Keepass.com spreading malware acting as the official password manager site(twitter.com)
twitter.com
Keepass.com spreading malware acting as the official password manager site
https://twitter.com/berkcgoksel/status/1125727590440931329
104 comments
Quoting part of your original posting here:
I have been working on a fork of TrueCrypt/VeraCrypt and wanted to be sure that before releasing the code that I am following all the license terms and giving proper attribution, as TrueCrypt has a somewhat non-standard open source license.
TrueCrypt has an old trademark issued back in 2007 but which expired after 10 years in 2017. As part of the licensing review, I discovered there is a new trademark application filed August 25, 2018 by Julien Clairet under a company named "DATA ACCESS" based in Paris, France.
I discovered [that] "keepass.com" is also apparently registered to Julien / DATA ACCESS.
There is a publication period when new Trademarks are announced and an opportunity to contest the validity of the claim. The new "TrueCrypt" trademark was published on February 20, 2019, and you have 30 days from the time that the mark is published to file any opposition.
I am preparing to file a response to USPTO.
First of all, a huge thank you from everyone that loves TrueCrypt for doing this.
How long will it be before you know if they issued or rejected the trademark? Is there anything else that can be done now that the 30-day deadline has passed? Would you mind posting a link to the trademark application?
I have been working on a fork of TrueCrypt/VeraCrypt and wanted to be sure that before releasing the code that I am following all the license terms and giving proper attribution, as TrueCrypt has a somewhat non-standard open source license.
TrueCrypt has an old trademark issued back in 2007 but which expired after 10 years in 2017. As part of the licensing review, I discovered there is a new trademark application filed August 25, 2018 by Julien Clairet under a company named "DATA ACCESS" based in Paris, France.
I discovered [that] "keepass.com" is also apparently registered to Julien / DATA ACCESS.
There is a publication period when new Trademarks are announced and an opportunity to contest the validity of the claim. The new "TrueCrypt" trademark was published on February 20, 2019, and you have 30 days from the time that the mark is published to file any opposition.
I am preparing to file a response to USPTO.
First of all, a huge thank you from everyone that loves TrueCrypt for doing this.
How long will it be before you know if they issued or rejected the trademark? Is there anything else that can be done now that the 30-day deadline has passed? Would you mind posting a link to the trademark application?
Thank you and you're welcome. I did link the application in my original post, here it is again;
http://tsdr.uspto.gov/documentviewer?caseId=sn88092713&docId...
Typically two months after publications they will send the Notice of Allowance. It hasn't happened yet but it could happen any day I suspect.
http://tsdr.uspto.gov/documentviewer?caseId=sn88092713&docId...
Typically two months after publications they will send the Notice of Allowance. It hasn't happened yet but it could happen any day I suspect.
For anyone confused by this Twitter sound bite, the story is that there are 2 main sites from which you can download KeePass Password Safe (the free, open-source password manager):
- https://keepass.info/ is the official site, which ironically uses a suspicious-looking .info top-level domain, but is in fact the legitimate source
- https://keepass.com/ is an unofficial site which the Twitter article is reporting as spreading malware, but has somehow obtained the more legitimate-sounding .com top-level domain
And by the way, both of these sites come up on the first page of a Google search for "KeePass".
- https://keepass.info/ is the official site, which ironically uses a suspicious-looking .info top-level domain, but is in fact the legitimate source
- https://keepass.com/ is an unofficial site which the Twitter article is reporting as spreading malware, but has somehow obtained the more legitimate-sounding .com top-level domain
And by the way, both of these sites come up on the first page of a Google search for "KeePass".
I have the same issue with Putty. I was helping a client debug an issue with an appliance they bought from my company (me on their computer, them watching over my shoulder) and asked if I could download Putty on their machine. They said yes, so I went to "https://www.chiark.greenend.org.uk/~sgtatham/putty/" and clicked the download link and they flipped out. It's too fishy, they said, must be a malicious site. I went to putty.org instead (not affiliated with Putty), and clicked the "download putty" link and it redirected back to the other site, and from that point they refused to let me download Putty.
We then spent 3 hours getting approvals for me to get my own laptop on their internal network so I could use ssh from my Macbook. I felt bad because my company charges like $300/hr for our consulting services, so we wasted nearly $1000 because the main Putty download site seemed too suspicious for the client to be comfortable with.
