2019-03-02

Password managers fail! Oh noes!

The sad state of computer security

The problem with computer security is that it's bad. Really bad. I mean, security professionals are downright horrified by what passes for "security" in most places. Real security professionals find another career. To be a computer security professional in most companies is like being a maritime safety consultant on the Titanic.

Let's face it: in today's computing environment the bad guys ("black hats") are like burglars in a village of paper houses.

Enter the press

So naturally, you are going to read about problems and big, fat, juicy security fails. Most journalists are not specialists, and they know that fear sells. So they have no qualms about amplifying and distorting security stories. This results in a constant stream of security-related bad news. Which ones are relevant and which ones are noise?

Here is my contribution to clarifying things a bit. There has been a recent slew of stories about how password managers are hopelessly compromised (see link at the bottom). According to security researchers from an outfit called Independent Security Evaluators (ISE), you can take an up-to-date password manager and make it spit out its secrets -- namely, the passwords that you entrusted to its encrypted entrails. So why bother, right?


Oh noes! The securities, they do nothing!

Not so fast. Let's examine the claims. The ISE investigation took a Windows 10 PC (already not the most secure operating system) and installed a software tool (a debugger) that lets you examine memory while the system is running. So, while the password manager was running, the investigators switched to the debugger, scanned the PC's memory and found, surprise, that some secret info was stored in memory.

Well, duh.

The problem with that approach is that they needed administrator access to the machine in order to install the debugger. If black hats have admin access to a Windows PC, they will install key loggers, screen capture tools, and remote access tools. Why would they dig into the bowels of the system for passwords when they can just intercept them while you type (or paste) the passwords? This is akin to saying "if a burglar can get inside your house, he can make a copy of the keys hanging from your key hook". This is technically correct. But notice the part about the burglar already being inside the house. The keys are irrelevant at this point.
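To make the "well, duh" concrete, here is an added toy vault (my own illustration, not code from ISE or from any real password manager): entries are encrypted at rest, the derived key sits in a buffer only while the vault is unlocked, anyone who can read the process's memory at that moment sees it, and locking overwrites the buffer in place. The salt, nonce and the HMAC-based toy cipher are constructed for the example.

```python
import ctypes
import hashlib
import hmac

def derive_key(master_password: bytes, salt: bytes) -> bytearray:
    # PBKDF2 into a bytearray so the key can later be overwritten in place
    return bytearray(hashlib.pbkdf2_hmac("sha256", master_password, salt, 100_000, 32))

def keystream_xor(key: bytearray, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher (HMAC-SHA256 in counter mode): illustration only, not for real use
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

class ToyVault:
    def __init__(self, salt: bytes):
        self._salt = salt            # constructed for the example, not a real vault format
        self._key = bytearray(32)    # all zeros while locked
        self._unlocked = False
        self._entries = {}           # name -> (nonce, ciphertext); only ciphertext at rest

    def unlock(self, master_password: bytes) -> None:
        # Same-length slice assignment reuses this one long-lived buffer (Python still makes transient copies)
        self._key[:] = derive_key(master_password, self._salt)
        self._unlocked = True

    def lock(self) -> None:
        self._key[:] = bytes(32)     # overwrite in place; clear() would free the memory unwiped
        self._unlocked = False

    def put(self, name: str, secret: bytes, nonce: bytes) -> None:
        if not self._unlocked:
            raise PermissionError("vault is locked")
        self._entries[name] = (nonce, keystream_xor(self._key, nonce, secret))

    def get(self, name: str) -> bytes:
        if not self._unlocked:
            raise PermissionError("vault is locked")
        nonce, ciphertext = self._entries[name]
        return keystream_xor(self._key, nonce, ciphertext)

    def stored_ciphertext(self, name: str) -> bytes:
        return self._entries[name][1]

    def key_as_seen_in_memory(self) -> bytes:
        # Read the buffer's backing storage directly, as a debugger scanning this process would
        addr = ctypes.addressof(ctypes.c_char.from_buffer(self._key))
        return ctypes.string_at(addr, len(self._key))
```

Note what this does not change: whoever already has administrator access can read the key while the vault is unlocked, or simply capture the master password as it is typed.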


The moral is: if someone has physical access to your machine, he can compromise your secrets. So make sure your passwords are kept encrypted (that's what password managers do). And don't trust a machine that has been in the possession of a black hat.


"Severe vulnerabilities uncovered in popular password managers": https://www.zdnet.com/article/critical-vulnerabilities-uncovered-in-popular-password-managers/