Flashback to Leopard

OS X LeopardIt seems that my ability to predict the future with respect to Mac malware is, indeed, on par with Digitime’s ability to predict anything. Just recently I wrote, “on the Mac, Leopard and Tiger are no longer being updated”. To prove me wrong (yeah, I’m sure that’s why they did it), Apple has just released a couple of security updates for Mac OS X 10.5 (Leopard). These are “Flashback Removal Security Update for Leopard (Intel)” and “Leopard Security Update 2012-003.” Both of these are available through Software Update.

The Flashback Removal Security tool is now available for Leopard users on Intel Macs. Leopard Security Update doesn’t actually fix any weaknesses in the operating system; its only job is to disable old versions of Adobe Flash Player and encourage people to upgrade to more recent versions of the Flash Player.

Beyond the ordinary

I am hesitant, without doing more research, to call this kind of security update “unprecedented” from Apple, but I am more than willing to call it “extraordinary”. Providing an security update to systems that have long fallen off the “supported” versions is highly unusual. I can only speculate that Apple has examined which systems have been most effected by Flashback and it taking extraordinary steps to help clear that up where it needs to.

Leopard users are still not covered

I have been pleading with people to keep their systems up to date. If you must run OS X Leopard then you should take extra care to keep your web browsers up to date, and (if you use it at all)  Adobe’s Flash player up to date.  Adobe’s Flash about page will let you know what version you are currently running.

Failure to keep systems up to date with the latest versions of software is an enormous security risk. Good updating habits not only help keep your system free of malware, but these habits can help reduce the amount of malware in the environment.

Apple’s two extraordinary updates do only two things. They provide the Flashback removal tool for Leopard users and they prevent Leopard users from using outdated versions of Adobe Flash. They do nothing whatsoever to bring the enormous security enhancements and fixes that have been brought to Snow Leopard and Lion.

You scream, I scream, we all scream for Apple security updates!

Mac Software UpdateI’ve been talking a lot lately about the importance of keeping systems up to date and the role this plays in keeping malware at bay. I even suggested that Mac users are particularly good at keeping there systems up to date. So if you’re on OS X 10.6 Snow Leopard or 10.7 Lion, please help prove me right by running Software Update now.

Apple has released a big update from OS X 10.7.3 to 10.7.4, which includes many important security fixes, among them a fix for the the FileVault issue we talked about a few days ago. The security update is also available for those running 10.6.8 (Snow Leopard). Among the many important security updates are fixes for  Safari, WebKit (used by Safari and much, much more), Bluetooth, and QuickTime.

Unsupported systems are unsupported

If, for some reason, you are using an older, unsupported, version of Mac OS X such as Leopard  (OS X 10.5) or Tiger  (10.4), your system is unprotected. As I explained last week, the large majority of security flaws that get exploited by malware are things that people could have avoided if only they kept their systems up to date.

On a similar note, Mozilla, the makers of Firefox, stopped support for Firefox 3.6 in April. Running the updater from within Firefox 3.6 should bring you to the current version, Firefox 12. Our modern 1Password extension for Firefox uses the same powerful and flexible design that we have for Safari and Chrome; and it makes future browser upgrades a breeze.

Home Folders, FileVault, and passwords

One of the things that the OS X update fixes is the aforementioned FileVault problem. If your system was set up in such a way that your login password was needed for your Home Folder FileVault iconto get loaded by the system, your login password may have been written to system logs in plain text. The most typical way for this to happen is if you had configured FileVault to encrypt your Home Folder back before OS X 10.7 (Lion) and upgraded your way to 10.7.3.

The same problem may also occur if your Home Folder is mounted from a network server. This is because, even under these circumstances, the actual bug was not in FileVault itself, but in the system that handles using login passwords for mounting Home Folders. Anyone with administrator powers on affected Macs could simply read everyone’s login password.

You might think that, if someone has administrative powers, it doesn’t matter if they also have your login password for your Mac. As usual, things are not that simple. It does matter if others get ahold of your login password, even if they already have administrative power on the Mac you use. First, there is the fact that many people reuse passwords like this (so they could compromise your other accounts), but your login password is also used to encrypt your OS X keychain. This includes things like passwords that Mail.app, iCloud, iChat, Safari, and many other apps may store in your OS X login keychain. An attacker with administrative powers, but without your login password, can not get at that information. But they can if they have your login password.

There are three things that affected users need to do:

  1. Run software update to prevent any further logging of passwords
  2. Change your login password through System Preferences > Users & Groups
  3. Remove old system logs that contain the old password by following the instructions in Apple’s support document on removing sensitive information from system logs.

It’s great that Apple was able to fix this quickly. The error really was an embarrassing blunder. But while this particular fix may be getting the headlines, there are many other important security fixes. Don’t for a moment think that you can skip it just because you aren’t affected by that specific bug.

Only you should 0wn your data, Part 3: The Mac malware landscape

It’s tough to make predictions, especially about the future.

—Yogi Berra

In Part 1 of this series I discussed how your 1Password data may (or may not) be threatened if your computer gets infected with some kind of malware, particularly Flashback. In Part 2, I reviewed the few simple things everyone should do to keep their systems safe. In this part, I will discuss ideas about the relative threats of malware on Mac and Windows, and what has been changing.

I have a nearly perfect record of making incorrect predictions about malware on the Mac, putting my prognostication skills on par with DigiTimes. For many years I’ve been saying that malware will become a serious issue on OS X “in the next year or two”. I have been consistently wrong with those predictions. So about a year ago, I took a different approach. I tried to understand why I had been wrong, and listed a few new reasons why there hasn’t been a real malware problem on OS X. What I offer here – instead of anything resembling predictions – are some things to keep in mind when trying to understand the relative frequency of malware on OS X versus Windows.

It isn’t 2002 any more

Bob and Charlie are out camping when a bear attacks their campsite and comes menacingly toward them. Bob puts on his running shoes. Charlie asks, “why are you putting on your running shoes? You can’t out run the bear.” Bob answers, “I don’t need to out run the bear. I only need to out run you.”

When OS X was first introduced, it was perfectly correct for people to be pleased that Apple had “brought the security of Unix” to the Mac. In comparison to the competition, and especially in comparison to Mac OS 9, the Unix security architecture was a great improvement. Unix had been designed from the outset to be a multiuser system. A single Unix computer was designed so that several different people could use the computer (and at the same time). This meant that not everyone using to computer was supposed be be master of everything that is on it. Individual users needed to be protected from things done deliberately or accidentally by other users, and the system as a whole needed to be protected from its users.

Unix, then, had important security features built into it from the beginning. Operating systems that were designed for personal computers didn’t initially have these kinds of protections. For the most part, the user, and any program that they ran, could do anything with the system. Over time, Microsoft added more protections into Windows, but it still was hampered by its legacy. Macintosh operating systems, up to and including Mac OS 9, offered no protections against the damage that a single user program could do. In the years immediately after OS X was introduced it was perfectly correct to say that it has better security because OS X rests on secure Unix foundations. Some of you may recall the “I’m a Mac” adverts that highlighted the fact that Macs were far less prone to malware than Windows systems were. Apple’s relatively low market share, and the relative security strength of OS X at the time, meant that few malware developers targeted the Mac.

But a lot has changed since those days. Not only has the number of Mac users increased enormously since OS X was introduced, but Windows operating systems became much more secure. Between the time that Windows Vista was introduced in January 2007 and OS X 10.7 (Lion) was introduced in July 2011, it is very reasonable to say that Windows had the more secure design. (People may legitimately argue that Windows was stronger during other periods as well, but I want to specify a time that pretty much everyone will agree on.) It should be noted that it was near the time that Vista came out that Apple toned down its claims of relative security in its advertising.

