Posts

Shellshock is bad, unique passwords are good

Shellshock bash terminalA new security bug, commonly known as Shellshock (Officially CVE-2014-6271, is bad. It is fair to say that a large number of servers (particularly web servers) were vulnerable to serious attack for some time. It is likely that many still are, and we are unlikely to learn about most of them.

What are we do to? Answer: Use unique passwords for each site and service.

Squirrels, rabbits, and passwords

Squirrel mollyLet’s consider Molly, one of my dogs. She has a one track mind: Squirrels and rabbits. She also is not very good at counting, so she doesn’t understand the difference between one track and two tracks.

Molly tends to reuse the same password for lots of things. Her password for Barkbook is squirrel. It’s also the password for CatChasers and a number of other sites and services.

Suppose that Patty, my other dog, isn’t the sweet innocent little thing that she pretends to be. Suppose that she breaks into CatChasers and is able to steal user passwords from it. She learns that Molly’s password was “squirrel” on CatChasers, so she’ll check if Molly used the same password on Barkbook and other sites.

1P squirrel password

Password reuse is doubly bad

Indeed, when Molly uses the password “squirrel” on multiple sites, she is putting all those squirrels in one basket. If her password is stolen on any one of those sites, Patty can get into all of those.

The more places that Molly uses the password “squirrel,” the more likely it is that at least one of that sites will get breached, and the more damage is done when her password gets discovered at any one of those sites.

If Molly uses “squirrel” for twenty sites, there is a very strong chance that several of them are vulnerable to this new Shellshock flaw, Heartbleed, or any of the other known and unknown vulnerabilities being exploited. When Patty does break into one of those twenty sites, she will now have control of twenty of Molly’s accounts.

What you can do

In short, be careful. System administrators will be busy for a while. In addition to upgrading bash on systems that use it, they should be trying to track down which systems create environment variables with untrusted content and whether those systems ever invoke a shell.

But normal people (and I don’t think that many will dispute that system administrators are not “normal people”) are left with the knowledge that there are a lot of vulnerable systems out there. By far, the single best things we can do is to cut down on our password reuse. The easiest way to do that with 1Password is to give Security Audit a whirl.

There is so much more to say

Everyone with some sort of security point to make is using Shellshock to help illustrate and draw their favorite lesson from it. This is easy to do because Shellshock isn’t just a bug, it is a bug that can be exploited because of a series of design decisions that were pretty much asking for trouble. Each one of those decisions (or non-decisions) is something that everyone in the business really does know better about. But somehow, the software and systems engineering community has managed to ignore its own wisdom at each step of the way.

  1. We members of this community know not to pass untrusted data to various other processes, yet we’ve allowed systems that create shell environment variables (things designed to be passed all over the place) from the most untrusted sources of all. [E.g. CGI, DHCP Clients, etc].
  2. Our community knows that tricking systems into executing “data” is often how attacks happen, yet bash has a feature that deliberately allows what is normally data passed around to be executed.
  3. Whether computer science students like it or not they are taught that when data is in a particular class of languages it is impossible to validate it, yet with bash we’ve stuck a Type 0 languages inside of variables.
  4. Scripts and programs should (generally) avoid invoking a shell as even the Linux manual page for system(3) says

    Do not use system() from a program with set-user-ID or set-group-ID privileges, because strange values for some environment variables might be used to subvert system integrity.

    Yet calling system(3) is common practice because it is easier than invoking other programs the proper way.

When a system falls victim to Shellshock, it is because every one of those principles and guidelines have been ignored. The first one is in the design of various network services (such as web servers). Numbers two and three are in the design of bash, and number four crops up in innumerable scripts and programs. None of them are actually about the specific bug in bash. Instead, one through three are about specific design features of various systems.

There is a great deal I would like to say about each of these, but I will leave that ranting for another time. Today, I just wish to remind everyone about the importance of using unique passwords for each and every service.

