Leading analyst firm, KuppingerCole reviews AlgoSec's Security Policy Management Solution, and the security challenges faced by companies today in their Executive View report.
Impact, mitigation of MS golden backdoor keys & Secure Boot policy
http://www.theregister.co.uk/2016/08/10/microsoft_secure_boot_ms16_100/
Refer to above.
Q1:
Besides tablets & phones running Windows OS, are PCs/laptops affected?
Attachment 1 says PCs/Laptops are affected : is this article true?
Q2:
I suppose in our corporate which has a few thousand PCs/laptops which we
disallow users from getting into the BIOS (I suppose this is called 'locked-down
secure boot' PCs/laptops, then what's the mitigation? Not feasible to get the
thousands of PCs/laptops to our corporate end-user computing team (which
number about 15 only) to go into the BIOS to switch off "Secure Boot".
We have about 30 physical locations/offices
Q3:
Any idea if MS has released a patch for it or any workaround for this? Is
this only for certain flavors & versions of Windows ? Do list them
MSecureboot.jpg
Refer to above.
Q1:
Besides tablets & phones running Windows OS, are PCs/laptops affected?
Attachment 1 says PCs/Laptops are affected : is this article true?
Q2:
I suppose in our corporate which has a few thousand PCs/laptops which we
disallow users from getting into the BIOS (I suppose this is called 'locked-down
secure boot' PCs/laptops, then what's the mitigation? Not feasible to get the
thousands of PCs/laptops to our corporate end-user computing team (which
number about 15 only) to go into the BIOS to switch off "Secure Boot".
We have about 30 physical locations/offices
Q3:
Any idea if MS has released a patch for it or any workaround for this? Is
this only for certain flavors & versions of Windows ? Do list them
MSecureboot.jpg
Asked:
5-
5
4
5 Solutions
What you need to ask yourself: if someone came and booted his own, unsigned OS - so what? What is the problem with that? Your disk should be encrypted and have preboot authentication so there is nothing to fear anyway.
> Your disk should be encrypted
Erm, our PCs are not encrypted while the laptops are encrypted (mix of CheckPoint & McAfee encryption products).
But one colleague says this issue allows us to 'bypass' the disk encryptions (of CheckPoint & McAfee) : any truth in this?
>Q3 Windows 8 onwards
So I guess Win 10 (for tablets, PCs, laptops) & Win 8 for tablets/phones are affected?
One VIP in our organization uses a Windows phone though I don't know what version he is on
Erm, our PCs are not encrypted while the laptops are encrypted (mix of CheckPoint & McAfee encryption products).
But one colleague says this issue allows us to 'bypass' the disk encryptions (of CheckPoint & McAfee) : any truth in this?
>Q3 Windows 8 onwards
So I guess Win 10 (for tablets, PCs, laptops) & Win 8 for tablets/phones are affected?
One VIP in our organization uses a Windows phone though I don't know what version he is on
> Erm, our PCs are not encrypted ...
What I meant by PCs above are desktops.
>Q2 Microsoft is rolling out patches to fix the issue. Is this something to worry about? No.
Is the patch likely to be released this month (Aug) ?
Unlikely we have savvy hacker in our organization (I take it remote users ie remote via Internet
can't exploit this weakness) but quite a number of our laptop/desktop users are IT staff &
there's paranoid risk management who still insist to do something, so should we seriously
consider adopting the recommendations below from our security vendor:
Mitigation from a security product:
Through our threat landscape analysis, we see kernel-mode rootkits as
part of the broader advanced hidden attacks challenge, which we are
addressing with a comprehensive, layered approach:
a)VirusScan Enterprise (VSE) features on-demand scanning (ODS), which
provides memory protection for known rootkits. We recommend customers
of VSE to enable this functionality
b)M App Control (MAC) prevents the execution of unknown or non-
approved files from running, including rootkit installers. Do
evaluate this solution
c)M Threat Intelligence Exchange (TIE) acts as a unified threat
defense system & optimizes threat prevention to uncover advanced
targeted attacks & other hidden attacks. With TIE, customers can
prevent malware installation including installation of rootkits,
bootkits & other persistent threats, Do evaluate this solution
What I meant by PCs above are desktops.
>Q2 Microsoft is rolling out patches to fix the issue. Is this something to worry about? No.
Is the patch likely to be released this month (Aug) ?
Unlikely we have savvy hacker in our organization (I take it remote users ie remote via Internet
can't exploit this weakness) but quite a number of our laptop/desktop users are IT staff &
there's paranoid risk management who still insist to do something, so should we seriously
consider adopting the recommendations below from our security vendor:
Mitigation from a security product:
Through our threat landscape analysis, we see kernel-mode rootkits as
part of the broader advanced hidden attacks challenge, which we are
addressing with a comprehensive, layered approach:
a)VirusScan Enterprise (VSE) features on-demand scanning (ODS), which
provides memory protection for known rootkits. We recommend customers
of VSE to enable this functionality
b)M App Control (MAC) prevents the execution of unknown or non-
approved files from running, including rootkit installers. Do
evaluate this solution
c)M Threat Intelligence Exchange (TIE) acts as a unified threat
defense system & optimizes threat prevention to uncover advanced
targeted attacks & other hidden attacks. With TIE, customers can
prevent malware installation including installation of rootkits,
bootkits & other persistent threats, Do evaluate this solution
>if someone came and booted his own, unsigned OS - so what?