Last summer I had the pleasure of visiting the Grizzly and Wolf Discovery Center in West Yellowstone, Montana. Among other things, they test containers for “bear resistance”. It is clear that bears will take the easier approach. If the carefully designed bear proof lid is too much trouble for them, they will look for something less secure. If bears understand that relative security is what matters, I think we should learn this lesson from them. Returning to Bob and Charlie we see that when running away from an angry bear,you don’t need to be faster than the bear itself; you only need to be faster than others that the bear might be after.

OS X has been consistently improved over the last five years, but by many measures it had a poorer security architecture than what was available from Microsoft during that time. When malware developers are looking what targets to put effort into, they are looking at the relative payoffs and ease of attack. Andy Greenberg, over at Forbes, discusses the importance of looking at strengths and weaknesses in relative terms.

The increasing number of Macs and the shifts in the relative strength of the security architecture led me to make my spectacularly incorrect predictions about Mac malware during the past decade. (Fortunately for any reputation I might have, I only made those predictions on Usenet, which – I suppose – almost keeps those statements protected by stegenography.)

Although my predictions turned out wrong, I don’t think it was because I misevaluated the relative security of the systems. Nor do I think that I was wrong about the importance of relative security. After all, I should be smarter than the average bear. Instead my error was that I failed to look at other things that kept malware developers focused on Windows. Let’s look at those now.

Malware development toolkits were Windows specific

When a malware developer finds a way into a system, they need to be able to do something once they are inside. Returning to the Trojan wars analogy from the previous article, when Ulysses and his army were finally inside the gates of Troy, they needed to have swords and spears to complete the job. Pea-shooters would not have done them much good, even though they did breach the defenses. Over the decades, malware developers have assembled a large arsenal of tools they can use once they’ve found a way to sneak in.

Because malware developers have a huge set of tools and knowledge developed over decades from exploiting Windows systems, it is easier for them to get results attacking Windows systems. If they attacked Macs, they would need to develop many of those tools from scratch. Economists call this “asset specificity.” If you manufacture trucks, but see a potential for more profit in selling motorcycles, you will be reluctant to make the move because you would have to retool your factories and develop entirely new sales and distribution networks. That is: you already have a system (assets) in place for manufacturing and selling trucks, and you would need to acquire new (costly) assets to shift to the motorcycle business.

My biggest worry for malware on the Mac is that the bad guys have developed the specific assets needed to make going after the Mac profitable for them. The (still developing) history of Flashback illustrates that toolkits are now being developed for the Mac. When Flashback was first discovered in September 2011, it was delivered as a Trojan; in fact, it masqueraded as an Adobe Flash installer. It got into a system because people downloaded and installed software that they thought was legitimate but turned out to be malicious. But Flashback didn’t spread very much that way. This history, by the way, is why Flashback is still described as “Flashback Trojan”—the label it received first.

Flashback really got going after its delivery mechanism was changed to exploit a vulnerability in Java. The guts of Flashback could be reused in light of a new way into someone’s computer. Now that the version of Java installed on Macs has been fixed (for those who keep their systems up to date), there is yet a new version which makes use of a (patched) vulnerability in MS Office 2011 for Mac. Microsoft has issued a fix for this vulnerability, but if people aren’t keeping MS Office up to date on their systems, Flashback can get in this way.

Flashback has been something new in a number of ways, and so it isn’t clear whether it will remain an exception or whether it does signal that things are changing. Either way, I don’t think that Mac users can rely much longer on malware developers lacking the toolkits to go after Macs. Fortunately, there are other things that may still keep Mac users relatively safe.

Different update habits

I’ve described at great length in Part 2 the importance of keeping systems and software up to date to prevent infection. As I explained there (complete with a slick chart), the majority of bugs that get exploited on Windows are things that have already been fixed, and users would have been protected from those if they kept their software up to date.

Flashback was an exception to this. The Java bug that Flashback exploited to get into people’s system remained unpatched for several weeks after it was known to be leveraged by Flashback. It is interesting that, while most Windows exploits take advantage of patched vulnerabilities, the one substantial OS X exploit grew through an unpatched vulnerability.

This difference illustrates my point in why Mac users may have been safer than Windows users. Mac users may simply be better at keeping their systems and software up to date. There may be a number of reasons for this, and I would like to speculate about some of them. Let me be clear that I do not have evidence that Mac users are better about updates than Windows users, although there is some suggestive evidence.

For example, more than 40% of all Windows users are still using Windows XP (superseded by Windows Vista in January 2007), while fewer than 10% of Mac users are using Leopard (superseded by Snow Leopard in August 2009). However, we can’t say that this is because of better update habits. OS X Version over time [from OmniGroup]First, the numbers I reported were collected in different ways, so they might not be directly comparable. More importantly, Apple has maintained for years that around 50 percent of its quarterly Mac sales are to new customers—also known as “switchers”—so they have more recent systems, and therefore current versions of Apple’s OS by default. Still, I am going to offer ideas about why Mac users may be better with updates.

More of the software that people use on OS X comes from a single source (Apple) than is typical on Windows. Other than the operating system and Microsoft Office, the software that Windows users regularly use comes from a variety of different places. Where a Windows user will be using Adobe Reader for reading PDFs, a Mac user will be using Apple’s Preview; where a Windows user might be using Photoshop Elements, the Mac user will be using Apple’s iPhoto or Aperture; where a Windows user may be using iTunes to organize music for the iPods and iOS devices, the Mac user will be using, well, iTunes. For the Mac user, all of these come from the same place and are updated via tools Apple built into its OS, which have long been configured out of the box to run once a week.

Mac users know where their hardware and operating system comes from. Windows, like OS X, is typically purchased with the computer hardware. But while the Mac user will typically be making their purchase from Apple, a Windows user is not making their purchase from Microsoft. Instead, they are purchasing from an Original Equipment Manufacturer (OEM). The OEM—such as Gateway, Dell, or Hewlett-Packard—also add a bunch of stuff to the Windows systems that get distributed. Among these will be items that highlight the brand of the OEM. As a result, many Windows users are left confused about their operating system and where to go for updates. Many times when I’ve asked a Windows user what version of Windows they are running, I would get an answer like “Dell” or “Hewlett-Packard.” Whatever complaints people may legitimately have about Apple’s control over both the software and hardware, it does avoid confusion for the user.

Where you get your software

I discussed Trojan horses extensively in Part 2 of this series, and as with keeping systems up to date, there may be behavioral differences between Mac and Windows users that make Mac users less vulnerable.

One recent difference is that Mac users have the Mac App Store. Apps sold there have been reviewed by Apple. Although some anomalies may occasionally slip through that review process (though, to date, I am not aware of any), it dramatically reduces the chances of anything installed from the Mac App Store containing a Trojan. And in the future, the use of Gatekeeper in Mountain Lion will provide additional ways for Mac users to see who their software is coming from and that it hasn’t been tampered with along the way. The Windows 7 installer, though, already checks the digital signature attached to distributed software.

But those differences are too recent (or yet-to-arrive) to offer any explanation of what has happened over the past decade. It is possible that there are, to some extent, differences in people’s willingness to acquire software through less than reputable third parties. I have no evidence to back this up, other than the (surprising to me) relative lack of Mac infections due to Trojans over the past decade.

About the future

Given my abysmal track record on predicting malware on the Mac, I will hedge and qualify any predictions that I hint at here. I will note that Flashback did overcome some of the things that I’ve said protect the Mac environment. It suggests that malware creators are developing toolkits for use against OS X. This is what I see as the most worrying sign for Mac users.

On the other hand, I am confident that Apple learned a great deal about getting things patched quickly; they are already being very proactive in reducing the threats of Trojans, and Mac users may continue to be relatively good about keeping systems up to date.

