Encryption tools are essential for sending and receiving information over the Internet. Encryption also helps us safeguard our stored data and make sure unsavory parties aren't gaining access to information they shouldn't see. Industries like health care and government use encryption to protect patients and citizens from identity theft and other forms of online fraud.
But what happens when encryption isn't enough? Password managers like KeePass and LastPass are useful tools that help you keep track of your passwords and secure them against security hazards, but these managers have also recently been the subject of a number of security incidents. This prompts the question: What do you do when the thing that is supposed to keep your passwords safe gets hacked?
In 2015, password manager LastPass discovered that some master passwords and email addresses had been compromised in a data breach. According to Forbes contributor Kate Vinton, the company's CEO announced the breach in a blog post, revealing that some of this confidential information had been stolen in an attack against the company's user vaults. Beyond telling customers to immediately change their master passwords and assuring them that their confidential data was safe, LastPass didn't provide any information as to the nature of the attack or when it took place. Gizmodo contributor Kate Knibbs noted that this hack was the second against LastPass in four years, which indicates that even though the hackers didn't get beyond the program's encryption protection, there are certainly holes in its security in general.
Data breaches like this are common, with the Identity Theft Resource Center putting the number for 2015 at around 781, but the whole point of investing in a password manager is to make sure your confidential information stays behind the Internet walls you've erected. That's why it's so critical that the places you choose to keep your data secure provide the right kind of protections – and that you strengthen the capabilities of encryption tools like password management software by incorporating other solutions into your cyber security repertoire.
This wasn't the first or even the second time an attack like this had occurred. According to Trend Micro researchers, in 2014 cyber security experts found massive vulnerabilities in other password managers. At the time, senior threat researcher David Sancho suggested using complex passwords created using an easily remembered algorithm, making password managers unnecessary. However, for those who continue to use such a program, it's essential to make sure you're supplementing your encryption tools with other effective cyber security solutions.
KeePass and KeeFarce
Most recently, a password manager program called KeePass was targeted by malicious software called KeeFarce. According to Ars Technica, KeeFarce can decrypt entire password databases and then write that information to an easily accessible file for hackers to read. These hackers can run it on computers they already have control over, making it a dangerous program that you need to protect your system against.
"Indeed, if the operating system is owned, then it's game over," said cyber security researcher Denis Andzakovic. "The point of KeeFarce is to actually obtain the contents of the password database. Say a penetration tester has achieved domain admin access to a network but also wants to obtain access to networking hardware, non-domain infrastructure, et cetera. The tester can compromise a sysadmin's machine and use the tool to swipe the password details from the KeePass instance the sysadmin has open."
KeePass saves password data locally, which is why hackers are able to access that information on computers they already control. According to Knibbs, Web-based password manager programs store information in the cloud, whereas tools like KeePass and LastPass store the data locally on your computer or mobile device. While cloud security has increased since its inception, it is still traditionally looked at as more vulnerable than on-premises data storage solutions, which may lead many to invest in tools like KeePass instead. However, this most recent hack perpetrated against KeePass is an indication that locally saved data isn't completely safe, either.
Cyber security tools you can count on
Encryption and encryption tools are critical aspects of your online privacy and security, but what happens when these programs aren't enough to guarantee your complete safety in the online realm? The answer is to stave off targeted attacks by using a combination of cyber security solutions. In addition, according to Trend Micro researchers, it's critical that you perform scheduled updates on your machines, like the ones in the March patch bulletin. All of these steps are essential in creating a unified front against hackers and malicious programs.
Encryption is a necessary aspect of sending and receiving data over the Internet, but there can even be vulnerabilities within encryption tools. Investing in cyber security software can close the gaps and help make sure systems are safe.