Tuesday, August 13, 2013

Et tu, Google?

I was just reading through the Ycombinator comments about Elliott Kember’s blog post about Chrome. I am shocked. You, as my only reader, are already familiar with the fact that my hobby, education, and profession are all security. Initially software security, but expanding to security in general.

Not only shocked, but absolutely appalled. Mister Kember is writing about how Chrome has revealed that OS X provides programmatic access to your “Keychain” without requiring a password. Think about that again. OS X pretends to be guarding your passwords, but... not really. About half the comment replies are attacking Google for not protecting something that is not otherwise protected!

What the Google haters are asking for is no different than “encrypting” your passwords.txt file by renaming it passwords.exe. Sure, it means that your Grandma can’t double click on the desktop icon to read them, but it doesn’t mean it is secure.

Justin Schuh, from Google, had this to say about password security...

I'm the Chrome browser security tech lead, so it might help if I explain our reasoning here. The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we've found that boundaries within the OS user account just aren't reliable, and are mostly just theater. Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install a malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants. We've also been repeatedly asked why we don't just support a master password or something similar, even if we don't believe it works. We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, they can get at everything. Because in effect, that's really what they get.

… and it is all true. Thank you, Google for concerning yourself with true security instead of faking it.
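The reasoning above boils down to one check a defender can actually run: is the secret store protected by the OS user-account boundary, or only by obscurity (the “rename passwords.txt to passwords.exe” trick)? The following is an added example, not code from the original post or from Chrome; it assumes a POSIX system where ownership and mode bits are the access control, and the file paths and contents are constructed for the demo.

```python
"""Audit whether a secret store relies on the OS user-account boundary.

Added example (not from the original post). Assumes POSIX semantics:
the file owner plus mode bits decide who can read the store.
"""
import os
import stat
import tempfile


def owner_only(path: str) -> bool:
    """True if `path` is owned by the current user and carries no group or
    other permission bits, i.e. the OS account is the only thing that can
    read it. Anything wider is the "theater" the quote above describes."""
    st = os.stat(path)
    if st.st_uid != os.geteuid():
        return False
    return (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def write_secret_store(path: str, data: bytes) -> None:
    """Create the store with mode 0600 from the first instant, so there is
    no window in which a default umask leaves it readable by others."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    # An existing file keeps whatever mode it already had, so enforce it.
    os.chmod(path, 0o600)


def demo() -> dict:
    """Constructed demo: a renamed-but-unprotected file next to a store
    that actually leans on the account boundary. Returns the audit result."""
    workdir = tempfile.mkdtemp()
    theater = os.path.join(workdir, "passwords.exe")  # renamed .txt, nothing more
    with open(theater, "wb") as f:
        f.write(b"constructed-sample-secret\n")
    os.chmod(theater, 0o644)  # the typical default: world-readable

    real = os.path.join(workdir, "passwords.db")
    write_secret_store(real, b"constructed-sample-secret\n")

    return {"theater": owner_only(theater), "account_bound": owner_only(real)}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'protected by account boundary' if ok else 'NOT protected'}")
```

The point of the audit is the same as Schuh's: any scheme layered inside the account (a renamed file, a hidden directory, a master password whose key lives in the same account) does not change what `owner_only` measures, and what it measures is the only boundary the OS will actually enforce.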

Now, onto my list of favorite fails from the comments!

  1. This sets up a situation where Chrome actually circumvents and makes passwords originally stored in Safari less secure than they were initially - Without having a Mac to research, I can’t say for sure, but it sounds like neither Chrome nor Safari stores the passwords itself on a Mac; they use the operating system keychain, which obviously doesn’t require a password to access or Chrome couldn’t do it.
  2. This concerns me. I have friends that I would not trust around my computer now because... - Sorry mate, you shouldn’t be trusting those friends to access your computer then. Think a bit more about what all you are exposing yourself to. Chrome isn’t the problem.
  3. Also, going off what you have said, the "locking" process in windows is pointless since it offers a false sense of security. It can be broken just by rebooting the computer with a boot disk, right? - A rebooted machine has wiped system state and still doesn’t gain the attacker anything if you defended against it. *cough* disk encryption *cough* Applications can’t reasonably defend against the OS and the OS can’t defend against the hardware. Thems the breaks.
  4. that does make it psychologically harder - When your standard of security is “I’m protected against someone that doesn’t want to attack me” then you have lost. Leave up a sign that says “Key under mat” or don’t lock your door, neither is protecting you.
  5. Yes, but by your reasoning, surely obfuscating passwords when inputted into websites is also pointless, yet you do do this in Chrome - Masking passwords is not done to protect them from the user, it is done to protect them from anyone with visible access to the screen.

You only defend against the threats you try to defend against. Chrome has decided not to try to defend against the malicious user legitimately logged into your system, because they can’t. Not really. It even says so in their FAQ: “Why aren't physically-local attacks in Chrome's threat model?” So, either use Chrome as it is or don’t. Just realize that whatever else you use is failing to protect you from a malicious user too. How long does it take to steal your Chrome passwords? No longer than it takes to install a RAT from a thumb drive!

The title is just amusing to me; I don't feel betrayed by them at all. In fact, when I forgot a password I had saved, Chrome reminded me. And I was glad for it.

Saturday, August 10, 2013

My Introduction to the Physical Side of Cybersecurity

Let me apologize if you came in expecting a discussion of cold-boot attacks.

A few months ago I moved to a new townhouse. The front door has an interesting handle lock/deadbolt combination, in which the handle lock defaults to engaged, with buttons on the covered side of the door that disable it. Interestingly, if the deadbolt is engaged then the buttons revert to engaged. Not knowing about that feature, the first time after moving in that I went to leave was the first time I was locked out of the house. It was a scary moment, as I didn't even know any of the neighbors yet and the landlord is out of state. Remembering a trick I was shown years ago by a neighbor helping us re-enter our apartment, I attempted to jimmy open the latch with an unused credit card. (Don’t use your primary debit card; the attempt can snap a card in half!) Thankfully, and terrifyingly, the front door opened with a soft click. My feelings about the moment were echoed back to me upon returning to the car when my house-guest stated “I’m glad you got it open but a big part of me was hoping it would be harder than that!”

That day and the sudden feeling of helplessness when the door first clicked shut told me that I don’t ever want to feel like that again. This event occurred about a month before my wedding anniversary, so I informed my partner that the only gift I wanted was a set of lock picks and a how-to guide. Soon my very own copy of the “CIA Lock Picking: Field Operative Training Manual” arrived, followed by a small set of lock picks. (Less than 4 stars on Amazon; not a very detailed book.)

Once my picks arrived, I went searching through my house for locks to practice on. Turns out that all of the keyed locks in the house are on the exterior doors; to practice I would have to sit in public picking at the lock. Something tells me that this sort of activity would not endear me to my new neighbors. So, off to Walmart I go, purchasing a Brinks deadbolt, single cylinder, spending about sixteen dollars. (Hindsight: who thinks that a sixteen dollar lock is a good choice to protect that 60 inch television?)

Television time became practice time, up to two hours a night, depending on when the day's obligations finished. That first successful pick took a few weeks to occur. I kept practicing with that deadbolt until I could open it three times in a single show. The keyway scraped wide enough that the tension wrench could slip without the plug turning, so I felt it was time to retire that one.

Today I decided to try a new lock, so I picked up a Master padlock. One was labeled as “Level 5” and one was labeled as “Level 9”, so I grabbed the nine. My assumption was that it should provide me with another few weeks of practice. Wrong. Time to first pick was measured in seconds; what a waste. For the next few minutes I just kept clicking it back open. So much for “pick-resistant.”

These two locks are a significant milestone in my growth as a security practitioner. Picking gives me the ability to assess the physical security of a space. Recommending ten to twenty dollar locks from Walmart to secure your spaces and data storage is not a recommendation I would make.

In my basement I discovered that there is a locked box from an old, disconnected security system. Fairly ironic that a metal box with the word ‘Security’ in the brand label has a lock which is trivial to pick.

Amusingly, one lock I have not yet attempted is my own front door. Not disturbing the neighbors is still the excuse I give myself, but maybe I just don’t actually want an honest assessment.

As a closing thought, I want to stress as strenuously as a newbie security blogger can that handle locks are worse than no lock. Security theater, where the lock does not do anything. An actor willing to walk into your house will likewise have no scruples against just unlatching the door. Cost required? Free, as I have found store club cards to be better than credit cards for doing this. They flex around the corners better than the stiffer credit cards and you can get more just by walking into a store and asking for one. My “pick” of choice right now is a Safeway card!

TL;DR: Locks seem to really be a place where you get what you pay for! Handle locks just let you think you're secure!