Passwords Can Sit on Hard Disks for Years

CygnusXII writes ""As people spend more time on the web and hackers become more sophisticated, the dangers of storing personal information on computers are growing by the day, security experts say. There are some obvious safeguards, such as never allowing your computer to store your passwords. But even that is no guarantee of security." "

No Guarantee of Security?!?!

[Paulrothrock]

Run for the hills! There's no guarantee of security! Everyone stop using your computers right now!

Re:No Guarantee of Security?!?!

[harrkev]

Of course there is a guarantee...

Just buy a boatload of ram and disable virtual memory. Problem solved.

Of course, you could always use Knoppix or something similar whenever buying on-line. This would also solve the problem for the truly paranoid.

Re:No Guarantee of Security?!?!

[Lehk228]

Knoppix doesn't touch the hard drive at all, that is the whole point of a live CD, so no it doesn't use any swap

Re:No Guarantee of Security?!?!

[harrkev]

Actually, you only need to overwrite once to make it invisible to the computer over the IDE cable.

There ARE methods to get data off of a hard drive platter that has been overwritten only once, but this requires the hard drive to be removed from the computer and physicly disassembled, and is quite expensive.

Yikes!

[mogrinz]

I've got to stop using c:\windows as my password!

Hehe

[mgs1000]

It looks like some reporter just discovered the page file. :)

Re:Hehe

[Reziac]

That was my thought too...

Back in the Win3.1x era, when the typical swapfile was still small enough to peruse with a hex editor, I cruised through my permanent swapfile with LIST, just to see what was being dumped out of RAM. I found data in there that was identifiably over 3 years old. And therein, I also found some passwords archived -- as plaintext.

Not to mention logfiles; I have some that stretch back several years, and I'm sure I'm not alone.

So I don't find this exactly "news" either. Then again, I could turn this into a rant on the "expertise" of the typical tech journalist... (one of my PC maintenance clients is one. Regular exposure has given me a complete lack of respect for the breed.)

Re:Hehe

[Jokkey]

The article does go into a bit more detail than that... They use a program called TaintBochs (probably hacked from the open source emulater Bochs) to track sensitive data and find out where exactly it goes and how long it's there. This sounds to me like a nifty hack, and they're actually doing research to come up with quantitative results on how long data sticks around, instead of just saying, "Um, yeah, stuff gets swapped out."

Re:Hehe

[Reziac]

Nah, reinstalling is just a sign of incompetence at dealing with Windows. And I mean that seriously. On average it takes Win32 about 3 years of average-user neglect and outright abuse to get to the point where it's nonfunctional, and even then it's recoverable with simple maintenance procedures.

As a SOHO tech, my job is not just to get the machine working, but also to get it to the state the client expects it to be in -- with all his apps and data intact (whether he has a good backup or not). I've only had to reinstall Windows *once*, and that was due to AOL5 FUBAR'ing both DUN and the entire WinEx/IE setup -- on a system that had gone five years with a PEBKAC owner and ZERO maintenance. I find it is faster and easier to resurrect the system than to hope to find all the body parts (apps, data, passwords, settings, CD keys, etc, etc.) and reinstall them where someone else expects them to be.

Of course, this is why my clients won't let anyone else touch their PCs, either :)

My own everyday setups date back to 1998 (Win95), 2001 (Win98), 1999 (WinME -- hasn't crashed since Sept.99, and this is a test box!!), 2002 (XP Pro). Plus I have a couple part-time-use Win95 machines that date back to '95 and '96. And my Win16 setup (1994) was finally retired at 7 years old. All are original installs and all work their asses off. -- I hadn't looked in WFWG's swapfile in some time, but it's a safe bet that if I inspect the CD where it's archived, I'll find data in the perserved swapfile that is now over 10 years old.

Re:Hehe

[Mortoc]

The fact that a password can sit on a hard drive is really irrevelent. If someone has access to your hard drive, they might as well just set up a keylogger and wait till you access a bank account or something, that would be much easier than wading through hundreds of megabytes of swap. This security hole is almost completely irrevelent, the only time that I would worry about something like that is when throwing away a a computer (which should be recycled anyway). Someone interested enough could go through your trash, removed an old hard drive and start snooping around.

Re:Hehe

[operagost]

Too bad he didn't discover the setting in Windows XP that clears the pagefile on shutdown. Instead, he plays programmer and suggests that only a few measly lines of code will fix the problem; and no one will mind the huge performance hit because computers are so fast already.

Even if you aren't running Windows, other OSes like OS/2 will recreate a fresh pagefile on every boot.

Zero the data

[Lord+Grey]

One way to achieve this is for all data in RAM to be automatically turned into a string of zeros once it is finished with - something he [Tal Garfinkel] says could be done with just a few extra lines of code in application programs.

My company worked on a project a few years ago that required this very thing. It wasn't just passwords, though: The customer demanded that all data passing through the applications be wiped as soon as possible.

