Credential / Data Security of SafeOnline - how does this work?

Discussion in 'Prevx Releases' started by guest, Jan 29, 2010.

Thread Status:
Not open for further replies.
  1. guest

    guest Guest

    Hello Joe,

    could you please elaborate with examples a little bit
    further, how this Advanced function of SafeOnline works
    and how we can 'see' (=test) it in action?

    Yes, I already read some comments from you like this ...

    ... and of course help site ...

    .. BUT I have to be honest here: this whole thing is still a mystery to me. :D
    My main goal is to test that somehow and to see it 'at work' and then using it properly.

    I guess what I don't understand is: if I have a site www.aaa.com
    and there login account with user=user and password=12345 ...

    .. should/would SafeOnline ring the alarm bell if I enter that
    protected password (12345) on another site, let's say www.bbb.com?

    Just if it is entered in an asterix password field? Any? Or even if this pass was stored before in browser (firefox) and is not typed in manually? - Or only if all this happens on the same domain (www.aaa.com) but if it is a phishing/fraudulent site revealed by SafeOnline IP Verification? o_O

    You see I really have no clue what this credential protection feature is exactly doing and maybe you could shed some light on it so that even I 'get it'? TIA!!!
    :D
     
  2. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    Thanks for making my morning.
    It's not often that I run into someone more confused than me.
    As for your question, it seems to be working as advertised.
    I set the security level for whatever sites I want to be more secure in.
    I also use Roboform for all my passwords.
    Keep it simple. If it ain't broke don't fix it.
     
  3. guest

    guest Guest

    Glad I could help then. - Awake already? :-*

    I have really NO doubt about that. :rolleyes:


    BTW: My question was HOW this works and also how one could TEST this.


    => NO insight AT ALL gained from YOUR posting, waste of time so to speak, sleepyhead. *puppy*
    And the advertising is sort of unclear, that's the point I am trying to make here!

    Ooooh greeeaaaat ... you managed to operate the slider,
    wow .. pretty advanced Prevx power user you are!? :D

    Exactly - keep it simple: If you have no answer ... don't. ;)

    One goal of my posting is to show Joe (are you a Joe too?) that
    the explanation of this feature isn't sufficient at the moment.


    But thanks a lot for making my afternoon. *hug* :D
     
  4. kasperking

    kasperking Registered Member

    Joined:
    Nov 21, 2008
    Posts:
    406
    hi guest.....the credential protection works...the popup may have chinese characters though :p ....i have my e-mail as protected so when i try to login into OA user area with it i get the credential protection alert.....see this thread https://www.wilderssecurity.com/showthread.php?t=264143
     
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    :D Sorry for the confusion - we'll be updating the help file with a more precise description soon.

    Essentially, the credential protection will lock down your password to a specific website. While this will cause a bit of an annoyance if you use the same password on many websites, it will prevent you from accidentally entering your login details into a phishing website. The warning which kaspersking has linked to will be fixed shortly (a bug in the recent beta :)) but if you try the current live build, it will work properly and show a warning with the URL that you tried to go to.

    So, for example, if you are on www.facebook.com and click Configure, then Advanced, and then enter in your credentials to be protected and then go to www.google.com and try to type in your credentials again, you will be blocked from doing so.

    Instead of locking this feature down to credentials alone, we've also made this flexible enough to be added as a parental control feature. For example, if your child has a PC, you may want to add protection over your last name or your street address, to prevent them from accidentally disclosing confidential information.

    I hope this helps! Let me know if you'd like any further clarification :)
     
  6. guest

    guest Guest

    Great! ;)

    I read your explanation (in help system and the other) many times
    and did understand it right as I now see ... ;)

    ... BUT I tried that and Prevx / SafeOnline build 3.0.5.64 did nothing,
    so I wanted to ask if I maybe understood something wrong.
    ;)

    Just tested it again. Used my protected password
    from one site on another ... nothing .. no warning!? o_O

    YES, thank you! :) - At least I know now how it SHOULD work
    and we will of course figure out somehow why it doesn't
    when I am testing it .. which btw. added to my confusion. ;)
     
    Last edited: Jan 29, 2010
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    There may be some issues with credential protection on passwords which contain unicode characters or other non-standard characters. Could you let me know the general format of your password and what language your keyboard is configured to use?

    Thanks! :)
     
  8. Zorak

    Zorak Registered Member

    Joined:
    Jan 2, 2010
    Posts:
    149
    Location:
    Australian Capital Territory
    I've just upgraded to Prevx 3.0.5.74 with the trial version of SafeOnline and have also found that my "locked down password" can be entered into websites other than the protected one. I use a standard english keyboard and the password contains a mixture of upper and lowercase letters, a number and some punctuation marks.
     