New Problem for Old FileVault users

FileVault iconIf you have been using Apple’s FileVault to encrypt your home folder on OS X, read on. There is an important security bug and action you should take. This is an Apple security issue that does not affect 1Password 3 or Knox for Mac, but it is an important enough issue that I’m announcing it here.

This only affects those who had set up FileVault to encrypt their Home Folders (not the entire disk) prior to OS 10.7 (Lion) and have since upgraded to Lion 10.7.3. If you don’t use FileVault, or if you use FileVault to encrypt your entire disk, all is fine on your system.

Very simply, if you use FileVault on your Home Folder (something that can only be set up prior to OS X 10.7) then a bug in OS X 10.7.3 is logging your OS X login password in system logs. This is described in an article on ZDNet’s Zero Day Blog.

If you are among the affected users, then you should

  1. Go to System Preferences > Security > FileVault and change your settings to encrypt the entire disk. That is, you should use the much improved FileVault in OS X Lion.
  2. Change your OS X Login Password through account preferences

There will be other concerns as well, as your old password (usable for decrypting Time Machine backups) may still be available to other administrator users on your system. This typically isn’t a concern for home users, but it can be important for Mac in an office environment.

As David Emery, a discoverer of this problem, said in his report.

carefully built crypto has a unfortunate tendency to consist of three thick impregnable walls and a picket fence in the back with the gate left open … Nobody breaks encryption by climbing the high walls in front when the garden gate is open for millions of machines.

Only you should 0wn your data, Part 2: Staying safe

Just the place for a Snark! I have said it twice:
That alone should encourage the crew.
Just the place for a Snark! I have said it thrice:
What I tell you three times is true.

—Lewis Carroll “The Hunting of the Snark”

In Part 1 of this series I discussed how your 1Password data may (or may not) be threatened if your computer gets infected with some kind of malware, particularly Flashback. Of course, it is better for your computer to not be infected in the first place, so in this article I focus on a few tips to help keep your computer safe from malware. Part 3 will outline a way of thinking about the differences and similarities in the threats from malware on Mac and Windows.

Before I get into the list of tips that you can do to help keep your computer malware free, I’d like to say a few words about a few words. I hate the word “malware”; it’s awkward and ugly. Unfortunately that is the word we have. Words like “virus”, “worm”, “trojan”, “drive-by” and so on refer to how the particular piece of malicious software spreads. It tells us nothing about what they do. I will use the term “infected” to refer to a computer system that has some malware installed and functional on it.

As I said twice before in Part 1 (and, really, as we’ve always said), the most important thing you can do to specifically protect your 1Password data is to use a good Master Password. The proof is complete if only I’ve stated it thrice.

1. Keep your software up to date

The single most important thing you can do to protect against malware is to keep your software up to date.

Mac Software UpdateThe large majority of system compromises are through vulnerabilities that the software vender has already released a fix for. Flashback was unusual is that the Java vulnerability that was exploited had not already been patched (although it had been public for a while).

Let me introduce a few terms. A “vulnerability” is a flaw in a system (either a bug or a design error) that allows something to breach security. A “patched vulnerability” is a vulnerability that has been fixed by the supplier and the fixed version is available to users. An “unpatched vulnerability” is one for which there is no fix from the vendor yet. This distinction is important because research shows that when computers are compromised through these sorts of vulnerabilities, the large majority of them are through patched vulnerabilities. That is, if the user had kept their software up to date, they would not have become a victim.

Some people use these terms a bit differently. You will sometimes hear “zero day” to refer to what I am calling an unpatched vulnerability. But I reserve that term to refer to vulnerabilities that the software provider isn’t even aware of.

Flashback did not exploit a vulnerability that Apple didn’t know about. The particular bug in Java had been done for months before Flashback started to exploit it. Instead, Flashback exploited a vulnerability that Apple was well aware of, but had not yet fixed. Flashback, then, is an exception to my claim that keeping your software up to date will keep your computer malware free. I’ll come back to this in the third article in the series.

So if Flashback actually goes against my point, why do I insist that keeping systems and software up-to-date is the most important thing you can do to prevent infection? I’m basing my claim on a great deal of research on this question, but I will draw most of my examples from Microsoft Security Intelligence Report volume 11 (PDF). It contains the clearest arguments and data.

The Microsoft report offers the example of the number of new infected Windows systems through a particular vulnerability in Adobe’s Flash Player and Adobe Reader. The red part of the graph covers the time between when the malware was exploiting the vulnerability and the time that Adobe first issued a fix for it. As you see, there is a decline in infection rates shortly after Adobe issued updates for Flash on April 15, 2011 and for Reader on April 21 a week later.

Infection rate before and after vulnerability fixed

But as you look at what happened two months after Adobe fixed the vulnerability (the green part of the graph), there is an enormous resurgence of the malware. The number of systems infected before Adobe fixed the vulnerability is tiny compared the infections that happened much later. This particular example illustrates the general pattern. Most system compromises through vulnerabilities could have easily been avoided if people kept their software up to date.

That particular infection is just one example to illustrate what is a very common infection pattern. Indeed, what may be the most widely spread malware on Windows—Conficker—is still infecting Windows systems more than five years after the vulnerabilities that it exploits have been fixed by Microsoft. Keep in mind that, once it gets onto a corporate network in the first place, much of Conficker’s ability to spread is to just find users on the network with weak passwords. Still, it does help illustrate the problem of people not keeping their software up to date, as the password guessing tactic only works after Conficker makes it onto the local network by some other means.

How to keep things up to date

On the Mac, Leopard and Tiger are no longer being updated. If you are using one of those systems, please move to Snow Leopard or Lion quickly. And if history is much of a guide, Snow Leopard will lose support within a few months after the release of Mountain Lion, which Apple has scheduled for summer 2012. As of this week, Mozilla has discontinued support for Firefox 3.6. In short: don’t use unsupported operating systems or web browsers. Just don’t.

Windows Update iconOn Windows, Microsoft still provides security updates for Windows XP (Server Pack 2), but they do so only reluctantly. They had wanted to end support in 2010, but are now continuing it through April 2014. If you are using Windows XP, you shouldn’t wait until 2014. The security changes between XP (released over a decade ago) and Vista are enormous, not to mention Windows 7 came out in 2009, and Windows 8 is almost upon us.

The operating systems are probably the easiest thing to keep up to date because they are typically configured to periodically check for available updates. But the software you install later can, traditionally, come from many different places, so it is usually harder to maintain. An increasing amount of software will automatically update itself, though, and Google Chrome is one notable example, with more browsers following suit. Some software will periodically check whether it needs to be updated and alert you, but new software delivery services like Apple’s App Store and Microsoft’s upcoming Windows Store can do all that heavy lifting for you.

For your most important software, it is vital to have some sort of easy or automatic way of checking for and install updates. In terms of security, here is an ordered list of what I think are the most important things to keep up to date:

  1. Operating Systems. You need to schedule Software Update (on the Mac) or Windows Update (on Windows) to check for updates automatically.
  2. Web browsers. In each web browser, you will be able to configure its updating habits in its preferences.
  3. Web browser plug-ins. These are the programs – such as Adobe Flash Player, Adobe Reader (on Windows), Java, and Silverlight – that are used to open certain kinds “in the browser” that the browser itself can’t handle natively.
  4. Email software. If you are using the email software that comes with your operating system (Mail.app or Outlook), then they will be updated with the operating system. But if you use a third party mail program, then you need to make sure that that is kept up to date.
  5. Anything that opens files that you did not create yourself. Whatever software you use to look at pictures, read word processor documents, work with spreadsheets, or listen to music files must be kept up to date.
  6. 1Password. Well, really any software that has to do with your security. 1Password automatically checks for updates after it is launched and will only check periodically in case you are like me and never relaunch it because you never close it. You can configure 1Password’s updating behavior in Preferences > Updates. You should also keep the 1Password browser extensions up to date, which is typically done automatically right within the browser.

