Blog

Heartbleed Vulnerability Update

On Monday, April 7th the Heartbleed bug was announced by OpenSSL. Heartbleed is a vulnerability in the OpenSSL cryptographic library, you can get details at http://heartbleed.com/

Was Passpack vulnerable?

Passpack utilizes OpenSSL and we were vulnerable to this bug. Our systems were updated this morning April 8th, new SSL Keys were generated and new SSL Certificates requested and deployed. So Passpack is no longer vulnerable, we have also had a feature called “perfect forward secrecy” enabled on our SSL connection for some time which eliminates the ability to decrypt traffic retroactively. 

What should I do?

Sensitive data that is sent to Passpack is encrypted with a key that is not transmitted to our servers so your data is never transmitted over SSL unencrypted. While Hearbeat is a serious issue, your stored data would not have been affected. There is a concern that a Man In The Middle attack could have masqueraded as Passpack and served malicious Javascript back to users and compromised their Packing Key. While we do not have any evidence that any customer data was compromised, after analyzing the issue we feel it is better to err on the side of caution and recommend changing your Packing Key https://help.passpack.com/knowledgebase/idx.php/33/157/article/How-to-Change-Your-User-ID-Password-or-Packing-Key.html and we also recommend enabling two factor authentication on all accounts.

Since roughly 2/3 of the internet was also affected by this vulnerability we also recommend that you consider changing your passwords at other sites as they were likely vulnerable to the same attack.

Scheduled Maintenance Saturday 8PM MST

We will be upgrading our web servers to support the latest security standard, TLS 1.2, this Saturday between 8:00PM and 9:00PM MST.  We will be performing a rolling upgrade of the server software which should avoid any disruption of service, but we want to make everyone aware of the time in case there are any issues.

Welcome to 2014

Welcome to 2014

The Passpack Team has been working very hard the last two quarters of 2013 to make this year the best year yet for our users and team. We are excited to welcome 2014 with a brand new look and feel for the web site, and we also have a few announcements.

Since 2006, Passpack has grown organically, amassing a huge trove of industry and product knowledge, which can be found in blog posts and the online help center. Moving the knowledge base and help center to a more modern application will take some time.  We are, however, working to keep it to a minimum and hope to have it completed within the next few weeks. We hope you will like the new look and feel.

The Next Generation of Passpack

We acquired Passpack in July of 2013. It was our intention at that time, to rapidly bring improvements to our customers. Our team set to work assessing the state of the Passpack application, and digging through the feedback and support databases to see what our users had asked for, and where we could make improvements. That was challenging. We love a challenge. We then set about building it, and that has also been very challenging! Good thing we really love a challenge. In the coming weeks we will be announcing a Preview Program so that we can get our users feedback in an effort to be sure that we don’t miss opportunities to build and implement the features they need and want.

The number of improvements is rather large, so we will make a dedicated announcement separately; a few of the major features in the coming version will include Native Mobile Applications and Native Browser Extensions for all major platforms. The team and group features are both simpler to use and much more powerful. We’re pretty excited about it, and we hope you are too.

We love to hear from you

We have been very quiet while we were working on the completion of this new release, but you will be hearing much more from the Passpack Team in 2014. Over the last six months if you have needed support or had a question, you’ve probably interacted with one or all of the team, and while we’re happiest when things work for you exactly as they should or are as easy to use as we’d all like them to be, we want you, our users to know that if you need support or just have a question about the company, our team is here for you. We believe that we have a great product, and that we have great people using it. We enjoy interacting with all of you, and value your feedback too.

Here’s to a great 2014, everyone!
Best Regards and Warm Wishes,
The Passpack Team

PayPal issue

Since Yesterday, PayPal is not sending us confirmation notification of the payments. So the system is unable to update the status of the accounts. We could do this manually, but when PayPal will solve the issue, it will probably send all the notifications and this could create worse issues. So, we are waiting for a while. If nothing happens, we will fix the updates manually.

UPDATE, Jan. 29. The strategy worked because PayPal sent all the notification at one moment, and all the accounts have been upgraded correctly.

 

The new Adobe AIR damages the Passpack Desktop’s Local Storage

Your attention, please.

The new Adobe AIR, on some Operating Systems, resets the Encrypted Local Storage where the local Passpack Desktop data are stored. So, please, before upgrading to the new Adobe AIR, do a backup of your local data from “tools > backup” so that, if the data will be lost after the upgrading, you can restore it.

If your data is lost, the only way to recover it is to restore the status of your operating system to a restore point before the upgrade to the last Adobe AIR. Some users were able to recover all the data this way. After recovering the data, please, backup the entries before upgrade again and restore the entries after restarting the account.

Quick PIN on mobile devices

The biggest problem with the mobile version of Passpack is typing a long Packing Key. People often type the wrong one and have to repeat the process. That’s painful on a touchscreen keyboard.

So, I have just released a solution that solves this problem: a 4 character  PIN that substitutes your Packing Key. This PIN is device specific, in other words, you set up a different PIN for each phone and tablet.

It works in a very simple way:

  • your Packing Key is encoded using a randomly generated key
  • the random key is stored in the local storage of the broswer on your device
  • the encrypted Packing Key is send to the our server with the PIN

Next time you login to Passpack on that device, you’ll be asked for the PIN instead of the Packing Key. You have 3 attempts to type the correct one. At the third mistake the PIN will be deleted and yo’ll need to type the Packing Key as usual.

When used with the Remember me option, this is a great time saver!

Managing PINs and devices

From the Settings page, you can see what devices you have already activated and, possibly, remove them.
This is particularly important if you lose your mobile device.

