Web Browser Password Managers – panacea or paranoia ? Mikhael Felker [mikhael@ieee.org]

Who am I? Mikhael Felker, CISSP M.S., MSISPM, CMU Research Assistant, CERT/NetSA B.S., Comp. Sci., UCLA Sandia Labs, Information Security (R&D) UCLA Laboratory for Advanced Systems Research (LASR) Plus the regular IT stuff (Institute of Pure and Applied Mathematics, UCLA Medical Center, Westwood Financial Corp., etc.)

Mikhael Felker, CISSP

M.S., MSISPM, CMU

Research Assistant, CERT/NetSA

B.S., Comp. Sci., UCLA

Sandia Labs, Information Security (R&D)

UCLA Laboratory for Advanced Systems Research (LASR)

Plus the regular IT stuff (Institute of Pure and Applied Mathematics, UCLA Medical Center, Westwood Financial Corp., etc.)

Topics covered Why study browser password managers? Attacks (the juicy info) Some Demos Usability (not juicy, but necessary) Mitigation (why we partially get paid)

Why study browser password managers?

Attacks (the juicy info)

Some Demos

Usability (not juicy, but necessary)

Mitigation (why we partially get paid)

Password Managers

Banking (PNC, Chase, JP Morgan, etc.) School/Workplace Insurance (Car (Allstate), Life (Hartford), Medical(UPMC) Social Networking ( Myspace, facebook, xanga, etc.) Forums (expertexchange, sci.crypt, Slashdot, etc.) E-mail (Gmail, Hotmail, Yahoo!, etc.) Investments (Fidelity, Vanguard, E*Trade, etc.) Professional Associations (IEEE, ACM, etc.) Online Access For Just About Anything

Password Manager? Easy way to store different usernames AND passwords Can create random or pseudorandom passwords avoids one compromise having domino affect Can increase security if used effectively Sometimes protected with ‘master key’

Easy way to store different usernames AND passwords

Can create random or pseudorandom passwords

avoids one compromise having domino affect

Can increase security if used effectively

Sometimes protected with ‘master key’

Why Password Managers in Browsers versus separate application? Mainly Convenience Built-in (no extra download) Ease of use Free How are these compared to Others? Might have two step procedure (copy & paste--key/value i.e. PasswordSafe) Set up of keys etc. Some cost $$

Mainly Convenience

Built-in (no extra download)

Ease of use

Free

How are these compared to Others?

Might have two step procedure (copy & paste--key/value i.e. PasswordSafe)

Set up of keys etc.

Some cost $$

Case Study IE - ‘ AutoComplete ’ ~ (85 + 10) 95% market share Firefox - ‘Password Manager’

IE - ‘ AutoComplete ’

Firefox - ‘Password Manager’

Password Storage Internet Explorer Storage Construct: Registry Format: Binary, stored as a pair of hex values Encryption: TripleDES Access: Protected Storage API Requirements for Access: User logged in Transient Storage: Symmetric keys zeroed from memory after use Firefox Storage Construct: Text File ( signons.txt ) Format: ASCII, encoded in Base64 (except URL and tags) Encryption: TripleDES [CBC mode] Access: Network Security Services (NSS) API Requirements for Access: User logged in and Master Password (if set) Relevant files: Certificates (Signed Public Keys) cert N .db, Private Key Database key N .db, Security Module secmod.db HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerIntelliFormsSPW %userprofile%Application DataMozillaFirefoxProfilesxxxxxxxx.defaultsignons.txt

Internet Explorer

Storage Construct: Registry

Format: Binary, stored as a pair of hex values

Encryption: TripleDES

Access: Protected Storage API

Requirements for Access: User logged in

Transient Storage: Symmetric keys zeroed from memory after use

Firefox

Storage Construct: Text File ( signons.txt )

Format: ASCII, encoded in Base64 (except URL and tags)

Encryption: TripleDES [CBC mode]

Access: Network Security Services (NSS) API

Requirements for Access: User logged in and Master Password (if set)

Relevant files: Certificates (Signed Public Keys) cert N .db, Private Key Database key N .db, Security Module secmod.db

Attacks INTERNET Proximity Application Layer (MITM) Network Layer (MITM) Server based

Attacks (IE) What is PStore ? Protected Storage System Provider Successor is Data Protection API (DPAPI) API calls to get “protected information” Used in? IE ( AutoComplete Forms ) Outlook Express MSN Explorer

What is PStore ?

