Schneier On Un-Authentication
Trailrunner7 writes "Bruce Schneier writes on Threatpost.com: 'In computer security, a lot of effort is spent on the authentication problem. Whether it is passwords, secure tokens, secret questions, image mnemonics, or something else, engineers are continually coming up with more complicated — and hopefully more secure — ways for you to prove you are who you say you are over the Internet. This is important stuff, as anyone with an online bank account or remote corporate network knows. But a lot less thought and work have gone into the other end of the problem: how do you tell the system on the other end of the line that you are no longer there? How do you un-authenticate yourself? My home computer requires me to log out or turn my computer off when I want to un-authenticate. This works for me because I know enough to do it, but lots of people just leave their computer on and running when they walk away. As a result, many office computers are left logged in when people go to lunch, or when they go home for the night. This, obviously, is a security vulnerability.'"
A bank I did some consulting work for had a very effective cultural rule to force people to lock their machines when they left their desks: if you find an unlocked machine, pull up the email client and send a message to everyone: "today's my birthday, drinks on me after work!" (other NSFW messages left to the reader's imagination.)
Apparently, very few people left their machines unlocked more than once...
By disconnecting. Problem solved. Next story, please.
Ctrl+Alt+Del -> K on Windows, and Ctrl+Alt+L on Ubuntu. That's all. A lot of offices also have Windows security policies set to lock the screen after 5 minutes idle.
User education. It won't go away, you always need to do it, and for most users, you have to do it multiple times. Proximity systems may help, but...
For the record, on a winders machine, window-L. Two keystrokes, you're done. Well, mostly, but that'll keep most people out.
Just set it to have password protected screen saver.
This works for me because I know enough to do it, but lots of people just leave their computer on and running when they walk away. As a result, many office computers are left logged in when people go to lunch, or when they go home for the night. This, obviously, is a security vulnerability.
Sounds like lazy IT PHBs. At my company you're required to have a password-protected screen saver that kicks in after fifteen minutes, with policies set up so that you're automatically logged off an hour after your quitting time.
... that would detect if the logged-in user is around would probably solve the problem. Automatic locking of the screen is a nightmare if you have other things to do (phone etc.) but in case you need the computer immediately.
In organisations where data is sensitive they use smartcards.
If you make the same smartcard open the doors to the building then you ensure that nobody will leave it in their PC while they go out for a break.
When people at the office leave their systems unlocked we see a teachable moment. Choose from any number of good techniques and have some fun. Some good ones include changing the keyboard layout, installing keyloggers, switching their homepage to something horribly inappropriate, impersonating them on IM. Interestingly enough, most people learn fast after that.
Designing systems for usability is hard, especially when security is involved.
Meh.. I was hoping for some deeper insights than that.
Back before ease of use eclipsed security, I once encountered a military system where the access terminal was surrounded by a small fence. Opening the gate in the fence forced an immediate logout.
Nobody would tolerate that today. Except, maybe, for an ATM.
If you really do need to do this kind of thing (I suppose people sometimes do have legitimate requirements to wire large amounts of money to offshore accounts), it's not a big hassle to log in again.
Windows 95/98/ME had a built-in solution to this problem, but MS removed it in Win 2K and newer. They simply had the machine crash every 2 hours. Heavy handed, sure, but it worked.
While yes, there are technical measures that you can put in place to automatically lock screens and accounts and such after a predetermined time period, the best solution is a policy, and actual enforcement of that policy. Therein lies the problem in many organizations: enforcement is not being done consistently.
With technical controls, there is always that time frame. For example, idle accounts: usually 30 days from last login and then the account is automatically locked; well, a malicious user has 30 days in which to attempt access to that account. Same goes for screen locks: 15 min is a common default; well, you walk away and I have 15 min to make my way over and have fun with the account. You can reduce the amount of time, but that has other issues: users get annoyed at the screen locking while they are on the phone, or whatever, while they are at their desk, which results in crappy passwords.
With a policy, and enforcement behind it, accounts can be removed, and users will lock their screens (hopefully) in a timely manner.
Or rather the locking option of xscreensaver has worked very well for years for me. You just need to make it a habit.
Otherwise logging out has been solved for half a century now, just use a reasonably security aware OS.
As early as the mid-90s the command-line Unix clients for AFS had a command to flush your credentials.
Students where I went to school were encouraged to flush unnecessary credentials or log off.
These were network credentials, not local ones.
In my office an unlocked computer is fair game for harmless pranks that have become known simply as pwning.
Nothing too nasty happens as the shame is in having been pwnd, not in the severity of damage inflicted.
There, my computer just announced "it's one thirty" in a robot voice. Nice. Thanks a lot, guys.
At least it does on my compu[BSOD graphic goes here]
You make the client system re-authenticate after a configurable amount of time, and that authentication comes via central storage of authentication passwords/tokens. For example, Keychain.
My laptop is set up with SSHKeychain, and it has options for locking my Keychain. If I activate the screensaver and don't come back within 3 minutes or so, it locks the keychain, and any program that wants to use a stored password triggers a password authentication dialog box for the system keychain password.
This puts the power of security in the hands of the user or organization. Computer at home, no roommates? Probably not an issue to lock your keychain any time except when you shut down your computer. Work in a cube? After 5-10 minutes of inactivity or whenever you lock your screensaver.
Just force all machines to have password-protected screen savers. You can enforce that at an enterprise level so users can't disable it.
Much kinder than public humiliation, and safer too since it doesn't rely on someone else noticing.
Catch a coworker with their screen unlocked, get a small bonus.
Get caught that way more than x number of times, get fired. The pink slip is the most effective LART, when it's feasible to use it.
Oh, and make it easy. On KDE, ctrl+alt+l locks my screen. Logging out isn't much harder (win+backspace, then alt+l), but it's not significantly more secure, and it is less convenient (I have to close everything, and I have to watch the logout process to make sure it completes -- lock screen is instantaneous).
So I can remember to log out or lock the screen as much as the other, but I keep my phone in my pocket at work so using Bluetooth is quite handy for me. I lowered the sensitivity so a few steps from my desk and instant screen lock. Keeps other employees from abusing my IRC client when I'm close but not paying attention. http://blueproximity.sourceforge.net/ Have not seen this for Windows but who cares, we use Linux at work.
Some places use smartcards, the card must be in the slot or it locks your screen... The same card is also used to open the doors so if you leave the room without taking the card then you can't get back in. Most people had the card attached to their belt or similar.
Another idea is to track the location of your phone using bluetooth (10 meters range), if you walk too far away it loses signal and locks the screen.
I spent three years as the sysadmin for a high school with about 150 faculty. Thanks to teachers' unions going too far, it's practically illegal to fire [or even evaluate the performance of] a tenured public school teacher, even if they flat out refuse to do their job. Needless to say, I was dealing with a pretty big group of spoiled brats who cared nothing about security or confidentiality, which includes blabbing students' online grade retrieval passwords over the phone to any caller claiming to be a parent.
I set the screen lockout timer to 60 minutes, which was enough for a teacher to display an exam on a video projector and have it show through an entire 50-minute class. This sounds like a long time, but before I started working there, teachers would stay logged on and unlocked all summer.
Needless to say, there was one teacher who was _furious_ about the 60-minute lockout. She was furious at the fact that, every morning, she had to press Ctrl+Alt+Del and type her password; a whole 10 or so keystrokes. She went to an assistant principal and threatened to go to the district's IS chief.
When the assistant principal asked me if there was a way to make the group policy apply to everyone except her, I lied and said no. Anyone who knows Group Policy knows that you can scope a GPO to not apply to one user, but if I had admitted that I could do that, I'd be forced to, district security policy be damned.
One other system used more prevalently is the simple locking screen saver. The idea is only the user, and sysadmin have the password to unlock the screen, and access through the system is prohibited until the screen saver password is entered. I'm not a fan of this, as generally screen-saver passwords are more often assigned by the users themselves, and so are easier to guess than the back-end passwords which on occasion are set by the site, or by the sysadmin in the case of accessing corporate systems via corporate policy.
Now a minor, but important distinction. This isn't "un-authentication"; this is de-authorizing the computer from which you're logged in from accessing the place you're logged in to. You want to "authenticate a de-authorization", that is, verify that you are the person removing access privileges. If the system doesn't require authentication to de-authorize access, then a denial of service attack is made (somewhat) trivial, and if more thought process went into understanding the difference I think more places would realize how serious the solution needs to be.
I like the RFID card cars that detect when the user is nearby and unlock. The car starts with a button when the RFID is nearby to make things even easier. Of course it has to be a secure challenge-answer style system like SIM cards or it is just as bad as those enhanced ID things.
Our Group Policy is set to auto-lock the system after 15 minutes of non-use. Everyone gets it, almost no exceptions.
If you have an Android-based phone, Vista supports user-initiated remote crashing with a third-party tool.
Salling Clicker is an app that will auto lock when it loses the Bluetooth signal from a device like your phone. Instant auto lock when you walk off as long as your phone is on you.
It can also unlock when you return, but that's obviously dangerous in a few different ways since it effectively makes your Bluetooth device a token for authentication and that is easy enough to clone off.
http://www.salling.com/clicker/
The problem is you have to have it installed and your phone/device must be paired. This is acceptable for machines you use all the time, but doesn't really help at a kiosk or any other machine you're going to use once in a while.
For Unix there is the simple solution of just using one of the auto-logoff daemons to kick you off after some idle time to cover when you forget to do so yourself. Of course, any sort of acceptable idle time that isn't annoyingly short is also long enough to be dangerous as hell.
Our PHB ITs went very tight on network security. (haha) Users have to authenticate with the firewall every 12 hours. They originally wanted 8 hours. We pointed out that the main users (R&D) would work 10-12 hours a day. Everyone else is on a different network. It slows down starting up a windoze PC every morning by about 10-20 minutes, as many taskbar apps automatically start up and check the network for updates. We have removed auto-connecting network disks and moved them to a script, started manually after authentication. How much does this cost in productivity?
Screens savers automatically lock at predetermined 15 minutes.
If you have an Android-based phone, Vista supports user-initiated remote crashing with a third-party tool.
That Microsoft, always thinking ahead and innovating the features users really want! You don't see Linux with that feature! I hope Microsoft patents the hell out of that so no one else can use it.
Microsoft, we innovate the HELL outta your ass! :)
I don't know, but that's pretty obvious, isn't it?
The last time, Bruce Schneier found out that Google Desktop Search may index files of your hidden TrueCrypt partition if you let the daemon index it.
Nothing against Bruce, but I think there are more important things to investigate than this stuff...
I'm less interested in being de-authenticated from my web logins. I'm much more interested in finding a way to deauthenticate website security certificates. When a malicious website obtains a security certificate, how do you remove it?
I usually just pull the plug on the powercord of my PC to 'un-authenticate'...
I run "brightside" to enable hot corner actions in X.
http://lifehacker.com/263508/add-screen-actions-with-brightside
So throwing the mouse onto one corner of the screen locks X and puts on a pretty screensaver, another corner puts the display on standby, and one corner disables the screensaver for when I'm watching movies or slideshows or something like that.
At some point, I recompiled brightside to use xscreensaver-command instead of gnome-screensaver-command, but I eventually gave up on that.
I also use xbindkeys + xbindkeys-config to configure some of the extra keys on my multimedia keyboard to do things like that too.
The standard *nix command to tell your computer (and the rest of the world) that you are no longer you is kill. Your body could be more or less the same, but you are not there anymore. If you refuse to die, the superuser, superhero, or even the government could make sure that you are effectively dead.
I didn't think much of it before; use a timeout, and there you have it. However, I can see the challenge being posed here: the only immediately obvious solution to determining whether a person's there or not is by timing inactivity. As mentioned in the article, determining an "inactive threshold" requires quite a bit of fine tuning and knowledge of usability with the obvious risk of malicious adversaries having access to that open channel for the amount of time the channel is open.
First thing I could think of, at least for laptop users with integrated cameras, is using light mapping to determine whether the computer user is physically there or not. Facial biometrics could be applied, but I think that would be way too computationally intensive (b/c if the face moves even a slight bit, the hash would need to be completely recalculated. Wouldn't it be harsh if we had to check our account balances completely frozen!). However, I'm sure there is some research out there that shows what an average light (luminance) distribution should look like without the person actually being there. Of course, this is flawed, since it only works with laptops that have integrated cameras and cannot distinguish one person from another.
Then, I thought a few other things, and realized that any other somewhat obvious solution probably involves gathering the user's current location and measuring displacement between the user and computer somehow. These would raise great challenges regarding user privacy, though I think that people are becoming much more complacent with privacy violations for security enhancements and/or personal leisure a la Google and Facebook (myself included).
At work I just have it set up in group policy so everyone's PC goes to screensaver after 15 minutes with password protect on return.
Any time someone left a machine unlocked in the MC we would pounce on it. It would take less than 2 minutes to get emails out to the appropriate members of the chain of command to volunteer the Marine for every shit duty we could find (and swap his or her desktop background screen saver to something highly entertaining or inappropriate).
Is it possible to lock a machine in bash, for example? Could I run `$cmdThatWillTakeAWhileToComplete &` and then `$lockCmd`?
Like cattle. Then you could really be accounted for. No problemo.
It's the old issue of "polling" vs automatic "interrupts". In this case, the polling solution would appear to have less impact on personal privacy. Anything that could generate an "interrupt" when you moved away from your computer could just as well track you as you moved elsewhere. As I said, cattle tags.
I think I'd rather put up with the minor annoyance of having my systems periodically time out on me.
Hi this guy left his computer unlocked and on slashdot! stupid haha!!
After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
It is great that systems are being created in order to ensure user security; however, privacy protection can only go so far. It is the responsibility of the user to log off when leaving a computer unattended in an environment that poses the risk of a possible security breach.
1. Target needs to be authenticated to the user. This should require some positive action, as opposed to relying on certificates which are mostly ignored and whose provenance is not as strongly assured as was initially advertised.
2. Customer needs to authenticate to the target. Passwords are not enough since humans can remember approximately 1 password only, and only if they use it constantly. The authentication should change and replays should be rejected.
3. Customer must affirm details of the transaction before it is committed. This too must use some method that is changeable and disallows playback.
Ideally a transaction will have all these elements in one idempotent package, the way for example a check might if the signature were a better biometric than it is and if the signature were checked always. That is however technically awkward on a net, so the 3 elements listed may need to be separately done. Omitting any of the elements allows different classes of attacks. If all the elements are present and tied together, attacks become very hard. Also, note, step 3 makes it largely irrelevant whether the customer is declared not-present afterwards or not. It serves also to terminate the transaction. Whether another transaction is begun or not is for the most part immaterial. (A method I have advocated to accomplish these would allow several transactions to be tied together if desired, in one session, but there would always be a "signature" or "affirmation" step for each, even if the initial authentication steps were recent enough to continue to use them.)
This needs hardware. However it can be done very cheaply; the hardware needed can in quantity be had for perhaps $3 a copy, possibly less, even as electronics. Paper approximations could be far cheaper still.
Absolutely agreed.
And, in my thirty years working in the industry, I've observed that most organizations either have no security policy or have a rather tenuous linkage between the policy and its implementation.
Here's one example. On the first day at one of the smarter places I worked, I came back from a washroom break to find my screen locked with a cutesy warning from the manager of another group (in other words, not in my chain of command). I asked him why he felt that it was his business to tamper with my operations. He condescendingly explained his views on the matter. Fine, I said, are these your personal views or is there some kind of policy or guideline that you'd like me to know about? It turns out there was neither, and no training nor orientation for new staff, a lot of system capabilities that were left wide open, and very diverse practices among the seasoned staff.
The problem I have with situations like that is that they are profoundly irresponsible. It's one thing to have a computing environment that is basically adrift in terms of security. That's fine, if the organization determines that it's not a concern, and takes responsibility for the consequences. But to download that responsibility onto people who have literally just walked in the door is not only unethical, it's doomed to fail.
If only Timothy Leary listened to Schneier!
They brought back the feature in Vista
Most people I know take their mobile phone with them when they leave their desks, so why not use a Bluetooth app (like this one) to lock the screen once your phone is out of range.
A dead man's switch. If it's good enough for the Soviet nuclear arsenal, it's good enough for a PC.
Lock session.
...here's another post on it.
Winkey + L
This problem is a non-issue and has been for years. Every Windows, Mac and Linux desktop I have had the pleasure of administering over the last 10 years had an automatic computer lock after x minutes of non-use. It is easy to set up for both enterprise and home users. The idea that this password is "set by the end user and less secure" is just plain silly as it *should* just use the credentials of the logged in user. If this is in the enterprise, it will follow whatever the password policy is corporate wide. If this is an end user, they need to make a secure password, which is their responsibility if they care about safe computing.
For web resources, require re-authentication (the idea that re-authorization plays any part in this scenario is making it needlessly more complicated) after x amount of time. All web frameworks have a built in time out for this reason. You actually have to go out of your way to write something that doesn't automatically time out after a period of time.
To put this bluntly, if you're having a problem with this sort of issue.....you're doing it wrong.
Is there one for xscreensaver? I know in KDE v3.5.10, I can lock my key but that doesn't run xscreensaver (only blank my screen and uses KDE's login). :(
Is it just me or does anyone else get the feeling that Schneier is tapped out of ideas so he sits around and finds the most obvious/minute things to write about. Honestly, who here deals in security and does not advise their users to ctrl+alt+del before they walk away?
Does this mean that ubuntu is going to 'lead the way' and force all their new desktop installs to auto-lock after 5 minutes, because making a headline ("We are better than everyone else because we once read this article on /. ...") is much more important than improving a product.
While it's all good and well to have "hilarious" suggestions which run the idea of forcing behaviour into people, one way or another, we're totally off the mark.
While I will be using a Windows scenario, I'm pretty much expecting *nix versions as well.... if they do not exist surely someone is already working on this.
smart card readers + certificate services = win.
As part of your Windows 2003 and 2008 MCSA (thus MCSE also includes this) you need to understand certificate services and how you can use smart cards to logon.
An example that I have seen is as follows:
- user has smart card on retractable, attached to themselves.
- user inserts smart card, and is prompted for a 4 digit PIN number
- user puts in PIN number, and they are now logged in.
- when they pull the card out, the workstation automatically locks
- policy states cards must be on staff at all times (quite common in most governments and enterprises)
Now this setup isn't hard coded and you can configure the policies to perform different actions on different events (e.g. logoff when the card is pulled).
While I recognise that you need a reader on every computer, in this day and age it's quite easy to negotiate a built-in reader with your next SOE/MOE rollout. In addition you require at the least 2 additional servers (one Root CA and one Intermediate CA) but with virtualisation and the fact that one of those servers is permanently turned off, it's not that big of a deal.
I am unaware of what the administration is like and at what level it becomes economical, but the bottom line is that if you have the processing power to crunch the certificate services overhead, you can do this.
Next from Schneier,
SKY IS BLUE!
In a kerberized environment, kdestroy (or click on the "Remove Credentials Cache" option on the krb5-auth-dialog applet) is enough to ensure that all your access will not work until you re-authenticate. Remote shell sessions, web sites, email etc.
Now, if KDE had an option to kdestroy on screen saver lock, and if it correctly got tickets on unlock, it would be a lot more usable. /me logs some bugs ...
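A small script, added here and not from any commenter, that does what this comment asks for outside KDE: it watches xscreensaver's event stream and runs kdestroy on LOCK, and it also gives the lock command asked about earlier in the thread. It assumes xscreensaver-command, kdestroy and klist are on PATH; the event words (LOCK, UNBLANK, BLANK) are the ones `xscreensaver-command -watch` prints.

```shell
#!/bin/sh
# Tie Kerberos credential destruction to the xscreensaver lock event.
# Assumes xscreensaver-command (from xscreensaver) and kdestroy/klist
# (MIT Kerberos) are installed; nothing here comes from the thread itself.

# Map one line of `xscreensaver-command -watch` output to the action to run.
# Lines look like "LOCK Tue Oct 20 12:00:00 2009"; only the first word
# matters. The function only prints the action name, so the mapping can be
# checked without touching a real credential cache.
action_for_event() {
    event=${1%% *}                            # first word of the line
    case "$event" in
        LOCK)    echo "kdestroy" ;;           # screen locked: drop all tickets
        UNBLANK) echo "remind_if_no_ticket" ;; # back at the desk: check cache
        *)       echo "" ;;                   # BLANK, RUN etc.: nothing to do
    esac
}

# klist -s exits non-zero when the cache holds no valid ticket. Re-acquiring
# one needs a password prompt, so leave that to kinit or krb5-auth-dialog
# and just tell the user.
remind_if_no_ticket() {
    if ! klist -s 2>/dev/null; then
        printf '%s\n' "No Kerberos ticket: run kinit (or krb5-auth-dialog) before network access." >&2
    fi
}

# Lock immediately; bind this to a key. xscreensaver must already be running.
lock_now() {
    xscreensaver-command -lock
}

# Long-running loop: act on every lock/unblank event as it arrives.
watch_screensaver() {
    xscreensaver-command -watch | while IFS= read -r line; do
        cmd=$(action_for_event "$line")
        [ -n "$cmd" ] && "$cmd"
    done
}

# Start from your X session startup as `./kdestroy-on-lock.sh watch`.
if [ "${1:-}" = "watch" ]; then
    watch_screensaver
fi
```

The script only destroys tickets on LOCK, not on plain BLANK, so a brief screen blank while you are still at the desk does not cost you a kinit.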
Pressure sensor on the chair hooked to the computer using bluetooth or something.
Wasn't their solution for 95/98/ME not to authenticate in the first place? I seem to remember just clicking "Cancel" on the login prompt let you into the computer.
Right, that's when it crashed. :)