Bash update for Mac OS X

Apple has made bash updates available to those who do not wish to wait
for regular software update:

OS X bash Update 1.0 may be obtained from the following webpages:
http://support.apple.com/kb/DL1767 – OS X Lion
http://support.apple.com/kb/DL1768 – OS X Mountain Lion
http://support.apple.com/kb/DL1769 – OS X MavericksTo check that bash has been updated:* Open Terminal
* Execute this command:
bash --version
* The version after applying this update will be:
OS X Mavericks:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
OS X Mountain Lion:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin12)
OS X Lion:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11)

Take Control of 1Password ebook updated for our new Watchtower service

Take Control 1P 1-2By now you’ve probably heard of 1Password Watchtower, our new service that warns and informs you when websites of your Logins have been compromised. Watchtower has been a huge hit with our Mac customers and is coming soon to Windows, and now you can learn more about it in the latest update to Take Control of 1Password, the comprehensive ebook by Joe Kissell.

This latest free update to the book—version 1.2.1 for those keeping track at home—adds a new section in “Perform a Password Security Audit” that explains what 1Password Watchtower is and does, and how to make it part of your security regimen. Honestly, that whole section is perfect to review and re-review for both current and new book owners alike, as it walks through some of 1Password’s most useful and effective tools under Security Audit.

Take Control of 1Password v1.2.1 is now available. Current owners can sign into their Take Control Ebooks account to grab the latest edition, or you can pick up your copy for just $10.

Our 1Password Watchtower service is now looking out for you, right in 1Password for Mac

1Password WatchtowerEarlier this month, we introduced our new Watchtower service on the web. In its initial version, Watchtower checks whether a website is (or ever was) vulnerable to the internet’s nasty Heartbleed security bug, then tells you whether it’s safe to update your password.

Now we’ve taken the next major step and made it much easier to stay secure online, as Watchtower can now check all your Logins at once, right inside 1Password for Mac.

1Password 4.4 for Mac is now available to website and Mac App Store customers, and it has Watchtower built right in. Watchtower is a free service, and once you enable it (either under Security Audit or Preferences), Watchtower will alert you if a website is found to be at risk.

Like Captain Picard sounding the call to battle stations, 1Password will display a red alert at the top of any affected Logins (see this post’s gallery for examples). Click the alert to learn more about what’s going on and when it is necessary and safe to update your password.

Watchtower in Security Audit

Watchtower in Security Audit

Watchtower is a new component of 1Password’s popular Security Audit feature, which shows you items with weak passwords, duplicate passwords, and other handy info to help you decide which Logins to update.

Now built into 1Password, Watchtower lists all vulnerable Logins in a single place and even sorts them by status, such as “Avoid”—for sites that have not yet patched their vulnerability—and “Change Password” for sites that have updated and it is now safe (and prudent) to change your passwords.

How it works

The Watchtower service is off by default. Once users enable it, 1Password will check daily for new website vulnerability information. Your website information is never transmitted to us. 1Password simply downloads this information and checks it locally against your Logins.

Now available

1Password 4.4 for Mac is now available as a free update to existing website and Mac App Store customers, and we have plans to add it to 1Password for Windows. Our new Watchtower service is a major step for 1Password and making you more secure on the web. We’d love for you to give it a try and let us know what you think on Twitter, Facebook, and in our forums!

Introducing the 1Password Watchtower service for Heartbleed and beyond

1Password Watchtower

When news of the internet’s Heartbleed bug broke last week, we published what we knew about it and the implications for 1Password and 1Password users.

To recap: 1Password is not affected by Heartbleed, but there are steps you need to take to protect your passwords from sites that may have been affected.

Today, we’re introducing a new service to help you check vulnerable sites and stay on top of your online security. We call it 1Password Watchtower.

A way to check if the bleeding has stopped

Your password data remains safe and secure within 1Password, but when your web browser sends a password to an insecure website, that particular password can be captured.

Most, but not all, websites have had some period of being insecure because of Heartbleed, and this is why so many passwords need to be changed.

Since those first few hours on April 7, we’ve gone from “what is this all about?” to “which sites do I need to change my password, and when?” Today, the 1Password Watchtower service will help you answer that question.

1Password Watchtower: Check this website

The categories of sites

With respect to Heartbleed, the 1Password Watchtower service will try to categorize websites into one of the following five categories.

1. Vulnerable

SiteChecker vulnerable example

Sites that are still exhibiting the Heartbleed bug should be avoided until they’ve fixed it. Once fixed, you should change your password.