Protected Storage System Provider

Successor is Data Protection API (DPAPI)

API calls to get “protected information”

Used in?

IE ( AutoComplete Forms )

Outlook Express

MSN Explorer

DEMO – Pstore vs. PassView Freeware program: Protected Storage PassView v1.62 (Nir Sofer) Outlook Express Passwords “ Be aware that if delete an existing Outlook Express account, the password won't be removed from the Protected Storage” AutoComplete Passwords AutoComplete Fields Password-Protected sites “ basic-authentication” MSN Explorer passwords Multiple Passwords (similar to Firefox) “ In some circumstances, multiple pairs of user-name and passwords are stored for the same logon window “ Commercial software also available: Elcomsoft Advanced Internet Explorer Password Recovery (AIEPR)program

Freeware program: Protected Storage PassView v1.62 (Nir Sofer)

Outlook Express Passwords

“ Be aware that if delete an existing Outlook Express account, the password won't be removed from the Protected Storage”

AutoComplete Passwords

AutoComplete Fields

Password-Protected sites

“ basic-authentication”

MSN Explorer passwords

Multiple Passwords (similar to Firefox)

“ In some circumstances, multiple pairs of user-name and passwords are stored for the same logon window “

Commercial software also available: Elcomsoft Advanced Internet Explorer Password Recovery (AIEPR)program

Attacks ( Firefox ) Walk up and take what you like No ‘Master Password’ Master Password Set Password Cracking (“FireMaster”) Dictionary Brute Force Hybrid Denial of Service

Walk up and take what you like

No ‘Master Password’

Master Password Set

Password Cracking (“FireMaster”)

Dictionary

Brute Force

Hybrid

Denial of Service

FireMaster - Password Cracking Dictionary words ~ seconds Hybrid ~ minutes (depends) Brute Force 32 char [a-z] + [0-9] ~ 3 years Exhaustive search On avg. 1.5 years Distributed? We’re in trouble!! Any 2 words (10 6 incl. scientific + medical) any length 10000 CPUs ~ 10 hours

Dictionary words

~ seconds

Hybrid

~ minutes (depends)

Brute Force

32 char

[a-z] + [0-9]

~ 3 years

Exhaustive search

On avg. 1.5 years

Distributed?

We’re in trouble!!

Any 2 words (10 6 incl. scientific + medical)

any length

10000 CPUs ~ 10 hours

Attacks (Firefox) cont. Denial of Service Delete key N .db, cert N .db, signons.txt No access to any sites

Denial of Service

Delete key N .db, cert N .db, signons.txt

No access to any sites

Attacks (independent- JavaScript)

javascript:( function(){ var s,F,j,f,i; s = &quot;&quot;; F = document.forms; for(j=0; j<F.length; ++j) { f = F[j]; for (i=0; i<f.length; ++i) { if (f[i].type.toLowerCase() == &quot;password&quot;) s += f[i].value + &quot;
&quot;; } } if (s) alert(&quot;Passwords in forms on this page:
&quot; + s); else alert(&quot;There are no passwords in forms on this page.&quot;);})(); JavaScript “ bookmarklet ” iterate all forms iterate all objects check password type and save value print out IE

javascript:(

function(){

var s,F,j,f,i;

s = &quot;&quot;;

F = document.forms;

for(j=0; j<F.length; ++j)

{

f = F[j];

for (i=0; i<f.length; ++i)

{ if (f[i].type.toLowerCase() == &quot;password&quot;)

s += f[i].value + &quot;
&quot;;

}

}

if (s) alert(&quot;Passwords in forms on this page:
&quot; + s);

else alert(&quot;There are no passwords in forms on this page.&quot;);})();

Quick Transition to Mitigation Strategies (browser independent) Develop web sites that prevent use of saved fields Special attributes ( not W3C standard) Pretty good adoption (Chase, Fidelity, E*Trade, etc.) This text is saved: <INPUT TYPE=&quot;text&quot; NAME=&quot;AutoCompleteTest&quot;> This text is not saved: <INPUT TYPE=&quot;text&quot; NAME=&quot;AutoCompleteIgnore&quot; AUTOCOMPLETE=&quot;OFF&quot; > Source: MSDN

Develop web sites that prevent use of saved fields

Special attributes ( not W3C standard)

Pretty good adoption (Chase, Fidelity, E*Trade, etc.)

