8

Are there any statistics on whether requiring the secure attention key to be pressed on login actually increases security?

I personally don't see the point of that:

  • if you're after credentials, you're better off phishing email or other apps' credentials that allow access from the Internet. Phishing OS credentials won't do any good, as you still need to be physically on the network to use them.
  • if you're physically in the building and have access to the network, you can do more damage, and the secure attention key won't do much either, as you can completely replace the machine with your own one which doesn't care about the secure attention key (or rather does, but presents your fake login screen when pressed).

Also, there seems to be no SAK support on Mac, and Linux support is weak (the code is in the kernel, but no desktop manager appears to take advantage of it), and it seems no one is screaming about it, which makes me think it's more security theatre popular in Windows networks than anything else.

  • Please do not flag this question as a duplicate of the one I linked; I'm not asking what attacks this feature protects against, instead I'm asking whether such attacks are actually frequent. –  Mar 12 '15 at 15:26

2 Answers

6

The system-attention-key is mostly an historical remnant from the youth days of the engineers who designed the SAK. These engineers, when they think about security, actually think about the times when they were dabbling in security, and that was when they were students. More precisely, when they were students in the 1990s. That last item is important: in the 1990s, students did not usually have networked computers, in particular laptops; more commonly, the students were sharing a dozen workstations in a dedicated room. The students, being students, engaged in the kind of things that students do, in particular setting traps and jokes on each other. "Stealing" the password of a co-student was a common game.

And game here is an important word. The point was not really to have the password to enact mischief, but to demonstrate technical skill for boasting purposes (most human activities, at least from male people, are at their core about gaining or keeping Alpha male status, even to the point of absurdity, because computer rooms of the 1990s were singularly devoid of any female that could have been wooed by such a display of technical skill). Thus, the "password stealing" need not be efficient, but elegant. This included amusing systems by which a user would keep a picture of the login screen running as a basic application under his own name, mimicking the true one and grabbing the password of other people -- the elegance coming from the fact that the attacker does not even need local administrative rights ("root privileges"). You will notice that the SAK prevents exactly that attack.

Real-life attackers don't play that nicely. When they have physical access to a machine, they first get kernel-level access, possibly by physically damaging the machine (an unthinkable heresy for a computer student), and if they want to log keys they just do, regardless of the SAK. But engineers who design operating systems now still think in terms of the golden days of their early twenties; they try to thwart not the practical real-life attacks, but the elegant shenanigans from a more civilized age.

So the SAK is there, mostly to give a feeling of safety to people who envision attacks and key logging like a game they played two decades ago and still fondly remember. Like most things in computers, it is there out of a matter of Tradition.

(Note that some of these engineers did not get jobs designing operating systems, but writing specifications of "security rules" to which organizations shall conform -- for a hilariously extended effect of lingering tradition. OS designers still have to include a SAK because they need it to comply with some regulations, even if they know it does not make a lot of sense.)


Now, in practice, what good does the SAK do? Not a lot. One can still say that the login password of a user is sensitive data -- not because it grants access to the local network (an access that the attacker already has, by virtue of hijacking a machine that runs on that network), but because users have the habit of reusing passwords, either directly or through some transparent "rule" (if a user's password on server QZ982 is "PasswordQZ982", guess what will be the user's password on server YH455?). But the SAK is not enough to resist key logging anyway.

Security is really increased, not by SAK-like attempts, but by (as usual) educating users, in particular to the necessity of not reusing passwords.

Tom Leek
  • 170,038
  • 29
  • 342
  • 480
3

The credentials may be shared for the whole network (e.g. LDAP credentials), allowing access to the local computer, mail, remote access…

Also note that phishing OS credentials is very different from phishing a website. You don't go back to a computer and fill in an email prompt without even logging in (actually, I don't think many company users enter their password at their PCs except at the login screen, not even for configuring their email).

If you have access to the building, carry a compromised machine with the same appearance as the target one, and are left alone to exchange them, then yes, you could overcome the SAK request.¹ And even then, you may not be able to really impersonate the original machine to the network, thus showing odd behavior to the phished user.

I completely disagree with Tom's statement that "the attacker already has access to the local network". The stolen credentials may be used to conceal the attacker's account in a later attack (would you steal using your real ID?), or simply to elevate privileges.

«The base operator goes to the computer used by the soldier Bradley Manning to install the new Adobe Reader needed for document X. He has already signed off, so the operator simply enters the administrative username and password. It spits a "Wrong password" error. However, it has quietly logged the administrative password.»

Yes, it's the same story as the students game. But with nation secrets and spies instead.²

I don't think such phishes are common (and probably few people are pressing Ctrl-Alt-Del when confronted with the screen that would appear after it has been pressed). But they are indeed a possibility, and SAK, correctly used, avoids them.

On the other hand, if they are single user machines and nobody else can log into them, I don't think it's worth having SAK activated.

¹ You would be better off installing a hardware keylogger, though.

² Note that if there is someone else in the computer room at all times, this soldier wouldn't be able to open the computer, reset the BIOS and boot from a CD to compromise the system. Nor could he replace it with his own computer.

Ángel
  • 18,188
  • 3
  • 26
  • 63