than a minute. The specific details have not been fully discussed, but details have been documented here and will be presented at the IEICE in September.

You can read more over at Network World, but the message is clear: if you have the ability, you should be using WPA or WPA2 with AES, not TKIP.

Password Managers, something worth considering. Some Options

I think we all appreciate that we all have lots of passwords to remember, especially if you're working in the IT industry. Now a lot of us have good methods to mentally store the various passwords, however it's still not uncommon to see a Post-It on the monitor, stuck under the keyboard, or even a big white sticker stuck directly on the front of a laptop.

Many years ago when I worked in a small office, I had a phone call from a user explaining how his password had gone. He hadn’t forgotten it, it had gone. This didn’t make any sense, so I went to see him. Turned out his password was the serial number of a nearby fire extinguisher, and this had recently been replaced and moved elsewhere in the building. Creative thinking, but a little bit flawed 🙂

In many organisations passwords are still the key to gaining access to the system. This may cover one or more of the following: an encryption password, network log on, mail access, bank information and more. So it's clear passwords are important, and not something we should be sharing and advertising to every passer-by. So aside from continuing user awareness on the importance, what other solutions could be considered?

Well, one option is a Password Manager. Essentially a password manager is an application, add-on or device that can store all your passwords in a secure, encrypted format that you protect with a single complex passphrase. With this in mind I have had a little look at some of the offerings available, both open source and commercial, to provide a single place to start you on your search for the right solution for you and your company.

Firefox Password Manager
So we could consider this as putting all your eggs in one basket, but it's possibly better than using Post-It notes, or a plain text file, to store all your passwords. Granted there is always a possibility of a browser exploit leading to a vulnerability that could gain access, so keep this in mind too. If you do use the Firefox Password Manager, ensure that you set a strong master password. I am not sure specifically how the passwords are stored, but at least it will require you to enter a password to have the stored passwords available, so not just anyone using your machine would have access.

Access Manager
Access Manager is a great free password management tool. Your passwords are safely encrypted with AES and Blowfish, the tool has a simple and easy to use interface, and like most of these applications you can install it onto removable media. A nice little function of this tool is the Password Selector: some secure websites ask for particular letters or numbers from your password when you log on, and the Password Selector makes this easy for you.

KeePass
The KeePass Password Safe is probably my favourite application (aside from my IronKey) for storing passwords. KeePass secures your passwords with AES and Twofish encryption, and it has what I think is a simple, easy to use interface, oh and it's free too. It doesn’t need to be installed on your system so you can easily run it from a thumb drive or other removable storage, and it also has a neat password generator. There are versions for Windows, Mac and Linux, so there should be something for everyone.

Keeper
Keeper Password and Data Vault is not a free tool, but there is a demo available before parting with your precious $15. I have heard good things about this product from others in the InfoSec community, but I have not used it myself. One advantage is that it works on the Mac, and for those with an iPhone you can sync your passwords, so that could be handy.

IronKey
I appreciate not everyone has an IronKey (not cheap, but awesome), but if you do you may want to consider using the inbuilt password manager and password generator. The IronKey uses AES like the other offerings, but it also has the advantages of the rest of the IronKey platform, specifically the hardware encryption.

I am sure there are many more solutions, but I think this gives you a little insight into what's available, so you can do your own research on these products as well as digging deeper into other applications and options for securing your precious passwords.

A little tip though: use a strong passphrase you won't forget, because if you do, you won't be getting easy access to your passwords. So don’t put it on a sticky on your screen. If you really do need to write it down, secure the paper somewhere safe and totally separate from your IT equipment, and don’t make it obvious what it's for… perhaps get a safe 😀

BitLocker To Go in Windows 7. How To In 5 Easy Steps.

Encryption is becoming more and more important with the increased usage of electronic media, especially when it comes to removable media.

Windows Vista was the first Microsoft OS to feature inbuilt encryption in the form of BitLocker; however, ideally you need a TPM (Trusted Platform Module), and it wasn’t all that easy to implement because of how the partitioning was set up at install.

With the release of Windows 7 they have made some improvements to the BitLocker implementation, making it much easier to turn on, as a small partition is now created as standard to store the relevant information. In addition they have also implemented BitLocker To Go, so that you can easily encrypt your removable storage.

Below is a simple step by step how to:

You will need Windows 7 Ultimate installed (it is not clear which other editions will have this feature at release), a USB storage device, and about 5 minutes of your time. The time will increase with the size of the storage device.

* It is important to note that BitLocker only supports Windows volumes, so currently you will be unable to open these on Mac, Linux or Unix platforms.

Step 1 – Insert your storage device into your machine. There is no need to remove data from the device, no information loss should occur as part of the encryption process.

Step 2 – Open up control panel and select “System and Security” and then select “BitLocker Drive Encryption”. Once the BitLocker screen has opened identify the removable storage device and click on the associated “Turn on BitLocker”.

BitLocker will now review the size and contents of your removable media, before starting the pre-encryption process.

Step 3 – You will now be prompted to set an encryption password, or associate a smart card to unlock your key. BitLocker uses a strong encryption algorithm (AES-CBC + Elephant Diffuser), but it is still important to set a strong passphrase. I would recommend 20 characters or more, including numbers, letters, and special characters (@!£#).

Enter your password in both boxes and select next.
A short password was used for this demonstration.

Step 4 – Create a recovery key. This is important so that in the event you forget your password you have an alternative method to access your data. You can print or save a file containing this key. Whatever option you select, store the outcome somewhere safe, and do not keep it with your removable storage device. Once you have stored or printed your key, continue by clicking next.

Step 5 – Encrypt your device. Once you're sure you want to encrypt your device, click “Start Encrypting”; if you have any doubts, now is the time to cancel.

You can monitor the encryption process. Obviously the time taken will depend on the size/capacity of the removable storage.

Once the process has completed, the message below will be displayed. All you need to do is press close and you're done.

To verify the encryption was successful you can go back into the BitLocker section in Control Panel.

Or in My Computer you will see your removable device has a new “open” padlock associated with it.

From now on when you insert your device you will be prompted to enter your passphrase or insert your associated smart card. It is possible to associate your removable media with your computer, but I would not recommend this.

You will also notice that if you don't enter the password, you have a closed padlock in My Computer.

If you decide to remove the encryption, simply open up Control Panel, select “System and Security” and then select “BitLocker Drive Encryption”. Once the BitLocker screen has opened, identify the removable storage device and click on the associated “Turn off BitLocker”. Obviously you will need to have authenticated yourself to the drive to allow this.
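For anyone who would rather script the same five steps (for example to roll BitLocker To Go out to a batch of USB sticks), here is the command-line equivalent using manage-bde.exe, the BitLocker tool that ships with Windows 7. This is an added example, not part of the original post; the drive letter E:, the recovery folder D:\bitlocker-recovery and the English-language status output are assumptions to adjust for your own machine.

```powershell
# Added example: scripted equivalent of the BitLocker To Go walkthrough above.
# Run from an elevated PowerShell prompt on Windows 7 Ultimate/Enterprise.
$Drive       = "E:"                      # assumption: the removable volume
$RecoveryDir = "D:\bitlocker-recovery"   # assumption: must NOT be on $Drive

# Step 1-2 equivalent: confirm the volume is present and not yet protected.
manage-bde -status $Drive

# Step 3-5 equivalent in one command:
#   -pw  prompts for the passphrase (twice) so it never sits in shell history
#   -rp  adds a 48-digit numerical recovery password (printed to the console)
#   -rk  also writes a recovery key file into the given folder
# Keep both recovery artefacts offline and away from the USB device itself.
New-Item -ItemType Directory -Path $RecoveryDir -Force | Out-Null
manage-bde -on $Drive -pw -rp -rk $RecoveryDir

# Same information as the progress dialog: poll until conversion is complete.
do {
    Start-Sleep -Seconds 10
    $status = (manage-bde -status $Drive | Out-String)
} until ($status -match "Percentage Encrypted:\s+100")

# Verification (the "back into Control Panel" check): list the protectors.
# You should see a Password protector and a Numerical Password protector.
manage-bde -protectors -get $Drive

# After re-inserting the device it is locked (closed padlock). To unlock:
#   manage-bde -unlock E: -pw                 # with the passphrase
#   manage-bde -unlock E: -rp <48-digit-recovery-password>
# To remove encryption again ("Turn off BitLocker"), once unlocked:
#   manage-bde -off E:
```

Note that the auto-unlock the post advises against is a separate protector you would only get by opting in with `manage-bde -autounlock`, so the script above leaves the device requiring the passphrase on every insert.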