• Patch Lady – so should we freak out about passwords?


    #330020

    We urge folks to use stronger passwords, but then it’s hard to keep track of them.  So we use password managers.  But there’s news out that these mana
    [See the full post at: Patch Lady – so should we freak out about passwords?]

    Susan Bradley Patch Lady/Prudent patcher

    • #330027

      Law #1: If a bad guy can persuade you to run his program on your computer, it’s not solely your computer anymore.
      Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore.
      Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore…

      That bad guy is Microsoft. While the PC/hardware belongs to the user, the Windows OS belongs to Microsoft, which has full ownership, runs the OS, updates, programs… alters the OS at will, and has unrestricted access to the computer.

      • #330030

        Being devil’s advocate, isn’t that true for any other operating system vendor?  My iPhone gets to a point where it forces updates.

        Susan Bradley Patch Lady/Prudent patcher

        • #330211

          Well yeah, that’s why some of the more paranoid people have written generic guidelines… starting from using at least two different security scanners and a firewall written by someone other than the OS vendor, all the way up to running an operating system that’s actually built from source locally.

          (The latter I’ve done, if for no other reason than that we had a full server’s worth of weird spare parts once and nothing off-the-shelf would run on what we could assemble from those… well it certainly wouldn’t run any binary-only malware either.)

        • #330260

          I think we have to trust the computer and OS maker. Or stay out of the game. It is what it is, no choice there.

          You just hope that they would be worried enough that making a serious blunder would hurt their brand and cause the company to fail, and do the right thing. Don’t be evil.

          It’s what you do to secure the device after the purchase that counts the most! You just assume that a new purchase, or wipe and clean install, precludes all possible traces of anything untrustworthy, and puts the machine back in “trusted” status.

          I recall that the corporate IT team where I worked never, ever tried to clean a malware infestation.  It was always an immediate wipe and re-image for the machine. Then all clear was assumed again.

          Windows 10 Pro 22H2

      • #330051

        Microsoft doesn’t have unrestricted physical access to any of my belongings.

    • #330050

      Patch Lady, thanks for starting this thread, that is another part of your ongoing series meant to warn and so forearm the rest of us.

      My own thoughts on this: the problem everyone has, to a lesser or greater extent, is that there is only so much time and effort one is prepared to put into personal security in general. It is always, ultimately, a compromise one has to make, between living and staying safe, is it not? A compromise more on the side of security when one is jointly responsible for one’s own and someone else’s security; less so, when it is just one’s own security alone. I believe that, given your professional responsibilities, you often have to make that compromise heavily weighted towards security, which has given you the opportunity to reflect on and study this question more than others do.

      To illustrate my own situation with an example: I often have no choice but to drive in really bad, dangerous traffic on a city beltway when I go out in my own car; so I buckle up, do not use a phone, keep a wary eye on other drivers, and hope for the best. But the risk is mainly mine, unless it is I that causes an accident. With computer security I can do something a bit more effective, so I do. The attitude of someone who drives a school bus along the same roads as I must be quite different to mine, or so I would hope.

      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 MHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

      • #330061

        I like your example!

        I asked for (and received) this as a Christmas gift:

        Wolo Bad Boy air horn

        • #330247

          Try using one of those in Boston traffic and see how long your life expectancy lasts!

          -- rc primak

    • #330072

      For the extremely cautious or extremely paranoid, you could use KeePass on a flash drive to manage your passwords. I used to use this program. You can even set it up so that you have to have a separate dongle to access the database. Make sure you have backups of this database and dongle if you go that route. Flash drives do fail.

      Group A | Windows 7 Pro 64-bit | Windows 10 Pro 1809 64-bit
    • #330078

      A manual password book such as the one linked to in the original post, while appealing, can be defeated if your computer is infected with a keyboard logger.

    • #330231

      It seems that in the case of KeePass, when you use a password it leaves it in plain text in RAM, which only Windows has access to, and a memory dump immediately afterwards can pick it up. But surely even if you type a password manually in your browser it will also be stored in memory and passed to the site in plain text, so it is really no different. No issues were found with how KeePass stores the data within its own program.

      See https://sourceforge.net/p/keepass/discussion/329220/thread/3141433d14/ for a discussion on this.

    • #330251

      Some observations:

      1) I am not worried about this report. It relies on Proof of Concept, and these fall into the category of: the attacker must have physical access to the computer.  With the exception of memory-resident plain-text transient data, this seems to be the summary. This is not a likely occurrence for home and most small business users, so can be reasonably discounted.

      2) A password book also needs physical security. Especially if its contents are not themselves somehow encoded. Better than any passwords file left on the computer or in the Cloud. (Password databases for use with Keepass can be left in the Cloud because they are encrypted. This allows use of Keepass or KeepassX portable editions across different PCs or devices without needing to install anything locally. Public PCs still may not allow program execution from USB sources, which will defeat the portable versions of these programs, and would probably also defeat YubiKey and its cousins.)

      3) I hate to sound like a Johnny One-Note, but not using a password at all, and using a secure USB key instead is still better than any password or password manager scheme yet devised. More sites should be adopting this as an option, along with two-factor authentication, as time goes by. The second factor could be biometric for better safety.

      4) Third party firewalls and third party security programs with active components may introduce security holes of their own into Windows, with full access to critical Windows system files. And with far less security auditing (both in-house and by White Hat hackers) than Windows regularly receives. Thus, in an effort to make ourselves more secure, we may actually be accomplishing the exact opposite. There have been several recent articles on tech sites and blogs about this issue.

      -- rc primak

      • #330373

        A problem with having all passwords only in “the Cloud” (or anything very important only there, for that matter) is this: what do you do when your Internet connection is down and you are in urgent need to access something, for example in a separate network that is still running OK, if for that it is necessary to login with a password?

        Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

        • #330381

          As you are writing in general terms, in general “the cloud” acts as a neutral repository to assist in synchronizing across your variety of devices. Where each device also stores this information for immediate use. When you make a change on one device, it is also made “in the cloud” on the next cloud connection; and subsequently on each discrete device as they make connection. This method appears seamless for users that are “always on” and “always connected”. A user who stays offline as a rule may have a rougher time of things. But then this is not a tool for that kind of person.

          So the hazard of leaking is still very real. It is like making photocopies of your hard copy master list and posting them about town for your convenience, encrypted of course. But under this design you are not “cut off” by being offline for local password needs.

          After all that, I must ask, how many local needs do you have for this level of password protection? Most use these products to keep the passwords they need for online accounts. Therefore, if you are already connected to the WWW, your cloud service should also be available. (Excepting short periods of natural disaster)

          Specific products require specific investigation.

          • #330401

            Anonymous #330381: “After all that, I must ask, how many local needs do you have for this level of password protection? Most use these products to keep the passwords they need for online accounts.”

            Well… logging in to government (or corporate) computers using a password in “the Cloud” while on site and directly connected to their LAN (but with access to the Web when the connection to it from the LAN is also working) is something frowned upon and to take into account, assuming one wanted to keep an interesting and challenging job working for the government (or a private company with industrial secrets, etc., that its owners prefer to keep to themselves), in my case, as a contractor, for example. Not to mention logging in to one’s own computers at home, if one kept changing the passwords often. So “exclusively in the Cloud” is not a complete, one-size-fits-all solution to the dilemmas posed by the need to keep one’s passwords both available and secure.

            Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

            • #330402

              In your situation you should probably be employing multi-factor authentication, such as RSA SecurID. That was required for any access to corporate resources at the last company I worked for. https://www.rsa.com/en-us/products/rsa-securid-suite

              Windows 10 Pro 22H2

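The second factor recommended above, and in #330263 and #330251 below, is usually a time-based one-time code. What follows is an added example written for this page, not RSA's code: it implements the open TOTP standard (RFC 6238 over RFC 4226 HOTP with HMAC-SHA1), which is not SecurID's proprietary algorithm, in standard-library Go, with the server-side checks a practitioner would want: one step of clock drift either way, constant-time comparison, and refusal to accept a code a second time within its window. The secret is the RFC's published test secret; a real seed is random and per user.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strconv"
	"time"
)

// hotp returns the RFC 4226 value for one counter: HMAC-SHA1, dynamic
// truncation to 31 bits, reduced mod 10^digits and zero-padded.
func hotp(secret []byte, counter uint64, digits int) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg)
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	bin := (uint32(h[off])&0x7f)<<24 | uint32(h[off+1])<<16 | uint32(h[off+2])<<8 | uint32(h[off+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	s := strconv.FormatUint(uint64(bin%mod), 10)
	for len(s) < digits {
		s = "0" + s
	}
	return s
}

// totp is RFC 6238: HOTP over the counter floor(unixTime / step).
func totp(secret []byte, unixTime, step int64, digits int) string {
	return hotp(secret, uint64(unixTime/step), digits)
}

// Verifier is the server side. It tolerates one step of clock drift in either
// direction, compares in constant time, and never accepts a counter at or
// below the last one it accepted, so a captured code cannot be replayed
// within the drift window.
type Verifier struct {
	secret      []byte
	digits      int
	step        int64
	lastCounter int64
}

func NewVerifier(secret []byte, digits int, step int64) *Verifier {
	return &Verifier{secret: secret, digits: digits, step: step, lastCounter: -1}
}

func (v *Verifier) Check(code string, unixTime int64) bool {
	base := unixTime / v.step
	for skew := int64(-1); skew <= 1; skew++ {
		c := base + skew
		if c < 0 || c <= v.lastCounter {
			continue
		}
		want := hotp(v.secret, uint64(c), v.digits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			v.lastCounter = c
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret, not a real seed
	now := time.Now().Unix()
	code := totp(secret, now, 30, 6) // what the authenticator app shows
	v := NewVerifier(secret, 6, 30)
	fmt.Println("code:", code, "first use accepted:", v.Check(code, now), "replay accepted:", v.Check(code, now))
}
```

Note what this does and does not protect: a phished code is still valid until the step ends and the verifier sees it, which is why the drift window is kept to one step and why a phishing-resistant factor such as the hardware key mentioned in #330251 is stronger than any code typed by hand.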
            • #330403

              Quite so. But that is not the issue I was discussing.

              Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

            • #330428

              But you were discussing “logging into government (or corporate) computers”.

              Windows 10 Pro 22H2

            • #330432

              Not quite: I was actually giving — to make the point that the “Cloud” is not the one-size-fits-all solution that some seem to think — the example where one is physically able to access the Web from those government and business computers, which is something often available to those allowed to use their LAN, and for very good reasons, as long as they do so prudently. But that one is always able to do also imprudently, if one so chooses. Not really an obviously bad idea, until someone in charge of IT Security finds out that one is actually keeping their machines’ passwords in someone else’s servers, especially when something awful happens as a result.

              Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

            • #330484

              Simple answer:

              Store website passwords (non work related) = yes.

              Store machine passwords anywhere = never! Memorize them!

              Windows 10 Pro 22H2

        • #330398

          As far as passwords synchronized through the cloud, you can avoid the problem with local passwords by simply memorizing your local passwords, and only use the pw manager for your online accounts.

          Then if the network is down, you won’t need to log in to those online accounts anyway.

          As far as synchronizing your docs and other content through the cloud, that stuff can be synchronized and stored in a local folder as well, so you are not completely cut off if the net goes down. It’s just that all your devices have access to the latest versions when they do go online and sync up!

          A neat trick for memorizing a long random password (which you should always do for your password manager master password) is to take the first letter of each word in a random sentence that you made up, but can easily remember. Mix up at least one upper or lower case letter.

          Then throw a date or something easily remembered in there for the numbers requirement. It’s also recommended (and sometimes necessary) to include a special character.

          Windows 10 Pro 22H2

        • #336553

          A problem with having all passwords only in “the Cloud”(or anything very important only there, for that matter) is this: what do you do when your Internet connection is down…

          I would never have my passwords stored only in the Cloud. That is one reason why storing passwords in browser extensions is a non-starter for me. Nothing I recommend uses Cloud-only password storage, does it?

          -- rc primak

      • #330888

        2) A password book also needs physical security. Especially if its contents are not themselves somehow encoded. Better than any passwords file left on the computer or in the Cloud. (Password databases for use with Keepass can be left in the Cloud because they are encrypted. This allows use of Keepass or KeepassX portable editions across different PCs or devices without needing to install anything locally. Public PCs still may not allow program execution from USB sources, which will defeat the portable versions of these programs, and would probably also defeat YubiKey and its cousins.)

        Well yeah. A password database on a personal device, and protected on that, is helpful. (Smartphone with a suitable application… so you have the mobile security problem, especially if both the password database and the MFA tool are on the same device, and also keylogger risk on the public PC if not for MFA.)

        Around here, you can find public PCs equipped with a smartcard slot, but YubiKey is a bit too new still for that…

        4) Third party firewalls and third party security programs with active components may introduce security holes of their own into Windows, with full access to critical Windows system files. And with far less security auditing (both in-house and by White Hat hackers) than Windows regularly receives. Thus, in an effort to make ourselves more secure, we may actually be accomplishing the exact opposite. There have been several recent articles on tech sites and blogs about this issue.

        And then you get the problem of Windows behaviour changing with an update and the third-party tools not keeping up.

        In the past it was usually believed that the security products would have been better audited than Windows device drivers for example. This was even true for some combinations of products… I certainly hope it still is at least for some specific drivers that I won’t name.

    • #330263

      Not freaking out. I have a plan. 🙂

      I recently started testing the free LastPass, and so far I like it. https://www.lastpass.com/

      It will generate and insert a unique complex password for any site that I want. And remember them, which I would find impossible, and I’d rather not write them down.

      It offers multi-factor authentication for the master password. I like that!

      Just in case, you could also be running anti-keylogger (local keystroke encryption) software on the machine. I am and it doesn’t seem to be conflicting with LastPass.

      In addition, I still enable multi-factor access for any critical websites.

      Windows 10 Pro 22H2

    • #330265

      I like the list!

      I have often thought of these three when considering the risk of any recently announced privilege elevation exploit vulnerability.

      If any of the following are true, then you probably have much bigger problems than the potential vulnerability!

      Law #1: If a bad guy can persuade you to run his program on your computer, it’s not solely your computer anymore.

      Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore.

      Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.

      Windows 10 Pro 22H2

    • #330290

      The above should be changed to:
      Law #1: If a bad guy at Microsoft can persuade you to run Windows 10 on your computer, it’s not solely your computer anymore.
      Law #2: If a bad guy at Microsoft can alter the operating system of Windows 10 on your computer without your consent, it’s not your computer anymore.
      Law #3: If a bad guy at Microsoft has unrestricted physical or remote access with Windows 10 to your computer, it’s not your computer anymore.
      Law #4: If you allow a bad guy to run active content in your website, it’s not your website any more.
      Law #5: Weak passwords trump strong security.
      Law #6: A computer is only as secure as the administrator is trustworthy.
      Law #7: Encrypted data is only as secure as its decryption key.
      Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
      Law #9: Absolute anonymity isn’t practically achievable, online or offline.
      Law #10: Technology is not a panacea.

      • #330372

        No. 11: Windows 10? Forget about it.

        Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      • #330550

        Windows is now more in control of our system than in the past. There is no security left in Windows.

    • #330292

      Being devil’s advocate, isn’t that true for any other operating system vendor?

      No, a free OS gives you access to review and modify the code in the way you want. Plus it allows you not to update if you do not want to update. But MS does not allow you to.

    • #330295

      Freaking out. Warning: Prepare for incoming silliness. Thank you Patch Lady, security and paranoia alerts are a never ending business these days. Computer security is so very important, but also considering that life is short, I am going to offer a touch of humour. Susan said: “Excuse me while I go buy some aluminum foil.” Are we allowed to substitute tin foil for the aluminum foil? Because a most highly esteemed world famous security advisor known as Weird Al Yankovic has an important question to ask:

      [image: Weird-Al-Hat]
      Also, does everyone realize that Amazon sells the very important ‘Archie McPhee Tin Foil Hat’

      [image: Archie-McPhee-Hat]
      supposedly one size fits all. And please note, furthermore and henceforth, all passwords are to be reset to: ‘tinfoil’. Have a good day, Cheers 🙂

      https://wolo-mfg.com/model-419-bad-boy.html

    • #330370

      I don’t see too much to worry about with this report. I agree that using a password manager is far, far better than using the same simple passwords across multiple sites. Though if a third party has physical access to your machine, then of course all bets are off.

      I’ve used KeePass for years, so I’m pleased to see that the audit appears to be solid, the weak link there being how Windows handles things in memory. Personally though, I won’t touch an online password manager with a barge pole; LastPass in particular has had several security incidents – https://en.wikipedia.org/wiki/Lastpass#2017_incidents – if you leave your database in the cloud on somebody else’s computer then you’re taking a risk.

      Also, I have to defend tinfoil hat wearers – it turns out they weren’t paranoid for all those years, they were simply paying attention.

    • #330785

      Susan, you’re right…

      Mine are in a little book written in Coptic (don’t ask how I learned it); and one of the places I keep that is in a cool, dry basement in a closet behind the sign on the door, “Beware The Leopard”. -(Tip of the hat to Douglas Adams)

      Seriously, some of the simpler ways are the best-“There’s a key to every lock.”

      Remember when the Internet was almost always fun? <sigh>

      Win7 Pro SP1 64-bit, Dell Latitude E6330 ("The Tank"), Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Newbie
      --
      "The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

      • #330848

        NTDBD: Great quotation! I am not sure that, for me, using the Coptic alphabet is all that necessary, but it’s fine if you like using it. I keep passwords (written in Roman letters and Arabic numerals) in an encrypted ASCII file with copies on my PC and Mac, and also keep an up-to-date hard copy of it somewhere. Plus it gets backed up with everything else worthwhile on a dedicated external HD (a.k.a. “Time Machine” on the Mac). Not all possible eventualities are taken care of in this way: you mentioned “fire” somewhere and I mentioned “flood”. Some things are larger than us. Best plans of mice and men, etc. And the answer to your question is “Yes”.

        Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

    • #336619

      Nobody mentioned Microsoft Hello and Passport. Is that because none of us use facial recognition to log on?
