Schneier On Un-Authentication
Trailrunner7 writes "Bruce Schneier writes on Threatpost.com: 'In computer security, a lot of effort is spent on the authentication problem. Whether it is passwords, secure tokens, secret questions, image mnemonics, or something else, engineers are continually coming up with more complicated — and hopefully more secure — ways for you to prove you are who you say you are over the Internet. This is important stuff, as anyone with an online bank account or remote corporate network knows. But a lot less thought and work have gone into the other end of the problem: how do you tell the system on the other end of the line that you are no longer there? How do you un-authenticate yourself? My home computer requires me to log out or turn my computer off when I want to un-authenticate. This works for me because I know enough to do it, but lots of people just leave their computer on and running when they walk away. As a result, many office computers are left logged in when people go to lunch, or when they go home for the night. This, obviously, is a security vulnerability.'"
Re:Effective way to keep screens locked (Score:3, Interesting)
The bank in one of our local grocery stores has frighteningly lax security...
There's a computer running Windows XP there, against the back wall, with the screen in plain view of anyone walking by. It is pretty much always on and always logged in, sitting at the Windows XP desktop, usually with a couple of programs minimized in the taskbar. It's also got a desktop wallpaper set with BGINFO, so it's displaying the computer name and IP address and whatever else.
The grocery store itself stays open long after the bank closes, and that computer is sitting there logged in and vulnerable. I don't know how many people (dozens? a hundred?) walk past it in a night. There's no security gate or anything, so somebody could probably just vault over the countertop and do something malicious if they wanted to... The security cameras would probably pick that up, but it might be too late. Of course there's a distinct possibility you wouldn't even need to do that... You might be able to get something useful just by standing at one of the checkout lines and snapping pictures with a decent digital camera.
And there are a couple more computers set up with their backs towards the customer... I assume these are for tellers to sit down and consult with people. They're set up kind of like a private consultation booth or something - maybe for folks looking to discuss a loan or whatever.
These two computers are literally sitting on the counter top with their backs towards the customer. Sure, you can't see the screen, which is an improvement... But I bet you could slip on a hardware keylogger without looking too suspicious. People are constantly walking through or idling there, waiting for someone to finish up in the store.
Reauthenticate when suspicious (Score:4, Interesting)
If you really do need to do this kind of thing (I suppose people sometimes do have legitimate requirements to wire large amounts of money to offshore accounts), it's not a big hassle to log in again.
Pwning (Score:2, Interesting)
In my office an unlocked computer is fair game for harmless pranks that have become known simply as pwning.
Nothing too nasty happens as the shame is in having been pwnd, not in the severity of damage inflicted.
There, my computer just announced "it's one thirty" in a robot voice. Nice. Thanks a lot, guys.
Re:Electronic Noses ... (Score:3, Interesting)
Kbluelock.
This is De-Authorizing, not De-Authenticating (Score:4, Interesting)
I worked at an office where we used Baggy pantsing [jargondb.org] to achieve this same effect. It worked brilliantly until one particular manager tried to make it seem like we were causing the problem, not pointing it out. I don't think that person lasted too long though.
Re:Effective way to keep screens locked (Score:5, Interesting)
You can get little RFID tokens that you keep in your pocket. When you move out of range of the RFID reader on the PC (about 3m away) it automatically locks the workstation and can either require a password to unlock or simply having the token back in range.
This is quite the problem! (Score:2, Interesting)
I didn't think much of it before; use a timeout, and there you have it. However, I can see the challenge being posed here: the only immediately obvious solution to determining whether a person's there or not is by timing inactivity. As mentioned in the article, determining an "inactive threshold" requires quite a bit of fine tuning and knowledge of usability with the obvious risk of malicious adversaries having access to that open channel for the amount of time the channel is open.
First thing I could think of, at least for laptop users with integrated cameras, is using light mapping to determine whether the computer user is physically there or not. Facial biometrics could be applied, but I think that would be way too computationally intensive (because if the face moves even a slight bit, the hash would need to be completely recalculated. Wouldn't it be harsh if we had to check our account balances completely frozen!). However, I'm sure there is some research out there that shows what an average light (luminance) distribution should look like without the person actually being there. Of course, this is flawed, since it only works with laptops that have integrated cameras and cannot distinguish one person from another.
Then, I thought a few other things, and realized that any other somewhat obvious solution probably involves gathering the user's current location and measuring displacement between the user and computer somehow. These would raise great challenges regarding user privacy, though I think that people are becoming much more complacent with privacy violations for security enhancements and/or personal leisure a la Google and Facebook (myself included).
Re:Effective way to keep screens locked (Score:3, Interesting)
I just hit Windows-L on the keyboard as I'm getting up.
In fact, if I'm not using the computer, it's usually locked – even if I'm at my desk doing paperwork.
Re:I lock my computer when I walk away (Score:3, Interesting)
Unless your password is in the hundreds of thousands of characters, I highly doubt that it is 'un-rememberable'. Just take your normal password, make the p455w0rd 1337, then make one of the letters in the p455W0rd capitalized. There, you have a secure password that only requires that you remember which letter you capitalized.
A secure password?? That would be easy enough if I only needed "a" password, not fifty. (and one of the rules I do follow-- apparently the only person in the universe who does-- is to never use the same password on two different systems). And if I didn't have to change it every month.
Except that even then your system fails, since it has to have upper and lower case and numbers and symbols, and has to start and end with a letter, and one of the first eight characters has to be a number, and a couple of other constraints that I won't mention.
Re:Locking a CLI? (Score:3, Interesting)
I have no idea how to do it in bash, but you can easily lock a computer from the command line in Windows.
rundll32.exe user32.dll,LockWorkStation
Another one:
rundll32.exe shell32.dll,SHExitWindowsEx [0|1|2|4|8]
0: logoff, 1: shut down, 2: reboot, 4: forced shutdown, 8: powers down the machine
This would be a fun one to put in the Startup menu of someone who left their PC unlocked, actually... :D
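The Linux counterpart the comment above says it doesn't know, as an added example that is not code from the thread: a small POSIX sh script that finds whichever screen locker is installed and invokes it, so "lock from the command line" works the same way `rundll32.exe user32.dll,LockWorkStation` does on Windows. It assumes a Linux desktop or console with at least one of the listed lockers on PATH; which one is present depends on the distribution.

```shell
#!/bin/sh
# Added example (not from the original thread): lock the current session from
# a shell prompt on Linux. Assumes at least one of the lockers listed below is
# installed; which one you have depends on the distribution and desktop.

# Candidate lock commands, one per line, most portable first:
#   loginctl lock-session             -> asks systemd-logind to lock the caller's session
#   xdg-screensaver lock              -> freedesktop wrapper around the running screensaver
#   xscreensaver-command -lock        -> xscreensaver
#   gnome-screensaver-command --lock  -> older GNOME
#   i3lock                            -> minimal X locker
#   vlock                             -> locks a virtual console (text-only logins)
LOCKERS='loginctl lock-session
xdg-screensaver lock
xscreensaver-command -lock
gnome-screensaver-command --lock
i3lock
vlock'

# find_locker: print the first candidate whose executable is on PATH.
# Returns 0 on success, 1 if nothing usable is installed.
find_locker() {
    _saved_ifs=$IFS
    IFS='
'
    for _cmd in $LOCKERS; do
        IFS=$_saved_ifs
        _exe=${_cmd%% *}              # the executable is the first word
        if command -v "$_exe" >/dev/null 2>&1; then
            printf '%s\n' "$_cmd"
            return 0
        fi
    done
    IFS=$_saved_ifs
    return 1
}

# lock_session: run the locker found by find_locker.
# Returns the locker's exit status, or 1 with a message if none was found.
lock_session() {
    _locker=$(find_locker) || {
        echo "lock_session: no screen locker found on PATH" >&2
        return 1
    }
    # Intentionally unquoted: split "exe args" back into separate words.
    $_locker
}

# Usage: save as lock.sh, then `. ./lock.sh && lock_session` (sourcing keeps
# find_locker available for scripts that want to know which locker is in use).
```

`loginctl lock-session` is the most portable choice on systemd machines because it goes through logind, which the desktop's own screensaver listens to; the others are fallbacks for sessions without logind. On a bare virtual console `vlock` is the only entry that applies, which is why it comes last rather than first.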
Re:Effective way to keep screens locked (Score:3, Interesting)
Another idea - bluetooth. Virtually all cell phones and a lot of laptops have it. A small BT adapter should cost a few bucks. libpam-blue is already there.
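The proximity-lock idea from this comment and the RFID-token comment above, as an added example (my own script, not code from the thread or from libpam-blue): poll the phone over Bluetooth and lock the session once it has been out of range for several consecutive probes. It assumes BlueZ's `l2ping` is installed, that the phone's address is known (the `DEVICE` value is a placeholder), and that the phone answers L2CAP echo requests; swapping in an RFID reader only changes the probe command.

```shell
#!/bin/sh
# Added example, not code from the thread or from libpam-blue: a proximity
# lock that polls a Bluetooth device and locks the session once the device has
# been out of range for THRESHOLD consecutive probes. Assumes BlueZ l2ping is
# installed and the address below is replaced with the real phone (placeholder).

DEVICE='AA:BB:CC:DD:EE:FF'   # placeholder address of the user's phone

# bt_present ADDR: 0 if the device answers one L2CAP echo within 2 seconds.
bt_present() {
    l2ping -c 1 -t 2 "$1" >/dev/null 2>&1
}

# lock_now: lock the session via systemd-logind (swap in your locker of choice).
lock_now() {
    loginctl lock-session
}

# watch_token PROBE LOCK THRESHOLD INTERVAL [MAX_ROUNDS]
#   PROBE      command returning 0 while the token is in range
#   LOCK       command run once THRESHOLD consecutive probes have failed
#   THRESHOLD  consecutive misses before locking (debounces radio glitches)
#   INTERVAL   seconds between probes
#   MAX_ROUNDS stop after this many probes (0 = run forever)
# Prints the number of times LOCK was fired when it stops.
watch_token() {
    _probe=$1; _lock=$2; _threshold=$3; _interval=$4; _max=${5:-0}
    _misses=0; _rounds=0; _locks=0
    while [ "$_max" -eq 0 ] || [ "$_rounds" -lt "$_max" ]; do
        if $_probe; then
            _misses=0
        else
            _misses=$((_misses + 1))
        fi
        if [ "$_misses" -ge "$_threshold" ]; then
            $_lock
            _locks=$((_locks + 1))
            _misses=0    # re-arm; the user still types a password to unlock
        fi
        _rounds=$((_rounds + 1))
        sleep "$_interval"
    done
    printf '%s\n' "$_locks"
}

# Real invocation (runs until killed): probe every 5 s, lock after 3 misses.
# watch_token "bt_present $DEVICE" lock_now 3 5
```

The threshold matters more than the interval: a single missed ping happens whenever the phone's radio sleeps or someone walks between you and the adapter, so locking on the first miss makes people disable the whole thing. Note that the script only locks; it deliberately never unlocks on the token's return, because a phone on the desk says nothing about who is sitting at the keyboard.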
Re:I lock my computer when I walk away (Score:3, Interesting)
A secure password?? That would be easy enough if I only needed "a" password, not fifty. (and one of the rules I do follow-- apparently the only person in the universe who does-- is to never use the same password on two different systems). And if I didn't have to change it every month.
Well, if you are able to set your own passwords you can still use a similar setup to what pwffff was suggesting.
Say you have 50 passwords, each needs to be different, and they change every so often. Make all your passwords start with p455W0rd, then the next 2 (or more if you are so inclined) characters you could use to signify which server / app / product it is to be used with, and then have the next 2 characters increment for each time you are mandated to change your password.
i.e. [base password][a few characters to identify the system you are logging into][a few characters to increment your password for recurring password changes]
and really it can be in any order you are comfortable with and can be massaged into working with some crazy password requirements.
Password 1 = p455W0rd0101
In 3 months, or whatever the policy is, you'd change it to Password 1 = p455W0rd0102
And for your next password, you'd have it start as Password 2 = p455W0rd0201
and next time you change it, increment the last 2 digits. p455W0rd0202
Bottom line is if you never tell anyone that your base password starts with p455W0rd, then I don't think having a personalized system of 2+ characters to distinguish which system the password is for, and another 2+ characters to allow for recurring password changes, would make your password any less secure, with the benefit of making them easier to remember. For extra security, add some ! _ - @ % etc. characters to break up the 3 parts of your password, i.e. p455W0rd#02!01
I have an ungodly number of passwords to remember, and I used to feel your pain until I started doing this. Good luck!