Slashdot Mirror
Passwords Can Sit on Hard Disks for Years
CygnusXII writes ""As people spend more time on the web and hackers become more sophisticated, the dangers of storing personal information on computers are growing by the day, security experts say. There are some obvious safeguards, such as never allowing your computer to store your passwords. But even that is no guarantee of security." "
What about encrypting swap space? This will not a) solve the problem completely, and b) may waste CPU cycles, but should be within easy reach of OS implementors. If your system swaps so often that that becomes a problem, you're in trouble anyway...
-- Gideon
My favorite MacGyver episodes were the ones where he used fingerprinting dust to read the numbers on a keypad. Of course, anyone using the keypad for a password is only going to press the keys involved in the password.
The most dangerous thing to security is people. Why go routing around on a hard drive when you can just ask someone what the password is, and they'll probably tell you anyways?
stuff |
Just put your swap on another partition and zero it every so often (any way to do this automatically during shutdown, after VM is suspended?) - that takes care of your passwords in memory. As for programs that store them on disk, they better be encrypted, ala Apple's Keychain.
I don't know what kind of crack I was on, but I suspect it was decaf.
I know a guy whose dad worked for the gov't in some sensitive research position. His official work computer was a portable with 1 gig of RAM (mind you this was back in the early 1990s, when RAM was about $40 a MEG) and no hard disk, to ensure that nothing would be permanently stored. Every time he booted up, he had to dump the entire working image from tape to this gigantic RAMdisk.
The catch? the tape drive. That's just as permanent as a HD, and he took it home along with the PC, so he could work at home as needed.
~REZ~ #43301. Who'd fake being me anyway?
and I did RTFA, and realize they're talking about the swap file... ...but I have 1.5GB of RAM, and I have a 20MB swap file that's overwritten each time I reboot my PC.
:)
Most Windows systems use the default setting for virtual memory, which is "windows managed" -- which means it's overwritten each time the system is rebooted. What's the big deal?
Has anyone here actually hex edited a swap file before? How is the data actually stored? For the reasons mentioned in the article, I imagine it would at least... not store data transmitted via SSL in plain text (why the heck would form data stick around in RAM anyway?)
Sounds like a neat project for after work today.
[an error occured while processing this directive]
You can prevent writing pages to swap using mlock(2). Works on most *NIXes. You do have to be root though. Perhaps an idea for Linux: allow non-root users to lock just one page for passwords ?
I keep my passwords on my computer, but in an encrypted database. I don't know of any safer way to manage my passwords and user accounts for countless web sites and pieces of software.
The only potential downsides to this threat are two-fold. One, a hacker could install a keylogger on my machine. I find that unlikely as I keep my anti-virus software up to date and I don't receive any spam or virus emails since they are all filtered. It is possible that one could install via a worm, but unlikely that it would go undetected for long.
Second, someone could break the encryption used on the database. I find that doubtful since it's pretty high-level encryption and the amount of effort to crack it would not be trivial.
The primary issue I see above is whether the value of the information exceeds the potential effort in obtaining it. I really doubt anyone would ever want my personal information thus I see the value of my information as being far lower than the difficulty needed to obtain it.
Actually, assuming your place of work is secure (i.e., in an out of the way place), putting your password on stickies can be a pretty good form of security, assuming that you need to use stickies because you're frequently changing the password.
Using the same password for years on every site you visit just because it's easy to remember *really* opens you up to security problems.
Perhaps the ultimate solution would be to encrypt data as it is entered, before it is saved into RAM,
Not to mention when you look at how the data is entered, it passes through RAM as one of its very first stages.
This would literally require a kernel patch.
I am unamerican, and proud of it!
That was my thought too...
Back in the Win3.1x era, when the typical swapfile was still small enough to peruse with a hex editor, I cruised through my permanent swapfile with LIST, just to see what was being dumped out of RAM. I found data in there that was identifiably over 3 years old. And therein, I also found some passwords archived -- as plaintext.
Not to mention logfiles; I have some that stretch back several years, and I'm sure I'm not alone.
So I don't find this exactly "news" either. Then again, I could turn this into a rant on the "expertise" of the typical tech journalist... (one of my PC maintenance clients is one. Regular exposure has given me a complete lack of respect for the breed.)
~REZ~ #43301. Who'd fake being me anyway?
You'd be amazed what you can find on Kazaa when you search for documents with password or resume or account as the keyword. People don't realize that you don't need to be a hacker to break into your machine - just someone with access to the folder you share on and P2P network...which, if it happens to be your My Documents folder....look out.