That’s a lot of work to keep up with, but fortunately an increasing number of application developers are making updates easier and automatic. Tools like the Mac App Store make it even easier for people to see what needs to be updated. There will be some more discussion of that in Part 3.

2. Back up your data

Time MachineBacking up your data won’t actually do anything to prevent infection, but it will put you in a much better position to recover from one. Most malware tries to remain undetected so it won’t deliberately crash or destroy your system, but it can still introduce instabilities. Furthermore, there is a form of malware, known as ransomware, which encrypts your data and requires that you pay to get the decryption key.

Most importantly, good backups are a vital part of data security over all. As the saying goes, there are two kinds of computer users: those who haveexperienced a catastrophic disk failure, and those who will.

3. Pay attention to where your software comes from.

Even if the software and operating system you are using has no technical vulnerabilities that allow an attacker to get malicious software running on your computer, there is still a very simple way that they can get their software installed and running. They can ask you to install and launch it for them.

 Of course they don’t say, “Hey, here is some malicious software. Please download, install, and run it.” Instead, they say, “Hey, here’s a free horse riding game! No strings attached!” You can download and install it. Perhaps you enter your administrator password during the installation process. The download may even include a more or less working copy of the horse software.

Lurking inside the harmless game you brought in through your defenses could be enemies. They break out at night, kill your guards, and open the gates so their whole army can rush in.

The horse, standing high on the ramparts, pours out warriors,
and Sinon the conqueror exultantly stirs the flames.
Others are at the wide-open gates, as many thousands
as ever came from great Mycenae: more have blocked
the narrow streets with hostile weapons:
a line of standing steel with naked flickering blades
is ready for the slaughter

It should not come as a surprise that malware of this sort is called a “Trojan horse,” or just “Trojan.”

Trojan rabbitI am not for a moment suggesting that you shun all geeks bearing gifts. After all, making great things for people is what we geeks love to do. But along with not keeping software up to date, this a leading way that malicious software can be installed and run on your system.

This is one of the reasons why I’m excited by Gatekeeper, coming in OS X 10.8 Mountain Lion. It won’t be an entire solution to the problem of Trojans, but it may play a substantial part. In short, Gatekeeper will give you control over what apps run on your computer depending on who or where they come from.

4. Virus Scanning?

I’ve left anti-virus scanning for last on my list because I think it plays a distant third to keeping software and systems up to date and paying attention to where you get your software from. As one security researcher quipped, “anti-virus vendors have solved the malware problem so well on Windows that they are now bringing the same magic to the Mac.” On the other hand, it is useful to occasionally (or even regularly) run a scan of files on the system.

There are two ways that anti-virus software can operate. In one mode, they will search through most of the files on your system looking for malware,  either periodically or at a time you specify. In the more active mode, they inspect (almost) every file as it gets opened, but this mode can often slow down a system substantially or even make it less stable. (“Less stable” is a euphemism for crashing more.) Opinions about these vary widely (and heatedly). In both modes, the database that the anti-virus software uses needs to be kept very much up-to-date.

One thing to keep in mind is that, although Mac users should probably be more concerned about malware than they are used to (more on that below), they should be wary of reacting to the most alarming headlines, particularly when they are produced by by anti-virus vendors. While some vendors have kept a level head in their discussions, others have engaged in egregious fear mongering based on extremely misleading numbers. It is unfortunate that the least useful information with the most alarming headline is the one that gets the attention.

In any case, with Flashback, everyone should run one of the many free detection and removal tools that have been issued by reputable anti-virus vendors. One of the first was developed by Intego. Even if you have updated your software to fix the vulnerability that Flashback has been exploiting, once your computer is infected it will remain infected until the malware is explicitly removed.

Other tips?

There are load of other things you can do to improve system security. For example, I am a big advocate of not having your main user account be an administrator account. More steps to consider include adjusting firewall settings and using various blockers in web browsers. But the large majority of problems will be avoided simply by keeping software up to date and paying attention to where you get software from. We get diminishing gains in security from the more advanced techniques, particularly in comparison to the gains we get from the basic things that everyone should do.

In Part 3 of this series, I will offer some thoughts on the developing malware situation on the Mac, with a look at what might keep Macs relatively safe or not.

Only you should 0wn your data, Part 1: 1Password and Flashback

Over the last couple weeks, a topic in tech news has been Flashback, malware that seems to have gotten itself installed on (at least) about 600,000 Macs running OS X. Although there has been malware for Mac OS X for a long while, Flashback is the first to reportedly affect a substantial number of users. In at least one respect, it does represent an important change in the kinds of security threats facing Mac users.

This article is the first installment of a three-part series about the state of Mac malware and what all this means to you as a Mac and 1Password user. In today’s first part, I’ll discuss what kind of threat malware like Flashback does or does not pose to your password data. Part 2 will talk about malware more generally, with concrete tips about keeping yourself safe. Part 3 will talk about changes in threat landscape, and provide some ways of understanding the differences and similarities between the threats that Mac and Windows users face.

First things first

If you haven’t tested whether your system has been infected with Flashback, you should. By installing the latest security updates to Lion and Snow Leopard, you will get Apple’s Flashback removal tool. Just use Software Update on your Mac. I write more about keeping your system up to date in Part 2 of this series.

Mac Software UpdateApple, to say the least, has not been the most fleet of foot in addressing the threat, so you may be tempted to look elsewhere for detection and remove tools. Every anti-virus vendor offers free (or free trial) tools that will detect and remove Flashback. I’ll talk a bit more about anti-virus software in Part 2, but for now let me just point out that they have an incentive in scaring people and publishing hyperbolic claims. I haven’t (and won’t) evaluate the various products they have to offer, but personally I would be more trusting of those companies who provide useful, level headed information over those that try to scare you.

The quick answer

We do not see the Flashback infection as a significant threat to your 1Password data. But the single best thing you can do to protect your 1Password data if your machine is infected in any way is to have a good Master Password.

The encryption on your 1Password data has been designed from the outset to withstand concerted attack if it gets captured. Whether it is captured through your computer being stolen, a compromise of a syncing service, or through a compromise of your computer through malware, it can’t be decrypted without your Master Password.

The second thing about 1Password’s design is that it only decrypts the smallest amount of information needed at any one time. Even when your 1Password data is unlocked, all of the information is encrypted except for the particular item you are dealing with at the time. This means that there are no decrypted temporary files. This is an important – and often overlooked – security feature. 1Password never decrypted usernames and passwords while just sitting around.

Of course, when it comes to security questions, there really are no quick answers. So the rest of this article goes into more detail.

Theory and Practice

It’s a wonderful day when I can meaningfully quote Yogi Berra:

In theory there is no difference between theory and practice. In practice, there is.

In principle, once your computer is compromised it is no longer “your” computer. In some juvenile jargon your system is ownedIn theory, if malicious software is running (with sufficient privileges) on your computer, then everything you do and see belongs to the attacker. This could, in principle, involve modifying all of the software (including the Operating System) that you use. So in theory, once your computer is taken over, there is pretty much nothing that can protect you. Fortunately, practice is much different than theory.

In practice, malware tries to remain small. It makes only the minimal changes to your system that are required for its specific job, and most of those changes are attempts to cover its tracks. Because we know the kinds of things that malware–in practice–does, we have been able to design 1Password to protect your data against those sorts of attacks.

Flashback, for the most part, opens a back door that allows its operator to install or modify things on the infected computers later. That is, computers that are infected become part of what is called a botnet. These are often used to relay or to launch certain attacks on more high-value targets. By using machines in a botnet, the attackers can cover their tracks and leverage huge numbers of machines to make their attacks more powerful.

