Are better password recovery mechanisms really better?

If you're monitoring the pulse of the IT world, you probably stumbled upon this story:

ElcomSoft has discovered and filed for a US patent on a breakthrough technology that will decrease the time that it takes to perform password recovery by a factor of up to 25. ElcomSoft has harnessed the combined power of a PC's Central Processing Unit and its video card's Graphics Processing Unit. The resulting hardware/software powerhouse will allow cryptology professionals to build affordable PCs that will work like supercomputers when recovering lost passwords.

Now, let me translate that into plain English - they can use the computer's video card to speed up the process of brute-forcing a password. Modern computers have powerful video cards, and it is a pity to let them do nothing while the CPU is working hard.

The part which I find funny is "discovered a breakthrough technology". Was it hidden somewhere in the snows of Siberia, or in the sands of Sahara? ... waiting for hundreds of years for someone to come and discover it... How about "develop" or "invent"?

If I ignore that and only consider the serious stuff, there are several things that I have to say:

  • This is not new, and others have been using the GPU to process data for quite some time;
  • While this does make things a bit faster for the attacker, you should not worry - just add one more letter to your password and you've made their job 26 times slower. And that's a conservative estimate, because we're only dealing with letters. How about making it a bit more complicated and using lowercase and uppercase letters? How about signs like these: "!#%^*@?", numbers, foreign languages? If you use a character set that goes beyond the 26 lowercase Latin letters, making the password one character longer makes the promised x25 speed-up completely useless;
  • Another thing is that a video card with plenty of horsepower is very expensive, so it is difficult to imagine how such a "supercomputer" is affordable. Finally, I would rather invest my funds into more RAM or a better CPU, instead of getting a better video card (but that's me, a 99% non-gamer).

So, if that story made you a bit worried about your privacy, you can relax now. Either of these tips will help you out:

  • Use a stronger password (either longer, or use one with unusual characters, or do both);
  • Switch to smart-cards and tokens, coupled with biometric authentication.

Why I don't use an antivirus

Many years ago I decided I was not going to use an antivirus for my computer. My friends and colleagues find this unbelievable, but they are more surprised when I tell them that throughout the years this decision never came back to haunt me.

The #1 reason was to get rid of the performance penalties that are an obvious consequence of an antivirus that runs in the background and checks all the files that are being accessed. The second reason was that [at that time] I did not have a permanent Internet connection, so I was always sure that I never had the most recent updates. In other words, I was aware of the fact that my antivirus would probably miss a threat or two. In those circumstances it was obvious that

  • I have to live with permanent performance issues;
  • And in spite of that, there is a great chance I'll get infected anyway.

Naturally, I decided to remove the antivirus. This sounds like a crazy decision, but it is not, if you analyze the problem. Think about the sources from which viruses come:

  • Emails with attachments
  • Things you copy from CDs, DVDs or USB flash drives when you exchange data with friends
  • Files downloaded from Internet sites
  • Source-X (you'll find out below)

Now, let's deal with each item:

Email - this is not a real threat, as long as you follow some basic rules:

  • Don't run programs that came in attachments;
  • If the attachment comes from a trusted person, either ask them if they really sent that file, or simply ignore the email, because (see below)
  • Normally people don't send programs (EXE files) via email. Usually we exchange photos, documents, movies... why would we suddenly change the pattern and send a program?

Files copied from various media - the same logic applies: photos, movies and texts are not executable files, hence they pose no harm. If the CD or DVD is from a store, then we can trust the vendor made sure there are no infected files there. If it comes from an unreliable source, then try to obtain the same file from a trusted one.

Files downloaded from various web-sites are the ones more likely to be harmful, especially if they come from P2P networks like eDonkey or Kazaa. As in the previous case, you are pretty safe if you ignore EXE files and only use the .mp3 or .avi ones - they are not executable programs, so they can't cause trouble. (Note, if you're the "download stuff off P2P networks" type, you might find PD FileMove useful)

As you can see above, most of the time you can get away with simply taking a look at the type of the file and making sure it is not an EXE. An antivirus is not needed for that; all you need is to think for a second before double-clicking a file.
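One way to make the "look at the file type" check explicit, as an added example that is not part of the original post: it inspects the name and the first bytes of a file, and also reports the case where the two disagree. The extension lists and the sample inputs are assumptions constructed for the illustration.

```python
import os

# Extensions Windows treats as directly runnable (a partial list chosen for this example).
RUNNABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs"}
# Extensions the post treats as plain data.
DATA_EXTENSIONS = {".mp3", ".avi", ".jpg", ".doc", ".txt"}
# Leading bytes that identify an executable format regardless of the file name.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows executable (MZ header)",
    b"\x7fELF": "ELF executable",
}


def classify(name, head):
    """Return a list of findings for a file name and the first bytes of its content."""
    findings = []
    stem, ext = os.path.splitext(name.lower())
    inner_ext = os.path.splitext(stem)[1]
    if ext in RUNNABLE_EXTENSIONS:
        findings.append("runnable extension " + ext)
        # "holiday.jpg.exe" looks like a picture when extensions are hidden.
        if inner_ext in DATA_EXTENSIONS:
            findings.append("double extension %s%s hides the real type" % (inner_ext, ext))
    for magic, label in EXECUTABLE_MAGIC.items():
        # The name claims data, but the content starts like a program.
        if head.startswith(magic) and ext not in RUNNABLE_EXTENSIONS:
            findings.append("content is a %s but the name ends in %s" % (label, ext or "(none)"))
    return findings


def scan_file(path):
    """Classify a file on disk using its name and its first four bytes."""
    with open(path, "rb") as handle:
        return classify(os.path.basename(path), handle.read(4))


# Constructed sample inputs: (file name, first bytes of the file).
SAMPLES = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0"),
    ("holiday.jpg.exe", b"MZ\x90\x00"),
    ("song.mp3", b"MZ\x90\x00"),
    ("setup.exe", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for sample_name, sample_head in SAMPLES:
        print(sample_name, "->", classify(sample_name, sample_head) or "nothing suspicious")
```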

Now, what if you received a file from a friend, and they confirmed they really sent it, so it's supposed to be safe... but your defensive instincts tell you that the file might be harmful, what then? The solution is to use an antivirus which is not resident, i.e. it does not permanently reside in the computer's memory and you only use it when you think you need it.

I do have an antivirus on my computer, a free program called ClamWin. If my "psychic virus detection" skills are not convincing enough, I can right-click the suspect file and scan it:

[Screenshot: clamwin-scan]

Knowing that I can do this gives me the psychological comfort of feeling protected. But here's the funny thing - in no less than 5 years of not using an antivirus, I used this option no more than 10 times. Each time I used it, the antivirus confirmed that the suspect file was indeed malicious - but I was able to determine that myself just by analyzing the file (its name, extension, size, the date it was created).

In other words, I have empirical evidence that life without an antivirus is not only possible, but also very successful. Of course, this requires rather advanced computer-oriented thinking (not everyone can guess that a file is a spyware program just by looking at it), but even this has a simple solution - don't mess with unknown EXEcutable files.

This story would be incomplete, and misleading, if I didn't mention that I am using a firewall, and I am pretty sure that my firewall is the second most important layer of defense (the first one being my intuition; the term 'intuition' is not very good, but discussing its appropriateness is beyond the scope of this story).

This occurred to me in the days of MSBlast, when many people suddenly found themselves with a "System is shutting down in X seconds" message on the screen. That's when I learned that threats don't necessarily come in the form of an EXE file which I must run; an unprotected system with known vulnerabilities can easily become the target of an attack. Afterwards files can be run on the system without my permission, so I can get infected. The obvious conclusion is that there is another source of threats - network connections (this is what "Source-X" referred to). And the other obvious conclusion is that I needed a firewall. Nowadays Windows comes with a built-in firewall, so we've got this attack vector taken care of. Note that this firewall does not monitor outbound connections, and is not very flexible, but choosing a perfect firewall is beyond the scope of this story.

Finally, there is another layer of defense, the one which never fails, the one that gives me the greatest psychological comfort (i.e. if everything else lets me down, I can be 100% sure I am not totally lost). What I'm talking about is Disk Firewall. The defensive strategy is simple and very easy to implement:

  1. Separate system files from your personal files (see the 4th message in the forum thread);
  2. Store your personal data in a virtual encrypted disk, restricting access to the data using Disk Firewall and a list of trusted applications.

In this case, even if your system was compromised, you can be sure that your data are absolutely intact. Moreover, if you've implemented the 'separate system from personal data' approach - restoring your system to a stable state is "one-two-threasy" :-)

Conclusions

  • Life without an antivirus is possible;
  • Most of the security threats can be dealt with by simply being attentive to details;
  • If you insist on having an antivirus (which you will rarely use), why pay when there is a free alternative?
  • If your antivirus program comes with a built-in firewall, perhaps you can make your system faster by leaving only the firewall enabled, disabling the resident scanner and manually scanning files that you think are suspect.

Secondary conclusions

  • I save money because I don't pay for an antivirus, nor do I pay for updates;
  • I never complain about my system being painfully slow (unlike some of my colleagues, who are so well-protected that they can't even use their computers for any real-world tasks, other than watching progress bars ;-)

Password Carrier 2.04 release notes

On July 4th we released a new version of Password Carrier; 2.04 is now available. This story will review the list of changes and provide additional details about the most interesting entries in the changelog.

  • Multiple identities - a very cool feature that helps you deal with cases in which you have more than one account on a web-site. Normally, Password Carrier will memorize only one account for a site; if you use another one, the previously collected data will be overwritten with the new details. However, now you can create multiple identities, each of them having a custom user profile assigned to it, and having its own PIN.

    • You can switch between identities with just a couple of clicks in the context menu - fast and easy;
    • Identities can be deleted, or a copy can be made from an existing one. From that point, the new identity will evolve separately;
    • Next time you start the program, the last used identity will be used;
    • Identities were previously discussed, see Intelligent form filling for more details.


    [Image: Password Carrier identity manager]
  • Adobe PDF form filling - Password Carrier is now able to fill forms in PDF documents
  • Automatic lockdown - If you leave the computer for a while, your identity might be at risk if you forgot to quit Password Carrier. The program will now prevent that from happening, by locking your data when there is no keyboard or mouse activity for 5 minutes. You can see when that happens, because the program's icon changes:

    [Image: Password Carrier - key locked]
  • Additional safety measures were implemented to make sure that any unfortunate events are prevented. Password Carrier will remind you from time to time that:
    • It is time to backup the data;
    • There is no PIN assigned to the key;
  • Local installation makes possible the use of Password Carrier without a removable drive. You can use it on your home or office computer without the need to have a USB key.
  • Smart data loss prevention scheme - this one was designed to avoid problems caused by the incorrect removal of the external drive (force remove vs "safe hardware removal"). In certain circumstances, such a removal can corrupt data on the USB drive, so there is a chance that you will lose some information. Now Password Carrier makes an encrypted snapshot of your personal information, which you can use as a restore point.
  • Fill only mode was implemented after being requested on our forum. The idea is as follows - once you've collected all your passwords, and you know they will not be modified, you can use the 'fill only' mode - which only fills forms with the data you have, but will not attempt to capture new passwords, or update old ones. (Note: in the previous version, disabling capturing passwords also disabled form filling, which was quite inconvenient)

    [Image: Fill-only mode]
  • Organized collected favorites - most popular entries are listed, while the less popular ones are hidden, to keep the menu of bookmarks clean; you can see the entire list by pressing show all collected favorites.
  • Edit passwords and names using the fine tuning dialog (another feature request on our forum). This means that you can actually see the name and the password memorized by Password Carrier.

    [Image: Edit passwords and names]
  • Exit and eject can help you not to forget about the safe hardware removal procedure. Even though we've implemented plenty of features that will prevent you from losing data, we still strongly advise you to use the safe hardware removal procedure (because other programs' data on the USB disk are not backed up by Password Carrier).
  • Smart cards and tokens can be used to store the collected credentials; note that the storage capacity of a smart card is not very large, therefore the total number of accounts that can be collected by Password Carrier will be limited by the storage capacity of the smart card or token. This limitation can be pretty tight if the card/token is used with other programs as well.

ACS ACOS5 cards compatibility

Last week we released an update of the SmartKey library; one of the additions is compatibility with ACOS5 cards provided by ACS. Now these cards can be used with any of our data encryption or user authentication software, provided the cards were formatted with this version of the Key Formatting Tool. The tool is not yet officially released, because other features are being added; however, ACOS5 support is now thoroughly tested.

  • The capacity of the card after formatting is about 30 K;
  • Dekart formatting can be done before and after formatting with another vendor's tool, therefore the card can be used for other, non-Dekart programs too;
  • No transport key is required when the card is formatted.

To find out what SmartKey is, take a look at the timeline of Dekart software; you might also be interested in checking out the list of other supported hardware.


Why smart-card/token and biometric logon is better than password logon

Here is a set of points that emphasize the benefits of a smart-card or token-based authentication solution, coupled with biometric authentication; the example is focused on Dekart Logon for Citrix, but it also applies to other user authentication software by Dekart.

Q: What are the benefits of using your product? Am I simply substituting a PIN for a user/password combination? And can an external user without a flash drive or smart card still access the server?
A: Dekart Logon for Citrix is not a server-side application, it should be used on the clients.

The benefits can be summarized as:

  • users don't have to enter passwords manually
  • therefore you can use extremely complex passwords (they won't have to memorize them anyway)
  • since they don't have to memorize them, you can be sure your passwords won't show up in clear-text on sticky notes, or written somewhere under the keyboard, etc
  • the fact that the credentials are stored on a smart card means that brute-force attacks are out of the question
  • optional biometric authentication takes that one step further
  • the software can also be used with flash disks, being entirely self-contained:

    • the Citrix client itself can be migrated to the USB disk
    • and the same applies to our program
    • as a result, an end-user can plug the USB drive into any computer (even where the Citrix ICA Client is absent), and log on to the Citrix server. (Of course, this is also possible if you use a web-based client, but in that case you have to beware of keyloggers [note: we have a solution for that too])

In this case the user is immune to keyloggers. Even if the keylogger manages to capture the PIN:

  • they won't obtain the connection credentials themselves, therefore they won't be able to connect to the server without actually having the smart card (token, or USB drive)
  • and even if they do - you can use biometry as an added layer of security
  • further, the program can be installed in 'simple' and 'advanced' modes. In the first case, end-users can only connect to predefined servers, they cannot change the credentials, nor see the connection details - this makes the system fool-proof.

And as a side effect, this also means that disloyal end-users won't be able to disclose confidential data even if they want to. In other words, you can implement the "need to know" approach, by not giving users more information than they actually need to get their work done.

The data stored on USB drives are encrypted with 256-bit AES; our implementation of the algorithm is certified by NIST. This is much stronger encryption than the one used by the Citrix client itself.

Q: And can an external user without a flash drive or smart card still access the server?
A: Technically, this is possible, but you can counter that by:

  • using extremely complex passwords, or randomly generated ones
  • not disclosing them (just write the credentials to a key and issue it to an end-user)

You will probably want to take a look at Key Manager; this is the tool that allows you to write credentials to keys, make copies, edit contents of a key, etc.

Note - you can do these with Dekart Logon for Citrix itself, but if you're planning to operate with many keys (in a corporate environment), you'll find Key Manager very useful. A license for the tool is given for free if a certain number of licenses for Logon for Citrix is purchased.


Q: Couldn't someone with a Citrix client installed on their machine get to my server logon screen on the remote machine and execute a brute force attack there?
A: Although that is technically possible, it is not an optimal scenario for the attacker to use:

  • most network admins configure the servers in a way that prevents any host from connecting again if they've connected N times during the last M minutes (to prevent brute force attacks, conserve CPU cycles and network bandwidth, thus avoid denial-of-service attacks)
  • from the attacker's point of view, the bottleneck of the procedure is the network bandwidth. When brute forcing a local resource, it goes much quicker because reading/writing RAM is much faster than crafting a packet, sending it over the network, then waiting for a response from the server, etc.


In other words, a local brute-force attack can take thousands or millions of years, while doing it over the network is totally insane. It may only work for trivial passwords such as '11111' or ones that can be found in any dictionary. But even in that case, a dictionary attack won't be feasible if the network admin has taken the right measures and prevents one from physically connecting to the server if they've had too many unsuccessful attempts.

Finally, the last detail is that you can use randomly generated passwords, which are extremely long - brute forcing THAT is impractical.

If I were an attacker, I'd try to find alternative ways, such as social engineering applied against a naive employee.
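The "N connections during the last M minutes" rule from the answer above, written out as a sliding-window check and replayed over a short connection log; this is an added example, not code from the original post or from Dekart or Citrix. The class and function names, the limits (3 connections per 300 seconds) and the log entries are assumptions constructed for the illustration.

```python
from collections import defaultdict, deque


class ConnectionThrottle:
    """Refuse a host that already made max_attempts connections in the last window_seconds."""

    def __init__(self, max_attempts, window_seconds):
        self.max_attempts = max_attempts      # "N" in the text
        self.window_seconds = window_seconds  # "M minutes" in the text, in seconds
        self._recent = defaultdict(deque)     # host -> timestamps of accepted connections

    def allow(self, host, now):
        recent = self._recent[host]
        # Forget connections that have slid out of the window.
        while recent and now - recent[0] >= self.window_seconds:
            recent.popleft()
        if len(recent) >= self.max_attempts:
            return False
        recent.append(now)
        return True


def replay(events, max_attempts, window_seconds):
    """Run (timestamp, host) events through the throttle; return (timestamp, host, allowed)."""
    throttle = ConnectionThrottle(max_attempts, window_seconds)
    return [(ts, host, throttle.allow(host, ts)) for ts, host in events]


def years_to_exhaust(charset_size, length, max_attempts, window_seconds):
    """Years needed to try every password of one length at the throttled rate."""
    guesses_per_day = max_attempts * 86400 / window_seconds
    return charset_size ** length / guesses_per_day / 365


# Constructed sample log: (seconds since start, client address from a documentation range).
EVENTS = [
    (0, "192.0.2.10"), (10, "192.0.2.10"), (15, "198.51.100.7"), (20, "192.0.2.10"),
    (30, "192.0.2.10"), (299, "192.0.2.10"), (300, "192.0.2.10"), (305, "192.0.2.10"),
]

if __name__ == "__main__":
    for ts, host, allowed in replay(EVENTS, max_attempts=3, window_seconds=300):
        print("%4d  %-13s %s" % (ts, host, "accepted" if allowed else "refused"))
    # Eight lowercase letters at 3 guesses per 5 minutes.
    print("years to exhaust: %.0f" % years_to_exhaust(26, 8, 3, 300))
```

With these limits a single host gets at most 864 attempts per day, which is why the network path is so much slower than a local attack on the same password.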
