
Schneier On Un-Authentication 336

Posted by CmdrTaco
from the gimme-back-my-keys dept.
Trailrunner7 writes "Bruce Schneier writes on Threatpost.com: 'In computer security, a lot of effort is spent on the authentication problem. Whether it is passwords, secure tokens, secret questions, image mnemonics, or something else, engineers are continually coming up with more complicated — and hopefully more secure — ways for you to prove you are who you say you are over the Internet. This is important stuff, as anyone with an online bank account or remote corporate network knows. But a lot less thought and work have gone into the other end of the problem: how do you tell the system on the other end of the line that you are no longer there? How do you un-authenticate yourself? My home computer requires me to log out or turn my computer off when I want to un-authenticate. This works for me because I know enough to do it, but lots of people just leave their computer on and running when they walk away. As a result, many office computers are left logged in when people go to lunch, or when they go home for the night. This, obviously, is a security vulnerability.'"
  • by stefanb (21140) * on Monday September 28, 2009 @10:52AM (#29566669)

    A bank I did some consulting work for had a very effective cultural rule to force people to lock their machines when they left their desks: if you find an unlocked machine, pull up the email client and send a message to everyone: "today's my birthday, drinks on me after work!" (other NSFW messages left to the reader's imagination.)

    Apparently, very few people left their machines unlocked more than once...

    • Re: (Score:2, Insightful)

      by Opportunist (166417)

      This is brilliant!

      Or it would be if I, as the sysadmin, couldn't easily send email in anyone's name...

      • by suso (153703) *

        Who says you need to be the sysadmin? Since email is insecure and most people can't read headers anyways, anyone could do that from their own system.

      • Re: (Score:3, Informative)

        by mcrbids (148650)

        This is brilliant!

        Or it would be if I, as the sysadmin, couldn't easily send email in anyone's name...

        Wow. Don't you feel important? Except that, really, ANYONE can send an email as ANYONE else, at ANY TIME. Here's a tip: type the following in a telnet prompt, where your ISP's mail server is called "smtp.myisp.com"

        # telnet smtp.myisp.com 25
        HELO foobar
        MAIL FROM: billgates@microsoft.com
        RCPT TO: samjones109@yahoo.com
        SUBJECT: Free drinks on the house!

        Hey! I gots my billions of dollars so come down to Joe's bar at 5:30 and drinks are on me!

        -Billie Richboy. .

        Congratulations! You've just faked being Bill Gates to Sam Jones! Wasn't that hard?

        A few times, I've gotten a cheap kick sending text messages via the SMS gateway to cell phone users from themselv

    • Re: (Score:2, Insightful)

      by DevStar (943486)
      We used to do the same thing at my job, until someone quoted the employee guide to point out that using someone else's computer without permission was against company policy and potentially a firing offense. That ended that.
    • Re: (Score:3, Interesting)

      by Ephemeriis (315124)

      The bank in one of our local grocery stores has frighteningly lax security...

      There's a computer running Windows XP there, against the back wall, with the screen in plain view of anyone walking by. It is pretty much always on and always logged in, sitting at the Windows XP desktop. Usually with a couple programs minimized in the taskbar. It's also got a desktop wallpaper set with BGINFO, so it's displaying the computer name and IP address and whatever else.

      The grocery store itself stays open long after th

    • I did that, but I usually IM'd the boss with something wacky... like "Man, I'm soooo drunk right now. :-)"

    • Re: (Score:3, Interesting)

      by ScrewMaster (602015) *
      At one point, I put together a low-powered 40 kHz IR transmitter and receiver that would detect when anyone was sitting in front of my computer. As soon as I got up and walked away, it would invoke the screen saver. As soon as anyone sat back in front of the machine, it would bring up the login prompt. Worked very well, actually. I'm sure some company somewhere marketed some similar security scheme, although I never bothered to look. Huh, now that you made me think of it I should go see if I can find the t
    • Re: (Score:3, Interesting)

      by MobyDisk (75490)

      I worked at an office where we used Baggy pantsing [jargondb.org] to achieve this same effect. It worked brilliantly until one particular manager tried to make it seem like we were causing the problem, not pointing it out. I don't think that person lasted too long though.

  • by yincrash (854885) on Monday September 28, 2009 @10:53AM (#29566685)
    ctl + alt + del -> k on windows, and ctrl + alt + l on ubuntu. that's all. a lot of offices also have windows security policies set to lock the screen after 5 minutes idle.
    • by Deag (250823) on Monday September 28, 2009 @10:55AM (#29566721)

      I'll save you a keystroke, windows-L works too.

      • by sam0737 (648914)

        or apparently Windows-P on my keyboard...oh I'm using Dvorak.

    • ctl + alt + del -> k on windows

      For XP and newer there's an even easier way...

      WinKey + L

      Instantly locks your computer.

    • by tlhIngan (30335)

      ctl + alt + del -> k on windows

      Other than Win-L, you can save yourself a hunt for the 'K' key and realize that "Lock Computer" is the first button in the "security dialog" that pops up. Ctrl-Alt-Del-Enter works far faster since Enter on the numpad works and is a convenient location to hit it whilst standing up.

      Doesn't work for everyone (especially those where group policy disables lock) - but hitting enter to "Log Off" doesn't do anything disastrous until you hit it again (it pops up a dialog asking for

      • by pla (258480)
        Doesn't work for everyone (especially those where group policy disables lock)

        Okay, I realize you can disable locking via GP, but why would you? Most IT staffs fight with their users to lock their machines, or try to negotiate a reasonable timeout (I keep my own workstation at a timeout of one minute, with a lock-grace period of 15 seconds, so if it accidentally comes on while reading something, I can just bump the mouse without needing to reenter my password).

        Not like the admins can't get into your ma
        • by xalorous (883991)

          The only reaction I can put into words is, "They're doing it wrong!"

          If you're on my network I can see your stuff and the only person who knows your password had better be you.

        • Disabling locking makes more sense in multi-user lab environments than in one user/one desk setups.

          Admins can always log users out; but having a few putzes lock their machines and wander away can substantially reduce the throughput of a public drop-in lab. For schools and the like, this is the primary motivation.

          Now, a better solution would be to allow any user to log out a locked user, or have locked accounts automatically become eligible for one-click logout after x minutes, or a combination of the
      • Other than Win-L, you can save yourself a hunt for the 'K' key and realize that "Lock Computer" is the first button in the "security dialog" that pops up.

        Errm....
        How crappy a typist do you have to be to have to "hunt" for the K key? It's not like it moves around on a frequent basis.....

    • by Patch86 (1465427)

      Indeed. And the company I work for has an effective way of ensuring employees complete the above steps, too: if you don't, you get fired. Or a formal disciplinary, at any rate.

      You'd be amazed how effective a method that is for ensuring "un-authentication". There's a 5 minute screensaver for good measure, and most network services on the intranet have a very short time-out.

      What more do you need?
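The idle-lock policy these comments describe (a short idle timeout, a grace period in which bumping the mouse dismisses the screensaver without a password, and a forced logoff at a fixed time) can be stated precisely as a small state machine. The following is an added illustration, not code from any real screensaver or Group Policy setting; the clock is injected as seconds, and the `verify` callback, the `hunter2` password and the timeline in `demo()` are constructed for the example.

```python
"""Idle-lock state machine with a grace period and an optional forced logoff.
Added illustration with an injected clock (seconds as floats); not code from
any real lock screen."""


class IdleLock:
    ACTIVE, SCREENSAVER, LOCKED, LOGGED_OUT = "active", "screensaver", "locked", "logged_out"

    def __init__(self, now, idle_timeout=60.0, grace=15.0, logoff_at=None):
        self.idle_timeout = idle_timeout  # seconds of no input before the saver starts
        self.grace = grace                # seconds in which input dismisses it freely
        self.logoff_at = logoff_at        # absolute time of forced logoff, or None
        self.last_input = now
        self.saver_since = None
        self.state = self.ACTIVE

    def tick(self, now):
        """Apply every transition that is due at time `now`. Called periodically by
        the session daemon and before every event, so a user who returns hours
        later is locked even if no tick ran while they were away."""
        if self.logoff_at is not None and now >= self.logoff_at:
            self.state = self.LOGGED_OUT
            return self.state
        if self.state == self.ACTIVE and now - self.last_input >= self.idle_timeout:
            # The saver started when the timeout expired, not when we noticed it.
            self.saver_since = self.last_input + self.idle_timeout
            self.state = self.SCREENSAVER
        if self.state == self.SCREENSAVER and now - self.saver_since >= self.grace:
            self.state = self.LOCKED
        return self.state

    def input_event(self, now):
        """Keyboard or mouse activity. Inside the grace window this dismisses the
        screensaver; once locked it only brings up the password prompt."""
        self.tick(now)
        if self.state == self.SCREENSAVER:
            self.state = self.ACTIVE
            self.saver_since = None
        if self.state == self.ACTIVE:
            self.last_input = now
        return self.state

    def unlock(self, now, password, verify):
        """Password entry at the lock prompt. `verify` is the site's credential
        check (assumed to be supplied by the caller). Returns True on success."""
        self.tick(now)
        if self.state != self.LOCKED or not verify(password):
            return False
        self.state = self.ACTIVE
        self.last_input = now
        self.saver_since = None
        return True


def demo():
    """Walk a constructed timeline; returns the list of observed results."""
    check = lambda p: p == "hunter2"  # constructed credential check
    lock = IdleLock(now=0.0, idle_timeout=60.0, grace=15.0, logoff_at=3600.0)
    seen = []
    seen.append(lock.tick(30.0))                  # still active
    seen.append(lock.tick(60.0))                  # saver starts
    seen.append(lock.input_event(70.0))           # within grace: dismissed, no password
    seen.append(lock.tick(150.0))                 # idle since 70: saver at 130, locked at 145
    seen.append(lock.input_event(160.0))          # too late: still locked
    seen.append(lock.unlock(161.0, "wrong", check))    # wrong password
    seen.append(lock.unlock(162.0, "hunter2", check))  # unlocked
    seen.append(lock.tick(3600.0))                # forced logoff at the configured time
    return seen


if __name__ == "__main__":
    print(demo())
```

The one subtlety worth copying into a real implementation is in `tick()`: the screensaver start time is computed from the last input, not from the moment the daemon noticed, so a user who walks away for two hours cannot dismiss the saver for free just because no timer fired in between.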

  • User education. It won't go away, you always need to do it, and for most users, you have to do it multiple times. Proximity systems may help, but...

    For the record, on a winders machine, window-L. Two keystrokes, you're done. Well, mostly, but that'll keep most people out.

    • Catch a coworker with their screen unlocked, get a small bonus.

      Get caught that way more than x number of times, get fired. The pink slip is the most effective LART, when it's feasible to use it.

      Oh, and make it easy. On KDE, ctrl+alt+l locks my screen. Logging out isn't much harder (win+backspace, then alt+l), but it's not significantly more secure, and it is less convenient (I have to close everything, and I have to watch the logout process to make sure it completes -- lock screen is instantaneous).

  • This works for me because I know enough to do it, but lots of people just leave their computer on and running when they walk away. As a result, many office computers are left logged in when people go to lunch, or when they go home for the night. This, obviously, is a security vulnerability.

    Sounds like lazy IT PHBs. At my company you're required to have a password-protected screen saver that kicks in after fifteen minutes, with policies set up so that you're automatically logged off an hour after your quitti

    • This works for me because I know enough to do it, but lots of people just leave their computer on and running when they walk away. As a result, many office computers are left logged in when people go to lunch, or when they go home for the night. This, obviously, is a security vulnerability.

      Sounds like lazy IT PHBs. At my company you're required to have a password-protected screen saver that kicks in after fifteen minutes, with policies set up so that you're automatically logged off an hour after your quitting time.

      Yeah... I did that once...

      It's easy enough to do, a couple clicks of the mouse. Group Policy lets you do all sorts of stuff. Set it up to lock the computers after about 15 minutes of inactivity, and log everyone off about an hour after closing time. Seemed like a great idea to me, especially since it was a medical office and they had expressed numerous concerns about security and confidentiality.

      Then the screaming started. Folks would walk away from their computers and come back to a locked screen...

      • You got that in writing, right? So you have some lawsuit insurance when someone figures out how easy it would be to steal some identifying information and they blame the IT guy?

      • Or someone would walk away for an hour or two without logging off, and someone else would have to use their computer while they were gone.

        Doesn't windows support multiple sessions, these days? Leave their session alone and log in to yours. "Switch user", I think it's called.

        They didn't even want the account to automatically log off after work, because it was easier to leave everything up and running overnight and come back to it in the morning...

        What about automatically locking, at least?

        But yes, I agree with zippthorne -- get it in writing, especially if you can get them to sign something along the lines of "I understand that this will significantly decrease security, below what many professionals consider to be acceptable."

      • Re: (Score:3, Insightful)

        by mcgrew (92797) *

        Then the screaming started. Folks would walk away from their computers and come back to a locked screen... But they wouldn't know how to log in. They didn't know what username and password to put in there because it looked ever so slightly different from what they saw when they first showed up in the morning.

        You have to have the cooperation of the people at the top of the organization, who would send a memo to everyone saying that for security reasons, this is what you WILL do, and failure will result in dis

  • ... that would detect if the logged in user is around would probably solve the problem. Automatic locking of the screen is a nightmare if you have other things to do (phone etc.) but in case you need the computer immediately.

    CC.
    • by j_sp_r (656354)

      I set my screensaver to appear after 5 minutes, and then lock after 10 seconds. If I see the screensaver starting I just touch the mouse and I can snoozy another 5 minutes. Don't know if it works with Windows, but I like the (KDE) option very much.

      • Re: (Score:3, Interesting)

        If you are running KDE, and want proximity detection, you can set it up to listen for your phone's bluetooth radio and lock/unlock in response to the absence/presence of that signal.

        Kbluelock.
  • In organisations where data is sensitive they use smartcards.

    If you make the same smartcard open the doors to the building then you ensure that nobody will leave it in their PC while they go out for a break.

  • When people at the office leave their systems unlocked we see a teachable moment. Choose from any number of good techniques and have some fun. Some good ones include changing the keyboard layout, installing keyloggers, switching their homepage to something horribly inappropriate, impersonating them on IM. Interestingly enough, most people learn fast after that.
    • Re: (Score:3, Informative)

      by Zordak (123132)
      Do a "Print Screen" of their desktop and set it as their wallpaper. Then set their taskbar to auto-hide and set the desktop to hide icons. Enjoy watching them click all over the reactionless bmp trying to open stuff.
  • by jbezorg (1263978) on Monday September 28, 2009 @11:07AM (#29566925)

    Designing systems for usability is hard, especially when security is involved.

    Meh.. I was hoping for some deeper insights than that.

    • by BitZtream (692029)

      Deeper would be nice, but being that usability is one of if not the single largest problem in the computing world, it's probably good if we focus on the basics for a while, until everyone at least gets that part of it.

  • by Animats (122034) on Monday September 28, 2009 @11:14AM (#29567049)

    Back before ease of use eclipsed security, I once encountered a military system where the access terminal was surrounded by a small fence. Opening the gate in the fence forced an immediate logout.

    Nobody would tolerate that today. Except, maybe, for an ATM.

  • by Geoffrey.landis (926948) on Monday September 28, 2009 @11:16AM (#29567075)
    Requiring re-authentication whenever a logged-in user does something suspicious-- i.e., transferring large amounts of money, installing a keylogger, sending out ten thousand e-mail messages, scanning networks for open ports, etc.-- might be useful.

    If you really do need to do this kind of thing (I suppose people sometimes do have legitimate requirements to wire large amounts of money to offshore accounts), it's not a big hassle to log in again.

    • That always annoys me. No one should be able to steal my session, if it's encrypted (replace with "session cookie" and "https" if we're talking about the Internet) -- if they could, they could probably steal my password, too. If they've got my password, that's a trivial annoyance. And if you're worried about leaving people logged in, add an inactivity timeout.
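Re-authentication on suspicious actions plus an inactivity timeout, as this exchange suggests, is usually implemented as a freshness rule on the server-side session: routine requests ride on the session, but actions on a sensitive list (or an unusual burst, such as the thousands of e-mails mentioned) require a password entered within the last few minutes. The following is an added example, not code from any product; the action names, thresholds and the `verify` callback are assumptions chosen for the illustration.

```python
"""Step-up re-authentication and inactivity timeout for a server-side session.
Added illustration; action names, limits and verify() are assumptions."""
import secrets

SENSITIVE = {"wire_transfer", "add_payee", "change_password", "change_email"}
VELOCITY_LIMITS = {"send_mail": (100, 3600)}  # more than 100 sends per hour is unusual
REAUTH_WINDOW = 300    # a password entered in the last 5 minutes counts as fresh
IDLE_TIMEOUT = 900     # 15 minutes without a request ends the session

OK, STEP_UP, EXPIRED = "ok", "step_up_required", "session_expired"


class Session:
    def __init__(self, user, now, verify):
        self.user = user
        self.verify = verify                 # verify(user, password) -> bool, site-specific
        self.id = secrets.token_hex(16)      # unguessable bearer id for the cookie
        self.last_seen = now
        self.fresh_auth_at = now             # login itself is a fresh authentication
        self.history = {}                    # action -> recent timestamps (velocity checks)
        self.alive = True

    def _touch(self, now):
        """Inactivity timeout: a session idle for too long is dead, not revived."""
        if self.alive and now - self.last_seen > IDLE_TIMEOUT:
            self.alive = False
        if self.alive:
            self.last_seen = now
        return self.alive

    def _is_fresh(self, now):
        return now - self.fresh_auth_at <= REAUTH_WINDOW

    def _over_velocity(self, action, now):
        """True when `action` has already hit its rate limit inside the window."""
        if action not in VELOCITY_LIMITS:
            return False
        limit, window = VELOCITY_LIMITS[action]
        recent = [t for t in self.history.get(action, []) if now - t < window]
        self.history[action] = recent        # prune old entries while we are here
        return len(recent) >= limit

    def perform(self, action, now):
        """Authorise one request. Returns OK, STEP_UP or EXPIRED."""
        if not self._touch(now):
            return EXPIRED
        needs_fresh = action in SENSITIVE or self._over_velocity(action, now)
        if needs_fresh and not self._is_fresh(now):
            return STEP_UP                   # caller redirects to the password prompt
        if action in VELOCITY_LIMITS:
            self.history.setdefault(action, []).append(now)
        return OK

    def reauthenticate(self, now, password):
        """Password re-entry at the step-up prompt. Does not mint a new session;
        it only refreshes the freshness timestamp."""
        if not self._touch(now) or not self.verify(self.user, password):
            return False
        self.fresh_auth_at = now
        return True


def demo():
    """Constructed timeline; returns the sequence of decisions."""
    s = Session("alice", now=0, verify=lambda u, p: p == "hunter2")
    out = [s.perform("view_balance", 10),        # routine: OK
           s.perform("wire_transfer", 100),      # sensitive but login is still fresh: OK
           s.perform("wire_transfer", 400),      # 400s since login: STEP_UP
           s.reauthenticate(401, "wrong"),       # False
           s.reauthenticate(402, "hunter2"),     # True
           s.perform("wire_transfer", 403)]      # OK again
    out.append(all(s.perform("send_mail", 1000 + i) == OK for i in range(100)))
    out.append(s.perform("send_mail", 1100))     # 101st in an hour: STEP_UP
    out.append(s.perform("view_balance", 2001))  # 901s idle: EXPIRED
    return out


if __name__ == "__main__":
    print(demo())
```

The design point is that a stolen session cookie buys the attacker only the routine actions: anything on the sensitive list, or a burst that looks like abuse, still needs the password, and the inactivity timeout bounds how long an abandoned session is usable at all.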

  • by Tumbleweed (3706) on Monday September 28, 2009 @11:19AM (#29567141)

    Windows 95/98/ME had a built-in solution to this problem, but MS removed it in Win 2K and newer. They simply had the machine crash every 2 hours. Heavy handed, sure, but it worked.

  • by bleh-of-the-huns (17740) on Monday September 28, 2009 @11:22AM (#29567195)

    While yes, there are technical measures that you can put in place to automatically lock screens and accounts and such after a predetermined time period, the best solution is a policy, and actual enforcement of that policy. Therein lies the problem in many organizations: enforcement is not being done consistently.

    With technical controls, there is always that time frame. For example, idle accounts: usually 30 days from last login and then the account is automatically locked; well, a malicious user has 30 days in which to attempt access to that account. Same goes for screen locks: 15 min is a common default; well, you walk away and I have 15 min to make my way over and have fun with the account. You can reduce the amount of time, but that has other issues: users get annoyed at the screen locking while they are on the phone, or whatever, while they are at their desk, which results in crappy passwords.

    With a policy, and enforcement behind it, accounts can be removed, users will lock their screens (hopefully) within a timely manner.

  • by gweihir (88907)

    Or rather the locking option of xscreensaver has worked very well for years for me. You just need to make it a habit.

    Otherwise logging out has been solved for half a century now, just use a reasonably security aware OS.

  • Pwning (Score:2, Interesting)

    by al3 (1285708)

    In my office an unlocked computer is fair game for harmless pranks that have become known simply as pwning.

    Nothing too nasty happens as the shame is in having been pwnd, not in the severity of damage inflicted.

    There, my computer just announced "it's one thirty" in a robot voice. Nice. Thanks a lot, guys.

  • by SuperBanana (662181) on Monday September 28, 2009 @11:37AM (#29567471)

    You make the client system re-authenticate after a configurable amount of time, and that authentication comes via central storage of authentication passwords/tokens. For example, Keychain.

    My laptop is set up with SSHKeychain, and it has options for locking my Keychain. If I activate the screensaver and don't come back within 3 minutes or so, it locks the keychain, and any program that wants to use a stored password triggers a password authentication dialog box for the system keychain password.

    This puts the power of security in the hands of the user or organization. Computer at home, no roommates? Probably not an issue to lock your keychain any time except when you shut down your computer. Work in a cube? After 5-10 minutes of inactivity or whenever you lock your screensaver.

  • by Bert64 (520050) <(bert) (at) (slashdot.firenzee.com)> on Monday September 28, 2009 @11:53AM (#29567735)

    Some places use smartcards, the card must be in the slot or it locks your screen... The same card is also used to open the doors so if you leave the room without taking the card then you can't get back in. Most people had the card attached to their belt or similar.

    Another idea is to track the location of your phone using bluetooth (10 meters range), if you walk too far away it loses signal and locks the screen.

  • by zentechno (800941) on Monday September 28, 2009 @11:58AM (#29567811)
    One other system used more prevalently is the simple locking screen saver. The idea is only the user, and sysadmin have the password to unlock the screen, and access through the system is prohibited until the screen saver password is entered. I'm not a fan of this, as generally screen-saver passwords are more-often assigned by the users themselves, and so are easier to guess than the back-end passwords which on occasion are set by the site, or by the sysadmin in the case of accessing corporate systems via corporate-policy. Now a minor, but important distinction. This isn't "un-authentication" this is de-authorizing the computer from which you're logged in accessing the place you're logged in to. You want to "authenticate a de-authorization" that is verify that you are the person removing access privileges. If the system doesn't require authentication to de-authorize access, then a denial of service attack is made (somewhat) trivial, and if more thought process went into understanding the difference I think more places would realize how serious the solution needs to be.
  • I like the RFID card cars that detect when the user is nearby and unlock. The car starts with a button when the RFID is nearby to make things even easier. Of course it has to be a secure challenge-response style system like SIM cards or it is just as bad as those enhanced ID things.
  • Our Group Policy is set to auto-lock the system after 15 minutes of non-use. Everyone gets it, almost no exceptions.

    Bring the hammer!

  • Salling Clicker is an app that will auto lock when it loses the Bluetooth signal from a device like your phone. Instant auto lock when you walk off as long as your phone is on you.

    It can also unlock when you return, but that's obviously dangerous in a few different ways since it effectively makes your bluetooth device a token for authentication and that is easy enough to clone off.

    http://www.salling.com/clicker/ [salling.com]

    The problem is you have to have it installed and your phone/device must be paired. This is accep
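The proximity lock that Kbluelock and Salling Clicker are described as providing (and the reason auto-unlock is a bad idea) comes down to a debounced presence loop. The following is an added illustration, not either product's code: the probe command `hcitool name <MAC>` (BlueZ; may need privileges) and the lock command `loginctl lock-session` (systemd-logind) are assumptions about the host, and the MAC address and the probe sequences in `simulate()` are constructed.

```python
"""Proximity lock: lock the desktop once a paired phone has been out of range for
several consecutive probes, and never unlock automatically, because a radio that
can be cloned is not a credential. Added illustration; the hcitool/loginctl
commands and the MAC address are assumptions."""
import subprocess
import time


def bluez_probe(mac):
    """True if the device answers a name request, i.e. is in range (assumes BlueZ)."""
    try:
        out = subprocess.run(["hcitool", "name", mac], capture_output=True,
                             text=True, timeout=5).stdout
    except (OSError, subprocess.TimeoutExpired):
        return False  # a broken probe counts as 'absent': fail towards locking
    return bool(out.strip())


def logind_lock():
    """Ask the session manager to lock the current session (assumes systemd-logind)."""
    subprocess.run(["loginctl", "lock-session"], check=False)


class ProximityLock:
    def __init__(self, probe, lock, misses_before_lock=3):
        self.probe = probe
        self.lock = lock
        self.threshold = misses_before_lock  # debounce: one dropped reply must not lock
        self.misses = 0
        self.locked = False

    def step(self):
        """One polling round. Returns True if the session is (now) locked."""
        if self.probe():
            self.misses = 0          # present: reset the debounce counter...
            return self.locked       # ...but deliberately do not unlock
        self.misses += 1
        if self.misses >= self.threshold and not self.locked:
            self.lock()
            self.locked = True
        return self.locked

    def user_unlocked(self):
        """To be wired to the desktop's unlock notification: the user typed the
        password, so the daemon may lock again later."""
        self.locked = False
        self.misses = 0

    def run(self, poll_interval=5.0):
        while True:
            self.step()
            time.sleep(poll_interval)


def simulate(readings, misses_before_lock=3):
    """Replay a constructed sequence of probe results; returns (states, lock_calls)."""
    it = iter(readings)
    calls = []
    p = ProximityLock(probe=lambda: next(it), lock=lambda: calls.append(1),
                      misses_before_lock=misses_before_lock)
    return [p.step() for _ in readings], len(calls)


if __name__ == "__main__":
    print(simulate([True, True, False, False, False, False, True]))
    # A real daemon (assumed host setup, constructed MAC):
    # ProximityLock(lambda: bluez_probe("AA:BB:CC:DD:EE:FF"), logind_lock).run()
```

Two choices carry the security weight: the probe failing in any way is treated as absence, so a dead Bluetooth stack locks rather than leaving the desk open, and presence only ever resets the debounce counter, never the lock, so the phone's address is a convenience trigger and not an unlock token.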

  • Our PHB ITs went very tight on network security. (haha) Users have to authenticate with the firewall every 12 hours. They originally wanted 8 hours. We pointed out that the main users (R&D), would work 10-12 hours a day. Everyone else is on a different network. It slows down starting up a windoze PC, every morning by about 10-20 minutes, as many taskbar apps, automatically start-up and check the network for updates. We have removed auto-connecting networks disks and moved them to a script, started man

  • I'm less interested in being de-authenticated from my web logins. I'm much more interested in finding a way to deauthenticate website security certificates. When a malicious website obtains a security certificate, how do you remove it?

    • Re: (Score:3, Informative)

      by afidel (530433)
      OCSP/CRL, certificate revocation list. If you have found a fraudulent site or a legit site whose cert has been compromised contact the signer and have them add it to their CRL/OCSP blacklist. I'm not sure if there is any mechanism for a local CRL, though you can certainly stop trusting a signer if they show a significant lack of diligence in screening their clients.
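The CRL mechanism described here, and a "local CRL" in the sense asked about, can be shown end to end with a toy CA. The following is an added example using the `cryptography` package, not code from any CA, browser or the site in question: the CA, the hostnames and the locally maintained distrust set are all constructed, and the relying party verifies the CRL's issuer and signature before acting on it.

```python
"""Certificate revocation end to end: a toy CA issues certificates, revokes one,
publishes a signed CRL, and a relying party checks a certificate against both a
local distrust list and the verified CRL. Added illustration; CA, names and the
distrust set are constructed."""
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

UTC = datetime.timezone.utc
ONE_DAY = datetime.timedelta(days=1)
LOCAL_DISTRUST = set()  # SHA-256 fingerprints this site decided not to trust


def make_ca(name="Example Signer"):
    """Self-signed CA (constructed for the demo)."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    now = datetime.datetime.now(UTC)
    cert = (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - ONE_DAY).not_valid_after(now + 365 * ONE_DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue(ca_key, ca_cert, hostname):
    """End-entity certificate signed by the CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(UTC)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
            .issuer_name(ca_cert.subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - ONE_DAY).not_valid_after(now + 90 * ONE_DAY)
            .sign(ca_key, hashes.SHA256()))


def build_crl(signing_key, ca_cert, revoked_serials, reason=x509.ReasonFlags.key_compromise):
    """The signer's published list: revoked serial numbers, signed, with a next-update date."""
    now = datetime.datetime.now(UTC)
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject)
               .last_update(now).next_update(now + 7 * ONE_DAY))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(serial).revocation_date(now)
            .add_extension(x509.CRLReason(reason), critical=False)
            .build())
    return builder.sign(signing_key, hashes.SHA256())


def distrust(cert):
    """The 'local CRL': stop trusting one certificate regardless of what its signer says."""
    LOCAL_DISTRUST.add(cert.fingerprint(hashes.SHA256()))


def check_revocation(cert, crl, ca_cert):
    """Returns 'good', 'revoked: <reason>', 'distrusted-locally', or why the CRL is unusable."""
    if cert.fingerprint(hashes.SHA256()) in LOCAL_DISTRUST:
        return "distrusted-locally"
    # Never act on an unverified CRL: a forged list could 'un-revoke' as easily as revoke.
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        return "crl-untrusted"
    next_update = getattr(crl, "next_update_utc", None)        # cryptography >= 42
    if next_update is None:
        next_update = crl.next_update.replace(tzinfo=UTC)      # older releases
    if datetime.datetime.now(UTC) > next_update:
        return "crl-stale"  # an expired CRL proves nothing about current status
    entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    if entry is None:
        return "good"
    try:
        reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    except x509.ExtensionNotFound:
        return "revoked: unspecified"
    return f"revoked: {reason.name}"


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    bad = issue(ca_key, ca_cert, "bad.example.test")
    crl = build_crl(ca_key, ca_cert, [bad.serial_number])
    print(check_revocation(bad, crl, ca_cert))
```

Note the order of checks: the local distrust list is consulted first because it is the only control the relying party owns outright; the CRL is then trusted only after its issuer and signature are verified and its `next_update` has not passed, since a stale or unverified CRL says nothing reliable about the certificate's current status.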
