LADA Registration Unlocks GRU Database

Researchers looking into the recent GRU arrests have uncovered a trove of information because of sloppy Russian spycraft. Speculation is already that the GRU is severely breached.

In the course of researching the authenticity of the personal data of the four individuals, Bellingcat was able to locate one of the four GRU officers identified by the MIVD in a Russian automobile ownership database. As of 2011, Alexey Morenets was the registered user and/or owner of a Lada (VAZ 21093) car. […] By searching for other vehicles registered to the same address, Bellingcat was able to produce a list of 305 individuals who operated cars registered to the same address.[…] The database contains their full names and passport numbers, as well as — in most cases — mobile telephone numbers.

That’s a GRU-some breach with a LADA data!

LADA VAZ 21093, named after the goddess of beauty in Slavic mythology

I used to give talks about medical data (zipcodes of doctors) being connected in this way to de-anonymize people using big data. This new example is superior in so many ways, not least because it shows Russian experts in actively poisoning information, let alone people, haphazardly failing at their own game.

Password Safe (psafe3) and Password Gorilla Import to KeePass

Password managers have become something of a religion, which is a very good sign in theory. People getting passionate about protecting their stored secrets sounds like a win for infosec management. On the other hand, discussions may get heated about exactly which password manager one should worship. Imagine office rules soon being updated to say it is inappropriate to discuss politics, sports and password databases.

Of course, those who see all the religions as roughly equivalent in spirit, none of them being perfect and all having some virtues, may seek easy conversion paths to embrace other options. Come along and don your pope robe, grab a yarmulke, put on your tilak, etc. and convert your secret tomes of belief by sliding easily between password databases.

For example, just a few years ago a couple of computer science researchers credited PasswordSafe as the most…

Wait for it…safe implementation.

It seems fair to require that a password manager that asks users to authenticate themselves with a password, at least provides secrecy and data authenticity. This is currently only achieved by a single password database format, namely PasswordSafe v3. As a general rule, a password manager should be explicit about the security offered by the underlying database format.

Thus in 2015 one might rightly be expected to worship the psafe3 scriptures as holier than thou. Now that we are in 2018, however, others have rightly pointed out that PasswordSafe and the cross-platform version PasswordGorilla have seen few updates. As other password managers are iterating more rapidly, the believers wonder when will PasswordGorilla 1.6 drop and can their faith last until such prophecy comes true?

KeePass in particular has been developing a large following, and I’ve been told there’s an entire plugin movement devoted to the art of bringing other faiths under their big tent. This makes it one of the better examples for those looking into multi-platform solutions with flexible options. Apparently the conversion steps are simple.

Prerequisite: This conversion presumes you have a psafe3 file on a running Windows system, such as PasswordSafe installed on a virtual machine easily downloaded from Microsoft.

A) Conversion from psafe3 (version 1, 2, or 3) to kdb (version 1)

  1. Download the old version 1.09 zip file of KeePass (max supported conversion version)
  2. Download the PwSafeDBImport plugin zip file
  3. Extract the KeePass 1.09 zip file to a new directory
  4. Extract the PwSafeDBImport.dll to the same directory
  5. Start KeePass.exe
  6. Select the Tools drop-down and then Plugins
  7. Right-click on the PwSafeDBImport plugin and choose Enable
  8. Exit KeePass
  9. Start KeePass (to load the PwSafeDBImport plugin)
  10. Click on the New Database icon and set a strong master key (KeePass recommends 96 bits or more)
  11. Select the File drop-down, then choose Import from and select PwSafe database (option at bottom, do not select psafe2 TXT file)
  12. Select the psafe3 database you want to import from
  13. Enter your psafe3 database password
  14. Review KeePass folders to verify integrity of imported secrets
  15. Click on the Save icon and set a kdb filename

B) Conversion from kdb (version 1) to kdbx (version 2)

  1. Start KeePass
  2. Select Database drop-down and then select Import KeePass 1 Database
  3. Select kdb file and enter master key
  4. Click on the Save icon and set a kdbx filename
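A pre-flight check worth running on the psafe3 file before step A.12, written here as an added example (not part of the original post and not code from PasswordSafe or KeePass). It confirms the file carries the V3 tag, reads the key-stretching iteration count, and checks that the EOF marker and HMAC trailer sit where Password Safe's published V3 format description (formatV3.txt) puts them. It does not decrypt anything or verify the HMAC, and the function and sample names are my own.

```python
import struct
import sys

TAG = b"PWS3"                                  # V3 magic; V1/V2 files have no such tag
EOF_MARK = b"PWS3-EOFPWS3-EOF"                 # one unencrypted 16-byte block
HEADER_LEN = 4 + 32 + 4 + 32 + 32 + 32 + 16    # tag, salt, ITER, H(P'), B1-B2, B3-B4, IV
TRAILER_LEN = len(EOF_MARK) + 32               # EOF block + HMAC-SHA256
MIN_ITER = 2048                                # minimum stretch count named in formatV3.txt


def preflight_psafe3(data: bytes) -> dict:
    """Structural checks only: no password needed, nothing is decrypted."""
    if data[:4] != TAG:
        return {"ok": False, "iterations": None,
                "problems": ["missing PWS3 tag: not a V3 database"]}
    if len(data) < HEADER_LEN + 16 + TRAILER_LEN:
        return {"ok": False, "iterations": None,
                "problems": ["file too short to hold header, one block and trailer"]}
    problems = []
    (iterations,) = struct.unpack_from("<I", data, 36)   # little-endian, after tag + salt
    if iterations < MIN_ITER:
        problems.append(f"key stretching below format minimum ({iterations} < {MIN_ITER})")
    if len(data[HEADER_LEN:-TRAILER_LEN]) % 16:
        problems.append("encrypted body is not a whole number of 16-byte blocks")
    if data[-TRAILER_LEN:-32] != EOF_MARK:
        problems.append("EOF marker not where expected: truncated or trailing data")
    return {"ok": not problems, "iterations": iterations, "problems": problems}


def constructed_sample(iterations: int = 2048, blocks: int = 3) -> bytes:
    """Constructed stand-in with the right layout but all-zero secrets (not a real database)."""
    header = TAG + bytes(32) + struct.pack("<I", iterations) + bytes(32 + 32 + 32 + 16)
    return header + bytes(16 * blocks) + EOF_MARK + bytes(32)


if __name__ == "__main__":
    # Pass a .psafe3 path to check a real file; with no argument the constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_sample()
    print(preflight_psafe3(blob))
```

A file that fails here was damaged or mislabelled before the import started, so run it on a copy of the database you keep until step A.14 checks out.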

Can I get an Amen?

In my next post on this topic, we will discuss hosted databases and why nobody expects the cloud inquisition.