Schneier On Un-Authentication
Trailrunner7 writes "Bruce Schneier writes on Threatpost.com: 'In computer security, a lot of effort is spent on the authentication problem. Whether it is passwords, secure tokens, secret questions, image mnemonics, or something else, engineers are continually coming up with more complicated — and hopefully more secure — ways for you to prove you are who you say you are over the Internet. This is important stuff, as anyone with an online bank account or remote corporate network knows. But a lot less thought and work have gone into the other end of the problem: how do you tell the system on the other end of the line that you are no longer there? How do you un-authenticate yourself? My home computer requires me to log out or turn my computer off when I want to un-authenticate. This works for me because I know enough to do it, but lots of people just leave their computer on and running when they walk away. As a result, many office computers are left logged in when people go to lunch, or when they go home for the night. This, obviously, is a security vulnerability.'"
A bank I did some consulting work for had a very effective cultural rule to force people to lock their machines when they left their desks: if you find an unlocked machine, pull up the email client and send a message to everyone: "today's my birthday, drinks on me after work!" (other NSFW messages left to the readers imagination.)
Apparently, very few people left their machines unlocked more than once...
By disconnecting. Problem solved. Next story, please.
ctrl + alt + del -> k on windows, and ctrl + alt + l on ubuntu. that's all. a lot of offices also have windows security policies set to lock the screen after 5 minutes idle.
User education. It won't go away, you always need to do it, and for most users, you have to do it multiple times. Proximity systems may help, but...
For the record, on a winders machine, window-L. Two keystrokes, you're done. Well, mostly, but that'll keep most people out.
stored on computers from birth to the grave
This works for me because I know enough to do it, but lots of people just leave their computer on and running when they walk away. As a result, many office computers are left logged in when people go to lunch, or when they go home for the night. This, obviously, is a security vulnerability.
Sounds like lazy IT PHBs. At my company you're required to have a password-protected screen saver that kicks in after fifteen minutes, with policies set up so that you're automatically logged off an hour after your quitting time.
Free Martian Whores!
... that would detect if the logged in user is around would probably solve the problem. Automatic locking of the screen is a nightmare if you have other things to do (phone etc.) but in case you need the computer immediately.
CC.
TaijiQuan (Huang, 5 loosenings)
In organisations where data is sensitive they use smartcards.
If you make the same smartcard open the doors to the building then you ensure that nobody will leave it in their PC while they go out for a break.
When people at the office leave their systems unlocked we see a teachable moment. Choose from any number of good techniques and have some fun. Some good ones include changing the keyboard layout, installing keyloggers, switching their homepage to something horribly inappropriate, impersonating them on IM. Interestingly enough, most people learn fast after that.
Designing systems for usability is hard, especially when security is involved.
Meh.. I was hoping for some deeper insights than that.
I've lost all my marbles except one & It's fun to test angular & centripetal acceleration in my skull
Back before ease of use eclipsed security, I once encountered a military system where the access terminal was surrounded by a small fence. Opening the gate in the fence forced an immediate logout.
Nobody would tolerate that today. Except, maybe, for an ATM.
If you really do need to do this kind of thing (I suppose people sometimes do have legitimate requirements to wire large amounts of money to offshore accounts), it's not a big hassle to log in again.
http://www.geoffreylandis.com
Windows 95/98/ME had a built-in solution to this problem, but MS removed it in the Win 2K and newer. They simply had the machine crash every 2 hours. Heavy handed, sure, but it worked.
While yes, there are technical measures that you can put in place to automatically lock screens and accounts and such after a predetermined time period, the best solution is a policy, and actual enforcement of that policy. Therein lies the problem in many organizations: enforcement is not being done consistently.
With technical controls, there is always that time frame. For example, idle accounts: usually 30 days from last login and then the account is automatically locked; well, a malicious user has 30 days in which to attempt access to that account. Same goes for screen locks: 15 min is a common default; well, you walk away and I have 15 min to make my way over and have fun with the account. You can reduce the amount of time, but that has other issues: users get annoyed at the screen locking while they are on the phone, or whatever, while they are at their desk, which results in crappy passwords.
With a policy, and enforcement behind it, accounts can be removed, users will lock their screens (hopefully) within a timely manner.
I came, I conquered, I coredumped
Or rather the locking option of xscreensaver has worked very well for years for me. You just need to make it a habit.
Otherwise logging out has been solved for half a century now, just use a reasonably security aware OS.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
What is this "paper" of which you speak?
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
In my office an unlocked computer is fair game for harmless pranks that have become known simply as pwning.
Nothing too nasty happens as the shame is in having been pwnd, not in the severity of damage inflicted.
There, my computer just announced "it's one thirty" in a robot voice. Nice. Thanks a lot, guys.
At least it does on my compu[BSOD graphic goes here]
You make the client system re-authenticate after a configurable amount of time, and that authentication comes via central storage of authentication passwords/tokens. For example, Keychain.
My laptop is set up with SSHKeychain, and it has options for locking my Keychain. If I activate the screensaver and don't come back within 3 minutes or so, it locks the keychain, and any program that wants to use a stored password triggers a password authentication dialog box for the system keychain password.
This puts the power of security in the hands of the user or organization. Computer at home, no roommates? Probably not an issue to lock your keychain any time except when you shut down your computer. Work in a cube? After 5-10 minutes of inactivity or whenever you lock your screensaver.
Catch a coworker with their screen unlocked, get a small bonus.
Get caught that way more than x number of times, get fired. The pink slip is the most effective LART, when it's feasible to use it.
Oh, and make it easy. On KDE, ctrl+alt+l locks my screen. Logging out isn't much harder (win+backspace, then alt+l), but it's not significantly more secure, and it is less convenient (I have to close everything, and I have to watch the logout process to make sure it completes -- lock screen is instantaneous).
Don't thank God, thank a doctor!
So I can remember to logout or lock the screen as much as the other, but I keep my phone in my pocket at work so using bluetooth is quite handy for me. I lowered the sensitivity so a few steps from my desk and instant screen lock. Keeps other employees from abusing my irc client when I'm close but not paying attention. http://blueproximity.sourceforge.net/ Have not seen this for windows but who cares, we use linux at work.
Some places use smartcards, the card must be in the slot or it locks your screen... The same card is also used to open the doors so if you leave the room without taking the card then you can't get back in. Most people had the card attached to their belt or similar.
Another idea is to track the location of your phone using bluetooth (10 meters range), if you walk too far away it loses signal and locks the screen.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
One other system used more prevalently is the simple locking screen saver. The idea is only the user, and sysadmin have the password to unlock the screen, and access through the system is prohibited until the screen saver password is entered. I'm not a fan of this, as generally screen-saver passwords are more-often assigned by the users themselves, and so are easier to guess than the back-end passwords which on occasion are set by the site, or by the sysadmin in the case of accessing corporate systems via corporate-policy. Now a minor, but important distinction. This isn't "un-authentication" this is de-authorizing the computer from which you're logged in accessing the place you're logged in to. You want to "authenticate a de-authorization" that is verify that you are the person removing access privileges. If the system doesn't require authentication to de-authorize access, then a denial of service attack is made (somewhat) trivial, and if more thought process went into understanding the difference I think more places would realize how serious the solution needs to be.
"The wall between art and engineering exists only in our minds." -- Theo Jansen
I like the RFID card cars that detect when the user is nearby and unlock. The car starts with a button when the RFID is nearby to make things even easier. Of course it has to be a secure challenge/answer style system like SIM cards or it is just as bad as those enhanced ID things.
Our Group Policy is set to auto-lock the system after 15 minutes of non-use. Everyone gets it, almost no exceptions.
Bring the hammer!
If you have an Android-based phone, Vista supports user-initiated remote crashing with a third-party tool.
Salling Clicker is an app that will auto lock when it loses the Bluetooth signal from a device like your phone. Instant auto lock when you walk off as long as your phone is on you.
It can also unlock when you return, but that's obviously dangerous in a few different ways since it effectively makes your bluetooth device a token for authentication and that is easy enough to clone off.
http://www.salling.com/clicker/
The problem is you have to have it installed and your phone/device must be paired. This is acceptable for machines you use all the time, but doesn't really help at a kiosk or any other machine you're going to use once in a while.
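The proximity-lock idea from the BlueProximity and Salling Clicker comments above, as an added example that is not any commenter's code nor part of either tool: the phone's RSSI is polled, the screen locks only after several consecutive out-of-range polls (the "lowered sensitivity" a commenter mentions, so one dropped sample does not lock), and nothing ever auto-unlocks, because a Bluetooth address is a locatable token rather than a credential. It assumes BlueZ `hcitool` plus `loginctl` or `xdg-screensaver`; the phone address is a placeholder.

```shell
#!/bin/sh
# Added example: debounced Bluetooth proximity lock. Not from any commenter,
# BlueProximity or Salling Clicker. Assumes hcitool (BlueZ) and either
# loginctl or xdg-screensaver are installed.

PHONE_ADDR="${PHONE_ADDR:-00:11:22:33:44:55}"   # placeholder; set to your phone
RSSI_FLOOR=-10     # hcitool rssi reports about 0 nearby, more negative farther away
MISSES_TO_LOCK=3   # "lowered sensitivity": several bad polls, not one dropped sample
POLL_SECONDS=2

# Print one RSSI sample as an integer, or "none" if the phone is unreachable.
sample_rssi() {
    out=$(hcitool rssi "$PHONE_ADDR" 2>/dev/null) || { echo none; return 0; }
    printf '%s\n' "$out" \
        | sed -n 's/.*RSSI return value: *\(-\{0,1\}[0-9]\{1,\}\).*/\1/p' \
        | grep . || echo none
}

# Classify one sample: return 0 when the phone counts as out of range (a miss).
is_miss() {
    case "$1" in
        none|''|-)  return 0 ;;
        *[!0-9-]*)  return 0 ;;   # anything non-numeric from the tool is a miss
    esac
    [ "$1" -lt "$RSSI_FLOOR" ]
}

# Read samples from stdin, one per line. Print the 1-based index of the sample
# that trips the lock and return 0, or return 1 if the stream ends without a
# lock. Any good sample resets the miss count, so a single dropped poll
# (a brief walk to the printer, a radio glitch) does not lock the screen.
lock_index() {
    misses=0
    n=0
    while IFS= read -r s; do
        n=$((n + 1))
        if is_miss "$s"; then
            misses=$((misses + 1))
        else
            misses=0
        fi
        if [ "$misses" -ge "$MISSES_TO_LOCK" ]; then
            echo "$n"
            return 0
        fi
    done
    return 1
}

lock_screen() {
    loginctl lock-session 2>/dev/null || xdg-screensaver lock
}

# Live loop: stream polls through the same debounce, lock when it trips, then
# re-arm. Coming back into range never unlocks; that needs the real password.
run_daemon() {
    while :; do
        if { while :; do sample_rssi; sleep "$POLL_SECONDS"; done; } \
            | lock_index >/dev/null; then
            lock_screen
        fi
        sleep "$POLL_SECONDS"
    done
}

[ "${1:-}" = "--daemon" ] && run_daemon
```

Run it with `--daemon` from a session startup script; tune `RSSI_FLOOR` and `MISSES_TO_LOCK` against your own desk since RSSI scales differ between adapters.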
For Unix there is the simple solution of just using one of the auto logoff daemons to kick you off after some idle time to cover when you forget to do so yourself. Of course, any sort of acceptable idle time that isn't annoyingly short is also long enough to be dangerous as hell.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Our PHB ITs went very tight on network security. (haha) Users have to authenticate with the firewall every 12 hours. They originally wanted 8 hours. We pointed out that the main users (R&D) would work 10-12 hours a day. Everyone else is on a different network. It slows down starting up a windoze PC every morning by about 10-20 minutes, as many taskbar apps automatically start up and check the network for updates. We have removed auto-connecting network disks and moved them to a script, started manually after authentication. How much does this cost in productivity?
Screen savers automatically lock after a predetermined 15 minutes.
Never trust a man wearing a coat and tie!
Using google to learn something is superior to using a dictionary. It should be your first choice. Only if google does not supply an acceptable answer (or if the answer you get proves you to be a fool who believes everything he reads online) should you consult dead trees.
If you have an Android-based phone, Vista supports user-initiated remote crashing with a third-party tool.
That Microsoft, always thinking ahead and innovating the features users really want! You don't see Linux with that feature! I hope Microsoft patents the hell out of that so no one else can use it.
Microsoft, we innovate the HELL outta your ass! :)
I'm less interested in being de-authenticated from my web logins. I'm much more interested in finding a way to deauthenticate website security certificates. When a malicious website obtains a security certificate, how do you remove it?
Write your representatives! Repeal the 2nd Law of Thermodynamics!
I run "brightside" to enable hot corner actions in X.
http://lifehacker.com/263508/add-screen-actions-with-brightside
So throwing the mouse onto one corner of the screen locks X and puts on a pretty screensaver, another corner puts the display on standby, and one corner disables the screensaver for when I'm watching movies or slideshows or something like that.
At some point, I recompiled brightside to use xscreensaver-command instead of gnome-screensaver-command, but I eventually gave up on that.
I also use xbindkeys + xbindkeys-config to configure some of the extra keys on my multimedia keyboard to do things like that too.
Really, you'll just have to nuke the authenticating partner from orbit. It's the only way to be sure...
The standard *nix command to tell your computer (and the rest of the world) that you are no longer you is kill. Your body could be more or less the same, but you are not there anymore. If you refuse to die, the superuser, superhero, or even the government could make sure that you are effectively dead.
I didn't think much of it before; use a timeout, and there you have it. However, I can see the challenge being posed here: the only immediately obvious solution to determining whether a person's there or not is by timing inactivity. As mentioned in the article, determining an "inactive threshold" requires quite a bit of fine tuning and knowledge of usability with the obvious risk of malicious adversaries having access to that open channel for the amount of time the channel is open.
First thing I could think of, at least for laptop users with integrated cameras, is using light mapping to determine whether the computer user is physically there or not. Facial biometrics could be applied, but I think that would be way too computationally intensive (b/c if the face moves even a slight bit, the hash would need to be completely recalculated. Wouldn't it be harsh if we had to check our account balances completely frozen!). However, I'm sure there is some research out there that shows what an average light (luminance) distribution should look like without the person actually being there. Of course, this is flawed, since it only works with laptops that have integrated cameras and cannot distinguish one person from another.
Then, I thought a few other things, and realized that any other somewhat obvious solution probably involves gathering the user's current location and measuring displacement between the user and computer somehow. These would raise great challenges regarding user privacy, though I think that people are becoming much more complacent with privacy violations for security enhancements and/or personal leisure a la Google and Facebook (myself included).
Any time someone left a machine unlocked in the MC we would pounce on it. It would take less than 2 minutes to get emails out to the appropriate members of the chain of command to volunteer the Marine for every shit duty we could find (and swap his or her desktop background screen saver to something highly entertaining or inappropriate).
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
Like cattle. Then you could really be accounted for. No problemo.
It's the old issue of "polling" vs automatic "interrupts". In this case, the polling solution would appear to have less impact on personal privacy. Anything that could generate an "interrupt" when you moved away from your computer could just as well track you as you moved elsewhere. As I said, cattle tags.
I think I'd rather put up with the minor annoyance of having my systems periodically time out on me.
Hi this guy left his computer unlocked and on slashdot! stupid haha!!
After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
It is great that systems are being created in order to ensure user security; however, privacy protection can only go so far. It is the responsibility of the user to log off when leaving a computer unattended in an environment that poses the risk of a possible security breach.
Absolutely agreed.
And, in my thirty years working in the industry, I've observed that most organizations either have no security policy or have a rather tenuous linkage between the policy and its implementation.
Here's one example. On the first day at one of the smarter places I worked, I came back from a washroom break to find my screen locked with a cutesy warning from the manager of another group (in other words, not in my chain of command). I asked him why he felt that it was his business to tamper with my operations. He condescendingly explained his views on the matter. Fine, I said, are these your personal views or is there some kind of policy or guideline that you'd like me to know about? It turns out there was neither, and no training nor orientation for new staff, a lot of system capabilities that were left wide open, and very diverse practices among the seasoned staff.
The problem I have with situations like that is that they are profoundly irresponsible. It's one thing to have a computing environment that is basically adrift in terms of security. That's fine, if the organization determines that it's not a concern, and takes responsibility for the consequences. But to download that responsibility onto people who have literally just walked in the door is not only unethical, it's doomed to fail.
Parity: What to do when the weekend comes.
Most people I know take their mobile phone with them when they leave their desks, so why not use a Bluetooth app (like this one) to lock the screen once your phone is out of range.
Need an ISP in South Africa?
A dead man's switch. If it's good enough for the Soviet nuclear arsenal, it's good enough for a PC.
I have no idea how to do it in bash, but you can easily lock a computer from the command line in Windows.
rundll32.exe user32.dll,LockWorkStation
Another one:
rundll32.exe shell32.dll,SHExitWindowsEx [0|1|2|4|8]
0: logoff, 1: shut down, 2: reboot, 4: forced shutdown, 8: powers down the machine
This would be a fun one to put in the Startup menu of someone who left their PC unlocked, actually... :D
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
This problem is a non-issue and has been for years. Every Windows, Mac and Linux desktop I have had the pleasure of administering over the last 10 years had an automatic computer lock after x minutes of non-use. It is easy to set up for both enterprise and home users. The idea that this password is "set by the end user and less secure" is just plain silly as it *should* just use the credentials of the logged in user. If this is in the enterprise, it will follow whatever the password policy is corporate wide. If this is an end user, they need to make a secure password, which is their responsibility if they care about safe computing.
For web resources, require re-authentication (the idea that re-authorization plays any part in this scenario is making it needlessly more complicated) after x amount of time. All web frameworks have a built in time out for this reason. You actually have to go out of your way to write something that doesn't automatically time out after a period of time.
To put this bluntly, if you're having a problem with this sort of issue.....you're doing it wrong.
Is there one for xscreensaver? I know in KDE v3.5.10, I can lock my key but that doesn't run xscreensaver (only blank my screen and uses KDE's login). :(
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Is it just me or does anyone else get the feeling that Schneier is tapped out of ideas so he sits around and finds the most obvious/minute things to write about. Honestly, who here deals in security and does not advise their users to ctrl+alt+del before they walk away?
You want vlock.
Give me Classic Slashdot or give me death!
Use screen.
Start screen
Run long running app
Ctrl-a then d to detach
ctrl-d to logout
Alternatively, just lock screen with ctrl-a x (I think it's x, I don't use it myself, only run into it by accident due to fat fingers occasionally.)
You could also do 'longrunningapp ; exit' before exiting screen as well to have your screen session go away at the end.
Or ...
nohup $cmdThatWillTakeAWhileToComplete & exit
In a kerberized environment, kdestroy (or click on the "Remove Credentials Cache" option on the krb5-auth-dialog applet) is enough to ensure that all your access will not work until you re-authenticate. Remote shell sessions, web sites, email etc.
Now, if KDE had an option to kdestroy on screen saver lock, and if it correctly got tickets on unlock, it would be a lot more usable. /me logs some bugs ...
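The "kdestroy on screen saver lock" hook the comment above wishes for, as an added example that is not the commenter's code nor part of KDE, xscreensaver or krb5-auth-dialog. It follows `xscreensaver-command -watch` (which prints one line per event: BLANK, LOCK, UNBLANK, RUN), destroys the ticket cache on LOCK, and on UNBLANK re-acquires tickets only when `klist -s` reports none, prompting through kdialog or zenity. It assumes xscreensaver and MIT Kerberos (kinit accepting the password on stdin) are installed.

```shell
#!/bin/sh
# Added example: tie xscreensaver lock/unlock events to the Kerberos credential
# cache. Not from the commenter, KDE, xscreensaver or krb5-auth-dialog.
# Assumes xscreensaver, MIT Kerberos (kdestroy/klist/kinit) and kdialog or zenity.

# Map one `xscreensaver-command -watch` line to an action name.
# The first word is the event: BLANK, LOCK, UNBLANK or RUN <n>.
action_for_event() {
    case "$1" in
        LOCK|LOCK\ *)       echo kdestroy ;;   # screen locked: drop all tickets
        UNBLANK|UNBLANK\ *) echo reacquire ;;  # user is back: get tickets again
        *)                  echo none ;;       # BLANK without lock, RUN, etc.
    esac
}

# Turn a stream of event lines (stdin) into the ordered list of real actions,
# one per line, dropping "none". Used by the live loop and by dry runs on a
# captured transcript.
plan_actions() {
    while IFS= read -r line; do
        a=$(action_for_event "$line")
        [ "$a" = none ] || echo "$a"
    done
}

# Re-acquire tickets only if the cache has no valid TGT (klist -s exit status).
# The password is read by a graphical prompt and handed to kinit on stdin, so
# it never appears on a command line or in shell history.
reacquire_tickets() {
    klist -s 2>/dev/null && return 0
    pw=$(kdialog --password "Kerberos password for $(whoami)" 2>/dev/null) \
        || pw=$(zenity --password --title "Kerberos" 2>/dev/null) || return 1
    printf '%s\n' "$pw" | kinit >/dev/null 2>&1
    status=$?
    unset pw
    return "$status"
}

# Live loop: run from the session startup so it outlives individual terminals.
run_hook() {
    xscreensaver-command -watch | plan_actions | while IFS= read -r a; do
        case "$a" in
            kdestroy)  kdestroy ;;
            reacquire) reacquire_tickets ;;
        esac
    done
}

[ "${1:-}" = "--run" ] && run_hook
```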
Pressure sensor on the chair hooked to the computer using bluetooth or something.
Wasn't their solution for 95/98/ME not to authenticate in the first place? I seem to remember just clicking "Cancel" on the login prompt let you into the computer.
Right, that's when it crashed. :)
Well, it depends on where it was.
If it was in the user's personal start menu, you could just log in as administrator and delete it from the %userprofile%\Start Menu\Programs\Startup folder in the user's settings. (Key would be to log in as someone else – and the someone else would have to have administrator rights on that computer.)
If it was in the All Users start menu, logging in as administrator wouldn't work either. In that case, I think booting into safe mode would prevent it from running, and if not, you could always boot to command prompt. Then delete the shortcut from the C:\Documents and Settings\All Users\Start Menu\Programs\Startup folder.
Or you could RTFA. Schneier already glossed over that.