Forensically-Sound Analysis of Security Risks of using Local Password Managers

Password managers have been developed to address the human challenges associated with password security, i.e., to solve usability issues in a secure way. They offer, e.g., features to create strong passwords, to manage the increasing number of passwords a typical user has, and to auto-fill passwords, sparing users the hassle of not only remembering but also typing them. Previous studies have focused mainly on the security analysis of cloud-based and browser-based password managers; security of local password managers remains mostly under-explored. This paper takes a forensic approach and reports on a case study of three popular local password managers: KeePass (v2.28), Password Safe (v3.35.1) and RoboForm (v7.9.12). Results revealed that either the master password or the content of the password database could be found unencrypted in Temp folders, Page files or Recycle bin, even after the applications had been closed. Therefore, an attacker or malware with temporary access to the computer on which the password managers were running may be able to steal sensitive information, even though these password managers are meant to keep the databases encrypted and protected at all times

Hardening the security analysis of browser extensions

Browser extensions boost the browsing experience by a range of features from automatic translation and grammar correction to password management, ad blocking, and remote desktops. Yet the power of extensions poses significant privacy and security challenges because extensions can be malicious and/or vulnerable. We observe that there are gaps in the previous work on analyzing the security of browser extensions and present a systematic study of attack entry points in the browser extension ecosystem. Our study reveals novel password stealing, traffic stealing, and inter-extension attacks. Based on a combination of static and dynamic analysis we show how to discover extension attacks, both known and novel ones, and study their prevalence in the wild. We show that 1,349 extensions are vulnerable to inter-extension attacks leading to XSS. Our empirical study uncovers a remarkable cluster of "New Tab"extensions where 4,410 extensions perform traffic stealing attacks. We suggest several avenues for the countermeasures against the uncovered attacks, ranging from refining the permission model to mitigating the attacks by declarations in manifest files

MS IPTV audit collection services

Tese de mestrado em Segurança Informática, apresentada à Universidade de Lisboa, através da Faculdade de Ciências, 2011Microsoft Mediaroom Internet Protocol Television (MS IPTV), uma plataforma de televisão digital, levou o conceito de televisão a uma dimensão totalmente nova. MS IPTV é um sistema onde o serviço de televisão digital é entregue aos clientes usando Internet Protocol (IP), através de uma conexão de banda larga. Com o advento do IPTV começaram a aparecer novas situações relacionadas com a segurança da televisão, uma vez que, a infra-estrutura começou a ganhar complexidade e exposição a uma série de novos riscos. Por esta razão, a segurança numa infra-estrutura de MS IPTV não é apenas mais uma funcionalidade, mas sim uma necessidade. Podemos mesmo dizer que hoje em dia é obrigatório aguçar o engenho para estar um passo à frente dos atacantes, uma vez que estes estão sempre à espera de uma brecha, para comprometer os sistemas. Uma infra-estrutura como o MS IPTV armazena por omissão dados relativos ao comportamento dos utilizadores ao nível dos logs, no entanto esta informação só se torna relevante se puder ser consultada e analisada com o objetivo de proporcionar uma compreensão a alto nível sobre os diferentes padrões que estão a ocorrer nos servidores ou no comportamento dos utilizadores, uma tarefa que envolve poderosas técnicas de data parsing. A tese apresenta uma abordagem que combina técnicas de data parsing, a fim de analisar os logs relevantes da infra-estrutura de MS IPTV, com o objetivo principal de aumentar a segurança através da investigação dos tipos de informações adicionais que pode ser extraída. Tentámos assim entender se é possível determinar que tipos de ataques estão a ser perpetrados contra a infra-estrutura MS IPTV, com base na análise dos logs. Como o foco central desta tese está no diagnóstico, propomos uma abordagem para descobrir ataques, onde os logs são verificados para identificar grupos coerentes de ocorrências susceptíveis de constituir ataques que apelidámos de padrões. Nos testes, verificámos que a nossa abordagem consegue bons resultados na descoberta de ataques. Os resultados obtidos têm a vantagem adicional de poderem ser integrados na ferramenta de monitorização utilizada pelas equipas de operação dos sistemas da Portugal Telecom, o System Center Operations Manager (SCOM).Microsoft Mediaroom Internet Protocol TeleVision (MS IPTV), one of the platforms for digital TV, took television to an all new dimension level. MS IPTV is described as a system where a digital television service is delivered to consumers using the Internet Protocol over a broadband connection. Since the infrastructure started to gain complexity and exposure to a number of new risks, never envisaged situations related to television security started to appear. For this reason, MS IPTV security is not only a great asset, but also a necessity. Nowadays it is mandatory to sharpen the wit to get ahead of attackers, who are always waiting for a breach to compromise our systems. MS IPTV log servers collect information about user and system behavior. However, this information only becomes relevant if it can be queried and analyzed with the purpose of providing high-level understanding about the different patterns. This task must comprise powerful data parsing techniques, since MS IPTV is able to generate close to one terabyte of logs per day. This thesis presents an approach that combines data parsing techniques in order to analyze relevant MS IPTV logs, with the main objective to increase security through the investigation of what type of additional information can be extracted from the server log files of a MS IPTV platform. The thesis focus is on diagnosis, trying to understand if it is possible to determine what type of attacks are being perpetrated against the MS IPTV infrastructure. We propose an approach for discovering attacks, where the application logs are scanned to identify coherent groups of occurrences that we call patterns, which are likely to constitute attacks. Our results showed that our approach achieves good results in discovering potential attacks. Our output results can be integrated into the MS IPTV monitoring system tool SCOM (System Center Operations Manager), which is an additional advantage over the other monitoring and log management systems

