Categories
Uncategorized

Memo from 2008: Chrome stores passwords in plain text (*gasp*)

Just when I thought shoddy tech "journalism" couldn't stoop any lower, there is now a supposedly "new" report out that Chrome stores its passwords in plain text.

From Google Chrome security flaw offers unrestricted password access at The Guardian:

A serious flaw in the security of Google's Chrome browser lets anyone with access to a user's computer see all the passwords stored for email, social media and other sites, directly from the settings panel. No password is needed to view them.

Absolutely no mention that this has been known for years. Why this is being reported now, I have no idea.

From Google Chrome flaw exposes user passwords at The Telegraph:

Software developer Elliott Kember stumbled across the vulnerability when importing his bookmarks from Apple's Safari browser to Google Chrome. He discovered that it was mandatory to import saved passwords from one browser to the other – something he described as 'odd'.

After doing a bit more digging, he found that Google does not protect passwords from being viewed when a user is logged in and running Chrome. Anyone with access to the computer can view stored passwords by going to the advanced settings page and clicking on the “Passwords and forms” option, followed by “Manage saved passwords”.

Here the reporter goes a step further to make it sound as if this is some new discovery.

This is not a new discovery. Many people, including the developers at Google, know about this, and have known about this for years. It's a deliberate (albeit bad) design choice. I knew about it in 2009, and I've known about it ever since.

Someone back in December 2008 already reported it to Google:

Google, Why does your browser Chrome not have a master password for saved passwords? This is ridiculous

and Google's response:

Hi everybody,

We understand that many of you want a master password for your saved passwords in Google Chrome. You’ve laid out many scenarios in which this might be useful, but the most common is that if your computer were to fall into the wrong hands, that person would then have access to your saved passwords.

While we agree that this situation would be terrible, we believe that a master password would not sufficiently protect you from danger. Someone with physical access to your computer could install a keylogger to steal your passwords or go to the sites where your passwords are stored and get them from the automatically filled-in password fields. A master password required to show saved passwords would not prevent these outcomes.

Currently, the best method for protecting your saved passwords is to lock your computer whenever you step away from it, even for a short period of time. We encrypt your saved passwords on your hard disk. To access these passwords, someone would either need to log in as you or circumvent the encryption.

We know this is a long-standing issue, and we see where you're coming from. Please know that your security is our highest priority, and our decision not to implement the master password feature is base

Okay. It took Google almost a year to make that official response, but that's still almost three years ago!

I thought the "There are millions of Android malware apps (which no one is actually installing)" scare headlines were bad enough. Now known bugs that are deliberate design choices are suddenly newly-discovered security flaws. I can't palm forehead this enough...

If you want to store passwords with a master password, use Firefox. The master password encrypts your saved passwords. It's not a perfect solution, but it's better than what Chrome's doing... and has been doing for years.

Categories
Uncategorized

Do non-Nexus, non-rooted Android users really have no choice?

I get where the ACLU is coming from, but I don't know if I agree that the customers didn't know what they were getting into and now have no recourse: ACLU Seeks Carrier Smackdown Over Android Updates

Maybe back in 2009 or 2010, they could have made a good case. Back then, consumers didn't know that most Android devices wouldn't get timely updates. By now (it's 2013), it's well established that your Android phone will probably not get a timely update unless it is either a Nexus phone or rooted.

Consumers, who now know that non-Nexus, non-rooted Android phones will either A) never get updated or B) get updates extremely late (months or years later) really have no excuse. If they want security updates, they should get a Nexus phone, learn how to root their Android phones, or buy another non-Android phone (e.g., iPhone or Windows phone).

The good news is the now-Google-owned Motorola will soon begin releases vanilla Android devices. Once HTC, Samsung, and LG see Motorola and Nexus phones flying off the shelves, they'll have to either start releasing updates in a more timely fashion... or just install vanilla Android with a different default theme. Vanilla Android is the way to go, people. Vote with your wallets!

Categories
Uncategorized

Cloud computing isn’t all bad

A lot of reactions to this story seem to be along the lines of “See? Cloud computing is bad!” which is kind of a simplistic conclusion to draw from this unfortunate incident.