Any chance that a lost Windows 10 phone/tablet is booted up by the thief (say via the microUSB)
to an unsigned OS, can he access the data in it?
Any chance that a lost Windows 10 phone/tablet is booted up by the thief (say via the microUSB)
to an unsigned OS, can he access the data in it?
>> So I guess Win 10 (for tablets, PCs, laptops) & Win 8 for tablets/phones are affected?
Correct.
>> But one colleague says this issue allows us to 'bypass' the disk encryptions (of CheckPoint & McAfee) : any truth in this?
I suspect not. You'll probably still have an encrypted disk to try and unencrypt. Others will comment.
Give it a month and I suspect M$oft will have fixed the problem.
Correct.
>> But one colleague says this issue allows us to 'bypass' the disk encryptions (of CheckPoint & McAfee) : any truth in this?
I suspect not. You'll probably still have an encrypted disk to try and unencrypt. Others will comment.
Give it a month and I suspect M$oft will have fixed the problem.
>> Mitigation from a security product:
What follows the above heading is Advertising jargon mostly. There is NO complete way to stop malware getting onto a computer / telephone if that device connects to another device. This doesn't mean anti-virus products and such are useless but they are only 99.99% or so effective. And fancy jargon words mean nothing. If your present product is working OK then no need to change because of jargon words.
>> Any chance that a lost Windows 10 phone/tablet is booted up by the thief (say via the microUSB) to an unsigned OS, can he access the data in it?
He'd require Administrator privileges (I suspect for the BIOS but I might be wrong) to do so. If he has those then he has to hack the Secure boot process with a software tool. Once that is done he might be able to boot through the microUSB if the device permits that. Then if the disk is unencrypted quite probably he could access the data. There are a lot of ifs and possibles here. And if he's got Adminstrator privileges to the device then that possibly gives him access to the data anyway.
What follows the above heading is Advertising jargon mostly. There is NO complete way to stop malware getting onto a computer / telephone if that device connects to another device. This doesn't mean anti-virus products and such are useless but they are only 99.99% or so effective. And fancy jargon words mean nothing. If your present product is working OK then no need to change because of jargon words.
>> Any chance that a lost Windows 10 phone/tablet is booted up by the thief (say via the microUSB) to an unsigned OS, can he access the data in it?
He'd require Administrator privileges (I suspect for the BIOS but I might be wrong) to do so. If he has those then he has to hack the Secure boot process with a software tool. Once that is done he might be able to boot through the microUSB if the device permits that. Then if the disk is unencrypted quite probably he could access the data. There are a lot of ifs and possibles here. And if he's got Adminstrator privileges to the device then that possibly gives him access to the data anyway.
"Erm, our PCs are not encrypted while the laptops are encrypted (mix of CheckPoint & McAfee encryption products)." - all machines need to be encrypted. That is the very security baseline nowadays.
"But one colleague says this issue allows us to 'bypass' the disk encryptions (of CheckPoint & McAfee) : any truth in this?" - no truth in this.
"Any chance that a lost Windows 10 phone/tablet is booted up by the thief (say via the microUSB)
to an unsigned OS, can he access the data in it?" - no chance if the disks are encrypted.
"But one colleague says this issue allows us to 'bypass' the disk encryptions (of CheckPoint & McAfee) : any truth in this?" - no truth in this.
"Any chance that a lost Windows 10 phone/tablet is booted up by the thief (say via the microUSB)
to an unsigned OS, can he access the data in it?" - no chance if the disks are encrypted.
Last few questions:
If access to BIOS is protected by password (a complex one) known to our IT security team only (to prevent unauthorized access to BIOS) and current Secure Boot is disabled in BIOS, this weakness cant be exploited, right?
For Nokia, Lenovo n Asus Windows phones n tablets, they dont come with their
Do Windows phones n tablets (for Nokia, Lenovo, Asus brands) comes without storage encryption right?
If access to BIOS is protected by password (a complex one) known to our IT security team only (to prevent unauthorized access to BIOS) and current Secure Boot is disabled in BIOS, this weakness cant be exploited, right?
For Nokia, Lenovo n Asus Windows phones n tablets, they dont come with their
Do Windows phones n tablets (for Nokia, Lenovo, Asus brands) comes without storage encryption right?
Before you ask any other questions: Do you understand what secure boot is protecting against and what attack scenarios this protection would defeat?
