Passwords Can Sit on Hard Disks for Years
CygnusXII writes "As people spend more time on the web and hackers become more sophisticated, the dangers of storing personal information on computers are growing by the day, security experts say. There are some obvious safeguards, such as never allowing your computer to store your passwords. But even that is no guarantee of security."
Run for the hills! There's no guarantee of security! Everyone stop using your computers right now!
I'm in the hole of the broadband donut.
I've got to stop using c:\windows as my password!
It looks like some reporter just discovered the page file. :)
The project was written in C++. We started out using a custom string class that performed its own memory management (with zeroing the buffer on deallocation), but then promptly ran into problems with the STL. We wound up writing a memory allocator that also cleans up after itself. Those two solutions took care of the vast majority of the data leakage "problem" -- the only thing left was reinitializing stack variables within functions.
The same customer actually requested this first. The problems associated with it were terrible, especially in a multithreaded application. Plus, performance basically sucked. Wiping the data afterwards seemed to have the same end result, the performance was still good, and the customer was happy. BTW, the memory allocator and string class both made their way into the company's downloadable core library (MIT license).
Computers not secure? What a relief all my passwords are on stickies stuck to my monitor. I'm set!
What does it mean to wake out of a dream
and be wearing someone else's shorts?
BNL, Born on a Pirate Ship (1998)
My favorite MacGyver episodes were the ones where he used fingerprinting dust to read the numbers on a keypad. Of course, anyone using the keypad for a password is only going to press the keys involved in the password.
The most dangerous thing to security is people. Why go routing around on a hard drive when you can just ask someone what the password is, and they'll probably tell you anyways?
Let's just do a brain scan of everyone. I mean, you can forge fingerprints, voice prints, etc, but you can't beat a mind probe!
talk about hacker sophistication...
This is not my opinion. Actually, it's not even an opinion. And I'm nowhere to be seen near it
It's amazing how easy it is to find people's password files shared on P2P apps like DirectConnect, Gnutella, etc. There's everything - Total Commander (FTP), WS FTP, mail clients, you just have to search for the proper file name.
I'd really like to sell you my old computer since this is a yard sale and all, but I see that you're wearing a mask, carrying a saber, and have a black hat on that says "l33t h4x0r!" I can't help but think that you might somehow be up to some nefarious shenanigans!
I've still got a three year old password on a postit note on the side of my monitor. It just goes to show you that passwords can sit anywhere.
The real question is, if a password's that old, what use SHOULD it still have? Hopefully, people adopt policies where they update passwords every month, or few months, especially if it's dealing with anything financial/uber personal (doctor's records.. etc).
Get real, stop trying to scare us with your security warnings; just educate people to change their passwords.
"Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
Passwords have been on hard drives for many many years. No matter if you are using M$ operating system or a linux there are passwords on the machine. If people don't know how to protect their computers then maybe they should just give their ATM card password to the public domain.
with that, all my passwords are automatically filled in by Gator.....
... and nobody's figured it out yet. I actually use several passwords, depending on the level of security. The "lowest" password, "password", is used for signing up to things like mailing lists, etc where there's little chance of me returning. The mid-level password, a pair of words with numbers in them, is used for mid-level security, such as my email, etc. The highest level password, a random collection of numbers, letters, and symbols, is used for the most secure information, such as my bank account, slashdot login and my pr0n encryption key.
Now if I could only remember the combination to my safe.....
Just my 46fctfj6&*23's worth....
-Rick the WizKid
(oooops...)
Ah, funny this story was posted--I just had to address this issue the other day. I run Mac OS X and I happened to be doing a fresh install, moving all my data over from an old HD. Before this, I had always stored my slew of account info in a text file in an obscure and unlabeled file (I know, I know--very careless of me--that's why I was ready to change my ways!).
Mac OS X's built-in "Keychain" services/util isn't streamlined for repeated user use, not to mention it doesn't have several auxiliary/free-form fields (that are also fully encrypted with the password field). After some research and trying a few of the freeware and shareware apps out there, I came across Pastor, a freeware, super-lightweight and user-friendly app that basically lets you maintain a catalog of username, pass, and about 6 auxiliary fields, stored in an encrypted file (when you go to open a file, it prompts you for the password and decodes it on the fly). If for some reason you don't dig this particular app, there's a couple others like it as well with increasing levels of features (I happen to prefer lightweight).
So I went w/ this model and it's had great payoffs--when I need a particular login, I click on an alias to my main password (Pastor) file, enter the file's password to decrypt it, look for what I need (it alphabetizes), and I'm all set--meanwhile, there's absolutely no risk of security--I love it.
G-Force music visualization
There's no way to be 100% secure with passwords and the likes, but there are some things everyone should do. 1.) don't have the same password for everything! The website admins to every site you use a password for have access to it (and no one can trust a slashdot editor!). 2.) change your password often. The more often the better. This won't always work since most people, when they get a password, will do their damage immediately... but you never know. Another advantage here is OLD websites that you visited a long time ago may change and new administrators will have access to your password.
pretty redundant stuff, but good advice that most people are too lazy to follow.
Just put your swap on another partition and zero it every so often (any way to do this automatically during shutdown, after VM is suspended?) - that takes care of your passwords in memory. As for programs that store them on disk, they better be encrypted, ala Apple's Keychain.
I don't know what kind of crack I was on, but I suspect it was decaf.
Store all your passwords on a burned CD, that way they'll have a shelf-life of 3-5 years tops.
and I did RTFA, and realize they're talking about the swap file... ...but I have 1.5GB of RAM, and I have a 20MB swap file that's overwritten each time I reboot my PC.
:)
Most Windows systems use the default setting for virtual memory, which is "windows managed" -- which means it's overwritten each time the system is rebooted. What's the big deal?
Has anyone here actually hex edited a swap file before? How is the data actually stored? For the reasons mentioned in the article, I imagine it would at least... not store data transmitted via SSL in plain text (why the heck would form data stick around in RAM anyway?)
Sounds like a neat project for after work today.
And everyone laughed at me when I put 2GB of RAM in my computer, allocated 1GB as a RAM disk, and pulled the harddrive out. None of those security issues here!
One thing that worries me is sending machines away to get repaired.
I have a Sony Vaio laptop which I had to send to be repaired. I phoned the support number to tell them I was going to take the hard disc out before sending it. They said that if I did I would be charged for a new hard disc (at a hugely inflated price) and they wouldn't repair it without one.
I once sent a PC for repair and the teenage dork who repaired it actually said I had some great games on my machine and that he had played them. In another case in the UK, some paedophile was caught (was it Gary Glitter?) when he sent his PC in for repair. Now, I'm all for catching kiddie fiddlers, but that is not the way to do it.
I don't want the repair staff looking through the stuff on my hard disc. There should be a standard industry guarantee that this won't happen, or a privacy law about it or something.
When I read the headline, I was alarmed. But
and keep your goatsex links and pictures confidential.
then I read the article, and all my worries went away.
I encrypt my swap partition, and that fixes the problem.
It's not hard, and since it's swap (i.e., data
you don't need for very long), you don't even need
to remember a password (your computer uses a random
one every time it sets up the swap). Really, it's
pretty easy -- see the HOWTO at http://www.tldp.org/HOWTO/Disk-Encryption-HOWTO/
----- Why sig when you can sign? PGP key id 7675D05E
Be careful, passwords can sit on paper for decades!
I keep my passwords on my computer, but in an encrypted database. I don't know of any safer way to manage my passwords and user accounts for countless web sites and pieces of software.
The only potential downsides to this threat are two-fold. One, a hacker could install a keylogger on my machine. I find that unlikely as I keep my anti-virus software up to date and I don't receive any spam or virus emails since they are all filtered. It is possible that one could install via a worm, but unlikely that it would go undetected for long.
Second, someone could break the encryption used on the database. I find that doubtful since it's pretty high-level encryption and the amount of effort to crack it would not be trivial.
The primary issue I see above is whether the value of the information exceeds the potential effort in obtaining it. I really doubt anyone would ever want my personal information thus I see the value of my information as being far lower than the difficulty needed to obtain it.
Rumor has it that XP SP3 includes this optimization.
You'd be amazed what you can find on Kazaa when you search for documents with password or resume or account as the keyword. People don't realize that you don't need to be a hacker to break into your machine - just someone with access to the folder you share on any P2P network...which, if it happens to be your My Documents folder....look out.
There are 01 types of people in this world. Those that understand binary, and me.
OpenBSD encrypts the swap space by default, specifically to avoid these problems. I would hazard a guess somebody has hacked Linux to do the same, but I haven't seen it.
Of course, if you have so much RAM that you never swap, this is less of an issue.
Yep. From MSDN: "The VirtualLock function enables a process to lock one or more pages of committed memory into physical memory (RAM), preventing the system from swapping the pages out to the paging file"
Correct me if I'm wrong, but if an attacker has the permissions to trawl through the swap, then couldn't they just insert a keylogger, instead? That seems to be considerably simpler, to me.
I suppose there's an argument about someone getting the passwords off old machines that have been thrown out. But even then, surely any respectable business will use some software to scrub out all the last traces of sensitive data on any hard drives they're dumping.
An encrypted hard drive wouldn't protect against a key logger. It would protect sensitive data against physical theft, I suppose. But I wouldn't call that "hacking".
2) To delete things properly, turn off paging and disk caching, reboot, then run something like Mutilate to fill all the unused disk space with rubbish. Remember to turn paging and caching back on afterwards or performance will be slooooow.
3) If you're disposing of a PC and you want to sell it with the HDD, it's usually easiest to reformat the HDD in another PC (as a slave) then run a file wiper as above.
4) Running a good file wiper once is perfectly adequate. Physical data recovery techniques using misaligned drive heads to pick up "ghost" images may or may not exist (hence the occasional recommendation to wipe 9 times) but the cost of doing so is so high that it would have to be a matter of national security. Commercial data recovery/forensic services do NOT use physical recovery techniques, they just go for deleted files and slack space.
When I am king, you will be first against the wall.
"...and hackers become more sophisticated..." ...and WHO become more sophisticated?
Dude, they don't just rollerblade around with laptops going to phone booths anymore...
They have moved up to segways and wireless!
Sophisti-mication
[I can picture a world without war, without hate. I can picture us attacking that world, because they'd never expect it]
Some basic tips that not enough people know, in no particular order:
1. Make sure you have a firewall configured to allow incoming connections from only ports you need open. You might be able to do just fine with no incoming connections allowed at all.
2. Have an updated virus checker.. Norton or McAfee. By updated, I mean having it auto-update for you. Have it check every file accessed on media accessed by the computer, and email. At the very least, all the incoming media and email should be scanned on the fly, but outgoing is a good idea too.
3. Use Spybot or Ad Aware at least once a month to scan for spyware. Also keep these updated. I forget if they auto-update, but just be sure it checks for updates before you run them.
4. Only use credit cards that keep you free of liability for any fraud.
5. Buy a separate unnetworked little organizer with a keyboard to store hints to remember your passwords. Don't store the actual password.
6. Cancel credit cards you don't use.
7. Photocopy the backs and fronts of all the credit/debit cards you use and whatever else you keep in your wallet. Write in the customer service phone numbers if they're not clear.
8. Have Windows auto-update and auto-install all critical patches, or keep your Linux distro updated.
9. Don't open email attachments that you have no reason to trust, and certainly not until you have antivirus software checking incoming emails.
I use a handy javascript I wrote (and ported to PHP, Perl, JSP, and ColdFusion) to generate pronounceable passwords for my work computer. They make me change it every month and I'm not allowed to use the same one for twelve months. This keeps me out of a rotation, and it's really easy to remember because it's pronounceable.
I'm in the hole of the broadband donut.
And sometimes, they just sit on the front page of Slashdot.
Passwords are written on little yellow sticky paper, then they sit on the side of the monitor.
["Operating systems such as Windows and Linux have no facility for stopping data being written to the hard drive."]
In fact.. such operating systems are DESIGNED to write to the hard disk..
(like someone said above.. someone just discovered the swap/page file)
I think the author needed to be a little more articulate with the wording.
----- The internet has given everyone the ability to have their voice heard equally as loud.. even if they shouldn't be
Wouldn't this be a good reason for the OS to permit programs to pin pages in RAM? The only reason I can think of not to permit that would be that a hostile program could DOS a system by pinning lots of memory in RAM; if the OS strictly limits the amount of memory that a program can lock in RAM, that would fix that.
I think that gpg runs setuid just so that it can lock its memory in RAM; why don't Linux and Windows offer this feature to non-privileged programs?
That a hacker will necromance your password off the hard drive, or that you'll get a keylogging spyware installation? To avoid the first you need to never store your password, to avoid the second you need to always store it. Sure, we could all go to scratch pads coupled with retinal scans, but nobody's going to pay for that infrastructure.
Bottom line, patch your software, get a firewall, be careful about opening email, don't use IE or Outlook, and do virus/spyware scans regularly. You'll be safe from all but the most determined hackers, and they don't care about your password.
Go download Eraser. It will erase empty space and swap files using DoD mil quality and even higher. It will erase empty space on your drive while you're sleeping, swiping it clean of bits 32 times over. On shutdown it will erase the swap file with the same quality. You can also get the source code and make it better if you want.
I have mine run once a week. I'm more concerned about my hard drive failing, having to return it under warranty, and someone else receiving that drive who could then retrieve my data.
Operating systems such as Windows and Linux have no facility for stopping data being written to the hard drive.
That's a flat out lie.
$ man mlock
MLOCK(2) Linux Programmer's Manual MLOCK(2)
NAME
mlock - disable paging for some parts of memory
SYNOPSIS
#include <sys/mman.h>
int mlock(const void *addr, size_t len);
DESCRIPTION
mlock disables paging for the memory in the range starting at addr with length len bytes.
OpenSSH uses paging protection. It also zeroes out the password in memory. Immediately upon hashing it. I've seen the code.
Authors are at Stanford? Paper at USENIX? Can't believe this shit.
The problem of swap containing sensitive data from running programs was addressed some time ago by OpenBSD. They generate a random key at boot time and use it to encrypt reads and writes to swap. By definition, you are not interested in the contents of swap the next time you boot up, so you can start with a brand new key. Not only is swap space secure against fishing expeditions like in TFA, but it's also secure against someone getting read privileges on the raw disk (unless they also get permissions on kernel memory and can go look up the key).
Too bad more systems don't embrace the idea.
Next they'll be relieving themselves by HTTP POST transaction...
Even the fathers never saw these days...
Funny... gator...
Here's another excellent password utility, from Bruce Schneier called Password Safe, which stores the passwords in a file and uses Blowfish to encrypt it. Very lightweight (requires only the executable -- no installation) but has the features everybody needs.
Of course, I've used the same password for years and nobody's figured it out yet.
Or maybe you've used the same password for years and haven't figured out that somebody else has.
Provos wrote this in 2001: Encrypting Virtual Memory
The new scientist sort of misrepresented the findings of the paper. The fact that passwords and other sensitive information gets retained on swap for a long time. The paper was looking at memory tainting, i.e. if an application handles a password where does it end up in memory. The results were slightly surprising. Nonetheless, most people would be even more surprised to see how much sensitive information ends up in swap. That's why you want to encrypt your swap partition.
$5 / month hosted VPS on linux = awesome!
"Operating systems such as Windows and Linux have no facility for stopping data being written to the hard drive."
Incorrect. Set the page file to 0 and watch Win2000/03 run dog slow. Or, configure Win2000/03 to erase its page file when the computer shuts down.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/567.asp
Is this new news? Maybe to some. However, the problem with many of these new Microsoft engineers is that they do not read the manual or pay attention during the MCSE courses.
My two cents (and yes, I am an MCSE).
Whenever I am programming an encryption program or something that needs to be secure, I use a bit eraser algorithm that is modeled after one presented in the book "Secure Programming in C and C++" (very good book btw. Very Practical) I am surprised no one has written open source for a cron job that does the same thing.
Although this might sound like an ad (it is not - it is not commercial) one might take a look at 'libsd': libsd makes ALL applications on your system do a secure delete without changing a single line of code.
It does this by intercepting calls like 'unlink' (delete files) and 'truncate': before deleting or truncating a file, the previous contents is first overwritten with garbage which is forced to disk.
So if you use this library and you delete a file with a password in it, that password should not be recoverable (although it might still reside in your swap partition...).
www.vanheusden.com - home of Multitail, HTTPing, CoffeeSaint, EntropyBroker, rsstail, bsod, listener, nagcon, nagi
This is the media version of an academic paper for USENIX Security '04. It glosses over a lot of details.
Examples:
- mlock(). Available to root only under Linux, so useless outside of setuid programs - and we all have so many of those we trust, right?
- VirtualLock()/VirtualUnlock(). Win32 versions of mlock(). Not implemented in the 9x series, advisory in a few other Windowses (I can't find the docs on where, but it's in the original paper).
- zeroing memory. Oops, your optimizing compiler just optimized away that memset() call as dead code. This was a known flaw in some crypto libraries a few years ago.
The system described is a whole-system simulator, it traces bytes of input from the moment they pass the keyboard through the kernel, into the user-mode applications that use the bytes (e.g. kernel to X server to Mozilla), and how long those bytes hang around in the physical RAM of the machine.
This does not necessarily describe a highly practical attack, but more a quantification of how vulnerable systems are to such an attack. In fact, the original paper is about data lifetime information.
- Did you know the most recent 4K keystrokes (passwords included) are stored in the kernel's tty buffer?
- Did you know several dozen of your keystrokes are stored in the Linux kernel's entropy buffer (for random number generation)? They aren't actually consumed for as long as several hours.
A witty [sig] proves nothing. --Voltaire
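Added example (not from any commenter, the paper, or the projects named in the thread): a C secret buffer that pins its pages with mlock() and wipes them through a volatile function pointer, so the compiler cannot discard the memset() as a dead store. The names secret_buf, secret_alloc, secret_wipe, secret_nonzero and secret_free are assumptions made for this example; if the OS refuses mlock(), the buffer still works and the locked field records the refusal.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* exposes MAP_ANONYMOUS on glibc */
#endif
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* memset reached through a volatile function pointer: the compiler must
 * reload the pointer at the call and cannot assume it is memset, so the
 * wipe cannot be removed as a dead store before the buffer is released. */
static void *(*const volatile wipe_fn)(void *, int, size_t) = memset;

typedef struct {
    unsigned char *buf; /* page-aligned storage for the secret */
    size_t len;         /* bytes the caller asked for */
    size_t map_len;     /* len rounded up to whole pages */
    int locked;         /* 1 if mlock() succeeded, 0 if the OS refused */
} secret_buf;

/* Map whole private pages and try to pin them. Returns 0, or -1 on failure. */
int secret_alloc(secret_buf *s, size_t len)
{
    long page = sysconf(_SC_PAGESIZE);
    s->buf = NULL; s->len = s->map_len = 0; s->locked = 0;
    if (page <= 0 || len == 0 || len > SIZE_MAX - (size_t)page) return -1;
    size_t map_len = (len + (size_t)page - 1) / (size_t)page * (size_t)page;
    void *p = mmap(NULL, map_len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    s->buf = p; s->len = len; s->map_len = map_len;
    s->locked = (mlock(p, map_len) == 0); /* may fail: privilege or RLIMIT_MEMLOCK */
    return 0;
}

/* Zero every mapped byte, not just the requested length. */
void secret_wipe(secret_buf *s)
{
    if (s->buf) wipe_fn(s->buf, 0, s->map_len);
}

/* Count bytes that are still non-zero (used to check the wipe). */
size_t secret_nonzero(const secret_buf *s)
{
    size_t n = 0;
    for (size_t i = 0; i < s->map_len; i++) n += (s->buf[i] != 0);
    return n;
}

/* Wipe first, then unlock and unmap, so no cleartext outlives the buffer. */
void secret_free(secret_buf *s)
{
    if (!s->buf) return;
    secret_wipe(s);
    if (s->locked) munlock(s->buf, s->map_len);
    munmap(s->buf, s->map_len);
    s->buf = NULL; s->len = s->map_len = 0; s->locked = 0;
}

int main(void)
{
    secret_buf s;
    if (secret_alloc(&s, 64) != 0) return 1;
    memcpy(s.buf, "example-passphrase", 18); /* constructed sample secret */
    printf("locked in RAM: %s\n", s.locked ? "yes" : "no (mlock refused)");
    secret_free(&s);
    return 0;
}
```

Locking only keeps these pages out of swap; copies made earlier along the input path (the tty and entropy buffers mentioned above) are outside what this buffer controls.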
For everything else, there is KWallet.
In Soviet Washington the swamp drains you.