KeePassDroid makes recalling passwords as easy as copy/paste and also includes a password generator for creating strong passwords.

KeePass ports like KeePassDroid store passwords in an encrypted file that can be easily shared between devices. That’s where Dropbox comes in. When used together with DropBox, password files can be automatically synced between platforms and across devices.

To use KeePass and Dropbox together to manage passwords that easily sync between devices:

1. Install DropBox on your PC/Mac and Android device
2. Put a KeePass port on each of the same devices
3. Move the KeePass KDB database files to the Dropbox cloud

That’s it! Those concerned about storing their passwords in a cloud can rest easy knowing the KeePass databases are stored encrypted using some of the strongest ciphers in existence today. So unless you’re protecting the kind of info that might one day end up on WikiLeaks, you’ve got little to worry about in storing your KeePass data online.

Fake virus scan running in Google Chrome

After a few seconds on the page the following occurred:

• Result page successfully hijacked and a faux Windows Explorer interface loaded.
• A fake virus scan ran in the look-alike Explorer window, conveniently uncovering trojans and other malware.
• Alerts, dialogs and phony windows displayed in an attempt to execute a little social engineering.

After attempting to interact with the document the following occurred:

• A potentially threatening program file download initiated if you clicked on anything in the page.
• Additional warning dialog and pop-up window displayed on attempting to unload the page (e.g. hit the back button).
• Intermittently, the Google Chrome 3.0 back-button and tab [x] icon stopped functioning as expected.

The last point was of particular interest at first, as it is not like modern browsers to allow websites to modify browser functionality. But after some additional research, it was clear the hijack was more complex than a page titled with search engine optimization in mind. This article will study the hijacking in some technical detail, discuss the black hat SEO techniques used to get the rogue application listed on Google and how the app was able modify the expected functionality of browser controls in Chrome 3.0.

The bait and switch

How does activating a seemingly innocuous (and tasty) link from Google land someone on a potentially dangerous page? 302. HTTP 302 that is.

After locating the offending link on Google, I used a client-side proxy to trap the HTTP headers for a play-by-play review:

GET http://woodstockfolkmusic.com/bftwe/tiijy/carne.php HTTP/1.1
HTTP/1.1 302 Found
GET http://goodstats1.net/in.cgi?2 HTTP/1.1
HTTP/1.1 302 Found
GET http://sunstats1.net/in.cgi?default HTTP/1.1
HTTP/1.1 302 Found
GET http://sunstats1.net/redirect3/ HTTP/1.1
HTTP/1.1 302 Found
GET http://bookletantcars.cn/?pid=283s01&sid=2a15a0 HTTP/1.1
HTTP/1.1 302 Found
GET http://wwwantispyware10.com/scan1/?pid=283s1&engine=%3D3W59jDuNTIuMTUxLjE1MyZ0aW1lPTEyNTE2NYcMOAkN HTTP/1.1
HTTP/1.1 200 OK

Stepping through the sequence we can see the initial GET request followed by a 302 redirect response. Several redirects later and the browser successfully arrives at destination malware, beef stew long forgotten.

Black hat inside

The next thing I tried was to analyze the source of the PHP file cataloged by Google, which was not difficult for two reasons:

1. Directory listing was enabled on the web server, and
2. Navigating directly to the PHP file caused the page to load without redirect.

The PHP file was stowed away on woodstockfolkmusic.com (which appears to be a legitimate folk music site based out of Illinois) along with some 300 similar PHP files, covering a range of topics from Alba to Wisconsin. The files found contained mostly deprecated HTML markup (remember the <marquee> tag anyone?) and no PHP script or META tags. The files were stuffed with hundreds of keywords, a form of spamdexing I thought was no longer practiced. Nevertheless the result still appeared on Google, possibly with a little help from cloaking.

Engage the cloaking device

Curious as to why the PHP files (with no PHP script or META tags, mind you) would redirect links coming from Google, but not when loaded directly, I again pulled up a client-side proxy for closer investigation. Below are the results of several slightly modified HTTP requests for the file initially requested by Google. Each request contains a modified Referer request-header field.

First request
Hacked the Referer field to point to the Google domain.

GET http://woodstockfolkmusic.com/bftwe/tiijy/carne.php HTTP/1.1
Host: www.google.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/3.0.195.27 Safari/532.0 Paros/3.2.13
Referer: http://www.google.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

First response
Hijack successful; browser redirected to bogus antivirus page.

HTTP/1.1 200 OK
Date: Sun, 18 Oct 2009 22:33:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.8
Connection: close
Content-Type: text/html

Second request
Hacked the Referer field to a domain other than Google.