I would suggest these as better takeaways than “Cloud computing bad!”:

  1. Your data can live in the cloud but doesn’t have to live only in the cloud. I back up to an external hard drive and to “the cloud” (multiple clouds, actually). Also, some cloud services are built that way anyway. For example, Dropbox doesn’t store your stuff only on their servers. It takes an existing folder that lives on your hard drive and then makes copies of it on their servers.
  2. Social engineering is the least talked-about but most often exploited security vulnerability. People make too much of “strong passwords” and so-called “antivirus” software. I definitely recommend people use strong passwords, and antivirus software can have its place (though its usefulness is often overstated). Just realize that it doesn’t matter how strong the gate is if the gatekeeper will open it to anyone. These aren’t the droids you’re looking for… oh, wait—they are!
  3. Mat Honan has some actually good points to make. Amazon should not allow people to randomly add credit cards to your account (apparently, Amazon’s fixed the problem in question). Apple should not allow the last four digits of your credit card to be used as verification. Having one place that remotely wipes all three of your computing devices makes no sense.
  4. If someone is determined to get you, she’ll go to great lengths to get you. You can improve security and make things better, but you cannot make yourself invincible. When you read Honan’s account of what the “hacker” did to get into his Twitter account, it’s quite involved… not just some one-minute exploit.

I use Google Music, Dropbox, Google Drive, SkyDrive, Amazon Cloud Player, Crashplan, and Firefox sync. I also keep local copies of everything and locally back them up to an external hard drive. Keep your bases covered and your fingers crossed. I’ve done everything sensible I can to protect myself. I don’t imagine, though, that a determined malicious party with some tech knowledge and social finesse couldn’t eventually compromise my security.

Categories
Apple and Mac OS X Computers

Tech “journalism” strikes again: of course Apple will recommend antivirus eventually

A self-proclaimed analyst at CNET has predicted that Apple will recommend antivirus.

Apart from the fact that Apple already did recommend antivirus a few months ago (but has since removed that page), isn’t that quite obvious? Some prediction. Unfortunately, the reasoning for that recommendation makes me wonder what Jon Oltsik is analyzing. Here are the reasons he gives for Apple recommending antivirus, and they’re all pretty much baseless:

Macs users are a lucrative target. Mac owners tend to affluent and Net savvy [sic]. To the bad guys, this means identities to steal and broadband connections to exploit.

If Mac users tend to be net-savvy, then why are their machines being compromised? Why don’t they have mechanisms in place to protect themselves from identity theft? If Macs are currently such a great target for malware, why is there so little malware out there for Macs now?

Organized cybercrime is diversifying. Cybercriminals tend to work as a loose confederation with each group specializing in a certain task. There are malware writers, botnet owners, mules, etc. Some entrepreneurial bad guy is bound to see a green field market in Mac cybercrime, recruit Mac hackers, develop expertise, and market these capabilities. If there is an equivalent of a cybercrime venture capital firm, they are probably looking at business plans like this already.

Diversifying ways to compromise machines doesn’t mean you attack multiple platforms. That’s just more work for very little return.

Macs are growing in the enterprise. In many large firms, Macs make up about 5 percent of endpoints. If the bad guys infect these systems, they can troll the network looking for other vulnerabilities and juicy data at will.

How about if the bad guys infected the machines that make up 95% of endpoints? Wouldn’t that give them more “juicy data”?

Macs are fairly easy to hack. In March as part of a contest, security expert Charlie Miller won $5,000 for exploiting a hole in Safari in about 10 seconds. If he can do this in 10 seconds, how many techies can do it in an hour? This is a frightening thought to me.

Okay, now this is totally ridiculous. Charlie Miller didn’t just walk into that competition and find a hole in 10 seconds. He knew about that hole for over a year and then exploited it in 10 seconds (in his own words: “It was an exploit against Safari 4 and it also works on Safari 3. I actually found this bug before last year’s Pwn2Own but, at the time, it was harder to exploit”). There’s a big difference there.

And all operating systems have security holes. That’s why Microsoft, Apple, and even Linux distribution maintainers all issue regular updates and patches.

I don’t understand why people imagine that you either have an unprotected computer or you have antivirus. (Or they think that an operating system that ever has a security hole is necessarily as insecure as another operating system with security holes.) Antivirus and protection are not the same thing. They’re not even similar. Antivirus does not offer you any real security at all. Don’t believe me? Go ask all the Windows users infected with malware what antivirus they’re running. Odds are that almost all of them will have some kind of fancy schmancy “security” software installed… software that did nothing to protect them.

Mac OS X isn’t a model in the best security, but its defaults are certainly better than Windows’ defaults. No operating system is invincible, and that includes Mac OS X. But Mac users will be no more protected with antivirus software than they will be without it. Know what the latest security breaches were for Macs? Trojans. Do you know how useful antivirus is against gullible users installing pirated software? Not at all.

Trojans rely on social engineering, and no operating system “security” can stop that, because the security hole is the user, not the computer. If the user can be tricked into giving away her password or giving a bad program access to system files, then you can have all the proper permission level separation or “security” suites in the world, and they will all be for naught. Have NoScript installed? She’ll whitelist every site. Have an algorithm for guessing malware? It’ll give so many false positives that she’ll learn to ignore its warnings.