If you reused a password for one of these sites, then all of those websites are also at risk. You should change your passwords on those other websites as soon as appropriate, and be sure to set up a different password for each of these sites.

2. Not currently vulnerable but needs new certificate

SiteChecker Needs new certificate

This is where things get complicated. While these sites have stopped the bleeding, their master keys may have been stolen while the site was vulnerable.

To protect against this, websites need to get new certificates signed by certification authorities, which simply takes time (especially when nearly every site needs to do it). It took two days to get our new certificate, and I would not be surprised if others will have to wait longer, especially if they submitted their requests after us.

For these sites we recommend that you change your password twice. Changing your password now will prevent an attacker from using any previously stolen passwords. Then you can change your passwords again once the site’s certificates have been reissued to guarantee that the new password is only known by you.

3. Not currently vulnerable and has a new certificate

SiteChecker new certificate example

These sites were vulnerable to Heartbleed at one time but have been completely fixed. You can go ahead and change your passwords on these sites.

You may find yourself with many sites for which you need to change passwords, but don’t let yourself get overwhelmed. Focus on changing passwords for your most important websites first.

1Password can help you through the process, and of course, this is a great opportunity to use 1Password’s Strong Password Generator to create a strong and unique password for each site.

4. Never vulnerable

SiteChecker Never Vulnerable example

Some sites and services were never vulnerable to Heartbleed, typically because they never used OpenSSL or had disabled various features.

One piece of good news is that, as far as we can tell, most banks fall into this category. However, to the annoyance of security researchers, banks are not telling us why they weren’t vulnerable; they are merely repeating that their customers are and have been safe.

For  sites that were never vulnerable, no special action is needed. You do not need to change those passwords if your passwords were unique to those sites.

But (and you will hear us repeating this often) if you used the same password on a “never vulnerable” site that you used on one which was vulnerable, then you should change your passwords to be strong and unique on both sites.

This illustrates why password reuse on multiple sites is so dangerous. Even services that have had excellent security on their own can be broken into with a password stolen from elsewhere. 1Password’s Security Audit will help you find duplicate passwords.

5. No SSL/TLS

SiteChecker: No SSL

Sites in this category are in no way affected by Heartbleed, but these are the services where it is most important that you don’t reuse passwords.

Some sites and services do not use SSL/TLS to secure connections between your web browser and their service. Because they have no transport security to break, their security can’t be “broken” by Heartbleed. Any password—or, really, any data—sent to such a site can be easily captured. If you have a password for one of these sites, make sure that you don’t use the same password for any other service.

Subdomains matter: It is important to remember that 1Password Watchtower checks the exact domain you tested. So even if go.com doesn’t use SSL, subdomains such as disney.go.com, may. It does not appear that one ever sends passwords to go.com itself, so its lack of SSL does not put passwords at risk.

How do we know which sites fall into which category?

Sorting hatAs 1Password Watchtower checks for Heartbleed, it performs a number of tests on a domain and its certificate, as well as looking at the results of earlier tests. But even with all of the tests that we run, there is some substantial “guess work” in the categorization.

We can reliably tell which sites are currently vulnerable and which sites aren’t. We can also check the start date for the validity of a certificate. We run other tests, but whether they produce results or not, they only offer hints at which category we should put a domain into.

If you are a site administrator and find that we are reporting incorrect results for your site or service, please make use of Heartbleed HTTP Headers to announce your condition or let us know.

Uncertainties

Never vulnerable or needs a new certificate?

The biggest uncertainty is that we have no reliable way to distinguish between sites waiting for new certificates and sites which were never vulnerable. Both such sites will not be currently vulnerable and will not have new certificates. We look at fragmentary results of previous scans as well as web server software to try to form a guess, but it remains a guess.

Is an old certificate really old?

Every certificate has a validity period. They have a “valid from” date and a “expiry” date. We are (mostly) using the date from which they are valid to see if they are old or new. However many recently reissued certificates have the same validity period as the one that they replaced. As a consequence, certificates that appear as if they are in need of replacement aren’t.

Are we talking to the right service?

