Building a Better Mousetrap: Two Factor Passphrases

The password debate never ends.  Instead, it seems to be increasing in intensity.  The problem is the use of passwords isn’t going away anytime soon.  The cost of replacing passwords with a more secure access control method is typically too high, making it impossible to sell related projects to management.  Even the use of strong passwords is often regarded as either less secure—because users inevitably write them down—or a hindrance to productivity.  However, there may be a middle ground which can help bridge the timeline between password use and multi-factor authentication.

Background

Before jumping into the how-to part of this article, I want to look at how security professionals view password risk and related management.  A recent post in the SANS Internet Storm Center Diary, along with reader posts, sums this up pretty well.

There are four basic ways for a bad guy to get your password:
(a) Ask for it. So-called “Phishing” and “Social Engineering” attacks still work, and always will
(b) Try dictionary words at the login prompt in the hope to get lucky (“Brute Force”)
(c) Obtain the encryped/hashed [sic] password somehow, and crack it
(d) Leech the password off your computer with keylogger malware

None of these four scenarios becomes less likely if you change your password every 90 days. If the bad guy can’t break the password hash (c) within a couple days, he’ll likely just look for an easier target. Attack (b) is also out for quick wins – either it works within the first couple dozen passwords tried, or the bad guy moves on to easier prey. If (b) or (c) are successful, or the attacker already has the password through (a) or (d), 45 days on average is more than enough to empty out your bank account or use your email address for a big spam run.

Source:  Password rules: Change them every 25 years, Daniel Wesemann, 2 November 2009

For me, the two takeaways from this article are:

• There is more than one way to compromise and use a password access control, all of them tested and in wide-spread use
• The common account policy of requiring a password change every 45, 60 or 90 days is not a good security control

No, this doesn’t mean you should throw up your hands, assign the same simple password to all your accounts, and hope for the best.  If you can use a second authentication factor, if your organization or you can afford it for work or personal use, then implement it.  If not, I may have an alternate safeguard.

Two Factor Passphrases

First, this is not an original idea of mine.  I heard Steve Gibson discuss the concept on a Security Now podcast.  However, I’m taking it a bit further by extrapolating the concept into a complete solution.

I am not a proponent of strong passwords.  Users write them down or forget them, causing either security audit or productivity issues.  I also agree with Wesemann and his readers that changing a password frequently isn’t a good way of protecting  personal or organizational assets.  So I combined the use of random passwords with a memorable passphrase to develop a process I believe solves most—not all—problems with passwords.

1. Obtain a 13 character random password.  I used Steve Gibson’s random password generator for my example, and selected GSD6BtvzM4A0j.
2. Write down a phrase with 7 or more words.  I used, “Every Day I Look Better and Better.”  (I hope my wife doesn’t read this…)
3. Use the first character of each word in the phrase to arrive at an initial series of characters.  In my example, this works out to EDILBAB.
4. Change one or more of these characters to make the string a little harder to guess.  3D1LB+B.
5. Enter the 13 character random password into a text file and memorize the 7 character string from Step 4.

We now have two factors for authentication—something we have (GSD6BtvzM4A0j) and something we know (3D1LB+B).  Combining these two character strings into a number of different passwords is easy.

1. Go to one of your password protected sites.  I used my bank.
2. Change your password to a new two factor passphrase:
   1. Copy the 13 character string from your text file and paste it into the new password field.
   2. Insert your memorized 7 characters into the 13 character string.  I decided to insert it in the second character position, coming up with G3D1LB+BSD6BtvzM4A0j as my 20 character, sort-of random, password for this site.
3. Record the site and the character position in your password text file.  I list three password insertion points in Figure 1.

Figure 1

Note the Bank location is 3, not 1.  I inserted another layer in the process by adding 2 to actual insertion points.  This probably isn’t necessary, but I’m more paranoid that most.

Each time I step through the new/change password process, I try to select a different insertion location.  Yes, I will quickly run out of insertion points.  However, I will still have 14 strong passwords instead of one. 

If every time I log in I copy and paste the 13 character string into the password field, most of the password is unreadable by typical keyloggers.  The only portion of the password a keylogger would see is the 7 memorized characters as I enter them.  Brute force attacks against those sites or networks without a maximum number of incorrect attempts set are very difficult when using passwords of this size.  In fact, the work factor required to crack my sample password should be high enough to deter anyone from getting to any data my computer or sites might have to offer.  This also solves the problem of strong passwords, since we are actually recording the hard-to-remember part of the password. 

The final step is safely storing the text file with your password fragment and insertion points.  The easiest way I found of both protecting the file and having access to login information wherever I go is to use a TrueCrypt protected USB memory stick.  I use a long passphrase which I never use for anything but accessing mobile TrueCrypt data stores.  An attacker would have to gain physical access to the device to crack the password.  There would be plenty of time between the time I lose my USB device and the cracking of the encryption (if ever) to allow me to change my passwords.