  9. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    I had the same problem with a username that contains an embedded full stop. Maybe there's a problem with some punctuation symbols. :doubt:
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    This is definitely possible - Zorak - can you let me know what punctuation characters you're trying to use? I'll be doing some tests here and will report back as to what we find!
     
  11. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
    This is the crux of the matter. Ideally users should be using different passwords for every site they need to log-in to. Using a different username as well would be even better if at all possible.

    A phishing site should be obvious from the URL at least once you go there IF you follow the link from somewhere else. (My email client shows the correct URL when you hover the mouse over the incorrect link - this way I'm able to report the very few offending phishes I receive without even going there.)

    I've yet to use SafeOnline protection using credentials in the manner described. I do bank online, but that URL is stored in my favourites. The log-in for that isn't going to be used elsewhere. At the moment, I can't see the usefulness of this particular SOL feature for me personally.
     
  12. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    465
    Location:
    UK
    Careful you don't give too much away about your password Zorak :D

    I tested this by protecting the word "happy" for my bank HTTPS site (without the quotes).

    If I open my browser and type happy into google SafeOnline stops me when I hit the letter "y".

    Trouble is it also stops other variants like

    h a p p y
    h.a.p.p.y
    h. a. p. p. y.
    h.....a.....p.....p....y

    Lol. It shouldn't do this = Bug.

    Spaces and punctuation marks are not handled properly it seems.

    I can confirm that a user name like pling.man is not protected. = Bug.

    The problem here is that SafeOnline probably uses a rolling checksum of the data entered and looks for matches with the checksum of the data stored. It can't just do, say, an MD5 in the normal way because it would be too slow. (see http://en.wikipedia.org/wiki/Rsync). Looks like this is not coded correctly.

    I have only tried using it to protect simple user names and not complex passwords like the one I use for my bank (h67s$kj^78x-1 :)) But it is difficult to keep user names unique. Can't the program allow multiple uses of the same data as long as all the websites are protected (this is what Rapport does).

    i.e. why can't i protect "fred" on https://www.aa.com and on https://www.bb.com.

    I know PSO offers to go to the correct location when it finds the data entered somewhere else and so will not be able to do this. But this option could be turned off or disabled in such cases.
     
    Last edited: Feb 16, 2010
  13. PC__Gamer

    PC__Gamer Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    526
    well, I think it SHOULD do this.

    lets think of an example if someone puts in very confidential information such as credit card details, you wouldn't want the risk of these getting out-there just because of a typo with a few spaces or punctuation marks.
     
  14. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    On reflection, I think you're right. What you said made me wonder whether SafeOnline ignores redundant characters such as full stops when checking a website entry to see if it matches the stored credentials, and it appears that this is exactly what happens.

    However, it also appears that redundant characters that will be ignored on checking do appear to be significant at the time the credentials are set up as a value to protect. This enables protected values to be created that aren't checked correctly later when entered on websites. If redundant characters are omitted from the protected value at the time it is set up, the value does get checked correctly later.

    This enabled me to solve my problem by omitting the full stop from the username that I wanted to set up as a protected value within SafeOnline. I do think that this is a bug though, as the logic should be consistent. If some special characters are to be treated as redundant and ignored, this should apply both to when the protected value is initially set up, and also to when it is checked later as it is entered on a website.
     
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello :)
    Thank you all for the testing and feedback - we do indeed have a bug introduced in one of the newer versions which will cause certain characters to not be added into the check - including periods and some other punctuation.

    One note is that the "username" field is essentially an identifier for the login, not an area which is protected. You can, for instance, enter in:

    "Joe's Bank Login Password"

    for the Data Type field and then the password itself below. If you configure a password on a specific website and then configure the same password on another website, you will be able to use both without a problem, and, if you're on a website which is blocked because it isn't currently allowed to have that password entered in on it, you can click Allow and it will automatically add that password to the list of allowed passwords for that website.

    I hope that clears it up - let me know if you have any other questions! We're working on fixing support for non-alphanumeric characters as we speak and should hopefully have an updated version shortly!
     
  16. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    My understanding is that SafeOnline can be used to protect any kind of data, including usernames used as logins to websites. It is the "Data Caption" field that identifies the type of protected data for reference purposes.

    In my case, with my online banking website the reason for protecting the username, rather than the password, is that the username is unique to the website and has to be entered first on a separate screen before any other identifying information is requested. Three randomly selected characters from the password are then requested. There is no point trying to protect the online banking password itself, as it is never entered in full for security reasons. It made sense to use a value of "username" for the Data Caption as it is the username used to login to the website that is the value I wished to protect.

