
Only you should 0wn your data, Part 3: The Mac malware landscape

It’s tough to make predictions, especially about the future.

—Yogi Berra

In Part 1 of this series I discussed how your 1Password data may (or may not) be threatened if your computer gets infected with some kind of malware, particularly Flashback. In Part 2, I reviewed the few simple things everyone should do to keep their systems safe. In this part, I will discuss ideas about the relative threats of malware on Mac and Windows, and what has been changing.

I have a nearly perfect record of making incorrect predictions about malware on the Mac, putting my prognostication skills on par with DigiTimes. For many years I’ve been saying that malware will become a serious issue on OS X “in the next year or two”. I have been consistently wrong with those predictions. So about a year ago, I took a different approach. I tried to understand why I had been wrong, and listed a few new reasons why there hasn’t been a real malware problem on OS X. What I offer here – instead of anything resembling predictions – are some things to keep in mind when trying to understand the relative frequency of malware on OS X versus Windows.

It isn’t 2002 any more

Bob and Charlie are out camping when a bear attacks their campsite and comes menacingly toward them. Bob puts on his running shoes. Charlie asks, “Why are you putting on your running shoes? You can’t outrun the bear.” Bob answers, “I don’t need to outrun the bear. I only need to outrun you.”

When OS X was first introduced, it was perfectly correct for people to be pleased that Apple had “brought the security of Unix” to the Mac. In comparison to the competition, and especially in comparison to Mac OS 9, the Unix security architecture was a great improvement. Unix had been designed from the outset to be a multiuser system. A single Unix computer was designed so that several different people could use the computer (and at the same time). This meant that not everyone using the computer was supposed to be master of everything that is on it. Individual users needed to be protected from things done deliberately or accidentally by other users, and the system as a whole needed to be protected from its users.

Unix, then, had important security features built into it from the beginning. Operating systems that were designed for personal computers didn’t initially have these kinds of protections. For the most part, the user, and any program that they ran, could do anything with the system. Over time, Microsoft added more protections into Windows, but it still was hampered by its legacy. Macintosh operating systems, up to and including Mac OS 9, offered no protections against the damage that a single user program could do. In the years immediately after OS X was introduced it was perfectly correct to say that it had better security because OS X rests on secure Unix foundations. Some of you may recall the “I’m a Mac” adverts that highlighted the fact that Macs were far less prone to malware than Windows systems were. Apple’s relatively low market share, and the relative security strength of OS X at the time, meant that few malware developers targeted the Mac.

But a lot has changed since those days. Not only has the number of Mac users increased enormously since OS X was introduced, but Windows operating systems became much more secure. Between the time that Windows Vista was introduced in January 2007 and OS X 10.7 (Lion) was introduced in July 2011, it is very reasonable to say that Windows had the more secure design. (People may legitimately argue that Windows was stronger during other periods as well, but I want to specify a time that pretty much everyone will agree on.) It should be noted that it was near the time that Vista came out that Apple toned down its claims of relative security in its advertising.

Last summer I had the pleasure of visiting the Grizzly and Wolf Discovery Center in West Yellowstone, Montana. Among other things, they test containers for “bear resistance”. It is clear that bears will take the easier approach. If the carefully designed bear-proof lid is too much trouble for them, they will look for something less secure. If bears understand that relative security is what matters, I think we should learn this lesson from them. Returning to Bob and Charlie, we see that when running away from an angry bear, you don’t need to be faster than the bear itself; you only need to be faster than others that the bear might be after.

OS X has been consistently improved over the last five years, but by many measures it had a poorer security architecture than what was available from Microsoft during that time. When malware developers are deciding what targets to put effort into, they are looking at the relative payoffs and ease of attack. Andy Greenberg, over at Forbes, discusses the importance of looking at strengths and weaknesses in relative terms.

The increasing number of Macs and the shifts in the relative strength of the security architecture led me to make my spectacularly incorrect predictions about Mac malware during the past decade. (Fortunately for any reputation I might have, I only made those predictions on Usenet, which – I suppose – almost keeps those statements protected by steganography.)

Although my predictions turned out wrong, I don’t think it was because I misevaluated the relative security of the systems. Nor do I think that I was wrong about the importance of relative security. After all, I should be smarter than the average bear. Instead my error was that I failed to look at other things that kept malware developers focused on Windows. Let’s look at those now.

Malware development toolkits were Windows specific

When a malware developer finds a way into a system, they need to be able to do something once they are inside. Returning to the Trojan wars analogy from the previous article, when Ulysses and his army were finally inside the gates of Troy, they needed to have swords and spears to complete the job. Pea-shooters would not have done them much good, even though they did breach the defenses. Over the decades, malware developers have assembled a large arsenal of tools they can use once they’ve found a way to sneak in.

Because malware developers have a huge set of tools and knowledge developed over decades from exploiting Windows systems, it is easier for them to get results attacking Windows systems. If they attacked Macs, they would need to develop many of those tools from scratch. Economists call this “asset specificity.” If you manufacture trucks, but see a potential for more profit in selling motorcycles, you will be reluctant to make the move because you would have to retool your factories and develop entirely new sales and distribution networks. That is: you already have a system (assets) in place for manufacturing and selling trucks, and you would need to acquire new (costly) assets to shift to the motorcycle business.

My biggest worry for malware on the Mac is that the bad guys have developed the specific assets needed to make going after the Mac profitable for them. The (still developing) history of Flashback illustrates that toolkits are now being developed for the Mac. When Flashback was first discovered in September 2011, it was delivered as a Trojan; in fact, it masqueraded as an Adobe Flash installer. It got into a system because people downloaded and installed software that they thought was legitimate but turned out to be malicious. But Flashback didn’t spread very much that way. This history, by the way, is why Flashback is still described as “Flashback Trojan”—the label it received first.

Flashback really got going after its delivery mechanism was changed to exploit a vulnerability in Java. The guts of Flashback could be reused in light of a new way into someone’s computer. Now that the version of Java installed on Macs has been fixed (for those who keep their systems up to date), there is yet a new version which makes use of a (patched) vulnerability in MS Office 2011 for Mac. Microsoft has issued a fix for this vulnerability, but if people aren’t keeping MS Office up to date on their systems, Flashback can get in this way.

Flashback has been something new in a number of ways, and so it isn’t clear whether it will remain an exception or whether it does signal that things are changing. Either way, I don’t think that Mac users can rely much longer on malware developers lacking the toolkits to go after Macs. Fortunately, there are other things that may still keep Mac users relatively safe.

Different update habits

I’ve described at great length in Part 2 the importance of keeping systems and software up to date to prevent infection. As I explained there (complete with a slick chart), the majority of bugs that get exploited on Windows are things that have already been fixed, and users would have been protected from those if they kept their software up to date.

Flashback was an exception to this. The Java bug that Flashback exploited to get into people’s systems remained unpatched for several weeks after it was known to be leveraged by Flashback. It is interesting that, while most Windows exploits take advantage of patched vulnerabilities, the one substantial OS X exploit grew through an unpatched vulnerability.

This difference illustrates my point about why Mac users may have been safer than Windows users. Mac users may simply be better at keeping their systems and software up to date. There may be a number of reasons for this, and I would like to speculate about some of them. Let me be clear that I do not have evidence that Mac users are better about updates than Windows users, although there is some suggestive evidence.

For example, more than 40% of all Windows users are still using Windows XP (superseded by Windows Vista in January 2007), while fewer than 10% of Mac users are using Leopard (superseded by Snow Leopard in August 2009). However, we can’t say that this is because of better update habits.

[Chart: OS X version over time, from OmniGroup]

First, the numbers I reported were collected in different ways, so they might not be directly comparable. More importantly, Apple has maintained for years that around 50 percent of its quarterly Mac sales are to new customers—also known as “switchers”—so they have more recent systems, and therefore current versions of Apple’s OS by default. Still, I am going to offer ideas about why Mac users may be better with updates.

More of the software that people use on OS X comes from a single source (Apple) than is typical on Windows. Other than the operating system and Microsoft Office, the software that Windows users regularly use comes from a variety of different places. Where a Windows user will be using Adobe Reader for reading PDFs, a Mac user will be using Apple’s Preview; where a Windows user might be using Photoshop Elements, the Mac user will be using Apple’s iPhoto or Aperture; where a Windows user may be using iTunes to organize music for the iPods and iOS devices, the Mac user will be using, well, iTunes. For the Mac user, all of these come from the same place and are updated via tools Apple built into its OS, which have long been configured out of the box to run once a week.

Mac users know where their hardware and operating system comes from. Windows, like OS X, is typically purchased with the computer hardware. But while the Mac user will typically be making their purchase from Apple, a Windows user is not making their purchase from Microsoft. Instead, they are purchasing from an Original Equipment Manufacturer (OEM). The OEM—such as Gateway, Dell, or Hewlett-Packard—also adds a bunch of stuff to the Windows systems that get distributed. Among these will be items that highlight the brand of the OEM. As a result, many Windows users are left confused about their operating system and where to go for updates. Many times when I’ve asked a Windows user what version of Windows they are running, I would get an answer like “Dell” or “Hewlett-Packard.” Whatever complaints people may legitimately have about Apple’s control over both the software and hardware, it does avoid confusion for the user.

Where you get your software

I discussed Trojan horses extensively in Part 2 of this series, and as with keeping systems up to date, there may be behavioral differences between Mac and Windows users that make Mac users less vulnerable.

One recent difference is that Mac users have the Mac App Store. Apps sold there have been reviewed by Apple. Although some anomalies may occasionally slip through that review process (though, to date, I am not aware of any), it dramatically reduces the chances of anything installed from the Mac App Store containing a Trojan. And in the future, the use of Gatekeeper in Mountain Lion will provide additional ways for Mac users to see who their software is coming from and that it hasn’t been tampered with along the way. The Windows 7 installer, though, already checks the digital signature attached to distributed software.

But those differences are too recent (or yet-to-arrive) to offer any explanation of what has happened over the past decade. It is possible that there are, to some extent, differences in people’s willingness to acquire software through less than reputable third parties. I have no evidence to back this up, other than the (surprising to me) relative lack of Mac infections due to Trojans over the past decade.

About the future

Given my abysmal track record on predicting malware on the Mac, I will hedge and qualify any predictions that I hint at here. I will note that Flashback did overcome some of the things that I’ve said protect the Mac environment. It suggests that malware creators are developing toolkits for use against OS X. This is what I see as the most worrying sign for Mac users.

On the other hand, I am confident that Apple learned a great deal about getting things patched quickly; they are already being very proactive in reducing the threats of Trojans, and Mac users may continue to be relatively good about keeping systems up to date.

Only you should 0wn your data, Part 2: Staying safe

Just the place for a Snark! I have said it twice:
That alone should encourage the crew.
Just the place for a Snark! I have said it thrice:
What I tell you three times is true.

—Lewis Carroll “The Hunting of the Snark”

In Part 1 of this series I discussed how your 1Password data may (or may not) be threatened if your computer gets infected with some kind of malware, particularly Flashback. Of course, it is better for your computer to not be infected in the first place, so in this article I focus on a few tips to help keep your computer safe from malware. Part 3 will outline a way of thinking about the differences and similarities in the threats from malware on Mac and Windows.

Before I get into the list of tips that you can do to help keep your computer malware free, I’d like to say a few words about a few words. I hate the word “malware”; it’s awkward and ugly. Unfortunately that is the word we have. Words like “virus”, “worm”, “trojan”, “drive-by” and so on refer to how the particular piece of malicious software spreads. They tell us nothing about what it does. I will use the term “infected” to refer to a computer system that has some malware installed and functional on it.

As I said twice before in Part 1 (and, really, as we’ve always said), the most important thing you can do to specifically protect your 1Password data is to use a good Master Password. The proof is complete if only I’ve stated it thrice.

1. Keep your software up to date

The single most important thing you can do to protect against malware is to keep your software up to date.

The large majority of system compromises are through vulnerabilities that the software vendor has already released a fix for. Flashback was unusual in that the Java vulnerability that was exploited had not already been patched (although it had been public for a while).

Let me introduce a few terms. A “vulnerability” is a flaw in a system (either a bug or a design error) that allows something to breach security. A “patched vulnerability” is a vulnerability that has been fixed by the supplier and the fixed version is available to users. An “unpatched vulnerability” is one for which there is no fix from the vendor yet. This distinction is important because research shows that when computers are compromised through these sorts of vulnerabilities, the large majority of them are through patched vulnerabilities. That is, if the user had kept their software up to date, they would not have become a victim.

Some people use these terms a bit differently. You will sometimes hear “zero day” to refer to what I am calling an unpatched vulnerability. But I reserve that term to refer to vulnerabilities that the software provider isn’t even aware of.

Flashback did not exploit a vulnerability that Apple didn’t know about. The particular bug in Java had been known for months before Flashback started to exploit it. Instead, Flashback exploited a vulnerability that Apple was well aware of, but had not yet fixed. Flashback, then, is an exception to my claim that keeping your software up to date will keep your computer malware free. I’ll come back to this in the third article in the series.

So if Flashback actually goes against my point, why do I insist that keeping systems and software up-to-date is the most important thing you can do to prevent infection? I’m basing my claim on a great deal of research on this question, but I will draw most of my examples from Microsoft Security Intelligence Report volume 11 (PDF). It contains the clearest arguments and data.

The Microsoft report offers the example of the number of new infected Windows systems through a particular vulnerability in Adobe’s Flash Player and Adobe Reader. The red part of the graph covers the time between when the malware was exploiting the vulnerability and the time that Adobe first issued a fix for it. As you see, there is a decline in infection rates shortly after Adobe issued updates for Flash on April 15, 2011 and for Reader a week later, on April 21.

Infection rate before and after vulnerability fixed

But as you look at what happened two months after Adobe fixed the vulnerability (the green part of the graph), there is an enormous resurgence of the malware. The number of systems infected before Adobe fixed the vulnerability is tiny compared to the infections that happened much later. This particular example illustrates the general pattern. Most system compromises through vulnerabilities could have easily been avoided if people kept their software up to date.

That particular infection is just one example to illustrate what is a very common infection pattern. Indeed, what may be the most widely spread malware on Windows—Conficker—is still infecting Windows systems more than five years after the vulnerabilities that it exploits have been fixed by Microsoft. Keep in mind that, once it gets onto a corporate network in the first place, much of Conficker’s ability to spread is to just find users on the network with weak passwords. Still, it does help illustrate the problem of people not keeping their software up to date, as the password guessing tactic only works after Conficker makes it onto the local network by some other means.

How to keep things up to date

On the Mac, Leopard and Tiger are no longer being updated. If you are using one of those systems, please move to Snow Leopard or Lion quickly. And if history is much of a guide, Snow Leopard will lose support within a few months after the release of Mountain Lion, which Apple has scheduled for summer 2012. As of this week, Mozilla has discontinued support for Firefox 3.6. In short: don’t use unsupported operating systems or web browsers. Just don’t.

On Windows, Microsoft still provides security updates for Windows XP (Service Pack 2), but they do so only reluctantly. They had wanted to end support in 2010, but are now continuing it through April 2014. If you are using Windows XP, you shouldn’t wait until 2014. The security changes between XP (released over a decade ago) and Vista are enormous, not to mention Windows 7 came out in 2009, and Windows 8 is almost upon us.

The operating systems are probably the easiest thing to keep up to date because they are typically configured to periodically check for available updates. But the software you install later can, traditionally, come from many different places, so it is usually harder to maintain. An increasing amount of software will automatically update itself, though, and Google Chrome is one notable example, with more browsers following suit. Some software will periodically check whether it needs to be updated and alert you, but new software delivery services like Apple’s App Store and Microsoft’s upcoming Windows Store can do all that heavy lifting for you.

For your most important software, it is vital to have some sort of easy or automatic way of checking for and installing updates. In terms of security, here is an ordered list of what I think are the most important things to keep up to date:

  1. Operating Systems. You need to schedule Software Update (on the Mac) or Windows Update (on Windows) to check for updates automatically.
  2. Web browsers. In each web browser, you will be able to configure its updating habits in its preferences.
  3. Web browser plug-ins. These are the programs – such as Adobe Flash Player, Adobe Reader (on Windows), Java, and Silverlight – that are used to open certain kinds of content “in the browser” that the browser itself can’t handle natively.
  4. Email software. If you are using the email software that comes with your operating system (Mail.app or Outlook), then they will be updated with the operating system. But if you use a third party mail program, then you need to make sure that that is kept up to date.
  5. Anything that opens files that you did not create yourself. Whatever software you use to look at pictures, read word processor documents, work with spreadsheets, or listen to music files must be kept up to date.
  6. 1Password. Well, really any software that has to do with your security. 1Password automatically checks for updates after it is launched and will also check periodically in case you are like me and never relaunch it because you never close it. You can configure 1Password’s updating behavior in Preferences > Updates. You should also keep the 1Password browser extensions up to date, which is typically done automatically right within the browser.

That’s a lot of work to keep up with, but fortunately an increasing number of application developers are making updates easier and automatic. Tools like the Mac App Store make it even easier for people to see what needs to be updated. There will be some more discussion of that in Part 3.

2. Back up your data

Backing up your data won’t actually do anything to prevent infection, but it will put you in a much better position to recover from one. Most malware tries to remain undetected so it won’t deliberately crash or destroy your system, but it can still introduce instabilities. Furthermore, there is a form of malware, known as ransomware, which encrypts your data and requires that you pay to get the decryption key.

Most importantly, good backups are a vital part of data security overall. As the saying goes, there are two kinds of computer users: those who have experienced a catastrophic disk failure, and those who will.

3. Pay attention to where your software comes from

Even if the software and operating system you are using has no technical vulnerabilities that allow an attacker to get malicious software running on your computer, there is still a very simple way that they can get their software installed and running. They can ask you to install and launch it for them.

Of course they don’t say, “Hey, here is some malicious software. Please download, install, and run it.” Instead, they say, “Hey, here’s a free horse riding game! No strings attached!” You can download and install it. Perhaps you enter your administrator password during the installation process. The download may even include a more or less working copy of the horse software.

Lurking inside the harmless game you brought in through your defenses could be enemies. They break out at night, kill your guards, and open the gates so their whole army can rush in.

The horse, standing high on the ramparts, pours out warriors,
and Sinon the conqueror exultantly stirs the flames.
Others are at the wide-open gates, as many thousands
as ever came from great Mycenae: more have blocked
the narrow streets with hostile weapons:
a line of standing steel with naked flickering blades
is ready for the slaughter

It should not come as a surprise that malware of this sort is called a “Trojan horse,” or just “Trojan.”

I am not for a moment suggesting that you shun all geeks bearing gifts. After all, making great things for people is what we geeks love to do. But along with not keeping software up to date, this is a leading way that malicious software can be installed and run on your system.

This is one of the reasons why I’m excited by Gatekeeper, coming in OS X 10.8 Mountain Lion. It won’t be an entire solution to the problem of Trojans, but it may play a substantial part. In short, Gatekeeper will give you control over what apps run on your computer depending on who or where they come from.

4. Virus Scanning?

I’ve left anti-virus scanning for last on my list because I think it plays a distant third to keeping software and systems up to date and paying attention to where you get your software from. As one security researcher quipped, “anti-virus vendors have solved the malware problem so well on Windows that they are now bringing the same magic to the Mac.” On the other hand, it is useful to occasionally (or even regularly) run a scan of files on the system.

There are two ways that anti-virus software can operate. In one mode, they will search through most of the files on your system looking for malware, either periodically or at a time you specify. In the more active mode, they inspect (almost) every file as it gets opened, but this mode can often slow down a system substantially or even make it less stable. (“Less stable” is a euphemism for crashing more.) Opinions about these vary widely (and heatedly). In both modes, the database that the anti-virus software uses needs to be kept very much up-to-date.

One thing to keep in mind is that, although Mac users should probably be more concerned about malware than they are used to (more on that below), they should be wary of reacting to the most alarming headlines, particularly when they are produced by anti-virus vendors. While some vendors have kept a level head in their discussions, others have engaged in egregious fear mongering based on extremely misleading numbers. It is unfortunate that the least useful information with the most alarming headline is the one that gets the attention.

In any case, with Flashback, everyone should run one of the many free detection and removal tools that have been issued by reputable anti-virus vendors. One of the first was developed by Intego. Even if you have updated your software to fix the vulnerability that Flashback has been exploiting, once your computer is infected it will remain infected until the malware is explicitly removed.

Other tips?

There are loads of other things you can do to improve system security. For example, I am a big advocate of not having your main user account be an administrator account. More steps to consider include adjusting firewall settings and using various blockers in web browsers. But the large majority of problems will be avoided simply by keeping software up to date and paying attention to where you get software from. We get diminishing gains in security from the more advanced techniques, particularly in comparison to the gains we get from the basic things that everyone should do.

In Part 3 of this series, I will offer some thoughts on the developing malware situation on the Mac, with a look at what might keep Macs relatively safe or not.

Only you should 0wn your data, Part 1: 1Password and Flashback

Over the last couple weeks, a topic in tech news has been Flashback, malware that seems to have gotten itself installed on (at least) about 600,000 Macs running OS X. Although there has been malware for Mac OS X for a long while, Flashback is the first to reportedly affect a substantial number of users. In at least one respect, it does represent an important change in the kinds of security threats facing Mac users.

This article is the first installment of a three-part series about the state of Mac malware and what all this means to you as a Mac and 1Password user. In today’s first part, I’ll discuss what kind of threat malware like Flashback does or does not pose to your password data. Part 2 will talk about malware more generally, with concrete tips about keeping yourself safe. Part 3 will talk about changes in the threat landscape, and provide some ways of understanding the differences and similarities between the threats that Mac and Windows users face.

First things first

If you haven’t tested whether your system has been infected with Flashback, you should. By installing the latest security updates to Lion and Snow Leopard, you will get Apple’s Flashback removal tool. Just use Software Update on your Mac. I write more about keeping your system up to date in Part 2 of this series.

Apple, to say the least, has not been the most fleet of foot in addressing the threat, so you may be tempted to look elsewhere for detection and removal tools. Every anti-virus vendor offers free (or free trial) tools that will detect and remove Flashback. I’ll talk a bit more about anti-virus software in Part 2, but for now let me just point out that they have an incentive in scaring people and publishing hyperbolic claims. I haven’t (and won’t) evaluate the various products they have to offer, but personally I would be more trusting of those companies who provide useful, level-headed information over those that try to scare you.

The quick answer

We do not see the Flashback infection as a significant threat to your 1Password data. But the single best thing you can do to protect your 1Password data if your machine is infected in any way is to have a good Master Password.

The encryption on your 1Password data has been designed from the outset to withstand concerted attack if it gets captured. Whether it is captured through your computer being stolen, a compromise of a syncing service, or through a compromise of your computer through malware, it can’t be decrypted without your Master Password.

The second thing about 1Password’s design is that it only decrypts the smallest amount of information needed at any one time. Even when your 1Password data is unlocked, all of the information is encrypted except for the particular item you are dealing with at the time. This means that there are no decrypted temporary files. This is an important – and often overlooked – security feature. 1Password never has decrypted usernames and passwords just sitting around.
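The two design properties just described, that nothing decrypts without the Master Password and that only the item in use is ever decrypted, can be shown with a small constructed vault. This is an added example written for this page, not 1Password’s own code or data format; the PBKDF2 parameters, the HMAC-SHA256 counter-mode keystream standing in for a real cipher, and the sample items are all assumptions.

```python
import hashlib
import hmac
import secrets

# Cost parameters for this constructed example. A real vault uses a far higher
# iteration count (or a memory-hard KDF); the principle being shown is the same.
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32


def vault_key(master_password: str, salt: bytes) -> bytes:
    """Derive the vault key from the Master Password. Nothing stored on disk
    yields this key, so a captured vault is useless without the password."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS, KEY_LEN)


def item_keys(vkey: bytes, item_id: str) -> tuple:
    """Separate encryption and MAC keys per item, derived from the vault key."""
    enc = hmac.new(vkey, b"enc:" + item_id.encode("utf-8"), hashlib.sha256).digest()
    mac = hmac.new(vkey, b"mac:" + item_id.encode("utf-8"), hashlib.sha256).digest()
    return enc, mac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode. The standard library
    has no AES, so this PRF keystream plays the role that AES-GCM or similar
    plays in shipping software (an assumption of this example, not 1Password's cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(vkey: bytes, item_id: str, plaintext: bytes) -> dict:
    """Encrypt one item under its own key and authenticate it (encrypt-then-MAC)."""
    enc, mac = item_keys(vkey, item_id)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def open_item(vkey: bytes, item_id: str, record: dict) -> bytes:
    """Verify the tag first; a wrong Master Password or a tampered record is
    rejected before any decryption happens."""
    enc, mac = item_keys(vkey, item_id)
    expected = hmac.new(mac, record["nonce"] + record["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("wrong Master Password or tampered item")
    ks = keystream(enc, record["nonce"], len(record["ct"]))
    return bytes(c ^ k for c, k in zip(record["ct"], ks))


def create_vault(master_password: str, items: dict) -> dict:
    """Build the on-disk form: a salt plus one sealed record per item.
    The vault key is derived, used, and dropped; it is never written out."""
    salt = secrets.token_bytes(16)
    vkey = vault_key(master_password, salt)
    records = {item_id: seal(vkey, item_id, secret.encode("utf-8"))
               for item_id, secret in items.items()}
    return {"salt": salt, "items": records}


def reveal(vault: dict, master_password: str, item_id: str) -> str:
    """Decrypt exactly the item asked for. Every other record stays ciphertext,
    and the result is returned to the caller rather than cached in the vault."""
    vkey = vault_key(master_password, vault["salt"])
    return open_item(vkey, item_id, vault["items"][item_id]).decode("utf-8")


def plaintext_leaks(vault: dict, secrets_by_id: dict) -> int:
    """Count secrets that appear verbatim anywhere in the stored bytes (should be 0)."""
    blob = vault["salt"] + b"".join(r["nonce"] + r["ct"] + r["tag"]
                                    for r in vault["items"].values())
    return sum(1 for s in secrets_by_id.values() if s.encode("utf-8") in blob)


# Constructed sample data for the demonstration.
SAMPLE_ITEMS = {"bank": "correct horse battery staple", "mail": "l0ng-and-unrelated"}
MASTER = "a long, memorable Master Password"

if __name__ == "__main__":
    vault = create_vault(MASTER, SAMPLE_ITEMS)
    print("secrets visible on disk:", plaintext_leaks(vault, SAMPLE_ITEMS))
    print("bank item:", reveal(vault, MASTER, "bank"))
    try:
        reveal(vault, "guessed password", "bank")
    except ValueError as err:
        print("wrong password:", err)
```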

Of course, when it comes to security questions, there really are no quick answers. So the rest of this article goes into more detail.

Theory and Practice

It’s a wonderful day when I can meaningfully quote Yogi Berra:

In theory there is no difference between theory and practice. In practice, there is.

In principle, once your computer is compromised it is no longer “your” computer. In some juvenile jargon, your system is “owned.” In theory, if malicious software is running (with sufficient privileges) on your computer, then everything you do and see belongs to the attacker. This could, in principle, involve modifying all of the software (including the Operating System) that you use. So in theory, once your computer is taken over, there is pretty much nothing that can protect you. Fortunately, practice is much different than theory.

In practice, malware tries to remain small. It makes only the minimal changes to your system that are required for its specific job, and most of those changes are attempts to cover its tracks. Because we know the kinds of things that malware–in practice–does, we have been able to design 1Password to protect your data against those sorts of attacks.

Flashback, for the most part, opens a back door that allows its operator to install or modify things on the infected computers later. That is, computers that are infected become part of what is called a botnet. These are often used to relay or to launch certain attacks on more high-value targets. By using machines in a botnet, the attackers can cover their tracks and leverage huge numbers of machines to make their attacks more powerful.

Because machines in a botnet are awaiting commands from those who control the botnet, it is hard to answer the question “what does Flashback do?” Symantec has just published a fascinating analysis of how Flashback has made money for its operators. It inserts itself into web browsers to hijack certain advertisements and clicks, so ad revenue that would otherwise go to Google goes to the operators of Flashback.

Even with our better understanding of what the Flashback operators were after, we still have to ask what the operators of a botnet could, in practice, do with an infected computer. Here I will focus on two things that malware can do that pose a risk to password data, even if this isn’t primarily what Flashback was after. One is that malware can install software that scans your computer for lists of passwords. The other point of concern is that it can install malicious software into browsers that tries to capture passwords as you use them.

Hunting for lists of passwords

One thing that can be installed through the backdoor is a system that searches your computer for lists of passwords. There is a history of this in Windows malware, so we should assume that those who have a back door into your computer have the same capabilities and interests. The good news for 1Password users is that such malware goes after “home-grown” password management systems. They are not at all prepared for a well-designed system like 1Password.

Many people, faced with the problem of remembering lots of passwords, develop their own password management system. Often people will simply list their passwords in a word processor document, such as Microsoft Word, or in a spreadsheet. It is those files that this sort of malware goes after. Even when people encrypt those files, the password that they use to encrypt that data is often not protected by measures that resist automatic password cracking tools. Furthermore, when people decrypt those files to work with them, temporary files containing the decrypted data are often created. Password collecting malware goes after those too.

1Password’s design resists those sorts of attacks. We use PBKDF2 to make it much, much harder for an attacker to run a program that tries to guess your Master Password. We’ve also been beefing up this defense to keep ahead of developing threats.

We are also very careful to only decrypt small amounts of data at a time instead of decrypting everything. Because (with the exception of file attachments) decrypted data is never written to disk, there are no temporary or cache files that could be picked up by an attacker on your system. These are some of the behind-the-scenes considerations that go into 1Password but are rarely considered in home-grown systems, which is what makes those systems such a ripe target for malware.
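To make the two design points above concrete (a slow KDF in front of the Master Password, and decrypting one item at a time with nothing decrypted ever written to disk) and to contrast them with the single-hash protection typical of the home-grown password files described earlier, here is a miniature vault in Python. This is an added example and not 1Password’s implementation or file format: the iteration count is an assumed value, and the per-item cipher is a toy built from HMAC-SHA256 (keystream plus an authentication tag) so that the example runs on the standard library alone; it stands in for real authenticated encryption.

```python
"""Added example (not 1Password's code) of two defences described in the post:
PBKDF2 in front of the Master Password, and per-item decryption so that only the
record in use is ever plaintext and nothing decrypted touches the disk.
The item cipher is a toy (HMAC-SHA256 keystream plus an HMAC tag) chosen so the
example runs on the standard library alone; it is not a real cipher."""
import hashlib
import hmac
import json
import os
import time

PBKDF2_ITERATIONS = 100_000  # assumed iteration count, for illustration only


def derive_master_key(master_password: str, salt: bytes,
                      iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch the Master Password: each guess costs `iterations` HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256 (illustration only)."""
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _item_keys(master_key: bytes, nonce: bytes):
    """Separate encryption and MAC keys per record, derived from the master key."""
    enc = hmac.new(master_key, b"enc" + nonce, hashlib.sha256).digest()
    mac = hmac.new(master_key, b"mac" + nonce, hashlib.sha256).digest()
    return enc, mac


def encrypt_item(master_key: bytes, plaintext: bytes) -> dict:
    nonce = os.urandom(16)
    enc_key, mac_key = _item_keys(master_key, nonce)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt_item(master_key: bytes, record: dict) -> bytes:
    nonce, ct = bytes.fromhex(record["nonce"]), bytes.fromhex(record["ct"])
    enc_key, mac_key = _item_keys(master_key, nonce)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, bytes.fromhex(record["tag"])):  # wrong key or tampering
        raise ValueError("wrong Master Password or tampered record")
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class Vault:
    """Everything stored is ciphertext; get() decrypts exactly one record."""

    def __init__(self, master_password: str, items: dict):
        self.salt = os.urandom(16)
        key = derive_master_key(master_password, self.salt)
        self.records = {title: encrypt_item(key, secret.encode("utf-8"))
                        for title, secret in items.items()}
        self._key = None       # locked until unlock() is called
        self.decryptions = 0   # how many records have been decrypted so far

    def unlock(self, master_password: str) -> None:
        self._key = derive_master_key(master_password, self.salt)

    def get(self, title: str) -> str:
        if self._key is None:
            raise PermissionError("vault is locked")
        self.decryptions += 1  # only the requested record is ever decrypted
        return decrypt_item(self._key, self.records[title]).decode("utf-8")

    def on_disk(self) -> bytes:
        """What a file-scanning trojan would find: the salt and ciphertext only."""
        return json.dumps({"salt": self.salt.hex(), "items": self.records}).encode()


def seconds_per_guess(iterations: int, trials: int = 5) -> float:
    """Cost of one Master Password guess when the KDF uses `iterations` rounds."""
    salt = b"constructed-salt"
    start = time.perf_counter()
    for i in range(trials):
        derive_master_key(f"guess-{i}", salt, iterations)
    return (time.perf_counter() - start) / trials


if __name__ == "__main__":
    # Constructed sample data: titles are public, the secrets must never leak.
    vault = Vault("correct horse battery staple", {"mail": "m4il-secret", "bank": "b4nk-secret"})
    assert b"secret" not in vault.on_disk()        # no plaintext at rest
    vault.unlock("correct horse battery staple")
    print(vault.get("mail"), "- records decrypted:", vault.decryptions)
    weak, strong = seconds_per_guess(1), seconds_per_guess(PBKDF2_ITERATIONS)
    print(f"a guess is {strong / weak:.0f}x slower with PBKDF2 than with one hash")
```

Run it and note the two things a password-hunting trojan is up against: `on_disk()` never contains a secret, so scanning files yields only ciphertext, and `seconds_per_guess(1)` versus `seconds_per_guess(PBKDF2_ITERATIONS)` shows how many more guesses per second an attacker gets against a single-hash home-grown scheme than against a stretched Master Password.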

Target of the DevilRobber

Poorly designed, home-grown systems are the typical targets of malware data collection, but does that mean no malware would ever include 1Password data among its targets? Not at all. Indeed, I wrote about a case like that last November involving DevilRobber, another piece of malware. DevilRobber didn’t get much attention because it didn’t get very far, but it did collect a great deal of information from the few machines that were infected.

Whoever collected that data would still need to guess someone’s 1Password Master Password to get encrypted information out of the file. But once we learned that people were actively going after 1Password data files, we made some changes with some more to come.

If I can be forgiven for repeating myself, the single best thing you can do to protect your 1Password data is to have a good Master Password.

Password collection in Safari

Some versions of Flashback are reported to have added things into Safari to capture passwords you might enter for sites in the browser. If your browser had been infected this way, then passwords that you typed or pasted into web pages are likely to have been captured. This does not include your 1Password Master Password.

Passwords that were filled by 1Password (not pasted or manually typed) are unlikely to have been captured, but I can’t be absolutely certain of that. Although it may seem that 1Password is just pasting in or typing in your usernames and passwords for you, that’s not what is really going on. 1Password’s form filling mechanism works much closer to the bone, thus reducing the chances that something could intercept the data that 1Password fills in.

Still, because you may have pasted passwords instead of having 1Password fill everything, if your system has been infected, you should use Apple’s aforementioned Flashback removal tool and change some of your passwords. Start with your more important and frequently used ones. Passwords for email services are the first thing that attackers like to go after. After that, it’s banking and popular on-line retailers.

Even if your system was infected, there are a lot of unknowns that all act in your favor: whether you had a Flashback variant that monkeyed with Safari; whether passwords were entered in a way that the malicious software could capture; whether the people gathering that data have the resources to exploit it. One of the biggest unknowns is that many infected Macs have not been able to communicate with the command centers—the systems on the network that are set up to give instructions to infected Macs or collect data from them. Network operators and security companies substantially disrupted communication with the command centers.

Complacency or panic

Frightened people make poor security decisions, just as people who are overly complacent do. Flashback poses a non-negligible threat to your 1Password data, but “non-negligible” doesn’t mean “large”. It doesn’t even mean “significant” in this case, but it does mean that we shouldn’t ignore it. So let me repeat the advice I gave above that if your machine was, in fact, infected with Flashback, after you get it removed and your system up to date, do change your most important and frequently used passwords.