I know Putty is legitimate and I know it's a free product, but appearances do matter. Presentation does matter. Although I do blame Microsoft a bit for not shipping an SSH client for so long.
We then spent 3 hours getting approvals for me to get my own laptop on their internal network so I could use ssh from my Macbook. I felt bad because my company charges like $300/hr for our consulting services, so we wasted nearly $1000 because the main Putty download site seemed too suspicious for the client to be comfortable with.
I know Putty is legitimate and I know it's a free product, but appearances do matter. Presentation does matter. Although I do blame Microsoft a bit for not shipping an SSH client for so long.
Let this stand as a reminder that paying that extra 17$ for a more legit looking TLD may just be the right thing to do.
The legit one is usually squatted upon. It's not extra $12 (typical .com price) but extra $12k+
That's just a business problem, not any different for domain names than anything else. I have a great idea for a business, it's a small building that sells pizza. Unfortunately I can't name it Pizza Hut because that's already taken. I want to start a supermarket and my last name is Wall, I can't exactly call it Wallmart. I want to start an electronics supply company, I can't call it Tesla. I have to come up with other names.
I want to create an app that helps people relax. Sorry, Calm is taken, I need a different name. I want an app that's like a book of faces... Facebook is taken. I need a different name.
If someone else already has the domain name you want, you can register under a different tld, but you have to be aware that this conflict will exist and confusion will be a problem.
I want to create an app that helps people relax. Sorry, Calm is taken, I need a different name. I want an app that's like a book of faces... Facebook is taken. I need a different name.
If someone else already has the domain name you want, you can register under a different tld, but you have to be aware that this conflict will exist and confusion will be a problem.
I would be good money this is the opposite, the .com was registered afterwards.
Is there any list of TLDs sorted by credibilityy score?
hombre_fatal(8)
When I used to install Keepass on a new computer, I would Google "keepass" and then hesitate a moment before clicking the .info domain. The best solution I could come up with was to start using KeePassXC instead.
What a great world in which any video that accidentally includes a radio playing a song is immediately taken down, but this sort of thing can go on for years.
Well, it tells you who wrote the laws. DMCA, sure as hell wasn't written by Clinton, he just championed it.
For reference, the actual official site is https://keepass.info/
oof, .info and .biz are almost always red flags
Faced with the .info and .com I would have bet all my money that .com was the legit one.
+10000 bonus points since the malicious group made the UI feel more modern on .com than the .info page.
And this is why you buy the .com domain for your company, instead of some weird one like .info, .io, or .pizza: most people assume that's where they'll find your company. If someone's squatting it, you can buy it from them, or just come up with a new nonsense word for your company.
Maybe developers are getting used to the `getQwerpy.io` convention, but I don't see it catching on more broadly.
Maybe developers are getting used to the `getQwerpy.io` convention, but I don't see it catching on more broadly.
Good idea for a company. Tough if you're a FOSS project and the domain costs $xx,xxx (almost any desireable dot-com does).
Change the name. Especially if you're a security oriented service and not having the dot com opens you up to this sort of, I guess its phishing? .info and all are basically active red flags, especially for a security oriented project...
Honestly the Keepass maintainers have had enough basic issues with website security (see how long they held out on https for update downloads), that I use KeepassXC even on Windows these days. I figure there's enough eyes on the kdbx 4 protocol that it's safe, but the keepassxc team feels better organised.
IIRC, the update was over HTTPS, just the "check for new version" call was to HTTP.
According to https://keepass.info/help/kb/sec_issues.html, it doesn't auto-update - it just displays that a new version is available. Enabling a man-in-the-middle to display a fake update notification, when there are fake versions of Keepass floating around and the user could easily slip up (and the MITM could guide the user towards a fake version) still feels like a hole, albeit a minor one.
It has however been resolved:
> the version information file is now digitally signed (using RSA-4096 and SHA-512). KeePass 2.34 and higher only accept such a digitally signed version information file. Furthermore, the version information file is now downloaded over HTTPS.
It has however been resolved:
> the version information file is now digitally signed (using RSA-4096 and SHA-512). KeePass 2.34 and higher only accept such a digitally signed version information file. Furthermore, the version information file is now downloaded over HTTPS.