Because machines in a botnet are awaiting commands from those who control the botnet, it is hard to answer the question “what does Flashback do?”  Symantec has just published a fascinating analysis of  how Flashback has made money for its operators. It inserts itself into web browsers to hijack certain advertisements and clicks, so ad revenue that would otherwise go to Google goes to the operators of Flashback.

Even with our better understanding of what the Flashback operators were after, we still have to ask what the operators of a botnet could, in practice, do with an infected computer. Here I will focus on two things that malware can do that pose a risk to password data, even if this isn’t primarily what Flashback was after. One thing is that malware can install software that would scan your computer for lists of passwords. The other point of concern is that is can install malicious software into browsers that try to capture passwords as you use them.

Hunting for lists of passwords

One thing that can be installed through the backdoor is a system that searches your computer for lists of passwords. There is a history of this in Windows malware, so we should assume that those who have a back door into your computer have the same capabilities and interests.
The good news for 1Password users is that such malware goes after “home-grown” password management systems. They are not at all prepared for a well-designed system like 1Password.

Many people, faced with the problem of remembering lots of passwords, develop their own password management system. Often people will simply list their passwords in a word processor document, such as Microsoft Word, or in a spread-sheet. It is those files that this sort of malware goes after. Even when people encrypt those files, the password that they use to encrypt that data is often not protected by measures to resist automatic password cracking tools. Furthermore, when people decrypt those files to work with them, often temporary files are created with the data decrypted. Password collecting malware goes after those too.

1Password’s design resists those sorts of attacks. We use PBKDF2 to make it much much harder for an attacker to run a program that tries to guess your Master Password. We’ve also been beefing up this defense to keep ahead of developing threats.

We are also very careful to only decrypt small amounts of data at a time instead of decrypting everything. This means that (with the exception of file attachments) decrypted data is never written to disk. This means that there are no temporary or cache files that could be picked up by an attacker on your system. These are some of the behind-the-scenes considerations that go into 1Password, but are rarely considered in home-grown systems, which makes them such ripe target for malware.

Target of the DevilRobber

Poorly designed, home-grown, systems are the typical targets of malware data collection, but does that mean no malware would ever include 1Password data among its targets? Not at all. Indeed, I wrote about a case like that last November involving DevilRobber, another piece of malware. DevilRobber didn’t get much attention because it didn’t get very far, but it did collect a great deal of information from the few machines that were infected.

Whoever collected that data would still need to guess someone’s 1Password Master Password to get encrypted information out of the file. But once we learned that people were actively going after 1Password data files, we made some changes with some more to come.

If I can be forgiven for repeating myself, the single best thing you can do to protect your 1Password data is to have a good Master Password.

Password collection in Safari

Some versions of Flashback are reported to have added things into Safari to capture password you might enter for sites in the browser. If your browser had been infected this way, then passwords that you typed or pasted into web pages are likely to have been captured. This does not include your 1Password Master Password.

Passwords that were filled by 1Password (not pasted or manually typed) are unlikely to have been captured, but I can’t be absolutely certain of that. Although it may seem that 1Password is just pasting in or typing in your usernames and passwords for you, that’s not what is really going on. 1Password’s form filling mechanism works much closer to the bone, thus reducing the chances that something could intercept the data that 1Password fills in.

Still, because you may have pasted passwords instead of having 1Password fill everything, if your system has been infected, you should use Apple’s aforementioned Flashback removal tool and change some of your passwords. Start with your more important and frequently used ones. Passwords for email services are the first thing that attackers like to go after. After that, it’s banking and popular on-line retailers.

Even if your system was infected, there are a lot of unknowns that all act in your favor: whether you had a Flashback variant that monkeyed with Safari; whether passwords were entered in a way that the malicious software could capture; whether the people gathering that data have the resources to exploit it. One of the biggest unknowns is that many infected Macs have not been able to communicate with the command centers—the systems on the network that are set up to give instructions to infected Macs or collect data from them. Network operators and security companies substantially disrupted communication with the command centers.

Complacency or panic

Frightened people make poor security decisions, just as people who are overly complacent do. Flashback poses a non-negligible threat to your 1Password data, but “non-negligible” doesn’t mean “large”. It doesn’t even mean “significant” in this case, but it does mean that we shouldn’t ignore it. So let me repeat the advice I gave above that if your machine was, in fact, infected with Flashback, after you get it removed and your system up to date, do change your most important and frequently used passwords.

1Password 3.6.5 for iOS is out with PBKDF2 goodness!

1Password Pro icon1Password for iPhone, 1Password for iPad, and 1Password Pro (for both iPhone and iPad) have just been updated to version 3.6.5. All of the changes are behind the scenes, but they include a great security enhancement to how your Master Password is protected. Different versions may become available at different times in different locations, so if your free update isn’t ready for download just yet, try again in a little bit.

In addition to the security enhancements discussed below, there are a few bug fixes, more syncing in the background, and some images tailored for the Retina display in the new iPad. If you just want the cliffnotes, here we go:

★ Improved security. Now using 10,000 PBKDF2 iterations to protect the encryption key.
★ Dropbox authentication tokens are now stored in the system keychain.
★ Better support for iPad retina display.
★ Improved Login filling.
☂ Bug fixes.

But if you want to learn a little more about what we’re doing under the hood to protect your 1Password data, venture on.

10000 PBKDF2 iterations

Your Master Password on your device is now protected with 10,000 iterations of PBKDF2. What this means is that if an attacker were somehow to get hold of your encrypted 1Password data from your phone (not an easy thing to do if you take proper precautions), it will be even harder for them to run automatic password guessing software against your master password. PBKDF2 makes the mathematical process of checking whether a Master Password is correct much longer and more difficult.

Your secrets are very well encrypted and protected by your Master Password, but these new measures strengthen that protection. You can read about PBKDF2 in an old article, Defending against crackers: Peanut Butter Keeps Dogs Friendly, Too to get more details as it applies to 1Password on the desktop; the same ideas work on iOS devices.

Why change things now?

We’ve long considered using PBKDF2 in 1Password for iOS. The advantages of using it are clear: It provides substantial additional resistance to attacks by password guessing software if your encrypted data falls into the wrong hands. There are a few reasons why now was the right time.

We have faster devices

The principle reason this didn’t come sooner is that, with PBKDF2, unlocking your 1Password data on older devices will take noticeably longer and will consume more power than not using PBKDF2. People running 1Password on first generation iPhones will now have an unlocking delay that may last up to a couple of seconds, and a delay of about one second on the iPhone 3G and on the  first generation iPod touch. Delays should not be particularly noticeable on newer devices, and the vast majority of our customers now use 1Password for iOS on said newer devices.

A great feature of iOS 5 and OS X 10.7 is that the number of PBKDF2 iterations can be calibrated to the particular device. We will be making use of that in 1Password 4 for iOS, and we already make use of that in 1Password 3.9 on Lion.

Finding the right implementation

A lesser reason is that the development toolkits for iOS 3 don’t include functions for performing PBKDF2. We try to work with established tool kits as much as possible. iOS 4 (and particularly iOS 5) contain built-in features that make it easier to write programs that perform complicated encryption functions.

That said, we are still able to bring PBKDF2 to 1Password running on iOS 3. Yes, it will be slow and power hungry on older devices, but it is possible because we found a way to take the PBKDF2 function from the OpenSSL libraries and incorporate it into our code. So even though this isn’t in the Apple supplied SDK for iOS 3, we are able to use a well tested and reviewed implementation.

