Author Topic: Worst case scenarios  (Read 8154 times)

Offline thibros

  • Full Member
  • ***
  • Posts: 107
Worst case scenarios
« on: June 03, 2006, 09:47:38 PM »
I'd like to discuss a few worst case scenarios. And how any security system might protect your passwords. Here's what I came up with so far, can you think of others?

An internet cafe has a keylogger installed. The keylogger takes screenshots, and monitors the clipboard. Users are not allowed to run executables. Is there a chance for a user to keep his passwords safe?

A man wants to spy on his wife, to get her (PasswordMaker) master password, or at least several of her email and paypal passwords, etc. It's his computer she uses, he's a computer freak, and she doesn't really suspect anything. Can she be saved?

Assuming that a PasswordMaker windows edition has become a general tool for many, a virus is developed aimed at PasswordMaker users. What is the worst thing the virus can do?

You may mention features and editions not yet implemented but which might be possible in PasswordMaker. Of course, there ain't no such thing as a free lunch 100% security, we all know that. This is all meant as brain training, so imagine the very worst cases, and how to make them at least improbable. You may mention third party products, too.

Any thoughts about this?

Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1157
  • Programmer
Worst case scenarios
« Reply #1 on: June 04, 2006, 01:54:30 AM »
The keylogger one: I can't think of a way to keep passwords safe. The most you can do is make a PHP proxy type thing (and use it to store the passwords, hence the PHP edition comes into play) which allows you to scramble the password to access it with a click of a button, and you just need to check an e-mail that the keylogger infected computer does/shouldn't know about.

The man and his wife one: if she has her directory encrypted (assuming her profile is on a NTFS drive with Windows), she can be saved, as the husband would need the password to her account on the computer to read the directory.

Windows edition one: It can steal whatever settings you have saved (accounts, default password generation, maybe even the master password). This applies to any edition that allows storing the settings. This allows the writer to know what sites to use the passwords at as well.
"I'm not drunk, just sleep deprived."

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Worst case scenarios
« Reply #2 on: June 04, 2006, 02:57:46 AM »
Keylogger: if the keylogger takes screenshots and the passwords are displayed with asterisks or white-on-white as with the new online edition (beta), how will a screenshot reveal the password?

As for the other issues, why not use TrueCrypt for the settings file?

Offline thibros

  • Full Member
  • ***
  • Posts: 107
Worst case scenarios
« Reply #3 on: June 04, 2006, 04:48:19 AM »
Quote from: miquelfire
The keylogger one: I can't think of a way to keep passwords safe. The most you can do is make a PHP proxy type thing (and use it to store the passwords, hence the PHP edition comes into play) which allows you to scramble the password to access it with a click of a button, and you just need to check an e-mail that the keylogger infected computer does/shouldn't know about.
I'm not sure I know what you mean, what is the email for? The keylogger logs all input, so it could reconstruct everything you typed, couldn't it?

Quote from: Eric H. Jung
Keylogger: if the keylogger takes screenshots and the passwords are displayed with asterisks or white-on-white as with the new online edition (beta), how will a screenshot reveal the password?
While you're selecting it with the mouse, maybe. The keylogger would also know the master password, and the settings if you changed them from the default ones. It could reconstruct the password. I DON'T want to enter the master password there.

I was thinking, if the online edition had some storage ability (php, mysql) it could produce a "one time password" to store and retrieve settings. Like this: on the storing page the master password is encrypted with a second password. The first four characters are cut off, the user writes them on a piece of paper, it's like a transaction pass. The rest of the hash is stored on the server, which returns a settings ID.

In the internet cafe, the online edition is called with that settings ID, and the javascript will have the rest of the hash inside, in its code. The user provides the second password and the four characters of the hash, from which the script computes the master password for the session. The complete hash is never sent, making brute force attacks impossible.

The server deletes its own copy of the hash, of course. The second password becomes useless.

But here's the problem, if the keylogger monitors the clipboard, how can the user get the generated password from one window to the other? Is there any way to have two frames, and one frame fills a field in the other frame via javascript?

This is for people who are really paranoid, of course.

Quote
As for the other issues, why not use TrueCrypt for the settings file?
Quote
The man and his wife one: if she has her directory encrypted (assuming her profile is on a NTFS drive with Windows), she can be saved, as the husband would need the password to her account on the computer to read the directory.
Encryption is good, but again, what about a keylogger? If I were that husband, that's the first thing I'd install. Not really, of course. Chances are, she doesn't have her own Windows account with her own privacy, and he's the administrator after all. What about using a USB stick? Can that be made secure? Or a SD memory card?

Quote
Windows edition one: It can steal whatever settings you have saved (accounts, default password generation, maybe even the master password). This applies to any edition that allows storing the settings. This allows the writer to know what sites to use the passwords at as well.
Maybe then the master password should be saved in a random location instead of a fixed location. But where to hide it? The writer of the virus knows the PasswordMaker source code, after all. I don't see a way, unless the user is willing to authenticate himself, like using a key card or biometric data, something that's not easily logged. Keyloggers are really nasty. And anything attacking a specific program is bound to find a way. All I can think of is having so many random factors inside the PasswordMaker program, that it's impossible to track them all in a reasonable amount of time....
« Last Edit: June 04, 2006, 04:49:23 AM by Thibros »
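
The split scheme proposed in Reply #3, sketched as an added example (not code from the thread or from PasswordMaker). The cipher (AES-256-GCM), the scrypt key derivation and the names `enroll`, `recover` and `makeServer` are assumptions; the thread does not specify any of them.

```javascript
const crypto = require('crypto');

// Assumption: the key is derived from the second password with scrypt.
function deriveKey(secondPassword, salt) {
  return crypto.scryptSync(secondPassword, salt, 32);
}

// At home: encrypt the master password, keep the first `cut` hex characters
// on paper, and give only the remainder to the server.
function enroll(masterPassword, secondPassword, cut = 4) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(secondPassword, salt), iv);
  const body = Buffer.concat([cipher.update(masterPassword, 'utf8'), cipher.final()]);
  const blob = Buffer.concat([body, cipher.getAuthTag()]).toString('hex');
  return {
    paper: blob.slice(0, cut),
    server: { salt: salt.toString('hex'), iv: iv.toString('hex'), rest: blob.slice(cut) },
  };
}

// In the cafe: rejoin paper part and served remainder, then decrypt.
// Returns null if the paper part or the second password is wrong,
// because the GCM tag check fails on any altered byte or wrong key.
function recover(paper, server, secondPassword) {
  try {
    const blob = Buffer.from(paper + server.rest, 'hex');
    const body = blob.subarray(0, blob.length - 16);
    const tag = blob.subarray(blob.length - 16);
    const key = deriveKey(secondPassword, Buffer.from(server.salt, 'hex'));
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(server.iv, 'hex'));
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
  } catch (err) {
    return null;
  }
}

// Hypothetical in-memory server: a settings ID can be redeemed exactly once.
function makeServer() {
  const store = new Map();
  let nextId = 1;
  return {
    put(record) { const id = String(nextId++); store.set(id, record); return id; },
    takeOnce(id) { const rec = store.get(id) ?? null; store.delete(id); return rec; },
  };
}
```

Four withheld hex characters amount to 16 bits, so the protection rests mainly on the second password and on the server deleting its copy after a single use.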

Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1157
  • Programmer
Worst case scenarios
« Reply #4 on: June 05, 2006, 01:43:01 AM »
About my proxy thing with the e-mail, here's how it works:
User has a password to log into the proxy, the proxy takes care of filling out the login forms somehow (exercise for the programmer of the proxy) and all the internet cafe computer will see is the password entered to log into the proxy, but never has access to the login details of the sites visited by the proxy. And the e-mail can be anything that the keylogger won't have access to (like the logger sends an e-mail to the user's cell phone, most cell services that provide SMS have a way to send messages to the phone with an e-mail address)

And yea, using a USB stick that somehow encrypts the data is the way to go. Just hope the wife doesn't leak the access code(s) so her husband has access to all the data.
"I'm not drunk, just sleep deprived."

Offline thibros

  • Full Member
  • ***
  • Posts: 107
Worst case scenarios
« Reply #5 on: June 05, 2006, 08:29:24 PM »
Quote from: miquelfire
About my proxy thing with the e-mail, here's how it works:
User has a password to log into the proxy, the proxy takes care of filling out the login forms somehow (exercise for the programmer of the proxy) and all the internet cafe computer will see is the password entered to log into the proxy, but never has access to the login details of the sites visited by the proxy. And the e-mail can be anything that the keylogger won't have access to (like the logger sends an e-mail to the user's cell phone, most cell services that provide SMS have a way to send messages to the phone with an e-mail address)
I really like that proxy idea. To prevent the keylogger from knowing the proxy password, we'd need one time passwords, of course. These could be sent to your phone via your email forwarding, or you can generate them at home and print them. It would be cool, for logging on you use the normal login page, but your proxy username and proxy 'one time password'. The proxy generates the login information. You can add a whole layer of security with this to any site.

But I'm not sure you can change the proxy in an internet cafe. Another way would be like one of those translation pages, using a web interface (like this one: http://www.rikai.com/perl/HomePage.pl?Language=Sp which adds a Spanish OnMouseOver to every single word). But it maybe doesn't work with every site. Well, I was able to log into these forums using Rikai (although PasswordMaker generated a wrong password at first, of course). I think this has potential.

Quote
And yea, using a USB stick that somehow encrypts the data is the way to go. Just hope the wife doesn't leak the access code(s) so her husband has access to all the data.
Nowadays anything you'd have to type into the computer isn't really safe any more. I'd sell her one of those USB sticks with a built-in fingerprint reader for 100$. Or maybe a secure smartcard reader.

Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1157
  • Programmer
Worst case scenarios
« Reply #6 on: June 05, 2006, 08:37:14 PM »
A virus targets PasswordMaker by replacing the exe (or the jar file if it's the Firefox Extension) to gather passwords as they're generated. Any way to keep you safe in this situation?
"I'm not drunk, just sleep deprived."

Offline thibros

  • Full Member
  • ***
  • Posts: 107
Worst case scenarios
« Reply #7 on: June 05, 2006, 09:32:09 PM »
I only see one way: custom compiles. If there's a hard coded welcome screen in the exe, which greets the user with a custom message, picture, etc. the exe couldn't be exchanged with a "fake". And so the exe couldn't be "cracked", the custom compile could have custom function names (could be random names), the user would have to change as much in the code as possible, moving blocks to the end, etc.

Then the only way for a cracker would be to let the virus upload the 'exe' to him, he'd examine it and build a custom "fake", and send it back. He'd only do that if he really targets you.

We should have a "build your own PasswordMaker kit" with complete instructions. Every single exe must be unique.

Would you be safe now?

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Worst case scenarios
« Reply #8 on: June 05, 2006, 09:54:24 PM »
You guys are nuts

Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1157
  • Programmer
Worst case scenarios
« Reply #9 on: June 06, 2006, 02:40:53 AM »
Quote from: Thibros
I only see one way: custom compiles. If there's a hard coded welcome screen in the exe, which greets the user with a custom message, picture, etc. the exe couldn't be exchanged with a "fake". And so the exe couldn't be "cracked", the custom compile could have custom function names (could be random names), the user would have to change as much in the code as possible, moving blocks to the end, etc.

Then the only way for a cracker would be to let the virus upload the 'exe' to him, he'd examine it and build a custom "fake", and send it back. He'd only do that if he really targets you.

We should have a "build your own PasswordMaker kit" with complete instructions. Every single exe must be unique.

Would you be safe now?

Yea, I can see the user being safe. And with the ease that QT provides on Windows, it should be easy to allow for this.

Quote from: Eric H. Jung
You guys are nuts

And my quit message on IRC was what again? "I may be nuts, but I'm not nutty"
"I'm not drunk, just sleep deprived."

PasswordMaker Forums
