Password Keystroke Snarfer Programs
Several articles on the PGP-users mailing list have discussed keystroke snarfers that unexpectedly grab and save keystrokes, including passwords, severely weakening any benefits from encryption. taoboy <taoboy@sprynet.com> mentioned Mac programs FileGuard and HiddenOasis and the SpellCatcher spell-check program's Ghostwriter feature, which he'd noticed had stuck his password into a disk file; he suggests that Windows machines probably have similar surprises.

From: patm@connix.com (Pat McCotter)
Which is why, every once in a while, I do a search of my entire disk for my PGP pass phrase and various other passwords I use. [....] I do this with Norton DiskEditor. I have to upgrade to do this on my Win95 machine which I understand is much worse than Win3.x in this area.
Be careful - PGP goes to a lot of effort to overwrite your passphrase when it's done using it; Norton or grep or other disk-crawlers are unlikely to do so, because that sort of paranoia's not part of their job, and simply typing in a command in a command window will often get it saved in a command history file. So your search for the passphrase on disk makes it _more_ likely that some program will stash it on your disk... You could work around this by using a complex passphrase and adding a distinctive word to the end, e.g. "mumblefrotz foobaroid zarquon FINDTHIS", which doesn't become much less secure if the FINDTHIS gets left on the disk from your "grepemall FINDTHIS c:" command.

# Thanks; Bill
# Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
# (If this is a mailing list, please Cc: me on replies. Thanks.)
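The marker-word check described in the message above, as an added example that is not part of the original thread: it searches for the non-secret suffix only, in 8-bit and UTF-16LE form, and reports offsets without echoing the bytes around a hit. The function names, file names and sample data are constructed for illustration, and the scan only finds unscrambled copies of the marker.

```python
import os
import tempfile

def scan_file(path, marker, chunk=1 << 20):
    """Return sorted (offset, encoding) hits for the marker in one file.
    Only offsets are returned, never nearby bytes, so the scan itself does
    not copy the passphrase into output, logs or scrollback."""
    pats = {"ascii": marker.encode("ascii"),
            "utf-16le": marker.encode("utf-16-le")}   # 8-bit and Windows wide text
    keep = max(len(p) for p in pats.values()) - 1     # overlap kept between reads
    hits, tail, base = set(), b"", 0                  # base = file offset of tail[0]
    with open(path, "rb") as fh:
        while True:
            data = fh.read(chunk)
            if not data:
                break
            buf = tail + data
            for enc, pat in pats.items():
                pos = buf.find(pat)
                while pos != -1:
                    hits.add((base + pos, enc))
                    pos = buf.find(pat, pos + 1)
            tail = buf[-keep:]
            base += len(buf) - len(tail)
    return sorted(hits)

def scan_tree(root, marker):
    """Walk root; map each readable file that contains the marker to its hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hits = scan_file(path, marker)
            except OSError:
                continue                              # unreadable file: skip
            if hits:
                report[path] = hits
    return report

def demo():
    """Constructed sample: a fake keystroke log plus a clean file in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "ghost.log"), "wb") as f:
            f.write(b"x" * 10 + b"mumblefrotz foobaroid zarquon FINDTHIS")
            f.write("FINDTHIS".encode("utf-16-le"))
        with open(os.path.join(d, "clean.txt"), "wb") as f:
            f.write(b"nothing to see")
        return {os.path.basename(p): h for p, h in scan_tree(d, "FINDTHIS").items()}
```

The same `scan_file` works on a raw disk image, which also covers slack space and deleted files that a directory walk cannot reach.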
At 12:25 am -0800 12/19/96, Bill Stewart wrote:
Several articles on the PGP-users mailing list have discussed keystroke snarfers that unexpectedly grab and save keystrokes, including passwords, severely weakening any benefits from encryption. [elided] From: patm@connix.com (Pat McCotter)
Which is why, every once in a while, I do a search of my entire disk [...] with Norton DiskEditor. [elided]
Be careful - PGP goes to a lot of effort to overwrite your passphrase when it's done using it; Norton or grep or other disk-crawlers are unlikely to do so, because that sort of paranoia's not part of their job [elided]
Indeed, and any malignant passphrase-snarfer is probably going to anticipate this counter-attack and scramble the text stream it saves invisibly so that disk sector searches will be unlikely to pop up your passphrase. We definitely need to build better defenses against this sort of thing.

dave

________________________________________________________________________
Dave Del Torto                                      +1.415.524.6231 tel
Manager, Strategic Technical Evangelism             +1.415.631.0599 fax
Pretty Good Privacy, Inc.                         http://www.pgp.com web
Are the Password Keystroke Snarfer programs anything like the Password Keystroke Snipe Programs? Some Cypherpunks told me they'd explain the Snipe Programs to me if I bought a case of beer, but I lost them on the way to their secret meeting place in the woods, and I had to walk home. Gee, they were sure nice guys, though.

Toto
At 6:45 PM -0800 12/23/96, Norman Hardy wrote:
... Second they must not be encumbered with piles of tools written by people with no sense of security. Such tools are often installed with more authority than they should require. There is a Unix system call that displays the most recent command that any user has typed. This call is used by the ps command to describe the origin of a task.
Perhaps NT is new enough that it hasn't gathered all of these holes. I don't use NT so I wouldn't know.
NT 4.0 has a similar tool.

-------------------------------------------------------------------------
Bill Frantz       | Client in California, POP3 | Periwinkle -- Consulting
(408)356-8506     | in Pittsburgh, Packets in  | 16345 Englewood Ave.
frantz@netcom.com | Pakistan. - me             | Los Gatos, CA 95032, USA
At 8:45 AM -0800 12/19/96, Dave Del Torto wrote:
At 12:25 am -0800 12/19/96, Bill Stewart wrote: ....
Be careful - PGP goes to a lot of effort to overwrite your passphrase when it's done using it; Norton or grep or other disk-crawlers are unlikely to do so, because that sort of paranoia's not part of their job [elided]
Indeed, and any malignant passphrase-snarfer is probably going to anticipate this counter-attack and scramble the text stream it saves invisibly so that disk sector searches will be unlikely to pop up your passphrase. We definitely need to build better defenses against this sort of thing.
The only way I know to solve this problem is to get a real operating system. This excludes the Mac, DOS and its descendants. First the kernel must be designed to prevent programs from installing themselves wherever they wish. (Gasp, even useful programs!) Second they must not be encumbered with piles of tools written by people with no sense of security. Such tools are often installed with more authority than they should require. There is a Unix system call that displays the most recent command that any user has typed. This call is used by the ps command to describe the origin of a task. Perhaps NT is new enough that it hasn't gathered all of these holes. I don't use NT so I wouldn't know.
participants (5): Bill Frantz, Bill Stewart, Carl Johnson, Dave Del Torto, Norman Hardy