Many high traffic web sites use load balancers, which don’t actually process your web request, but send off your request to a one of many back-end servers. The software on a load balancer is meant to be invisible, but it will often be different than what appears on the backend. The tests we perform involve a number of queries, some of which will be handled by the back-end servers and some by the load-balancer. For example, a load-balancer that was running an affected version of OpenSSL might be using IIS as a back end, and thus we might false report as “never vulnerable”.

Wrapped Heartbeed Heart: Strong, Unique, New Passwords

Use strong, unique passwords and carry on

Heartbleed is an astonishingly serious thing, but it isn’t cause to panic. Indeed, frightened people tend to make poor security decisions. The bulk of the work is being done by system administrators, and there are changes to come in the ways critical software is scrutinized. But for most people like you and me, the job is to improve our password practices.

Many—I’d like to think nearly all—1Password users are good about having strong, unique passwords for each site and service. That habit should already make the current task easier for you. Heartbleed and this initial version of 1Password Watchtower gives you another opportunity to improve even more. Doing so will make you safer now and long into the future.

1Password, Heartbleed, and You

Heartbleed icon 200pxOur co-founder, Dave Teare, sent an AgileBits newsletter to our subscribers Friday night about the internet’s Heartbleed bug and how you can use 1Password to defend yourself and change all your passwords. We had a surprising number of requests to republish it here, so I’m happy to oblige!

If you want to receive our occasional AgileBits newsletter with news and tips about 1Password and Knox, as well as other goodies, hit the button below.


And now, our Heartbleed newsletter, republished here for our blog readers.


Hello everyone,

I’m writing to you today with some very important news. A vulnerability named Heartbleed was discovered in the software that protects most web sites.

Please read on to see what actions you need to take.

What is Heartbleed?

Heartbleed is a problem in OpenSSL, a software library that is used by most websites to secure your communication using SSL. It provides the S in HTTPS, or if you prefer, it’s what’s responsible for the padlock icon in your browser’s URL bar while browsing the web.

Normally when browsing a site using SSL, you can trust that the information you send to the website can only be seen by the website itself. This keeps your private information, such as credit cards, usernames, and passwords, secure.

The Heartbleed exploit enables attackers to bypass the protections provided by SSL. This means any information you sent to a website that relied on vulnerable versions of OpenSSL could potentially already be in the hands of the bad guys.

I found this XKCD comic explained perfectly how the Heartbleed exploit works.

1P4 Mac icon

1Password is Not Affected

There is a lot of work to be done as a result of Heartbleed, but lets start by talking about what this vulnerability does not mean.

1Password does not rely on OpenSSL to secure your data. Your data in 1Password is protected using Authenticated AES 256-bit encryption and can only be unlocked with your Master Password.

This means 1Password is not affected by the Heartbleed bug and there is no need to change your Master Password.

With that said, there is still a lot of work to be done…

update passwords 200px

Update Your Passwords, Phase 1

While your data is safe within 1Password itself, there is a good chance websites you used were vulnerable and did not protect your username and password.

The knee jerk reaction to this news is to change all your passwords immediately. While I will be recommending you change your passwords, not all websites have been updated yet to protect against this vulnerability.

The best advice I can give you is to change your most important website passwords immediately, including your email, bank accounts, and other high value targets. This will provide your best defense against previous attacks.

After a few weeks, websites will have been upgraded with new SSL certificates, and you will be able to trust SSL again. At this point you should change all of your passwords again.

How to Change Your Passwords

Changing your passwords on every website is a chore. On the bright side, 1Password makes it easy to upgrade all your website passwords.

How to Update Your Passwords

Heartbleed is a very serious issue so I hope you will take the time needed to update your passwords. Ideally you would change all your passwords, but at the very least, please update the most important ones.

heartbleed sale 200px

Stop The Bleeding

New, strong, unique passwords are your best defense against Heartbleed. 1Password makes this easy.

To make it easier for everyone to improve their security we decided to put 1Password on sale.

Save 50% Off 1Password and Stop the Bleeding

Please share news of Heartbleed with your friends and families. Simply forwarding this email is a great first step to helping them know that this is a serious issue.

I know I will be using this opportunity to finally convince my mother that she needs to take her internet security more seriously. Hopefully you will also be able to turn this crisis into an opportunity for good.