The Final Word

No, this isn’t for everyone.  The complexity of this process would bring a normal user to tears.  However, this approach or your version of it can help protect,

• Network administrator accounts
• Accounts used to access highly sensitive information
• Your own accounts

Protecting core productivity apps with EMET

This week Microsoft released a toolkit designed to help IT professionals protect systems from common threats.  Named the Enhanced Mitigation Evaluation Toolkit (EMET), this little gem is easy to implement, once you install the very small executables on your workstations.

Before I walk you through setting up FireFox, I want to take a minute to tell you why you should care about this.

Why you should care

In its initial release, EMET protects against exploitation of four common attack vectors.  When an application is “configured,” requisite behavior necessary for an effective compromise of a system is blocked.  The following information is from readme.rtf included in the downloadable EMET .zip file:

1. SEHOP – Structured exception handling (SEH) chain validation breaks SEH overwrite exploitation techniques.
2. Dynamic DEP – Certain portions of memory are marked as non-executable.  Using EMET, you can target specific applications instead of fighting with compatibility issues caused by setting DEP in the BIOS.
3. Null page allocation – Attackers are blocked from taking advantage of NULL dereferences in user mode.
4. Heap spray allocation – Heap spraying involves filling a process’ heap  with specially crafted content to aid system exploitation.  EMET pre-allocates those memory addresses and blocks these attacks.

Although Microsoft hasn’t testing all possible applications, they have successfully tested the following:

1. iexplore.exe (IE) – although there are apparently some problems getting IE to behave all the time.
2. winword.exe (Word)
3. excel.exe
4. acrord32.exe (Acrobat Reader)
5. firefox.exe
6. outlook.exe
7. powerpnt.exe

The developers of EMET warn it isn’t for everyone.  Since EMET turns off functionality some applications may need to work as expected, it should only be used by IT personnel willing and able to work through possible issues.

Using EMET

Using EMET starts with a quick download of a .zip file.  Extract the file in a folder not generally accessible.  This helps prevent unwanted visitors to the target system from messing with them.

Once I extracted the files on my Windows 7 Ultimate desktop, I was in such a big hurry to start testing I forgot about my “new enhanced” security.  EMET is run from a command prompt and requires elevated privileges.  So my initial run was thwarted until I performed the following steps to bring up a command line window with the proper permissions:

1. Click Start
2. Type Command Prompt in the search field.
3. Right click on Command Prompt at the top of the programs list to bring up the window shown below.
   

   Figure 1

4. Click Run as administrator

I then followed the simple example in the readme document to protect FireFox, as shown in Figure 2.

 

Figure 2

Pressing Enter resulting in a successful run of EMET.  I confirmed this by listing all protected applications.  See Figure 3.

Figure 3

That’s all there is to it.  EMET works with

• 32-bit Windows XP, Server 2003, Server 2008, Vista and Windows 7
• 64-bit Vista, Windows 7 and Windows 2008 R2

Security Note: New method for detecting forgeries

A new visualization approach to detecting forgeries was presented this summer at EuroVis 2009.  Songhua Xu demonstrated how pen angle and pressure provides enough information to determine if a signature, for example, is a forgery.

In this image, the signatures at the top are genuine.  It is easy to see that what Songhua Xu calls the “lilly” is different and inconsistent on the bottom, forged examples.  Supposedly, any forgery is easily detectable no matter how close it “looks” to genuine one.

Interesting Find: Chrome exposes links

Have you ever wanted to see where a link takes you or whether it actually downloads what you expect?  If so, you know there are add-ons for FireFox and other browsers that provide this functionality.  However, I just noticed this morning while working within my research SandBoxie sandbox that Google Chrome apparently provides this functionality out-of-the-box.

When I hover my mouse icon over a link, the destination or file references appears in the lower left corner of my browser window.  Not perfect, but a nice quick-check.

Security Tip: Patching must include ALL applications

Once again, patching isn’t just about plugging holes in Windows.  Most if not all applications have security vulnerabilities if someone looks hard enough.  Up until now, however, finding those vulnerabilities was harder than just whacking the OS.  But Microsoft has settled into a patch release routine that, when followed, pretty well hardens servers and user workstations.  And although there are still vulnerabilities, the level of effort required to find and exploit them has become harder—more difficult than shifting focus to widely installed user applications.

Adobe is experiencing attacker-love now.  They are a good target because their reader is everywhere. 

Adobe’s software has increasingly come under attack in recent years as hackers have come to realize that it can be easier to find flaws in popular software that runs on top of Windows than to dig up new vulnerabilities in the operating system itself.

That’s led to a round of new attacks that exploit bugs in products such as Adobe’s Reader, Apple’s QuickTime, and the Mozilla Firefox browser, for example.

It’s a reality that Adobe Chief Technology Officer Kevin Lynch freely acknowledged Monday in a press conference at the company’s annual Adobe MAX developer conference, held in Los Angeles.

Source:  After attacks, Adobe patches now come faster, Robert McMillan, Computerworld, 6 October 2009

But Adobe isn’t the only end user application on your endpoints.  It’s critical to get ahead of the attack curve by developing an overall patch process today, BEFORE that new user productivity tool becomes a target.