There are 01 types of people in this world. Those that understand binary, and me.
OpenBSD encrypts the swap space by default, specifically to avoid these problems. I would hazard a guess somebody has hacked Linux to do the same, but I haven't seen it.
Of course, if you have so much RAM that you never swap, this is less of an issue.
Of course there is a guarantee...
Just buy a boatload of ram and disable virtual memory. Problem solved.
Of course, you could always use Knoppix or something similar whenever buying on-line. This would also solve the problem for the truly paranoid.
"-1 Troll" is the apparently the same as "-1 I disagree with you."
I know you said you don't like the Keychain, but by using it, you surf to the webpage and... it's already filled in from an encrypted database. Why reinvent the wheel, especially for web logins and such?
Keychain expects/assumes that all the stuff you store in there is conventional logins at certain URLs, etc. A lot of the entries I store don't fit that mold: my local router login/pass, my credit card pins, and some server logins that have unconventional fields. Most importantly, I want all those fields to be encrypted, not just the password field--that's a huge issue. If someone is logged in w/ my Mac OS X acct, i don't want them to just browse my keychain's non-password fields.
G-Force music visualization
Some basic tips that not enough people know, in no particular order:
1. Make sure you have a firewall configured to allow incoming connections from only ports you need open. You might be able to do just fine with no incoming connections allowed at all.
2. Have an updated virus checker.. Norton or Mcafee. By updated, I mean having it auto-update for you. Have it check every file accessed on media accessed by the computer, and email. At the very least, all the incoming media and email should be scanned on the fly, but outgoing is a good idea too.
3. Use Spybot or Ad Aware at least once a month to scan for spyware. Also keep these updated. I forget if they auto-update, but just be sure it checks for updates before you run them.
4. Only use credit cards that keep you free of liability for any fraud.
5. Buy a separate unnetworked little organizer with a keyboard to store hints to remember your passwords. Don't store the actual password.
6. Cancel credit cards you don't use.
7. Photocopy the backs and fronts of all the credit/debit cards you use and whatever else you keep in your wallet. Write in the customer service phone numbers if they're not clear.
8. Have Windows auto-update and auto-install all critical patches, or keep your Linux distro updated.
9. Don't open email attachments that you have no reason to trust, and certainly not until you have antivirus software checking incoming emails.
I use a handy javascript I wrote (and ported to PHP, Perl, JSP, and ColdFusion) to generate pronounceable passwords for my work computer. They make me change it every month and I'm not allowed to use the same one for twelve months. This keeps me out of a rotation, and it's really easy to remember because it's pronouncable.
I'm in the hole of the broadband donut.
Wouldn't this be a good reason for the OS to permit programs to pin pages in RAM? The only reason I can think of not to permit that would be that a hostile program could DOS a system by pinning lots of memory in RAM; if the OS strictly limits the amount of memory that a program can lock in RAM, that would fix that.
I think that gpg runs setuid just so that it can lock its memory in RAM; why don't Linux and Windows offer this feature to non-privileged programs?
Go download Eraser. It will erase empty space and swap files using DoD mil quality and even higher. It will erase empty space on your drive while you sleeping swiping it clean of bits 32 times over. On shutdown it will erase the swap file with the same quality. You can also get the source code and make it better if you want.
I have mine run once a week. I'm more concerned of my hard drive failing having to returning it under warranty and someone else receiving that drive they could then retrieve my data.
I have a computer services company, and a client of ours, a lawyer, never ever lets his computer out of his office. All repairs, no matter what, are done in his office, under his scrutiny. He has no problems paying for it, he says he is required by law (we are in Spain) to be sure that his clients' data is safe at all times. There just isn't another option.
"If God created us in his own image we have more than reciprocated." - Voltaire
Nah, reinstalling is just a sign of incompetence at dealing with Windows. And I mean that seriously. On average it takes Win32 about 3 years of average-user neglect and outright abuse to get to the point where it's nonfunctional, and even then it's recoverable with simple maintenance procedures.
:)
As a SOHO tech, my job is not just to get the machine working, but also to get it to the state the client expects it to be in -- with all his apps and data intact (whether he has a good backup or not). I've only had to reinstall Windows *once*, and that was due to AOL5 FUBAR'ing both DUN and the entire WinEx/IE setup -- on a system that had gone five years with a PEBKAC owner and ZERO maintenance. I find it is faster and easier to resurrect the system than to hope to find all the body parts (apps, data, passwords, settings, CD keys, etc, etc.) and reinstall them where someone else expects them to be.