Changes in the threat landscape

There has also been a change in the threat landscape since we first developed 1Password 3 for iOS. There are several “forensic” tool kits on the market for breaking into iOS devices. As new ways in which data can be taken from iOS devices come to light, we need to provide even better protection against off-line attacks on your 1Password data.

It is probably far less likely that that someone will capture your encrypted 1Password data from your iOS device than your 1Password data from your computer. A stolen computer, unless you use FileVault or some other disk encryption, means that your 1Password data will be available to who ever gets a hold of your disk. This is why we built PBKDF2 into 1Password on the desktop a long time ago.

But it is also the case that most people use better Master Passwords on their desktop systems than on their mobile devices. And so, in the less likely event that the data gets captured from an iOS device, the master password could do with extra protection. If everyone had sufficiently strong Master Passwords, PBKDF2 wouldn’t be necessary. But let’s face it: a very strong Master Password on an iPhone is a Master Password that won’t get used much.

Elcomsoft analysis

Although we have long been aware of the benefits of using PBKDF2, a recent report (PDF) by researchers at Elcomsoft highlighted how quickly a master password could be cracked without the additional protection of PBKDF2. We discussed that report in a recent blog post, “Strong Security Requires Strong Passwords“.

Other security improvements

Dropbox OAuth tokens

1Password stores your Dropbox username and password very securely on iOS for automatic syncing, but it hasn’t been quite as careful with the OAuth tokens used when connecting with Dropbox. If this data is copied and used on another device, it would grant access from that other device to a Dropbox account. We have fixed this in 1Password 3.6.5 for iOS.

We’ve discussed this issue extensively in a recent blog post: OAuth, Dropbox, and your 1Password data.

Padding, integrity, and standards

We try to stick to standards when it comes to encryption and protocols, but even well established standards can later be discovered to be flawed. There turns out to be a design problem with the padding scheme used as parts of the PKCS standards. Introducing PBKDF2 (also defined in the same set of standards) gets around the problem.

I won’t go into much detail, but here is a little background into the issue. An encryption algorithm like AES works on a block of data at a time. In the case of AES the blocks are 16 bytes (128-bits) long. Because the data to be encrypted won’t always be a multiple of 16 bytes, some extra data gets added to the end to “pad” it out to a multiple of 16 bytes. The details of the padding scheme have to include some clever tricks so that when the data in decrypted, the decryption process can recognize where the pad begins, so it knows what to remove.

The problem is that the padding scheme has also been used as an integrity check. That is, it provides a signal to the one decrypting the message whether the data has been modified. Padding is not well suited to that purpose, but that usage means that under certain circumstances it can be used to very quickly verify whether something has been decrypted correctly. The attacker is saved an extra decryption trial in testing whether they have “guessed” the right password.

The simple solution is to make use of cryptographically appropriate integrity checks, Message Authentication Codes (MACs) after encrypting the data. That is, the integrity check is performed on the encrypted data instead of on the plaintext. By using PBKDF2 we are forcing an attacker to go through a large number of extra steps with each “guess”, overwhelming any advantage an attacker might gain through the PKCS padding problem.

Processes and products

All this allows me to bring up a point that we’ve made before but will continue to make: Security is a process, not a product. One aspect of this is that a tool that your security depends on is never “done”. This is not the first security improvement we’ve made over the years, and it certainly won’t be the last. But process isn’t only in updating product. Process is about how people do things. That includes our own testing procedures, and it also includes always working to understand how people use 1Password so that we can continue in our effort to make the easy thing to do also the secure thing to do for people.

[Update April 11: Several people, including Quirks In Tech, have correctly pointed out that I should have been much more explicit in this post about the role that the Elcomsoft report played in our decision to start using PBKDF2. Earlier drafts of this included an extensive section on exactly that, but it got lost as I tried to cut this down to size. I've added a short section back into this post. -jeff]

OAuth, Dropbox, and your 1Password data

1Password in DropboxA number of iOS apps, including 1Password, have a security problem in how they handle OAuth tokens. 1Password 3.6.5, which was submitted to Apple several days ago, fixes this. This will be a free update for all owners of 1Password for iPhone, 1Password for iPad, and 1Password Pro (for iPhone and iPad). We can’t predict how long Apple’s approval process will take, but the update should be available soon, if it isn’t already by the time you read this.

Because of this bug, someone who gains physical access to your device may be able to copy authentication tokens off of it, then install those tokens on their own device to access your Dropbox data. It is not entirely clear at the moment under what circumstances an attacker will also need the device passcode. It appears that if the device has previously been synced with the computer the passcode isn’t required. In any case it is important to protect your iPhone, iPad, or iPod Touch protected with a good passcode.

We have been extremely careful in how we store your Dropbox username and password for automatic syncing, but like many others, we didn’t take the appropriate precautions when it came to OAuth tokens. These tokens allow quick connection to Dropbox (Facebook and other services also use OAuth). Of course, any 1Password data that an attacker fetches from your Dropbox account is still encrypted by 1Password.

In 1Password 3.6.5, which we submitted to Apple at the beginning of the week, we store OAuth tokens securely in the iOS keychain, where they are properly encrypted and cannot be copied to other devices. However, if other apps that use Dropbox have the same problem (and it looks pretty common), then OAuth tokens can be copied from those apps as well.

The OAuth problem

The problem of how OAuth tokens are stored was first discussed Tuesday (April 3) by Gareth Wright reporting on the Facebook iOS app.OAuth logo Since then, it became clear that the Dropbox app itself has the same problem. Presumably there are many other apps that connect to services like Facebook or Dropbox that are unfortunately in the same boat.

Dropbox have told The Next Web that:

[Our] Android app is not impacted because it stores access tokens in a protected location. We are currently updating our iOS app to do the same.

Facebook’s initial statements have been less clear, but no doubt they will be submitting a fix soon.

For one of the best discussions of this whole thing, please see the report and analysis by The Next Web.

What this means for you and your 1Password data

1Password Pro iconThis design problem, both in versions of 1Password prior to 3.6.5 and in other apps, means that it is easier for an attacker to get hold of and manipulate your 1Password data stored on Dropbox than we had anticipated. I used to say that it was far more likely that someone could get hold of your 1Password data by stealing your Desktop computer than by getting it off of Dropbox. I certainly have to revise that assessment.

The good news is that your usernames and passwords  (along with notes and attachments) are well encrypted. Even if someone gains full control of your Dropbox account they will not be able to get at the secrets encrypted in your 1Password data. We have also been busily working on an updated version of our data format that is even better suited for life in the cloud.

You can also manage which devices are allowed to connect to Dropbox. That is, you can instruct Dropbox to reject certain OAuth tokens and also view the the last few times each authorized device has connected.

To manage your Dropbox devices, log in to your Dropbox account with a web browser, and under your account name, go to Settings and then “My Computers”. If you suspect that an OAuth token has been stolen, you can unlink the computer or device. After that you will need to relink the computer or device to your Dropbox account using your Dropbox username and password.

Alternatives to Dropbox

Every time there is a security issue with Dropbox, people rightfully suggest that we offer alternative syncing mechanisms. At this point, there is nothing that I’m in a position to say beyond what we’ve said earlier in “Dropbox Terms“. There are developments, but nothing I am even willing to hint at just yet.

More security changes to come in 3.6.5

The changes coming in 3.6.5 are all about security and bug fixes. Please see “1Password 3.6.5 for iOS is out with PBKDF2 goodness!” for details.

Appendix: When is a passcode required for this attack?

When an iOS device is connected to a computer that it hasn’t connected to previously, the user will be prompted to enter the passcode on the iOS device. After that first connection, the computer will store some keys that will allow it to unlock the iOS device for future connections.

So once you have unlocked your iPhone for a particular computer, when you plug it in later, you do not need to unlock it for the file system on the device to bevisible to tools like iExporer. This is presumably why initial reports of this issue claimed that no device passcode was necessary to extract the files containing the OAuth tokens.

