Schneier on Security
A blog covering security and security technology.
September 28, 2009
In computer security, a lot of effort is spent on the authentication problem. Whether it's passwords, secure tokens, secret questions, image mnemonics, or something else, engineers are continually coming up with more complicated—and hopefully more secure—ways for you to prove you are who you say you are over the Internet.
This is important stuff, as anyone with an online bank account or remote corporate network knows. But a lot less thought and work have gone into the other end of the problem: how do you tell the system on the other end of the line that you're no longer there? How do you unauthenticate yourself?
My home computer requires me to log out or turn my computer off when I want to unauthenticate. This works for me because I know enough to do it, but lots of people just leave their computers on and running when they walk away. As a result, many office computers are left logged in when people go to lunch, or when they go home for the night. This, obviously, is a security vulnerability.
The most common way to combat this is by having the system time out. I could have my computer log me out automatically after a certain period of inactivity—five minutes, for example. Getting it right requires some fine tuning, though. Log the person out too quickly, and he gets annoyed; wait too long before logging him out, and the system could be vulnerable during that time. My corporate e-mail server logs me out after 10 minutes or so, and I regularly get annoyed at my corporate e-mail system.
Some systems have experimented with a token: a USB authentication token that has to be plugged in for the computer to operate, or an RFID token that logs people out automatically when the token moves more than a certain distance from the computer. Of course, people will be prone to just leave the token plugged in to their computer all the time; but if you attach it to their car keys or the badge they have to wear at all times when walking around the office, the risk is minimized.
That's expensive, though. A research project used a Bluetooth device, like a cellphone, and measured its proximity to a computer. The system could be programmed to lock the computer if the Bluetooth device moved out of range.
Some systems log people out after every transaction. This wouldn't work for computers, but it can work for ATMs. The machine spits my card out before it gives me my cash, or just requires a card swipe, and makes sure I take it out of the machine. If I want to perform another transaction, I have to reinsert my card and enter my PIN a second time.
There's a physical analogue that everyone can explain: door locks. Does your door lock behind you when you close the door, or does it remain unlocked until you lock it? The first instance is a system that automatically logs you out, and the second requires you to log out manually. Both types of locks are sold and used, and which one you choose depends on both how you use the door and who you expect to try to break in.
Designing systems for usability is hard, especially when security is involved. Almost by definition, making something secure makes it less usable. Choosing an unauthentication method depends a lot on how the system is used as well as the threat model. You have to balance increasing security with pissing the users off, and getting that balance right takes time and testing, and is much more an art than a science.
This essay originally appeared on ThreatPost.
Posted on September 28, 2009 at 1:34 PM
An obvious solution for careless walkers-away: timed password-protected screen lock. This secures the machine left alone, but does not destroy the user's work context, so does not annoy the user too much. It also works nicely for the security-savvy people: I routinely lock my workstation when I walk away - it's a single keypress. Re-typing one's password when returning is a very slight inconvenience if at all.
For more security one may configure additionally auto-logout with a much longer timeout. It would be also nice to combine this with some token - engage screen lock when the token is removed and disengage when it is back in place.
Of course that works for personal devices, like laptops, non-shared office workstations etc.
I want to be able to leave all my apps up overnight and still access them exactly where I left off the next day.
DO NOT AUTOMATICALLY LOG ME OUT AFTER ANY AMOUNT OF TIME unless I select some option indicating I am at a "public terminal" or some such. My office at home is physically locked. My computers at work have screensaver locks.
My "session cookies" should never expire before I, the user, WANT them to expire. And I only want them to expire when I click "log out" or click 'I'm using a public terminal."
On Linux, KDE has a daemon which locks/unlocks your session based on whether a paired Bluetooth device is nearby. Many people keep their phone on them most of the time, so that can be quite a good yet unattended token.
Mac OS X and GNOME have an option to lock the screen after some time, different from the screensaver one.
I quite like the first one as it's not time-based but presence based, although it has its loopholes when you forget the device.
Microsoft has supported "smart card logon" since Windows 2000 and will lock the workstation (by default) when the card is removed. To unlock, insert the card and type in the PIN. When the card is also tied to the physical access control system you have a very solid solution.
A far bigger problem (imo) is the vast amount of web applications that do not properly unauthenticate users. Many webapps do *not* destroy session cookies server side, but rely upon the user closing their browser to terminate the session. Bad practice! To see if your site is guilty of this, see http://www.owasp.org/index.php/...
I liked the sunray from Sun Microsystems for this. Whilst I worked for them in the UK my ID badge was also my sunray card (you also used it in the vending machines).
You pull your badge out to leave your desk (as you need it to get through the turnstiles to go home), your session is locked and follows you to another sunray as long as the server didn't crash.
Hah. Just yesterday I was at a 7-11 ATM and the guy before me had left his account completely exposed at the "would you like another transaction?" menu. I see this all the time. (Hand over the camera, a couple of keypresses, and voilà, free money...if I was less moral.) But is this a user problem?
The problem is session persistence and that is a problem with software. This problem exists in embedded systems, client systems, and servers.
Even with systems that force client logouts, often the session will persist on the server and it can be replayed at a later time using the SessionID.
And as we all end up using the exact same handful of websites (in keeping with the spirit of "channelization" and the human nature to mimic and simplify) the spectre of mass automated cross site request forgery attacks looms larger and larger, making session handling issues much more important.
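The essay's point about tuning the idle timeout, and the comments above about web applications that never destroy the session server-side (so a captured session ID can be replayed later), can be shown together in a small session store. This is an added example, not code from the essay or from any commenter; the class names, the injected clock and the timeout values are assumptions chosen for illustration.

```python
"""Server-side session store with an idle timeout, an absolute lifetime and
explicit logout. Added example (not from the essay or the commenters); the
names and timeout values are assumptions. The clock is injected so the
expiry behaviour can be exercised without waiting."""
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    created: float    # time of authentication
    last_seen: float  # time of the last request that used this session


class SessionStore:
    def __init__(self, now, idle_timeout=600, absolute_timeout=8 * 3600):
        # now: zero-argument callable returning the current time in seconds
        self._now = now
        self.idle_timeout = idle_timeout          # the knob the essay tunes
        self.absolute_timeout = absolute_timeout  # cap even for busy users
        self._sessions = {}

    def login(self, user):
        # 128-bit random id; the browser holds only this, state is server-side
        sid = secrets.token_urlsafe(16)
        t = self._now()
        self._sessions[sid] = Session(user, t, t)
        return sid

    def touch(self, sid):
        """Validate a presented session id; return the user or None.
        An expired record is deleted, so the same id cannot be replayed."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self._now()
        if (t - s.last_seen > self.idle_timeout
                or t - s.created > self.absolute_timeout):
            del self._sessions[sid]
            return None
        s.last_seen = t
        return s.user

    def logout(self, sid):
        """Explicit unauthentication: destroy the record server-side instead
        of relying on the browser to drop its cookie."""
        return self._sessions.pop(sid, None) is not None

    def logout_everywhere(self, user):
        """'Log me out on all other computers': kill every session of a user."""
        victims = [sid for sid, s in self._sessions.items() if s.user == user]
        for sid in victims:
            del self._sessions[sid]
        return len(victims)


class FakeClock:
    """Constructed clock so the walkthrough runs instantly."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Exercise the cases the essay and the comments describe."""
    clock = FakeClock()
    store = SessionStore(clock, idle_timeout=600, absolute_timeout=3600)
    r = {}
    sid = store.login("alice")
    clock.advance(300)                                     # 5 min idle: fine
    r["active_within_idle"] = store.touch(sid) == "alice"
    clock.advance(601)                                     # >10 min idle
    r["expired_after_idle"] = store.touch(sid) is None
    r["replay_after_expiry"] = store.touch(sid) is None    # record is gone
    sid2 = store.login("alice")
    for _ in range(6):                                     # active every 9 min
        clock.advance(540)
        store.touch(sid2)
    r["alive_under_absolute"] = store.touch(sid2) == "alice"   # 54 min old
    clock.advance(540)                                     # 63 min > 1 h cap
    r["absolute_caps_active_user"] = store.touch(sid2) is None
    sid3 = store.login("bob")
    r["logout_destroys"] = store.logout(sid3) and store.touch(sid3) is None
    r["second_logout_noop"] = store.logout(sid3) is False
    return r


if __name__ == "__main__":
    print(demo())
```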
The UBS Multimat (general self-service bank machines) here have a nice simple way - there's a pressure mat in front of them. Step off the mat and it terminates any transactions and returns your card.
Bruce: "My home computer requires me to log out or turn my computer off when I want to unauthenticate."
That is not true, you can also lock your pc, leaving all sessions/programs open, but secured with a password.
At my university I always advise people to lock their system. We once had a time where it was popular to do something (mostly) unharmful and funny with someone's account when he/she didn't lock it: sending people e-mails saying he/she is giving a party that night, placing ten times the rule "fortune" in someone's .bashrc... etc.
This annoyed people enough to get them to lock their accounts every time they walk away :)
Most people now have a lock-button on their screen somewhere (mine is in the upper right); under Windows I use Win+L.
Works like a charm and is less work and less annoying than other solutions.
Two keystrokes (hold Windows key, press L) and your Windows machine's locked; one menu selection and the Mac is in the same state. There's a free app for the Mac which automatically locks it when your cellphone (or other Bluetooth device) goes out of range; I had intended to install that a while ago, but forgot. I may give it a try in the next few days; in the meantime, I always lock the machine manually.
Some online banking systems now require additional authentication for "risky" transactions (sending money to a third party's account as opposed to just viewing transaction data and moving money between your own accounts, for example): a colleague of mine uses an account which uses a challenge-response keyfob to re-authenticate if you want to transfer funds to an account you haven't previously sent to, for example, which seems a smart compromise.
I'm quite sure the annoyance factor being discussed here is more along the lines of being logged out while still sitting at your workstation (perhaps lost in thought?).
I don't know many people who would find themselves annoyed that they had to re-type their password when they came back from lunch, or even the bathroom.
Obviously you're too honest to have known this, haha, but if you try to 'perform another transaction' on nearly any ATM, it will ask you to re-enter the PIN number. At least on every ATM I've ever used.
@Shane: I'm quite sure the annoyance factor being discussed here is more along the lines of being logged out while still sitting at your workstation (perhaps lost in thought?).
I agree. It's easy to work at your desk for 5 or 10 minutes without any mouse or keyboard activity.
After much debate, including arguments at both extremes of the spectrum -- 1 minute (which is overkill absurd) to 60 minutes (which may as well be no lock out), to no lockout enforced with a policy mandating manual lockout when leaving (yeah right, like that would work)--we settled on a balance of 15 minutes plus a policy of locking out when away. Perfect? No, but what is. Perhaps a bit too lax, but better than nothing. We've actually had some fun with it--someone in the hall leaves their terminal unlocked, we have sent them an email from their own account reminding them of the policy then locking it out. They get the point.
Shane: I can have dozens of applications up at once, and I am EXTREMELY annoyed when I have to re-type twelve passwords after going to the bathroom.
Authentication/Unauthentication is like the issue with backups and "secure data destruction".
Doing the first is usually a "simple" solvable technical problem compared to the apparently hard "human problem" that persistence causes.
After all Authentication and backups have clearly identified aims and objectives at a given point in time.
The obverse action usually has an ill defined time point and sometimes ill defined objectives due to complex relationships.
The solution unfortunately requires that the obverse action be built into the initiating action of authentication and backup at the design stages. Which is currently something that is not done, hence the problems that arise.
One of the problems with security design is that we focus on specific functions without thinking about the opposite action.
A classic physical security example is turnstiles: they allow ingress, but what about egress, especially in an emergency such as a fire?
Often you see two sets of turnstiles or additional emergency exits. These are effectively "bolt on solutions" that have their own issues over and above that of additional cost.
As was once noted,
"That, that you seek to do you must first undo."
I like to hack into hotmail and gmail accounts by breaking into houses and learning details to answer people's security questions.
"The machine spits my card out before it gives me my cash"
I'm actually amazed by the number of banks/ATMs that do this in reverse order (I know Bank of America has it ass backwards).
I like my bank's ATMs because they keep my card until I'm done. It reminds me to finish completely to have it both log out and give me back the card. Then again, I've had a friend forget his card in one before. Thankfully, that system was setup to "eat" the card after a few seconds and he went back to the bank and retrieved it.
I dislike websites that log me out when I log in on a different machine (obviously, I log out when I'm doing business, but I don't really care if I'm logged out of recreational sites). However, I've seen the option before that says "Log me out on all other computers". That lets you log out of a remote machine if you have forgotten.
For my apartment, I have two locks: a standard latch-lock that locks as the door closes, and a proper deadlock. The first gives me unobtrusive, but limited, security (useful when I pop out of the house for 5 minutes). The second lock gives much better security at the cost of more inconvenience (for when I leave the house all day).
What's the computing authentication equivalent? Screen lock versus log out? Is logging out actually any more secure, given that it's usually a common authentication mechanism?
"when I want to unauthenticate."
Unauthenticated is a state meaning "not authenticated".
It cannot be used as a verb, just as unencrypted or unknown cannot be used in that manner.
Wouldn't you correct the speaker if someone said "I need to unknown that information"?
De-authenticate is a perfectly valid and correct term.
"My home computer requires me to log out or turn my computer off when I want to unauthenticate. This works for me because I know enough to do it, but lots of people just leave their computers on and running when they walk away. [...] The most common way to combat this is by having the system time out."
The most efficient way would be
1) Tell the users about Win+L
2) During lunch break, walk around the office and from each unlocked station, write a mail to the boss telling him what an idi&$&%le he is
3) Tell them again about Win+L. You'll find them much more interested.
There are some things people just don't believe in until they see the consequences. So sometimes you have to find a way to show the consequences in a shocking, but harmless way.
oh.. and tell your boss about it beforehand...
Another common example are ignition locks in cars: usually the authorized driver takes the key with him.
I remember reading an interview with an Audi exec a while ago about it: he stated it would be possible to have safer car locks but then the number of car-jackings would increase (to a level where potential buyers will stay away from a 'safe' brand).
Dell just released a new Latitude Z600 laptop model, whose built-in 2MP webcam spots when a registered user has stepped away from the computer. When the Z600 sees that the user has left, it automatically locks the machine.
I've seen laptops with a fingerprint reader which unlocks the screen.
Seems to work well.
"At my university I always advise people to lock their system."
I hope that advice wasn't to students. Because it is a huge annoyance when every computer in the computer lab is locked by people that may or may not have already left for home.
The Bluetooth distance approach is not new; there is a commercial utility available for the Mac, called BluePhoneElite, that does this. I don't know exactly how long it has existed, but I'm pretty sure that I tried it once at least three years ago.
Interesting, an additional issue for us is the use of thin client (Citrix) to distribute some applications. So you can be working in a local app then find the remote application has closed due to inactivity - which gets annoying as you haven't actually left your machine.
@stuandgravy: Yes, logging out is sometimes more secure. That ensures that any programs that keep decrypted authentication data in memory (such as SSH key agents and web browsers) are no longer running.
Which leads me to my complaint about Mozilla.
I've recently started using Mozilla's built-in password-remembering facility so that I can conveniently use a different password on every site, rather than having a group of common passwords of varying security levels. (This works for me now as it hasn't in the past because I can now use XMarks to synchronize my passwords across the various machines I use.) However, the user interface is awful, at least as far as figuring out whether or not your browser is allowing whomever's using it to use your authentication information.
First, there's no way to see if authentication information is currently being automatically filled in or not. Second, while there's a quick keystroke sequence to clear it, it appears not to work sometimes (conflicts between add-ons?). Without an easy way to see if your browser is filling in authentication information, you then have to turn on the "prompt" mode for the clear-auth-info function which means yet another dialogue box to deal with. Third, there's a "security.password_lifetime" setting which is supposed to time out the auto-fill-of-authentication-info function, but it doesn't appear to work. Looking up that setting just now, I see that there's a "signon.expireMasterPassword" setting that defaults to false; perhaps that needs to be true as well?
This security interface can only be described as "better than GnuPG."
Fortunately, Firefox can be set to remember the tabs and windows from the previous session, so exiting the browser is a fairly convenient option. Still, it's something I need to remember to do when leaving my machine for more than a few minutes, if I want to maintain my desktop state and thus don't want to log out. I'm starting to build up a list of these things now, since I also need to remember to clear the keys in the ssh agent. The Gnome folks have yet to see fit to honour the timeout I ask for when I run ssh-add.
So yeah, deauthentication is in a very primitive state right now. Someone could do the world a big favour by coming up with a set of guidelines for both function and interface for programs storing authentication information, and maintaining a "wall of shame" for those applications that don't follow the guidelines.
btw, the Windows screensaver has some kind of "grace period" when it's activated but does not yet require a password to unlock the screen again.
It's only 1-2 seconds but usually it is enough for me to give the mouse a quick push once I notice the screen going blank.
I find that a very convenient solution.
@A Nonny Bunny:
"I hope that advice wasn't to students. Because it is a huge annoyance when every computer in the computer lab is locked..."
At our university, people are advised to lock their X-sessions but the only permitted application to do so displays a "log the current user out" button after 15 minutes.
In other words: Locking your system while going to the bathroom is fine. If you are away longer, you may well find your session killed.
While we are at it: Is there a client driven way to make a browser (Firefox) forget the http-auth credential?
Drives me mad having to relaunch the browser after meddling with router/cups and such.
"RFID token that logs people out automatically when the token moves more than a certain distance from the computer" Has anyone actually implemented something like this? Looking for a non-sales-pitch solution which works on UX machines as well as wintel. Not looking for building blocks, but for a complete working package. (And by contactless I don't mean within 3 inches, but about 4 meters.)
"Is there a client driven way to make a browser (firefox) forget the http-auth credential?"
and select "Active Logins" (or similar, I don't have an English version at hand) under "Details".
> Hah. Just yesterday I was at a 7-11 ATM and the guy before me had left his account completely exposed at the "would you like another transaction?" menu. I see this all the time. (Hand over the camera, a couple of keypresses, and voilà, free money...if I was less moral.) But is this a user problem?
Try it. Many of these will ask you for the PIN as soon as you say "yes." I cancel out before leaving as it's one more button press, and it's out in the open, unlike an office computer.
I have worked on far too many systems where no one on the technical team can get their heads around this problem. For internal processes, they just enforce policies to sign off, or else. For external systems (e.g. websites) they just keep turning down the timeout, which has awful end-user problems (e.g. form that takes 10 minutes to fill out, 4 min timeout).
"... it is a huge annoyance when every computer in the computer lab is locked by people that may or may not have already left for home."
@A Nonny Bunny
The EE computing lab where I went to school had conspicuous signs posted:
"Leaving your terminal locked is punishable by loss of your account."
None of the CS labs had signs like that, though. Funny, since the EE and CS departments --although belonging to two different colleges-- were under more-or-less common top-level administration.
"The most efficient way would be
1) Tell the users about Win+L
2) During lunch break, walk around the office and from each unlocked station, write a mail to the boss telling him what an idi&$&%le he is
3) Tell them again about Win+L. You'll find them much more interested."
At my work, step 2 was replaced by "and play pranks with those computers." Usually by e-mailing the boss (laid back company that understood the humor). Kept people from forgetting to log off.
I pretty regularly lock my windows machine while I'm away. Which means the only entities out there that can abuse it must either know my password, or hack into it (or have a virus / malware on it).
Similar to this, I always set up my browser to delete all cookies as soon as I close the browser. This has the effect of un-authenticating me from any websites that would have remembered me ... except the ones that use flash cookies ... gotta work on that part.
Critical systems, like locomotives use a deadman switch, which shuts down all movement if the engineer gets up from their seat (or where ever the deadman switch is placed)... I think the MultiMat is an analogous system for ATM terminals, but could there be something similar for workstations, laptops and other consumer-weight products?
On another note, I recently tried a product called PrivateEye from Occulus(sp?) -- which blurs the window (and can lock the workstation) when there is no gaze factor... I think the next version will do some rudimentary facial recognition (not just any gaze). I thought this might be useful in some situations as well.
It seems Dell has been thinking about this, too. Their latest generation of business laptops - the Latitude Z - has a feature (using the webcam) that locks the machine when the user moves away from it.
Though I fear this may be *too* often for most users, and they may decide to turn the feature off (even worse for security). Then again, it's just 1 extra step to log back into a locked machine, so perhaps most users won't mind.
The essay makes some interesting points. It's generally accepted that security runs counter to usability by definition, and I definitely agree that finding the balancing point is truly the art form of intelligent security. It's always extremely easy to go to either extreme with very little thought, and often either extreme can be easily justified, but it's the middle that gets so murky. Just reading through the posts, the universal problem shows up that everyone is different. It's normally accepted that the best solution is the one that does the most good for the most people, but honestly I'd like to see a solution to this head in a different direction.
Users normally get a moderate amount of input in the authentication process. Whether it's choosing your own username, choosing a security question, choosing your own password complexity, the user has at least some element of control. I have a paranoid friend that loves using a 30 character password whenever possible - to him this is perfect, he values peace of mind over usability. Users rarely get any choice over the unauthentication process. With websites it's often just a logout button, or a cookie expiration of unknown timeout duration to the user. Wouldn't it be wonderful if the user had more input into this part of the security equation? I would love to see developers acknowledge that no system can ever be perfect for everyone, take the security minded approach and default to high security unauthentication techniques, but advertise and communicate that these annoyances can be lessened with the tradeoff of laxing security - let the user establish his own risk/reward combination instead of a developer trying to determine it.
Personally, I've used combinations of proximity and password authentication coupled with proximity and timeout unauthentication. Some of the best applications of this have been based around bluetooth cell phones. I would love to see this trend extended to different items that make even more sense to me - something like a wedding ring. I'm highly unlikely to ever: remove it from my person, forget to bring it with me, forget and leave it at my workstation, etc... Obviously this isn't perfect for everyone (or potentially even doable right now), but that's kind of my point =)
@frank: I wrote that bluetooth proximity paper in 2004, so while the citation isn't timely the research was (-:. A lot of the bluetooth 'proximity' systems are "is it in range", whereas bluemon tries to estimate distance more closely.
@jos: You can't do RFID over more than a few inches, so it's not the technology you are looking for. There are a number of products which will do something similar with bluetooth (see the other comments). Bluemon (linked from the article, there's software for download on my site as well) will do it for linux, with a small amount of setup, so it possibly counts as 'building blocks'.
I recently rented a car that unlocked ALL the doors as soon as I turned off the ignition.
Is this a de-authentication? Toyota decided for me that I no longer required security. Even though I'm not inclined to automatically lock car doors when I get in, I found this function to be creepy and unsafe -- down-grading security, even if the original security was un-asked for, makes the user vulnerable. If I decide the car doors should be locked, I wouldn't unlock them just because I turned off the car. I'll never buy a vehicle that does this.
While the automobile unlocking is the opposite of de-authenticating from a computer application what they have in common is someone external to the situation trying to solve a complex problem without any context information.
In a quest to make it easy, system administrators keep trying to predict and control a situation with complex variables, allowing the user to remain ignorant and avoid personal responsibility, without really achieving improved security.
I say make it hurt -- make people pay for their ignorance and carelessness. Let them lose face, money, or even their jobs. Put the risk and control back where it belongs -- with the user -- and a lot of these problems will go away.
Sure technology can solve a lot of problems but catering to ignorance and laziness doesn't solve the core problem of situational awareness. As Thoreau once said: "The problem with making things fool-proof is fools are so ingenious".