Of course, this is why my clients won't let anyone else touch their PCs, either
My own everyday setups date back to 1998 (Win95), 2001 (Win98), 1999 (WinME -- hasn't crashed since Sept.99, and this is a test box!!), 2002 (XP Pro). Plus I have a couple part-time-use Win95 machines that date back to '95 and '96. And my Win16 setup (1994) was finally retired at 7 years old. All are original installs and all work their asses off. -- I hadn't looked in WFWG's swapfile in some time, but it's a safe bet that if I inspect the CD where it's archived, I'll find data in the perserved swapfile that is now over 10 years old.
~REZ~ #43301. Who'd fake being me anyway?
The memory block, with your data, can still be claimed by another application after the page is unlocked. From there it can be written to swap, and we're back to the original problem.
But like someone later in the threads pointed out, if someone has access to your swap file then you probably have bigger problems....
Yep, pretty much. If someone's that fascinated with your current personal stuff, there are easier and less-chancy ways to access the data. And if you're worried, use a wipe utility on that old HD before you trash it or donate it. Or if your tinfoil hat fits really tight, take the platters out and expose them to a hammer and a blowtorch.
IOW, tho the security issue exists, it's not exactly something to lose sleep over -- because if someone wants to compromise your security, why not get current data right from today's data input, instead of possibly-obsolete data of unknown relevance!
~REZ~ #43301. Who'd fake being me anyway?
Of course, I've used the same password for years and nobody's figured it out yet.
Or maybe you've used the same password for years and haven't figured out that somebody else has.
It's a good policy, but what happens if you can't do anything with the hard drive? I possess a single laptop computer, and when its motherboard went faulty a while back, I had no choice but to send it in to be serviced without touching the hard disk.
I tell you, getting a guarantee from the service company that they wouldn't do a 'system restore' or anything else destructive to the hard disk was a nightmare.
"We recommend you perform a backup before sending the computer in."
That's really useful, but the system won't boot and I don't have any others with the right connector for the hard disk.
Eraser is a GPL program that (among other uses) will overwrite empty hard disk space as many times as you specify. Simply change the pagefile size to 0MB, restart, and run eraser on free disk space. Tell it to overwrite 7 times. There's no way anyone's recovering it then.
Actually data in RAM can be recovered too, depending on how long ago it was written and the memory chip has been used since then: http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_ del.html
$5 / month hosted VPS on linux = awesome!
Maybe a removable hard drive would be much easier on the wallet. Keep the programs/OS on the computer's hard drive, but all client data can be kept on an external firewire/USB hard drive. You can even buy two and copy one to the other once a week or so for backup. All for under $100 (if you shop around).
"-1 Troll" is the apparently the same as "-1 I disagree with you."
I said you've got to be f'ing kidding me. I used this PC for contract programming work, the drive had hundreds of files of clients' source code on it. And since I couldn't access it, there was no way to erase them. Physically destroying the drive with a hammer was not an option (I asked.)
After hours of complaining to Dell on the phone, I was only given one choice: pay for the new drive, or give it back. So the bottom line is, the mfg warranty on hard drives is utterly worthless, unless you don't mind handing over all of your files and personal data to a complete stranger.
I read Usenet for the articles.
No, I'm not a M$ fanboy. You'll see me bitch about their business practices, and sometimes about their software, as often as anyone here -- you want to see software flamed to a crisp, get me started on M$Office! and just wait til I catch up with the idiot who thought "browser as your desktop" was such a great idea, or the moron who didn't fully test the .MSI installer on Win98. And as to M$ getting in bed with DRM/media... that's why I keep hoping for a *NIX desktop I can next-gen my clients to, but so far it hasn't happened.
/. article about the router! talk about a field where they should know better!!)
But in my experience, whining about *Windows* instability is based more in ignorance, and failing to consider the influence of bad hardware, than in objective reality. Considering all the random shit hardware people use, the ill-mannered software that abounds these days (most no longer bothers to clean up after itself, but rather expects Windows to do it for 'em), and the ignorance of average users, Windows gracefully absorbs a helluva lot of abuse. Yeah, it's possible to mangle the registry, but that's actually pretty rare; I've not seen it happen in years. And yeah, there are security holes and stupid default settings, but that's hardly unique to Windows (see the concurrent
I also have a Mandrake box, and while I generally like it well enough (tho I view BSD as more mature than linux), I do find it a whole lot easier to confuse or crash. Lordy, the lockup I get if I accidentally feed it a bad CDR!! Have to power down to get the CDROM drive back.
