Doug Lhotka

Technical Storyteller


Opinions and commentary are mine, and do not reflect those of my employer.

(C) Copyright 2019-2023
Doug Lhotka.
All Rights Reserved.
Use of text, images, or other content on this website in generative AI or other machine learning is prohibited.

1Password and the loss of local sync

July 12, 2017 By Doug

(c) www.depositphotos / Olivier Le Moal

Revised update:

I’ve had conversations with AgileBits via their support forum, and there’s been some back and forth, so let me revise my update and consolidate what I’ve learned.

  • For existing users on OSX and iOS, local vaults and local sync remain in place. AgileBits states it has no plans to remove them, but will not commit to that functionality long term.
  • For users on Windows and Android, local vaults and local sync are not available.
  • New users must buy a subscription to 1Password.com, which forces them to create a web vault, master passphrase and such. Once signed up, OSX and iOS users can jump through some hoops and convert to a local vault. This will cause problems such as accidental use of the incorrect vault, and is generally a pain – it’s well hidden, by design.
  • As The Register put it, “1Password won’t axe private vaults. It’ll choke ’em to death instead.”  That pretty well sums it up.

I understand that the company needs a more sustainable revenue model, and a subscription option is the way to go.  Adobe and Microsoft are right there too.  But the insistence on linking subscription to cloud vaults just makes no sense.  We in the security industry are often painted as acting as if we are ‘smarter than the users’, and this is a prime example of it.  While cloud vaults may make sense for the majority of users, it is by no means appropriate for everyone.

Our job as security professionals is not to say yes or no to a solution, it’s to present options, risks, and yes, recommendations, but then let each user make their own decision.  Once they decide, then we tell them how to be safe given their own constraints and preferences.   We do not own the risk, users do.

Until and unless AgileBits allows users to download the software, purchase a subscription, and use local vaults and local syncing without any cloud involvement, across all four major platforms, I can no longer recommend 1Password for new users.  Again, let me be clear – I’m happy to move to a subscription model, but artificially linking that to a cloud service is an unacceptable downgrade in the security of the solution.

I welcome suggestions in the comments for alternative products that provide this important capability.

Original post follows:

Go to any talk or read almost any blog post on ‘keeping safe online’ and you’ll see a recommendation to use a password manager.  They mitigate the impact of any individual site being breached and substantially upgrade defenses against password guessing.  But they also consolidate all your passwords into a single place, which raises risk in a different way.  When using one, you’re betting that the tradeoff is worth it (and it generally is).    Security is all about making those tradeoffs – there’s no one-size-fits all solution for any security risk.

Which brings me to AgileBits, 1Password and the tradeoff they’ve decided to make for us.  1Password has long been a favorite of security professionals because of its reliable functionality, ease of use, solid crypto, and comprehensive set of features that address many different threat models.  Now one of those key features is on the chopping block – as part of their move to a subscription model, they’re also forcing folks to their cloud service, and they will make no statements of continued support for local syncing.  For anyone who manages risk for a living, it means we have to assume that it will die from neglect and start looking for alternatives.

Unfortunately, they are providing overly simplistic responses when objections are raised, and like many things in security, the nuances are important, so let me try to clear up a few things.

First, they’ve chosen to confuse two completely separate issues – the move to a subscription model (business decision) with the move to a cloud-only syncing solution (technical decision). They need not be linked. Adobe and Microsoft have both shown that a company can successfully move to a subscription model for locally installed software – neither requires the use of their cloud service. And while Apple is intentionally making it more and more difficult to stay local, even there you still can. So let’s set aside subscriptions as irrelevant to the discussion.

The design of the new cloud based system appears robust, and they’ve had audits done on the code and service.  Good so far.  Then they state “We are advocating memberships since we feel it’s the best way to use 1Password.”  Fair enough, and for a class of users, probably the majority, the threat model tilts towards convenience being a key feature.  I know folks like that myself, and recommend that they use Dropbox or 1Password’s cloud service – but also tell them to use two factor everywhere they can, and be prepared to go change every single password if there’s a breach (more on that in a moment).  For them, the tradeoff is worth it because the alternative is to not use a password vault at all.

But that statement is based on an overly simplistic user base and threat model. The truth is far more nuanced, and for a substantial minority of users it’s not a good option. These include folks who are prohibited by corporate policy from using non-contracted third-party cloud services (extremely widespread), and individuals willing to put up with the minor hassle of local syncing to reduce their risk. Having all the vaults in a single place makes it a tempting target for an attack, breach and disclosure. Unfortunately, AgileBits asserts in forum posts that compromised vaults are “useless” to an attacker. That’s grossly oversimplified, and I quickly came up with three ways they aren’t useless:

  • First, they are immediately useful as a business-level attack against AgileBits, as losing the vaults would be a material event to the company, undermining trust even if the vaults are not compromised. If public trust is lost, and AgileBits goes out of business, or if a substantial portion of users leave for a less secure (or no) solution, then that’s a net gain for the bad guys.
  • Second, for users who’ve chosen a weak master passphrase, they have some utility for decryption attacks using lists of common passwords. Granted, the computational defenses AgileBits has put in place make that more difficult, but attacks only get better with time. Most likely, especially if vaults are linked with specific individuals, is a targeted attack to discover a weak passphrase based on social media and other research.
  • Last, for those with robust passphrases (which I suspect is a minority of users), stolen vaults are likely safe until and unless a defect in the implementation of the crypto is discovered. While the math may be secure (a whole separate topic), that crypto is implemented by humans writing code. As with any and every software package*, there are defects in the code. Some of those may impact security. Full stop. So all an attacker has to do is sit and wait – and if/when a vulnerability is found in the code that reduces the attack complexity, every vault and every password is at risk. The chance of that is non-zero, but it’d be a black swan, and there’s no real way to quantify those.

The fact that AgileBits doesn’t have access to decrypt vaults, or ever touch master passphrases, is irrelevant to these particular threats. They generally respond to questions about code risks with a whitepaper about crypto risks. Even with auditing, the code is still the major concern in the last bullet, not a fundamental break in the underlying crypto (e.g. quantum cryptanalysis). If that happens, we have far more issues than our password vaults.

A breach of a password vault is catastrophic.  And that’s why security professionals keep them local – a diffuse target is a harder target to economically exploit.  If someone wants to go after an individual, an attacker is going to use a keylogger, at which point a password vault doesn’t help and cloud/local makes no difference.  But concentrating all the vaults in a single place makes an attack worthwhile.

AgileBits may be making a business decision – that the cost of maintaining local sync isn’t worth keeping those users. That’s their call, but I wonder how many people use 1Password because it was endorsed by security professionals who do so because it does cover multiple threat models. That’s a lot of high-quality free advertising that may be lost.

I wish they would acknowledge that there are diverse use cases and stop painting users with a blunt brush (apologies for the mixed metaphor).  For some users, ease of use is a security feature as the alternative is no vault at all.  But for others, the tradeoff just isn’t worth it (or even possible under company policy).

If they want to end support for perpetual licenses, fine, I’ll step up day one and sign up for a subscription license.  It’s easily worth a few bucks a month to my family.   But they really need to stop with the weasel words, admit that there are multiple threat models in play, that cloud only answers one of them, and commit to local syncing long term regardless of the licensing model.


*Footnote:  Yes, it’s theoretically possible to formally analyze a set of code and determine that it is complete and correct, but in practice that’s never done.  EAL 7 rarely exists in the real world, and never does in consumer-grade products as the cost of validation for each and every configuration of hardware and software is far beyond any reasonable investment.

Filed Under: Security Tagged With: 1password, agilebits, cloud, cryptography, password vault, threat model

Friday Photo – Dugout Ranch, Needles District, Canyonlands

July 7, 2017 By Doug

For the Friday photo this week, we head back to Moab, then south to the Needles District of Canyonlands National Park.  The workshop my Dad and I were on took us to the Dugout Ranch, where we met Heidi – every bit the archetypal western rancher.  She was kind enough to let us shoot around her ranch – this is just one of a really cool series of images of this iconic area.

Filed Under: Photography Tagged With: canyonlands, dugout ranch, friday photo, moab, needles, utah

IT + OT = Internet of Threats: Securing a Converged Environment

July 6, 2017 By Doug

© www.depositphotos.com / RA Studio

Back in the dark ages, before IOT, cloud, daily data breaches, and worldwide ransomware alerts (you know, before 2005), the utility industry started to become enamored with the idea of a smart grid and began merging the IT and OT networks – that’s one version of Internet of Things (IOT).  Unfortunately, IOT these days most often means ‘Internet of Threats’.

And that brings us to IOT security, because there are common challenges across $15 webcams and $1.5M transformers and pumps. In this post, I’ll address the industrial scale challenges, and pick up the consumer ones in another post.

In the past, the operational network (OT environment) usually ran SCADA over serial lines, and those networks weren’t directly accessible from the TCP/IP (IT) networks that ran the information systems. To be sure, there was little security in the SCADA environment – in many cases you could plug directly into a remote terminal and have access to equipment, but you had to actually go on-site (or to a central control point) to do anything. With the advent of SCADA over IP, those networks and that equipment are now largely routable from the Internet.

These devices were engineered with safety in mind, not security. Some have direct code running on the device itself, and others are controlled by a workstation – but neither have good update mechanisms available. Plus, many vendors never provided updated control software for the workstations, nor will they allow security tools to be installed on them, so we have a lot of XP still hanging out in the world running multi-million dollar equipment. At the time, perimeter control security architectures were all the rage (to be fair, that’s about all we had), so the IT and OT networks were segmented and firewalled off from each other. That worked for a while…or so we thought.

Unfortunately the bad guys have gotten a lot better.  While moats and castles are great, they’ve gotten very good at sneaking in over, around, under or through a door someone put in the wall.  Sometimes there’s a PC with a modem running PCAnywhere (I kid you not – saw that last year) that they get through, and sometimes it’s sideways movement through the network.  In either case, they’re already inside.  On the IT side, it’s bad.  On the OT side, it can be catastrophic and life threatening, as we’ve seen recently with the attacks on the Ukrainian utilities.   So, the response was to stand up a separate OT security infrastructure – everything from SIEM to endpoint (where vendors allow), and all the other tools.  The challenge is that by segregating the IT and OT security infrastructures, you lose the ability to track movement across the organization.   This challenge is growing as the IT and OT environments are continuing to merge into a single infrastructure, not to mention the risk of OT penetration as a result.
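As an added illustration of that last point (not part of the original post, and not any vendor’s log format): a small correlation run over constructed IT-side and OT-side log lines. A siloed OT SIEM sees only a jump host opening a Modbus session; a merged view can tie that session back to the IT-zone logins that reached the jump host minutes earlier. Host names, field names and the 30-minute window are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Each SIEM sees only half of the story.
IT_LOGS = """\
2017-07-06T02:14:05Z it-siem auth_ok user=jdoe src=10.1.20.55 dst=it-fileserver
2017-07-06T02:16:40Z it-siem auth_ok user=jdoe src=10.1.20.55 dst=eng-ws-07
2017-07-06T02:18:02Z it-siem auth_ok user=jdoe src=eng-ws-07 dst=ot-jump-01
"""
OT_LOGS = """\
2017-07-06T02:21:17Z ot-siem session_open user=jdoe src=ot-jump-01 dst=plc-furnace-3 proto=modbus
2017-07-06T09:00:00Z ot-siem session_open user=ops1 src=ot-hmi-02 dst=plc-furnace-3 proto=modbus
"""

# Hypothetical line layout: timestamp, emitting sensor, action, then key=value pairs.
EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<action>\S+) (?P<kv>.*)$")


def parse(lines, zone):
    """Turn raw log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        kv = dict(pair.split("=", 1) for pair in m["kv"].split())
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                       "zone": zone, "action": m["action"], **kv})
    return events


def find_it_to_ot_pivots(it_events, ot_events, window=timedelta(minutes=30)):
    """Flag OT sessions whose source host was itself reached from the IT zone
    within `window` beforehand. With an empty IT feed (a segregated OT SIEM)
    nothing can be flagged, which is the blind spot described in the post."""
    reached = defaultdict(list)          # host -> IT logins that landed on it
    for e in it_events:
        reached[e["dst"]].append(e)
    pivots = []
    for o in ot_events:
        for i in reached.get(o["src"], []):
            gap = o["ts"] - i["ts"]
            if timedelta(0) <= gap <= window:
                pivots.append({"user": o["user"], "it_src": i["src"], "hop": o["src"],
                               "ot_dst": o["dst"], "minutes": gap.total_seconds() / 60})
    return pivots
```

Feeding only `OT_LOGS` to the function returns nothing; feeding both feeds returns the jump-host pivot into the furnace PLC.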

So, what to do?  First, for companies with a large OT network – utility, oil & gas, petrochemical, and so forth, leverage your strengths.  Instead of taking a cyber security approach, move to a cyber safety focus.  The operations folks understand preventative maintenance, emergency procedures, and risk management from a safety standpoint – let’s go talk their language instead of ours.  Accident Zero = Incident Zero.

Second, align IT and OT technology infrastructure strategy, security, and architecture (I know, easier said than done).  As the convergence gains steam, it’s time to revisit the two-headed CIO-IT and CIO/CTO/COO-OT structure that’s typical.  Ultimately one person needs responsibility for both environments, and the CISO should report at that level – not just to the CIO-IT (or even further down the chain).  If there’s a chief risk or safety officer, that might be a good place for security to live.

Third, work with procurement to incorporate security requirements into both IT and OT purchases.  Some key ones are:

  • Secure update capability
  • Compatibility with major security solutions (endpoint, SIEM, antimalware)
  • Security SLA, including long-term commitments for patches on major capital equipment, remediation timeframes, and vulnerability alerts and disclosure guarantees
  • Pen testing and vulnerability scanning of OT components prior to release
  • Hands-off remote support – i.e. vendor does not have direct access without local staff involvement. I prefer a screen sharing approach, where the vendor tells staff what to do, so it’s always in-house hands on the keyboard.

Net: Don’t buy things that can’t be updated, or from vendors that don’t have a security plan.

Fourth, leverage what the IT folks have learned to secure the OT environment.  That includes vulnerability assessments and triage of assets.  If (when?) risks are found, have a mitigation plan put in place quickly.  Two cautions: remember that airgaps aren’t a panacea, and the IT folks need to realize that ‘maintenance window’ has a very different level of flexibility in the OT world than the IT – even in a cyber emergency.  The OT environment has to be able to function – perhaps for days or weeks – with an active threat.  Shutting down a blast furnace or drilling rig for a patch or other remediation is neither quick, nor cheap.

In the end, we’re going to see more BlackEnergy and similar attacks – I had one CISO speculate that their network was likely hosting bad guys who had access, but were dark and just waiting. Kind of like pre-positioning military equipment in case you need rapid deployment. While there’s a touch of FUD there, there’s also a bit of probability. The convergence is happening, and it’s being driven largely by folks figuring out how to make it work, not people wondering how it’ll break. That’s human nature. So, it’s up to us, the Cyber Safety professionals, to lead our IT and OT teams into a secure IOT future.

Filed Under: Security Tagged With: industrial control systems, Internet of Things, IOT, IT, OT, SCADA