The domain name provider I use[1] takes $2 less per year for a .com compared to a .info.
[1]: https://domainname.shop/register
[1]: https://domainname.shop/register
For an unregistered .com. Most desirable .com's have been squatted, and the squatters want five to six digits for the domain. The business model deserves a fiery death, yet it thrives.
Fair point. Most of my domains have not been .com's but when I've registered I've checked if the .com was available and for the most part they have been.
So cities recently have been toying with vacancy taxes that target rich people using prime real estate speculatively or who wish to reserve a unit without anyone having lived there for cultural reasons - maybe that's the sort of tactic we need to examine with domains, some sort of creative usage bar that utilizes distinctness from other domains to detect squatting and levy a fee.
At scale, distinguishing a squatter's markov-generated WordPress landing page from a genuine pre-product startup in stealth mode sounds like a Hard Problem. On the other hand someone with 10,000 domains and zero business plans is obviously a squatter. There's probably a way to draw the line that's viable to enforce.
Seems like it would be fairly trivial to find any instance of a phrase similar to "this domain for sale" on any page and flag it for human intervention. Because that's how squatters get buyers, right, by indicating the site is for sale? Am I missing something obvious?
Additionally, as a web developer, when I see squatting on a domain I want, I will be absolutely livid. Give me a place to report squatters and I'll happily help you crowd-source what was previously a Hard Problem.
Additionally, as a web developer, when I see squatting on a domain I want, I will be absolutely livid. Give me a place to report squatters and I'll happily help you crowd-source what was previously a Hard Problem.
That's actually kind of genius. Domain squatting is highly automated, so in most cases it's not hard to figure out when a domain is squatted rather than simply inactive. Taxing squatters 10% of their sale offer every year would make them think twice.
It could even be done through the registrars: for every year you hold onto a domain, the registrar withholds another 10% if/when you sell it. Legitimate companies and people wouldn't suffer, since they would want to keep their domains more or less forever. Those looking to flip domains would have to consider their diminishing returns.
It could even be done through the registrars: for every year you hold onto a domain, the registrar withholds another 10% if/when you sell it. Legitimate companies and people wouldn't suffer, since they would want to keep their domains more or less forever. Those looking to flip domains would have to consider their diminishing returns.
That page says €9.95/yr for .com which is $11.17 USD...
$11.95 vs $13.95 for me. Similar in my local currency if I go to their regional page.
Keepass.com is present in uBlock Origin's Badware Risks list, I couldn't even access it first.
I have my browser that I use for logging into sites behind three layers of security:
- Google Safe Browsing
- Pihole including a couple of regularly updated malware lists
- uBlock Origin
It looks like Safe Browsing and pihole do not yet have this on the blacklist.
- Google Safe Browsing
- Pihole including a couple of regularly updated malware lists
- uBlock Origin
It looks like Safe Browsing and pihole do not yet have this on the blacklist.
I submitted keepass.com on the report malware form on Google, for what it's worth.
Caught it for me also - looks like keepass.fr is also taken.
Kinda surprised the badware list only contains 100 or so URL's!
Kinda surprised the badware list only contains 100 or so URL's!
I assume it's complimentary to the Google Safe Browsing service that Chrome uses.
Further proves the obvious: it's dangerous to use the Internet without uBlock Origin.
Disclaimer: I'm the founder/maintainer for AppGet (appget.net)
Issues like this were one of the main reasons I started working on appget. I died a little bit inside every time I saw a friend google an app and click on the first link (usually an ad) or click through the installation wizard as fast as they possibly could and not unchecking the toolbar, bundle, bonus, whatever else.
AppGet solves these issues from a couple of different angles,
1. we only allow packages hosted on the official vendor, maintainer websites.
2. All package manifests are simple YAML files on GitHub where they go through a PR/Review before getting merged.
3. For your _tech normal_ friends or family, they can search for apps in https://appget.net/packages/ and click the install button, and we do the rest. No command line needed. 4. We disable all bundled app installations by default.
For example here is the page for Keepass https://appget.net/packages/i/keepass
Issues like this were one of the main reasons I started working on appget. I died a little bit inside every time I saw a friend google an app and click on the first link (usually an ad) or click through the installation wizard as fast as they possibly could and not unchecking the toolbar, bundle, bonus, whatever else.
