I have said it before, and I’ll say it again: 1Password and Knox cannot provide complete protection against a compromised operating system. There is a saying (for which I cannot find a source), “Once an attacker has broken into your computer, it is no longer your computer.” So in principle, there is nothing that 1Password can do to protect you if your computer is compromised. In practice, however, there are steps we can and do take which dramatically reduce the chances that some malware running on your computer, particularly keystroke loggers, could capture your Master Password.

Let me clarify one thing before going on. 1Password does protect you from the attacker who breaks into your computer and steals your 1Password data. The 1Password data format is designed with just such attacks in mind. This is why your data is encrypted with keys derived from your Master Password. It is also why we’ve put in measures to make it much harder for an attacker to try to guess your Master Password in the event that they do capture your data.

Even if an attacker gains access to your computer and 1Password data, there is little she can do without your Master Password. In this article, I’m focusing on another kind of attack in which the attacker tries to “listen in” to you typing your Master Password. This attacker is running a program on your computer that attempts to record everything you type on the keyboard or enter through some sort of keyboard-like device.

I will get to the details below, but this article aims to describe and explain a change in how 1Password for Windows secures its Secure Desktop, a countermeasure against a common type of keystroke logger. This change was added recently to 1Password 1 for Windows and has been included in 1Password 4 for Windows since its launch.

Márcio Almeida de Macêdo and Bruno Gonçalves de Oliveira of Trustwave SpiderLabs have discovered a way that a keystroke logger could work around our use of Secure Desktop and reported this to us. They have now reported this publicly (link might be having trouble, but it’s listed among their Security Advisories). We have since added a mechanism which prevents that particular countermeasure to Secure Desktop. We very much appreciate SpiderLabs for giving us the opportunity to put a fix in place before announcing their discovery to the public. Trustwave SpiderLabs might grab fewer headlines by having done the right thing, but they have done the right thing.

Secure Desktop itself is a countermeasure to keystroke loggers.