Password managers fail! Oh noes!

The sad state of computer security

The problem with computer security is that it's bad. Really bad. I mean, security professionals are downright horrified by what passes for "security" in most places. Real security professionals find another career. To be a computer security professional in most companies is like being a maritime safety consultant on the Titanic.

Let's face it: bad guys ("black hats") are in today's computing environment like burglars in a paper house village.

Enter the press

So naturally, you are going to read about problems and big, fat, juicy security fails. Most journalists are not specialists, and they know that fear sells. So they have no qualms about amplifying and distorting security stories. This results in a constant stream of security-related bad news. Which ones are relevant and which ones are noise?

Here is my contribution to clarifying things a bit. There has been a recent slew of stories about how password managers are hopelessly compromised (see link at the bottom). According to security researchers from an outfit called Independent Security Evaluators (ISE), you can take an up-to-date password manager and make it spit out its secrets -- namely, the passwords that you entrusted to its encrypted entrails. So why bother, right?

Oh noes! The securities, they do nothing!

Not so fast. Let's examine the claims. The ISE investigation took a Windows 10 PC (already not the most secure operating system) and installed a software tool (a debugger) that lets you examine memory while the system is running. So, while the password manager was running, the investigators switched to the debugger and scrubbed the PC's memory and found, surprise, that some secret info was stored in memory.

Well, duh.

The problem with that approach is that they needed administrator access to the machine in order to install the debugger. If black hats have admin access to a Windows PC, they will install key loggers, screen grabbers, and remote access tools. Why would they dig into the bowels of the system for passwords when they can just intercept them while you type (or paste) the passwords? This is akin to saying "if a burglar can get inside your house, he can make a copy of keys hanging from your key hook". This is technically correct. But notice the part about the burglar being already inside the house. The keys are irrelevant at this point.

The moral is: If someone has physical access to your machine, he can compromise your secrets. So make sure your passwords are kept encrypted (that's what password managers do). And don't trust a machine that has been in the possession of a black hat.

"Severe vulnerabilities uncovered in popular password managers": https://www.zdnet.com/article/critical-vulnerabilities-uncovered-in-popular-password-managers/


A comic about the "evil maid" attack

Here is another comic about security! I swear, everything a security expert needs to know can be learned by reading old comics. If you ask me, these security guys are overpaid. Wait, I am one of those security guys now! Never mind.

This is yet another Franco-Belgian comic. This one was published in 1971. How does a pre-AOL comic relate to computing security? Well, read on!

Context: The heroes are looking for a friend, who disappeared after responding to a "help-wanted" classified ad in the local newspaper. The ad was anonymous, so only the newspaper knows who the ad poster was.

For Millennials: classified ads were pages covered with various ads and announcements you could publish for a fee. An anonymous ad was like Craigslist on paper, with not even a phone number, only a reference that you responded to by writing a letter to the newspaper. Say what? What's a newspaper, you ask? Oh, man... Forget it. Just enjoy the comic.


A great social satire series

The comic is from the album "The Awkward Age", part of the "Walter Mellon" series (Achille Talon, "L'âge ingrat" in French).

Only one album of the series was translated into English, sadly: Magnesia's Treasure. The latter is a hilarious romp in a South American country where a local treasure is disputed between head-shrinking (but business-minded) natives, a no-nonsense military, greedy guerrilla men, a naive countess, and scrappy explorers. In a satirical tone, the series visits very serious topics such as war, terrorism, and dictatorship, without ever becoming preachy or strident.

But wait... What maid?

In information security, the "evil maid attack" happens when a dishonest insider steals his company's information, especially files. In this comic, the file in question is the confidential list of ad posters. In a modern, computerized company, the files would be located on a machine that is left unlocked, or would be intercepted and copied while the dishonest employee is able to access them.

In the last few years, I have seen two cases where a sales manager left a company to join a competitor, bringing with him a list of the juiciest, most valuable customer contracts from his former employer. Of course, in both instances, they ended up in court. I don't know if these sales managers made money from the stolen customer lists, but their lawyers certainly did get richer.


A comic about password safety

This 1966 comic below is a perfect illustration of what not to do to validate a password.

Context: Our heroes are fleeing the state police in a German-speaking dictatorship and are trying to reach a dissident network.

Common sense, amirite?

This is an English translation (mostly by artist Miriam Korver) of a page from "QRN over Bretzelburg", a graphic novel in the "Spirou and Fantasio" series. It was originally published in 1966.

The comic mocks a bad password management practice that seems obvious: When you ask strangers for a password, don't give them the password and ask them to make sure they already know it. Common sense, right? And not only that, but it predates personal computing, so you'd think it's old hat, right?

And yet, to this day, it is still common to find web sites that send the password along with the page's JavaScript, using a check like:
if (user_typed_password === "Secret_P@SSW0RD!") { validate = true; }
Looking at the page source with Ctrl-U is all it takes to reveal the "secret".

Also very popular: After validating the password, the authentication page appends "&login=true" to the URL, and that extra parameter is what passes for access control. Want to access the site? Just paste that string after the URL!

Thank God, this type of amateurism is becoming increasingly rare.

Don't be like the bungling dissident in that comic. Do real authentication!


Who keeps the password keepers?

Keep your unmentionables safe

Hey folks! As a system administrator and security maniac, I am very much in favor of good password hygiene. Just like your undies, you should really know where your passwords have been. But contrary to your undies, your passwords are not always easy to change.

That's why I recommend using a good password manager. A password manager is a little application that lets you generate and store complex passwords that you use to log in to various sites. You don't have to remember the complex passwords. But you do have to remember the one that protects the password manager, of course.

When you use a password manager app, you implicitly trust that app to safekeep your secrets. So that's why the latest fail in that field is particularly cringe-worthy. Abine, the company that makes the Blur password manager, has reported a customer data leak.

The fail

To be more precise: Back in December, a security researcher found an exposed file that contained info about people who used Blur before January 6, 2018. The exposed file contained some users' first and last names, email addresses, password hints, and encrypted passwords, among other things.

If you use Blur, the company recommends changing your Blur password.

Comment: The Blur password itself was not exposed, only its encrypted version. According to Abine, the Blur passwords were "encrypted using bcrypt with a unique salt for every user", which is pretty safe if done properly. There is no practical way to reverse a well-implemented bcrypt hash. Also, no protected data (the complex passwords stored inside the Blur app) was compromised. So overall, it could have been worse.

Of course, this won't stop some users from feeling betrayed. Just like undies, you get pretty intimate with a password manager. If my Supersafe Undies™ ripped and exposed some skin, I'd feel pretty let down.

Personally, I use and recommend KeePass, a free, open source password manager which, to the best of my knowledge, hasn't been breached so far.