    Not being argumentative, just clarifying things. :)
     
  17. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    465
    Location:
    UK
    Exactly. Its up to the user what is protected.

    Very sensible. This is what I am trying to do too. At the moment I can't protect a couple of user names because I have full stops in them and I can't change them easily with the bank.
     
    Last edited: Feb 17, 2010
  18. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    465
    Location:
    UK
    I tried protecting a credit card number. When I tried to order something from amazon, SafeOnline logged me off. So I don't think protecting cards is that useful .... hang on though, I could use this to stop my wife from spending online. Brilliant feature PrevX :D
     
  19. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    I am now more confused than before.
    When I click on the green Prevx rectangle, then on configure, then on advanced, I see 'Data Caption/Type and below that is value to protect and repeat.
    If I want to protect my sign on at my bank what goes in the Data/Caption Type? The login name or something else?
    Same with Value to protect. Does that equal the password?
    Thanks.
    Hugger
     
  20. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    465
    Location:
    UK
    The Data Type/Caption is anything you like. It tells you what the data is.

    e.g. if Hugger is your user name and opensesame is your password at the bank:

    Enter User name in Data Caption type.
    Enter Hugger in Vaue
    Enter Hugger again in Repeat value

    Click + to add

    Do a similar thing for your password:

    Enter Password in Data Caption/Type
    Enter opensesame in Value
    Enter opensesame again in Repeat Value

    Click + to add

    It will be obvious when you have entered some values.

    You can press - to remove values once you've entered them. The - is hidded if nothing is protected.
     
  21. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    Thanks, Pling Man.
    That helped.
    Hugger
     
  22. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    Try setting up the full username in SafeOnline as a value to protect against the bank's website, but this time leaving out the full stop.

    In order to test if it works, go to any website other than the bank's website (I used Google) and enter the username exactly as you would on the bank's website, including the full stop. You should find that you get a SafeOnline Credential Protection alert from SafeOnline, blocking access to the website. Now repeat the test on the bank's website and you should be able to access it.

    It will be necessary to repeat the test when Prevx updates to a new version of SafeOnline. This is only a temporary workaround to get round the problem that will no doubt stop working (and no longer be needed) when the bug in SafeOnline checking is fixed.
     
  23. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    703
    This needs to be a lot better thought out than this.
    I have two forums I visit where my 'User Name' is Dark Star 72 and another where it is DarkStar without a space between the words.
    If I set up Wilders protection as User Name: Dark Star 72 and then Password as ******** per pling_mans instructions and then go to the OA/TallEmu forum and set up protection as Dark Star 72 with my totally different password used there I cannot login to either site because SafeOnline is telling me that the other site has the same user name. So, I cannot protect sites unless I have different login user names as well as passwords.
    To further complicate matters if I go to the forum where my login user name is simply DarkStar I cannot log in there either because SafeOnline puts up the shutters as soon as I get to the 'r' in Dark :blink:
    As the login/user name for most of the https: sites where I use my credit card requires me to use my e-mail address and a password I get locked out as soon as I start to enter my e-mail address if that is protected on more than the one site. If I only enter my password as protected I can log in anywhere as this credential protection requires both a user name and then a password to work.
    I have tried this credential protection on a variety of sites and it works brilliantly, as long as the same or similar user names are not used on more than the one protected site. I said similar because SafeOnline blocked both DarkStar and Dark Star 72 at the first 'r'.
    Your thoughts on this Joe
     
  24. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    465
    Location:
    UK
    I did some testing of the Advanced tab with the latest version (3.0.5.85).

    The issue with non alphanumeric characters in confidential data (above) seems to be fixed. ;)

    However, confidential data is only protected if the user types the data into the "malicious" site - it does not protect the data if it entered using the clip board (copy/paste).


    This seems to be a shortcoming for users who use a password manager to keep such data (I use keypass).

    Can this be fixed?

    I suspect that the clipboard protection part of SafeOnline is protecting the clipboard and stopping this part from working properly.

    (I am using Firefox 3.6, KIS2010 on Vista in case its a problem with my setup.)
     
  25. Zorak

    Zorak Registered Member

    Joined:
    Jan 2, 2010
    Posts:
    149
    Location:
    Australian Capital Territory
    Hi all

    I've also upgraded to 3.0.5.85 but I'm afraid I'm still having problems with credential protection. I posted the following in the "Official Release - Prevx 3.0.5.80 with SafeOnline" thread, but it seems it may have slipped under the radar:

    Is credential protection functional in the PSO trial version? When I add credentials to be protected the "Save Button" is unavailable, but the credential entries do still remain.
     
Thread Status:
Not open for further replies.