Why will Apple eventually recommend antivirus? Plain and simple—because antivirus software is the most successful placebo ever introduced to the mass populace. As Mac marketshare continues to grow, more and more trojans will pop up, and more and more gullible users will keep installing them, and Apple will finally have to admit that Macs are just computers and not magic. But instead of saying “Users are stupid and need education,” they’ll toe the party line and recommend people install useless antivirus software, just as Microsoft does now. At least then they can enter into lucrative business partnerships with antivirus software companies.

Break out the sheepskin condoms, people.

Categories
Computers Windows

Conficker worm – silent is still deadly

I find the “news” coverage of Conficker to be absolutely disgraceful. Is this what passes for journalism?

I want you to imagine that there is a parasite that can invade your body and reside in there indefinitely. Once in your body, it could give you a heart attack, it could poison your blood stream, or it could make your liver fail. Once the parasite was discovered to be in the wild, doctors discovered that you could avoid getting the parasite by simply washing your hands before you ate. They also figured out that the parasite was going to change shape on a certain day. As that day approaches, people who haven’t been washing their hands go into a panic. They don’t know if they have the parasite or not. They start running to quack doctors who say they’ll make sure to protect these people against the worm if the potentially infected individuals just buy a prescription subscription for a special drug. After the parasite changes shape, though, no one’s had a heart attack or failed liver yet. So all the parasite-infected people celebrate that the parasite hasn’t done anything.

What?! Did I miss something?

Yes, the scenario I’ve just described in biological terms is exactly what just happened with the Conficker worm that’s infected an estimated 10 million Windows computers.

Microsoft discovered a flaw in its operating system and patched the flaw back in October 2008. The latest iteration of the Conficker worm, which takes advantage of this flaw, began surfacing around November 2008 and kept infecting Windows computers for months. The experts all knew that on April 1, 2009 the infected computers would have the worm checking for updated instructions from its creators.

Then the panic came in. Oh, no! It’s coming! It’ll be the end of the internet as we know it. I’m turning off my computer that day. If I buy this antivirus software will it protect me? Hide the children! Oh. Nothing happened? It has the power to attack and bring down major websites and government systems or steal personal information but nothing appeared to happen today? Oh. Okay. It was a big joke then. Ha ha. Who cares if I’m infected? I’m just going to go on my merry way.

Uh, no. First of all, Windows users should regularly install Windows updates. This was patched even before it was a real threat. And it doesn’t matter if the world didn’t seem to end today. The Conficker worm has the power to do serious damage, and no one knows when it’ll decide to do that damage or what kind of damage it will decide to do. It doesn’t mean you fly into a panic as if it were Orson Welles’ reading of War of the Worlds. But it doesn’t mean you go on your merry, care-free way either.

Educate yourself. Protect yourself. Be sensible. Conficker is dangerous but instead of flying into blind paranoia, just take practical and level-headed steps to protect your computer and your personal information. Silent can still be deadly, and I’m not just talking about flatulence.

Categories
Life

Disneyland “Security”?

I have to say that Disneyland and California Adventure have a pretty smooth operation. Yes, they charge you an arm and a leg and a kidney for the two theme parks (especially if you want to go to both and not just one), but they know how to manage large crowds of people.

The people leaving rides exit one direction. The people getting on the rides enter from the other side, and only after the people leaving have left. The staff rope off sidewalks for parades so that there’s a clear division between those who want to sit and watch the parade and those who want to pass through the area. The “fast pass” system makes it easy to get into semi-popular (not the absolute newest, though) rides without waiting in line for hours.

But what is up with the “security” check when you first arrive at the park? It’s not like airport security (which has its own problems and holes)… it doesn’t even resemble security. If you have a bag, they have you open the bag, and they take a cursory glance inside the bag. I had a backpack and unzipped the large pocket and that’s all they saw. I don’t know if they were checking for guns, drugs, or bombs, but I could have had any or all of the above in the small pocket of my backpack, the large pocket (but buried underneath the top layer of stuff), or my jacket pockets.

The second time I went through the check, they picked up my little insulated lunch bag and asked “What’s in this?” I said it was some snacks. They believed me and put it down. How is that security? I can say it’s full of snacks. Of course I can say that. It could really be full of fireworks or spray paint or box cutters. They’re going to take my word for it?

Generally Disney has a smooth operation going in its theme parks. If they could just get the “security” check out of there—or actually checking people’s bags thoroughly—it’d be even smoother.

Categories
Apple and Mac OS X Computers Linux Ubuntu Windows

The effectiveness of “security through obscurity”

I don’t believe that security through obscurity is ideal or ultimately effective. I don’t believe it’s a generally good security approach. Nevertheless, it is not often the same as no security at all. Security through obscurity can have its place.

