Shocked!

Today I discovered how some people work with their passwords... not everyone is able or willing to track what happens behind the scenes, or how things can be broken in the computer world... but let me explain why I was shocked....

The case

A group of people is responsible for infrastructure and uses a lot of different passwords for all machines, stages, SSH, FTP. They decided to store them all in a convenient Word document and to encrypt this file with PGP (Pretty Good Privacy). They are also using either MSN Desktop Search or Google Desktop Search... I watched one of them:
He decrypts the PGP-encrypted file (the Word document), saves it on the desktop, opens it, works on it, then closes it...

SHOCK!
This is the worst example of a security misunderstanding and should probably be used in schools. What is even worse is that it took me 10 minutes of explanation to make him understand that he has no security at all, since it was such a surprise for him.

If you think this is a good way to work, or would have done the same, prepare yourself for a big disappointment: I will use a lot of screenshots to show you how bad it is.

Note that this is neither Google Desktop Search's nor MSN Desktop Search's fault, and I still use their tools; it is the user's misunderstanding of what security means.

Why was I shocked?

1. First, using a Word document: while it is convenient, as it allows tables, paragraphs and colours, it is in every way:

  • Not portable: to open this file you need Microsoft Office on all machines. If you need to open it on a server where Microsoft Word is not installed... only vi or a text pad, you are in trouble...
  • A closed-source format: you need a 120 MB application to open a file which might be 6 KB as a text file, not to mention legacy problems: will you still be able to open it in 2 years, or what happens if Microsoft Office corrupts it?
  • A security nightmare: Microsoft Word always creates a lot of buffers everywhere on disk (understand: copies of your file in c:\windows\temp, for example, or in your Documents and Settings directory), which rapidly leads to a security problem.

2. The user has converted a file from an encrypted format (a PGP file) to plaintext on disk, while MSN Desktop Search is still monitoring user activity!
This is probably the biggest problem: as soon as the user creates, modifies or deletes a file, the Desktop Search tool will see it, process the content of the file (this processing is called indexing) and take some snapshots of its content! Deleting the file from disk won't delete the snapshots in the index either!

3. Users may forget to delete or encrypt all instances of the file; moreover, the user will have a hard time really scrubbing files from disk, as there is no wiping solution integrated into Windows...

Let me show you how to lose passwords...

I have a PGP file on disk, and I am proud I have chosen a well-known encryption tool with an 8192-bit military-grade encryption key...
(Screenshot: stealing passwords with Desktop Search)

I decide to decrypt it and save the result on disk (big mistake).
(Screenshot: password stealing with Desktop Search)

In the meantime, and without any warning, the Desktop Search tool has indexed its content and taken a snapshot of it....
I open the file.
(Screenshot: the password)

I decide to delete it and empty the trash, then query my favourite Desktop Search tool: I find the file,

and worse, its content is readable from the search cache:

even though the file does not exist anymore on disk....

And now, how to solve these issues

1. Review your Desktop Search configuration

Do not allow your Desktop Search tool to fully scan your hard disk! Exclude the disk partitions and directories that should be excluded. At least the files copied there won't be cached in the index.

As in the Google preferences page: I use drive M (virtual) only for mounting my encrypted vault...

Do not allow the Desktop Search tool to index HTTPS pages! Do you really want a snapshot of your e-banking session saved in an unsafe way on disk? Be careful when checking one of those options:

As in the Google preferences page


Review your index content! Periodically type some words and review the results, e.g. search for password, family pictures, the word sex if you are often on some pages ;-), bank account credentials etc... There is room for a small tool launched at regular intervals, or a word blacklist option in Google.
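As an added example in the spirit of that "small tool launched at regular intervals" (my own illustration, not code from the original post or from Google/MSN), the Python script below walks the directories where decrypted copies and Word buffers tend to land and reports files whose text contains blacklisted words. The directory list, the blacklist, the `~$` Word-buffer naming convention and the sample files are assumptions I constructed for the demonstration.

```python
"""Periodic audit of temp/cache directories for leaked plaintext secrets."""
import os
import re
import tempfile
from pathlib import Path

# Words worth reviewing, as the post suggests; extend to your own sensitive terms.
DEFAULT_BLACKLIST = ("password", "passwd", "bank account", "credential")

# Assumption: Word scratch files are named '~$<name>.doc' or '.docx'.
WORD_BUFFER = re.compile(r"^~\$.*\.docx?$", re.IGNORECASE)


def scan_file(path, blacklist=DEFAULT_BLACKLIST, max_bytes=1_000_000):
    """Return the blacklisted words present in the file, case-insensitively.

    The bytes are decoded both as UTF-8 and as UTF-16-LE (leniently), so text
    inside binary Word buffers, which often store strings as UTF-16, is still seen.
    """
    try:
        data = Path(path).read_bytes()[:max_bytes]
    except OSError:  # vanished, unreadable or a directory: nothing to report
        return []
    text = data.decode("utf-8", errors="ignore").lower()
    text += data.decode("utf-16-le", errors="ignore").lower()
    return [word for word in blacklist if word in text]


def audit(directories, blacklist=DEFAULT_BLACKLIST):
    """Walk each directory and return a list of (path, reason) findings."""
    findings = []
    for root in directories:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = Path(dirpath) / name
                reasons = []
                if WORD_BUFFER.match(name):
                    reasons.append("word-buffer")
                hits = scan_file(path, blacklist)
                if hits:
                    reasons.append("contains:" + ",".join(hits))
                if reasons:
                    findings.append((str(path), ";".join(reasons)))
    return findings


def build_sample():
    """Create a constructed temp directory: one harmless file and two leaks."""
    d = tempfile.mkdtemp(prefix="audit-sample-")
    Path(d, "notes.txt").write_text("meeting at 10")
    Path(d, "leak.txt").write_text("ssh root Password: hunter2")
    Path(d, "~$pwlist.doc").write_bytes("Bank Account 123".encode("utf-16-le"))
    return d


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:] or [build_sample()]
    for found_path, reason in audit(targets):
        print(f"{reason}\t{found_path}")
```

Run it with the temp and index directories of your own machine as arguments; with no arguments it audits the constructed sample directory.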

Encrypt your index file: Google is able to do it, MSN Search is not. While it will make your search queries slower, I don't think it is even noticeable.

As in the Google preferences page


Do not use PGP to encrypt a single file; use PGP Disk to create a VAULT instead. PGP Disk is not free, but you may want to try TrueCrypt here. The idea is to create a virtual disk partition where all files can be saved without the need to copy them to an unsafe area. This kind of technology also allows you to set unmount options (unmount after XX minutes of inactivity, unmount the virtual disk after logoff).