AppGet solves these issues from a couple of different angles,
1. we only allow packages hosted on the official vendor, maintainer websites.
2. All package manifests are simple YAML files on GitHub where they go through a PR/Review before getting merged.
3. For your _tech normal_ friends or family, they can search for apps in https://appget.net/packages/ and click the install button, and we do the rest. No command line needed. 4. We disable all bundled app installations by default.
For example here is the page for Keepass https://appget.net/packages/i/keepass
Back in the days, when Google was still somewhat new, I tended to laugh a bit inside when my parents and other non-techies would search Google for a domain rather than to go in the address bar. They'd search for Ford or Ford.com, rather than just put Ford.com in the address bar.
Though I quickly realized it wasn't such a bad idea at all, for exactly the reasons such as this. Even I mess up domains sometimes, so I usually tend to use Google instead except for the ones I know by heart (or have bookmarked).
Though I quickly realized it wasn't such a bad idea at all, for exactly the reasons such as this. Even I mess up domains sometimes, so I usually tend to use Google instead except for the ones I know by heart (or have bookmarked).
This only really works if you have an ad-blocker, or at least know to ignore the ads. Otherwise google will frequently end up frequently serving ads for a malicious product (most commonly seen for crypto products)
Fair enough, although surfing without an ad-blocker is like having random one-night stands without a condom.
This is a super gnarly one to me because it is a PASSWORD MANAGER. Literally they could just supply a password manager that also sends all the passwords to a third party.
I get it open source, hard to keep the lights on, etc etc but I feel like if you take the steps of getting into a such a security heavy space, then you have to be able to keep up your end of the bargain.
In this case it might not mean registering every variation of keepass (keepass.com probably useful though) but it certainly means working aggressively with search engines to get things flagged, send push notifications to your users warning them of it, etc etc
I get it open source, hard to keep the lights on, etc etc but I feel like if you take the steps of getting into a such a security heavy space, then you have to be able to keep up your end of the bargain.
In this case it might not mean registering every variation of keepass (keepass.com probably useful though) but it certainly means working aggressively with search engines to get things flagged, send push notifications to your users warning them of it, etc etc
> Literally they could just supply a password manager that also sends all the passwords to a third party.
Could have taken the source, added the backup to 3rd party server, and released binaries.
Could have taken the source, added the backup to 3rd party server, and released binaries.
> but I feel like if you take the steps of getting into a such a security heavy space, then you have to be able to keep up your end of the bargain.
Why, if you don't earn enough money?
Why, if you don't earn enough money?
Because people have put their trust into you and you owe them something for that.
better to shut down a project and walk-away for example, then leave it up, never update it, have a vulnerability get exposed, and have everyone using your product get owned
better to shut down a project and walk-away for example, then leave it up, never update it, have a vulnerability get exposed, and have everyone using your product get owned
Your answer to the problem of malicious actors squatting domains is to shutdown the legitimate one? Did I read that right? keepass.com won't stop serving malware even if the keepass project has been abandoned. Your solution just makes the problem worse.
> you owe them something
Definitely not.
The companies even sell products, for which everybody directly pays, and then owe even to the millions of users nothing once they have sold the product (actually sold the "license"). I've even had to buy the exactly same product (the license) more than once, every time I've changed the platform or even just changed the computer.
So if I publish anything as open source, free for anybody to use, I own even less to anybody with whom I don't have a paid contract for support.
Definitely not.
The companies even sell products, for which everybody directly pays, and then owe even to the millions of users nothing once they have sold the product (actually sold the "license"). I've even had to buy the exactly same product (the license) more than once, every time I've changed the platform or even just changed the computer.
So if I publish anything as open source, free for anybody to use, I own even less to anybody with whom I don't have a paid contract for support.
Keepas is not the only software involved.... https://twitter.com/Gabry89/status/1125775980365217793
My company bought up as many related domains (e.g. misspelled, org, com) as we could think of to prevent this kind of thing.
A very cost effective way to protect your IP.
A very cost effective way to protect your IP.
uBlock Origin catches keepass.com correctly with the default filters.
Reaffirming my decision for the n-th time to never browse the modern web without adblock.