Advanced JavaScript What kind of interesting attacks are possible with: Web proxies + AJAX? XMLHttpRequest HEAD / bobpassword HTTP/1.1 GET / HTTP/1.1 host:www.americanexpress.com Inject JavaScript + modify HTML (AutoComplete=“on”) PC Web Proxy INTERNET HTTP/1.1 200 OK [...<html>AMEX.....<script>......</html>

What kind of interesting attacks are possible with:

Web proxies + AJAX?

What else with AJAX? Time users entry + send passwords Remove form validation Automatically set AutoComplete to Save window.external.AutoCompleteSaveForm(form) Many more possibilities to come Historic trends: not everything that was intended to be “useful” is safe, vulnerabilities come much later—look at ARP, TCP/IP, SMTP, VoIP, ActiveX, etc. Quick Note: XMLHttpRequest—sends back to original host (can anyone say DNS poisoning?)

Time users entry + send passwords

Remove form validation

Automatically set AutoComplete to Save

window.external.AutoCompleteSaveForm(form)

Many more possibilities to come

Historic trends: not everything that was intended to be “useful” is safe, vulnerabilities come much later—look at ARP, TCP/IP, SMTP, VoIP, ActiveX, etc.

Quick Note: XMLHttpRequest—sends back to original host (can anyone say DNS poisoning?)

Serious Malware concerns Installed via e-mail, hacked pages, P2P networks, security exploits etc. BackDoor – AXJ Store AutoComplete info, sends back to attacker, or act as web proxy Srv.SSA-KeyLogger Installs on IE, turns on AutoComplete, sends passwords as seemingly innocuous HTTP GET Your Corporate firewall, and reverse proxy are not going to save the day What if these methods are widely used? Can anyone say Phishing? Identity theft? Cases of extortion? Blackmail? Others?

Installed via e-mail, hacked pages, P2P networks, security exploits etc.

BackDoor – AXJ

Store AutoComplete info, sends back to attacker, or act as web proxy

Srv.SSA-KeyLogger

Installs on IE, turns on AutoComplete, sends passwords as seemingly innocuous HTTP GET

Your Corporate firewall, and reverse proxy are not going to save the day

What if these methods are widely used?

Can anyone say Phishing? Identity theft?

Cases of extortion? Blackmail? Others?

Usability

Usability X Ability to choose to save URL, usernames, or passwords X Ability to easily access passwords in plaintext X X Ability to NOT save any information in forms X Ability to easily change per web site preference “saved” vs. “not saved” X X Prompted for saving passwords Firefox 1.5.0.1 Internet Explorer 6

Mitigation

Mitigation Strategies (IE) Abstain from using AutoComplete Disable manually IE options Can be turned on via Malware User different browser Corporate - Group Policy Objects ( GPO ) Usually in large ‘Active Directory’ environment Prevent users from using IE AutoComplete

Abstain from using AutoComplete

Disable manually IE options

Can be turned on via Malware

User different browser

Corporate - Group Policy Objects ( GPO )

Usually in large ‘Active Directory’ environment

Prevent users from using IE AutoComplete

Mitigation Strategies (Firefox) Set password Ensure Complexity Enable FIPS Require each session to be authenticated Prevent DoS Keep backup copies of (keyN.db, certN.db, signons.txt)

Set password

Ensure Complexity

Enable FIPS

Require each session to be authenticated

Prevent DoS

Keep backup copies of (keyN.db, certN.db, signons.txt)

Conclusion Internet Explorer = not good for securely saving passwords Firefox = Pretty good if STRONG password is set , otherwise equivalent to IE Be extremely cautious when using other machines to log into “sensitive” sites that require authentication

Internet Explorer = not good for securely saving passwords

Firefox = Pretty good if STRONG password is set , otherwise equivalent to IE

Be extremely cautious when using other machines to log into “sensitive” sites that require authentication

More Info. + References Official Paper, submitted to Symposium On Usable Privacy and Security ( SOUPS ) Available at: http://www.andrew.cmu.edu/user/mfelker/passmgrbrowsers.pdf

Official Paper, submitted to Symposium On Usable Privacy and Security ( SOUPS )

Available at: http://www.andrew.cmu.edu/user/mfelker/passmgrbrowsers.pdf