Solved

Impact, mitigation of MS golden backdoor keys & Secure Boot policy

Posted on 2016-08-11
75 Views
Last Modified: 2016-08-13
http://www.theregister.co.uk/2016/08/10/microsoft_secure_boot_ms16_100/

Refer to above.  

Q1:
Besides tablets & phones running Windows OS, are PCs/laptops affected?
Attachment 1 says PCs/laptops are affected: is this article true?

Q2:
In our corporation, which has a few thousand PCs/laptops, we disallow users from
getting into the BIOS (I suppose these are called 'locked-down Secure Boot'
PCs/laptops); what's the mitigation then? It's not feasible to get the thousands
of PCs/laptops to our corporate end-user computing team (which numbers only
about 15) to go into the BIOS and switch off "Secure Boot".
We have about 30 physical locations/offices.

Q3:
Any idea if MS has released a patch for it or any workaround for this? Is
this only for certain flavors & versions of Windows? Do list them.
MSecureboot.jpg
Question by:sunhux
14 Comments
 
LVL 47

Assisted Solution

by:dbrunton
dbrunton earned 250 total points
Q1  PCs and laptops are affected.  Yes.

Q2  Microsoft is rolling out patches to fix the issue.  Is this something to worry about?  No.  Unless the user is a supreme hacker who wants to get into their own device and even then they would have to have the correct tools and software to do this.  Don't touch anything.  The Microsoft patches will do the job in the next month.

Q3  Windows 8 onwards.
 
LVL 53

Expert Comment

by:McKnife
What you need to ask yourself: if someone came and booted his own, unsigned OS - so what? What is the problem with that? Your disk should be encrypted and have preboot authentication so there is nothing to fear anyway.
 

Author Comment

by:sunhux
> Your disk should be encrypted
Erm, our PCs are not encrypted while the laptops are encrypted (mix of CheckPoint & McAfee encryption products).
But one colleague says this issue allows us to 'bypass' the disk encryptions (of CheckPoint & McAfee) : any truth in this?

>Q3  Windows 8 onwards
So I guess Win 10 (for tablets, PCs, laptops) & Win 8 for tablets/phones are affected?
One VIP in our organization uses a Windows phone though I don't know what version he is on
 

Author Comment

by:sunhux
> Erm, our PCs are not encrypted ...
What I meant by PCs above are desktops.

>Q2  Microsoft is rolling out patches to fix the issue.  Is this something to worry about?  No.
Is the patch likely to be released this month (Aug) ?

It's unlikely we have a savvy hacker in our organization (I take it remote users, i.e. remote via the Internet,
can't exploit this weakness), but quite a number of our laptop/desktop users are IT staff &
there's paranoid risk management who still insist on doing something, so should we seriously
consider adopting the recommendations below from our security vendor?

Mitigation from a security product:

Through our threat landscape analysis, we see kernel-mode rootkits as
part of the broader advanced hidden attacks challenge, which we are
addressing with a comprehensive, layered approach:

a)VirusScan Enterprise (VSE) features on-demand scanning (ODS), which
 provides memory protection for known rootkits.  We recommend customers
 of VSE to enable this functionality

b)M App Control (MAC) prevents the execution of unknown or non-
 approved files from running, including rootkit installers.  Do
 evaluate this solution

c)M Threat Intelligence Exchange (TIE) acts as a unified threat
 defense system & optimizes threat prevention to uncover advanced
 targeted attacks & other hidden attacks.  With TIE, customers can
 prevent malware installation including installation of rootkits,
 bootkits & other persistent threats. Do evaluate this solution
 

Author Comment

by:sunhux
>if someone came and booted his own, unsigned OS - so what?
Any chance that a lost Windows 10 phone/tablet is booted up by the thief (say via the microUSB port)
into an unsigned OS? Can he then access the data in it?
 
LVL 47

Assisted Solution

by:dbrunton
dbrunton earned 250 total points
>>  So I guess Win 10 (for tablets, PCs, laptops) & Win 8 for tablets/phones are affected?

Correct.

>>  But one colleague says this issue allows us to 'bypass' the disk encryptions (of CheckPoint & McAfee) : any truth in this?

I suspect not.  You'll probably still have an encrypted disk to try and unencrypt.  Others will comment.

Give it a month and I suspect M$oft will have fixed the problem.
 
LVL 47

Assisted Solution

by:dbrunton
dbrunton earned 250 total points
>>  Mitigation from a security product:

What follows the above heading is advertising jargon mostly.  There is NO complete way to stop malware getting onto a computer / telephone if that device connects to another device.  This doesn't mean anti-virus products and such are useless, but they are only 99.99% or so effective.  And fancy jargon words mean nothing.  If your present product is working OK then there is no need to change because of jargon words.

>>  Any chance that a lost Windows 10 phone/tablet  is booted up by the thief (say via the microUSB)  to an unsigned OS, can he access the data in it?

He'd require Administrator privileges (I suspect for the BIOS but I might be wrong) to do so.  If he has those then he has to hack the Secure Boot process with a software tool.  Once that is done he might be able to boot through the microUSB if the device permits that.  Then if the disk is unencrypted quite probably he could access the data.  There are a lot of ifs and possibles here.  And if he's got Administrator privileges to the device then that possibly gives him access to the data anyway.
 
LVL 53

Expert Comment

by:McKnife
"Erm, our PCs are not encrypted while the laptops are encrypted (mix of CheckPoint & McAfee encryption products)." - all machines need to be encrypted. That is the very security baseline nowadays.

"But one colleague says this issue allows us to 'bypass' the disk encryptions (of CheckPoint & McAfee) : any truth in this?" - no truth in this.

"Any chance that a lost Windows 10 phone/tablet  is booted up by the thief (say via the microUSB)
 to an unsigned OS, can he access the data in it?" - no chance if the disks are encrypted.
 

Author Comment

by:sunhux
Last few questions:

If access to the BIOS is protected by a password (a complex one) known to our IT security team only (to prevent unauthorized access to the BIOS) and Secure Boot is currently disabled in the BIOS, this weakness can't be exploited, right?

For Nokia, Lenovo and Asus Windows phones and tablets, they don't come with their
Do Windows phones and tablets (Nokia, Lenovo, Asus brands) come without storage encryption, right?
 
LVL 53

Accepted Solution

by:
McKnife earned 250 total points
Before you ask any other questions: Do you understand what secure boot is protecting against and what attack scenarios this protection would defeat?

Let me give you an example: Imagine a computer that is encrypted using a TPM chip as the sole protector (for example BitLocker), so no password needs to be entered to boot the machine. The machine starts, the TPM releases the key and it resides in RAM. Attackers have found out that the key can be retrieved from RAM if we:

A are able to remove the RAM
B if the RAM is not removable (soldered) - are able to boot an OS that can read out the RAM
With that key, the whole encrypted disk could be decrypted and copied.

So against case B, we'd be protected with SecureBoot enabled.
Now with this mistake Microsoft made, SecureBoot might not be able to protect against B.
Ask yourself: what have you lost? You have lost the ability to confidently use machines with soldered (non-removable) RAM with TPM being the one and only protector.
Ask yourself - am I doing this, does it matter? It does not sound as if it did. But if it does, you should simply add another protector, a preboot authentication protector (password or PIN) to your machine and you don't have to worry about all this. Security experts have always been recommending to use PBA, long before this problem was discovered.
Conclusion: it's not really dramatic when it comes to securing the data on your hard drive.

Your question shows that you are not aware of what the secure boot function even did for you.

"Do Windows phones n tablets (for Nokia, Lenovo, Asus brands) comes without storage encryption right?" - Windows phones by Microsoft (manufactured during the last 2 years) will mostly be able to run Windows 10, and yes, Win10 offers device encryption. As for tablets, you would look for Win10 certified tablets; those also offer device encryption or BitLocker (depending on the OS edition it will be one or the other).
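The baseline the accepted solution describes (Secure Boot enforced, OS volume encrypted, a pre-boot authentication protector instead of TPM-only) can be audited and fixed without anyone visiting a BIOS screen. The PowerShell below is an added example, not code from the thread or from Microsoft's own guidance; it assumes BitLocker (the product named in McKnife's example, not the Check Point/McAfee products the asker runs) and the built-in SecureBoot and BitLocker modules on Windows 8/10 with an elevated prompt. The function names Get-BootProtectionState and Add-PreBootPin and the file hosts.txt are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread). Audits one machine against the
# baseline discussed above: Secure Boot enforced, OS volume fully encrypted,
# and a pre-boot authentication (PBA) protector present instead of TPM-only.
# Assumes the built-in SecureBoot and BitLocker modules (Windows 8/10, 2012+).

function Get-BootProtectionState {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    # Confirm-SecureBootUEFI throws on legacy BIOS / CSM boot; treat that as
    # "not enforced", which is exactly the state an unsigned OS needs to boot.
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # PBA protectors demand a secret at boot; a bare 'Tpm' protector does not,
    # which is the soldered-RAM / boot-your-own-OS case in the answer above.
    $pbaTypes = 'TpmPin', 'TpmPinStartupKey', 'Password'
    $hasPba   = [bool](@($types | Where-Object { $pbaTypes -contains $_ }).Count)
    $tpmOnly  = ($types -contains 'Tpm') -and -not $hasPba
    $encrypted = ($vol.VolumeStatus -eq 'FullyEncrypted')

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        SecureBootOn   = $secureBoot
        Encrypted      = $encrypted
        ProtectionOn   = ($vol.ProtectionStatus -eq 'On')
        ProtectorTypes = ($types -join ',')
        TpmOnly        = $tpmOnly
        HasPreBootAuth = $hasPba
        NeedsAction    = ((-not $secureBoot) -or (-not $encrypted) -or $tpmOnly)
    }
}

function Add-PreBootPin {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][securestring]$Pin
    )
    # Group Policy must allow a startup PIN or the cmdlet refuses:
    # HKLM\SOFTWARE\Policies\Microsoft\FVE: UseAdvancedStartup=1, UseTPMPIN=1 (require) or 2 (allow)
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $pol = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    if (-not $pol -or $pol.UseAdvancedStartup -ne 1 -or $pol.UseTPMPIN -notin 1, 2) {
        throw "Startup PIN not permitted by policy ($fve UseAdvancedStartup/UseTPMPIN); fix the GPO first."
    }
    # BitLocker keeps one TPM-based protector per volume, so TPM+PIN replaces TPM-only.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    Get-BootProtectionState -MountPoint $MountPoint
}

# Fleet audit over WinRM (assumes WinRM is enabled and hosts.txt lists the machines).
# This is how Q2 gets answered without sending 15 people to 30 offices.
$report = Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-BootProtectionState}
$report | Where-Object NeedsAction |
    Format-Table ComputerName, SecureBootOn, Encrypted, ProtectorTypes, TpmOnly -AutoSize

# Local remediation; prompt for the PIN rather than putting it on the command line:
# Add-PreBootPin -Pin (Read-Host -AsSecureString 'Startup PIN')
```

Read the report with McKnife's scenario in mind: a row with SecureBootOn false is the only one where the leaked policies change anything, and it only matters if that same row also shows TpmOnly true or Encrypted false. Machines that already have a TpmPin protector are in the state the accepted solution calls the baseline, and nothing about MS16-100 changes that.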
 
LVL 47

Assisted Solution

by:dbrunton
dbrunton earned 250 total points
>>  If access to BIOS is protected by password (a complex one) known to our IT security team only (to prevent unauthorized access to BIOS) and current Secure Boot is disabled in BIOS, this weakness cant be exploited, right?

WRONG but not for your reasoning

BIOS must be passworded.
Secure Boot must be enabled.  If you don't enable it you can change the OS on your system and do all sorts of nasty stuff.  The sort you are worried about.

If users try to bypass Secure Boot with the hacks they first need Administrator access on the machine ("You must be an administrator to update the firmware", from the Register article).  That should stop most of your staff unless they are IT.  And if you can't trust your IT people you have even bigger problems in your organization.
 
LVL 53

Expert Comment

by:McKnife
"Secure Boot must be enabled.  If you don't enable it you can change the OS on your system and do all sorts of nasty stuff.  The sort you are worried about" - not if we fulfill the security baseline and encrypt the disk and use preboot authentication :-) Then, an attacker cannot abuse it. So to emphasize again: the new "exploit", or whatever we may call it, is only a problem in certain scenarios like the one I outlined in my previous comment.
 
LVL 47

Expert Comment

by:dbrunton
So to emphasize again: the new "exploit", or whatever we may call it, is only a problem in certain scenarios like the one I outlined in my previous comment.

quoting McKnife
 

Author Comment

by:sunhux
Gee, thanks for clarifying on Secure Boot and TPM.
