Only you should 0wn your data, Part 1: 1Password and Flashback

Over the last couple weeks, a topic in tech news has been Flashback, malware that seems to have gotten itself installed on (at least) about 600,000 Macs running OS X. Although there has been malware for Mac OS X for a long while, Flashback is the first to reportedly affect a substantial number of users. In at least one respect, it does represent an important change in the kinds of security threats facing Mac users.

This article is the first installment of a three-part series about the state of Mac malware and what all this means to you as a Mac and 1Password user. In today’s first part, I’ll discuss what kind of threat malware like Flashback does or does not pose to your password data. Part 2 will talk about malware more generally, with concrete tips about keeping yourself safe. Part 3 will talk about changes in threat landscape, and provide some ways of understanding the differences and similarities between the threats that Mac and Windows users face.

First things first

If you haven’t tested whether your system has been infected with Flashback, you should. By installing the latest security updates to Lion and Snow Leopard, you will get Apple’s Flashback removal tool. Just use Software Update on your Mac. I write more about keeping your system up to date in Part 2 of this series.

Mac Software UpdateApple, to say the least, has not been the most fleet of foot in addressing the threat, so you may be tempted to look elsewhere for detection and remove tools. Every anti-virus vendor offers free (or free trial) tools that will detect and remove Flashback. I’ll talk a bit more about anti-virus software in Part 2, but for now let me just point out that they have an incentive in scaring people and publishing hyperbolic claims. I haven’t (and won’t) evaluate the various products they have to offer, but personally I would be more trusting of those companies who provide useful, level headed information over those that try to scare you.

The quick answer

We do not see the Flashback infection as a significant threat to your 1Password data. But the single best thing you can do to protect your 1Password data if your machine is infected in any way is to have a good Master Password.

The encryption on your 1Password data has been designed from the outset to withstand concerted attack if it gets captured. Whether it is captured through your computer being stolen, a compromise of a syncing service, or through a compromise of your computer through malware, it can’t be decrypted without your Master Password.

The second thing about 1Password’s design is that it only decrypts the smallest amount of information needed at any one time. Even when your 1Password data is unlocked, all of the information is encrypted except for the particular item you are dealing with at the time. This means that there are no decrypted temporary files. This is an important – and often overlooked – security feature. 1Password never decrypted usernames and passwords while just sitting around.

Of course, when it comes to security questions, there really are no quick answers. So the rest of this article goes into more detail.

Theory and Practice

It’s a wonderful day when I can meaningfully quote Yogi Berra:

In theory there is no difference between theory and practice. In practice, there is.

In principle, once your computer is compromised it is no longer “your” computer. In some juvenile jargon your system is ownedIn theory, if malicious software is running (with sufficient privileges) on your computer, then everything you do and see belongs to the attacker. This could, in principle, involve modifying all of the software (including the Operating System) that you use. So in theory, once your computer is taken over, there is pretty much nothing that can protect you. Fortunately, practice is much different than theory.

In practice, malware tries to remain small. It makes only the minimal changes to your system that are required for its specific job, and most of those changes are attempts to cover its tracks. Because we know the kinds of things that malware–in practice–does, we have been able to design 1Password to protect your data against those sorts of attacks.

Flashback, for the most part, opens a back door that allows its operator to install or modify things on the infected computers later. That is, computers that are infected become part of what is called a botnet. These are often used to relay or to launch certain attacks on more high-value targets. By using machines in a botnet, the attackers can cover their tracks and leverage huge numbers of machines to make their attacks more powerful.

Because machines in a botnet are awaiting commands from those who control the botnet, it is hard to answer the question “what does Flashback do?”  Symantec has just published a fascinating analysis of  how Flashback has made money for its operators. It inserts itself into web browsers to hijack certain advertisements and clicks, so ad revenue that would otherwise go to Google goes to the operators of Flashback.

Even with our better understanding of what the Flashback operators were after, we still have to ask what the operators of a botnet could, in practice, do with an infected computer. Here I will focus on two things that malware can do that pose a risk to password data, even if this isn’t primarily what Flashback was after. One thing is that malware can install software that would scan your computer for lists of passwords. The other point of concern is that is can install malicious software into browsers that try to capture passwords as you use them.