Reaffirming my decision for the n-th time to never browse the modern web without adblock.
opendns flags this as a phishing threat, which is nice:
https://phish.opendns.com/main?url=keepass.com&server=ams16&...
https://phish.opendns.com/main?url=keepass.com&server=ams16&...
Been using the KeePassXC[1] community fork for about three months now. The transition was smooth; it's pretty much identical to KeePass or KeePassX. Has TouchID integration for MBP which is super useful. Plus the source is available on Github and is actively maintained.
[1] https://keepassxc.org/
[1] https://keepassxc.org/
Same people are most likely hosting https://7zip.fr/
Update: The sites are now all blocked by https://www.squidblacklist.org/downloads/dg-malicious.acl, which is a list I recommend everyone to put into their pihole.
Still not blocked on Google Safe Browsing.
Still not blocked on Google Safe Browsing.
Just tested: uMatrix detects the site being a threat, preventing to load the homepage in the first place.
Is there an ICANN dispute avenue available for the Keepass to seize control of this domain?
Is there a way to figure out if an existing install was the compromised or real one?
Let’s get this shut down.
Can we not submit to Google to shut down for spreading malware or get the domain registrar involved?
I don't know if it helps to have multiple reports, but Google's Report malicious software form is here:
https://safebrowsing.google.com/safebrowsing/report_badware/...
https://safebrowsing.google.com/safebrowsing/report_badware/...
Reminds me of whitehouse.com vs whitehouse.gov back in the day...
We can fly rockets to space and then land them on barges at sea, cure diseases, use technology to reduce global hunger, create synthetic organs, and trade trillions of dollars of money across oceans in microseconds, yet we can't figure out which of two computers in an online card catalog is real and which is going to empty your bank account.
counterpoints:
* private space missions were financed from the sale of a predatory business (paypal)
* government space missions originated from the cold war arms races (that continue to this day)
* a few diseases are curable, many aren't. pharmaceuticals profit more from treatment than cure, however. Some ailments such as anaphalaxis and diabetes that are mostly treatable have been receding into "uncured/undertreated" territory because phama keeps raising the prices of insulin or epi pens.
* much of hunger, say in Africa, can be easily treated if we could find a way to keep warlords and corrupt gov's from stealing the aid, but our technology isn't helping us very much (not saying we shouldn't keep trying, but tech is of no use for this problem)
* synthetic organs sound great (if you need one). maybe this I concede is a victory for (bio)tech.
* trading money is really just trading information. Once the infrastructure is in place, it's a trivial matter.
deciding who gets to post content online is a much harder problem to solve. If you could make one call to google to have them de-listed from search, every company/political faction would be doing this to thier competitors/rivals.
* private space missions were financed from the sale of a predatory business (paypal)
* government space missions originated from the cold war arms races (that continue to this day)
* a few diseases are curable, many aren't. pharmaceuticals profit more from treatment than cure, however. Some ailments such as anaphalaxis and diabetes that are mostly treatable have been receding into "uncured/undertreated" territory because phama keeps raising the prices of insulin or epi pens.
* much of hunger, say in Africa, can be easily treated if we could find a way to keep warlords and corrupt gov's from stealing the aid, but our technology isn't helping us very much (not saying we shouldn't keep trying, but tech is of no use for this problem)
* synthetic organs sound great (if you need one). maybe this I concede is a victory for (bio)tech.
* trading money is really just trading information. Once the infrastructure is in place, it's a trivial matter.
deciding who gets to post content online is a much harder problem to solve. If you could make one call to google to have them de-listed from search, every company/political faction would be doing this to thier competitors/rivals.
Great reason to use your package manager or the Microsoft Store to get most of your software.
[deleted]
That's a bummer, keepass is pretty great... but then again that's probabbly why someone targeted it.
Heckuva name.
Should be flagged as a porn site
https://news.ycombinator.com/item?id=19311856
At the time the download links on the non-official Keepass.com site seemed to point back to the official sources, but I noted of course that could change in the future, or could even be different depending on who visits the site.
I ended up submitting an objection to the TrueCrypt trademark application to the USPTO, but I'm not sure how much good it will end up doing. I was not able to pay a lawyer the several thousand dollars they wanted to draft the letter themselves.