About security

Initially I was thinking to use a numeric touchpad, like the kind many apps use for PIN numbers. But the risk is that you could be tempted to use the same numeric PIN that you use to access your device – and that would be bad. We don’t want anyone who can enter your device to be able to enter your Passpack account as well.

For this reason, I decided to allow a text PIN. This way you have a really better PIN since you can use everything, included international characters. For example, your PIN can be a string like arfk or xsTT but you can also decide to use a crazy strong PIN like Aò高8 that would be impossible to be guessed in three attempt. This strongly increases the security as compared to, for example, an ATM PIN.

Note. The quick PIN system needs an HTML5 browser to work. If your browser is not compatible, you won’t see the option to activate the PIN.

Solved an issue with corrupted exchange keys

From time to time, we receive a ticket from a user who is unable to invite another user, because the recipient can not see or accept the invitation. I have tried to replicate this issue without success, so my workaround has been to manually delete the invitation from the database so that the two users can restart the process. Generally this worked.
The strange thing was that the problem was repeating always within the same teams. As you know, Passpack has been built to be personal and private. So the best practice, in any case, is that one user access one account. If more than one user accesses the same account, this can create unpredictable problems.

A pratical example

We have three users: Bob, Alice and John.
  • Bob accesses his personal account (good!). Instead Alice and John access the same company’s account (bad!).
  • Alice invites Bob.
  • Before Bob has a chance to see the invitation, John checks for updates. The system finds a request for exchanging keys that is related with his current account (that Alice is also accessing, remember), elaborates the keys and delete the original RSA-encrypted keys for security purposes.
  • When Bob checks for updates he finds the invite, but the system is not able to generate its own keys because the original keys have since been removed.
  • The result is that Alice has invited Bob, but Bob can not see or accept the invitation because the exchange keys are bad.

How to fix the issue

When I discovered this practice I finally understood what was causing the key corruption. So I’ve added a more sofisticated control to avoid the problem. But, since it is impossible to propagate a change to previous versions, it was necessary that all the involved users reload their Passpack page to have the latest version of the application. If not, the invitations may seem correct but the user will not be able to see any shared entries because his keys are not compatible with the current keys of the sharer.
If you are experiencing a problem with invitations or with users that can not see any shared entry you should follow these steps:
  • Be sure that you have the latest Passpack version (logout and reload to be sure)
  • If you have tried to exchange secure messages with the user, delete all those messages and ask the other user to do the same
  • From the People tab delete  the invited user
  • Ask the other user to press their check for update button to verify that there aren’t any invitations from you
  • Invite him again

If you have any issues please open a support ticket.

We are going to change the feedback forum

We’ve been using UserVoice for a while to manage user feedback.

UserVoice is a great service to collect suggestions and ideas. It worked very well and now we know what is important for our users. But there are a lot of minor suggestions that are also important which remain without an answer. And, in many cases, people ask for a feature that already exists. If there were a live conversation, some other user might be able to quickly answer: “Hey Joe, you can already do this.” Instead, there  is no live converation and everyday someone adds a suggestion that risks getting lost. This is not good.

So, in the next weeks, we will try to limit the UserVoice forum to big suggestions and we will move the everyday feedback towards our Facebook page. Why Facebook? Because it is easy and social and solves the “conversation” problem. Of course, please don’t consider it a support page and especially don’t write any sensitive information. If you need customer support on your account, please open a support ticket instead and we will help you.

The Passpack Facebook page would like to be a place where you can start conversations with us and with other users about best practices, ideas, issues, etcetera.

What do you think?

 

Our provider has been hacked, but Passpack is safe. Zero data compromised.

First things first: your data is safe. 

Passpack runs on dedicated servers at a provider in Germany. Yesterday, that hosting provider was likely hacked into. Due to our application architecture, and the fact that we’ve completely isolated the servers from any access by the provider, Passpack has not been compromised. All user data is secure.

This announcement is simply because we believe in transparency.

Why Passpack was not affected

Fortunately I don’t trust anybody, not even our hosting providers (Passpack is, after all, built on the “Host-proof” Hosting pattern). As soon as our dedicated servers were delivered to us with the OS installed, the first order of operation was to make it so that our provider was completely unable to access our servers. Every default password was changed and (most importantly) the SSH setting only allows access via keys. Yes, that makes it more complex to handle eventual hardware problems, but it’s worth the trouble. Today, when I read the communication below, I knew it was the right choice.

This is the communication that we received today, like hundreds of others:

Dear Client,

We were informed yesterday, Wednesday 5 October, about an improper access to our internal system.
As far as we can presently reconstruct, the attackers could have been able to access internal customer data on [our] administrative systems.
[...] To our present knowledge we have no information regarding data abuse from customers.
Unfortunately, it is not possible for us to exclude this possibility completely and we would therefore ask that you change all passwords on your [Provider] system immediately as a precaution.
[...] To ensure complete and transparent clarification, we shall shortly be reporting this incident to the regulatory authorities.
[...]

As always, we’ve taken follow-up security available to us for good measure. We immediately updated the credentials to login to the the online account manager. Nobody has accessed the account manager, or changed any settings.

My biggest concern was that with access to the provider’s account management system, though they couldn’t have accessed any user data, a hacker could have been able to reset a server: starting a new installation while deleting all the current data. Fortunately, they didn’t. And the access codes have all since been changed. As you can imagine, this would have caused an interruption in service until we’d have reconfigured everything and restored the data from our remote backups.

A secondary concern would be that they could have gotten physical access to the servers while putting it into maintenance mode. Also in that case, there’d have been a noticeable downtime. There wasn’t. Anyway, as you know, our data are useless without hacking the entire distributed system.

Since we had no problems or outages, I could have easily not informed anyone about this. But I believe that transparency is the most important thing for a service like Passpack. So now you know.

Have a good day, and let me know if you have any questions.