Security Update for Keeper Browser Extension

by Craig Lurey, CTO at Keeper Security, Inc. – August 26, 2016

Keeper holds the security of our customers and their data as our highest priority.  To mitigate the possibility of an online clickjacking attack during a browser session, we have updated our Keeper Browser extension.  We have made two security enhancements based on the analysis provided by Tavis Ormandy, a highly-respected security analyst at Google.

Yesterday, we received a report regarding this potential security risk.  It related to a security threat that could potentially be exploited by a clickjacking attack using an on-page feature of the browser extension.  In this scenario, a malicious website with intent to attack the extension could entice a user to click on the Keeper lock icon and take advantage of our “Search” feature with the goal of attempting to extract a credential from the vault.

We immediately addressed and resolved this potential vulnerability by removing the “Search” and “Add to Existing Record” features from the on-page browser extension user interface as seen below:

Removing the Search feature

Removing the “Add to Existing Record” feature

This change has been published on the Chrome, Firefox, Safari and IE extension and will automatically update for all users.

If you have any questions about this extension update, please contact support@keepersecurity.com.

8 Most Common Password Mistakes

A friend recently told me a scary story about why he changed the password on his account with one of the leading online securities trading firms. He was perusing his six-figure portfolio when it occurred to him that he hadn’t changed his password in a while. Quite a while, it turned out; about nine years.

He was further dismayed to realize that the password he had been using all that time – the name of a beloved pet followed by a single number – could probably be guessed by anyone who followed him on social media. For a sophisticated password cracking program, guessing it would be a layup.

Surprisingly, many online services don’t regularly challenge customers to change their passwords, despite the fact that password-cracking technology has advanced by leaps and bounds. Bad guys now follow their victims on social networks to mine keywords that they feed into malicious programs that use machine intelligence to test variations until the door is unlocked. A small fortune may be protected by the cyber security equivalent of tin foil.

No one likes passwords, but they are more important than ever these days. And the ones that worked for you five years ago are probably useless today. If your money, health records or any other personally identifiable information (PII) is at stake, you owe it to yourself to use a secure, random code that a machine can’t guess. As you go about resetting your passwords, avoid these eight common mistakes.

  1. Using the same password everywhere

The easiest way to remember a password is to use only one, but that’s also the fastest route to disaster. Once a successful phishing attack captures that password – and studies have found that as many as 97% of people can’t detect a phishing email – the attacker essentially has the keys to the kingdom. While it’s probably okay to use the same password for sites that don’t store any PII, you should use different and secure passwords in any situation where your identity or financial information could be compromised.

  2. Varying passwords with a single character

This is a trap many people fall into when asked to change their passwords; they comply by changing a “12” to a “13.” Password-guessing programs are wise to this trick and can sniff it out in seconds.

A variation of this dangerous practice is to include a non-alphanumeric character by tacking “!” onto the end of your existing password. That’s the oldest dodge in the book, and password crackers are wise to it. Non-alphanumeric characters should be used within the password, not at either end.

  3. Using personal information in passwords

Avoid using names of relatives, celebrities, sports teams, pets or any other common terms in your passwords. Cracking software automatically looks for the most common combinations like Yoda123. Don’t think that you can protect yourself by invoking personal information like the name of a loved one or your high school mascot. Social networks make it straightforward for crooks to harvest that information.

You also shouldn’t assume that adding a string of characters to a common name is protection enough. Password crackers know this trick and cycle through combinations of common names and numbers until they hit the right one. The only safe password is one with random – or seemingly random – sets of characters.

  4. Sharing passwords with others

You might have the strongest password in the world, but if you share it with someone who stores it in an email account protected by “qwerty,” it won’t make a bit of difference. Your passwords are for your eyes only.

  5. Using passwords that are too short

A decade ago, a five- or six-character password was enough to beat most cracking programs, but computers are so much faster now that a six-character password can be guessed by a brute-force attack. Think 12 characters at a minimum.

  6. Storing passwords in plain text

One easy way to remember passwords is to store them in a spreadsheet or mail them to yourself. Bad idea. Have you heard of ransomware? It’s the fastest-growing category of malware. Criminals hold your data hostage until you pay them a ransom. In the meantime, they scour your hard drive looking for anything that resembles a password list. Once they find it, the ransom payment is the least of your problems.

  7. Using recognizable keystroke patterns

“1qaz2wsx” may seem like a pretty tough password to guess until you look at your keyboard and notice the pattern. A random series of letters and numbers must be truly random to have a chance.

  8. Substituting numbers for letters

This used to be an effective technique, but “Spr1ngst33n” doesn’t survive a determined attack any more. The software is on to that trick.

Your best bet is to use a password manager protected by strong encryption. The best ones generate secure passwords for you and give you total protection with two-factor authentication.
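As an added illustration (not part of the original post), the Go program below flags the mistakes from this list that a checker can actually see: verbatim reuse (1), a single-character variation of an earlier password (2), a common word dressed up with trailing characters or number-for-letter swaps (3 and 8), fewer than 12 characters (5) and keyboard walks (7). The word list, keyboard rows and leetspeak table are constructed samples standing in for the far larger dictionaries cracking tools carry; sharing (4) and plaintext storage (6) are habits no checker can detect.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// commonWords stands in for the dictionaries cracking tools carry (names, pets,
// teams, pop culture); it is a constructed sample, real lists hold millions.
var commonWords = []string{"password", "yoda", "springsteen", "fluffy", "princess", "starwars", "login"}

// keyboardRows: a run along any of these, forwards or backwards, is a recognisable pattern.
var keyboardRows = []string{"1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm", "1qaz2wsx3edc4rfv5tgb6yhn7ujm8ik9ol0p"}

// leet undoes common number-for-letter swaps (a simplification: "1" is always read as "i").
var leet = strings.NewReplacer("0", "o", "1", "i", "3", "e", "4", "a", "5", "s", "7", "t", "@", "a", "$", "s")

// normalize strips the decoration mistakes 2, 3 and 8 rely on: a trailing run of
// digits or punctuation, letter case, and leetspeak substitutions.
func normalize(pw string) string {
	core := strings.TrimRightFunc(pw, func(r rune) bool {
		return unicode.IsDigit(r) || unicode.IsPunct(r) || unicode.IsSymbol(r)
	})
	return leet.Replace(strings.ToLower(core))
}

func reverse(s string) string {
	b := []byte(s)
	for i, j := 0, len(b)-1; i < j; i, j = i+1, j-1 {
		b[i], b[j] = b[j], b[i]
	}
	return string(b)
}

// keyboardWalk reports whether any 5-character window of pw runs along a keyboard row.
func keyboardWalk(pw string) bool {
	for i := 0; i+5 <= len(pw); i++ {
		win := pw[i : i+5]
		for _, row := range keyboardRows {
			if strings.Contains(row, win) || strings.Contains(reverse(row), win) {
				return true
			}
		}
	}
	return false
}

// Check returns one finding per mechanically detectable mistake in pw; previous
// holds the user's other or earlier passwords (for the reuse and single-character checks).
func Check(pw string, previous []string) []string {
	var findings []string
	if len([]rune(pw)) < 12 {
		findings = append(findings, "mistake 5: fewer than 12 characters")
	}
	core := normalize(pw)
	for _, w := range commonWords {
		if core == w {
			findings = append(findings, fmt.Sprintf("mistakes 3/8: common word %q with only trailing or leetspeak decoration", w))
			break
		}
	}
	for _, old := range previous {
		if old == pw {
			findings = append(findings, "mistake 1: password reused verbatim")
			break
		}
		if normalize(old) == core {
			findings = append(findings, "mistake 2: differs from a previous password only in trailing characters, case or leetspeak")
			break
		}
	}
	if keyboardWalk(strings.ToLower(pw)) {
		findings = append(findings, "mistake 7: keyboard pattern")
	}
	return findings
}

func main() {
	for _, pw := range []string{"Yoda123", "1qaz2wsx", "Spr1ngst33n", "Fluffy13"} {
		fmt.Printf("%-12s %v\n", pw, Check(pw, []string{"Fluffy12"}))
	}
}
```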

Keeper for DevOps: More Than Just Passwords

By Craig Lurey, CTO & Co-founder of Keeper Security

Keeper is awesome for DevOps teams. Back when we first created Keeper, our goal was to build a digital vault that was ultra secure but also easy to access and use. Website passwords are just one of many types of sensitive information that Keeper can protect.

Unlike other password managers, Keeper is focused on the secure storage and management of all types of private, highly sensitive data – passwords, SSH keys, SSL Certificates, RSA Keys, server logins, confidential notes, top secret files/photos/videos and anything else you need to protect.

We offer a few different ways of storing content outside of Usernames and Passwords. You can use Custom Fields, File Attachments and Secure Notes.

Custom Fields

Custom Fields are a powerful way to save information in your Keeper vault without being forced into a predefined template. Just add a custom field, name it (or select a previously used field name) and save it. For example, you could create custom fields on the fly called “AWS Access Key” and “AWS Secret Key” to store your Amazon AWS credentials. You can also create custom fields that contain the complex command-line utilities that you and your DevOps team use.

File Attachments

Another way to store information in the Keeper vault is the Secure File Storage feature. Simply drag and drop an SSH key or certificate file into the record in your Desktop App or Web App. Keeper instantly encrypts the file and stores it in your vault. It is then synced to your other devices and computers with complete end-to-end encryption.

Secure Notes

It’s quick and easy to create a record in your vault and add text notes. For example, you can add a note with instructions on how to log in to a server remotely, or other multi-line content that is too sensitive to be checked into a source code repository.

Sharing Private Keys

Within a DevOps team, it’s important to be able to share private keys and other access credentials with the highest levels of security but with convenient, on-demand access. Keeper can be used to securely and easily share confidential data.  When you share information from within the Keeper system, your information is protected by the highest level of encryption and an impenetrable zero-knowledge architecture.   

Simply click on the “Share” button from your Keeper vault record and type in the Keeper email address of the person you are sharing with. If you are a Keeper Business customer, you can also share to an entire team with one click.  Full access rights (view, edit, share) can be assigned per-user or per-team.

It’s also really easy to add vault records into a shared folder.  Shared folders give teams the flexibility to just add a record into a folder and everyone receives it instantly and securely.

Zero Knowledge Security

Keeper is the only zero-knowledge solution in the industry.  This means that we do not have access to ANY of your data, the encryption keys that decrypt your data, your files, or your master password.  It’s critical that you use a zero-knowledge platform to store data which could cause irreparable harm to your business or personal life.

Zero Knowledge is a system architecture that guarantees the highest levels of security and privacy by adhering to the following principles:

  1. Data is encrypted and decrypted at the device level (not on the server)
  2. The application never stores plain text (human readable) data
  3. The server never receives data in plain text
  4. No employee or intermediary can view the unencrypted data
  5. The keys to decrypt and encrypt data are derived from the user’s master password
  6. Multi-Layer encryption provides access control at the user, group and admin level
  7. Sharing of data uses Public Key Cryptography for secure key distribution

Data is encrypted on the user’s device before it is transmitted and stored in Keeper’s digital vault. When data is synchronized to another device, the data remains encrypted until it is decrypted on the other device.

Keeper is the most secure, certified, tested and audited password management and digital vault in the world. We are the only SOC2 certified password management solution in the industry and certified by TRUSTe for online privacy. Not only do we implement the most secure levels of encryption, we also adhere to very strict internal practices that are continually audited by third parties to help ensure that we continue to develop secure software.  Detailed information about our Zero-Knowledge security platform can be found at https://keepersecurity.com/security.html.

New Release Available for Download: Keeper for Desktop V10

Keeper’s engineering teams are working around the clock to provide you with the strongest experience on all major platforms and devices. Today, we’re excited to bring you the latest version of Keeper Desktop.

Keeper Desktop is a cross-platform password manager and digital vault providing encrypted storage and seamless cloud synchronization on Windows, Mac and Linux.  

This new version delivers:

  • UI refinements and enhancements
  • Performance enhancements including faster login, searching and syncing
  • Support for multi-select drag and drop for shared folders
  • Support for Keeper Business enforcements, including master password strength and expiration, mandatory two-factor authentication and cloud backup

Download Keeper Desktop 10 Now

The Keeper 10 Quick Start Guide can be found here

Please contact our support team at support@keepersecurity.com if you have questions.

Protect and Preserve Your Family Legacy with the Keeper Family Plan

In an increasingly digital world, families everywhere struggle to keep track of passwords, files, documents and other sensitive information. Families share nearly everything – files, photos, videos, Internet accounts, security system codes and personal identification numbers.

Reusing simple, easy-to-remember passwords is a huge problem. In fact, more than 60% of cyber breaches occur due to weak or stolen passwords. Hackers target everyone from young adults to the elderly, stealing their identities, money and digital assets.

Introducing the Keeper Family Plan

You can now protect your whole family (up to 5 people) for one low price of $59.99/yr. Keeper Family Plan secures passwords, private files, photos and videos and lets you securely store and share these between family members with ease.

Keeper Family Plan includes the following benefits:

  • Up to 5 users with private vaults
  • Unlimited password storage
  • Unlimited devices + sync
  • Unlimited secure cloud backup
  • Unlimited secure record sharing
  • 10GB Secure File Storage
  • Fingerprint login
  • Web app
  • 24/7 support

Upgrading your existing Free or Paid plan is quick and easy – Sign Up Now!

Customer Survey: Keeper for Business Takes Less Than an Hour to Deploy (Infographic)

The effectiveness of security technology depends on whether it’s being adopted by users, yet it’s rare to see a security solution that offers a fast time-to-security and ease of use. We surveyed a variety of Keeper for Business customers and found that on average, Keeper for Business takes less than an hour to deploy.

See the infographic below (click to expand):

Keeper Deployment Infographic

Learn more about Keeper for business at https://keepersecurity.com/business

Feb. 1 Was Change Your Password Day: Why You Should Care

Weak passwords: there’s no excuse for them, yet we still see so many people using them. The problem is often disregarded as unimportant, and it stems from not having even a basic level of security education and awareness. Weak passwords and password reuse account for over 70% of all computer and internet account breaches. People hate creating passwords and, even more so, have a tough time remembering them. It’s a simple function of human nature that we call “password fatigue.”

Last month, a survey was published with the most common leaked passwords during data breaches that occurred throughout 2015. Once again, “123456” and “password” dominated the top of the list and new ones appeared, such as “starwars”, “princess” and “login”. While many consumers are attempting to use longer passwords, they remain so simple that most hackers could guess them.

As we celebrate “National Change Your Password Day,” it only makes sense to remind people everywhere that most online breaches are caused by weak or stolen passwords.  Every time there’s a new breach, your personal data is leaked to cyber criminals who can use it as bait for phishing scams, to steal your credit card information, social security number, tax information or more. And once you’ve clicked on that link – accidentally or not – hackers can now implant a keystroke logger onto your laptop or mobile device, embed malware and ultimately steal your information, money and worse, your identity.

The cybercriminal playbook doesn’t change much for businesses either. One weak, cracked password or an employee falling for a phishing scam could yield a data breach that could ultimately put a company out of business, or cost them millions of dollars to recover.

As the CEO of Keeper Security, the leading global password management application, I advise people on how to protect themselves and their personal information. Here are some quick tips for improving your overall password security:

  1. Use a secure password manager. Utilizing a password manager like Keeper allows you to create randomly generated secure passwords for all of your sites, so you do not have to fall back on simple passwords, reuse the same password, or keep passwords on sticky notes or in Word files. The average person has over 25 passwords to remember and there is no possible way to remember all of them. A strong password manager like Keeper can give you peace of mind knowing that your data is encrypted and safe from cybercriminals.
  2. When resetting your passwords, be careful about the reset questions you choose. It’s easy to forget passwords for your various accounts and click on the reset button to get an email prompting you to pick another password. As a form of increased security, most sites ask you “security questions” that you must answer to enable a password reset. The questions are typically very simple: “What’s your maiden name?” or “What was the street you lived on growing up?” These questions are very easy to guess, especially with social media giving away so much personal data. Try to pick a question that nobody can guess to help increase the security of your password resetting feature.
  3. Use two-factor authentication. Many sites offer 2FA now, so you should turn it on at all times – for your bank accounts, Gmail accounts, Facebook, Twitter, etc. You should always choose more security over less!
  4. Change your passwords regularly. If you choose to not use a password manager, you should be vigilant about choosing strong, complex passwords and changing them every month or so. You must use unique passwords for each account and not recycle them. Enterprises should enforce password changing with employees every 100-120 days, as a standard business practice.
  5. Audit your passwords and your own personal security when data breaches occur, especially those that impact you directly. Every time a major data breach occurs, it’s important to be proactive and take precautionary measures to change your passwords immediately, as your personal data most likely leaked during the breach. It’s also not a bad idea to double check that your software and apps are updated regularly on both your personal computers and mobile devices and run your antivirus checks as well.

We hope you will take these security tips seriously — not only on National Change Your Password Day, but every day.

Keeper Security’s Top 5 Security Predictions for 2016

2015 was a record breaking year for data breaches impacting almost every sector – healthcare, education, financial services, retail, the federal government and more. During the first three quarters of the year, over 3,000 data breaches were reported. Of course, the most eye-opening breach of all was at the Office of Personnel and Management (OPM), where the sensitive data of more than 21.5M federal workers and contractors was exposed, as well as biometric data. Every time there’s a new breach where data leaks out, it’s just another opportunity for cyber criminals to use the exposed data to steal identities and carry out other malicious deeds.

As we look ahead into 2016 and beyond, we predict the following events:

  • Hackers will exploit weaker supply chain partners. There is a trickle down effect when data breaches occur and supply chain partners are not immune. Once forensic analysis and investigations are completed, there’s often a clearer understanding of how a breach happened in the first place. With the Target and Anthem attacks, not only were employees and customers impacted, but others who were connected to the breached victims were put at risk as well. It is widely known that the hackers first gained access into Target’s system through one of its HVAC vendors. In 2016, we’ll see more B2B companies not only invest heavily in their own security upgrades but also demand a higher level of security from their partners.
  • Hackers will get more creative and breach a hot new target: IoT devices. According to Gartner, by 2050, there will be over 20 billion connected devices in our homes and in the workplace. Wearable products such as the Apple Watch, fitness trackers and new “smart” objects such as household appliances and connected cars were counted among 2015’s hottest products. With new technology come new security threats. In 2016, we expect the security holes exposed by IoT to dwarf today’s traditional cyber threats. With expansive user bases scattered in the cloud and among third-party vendors, IoT devices running mobile applications can be hacked or riddled with malware, with the potential to affect millions.
  • Encryption technology will become the norm.  There is an ongoing debate among government agencies and technology providers regarding the use of encryption. Encryption provides a much stronger layer of protection for consumers and businesses which prevents government actors from accessing files and communications.  While governments may want access to certain individual assets, technology companies who open the doors to one individual or agency provide an opening for any hacker to penetrate that system.
  • Wearable devices will force BYOD policy changes. Now that wearables like the iWatch are the new “norm,” companies will have to adjust their BYOD policies to accommodate for all IoT devices brought into the workplace — not just smartphones. According to a survey from IT staffing firm Modis, 90 percent of employees surveyed were interested in receiving a wearable device from their employer to complete work tasks and 60 percent said they would be extremely interested in using such a device at work. As employees begin to use wearables for work-related activities, IT security teams will have to rethink how these will impact the company and revamp security policies and employee training.
  • OEMs will implement greater security in their products. In 2016, original equipment manufacturers (OEMs) will integrate security features into the hardware and software layers of a device from the onset of design, rather than as an afterthought. By preloading mobile devices with security apps, customers are immediately protected from the moment their phone is booted up. As a result, consumers will feel more secure using their mobile devices for things like e-commerce transactions and web browsing, potentially reducing the number of software security patches OEMs are responsible for.

Yes, mobile technology is bringing new, sophisticated cyber threats into our workplaces and homes, but it’s also bringing greater convenience and productivity. As we adapt to this new landscape, cybersecurity investments cannot be overlooked.

Wi-Fi Sync Removal

Keeper has removed its Wi-Fi syncing feature. We’re now auto-enabling our Cloud-based Internet Syncing feature for all users. This is great news for users – it simplifies the user experience, reduces confusion, enhances the product and increases security.

Keeper’s Internet Sync feature is the most secure way to sync information between your devices and protect your data in case your device is lost, stolen, damaged or replaced. It works instantly across all devices, computers and web browsers – and no configuration is required.

Security is our #1 priority. Keeper is a zero-knowledge security provider. Zero Knowledge is a system architecture that creates the highest levels of security and privacy by adhering to the following principles:

1. Data is encrypted and decrypted at the device level (not on the server)
2. The application never stores plain text (human readable) data
3. The server never receives data in plain text
4. No employee or intermediary can view your data
5. The keys to decrypt and encrypt data are derived from the user’s master password
6. Multi-Layer encryption provides access control at the user, group and admin level
7. Sharing of data uses public key cryptography for secure key distribution

Data is encrypted on the user’s device before it is transmitted and stored in Keeper’s digital vault. When data is synchronized to another device, the data remains encrypted until it is decrypted on the other device.
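The seven principles above (the same list appears in the Keeper for DevOps post earlier on this page) describe an architecture pattern, not Keeper’s implementation. The Go program below is an added example, not Keeper’s code: it derives a vault key from the master password on the device, seals a record under a random record key with AES-GCM, wraps that record key once for the owner under the vault key and once for a recipient under the recipient’s RSA public key, and then confirms that nothing the server would store contains the plaintext. The fixed salt, the key sizes and the single-block PBKDF2 written out by hand are assumptions made so the example needs only the standard library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// DeriveKey: master password -> 32-byte vault key on the device (principle 5); one block of PBKDF2-HMAC-SHA256 (RFC 8018).
func DeriveKey(master string, salt []byte) []byte {
	mac := hmac.New(sha256.New, []byte(master))
	mac.Write(append(append([]byte{}, salt...), 0, 0, 0, 1)) // salt || INT(1)
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < 100000; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// EncryptRecord seals data with AES-256-GCM; output is nonce || ciphertext || tag.
func EncryptRecord(key, plaintext []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// DecryptRecord reverses EncryptRecord; a wrong key or a tampered blob is an error.
func DecryptRecord(key, blob []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// ShareRecordKey wraps a record key for a recipient with RSA-OAEP (principle 7);
// the server relays the wrapped key but cannot open it.
func ShareRecordKey(pub *rsa.PublicKey, recordKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, recordKey, nil)
}

// ShareFlow runs the architecture end to end for one record and returns what the
// owner and the recipient decrypt, plus whether any server-held blob contains the secret.
func ShareFlow(master string, secret []byte) (owner, recipient []byte, serverLeaks bool) {
	salt := []byte("constructed-salt") // constructed; real clients use a random per-user salt
	recordKey := make([]byte, 32)
	must(rand.Read(recordKey))
	priv := must(rsa.GenerateKey(rand.Reader, 2048)) // recipient's key pair, made on their device
	sealed := EncryptRecord(recordKey, secret)
	forOwner := EncryptRecord(DeriveKey(master, salt), recordKey)
	forRecipient := must(ShareRecordKey(&priv.PublicKey, recordKey))
	// Owner device: re-derive the vault key, unwrap the record key, decrypt locally (principle 1).
	owner = must(DecryptRecord(must(DecryptRecord(DeriveKey(master, salt), forOwner)), sealed))
	// Recipient device: unwrap with the private key that never left the device, decrypt locally.
	recipient = must(DecryptRecord(must(rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, forRecipient, nil)), sealed))
	for _, b := range [][]byte{sealed, forOwner, forRecipient} { // principle 3
		serverLeaks = serverLeaks || bytes.Contains(b, secret)
	}
	return
}

func main() {
	o, r, leaks := ShareFlow("correct horse battery staple", []byte("deploy key (constructed sample)"))
	fmt.Printf("owner=%q recipient=%q server-sees-plaintext=%v\n", o, r, leaks)
}
```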

Keeper is the most secure, certified, tested and audited password management and digital vault in the world. Keeper is the only SOC2 certified password management solution in the industry and certified by TRUSTe for online privacy. Keeper uses the most secure levels of encryption and adheres to very strict internal practices that are continually audited by third parties. As a company, we do this to create the best product in our industry and most importantly, honor your security. Detailed information about our zero-knowledge security platform can be found at https://keepersecurity.com/security.html.

If you have any questions, please contact support@keepersecurity.com.

5 Tips for Safer Holiday Shopping in Stores & Online

‘Tis the season for holiday shopping and hackers! As Black Friday and Cyber Monday approach us, the two biggest shopping days of the year, it’s imperative that consumers everywhere follow some simple steps to protect themselves and their wallets. This level of security awareness should not only apply during the holiday season but ALL the time. Remember, cyber criminals work around the clock – 24x7x365 – which is why you need to protect yourself around the clock too!

As you probably know, 2015 brought another overload of data breaches across many sectors including retail, and as a result, many consumers have had their personally identifiable information (PII) exposed. And with each breach, more PII can fall into the hands of hackers, resulting in identity theft which is never easy to clean up.

So to help consumers this holiday shopping season, we’re offering some helpful tips and reminders for keeping consumers secure, both online and in stores:

  1. Update your anti-virus and computer software regularly. And if you don’t have anti-virus, get it immediately. However, be careful where you download your AV from because there are a lot of fake AV scammers out there. Go to the website of the AV provider directly to download it safely and double check ratings on sites like PC Magazine and ZDNet to find the best one for you.
  2. When to use cash vs. credit? Whenever possible, use cash for your transactions in stores. Just remember to keep all your receipts either printed out or via email in case you have to make a gift exchange. When shopping online, it’s always a better idea to use a credit card versus a debit card. That way, if there are fraudulent charges made to your account, you can dispute them with your credit card provider more easily.
  3. Do not use public Wi-Fi. It’s never a good idea to use public Wi-Fi from airports, coffee shops, restaurants and more, and certainly not when you are shopping online and transacting with retailers using your credit cards. Public Wi-Fi is a great attack vehicle for online cyber criminals who can spy on your activity through man-in-the-middle attacks. Use a private home Wi-Fi connection or your own personal hotspot available inside your phone.
  4. Ensure you are using SSL-encrypted websites whenever you transact. While not foolproof, make sure the website you are using has an HTTPS connection in the web address (look for the “S”, which stands for “secure”, and the little padlock in the upper left-hand corner). This will at least give you peace of mind that your connection is encrypted, which prevents cybercriminals from eavesdropping on your traffic.
  5. Use a strong password manager and digital vault. The average person has 19 passwords to remember but 1 in 3 passwords are not strong enough. Utilizing multiple passwords (and recycling the same 3 or 4) makes it nearly impossible to keep them all straight when you’re shopping on Amazon.com, Target.com, Macys.com and more. It’s a much better idea to use a password manager like Keeper that gives you one master password to remember and uses military grade encryption to ensure any data inside the Keeper digital vault remains secure at all times. Password managers alleviate the headache of managing too many passwords and will only make your life easier.

Hopefully, these simple security tips will help to ensure a safer and more secure holiday for all and keep the cyber criminals locked away with the naughty elves and a lump of coal!

Cheers!

The Keeper Support Team