Stay Tuned

The Heartbleed story is continuing to evolve. I’ll be in touch again soon with an update.

While I normally send these newsletters infrequently, given the gravity of this situation, I’ll likely be sending a few extra this month. I hope you find this helpful.

To get updates even faster, be sure to friend us on Facebook or follow @1Password on Twitter.

Please keep in touch and let us know if there is anything we can do to help.

Heartbleed: Imagine no SSL encryption, it’s scary if you try

heartbleedOnly two months ago, in the wake of the “goto fail” bug, we had to point out that 1Password’s security does not depend on SSL/TLS. Today, with the far more damaging Heartbleed bug in OpenSSL, we need to tell you the same. 1Password’s technology is not built upon SSL/TLS in general, and not upon OpenSSL in particular. 1Password’s encryption remains safe.

This bug matters for everyone

Just because 1Password’s technology isn’t affected by this doesn’t mean that you aren’t. Pretty much everyone is affected by this. Many of the secure connections that you use with various services, including HTTPS connections to secure sites for shopping and many other activities, may be fully readable to attackers. Of course, this includes the usernames and passwords that you use to log in to various services. It’s not just HTTPS connections, but IMAPS—how your email program, such as Mail.app or Outlook, talks to a mail server—may be vulnerable.

“So I need to change all my login passwords, right?”

Your 1Password data remains safe, as does your 1Password Master Password. But whether or not you use 1Password to log into an affected site or service, your username and password, along with everything else that happens over that supposedly encrypted connection, may be exposed to attackers.

You will, at some point, need to change a lot of passwords. And 1Password makes this much easier than it other would be. But don’t rush to do that just yet. Not every server is affected, and those that are need to fix things at their end before you change your password. If you change your password before the servers fix things, then your new password will also be vulnerable to capture.

All that most of us can do is wait at this point. Presumably, various service providers will announce over the next few days when and whether users should change passwords or be aware that other confidential information may have been exposed.

Change password example

When changing your passwords, be sure to pick “Update existing Login” from 1Password’s prompt!

At this point, I can only guess at how long it will take for various service providers to make announcements. They are in a difficult position right now. First, they need to determine whether they are vulnerable. That means finding out if their particular SSL/TLS service was using OpenSSL (the most popular SSL library in use today) version 1.0.1 (Released March 2012) through 1.0.1f (1.0.1g, containing the fix, was released April 7, 2014).

Once a service upgrades to a fixed version of OpenSSL (or to some other cryptographic library), they will need to revoke the certificate that they had been using with with the vulnerable version of OpenSSL and obtain a new certificate. Exactly how long that takes will depend on how quickly they can get things sorted out with their certification authority. Certification authorities are going to be very busy over the next few weeks.

Only after a new, certified certificate is in place on a server that is not using a broken SSL/TLS library will it make sense for you to update your password for that service (or even trust your communication with it). Most of us simply have to wait until notified by various websites and services when and whether we should change passwords.

Certificates and keys

If you are curious about what is actually exposed by the heartbleed bug, read on. It requires some understanding of how certificates work, but I’ll try to give an overview of just the parts we need for this discussion. I will take a lot of shortcuts in the presentation and pretend that things are simpler than they actually are.

How certificates and keys work

In order for your browser and a web site to encrypt the communication between them, they need to use an encryption key. That key is typically a 128-bit number. Now, it may be that your browser and the particular website have never spoken to each other before, so they need to work out an encryption key for this session in such a way that someone listening in will not know what the key is. It’s as if they have to work out a password to share between them while communicating where anyone can listen.

The encryption key that they work out is just for that particular session. The next time your browser establishes a connection to that server, a new key is worked out. This is called a “session key”.

Establishing a session key

Your browser and the server work out a session key using something called “public key encryption”. Public key encryption is the nearest thing to magic you will find in mathematics and cryptography. When I describe what I do to school kids on career day, I say that I get to think like a criminal and do magic with math.

Anyway, the server will have a public key and a private key that are mathematically related. The public key is not a secret at all. The mathematically related private key is. It is possible to use the public key to encrypt stuff that can only be decrypted with knowledge of the private key.