An Analysis of Modern Password Manager Security and Usage on Desktop and Mobile Devices

Security experts recommend password managers to help users generate, store, and enter strong, unique passwords. Prior research confirms that managers do help users move towards these objectives, but it also identified usability and security issues that had the potential to leak user data or prevent users from making full use of their manager. In this dissertation, I set out to measure to what extent modern managers have addressed these security issues on both desktop and mobile environments. Additionally, I have interviewed individuals to understand their password management behavior. I begin my analysis by conducting the first security evaluation of the full password manager lifecycle (generation, storage, and autofill) on desktop devices, including the creation and analysis of a corpus of 147 million generated passwords. My results show that a small percentage of generated passwords are weak against both online and offline attacks, and that attacks against autofill mechanisms are still possible in modern managers. Next, I present a comparative analysis of autofill frameworks on iOS and Android. I find that these frameworks fail to properly verify webpage security and identify a new class of phishing attacks enabled by incorrect handling of autofill within WebView controls hosted in apps. Finally, I interview users of third-party password managers to understand both how and why they use their managers as they do. I find evidence that many users leverage multiple password managers to address issues with existing managers, as well as provide explanations for why password reuse continues even in the presence of a password manager. Based on these results, I conclude with recommendations addressing the attacks and usability issues identified in this work

PALPAS - PAsswordLess PAssword Synchronization

Tools that synchronize passwords over several user devices typically store the encrypted passwords in a central online database. For encryption, a low-entropy, password-based key is used. Such a database may be subject to unauthorized access which can lead to the disclosure of all passwords by an offline brute-force attack. In this paper, we present PALPAS, a secure and user-friendly tool that synchronizes passwords between user devices without storing information about them centrally. The idea of PALPAS is to generate a password from a high entropy secret shared by all devices and a random salt value for each service. Only the salt values are stored on a server but not the secret. The salt enables the user devices to generate the same password but is statistically independent of the password. In order for PALPAS to generate passwords according to different password policies, we also present a mechanism that automatically retrieves and processes the password requirements of services. PALPAS users need to only memorize a single password and the setup of PALPAS on a further device demands only a one-time transfer of few static data.Comment: An extended abstract of this work appears in the proceedings of ARES 201