The project was written in C++. We started out using a custom string class that performed its own memory management (with zeroing the buffer on deallocation), but then promptly ran into problems with the STL. We wound up writing a memory allocator that also cleans up after itself. Those two solutions took care of the vast majority of the data leakage "problem" -- the only thing left was reinitializing stack variables within functions.

Perhaps the ultimate solution would be to encrypt data as it is entered, before it is saved into RAM, and arrange for programs that use it to decrypt it first.

The same customer actually requested this first. The problems associated with it were were terrible, especially in a multithreaded application. Plus, performance basically sucked. Wiping the data afterwards seemed to have the same end result, the performance was still good, and the customer was happy.

BTW, the memory allocator and string class both made their way into the company's downloadable core library (MIT license).

Re:Zero the data

[Lord+Grey]

Can you really be sure that the data is wiped? What if the memory is swapped to a page file or swap partition, later swapped back into memory and then you only erase what's in the RAM?

You can either lock the RAM page so it doesn't swap, or force the page to write back out to swap after zeroing. The former is far easier (unless you want to do a lot of painful coding) and, if I remember correctly, was what was done with the project I talked about. I don't think the page locking/unlocking made it into the downloadable library, though.

Safe passwords?

[belgar]

Computers not secure? What a relief all my passwords are on stickies stuck to my monitor. I'm set!

Well, we can always do like in MacGyver

[192939495969798999]

My favorite MacGyver episodes were the ones where he used fingerprinting dust to read the numbers on a keypad. Of course, anyone using the keypad for a password is only going to press the keys involved in the password.

The most dangerous thing to security is people. Why go routing around on a hard drive when you can just ask someone what the password is, and they'll probably tell you anyways?

Re:Well, we can always do like in MacGyver

[paiste404]

dont question the macgyver. this is the same man who once picked an electronic lock with half-full wine glasses and a canary. you will accept the macgyver and you'll like it.

Ultimate solution

[desplesda]

Let's just do a brain scan of everyone. I mean, you can forge fingerprints, voice prints, etc, but you can't beat a mind probe!

Untrue

[frs_rbl]

Passwords don't sit on hard disks. It's more like under mouse pads

talk about hacker sophistication...

P2P

It's amazing how easy it is to find people's password files shared on P2P apps like DirectConnect, Gnutella, etc. There's everything - Total Commander (FTP), WS FTP, mail clients, you just have to search for the proper file name.

Sir?

[The+Ultimate+Fartkno]

I'd really like to sell you my old computer since this is a yard sale and all, but I see that you're wearing a mask, carrying a saber, and have a black hat on that says "l33t h4x0r!" I can't help but think that you might somehow be up to some nefarious shenanigans!

of course, I've used the same password for years..

[rickthewizkid]

... and nobody's figured it out yet. I actually use several passwords, depending on the level of security. The "lowest" password, "password", is used for signing up to things like mailing lists, etc where there's little chance of me returning. The mid-level password, a pair of words with numbers in them, is used for mid-level security, such as my email, etc. The highest level password, a random collection of numbers, letters, and symbols, is used for the most secure information, such as my bank account, slashdot login and my pr0n encryption key.

Now if I could only remember the combination to my safe.....

Just my 46fctfj6&*23's worth....
-Rick the WizKid
(oooops...)

Mac OS X and Pastor

[andy55]

Ah, funny this story was posted--I just had to address this issue the other day. I run Mac OS X and I happened to be doing a fresh install, moving all my data over from an old HD. Before this, I had always stored my slew of account info in a text file in an obscure and unlabeled file (I know, I know--very careless of me--that's way I was ready to change my ways!).

Mac OS X's built-in "Keychain" services/util isn't streamlined for repeated user use, not to mention it doesn't have several auxiliary/free-form fields (that are also fully encrypted with the password field). After some research and trying a few of the freeware and shareware apps out there, I came across Pastor, a freeware, super-lightweight and user-friendly app that basically lets you maintain a catalog of username, pass, and about 6 auxiliary fields, stored in an encrypted file (when you go to open a file, it prompts you for the password and decodes it on the fly). If for some reason you don't dig this particular app, there's a couple others like it as well with increasingly levels of features (I happen to prefer lightweight).

So I went w/ this model and it's had great payoffs--when I need a particular login, I click on an alias to my main password (Pastor) file, enter the file's password to decrypt it, look for what I need (it alphabetizes), and I'm all set--meanwhile, there's absolutely no risk of security--I love it.

Self-Expiring Password Hardware

[Nuclear+Elephant]

Store all your passwords on a burned CD, that way they'll have a shelf-life of 3-5 years tops.

Repairs

[pubjames]

One thing that worries me is sending machines away to get repaired.

I have a Sony Vaio laptop which I had to send to be repaired. I phoned the support number to tell them I was going to take the hard disc out before sending it. They said that if I did I would be charged for a new hard disc (at a hugely inflated price) and they wouldn't repair it without one.

I once sent a PC for repair and the teenage dork who repaired it actually said I had some great games on my machine and that he had played them. In another case in the UK, some padeophile was caught (was it Garry Glitter?) when he sent his PC in for repair. Now, I'm all for catching kiddie fiddlers, but that is not the way to do it.

