Risk Assessment - Atom Table Bombing and 1Password

laugher

http://www.ibtimes.co.uk/all-windows-versions-potentially-exposed-cyberattacks-thanks-new-code-injection-atom-bombing-1588719

In my attempts to try to understand the concept of Atom table bombing techniques, I am being led to believe that keystrokes and passwords can be theoretically retrieved using this code injection technique to bypass Windows security.

What I am trying to ascertain is whether this could also affect 1Password for Windows and to what extent. The whole intent of this post is to understand the risks surfaced with this new technique in compromising Windows security.

Any thoughts from the 1Password Windows Security Team?

---

1Password Version: 4.6.1.616
Extension Version: Not Provided
OS Version: Windows 10 Build 14393.351
Sync Type: Not Provided

laugher

Here's another treatise on the topic. This one attempts to demonstrate how you can pull off the vulnerability.

https://breakingmalware.com/injection-techniques/atombombing-brand-new-code-injection-for-windows/

jpgoldberg

Hi @laugher! Thanks for asking.

We haven't had a chance to look closely at this particular windows malware, but it does initially appear to hard to stop and allows for the compromise of nearly any process.

If you are running 1Password (or anything else) on a compromised operating system all bets are off. There are steps that we can (and do) take to defend against some common and superficial malware attacks, but ultimately we have to acknowledge the truth of the slogan: once the operating system on your computer is compromised it is no longer your computer. Anything that is available to you (such as your passwords after you have unlocked 1Password) is available to the operating system. If that operating system is "owned" by an attacker, then you are in trouble.

As I said, where there are simple things that we can do that make things harder for attackers who have some power over your computer, we do. See for example Watch what you type: 1Password's defenses against keystroke loggers

What that article concluded with two years ago still holds true today:

Lessons

1. Keep your system and software up to date
   The single biggest thing you can do for your computer security is to keep your system and software up to date. The overwhelming majority of actual break-ins are through vulnerabilities that have already been fixed by the software vendors.

2. Pay attention to what software you install and where you get it from
   Keystroke loggers and other malware are often installed unwittingly by the victims themselves. Try not to be one of those victims. Be particularly careful of anything that tries to frighten you into installing it. Fake security software and alerts are a common way to get people to install malicious software.

   The move toward curated app stores offers additional protections, but it isn’t a complete solution. Still, using those where available will reduce your risks.

3. Use Windows Defender on Windows
   I have long been skeptical of most anti-virus software, but Microsoft Security Essentials is something I can unequivocally recommend for those using Windows 7. In Windows 8, Windows Defender is automatically built in and enabled.

4. Understand what software can and can’t do for you
   The core security design of 1Password is extremely strong. Quite simply: if you have a good Master Password, nobody who gets a copy of your 1Password data will be able to decrypt it. 1Password can and does offer outstanding security.

   At the same time, 1Password is limited in what it can do to protect you when you are using a compromised computer. It can (and does) offer some protection against shallow (the most common) attacks. But this is a bit of an arms race. As you see, we have had to put into place a counter measure to a counter measure to our counter measure against common keystroke loggers.

   This is why the first two items on this list are so important.