There is, unfortunately, one further complication. iTunes will automatically unlock the device for any user account on the same computer that the device has previously been unlocked on. That is, if Alice and Bob both have user accounts on the same Mac, and Alice has at one point entered the her passcode on her iPad to allow syncing, then Bob will be able to gain access to most of Alice’s iPad simply by using iTunes in his account on the Mac. What is worse is that Bob’s account on the computer can also be a guest account, and he will still have access.

All of the testing I have done has been with iTunes 10.6.1 on Mac OS X 10.7.3 (Lion). I have not tested this with iTunes on Microsoft operating systems.

What is worrisome here is that exactly the same people (co-workers, family members) who have the easiest access to your iOS devices are very likely to have some account on the same computer that you have used.

Still, passcodes do matter so please remember that a good device passcode is a good idea.

Data protection classes

As of 1Password 3.6.5 we put the OAuth information into the iOS keychain using the “ThisDeviceOnly” data protection class that will not allow the OAuth token to be copied from the device unencrypted. There is a bit of terminological muddle in that “ThisDeviceOnly” and “ProtectionComplete” mean the same thing except that the former is used with keychain items and the latter used with files. I prefer the term “non-migratable” to cover both.

The application property lists files, plists, contain app preference settings, and this plists do not have the non-migratable restriction on them; they are fully accessible once the device has been unlocked. Note that data with the non-migratable restriction  cannot be restored from an iTunes or iCloud backup to a different device. So if you replace your iPhone or iPad, you will need to re-enter your Dropbox credentials to reestablish automatic syncing.

Please join the discussion of this on our forums.

The ABCs of XRY: Not so simple passcodes

1Password Pro iconWhen talking about reports of tools that break into iPhones, it is very important to remember that the seller may be inclined to overemphasize its capabilities. It is also wise to keep in mind that the more sensational claims are the ones that tend to be picked up, and perhaps amplified, by the press. In this light, let’s talk about Micro Systemation’s XRY, a cracking/forensics tool for extracting data from iOS and Android devices.

XRY, despite its recent press attention, does not appear to represent anything new. Everything that we said in Lost iPhone? Safe passwords! still holds true. Your 1Password data remains encrypted. That is, even if an attacker gets through all of the the iOS security, including capture of the device passcode, he or she would still have to break your 1Password Master Password to get at your 1Password data.

XRY logo

News of XRY has been circulating since Andy Greenberg of Forbes drew attention to it and to Micro Systemation’s video demonstration. The demo shows discovery of an iPhone’s passcode in a matter of second. This should naturally cause concern for everyone who cares about their privacy.

But I’m going to try to sort out what the real concerns are, and what you can do to to better protect yourself.

Cracking passcodes

Elcomsoft logEven though your 1Password data remains protected, tools like XRY or Elcomsoft’s iOS forensic toolkit do represent a threat to the secrecy of other data stored on your device.  Furthermore, most people will have weaker 1Password Master Passwords on their phones than they will on their desktop systems. This means that we do need to be a bit more concerned about what happens if people steal your encrypted 1Password data from your iOS device than if they steal your encrypted 1Password data from your desktop or Dropbox. Therefore it is worth spending a bit of time talking about device passcodes and the security of your iOS device in general.

Note that when I talk about your “device passcode” I’m talking about the passcode that is used to unlock your iPhone, iPad or iPod touch in the first place (assuming you set one, of course). I am not talking about your 1Password unlock code or master password. Those are different things. The tools described are all about breaking the device passcode and what can be done once that is available.

First, these tools jailbreak the device. This allows the user to then run a brute force attack on the device passcode. That attack must be run on the phone itself because it is tied to a unique device key. You may think that running through all of the passcodes, 0000—9999 would just take a fraction of a second, and under normal circumstances you would be absolutely correct. But Apple has protected the passcode with PBKDF2, which forces each trial to perform thousands of complex computations. Although things will differ from device to device, Apple appears to have tuned things so that it takes about one quarter of a second to process a single guess.

Without having hands on experience with XRY I can’t be absolutely certain of this, but I strongly suspect that the reason that it was able to discover the passcode so quickly in the demonstration was because the passcode was “0000”. That is, “0000” may be the first passcode it tried. At four guesses per second, it would take about 40 minutes to try all possibilities, with an average break time of 20 minutes. As we’ve seen, sometimes it can hit upon the correct guess quickly, but in other cases it may take the full 40 minutes.

Not so simple passcodes

Settings screen to turn Simple Passcode OffTwenty minutes to break into your device is still too quick for many of us to be comfortable with. Fortunately it is easy to set a longer passcode on your device. Launch the Settings app and go to General > Passcode Lock. You will be asked to re-enter your passcode at this point; after all, you wouldn’t want anyone who picks up your unlocked phone to be able to fiddle with its security settings. Once you’ve done that, you will have a screen with lots of options. One is called “Simple Passcode”—switch that to “Off” (the Simple Passcode means using a simple 4-digit number). Once you switch Simple Passcode to “Off” you can have longer and more complex passcodes.

Passcode entry for all numeric codeLet’s suppose that you wanted to use a six digit passcode. It would take almost three days to attempt all one million possible six digit passcodes. The average crack time would be half that, at about 35 hours. All the while, the phone needs to be attached to the attacker’s computer. For an eight digit passcode, it would take on average about four and a half months to crack. Each additional digit multiplies the attack time by ten.

If you want to use just lowercase letters and the space key, then with a five letter passcode it would take about three weeks to guess, and for six lowercase letters it would take about a year and a half on average. Each additional letter (or space) multiplies the crack time by 27.

The table below gives some sample average crack times. Assuming that your passcode is random, I count 27 possible lowercase “letters” (26 letters, plus the spacebar) and 53 mixed case “letters” (52 letters, plus the space bar).  Although we don’t know how XRY guesses, Elcomsoft has previously advertised that when confronted with a non-simple passcode, their system will try some commonly used non-simple passwords first.

[Click for HTML version of this data table]

So what kind of passcode is right for me?

When trying to figure out what the best kind of passcode works for you, there are a couple of things to keep in mind. The first one is that for someone to launch this attack they need to be in full possession of your phone during the whole time. The attacker can’t just grab your phone briefly and then do the rest of the attack later. So you need to think realistically about how much time and effort someone would put into getting at your data.

Also remember that this is just to get at your device’s passcode. It is not about your 1Password data which is protected separately in a number of ways, including your Master Password.

You must consider how easy the passcode is for you to enter. One very convenient feature of iOS is that if your passcode is digits only, you will be presented with a numeric keypad, making it much easier and quicker to enter. Likewise, if you keep your passphrase to lowercase letters only, you don’t have to shift keyboards. The passcode that I’ve personally been using falls into the ‘months to crack’ category. Your choice may be different.

What about 1Password data?

Your 1Password data is protected by several layers, the device passcode is only one of them. iOS prevents one application from seeing the data belonging to another application on the device. This can also be a layer of defense, but it is not one which will withstand most jailbreaks.

So finally we come to your 1Password Master Password for the data on your device. This is the final layer of protection. Note that if you use a 4-digit 1Password unlock code, it is just a convenience feature to allow you to do some things within 1Password without having to enter your full Master Password; it is not intended to be a meaningful layer of security.

Put simply: you should use the longest master password on your device that you are comfortable typing regularly. If it is a real chore to type, you won’t use 1Password enough to get its security benefits. Because typing on a desktop system, an iPhone, and an iPad are very different experiences, we have set things up so that you can have a different Master Password for each. The Master Password that I use on Mac and Windows is complex enough to be entirely unusable on an iPhone. This means, however, that my Master Password on my iPhone and iPad are substantially weaker than what I use on the desktops, which brings us back to why I am concerned with overall security of iOS devices.