I don't want the repair staff looking through the stuff on my hard disc. There should be a standard industry guarantee that this won't happen, or a privacy law about it or something.

Re:Repairs

[Woy]

I have a computer services company, and a client of ours, a lawyer, never ever lets his computer out of his office. All repairs, no matter what, are done in his office, under his scrutiny. He has no problems paying for it, he says he is required by law (we are in Spain) to be sure that his clients' data is safe at all times. There just isn't another option.

Encrypt your disk

[PSUspud]

When I read the headline, I was alarmed. But
then I read the article, and all my worries went away.
I encrypt my swap partition, and that fixes the problem.

It's not hard, and since it's swap (i.e., data
you don't need for very long), you don't even need
to remember a password (your computer uses a random
one every time is sets up the swap). Really, it's
pretty easy -- see the HOWTO at http://www.tldp.org/HOWTO/Disk-Encryption-HOWTO/
and keep your goatsex links and pictures confidential.

Find them using Kazaa

[Drunken_Jackass]

You'd be amazed what you can find on Kazaa when you search for documents with password or resume or account as the keyword. People don't realize that you don't need to be a hacker to break into your machine - just someone with access to the folder you share on and P2P network...which, if it happens to be your My Documents folder....look out.

OpenBSD

[GlobalEcho]

OpenBSD encrypts the swap space by default, specifically to avoid these problems. I would hazard a guess somebody has hacked Linux to do the same, but I haven't seen it.

Of course, if you have so much RAM that you never swap, this is less of an issue.

Protective measures

[Woogiemonger]

Some basic tips that not enough people know, in no particular order:

1. Make sure you have a firewall configured to allow incoming connections from only ports you need open. You might be able to do just fine with no incoming connections allowed at all.
2. Have an updated virus checker.. Norton or Mcafee. By updated, I mean having it auto-update for you. Have it check every file accessed on media accessed by the computer, and email. At the very least, all the incoming media and email should be scanned on the fly, but outgoing is a good idea too.
3. Use Spybot or Ad Aware at least once a month to scan for spyware. Also keep these updated. I forget if they auto-update, but just be sure it checks for updates before you run them.
4. Only use credit cards that keep you free of liability for any fraud.
5. Buy a separate unnetworked little organizer with a keyboard to store hints to remember your passwords. Don't store the actual password.
6. Cancel credit cards you don't use.
7. Photocopy the backs and fronts of all the credit/debit cards you use and whatever else you keep in your wallet. Write in the customer service phone numbers if they're not clear.
8. Have Windows auto-update and auto-install all critical patches, or keep your Linux distro updated.
9. Don't open email attachments that you have no reason to trust, and certainly not until you have antivirus software checking incoming emails.

Re:Protective measures

[evilviper]

4. Only use credit cards that keep you free of liability for any fraud.

Despite the FUD TV ads the credit-card companies want you to believe, THERE ARE NO OTHER KINDS OF CREDIT CARDS IN THE USA. It is federal law that you cannot be held liable for unauthorized charges on your credit card. Actually, I believe you may be required to pay up to $50, but that is really a trivial ammount.

So, don't believe the hype.

Eraser will help

[stecoop]

Go download Eraser. It will erase empty space and swap files using DoD mil quality and even higher. It will erase empty space on your drive while you sleeping swiping it clean of bits 32 times over. On shutdown it will erase the swap file with the same quality. You can also get the source code and make it better if you want.

I have mine run once a week. I'm more concerned of my hard drive failing having to returning it under warranty and someone else receiving that drive they could then retrieve my data.

Rubbish!

[arvindn]

Article says:

Operating systems such as Windows and Linux have no facility for stopping data being written to the hard drive.

That's a flat out lie.

$ man mlock

MLOCK(2) Linux Programmer's Manual MLOCK(2)

NAME

mlock - disable paging for some parts of memory

SYNOPSIS

#include

int mlock(const void *addr, size_t len);

DESCRIPTION

mlock disables paging for the memory in the range starting at addr with length len bytes.

OpenSSH uses paging protection. It also zeroes out the password in memory. Immediately upon hashing it. I've seen the code.

Authors are at Stanford? Paper at USENIX? Can't believe this shit.

Re:Rubbish!

[evilviper]

Operating systems such as Windows and Linux have no facility for stopping data being written to the hard drive.

That's a flat out lie.

$ man mlock

And if I remember correctly, you need root access to use mlock(). Now then, how do you feel about running Mozilla/Firefox as root? Mozilla and any other applications you might possibly type a password into... GPG has the same issue: http://www.gnupg.org/documentation/faqs.html#q6.1



Meanwhile, for quite some time, OpenBSD has had the "swapencrypt" sysctl option, which causes everything swapped to disk to be encrypted with a random key that is stored only temporarily in RAM, never on disk... thereby taking away any possibility of getting usable data out of the swap partition.

For more info: click here.