So (and this is taking a big shortcut), your browser can pick a random session key and encrypt it using the server’s public key. Because only the server knows the corresponding private key, only the server can decrypt the encrypted session key. Once your browser has sent a randomly chosen session key to the server, both the server and browser can use that session key for their communication throughout that session.

The private key is a big, long number. Often thousands of bits long. And it can’t be just anything; it has to have the appropriate mathematical relationship to the public key. Clearly no human is going to be dealing with those keys directly. Typically, those keys are stored in a something that can be used by the server software and is protected by a password.

This scheme of using a password to protect a key and then have the key be used for the encryption is typical of high security software. You find this in SSH, PGP, and in 1Password. A strong key is picked by the software and that key is then encrypted with a password that a human uses. With 1Password, your data is encrypted with a random 256-bit key that is chosen when your data vault is created. Your Master Password is used (indirectly) to encrypt that key (again, I’m skimming over some details).

How heartbleed bleeds your privacy

Anyway, the heartbleed bug pretty much allows an attacker to probe a server that will end up revealing the private key. Once an attacker knows the private key, they can decrypt session keys that have been sent to the server, and thus decrypt all of the encrypted traffic that goes back and forth between the browser and the server.

Another bit of magic with public key encryption is the notion of “digital signature.” Your browser can create a mathematical challenge using the public key that only someone with knowledge of the private key can solve. This is part of how a website proves to a browser that it is what it says it is. If an attacker learns the private key of some website, then it can masquerade as that site.

All in all, the capture of a server’s private key is a bad thing, and that is what this bug enables.

Update for system administrators

Most of us ordinary folk need to wait for sites that need fixing to actually get fixed, then wait for instructions on whether we need to change passwords. But some of us need to get working. The definitive source for information about Heartbleed is heartbleed.com.  Since this article was originally written, Filippo Valsorda has published a tool for checking which sites are vulnerable (this has also finally pushed me to play with the Go programming language I’ve been hearing so much about).

Heartbleed pass

The IMAPS server passes the Heartbleed test

Valsorda has also created a web page based on his testing tool, which makes it easy for people who don’t wish to install and run the command line program to see which websites (or other services) are currently vulnerable to Heartbleed. I wanted to test the IMAP (mail access) server used by Fastmail.fm (which I use for my personal mail).  The name of the IMAP server is “mail.messagingengine.com” (which I happened to look up in my Email accounts category in 1Password). Because I wasn’t testing normal HTTPS, which used port 443, I also had to enter the port number for IMAPS, 993.  So what I put in the form was “mail.messagingengine.com:993″. This nicely passed the test at the time I tested.

Heartbleed fail example

The Heartbleed test fails for Dreamhost at the time of testing

To test a website, you do not need to put in the port number. The test will default to port 443 (HTTPS). So I was able to test Dreamhost.com by just using “dreamhost.com” in the form. At the time I tested, dreamhost had not updated to the fixed version of OpenSSL, and so the test reported it as vulnerable.

Patching OpenSSL isn’t enough

It is important to remember that during the period that your site was vulnerable attackers could have captured the key for the SSL certificate. Once they have your key, they can (under most circumstances) continue to read and manipulate traffic to and from your site. So the next step is to generate a new certificate and get that signed by a Certificate Authority. This is also a good opportunity to ensure that your RSA or DSA key is at least 2048 bits long. 1024 bit RSA and DH keys are no longer considered safe.

Once you have your new certificate signed and in place, you should inform users that their sessions may have been compromised prior to the installation of the new certificate. They should then change their passwords and take whatever other action is appropriate given that confidential data may have been exposed.

Updates

The bulk of this article was drafted late Monday (April 6) night and in the wee hours of Tuesday morning. We will have a series of other articles and announcements coming soon, so please continue to watch the Agile Blog for news here and 1Password on Twitter,  on Facebook, and on App.net. We will also be providing only minor updates to this post, as we prepare new ones.

April 12

  • A new certificate for agilebits.com was put in place on April 10 and Dropbox.com put a new certificate in place on April 11.
  • Now that Dropbox is using a new certificate, we’ve removed the earlier advisory for users of the 1PasswordAnywhere feature.
  • We’ve added some links to password changing instructions for 1Password 4 for Mac.