As we’ve often said before, security is a process, not a product. So look for further security enhancements in 1Password for iOS in the not too distant future. As usual, I don’t want to say anything more specific until this is delivered.

Other claims in reports about XRY

One the the most frightening paragraphs from the Forbes article on the XRY demo reads:

As the video shows, […] XRY can quickly crack an iOS or Android phone’s passcode, dump its data to a PC, decrypt it, and display information like the user’s GPS location, files, call logs, contacts, messages, even a log of its keystrokes.

While it is true that the demonstration video suggests that XRY can do most of that, I am far from convinced that it it actually exhibits those capabilities, at least not as stated in those words.

I have no hands-on experience with XRY or any information that isn’t publicly listed on the Micro Systemation website, so my comments here are necessarily speculative.

“Quickly crack passcodes”

As discussed above, there is absolutely no indication from the video that XRY can do much better than four guesses per second when cracking passcodes. It would be a truly major break(through) if they either found a way to defeat PBKDF2 (in which case it wouldn’t just be phones that they could go after) or discovered a way to perform these passcode trials off-line. Such breakthroughs would be widely trumpeted, and they would have been able to perform a very different demonstration. The fact that their target passcode was “0000” only reinforces my view that there is no breakthrough.

Note that they might be able to get a slightly better crack rate on an iPhone 4, running iOS 4. But iOS 5 contains mechanisms to set the PBKDF2 iterations appropriately for the hardware it is running on. It’s worth noting that they used iOS 4 on an iPhone 4 in their demonstration.

“Display user’s GPS location”

In the video we are told that they found some “google maps data”. Whether or not this is a place that the phone has been is left entirely unclear.  Because there were only a couple of such data items listed, I am skeptical that it does represent actual phone locations. There also was a bit of a kerfuffle about a year ago when it was believed that Apple tracks an iPhone’s location. As it turned out, that wasn’t quite what was going on. It doesn’t appear from the video that the location data they are getting is anything like what is in the location cache database.

“dump files”

The video shows the inspection of a file called “keychain-2.db”, which seems scary enough, but there is no reason to believe that data within that file can be decrypted.  However, with a sufficiently jailbroken device with the passcode in hand, it is plausible that the information in there can be decrypted. They then go on to “the log file” and show that the device passcode is in it. What may not be immediately clear is that this is log file is created from their own password cracking process.

The log file that is being read there was actually created by XRY itself. There will, of course, be sensitive data (such as contact information) available to them after a cracking the passcode, but the demonstration does not illustrate those examples.

“logs of its keystrokes”

I am not certain where the impression of a keystroke logger comes from. I saw no implication of that from the video. Perhaps it is the discovery of a swipe pattern on the Android 2.3.3 (Gingerbread) system that was shown. Note that there have been two major releases of Android (Honeycomb and Ice Cream Sandwich) since the version used in the demonstration.

A large grain of salt

I am not in any way disputing that tools like XRY and the Elcomsoft toolkit can be useful for law enforcement. And I am certainly not suggesting that these shouldn’t be worrying to anyone concerned about their data and privacy. My point is simply that sensational claims about security issues need to be examined carefully. The more we examine some of the claims about XRY, the less frightening they become.

In sum

This was a long article, so I’d like to highlight a few main points

  1. Press reports based on marketing videos are not the most reliable way to to understand security threats.
  2. XRY, in particular, illustrates no threat that we haven’t addressed before. In particular, your 1Password data on your phone is encrypted and protected by your 1Password master password even if your phone becomes entirely compromised.
  3. It is probably time to move beyond simple 4-digit pass codes for your iOS device. If you use a longer sequences of digits, it will still be quick and easy to enter.
  4. For advice on what to do if your iThingy gets stolen, please see an earlier post that includes such advice.

By adopting reasonable security practices, such as using 1Password and moving beyond a 4-digit device passcode, we can enjoy on the benefits of our mobile devices without having to live in fear of what happens to our data if someone gets a hold of the device.

Update: Micro Systemation have removed their demonstration video from YouTube. Also someone more familiar with the jailbreaking technology has reported on this and points out that the tools at XRY uses do not work with the iPhone 4S, the iPad 2, or the new iPad. It also confirms my view of the password cracking time.

One phish, two phish; old phish, new phish

The easiest way to discover someone’s password is to ask them for it.
—Folk wisdom in the security business

There are many ways to trick people into revealing their passwords, but one of the most commonly attempted is phishing. If you can lure people to a website that looks like Paypal’s, but is actually under your control, then you can often steal their usernames and password to Paypal. This is one of the reasons why so many sites of this nature warn users to pay close attention to the URL in the location bar. “paypal.com” is not the same as “paypalc.om”.

When location bars can’t be trusted

The information in the location bar is one of the defenses against phishing, but David Vieira-Kurz of Majorsecurity discovered a bug in AppleWebkit on the iPhone, iPad, and iPod Touch that gets around this defense. AppleWebkit is the technology that underlies not only Mobile Safari but pretty much every app that has a built in web browser. This bug allows a malicious website to place a false URL in the location bar of the browser. Now is probably a good time to point out that 1Password on your iOS device protects you against this, and I’ll get into the how and why below.

Mobile Safari majorsecurity demo

Mobile Safari incorrectly displays this as being from apple.com

Majorsecurity has set up a page to demonstrate this bug. If you visit that with Mobile Safari and tap the Demo button you will see a page that looks like Apple’s homepage and will falsely contain www.apple.com in the location bar. I haven’t investigated how this trick would interact with the website authentication provided by SSL/TLS (when you connect to a secure “https” site), but as people don’t always check whether they are connected to an https site, this new bug could definitely lead to more successful phishing.

1Password’s phishing defense

Login for majorsecurity.net

1Password provides defense against phishing by carefully checking the domain to which the browser is connected. So it will only report a match for your Login for, say, Paypal when you really are visiting a site in the paypal.com domain. As a quick demonstration of this, I’d like to show that 1Password on my iPhone correctly recognizes the Majorsecurity demonstration as being on majorsecurity.net and not as the apple.com site it masquerades as.

I already have a number of Logins for the domain apple.com, but I created a new Login for majorsecurity.net. The username and password I set up for that are “foo” and “bar”. (I think you will understand if I’m not going to tell you my username and password at Apple.com.)

1Pt at majorsecurity.net demo

1Password correctly sees this as majorsecurity.net

When I go to Majorsecurity’s demonstration page using 1Password on my iPhone, then tap their “demo” button, I am brought to a page that looks very much like Apple’s homepage. (Majorsecurity puts a little warning text in there to help you see that it is actually not Apple’s real home page.) And when I tap the 1Password globe to bring up the credential for the site, 1Password correctly gives me the username and password I’ve set up for majorsecurity.net; it does not bring up any of my apple.com Logins. 1Password knows what site I’m talking to despite the tricks that the site uses.

Ask and you shall receive

As you can see, 1Password makes it harder for you to fall victim to a phishing attack, but it can’t, for example, prevent you from revealing your passwords over the phone or in other ways.

Let me tell you about my own deviousness. Sometimes when I talk about password security to a group of people, I offer a challenge that I will be able to discover a password of their choosing. When I get a volunteer, I ask them to write the password down on a piece of paper, fold the paper and bring it to me. For a little while I go through a show of fiddling with my laptop, and I definitely ask them to use a password that doesn’t reveal a personal secret. (A surprising number of passwords people pick are things like “ILoveJenny”.) Finally, after enough mumbo-jumbo, I simply read the password that the victim so conveniently wrote down and gave to me. This is when I announce that the easiest way to discover someone’s password is to ask them for it.