~REZ~ #43301. Who'd fake being me anyway?
Easy. Do what I do. Use a 4096-bit public/private key pair, and keep the private key on a USB dongle on your (physical) keychain. *shrug* Of course, you probably want to back on your key on another device (CD-ROM in a physically secure location, for example), in case the USB drive goes kaput.
I have the same concerns, but there are simple solutions...
#1. Backup all your data, and re-format your hard drive.
or
#2. Leave the original hard drive alone, remove it, and insert your own. Then when you need to send it in, remove your drive, and reinsert the original.
I do this myself because notebook manufacturers charge hundreds of dollars extra when you choose the same notebook with a larger hard drive. Screw them, I'll buy the cheap 20GB version, then insert my own 60GB hard drive. If they want to say I've voided my warranty, they can explain their position to a judge, most of whom have notebook computers themselves
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
This is the media version of an academic paper for USENIX Security '04. It glosses over a lot of details.
Examples:
- mlock(). Available to root only under Linux, so useless outside of setuid programs - and we all have so many of those we trust, right?
- VirtualLock()/VirtualUnlock(). Win32 versions of mlock(). Not implemented in the 9x series, advisory in a few other Windowses (I can't find the docs on where, but it's in the original paper).
- zeroing memory. Oops, your optimizing compiler just optimized away that memset() call as dead code. This was a known flaw in some crypto libraries a few years ago.
The system described is a whole-system simulator, it traces bytes of input from the moment they pass the keyboard through the kernel, into the user-mode applications that use the bytes (e.g. kernel to X server to Mozilla), and how long those bytes hang around in the physical RAM of the machine.
This does not necessarily describe a highly practical attack, but more a quantification of how vunerable systems are to such an attack. In fact, the original paper is about data lifetime information.
- Did you know the most recent 4K keystrokes (passwords included) are stored in the kernel's tty buffer?
- Did you know several dozen of your keystrokes are stored in the Linux kernel's entropy buffer (for random number generation)? They aren't actually consumed for as long as several hours.
A witty [sig] proves nothing. --Voltaire
You can get data off of a disk after several writes also.
An analogy I use, which is not terifically accurate on technical terms, but which does a good job of illustrating the point is this:
Think about hard disk heads writing 1xxxxxxx or 0xxxxxxx when they store data on the disk. The 1 and 0 are the signal strength at an arbitrary magnetic value of 10^8, while the remaining lesser magnetisms are left more or less unaffected. Actually, whatever existed there has its power diminished, so you sort of see a digit shift to the right.
The next write makes sure to set the most significant power of the disk, but physics causes the magnetism that previously resided there to leave some impact on the actual charge. Let's say I had a 0 in a given spot previously. Now I write a 1. The overall magnetic charge is actually just slightly below 1, which I will represent as 10xxxxxx. You see, 0 represents a negative charge and 1 represents a positive charge (north or south if you will). So you can recover data from the previous write by seeing whether each charge is a bit above or below the expected charge here. The next write (let's say a 0) causes the charge to be 010xxxxx. The charge is slightly above a 0 (south), and even more slightly below an expected 01 reading. This continues on out to infinity actually.
Given perfect media, perfect measuring equipment (read heads), perfect write heads, and perfect storage conditions (zero magnetic drift on the disk), data could be read off of a disk that was stored there billions of writes ago. In this perfect circumstance, there is an infinite amount of data that could be stored on a single atom.
Of course in reality, write heads leave a charge plus or minus a few percent of their target charge, magnetic drift caused by media imperfections (such as media decay) and environmental factors (such as errant magnetic fields, eg, from the earth or surrounding equipment), plus a limitation on the precision of reading equipment means we can only recover data from out a few writes, depending on the circumstances. As far as securing your workstation goes, keeping it in close proximity to other electronic devices will strongly boost the chances that environmental magnetism will push individual bits on the disk out of the realm of being able to recover that data. Surprisingly (or not), inexpensive disks work better toward securing your data this way since they have lower quality write heads with a wider fluctuation of write power, and lower quality surfaces causing higher material decay and quicker data loss. These same disks though have a higher failure rate for exactly the same reasons.
All of this is why data destroying tools offer you a option for how many passes you wish to make over the disk. The more times you write, the less likely the data will be recoverable. 8 times is usually more than sufficient for IDE disks, I'd recommend 16 or more times on a high quality disk, such as many SCSI drives.
Slay a dragon... over lunch!