A few years ago, when it was brought to light that the newest (at the time) Ubuntu version stored the administrative password in plain text, that incident was a huge embarrassment to Ubuntu developers, and they fixed the security hole within hours of it having been brought to their attention. Nevertheless, it had been in place for months prior to being brought to the developers’ attention. Were any Ubuntu installations compromised because of this bug? Probably not.

Likewise, most people don’t know that physical access to a computer means (except in rare cases) total administrative access. If you encrypt your drive, you can prevent unauthorized access to your files. If you put a password on the BIOS and disable booting from CD, you can slow down or make more inconvenient the unauthorized access. Maybe that’ll stop people from compromising your computer if you’re away from it for only a few minutes.

Many users are naive to just what prolonged physical access means, though, in terms of security, and that’s dangerous, because then security through obscurity works against you. I used to believe (before I started using Linux) that having my laptop prompt me for a password upon waking the computer would mean that if my laptop were ever stolen, no one could get my files. Before I booted a Knoppix CD on his laptop, my dad used to think a fingerprint scanner would prevent people from seeing his files. In these cases, the “security” is obscured for the user and not the thief.

If a thief makes her living by taking the data off your computer (probably for the purposes of identity theft) and not solely by selling the hardware, she probably knows exactly how to access your data, whether it be resetting the BIOS password, booting from a live CD, or even moving the hard drive to another computer.

There have been quite a few debates about whether recovery mode in Ubuntu should exist or perhaps be hidden by default. In Windows, if you need emergency administrative access, you need to boot a CD. In Mac OS X, you have to know the relatively obscure hold-down-Cmd-S-while-booting procedue to get into recovery mode. In Ubuntu, though, it’s right there in the boot menu. Just press the down arrow once and you’re in recovery mode, which means you have root (or total administrative) access to the computer.

On the one hand, obscuring recovery mode might give people a false sense of security (thinking it’s difficult to gain root access). On the other hand, having it in the boot menu kind of advertises it, and you might have a curious sibling or roommate who selects it and starts getting playful on the command-line, and she might not have done so if it weren’t in her face the way it is.

Outside of the computer world, it’s a bit like keeping the key to your house underneath the welcome mat. Doing so is definitely bad security. On the other hand, most people won’t know exactly where you keep your key or if you keep it under the welcome mat at all. If you post up a big sign next to your door saying “Hey, the key is underneath this welcome mat!” you’ll be sure to have your home broken into.

When it comes to computer security, definitely encryption and restriction of physical access should be publicized more as real security options, but I do believe there are tradeoffs to embracing and eschewing security through obscurity. Just make sure you are obscuring access for others and not for yourself.

Categories
Apple and Mac OS X Computers Linux Ubuntu Windows

Without education, it doesn’t matter which OS is “more secure”

In Linux online communities, oftentimes there are debates about which operating is the most secure—Windows or a Linux-based distribution. The debates usually go something like this:
Do I have to worry about security in Linux the way I did in Windows? No, you don’t have to. Linux is much more secure. But isn’t that just because it’s less targeted? If it were as popular as Windows, it would have just as many security problems. No, it wouldn’t. Read this article about how Linux has better security, and don’t forget that Linux servers are huge targets and still more secure than Windows servers.

And it goes on and on. The details of a secure structure, sensible (from a security standpoint) defaults, and frequent patches for exploits are all important parts of security. Ultimately, though, security debates about the structures of the OS are moot when the user does not employ good security practices. It’s a bit like people debating whether kevlar is “more secure” than chainmail armor. Well, what if the attack is through biological warfare rather than a bullet or sword? What if the person you’re trying to secure can be tricked into taking off the kevlar/chainmail? Then it doesn’t really matter which covering is more difficult to penetrate, does it?

And this is also why bringing in servers into desktop security debates doesn’t shed light on whether an increase in user base will lead to more security compromises. Servers tend to be administered by server administrators—professionals whose job it is to constantly battle and prevent online security breaches. On the home desktop (and sometimes even the business workstation), users tend to be less savvy about what to click or not click, what to install or not to install, and when it’s a good idea to type one’s password.

Yes, developers should try to strengthen the security of the OS in terms of structure and defaults. Yes, developers should create patches for newly discovered exploits (buffer overflows, for example). Nevertheless, if the Linux user base does increase to the point where desktop Linux is a significant target for malicious users, and computer users in general remain as uneducated as they are now, then all those security patches will be for naught. Users who can’t discern the difference between a spoofed webpage and a real webpage are the security exploits that can be patched only through education. Users who will give their passwords away to untrustworthy sources are security exploits. Users who will install some “cool” program (yes, in Ubuntu it could be a .deb file you double-click or an added repository) that happens to contain spyware or a rootkit are security exploits.

A larger Linux user base with no better education than computer users as a whole have now is going to be subject to the same social engineering malware attacks that the current larger user base Windows has. No developer-created patch is going to fix that hole.