Hunting for lists of passwords

One thing that can be installed through the backdoor is a system that searches your computer for lists of passwords. There is a history of this in Windows malware, so we should assume that those who have a back door into your computer have the same capabilities and interests.
The good news for 1Password users is that such malware goes after “home-grown” password management systems. They are not at all prepared for a well-designed system like 1Password.

Many people, faced with the problem of remembering lots of passwords, develop their own password management system. Often people will simply list their passwords in a word processor document, such as Microsoft Word, or in a spread-sheet. It is those files that this sort of malware goes after. Even when people encrypt those files, the password that they use to encrypt that data is often not protected by measures to resist automatic password cracking tools. Furthermore, when people decrypt those files to work with them, often temporary files are created with the data decrypted. Password collecting malware goes after those too.

1Password’s design resists those sorts of attacks. We use PBKDF2 to make it much much harder for an attacker to run a program that tries to guess your Master Password. We’ve also been beefing up this defense to keep ahead of developing threats.

We are also very careful to only decrypt small amounts of data at a time instead of decrypting everything. This means that (with the exception of file attachments) decrypted data is never written to disk. This means that there are no temporary or cache files that could be picked up by an attacker on your system. These are some of the behind-the-scenes considerations that go into 1Password, but are rarely considered in home-grown systems, which makes them such ripe target for malware.

Target of the DevilRobber

Poorly designed, home-grown, systems are the typical targets of malware data collection, but does that mean no malware would ever include 1Password data among its targets? Not at all. Indeed, I wrote about a case like that last November involving DevilRobber, another piece of malware. DevilRobber didn’t get much attention because it didn’t get very far, but it did collect a great deal of information from the few machines that were infected.

Whoever collected that data would still need to guess someone’s 1Password Master Password to get encrypted information out of the file. But once we learned that people were actively going after 1Password data files, we made some changes with some more to come.

If I can be forgiven for repeating myself, the single best thing you can do to protect your 1Password data is to have a good Master Password.

Password collection in Safari

Some versions of Flashback are reported to have added things into Safari to capture password you might enter for sites in the browser. If your browser had been infected this way, then passwords that you typed or pasted into web pages are likely to have been captured. This does not include your 1Password Master Password.

Passwords that were filled by 1Password (not pasted or manually typed) are unlikely to have been captured, but I can’t be absolutely certain of that. Although it may seem that 1Password is just pasting in or typing in your usernames and passwords for you, that’s not what is really going on. 1Password’s form filling mechanism works much closer to the bone, thus reducing the chances that something could intercept the data that 1Password fills in.

Still, because you may have pasted passwords instead of having 1Password fill everything, if your system has been infected, you should use Apple’s aforementioned Flashback removal tool and change some of your passwords. Start with your more important and frequently used ones. Passwords for email services are the first thing that attackers like to go after. After that, it’s banking and popular on-line retailers.

Even if your system was infected, there are a lot of unknowns that all act in your favor: whether you had a Flashback variant that monkeyed with Safari; whether passwords were entered in a way that the malicious software could capture; whether the people gathering that data have the resources to exploit it. One of the biggest unknowns is that many infected Macs have not been able to communicate with the command centers—the systems on the network that are set up to give instructions to infected Macs or collect data from them. Network operators and security companies substantially disrupted communication with the command centers.

Complacency or panic

Frightened people make poor security decisions, just as people who are overly complacent do. Flashback poses a non-negligible threat to your 1Password data, but “non-negligible” doesn’t mean “large”. It doesn’t even mean “significant” in this case, but it does mean that we shouldn’t ignore it. So let me repeat the advice I gave above that if your machine was, in fact, infected with Flashback, after you get it removed and your system up to date, do change your most important and frequently used passwords.

Other posts in this series

  1. Only you should 0wn your data, Part 3: The Mac malware landscape (May 7, 2012)
  2. Only you should 0wn your data, Part 2: Staying safe (May 2, 2012)
  3. Only you should 0wn your data, Part 1: 1Password and Flashback (April 30, 2012)