Let me give you an example: Imagine a computer that is encrypted using a tpm chip as sole protector (for example bitlocker), so no password needs to be entered to boot the machine. The machine starts, the tpm releases the key and it resides in RAM. Attackers have found out that the key can be retrieved from RAM, if we
A are able to remove the RAM
B if the RAM is not removable (soldered) - are able to boot an OS that can read out the RAM
With that key, the whole encrypted disk could be decrypted and copied.
So against case B, we'd be protected with SecureBoot enabled.
Now with this mistake Microsoft made, SecureBoot might not be able to protect against B.
Ask yourself: what have you lost? You have lost the ability to confidently use machines with soldered (non-removable) RAM with TPM being the one and only protector.
Ask yourself - am I doing this, does it matter? It does not sound as if it did. But if it does, you should simply add another protector, a preboot authentication protector (password or PIN) to your machine and you don't have to worry about all this. Security experts have always been recommending to use PBA, long before this problem was discovered.
Conclusion: it's not really dramatic when it comes to securing the data on your hard drive.
Your question shows that you are not aware of what the secure boot function even did for you.
"Do Windows phones n tablets (for Nokia, Lenovo, Asus brands) comes without storage encryption right" - windows phones by microsoft (manufactured during the last 2 years) will mostly be able to run windows 10 and yes, win10 offers device encryption. As for tablets, you would look for win10 certified tablets, those also do offer device encryption or bitlocker (depending on the OS edition it will be one or the other).
Let me give you an example: Imagine a computer that is encrypted using a tpm chip as sole protector (for example bitlocker), so no password needs to be entered to boot the machine. The machine starts, the tpm releases the key and it resides in RAM. Attackers have found out that the key can be retrieved from RAM, if we
A are able to remove the RAM
B if the RAM is not removable (soldered) - are able to boot an OS that can read out the RAM
With that key, the whole encrypted disk could be decrypted and copied.
So against case B, we'd be protected with SecureBoot enabled.
Now with this mistake Microsoft made, SecureBoot might not be able to protect against B.
Ask yourself: what have you lost? You have lost the ability to confidently use machines with soldered (non-removable) RAM with TPM being the one and only protector.
Ask yourself - am I doing this, does it matter? It does not sound as if it did. But if it does, you should simply add another protector, a preboot authentication protector (password or PIN) to your machine and you don't have to worry about all this. Security experts have always been recommending to use PBA, long before this problem was discovered.
Conclusion: it's not really dramatic when it comes to securing the data on your hard drive.
Your question shows that you are not aware of what the secure boot function even did for you.
"Do Windows phones n tablets (for Nokia, Lenovo, Asus brands) comes without storage encryption right" - windows phones by microsoft (manufactured during the last 2 years) will mostly be able to run windows 10 and yes, win10 offers device encryption. As for tablets, you would look for win10 certified tablets, those also do offer device encryption or bitlocker (depending on the OS edition it will be one or the other).
>> If access to BIOS is protected by password (a complex one) known to our IT security team only (to prevent unauthorized access to BIOS) and current Secure Boot is disabled in BIOS, this weakness cant be exploited, right?
WRONG but not for your reasoning
BIOS must be passworded.
Secure Boot must be enabled. If you don't enable it you can change the OS on your system and do all sorts of nasty stuff. The sort you are worried about.
If users try to bypass the Secure Boot with the hacks they first need Adminstrator access on the machine (You must be an administrator to update the firmware. from the Register article). That should stop most of your staff unless they are IT. And if you can't trust your IT people you have even bigger problems in your organization.
WRONG but not for your reasoning
BIOS must be passworded.
Secure Boot must be enabled. If you don't enable it you can change the OS on your system and do all sorts of nasty stuff. The sort you are worried about.
If users try to bypass the Secure Boot with the hacks they first need Adminstrator access on the machine (You must be an administrator to update the firmware. from the Register article). That should stop most of your staff unless they are IT. And if you can't trust your IT people you have even bigger problems in your organization.
"Secure Boot must be enabled. If you don't enable it you can change the OS on your system and do all sorts of nasty stuff. The sort you are worried about" - not if we fulfill the security baseline and encrypt the disk and use preboot authentication :-) Then, an attacker cannot abuse it. So to emphasize again: the new "exploit", or whatever we may call it, is only a problem in certain scenarios like the one I outlined in my previous comment.
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
Join & Write a Comment Already a member? Login.
Featured Post
Leading analyst firm, KuppingerCole reviews AlgoSec's Security Policy Management Solution, and the security challenges faced by companies today in their Executive View report.
Tackle projects and never again get stuck behind a technical roadblock.
Join Now
Q2 Microsoft is rolling out patches to fix the issue. Is this something to worry about? No. Unless the user is a supreme hacker who wants to get into their own device and even then they would have to have the correct tools and software to do this. Don't touch anything. The Microsoft patches will do the job in the next month.
Q3 Windows 8 onwards.