Friday, May 30, 2008

Who needs COFEE!?

Talk about timing! This is the perfect follow-up to my previous article about Microsoft's Computer Online Forensic Evidence Extractor (COFEE).

Remember I said:

Actually, my outrage is dramatized for purposes of this article. Most of us know this game of security we play only stops the casual passer-by. If someone has physical access, it's only a matter of time before they get in. If not through back doors created by Microsoft then through bugs or unknown technical trickery.
Despite Microsoft's claim that Vista is their most secure OS ever (Vista is 'more secure' says Gates), I just found a demo of the easiest hack ever! It uses the exact same trick I used on XP years ago - but much more dramatically.

On XP I used a Linux boot CD to mount my disk volume. This allowed me to bypass Windows security and do such things as hack the passwords file to gain access to the administrator account. This got me what I wanted but was hardly stealthy - it would be quite clear to anyone wanting to log into the laptop afterward that someone had really messed things up since the old passwords would no longer work.

If I were into true espionage, I would want something much more subtle: something that would give me access over the long term without being discovered. The Vista hack demonstrated above basically gives a spy that ability! By temporarily modifying the Ease of Access button (Utilman.exe) to gain access to Vista as the elevated SYSTEM account, I would be able to do anything I wanted on the system. I could set up scheduled tasks or services (keyloggers, etc.) or examine user data. But there would be no evidence that I had been there! The existing accounts would not be damaged, and the system logs would show no evidence of me even accessing the computer. This is key to getting something into the system and allowing it to remain there for an extended period of time (very bad).

I've really been enjoying showing the video to people this week. Those in the know give a good belly laugh and those who believe the hype get this empty, sick look on their face -- try it! BTW, there is more discussion about the video on Microsoft's own Channel9 blog. There are some additional perspectives there, but they kind of miss the point.

Want to protect yourself from this threat? There is no foolproof way - but you can at least make it more difficult:
  • Using BitLocker to encrypt the hard drive is the most obvious approach, because the Linux boot CD will be unable to even find the System32 folder. But BitLocker isn't practical for everyone, since it requires all sorts of key management.
  • The easiest approach is to prevent someone from booting Linux at all by turning off the BIOS options that allow booting from USB thumb drives or CD/DVD devices. But this also means you must password-protect the BIOS. It would also be a good idea to lock the case so that the BIOS override jumper can't be used to reset the BIOS. A lock would also prevent the hard drive from being temporarily removed from the system and placed in some other computer that does allow booting (maybe the spy has an external USB chassis on his laptop). But now you are managing real keys, and your IT staff have a bit more work to do before they can boot from a recovery CD or the like.
  • Another novel approach I found was to disable the Ease of Access button, as described on the How-To Geek site. But don't be fooled: it turns out that someone simply replaced Utilman.exe with an executable of their own :-) It is, however, a nice demo of how the hack can be done using a Windows install disc, without a Linux boot CD being needed at all.
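Whichever of the above you choose, it also helps to be able to tell whether Utilman.exe has already been swapped. The PowerShell script below is an added example (not from the original post or from Microsoft) that checks the Authenticode signature of Utilman.exe, hashes it, and optionally compares the hash against a baseline you recorded from a known-good build; the -Root parameter is an assumption that lets you point it at an offline-mounted Windows volume as well as the running system.

```powershell
# Added example: is System32\Utilman.exe still the Microsoft-signed original?
# Assumptions: you can read System32; -Root may be the running system
# ($env:SystemRoot) or an offline-mounted volume such as D:\Windows.
param(
    [string]$Root = $env:SystemRoot,
    [string]$BaselineSha256 = ""   # placeholder: hash recorded from a known-good build
)

$target = Join-Path $Root "System32\Utilman.exe"
if (-not (Test-Path $target)) { throw "Not found: $target" }

# 1. Signature check. A swapped-in binary will not carry a valid Microsoft
#    signature. Caveat: many Windows binaries are catalog-signed rather than
#    embedded-signed, so "NotSigned" on an older PowerShell is a reason to
#    fall back on the hash comparison, not proof of tampering by itself.
$sig = Get-AuthenticodeSignature -FilePath $target
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "<unsigned>" }
$signedByMicrosoft = ($sig.Status -eq "Valid") -and ($signer -match "O=Microsoft Corporation")

# 2. SHA-256 of the file on disk, compared to the administrator's baseline if given.
$sha = [System.Security.Cryptography.SHA256]::Create()
$stream = [System.IO.File]::OpenRead($target)
try   { $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString("x2") }) -join "" }
finally { $stream.Close() }
$hashMatches = if ($BaselineSha256) { $hash -eq $BaselineSha256.ToLower() } else { $null }

# 3. Version resource: a replacement tool usually describes itself differently.
$ver = (Get-Item $target).VersionInfo

# Report one object; Suspicious is true if the signature is not Microsoft's
# or the hash disagrees with a supplied baseline.
New-Object PSObject -Property @{
    Path              = $target
    SignatureStatus   = $sig.Status
    Signer            = $signer
    SignedByMicrosoft = $signedByMicrosoft
    Sha256            = $hash
    BaselineMatch     = $hashMatches
    OriginalFilename  = $ver.OriginalFilename
    Description       = $ver.FileDescription
    Suspicious        = (-not $signedByMicrosoft) -or ($hashMatches -eq $false)
}
```

Record the Sha256 value from a freshly installed machine once, then pass it as -BaselineSha256 on later runs so a silent replacement shows up as BaselineMatch = False.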
I wish you all the best in securing your Vista environment. If you think you have a secure approach, share it with others here.