GET http://woodstockfolkmusic.com/bftwe/tiijy/carne.php HTTP/1.1
Host: woodstockfolkmusic.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/3.0.195.27 Safari/532.0 Paros/3.2.13
Referer: http://www.habdas.org/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Second response
No hijack; browser sent directly to indexed page.

HTTP/1.1 200 OK
Date: Sun, 18 Oct 2009 22:31:36 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html

Additional testing
Additional testing revealed page redirection would occur only when the Referer field was included in the HTTP request header, and only when the field value contained certain phrases. Two phrases found to trigger the hijack include “google” and “yahoo” (case insensitive) while other likely phrases such as “bing”, “msn”, “aol” and “ask” did not.

Note: I am I not currently aware if Yahoo is susceptible this particular brand of page hijacking. If you’ve seen it on Yahoo or know of any examples, please comment and let us know.

Testing for the presence of phrases “Googlebot”, “googlebot” or “google” and “bot” (separated) all resulted in the 302 redirects, which leaves some of the following possibilities:

• The 302 redirect (likely of the .htaccess kind found in the Antivirus 2009 approach) was turned on after the page was indexed.
• The web crawler that originally accessed the page did not pass the phrases “google” or “yahoo” in the Referer [sic] field in the HTTP request header.

Monitoring over a several day period landed the browser on some of the following domains, each with their own similar virus scan or some derivation:

• wwwantispyware10.com
• topantimalwarescan7.com
• top-antispyware-scan8.com
• computer-protection11.com
• webprosecurity.com
• guardpconline.com

The Chrome 3.0 Browser Button Issue

The Chrome button issues are happening on and off. Some of the changes in behavior I have witnessed using Chrome v3.0.195.27 (Win):

• Browser unable to navigate backwards in history;
• Navigation backwards in history only after several tries; and
• Tab hangs and cannot be closed, and Windows clocks, until the pop-up notification window is closed.

PassKeeper is a Windows utility that allows you to keep a list of accounts with usernames, passwords, and notes. This list is stored encrypted.

The utility is freeware and has been available for public download since the mid-90’s. Data are encrypted using the 56-bit DES cipher and stored in an DAT file in the application’s root directory. The size of the application (189 kilobytes) and the data file (~400 bytes/entry) are lightweight and can easily be carried around on any USB flash drive.

Image of PassKeeper running under Windows Vista

The application’s user interface (pictured left) is straight-forward and easy to use, and the system-oriented UI design has become more visually appealing as Windows has evolved.

One thing that hasn’t evolved, however, is the utility’s application icon (not pictured). The application icon has looked outdated since about Windows 98. But fixing the blemish is easy enough. Just create a Windows Shortcut and use a different icon. The imageres.dll located in %windir%\system32\ in Windows Vista contains a decent-looking padlock icon that can be used if desired.

With a little practice, the entire utility can be navigated using only the keyboard, and passwords can be quickly copied from PassKeeper and pasted into online forms and desktop applications without the use of a mouse. Coincidentally, the copy/paste behavior may help enhance security by masking password keystrokes from key loggers.

Over time, one noticeable drawback of using PassKeeper is that it does not provide a built-in password generator. Another is that passwords copied to the clipboard are not automatically cleared after a set amount of time, requiring the user to do so by some other means—if at all. There is also a bug with account names using certain special characters, though in my ten years using the utility I only saw it once. According to program readme.txt on www.passkeeper.com the utility is limited to 128 entries, but offers a simple workaround for the limitation.

Overall, PassKeeper is a straight-forward, easy-to-use utility for managing and securing personal passwords and account data. And though it’s starting to show its age, it continues run stably as Windows evolves. If you decide to use PassKeeper and carry around password data on a USB flash drive, the 56-bit encryption used should buy most users plenty of time to change any sensitive passwords should the device be lost.

Other password managers worth checking out

• KeePass Password Safe — A free open source password manager, which helps you to manage your passwords in a secure way.
• KeePassX — Platform-independent port of KeePass Password Safe that works on Windows, Mac and Linux to name a few. Compatible with existing KeePass password databases.
• KeePassDroid — A port of the KeePass Password Safe for the Android platform. Try it in conjunction with DropBox and KeePassX for a great cross-platform personal security solution.

Password managers to pass up

RoboForm — Though it has a version specifically for use with USB flash drives, RoboForm is reliant on a web browser to function; it is not suitable for managing desktop application passwords and may not function in all browsers.