A Few Options To Use Keepass Even More Safely

To use everyone’s favorite password tool Keepass more safely, enable the following options:

1) Enter master key on secure desktop. You can find this option in the security tab in the options dialog.

This option makes it very difficult for key loggers to steal the master password of your Keepass database while you enter it. Read more on it here.

2) Two-channel auto-type obfuscation. This option can be enabled only per password entry.

This option will paste parts of the password through the clipboard, making almost any keylogger useless. Read more on it here.

You will receive a warning that this option won’t work with all windows.


As long as you’re using Keepass mainly for passwords for web services, you should be fine.

I recommend you look around in the options dialog to see if you can tweak some more options for your security. Let me know in the comments if you find something that everyone should use.

Playing Android Games On Your Windows PC

And now, for something completely different 🙂

I once owned an Android phone. I didn’t only use it for making calls, I also played some games on it. When I disposed of the phone and didn’t get another Android phone, I had a problem. I still wanted to play my games.

After some searching, I found the answer: An Android emulator! You can download the BlueStacks App Player for Windows here. This App Player is free. It only asks to install some sponsored games while you use it. You don’t have to run them, but they have to be installed. Beside that, you’re totally free to install and run any app that you can find in the Play Store. You have to have a Google account, just as when using Android natively on your device.

Now just run the app…


Install your favorite game (in this screenshot, I’m updating)..


And play!

Alternatively, you can use Andy to play your Android apps. It’s also free. Have fun!

My First Essay: Using Elliptic Curve Cryptography

Another assignment 🙂 I decided to combine this with the requirement of six blog posts. Please post comments below or send me an e-mail.

This is my first argumentative essay, so please be gentle. Mind you, this is not university level.

This has been checked by the Word 2013 dictionary and my English teacher, so it should be relatively free of typos. Here goes!

s1072318_essay_using_elliptic_curve_cryptography_final

Securing your browsers: Internet Explorer

As third and last, I’ll show you how to secure your browser settings for Internet Explorer.

Internet Explorer is somewhat different because it doesn’t have its own settings for cipher suites. It gets those from the operating system. In Windows they are implemented in one of the SSPIs, namely SChannel. So to enable or disable cipher suites in IE, you need to enable or disable them in Windows.

First, let’s take care of the obvious. In IE there is an SSLv3 setting in the Advanced tab of the Internet Options. Uncheck this and IE will be POODLE-proof. SSL 2.0 should be unchecked by default.

Now, to disable cipher suites we could edit the registry. This is complicated and error-prone, so we are going to use a tool. Download IIS Crypto here. I recommend version 1.6 GUI for .NET 4.0.

Start the tool with elevated privileges and have most of the work done for you by clicking the Best Practices button. You’ll have to press the Apply button and restart for the changes to take effect.

I have edited the cipher suite order and put the ECDHE_ECDSA ciphers at the top of the list, followed by the ECDHE_RSA ciphers. I have tried disabling MD5 hashing but found that some applications for RDP were not working anymore. Disable every protocol before TLS 1.0 and every cipher suite above Triple DES 168. I tried disabling Triple DES 168, but some websites won’t work anymore because they are not updated to use the newer Elliptic Curve cipher suites yet. Please test what works for you and post in comments.

[Screenshots: IIS Crypto 1.6 build 7]

As you can see, I disabled all TLS_DHE_DSS suites and the RC4 suite. I use the 3DES_CBC suite as a fallback suite.

I also disabled a few RSA SHA256 and RSA SHA384 suites because Microsoft released a bad patch. The IIS Crypto site also tells us to disable these:

[Screenshot: Nartac Software IIS Crypto site]

This concludes my ‘series’ on how to secure your browser. It may be that these settings will be deprecated real soon. It might also be that you can use these safely for a few years. All depends on the progress and development in the field of cryptography. I will keep you updated.

Securing your browsers: Firefox

As a continuation of my previous post, I will now show you how to use secure settings with your Firefox browser. We still have to do the following:

  • Disable SSLv3 (this counters POODLE)
  • Disable RC4 cipher suites as much as possible
  • Disable SHA1 cipher suites as much as possible
  • Disable DES3 cipher suites as much as possible

I will use the most current version of Firefox, which is version 34.0(.5) as of now. The development team decided it was time to drop SSLv3 support by default, so they conveniently took care of the first point.

To get to the security settings, open the about:config page in the address bar. Take notice of the warning and proceed. Now type ‘ssl’ in the search box that has appeared and press Enter. You will see all SSL related settings. On the bottom of your page are the cipher suites. The last column indicates if the cipher suite is enabled or not. True is enabled, false is disabled.

Again, I have tested several cipher suites in the last months and have come to a workable situation. I advise you to disable the following settings starting from the bottom:

  • security.ssl3.rsa_rc4_128_md5;false
  • security.ssl3.rsa_camellia_256_sha;false
  • security.ssl3.rsa_camellia_128_sha;false
  • security.ssl3.ecdhe_rsa_rc4_128_sha;false
  • security.ssl3.ecdhe_rsa_des_ede3_sha;false
  • security.ssl3.ecdhe_ecdsa_rc4_128_sha;false
  • security.ssl3.dhe_rsa_des_ede3_sha;false
  • security.ssl3.dhe_rsa_camellia_256_sha;false
  • security.ssl3.dhe_rsa_camellia_128_sha;false
  • security.ssl3.dhe_dss_aes_256_sha;false
  • security.ssl3.dhe_dss_aes_128_sha;false

Some will be disabled by default.

In addition, I advise you to enable the following cipher suites, again starting from the bottom of the page. These are cipher suites that can provide Perfect Forward Secrecy and are not (publicly) known to have been compromised:

  • security.ssl3.rsa_rc4_128_sha;true (fallback cipher suite)
  • security.ssl3.rsa_aes_256_sha;true (fallback cipher suite)
  • security.ssl3.ecdhe_rsa_aes_256_sha;true
  • security.ssl3.ecdhe_rsa_aes_128_sha;true
  • security.ssl3.ecdhe_rsa_aes_128_gcm_sha256;true
  • security.ssl3.ecdhe_ecdsa_aes_256_sha;true
  • security.ssl3.ecdhe_ecdsa_aes_128_sha;true
  • security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256;true
  • security.ssl3.dhe_rsa_aes_256_sha;true
  • security.ssl3.dhe_rsa_aes_128_sha;true

Additionally, you can disable ssl3.rsa_aes_128_sha too in favor of ssl3.rsa_aes_256_sha, ssl3.dhe_rsa_aes_128_sha in favor of ssl3.dhe_rsa_aes_256_sha and ssl3.ecdhe_ecdsa_aes_128_sha in favor of ssl3.ecdhe_ecdsa_aes_256_sha. Almost all servers support the 256-bit version if the 128-bit version is also offered, so this way I force the one with the strongest encryption. Mind you, I have not tested this thoroughly.

Firefox will prefer other cipher suites before ssl3.rsa_rc4_128_sha, so this will really act as a fallback cipher suite. Your result should be similar to this:

[Screenshot: about:config]

Now, to check SSLv3 is disabled, type in ‘tls’ in the search box. You will see the setting security.tls.version.min;1. It should have the value ‘1’. Value ‘0’ will allow SSLv3.

[Screenshot: about:config]
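
An added example (not part of the original post): a small Python audit that reads settings in the about:config `name;value` form used in the lists above and reports which enabled suites still use RC4 or 3DES or lack forward secrecy, and whether `security.tls.version.min` permits SSLv3. The sample input is constructed from this post's lists, and the function names are illustrative.

```python
# Constructed sample in about:config "name;value" form, taken from the lists above.
SAMPLE = """\
security.tls.version.min;1
security.ssl3.rsa_rc4_128_md5;false
security.ssl3.ecdhe_rsa_des_ede3_sha;false
security.ssl3.rsa_rc4_128_sha;true (fallback cipher suite)
security.ssl3.rsa_aes_256_sha;true (fallback cipher suite)
security.ssl3.ecdhe_rsa_aes_128_gcm_sha256;true
security.ssl3.ecdhe_ecdsa_aes_256_sha;true
security.ssl3.dhe_rsa_aes_256_sha;true
"""

WEAK = {"rc4": "RC4", "des_ede3": "3DES"}  # primitives the post wants minimized
PREFIX = "security.ssl3."

def parse_prefs(text):
    """Parse 'name;value' lines into a dict of bool/int values."""
    prefs = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition(";")
        if not sep or not value.strip():
            continue
        token = value.split()[0]  # drop trailing notes such as "(fallback ...)"
        if token in ("true", "false"):
            prefs[name] = token == "true"
        elif token.isdigit():
            prefs[name] = int(token)
    return prefs

def audit(prefs):
    """Return findings for enabled suites and the minimum protocol version."""
    findings = []
    # Assumption: an absent pref means the default, which the post says excludes SSLv3.
    if prefs.get("security.tls.version.min", 1) < 1:
        findings.append("security.tls.version.min: SSLv3 allowed")
    for name, enabled in sorted(prefs.items()):
        if not name.startswith(PREFIX) or enabled is not True:
            continue
        suite = name[len(PREFIX):]
        issues = [label for tok, label in WEAK.items() if tok in suite]
        # Only ephemeral (EC)DHE key exchange gives forward secrecy.
        if not suite.startswith(("ecdhe_", "dhe_")):
            issues.append("no forward secrecy")
        if issues:
            findings.append(f"{suite}: {', '.join(issues)}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_prefs(SAMPLE))))
```

With the sample above, only the two fallback suites are reported: both use plain RSA key exchange, and one of them is RC4.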

You can test your browser and the cipher suites it uses here or here. It should be these:

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_RC4_128_SHA

or these:

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_RC4_128_SHA

Next post will handle the same settings for Internet Explorer.

2014 in review

Dear readers,

Thanks again for your support in the past year 2014. I hope to create more posts in 2015 as 2014 was a slow year. Personally, the amount of work (done) in 2014 was crazy. And adding the study and my three kids, 2014 was everything but slow.

Thanks for visiting and I hope to see you around in 2015.

Here’s an excerpt:

The Louvre Museum has 8.5 million visitors per year. This blog was viewed about 110,000 times in 2014. If it were an exhibit at the Louvre Museum, it would take about 5 days for that many people to see it.

Click here to see the complete report.
