Slashdot Mirror


Researchers Show How To Take Control of Windows 7

alphadogg writes "Security researchers demonstrated how to take control of a computer running Microsoft's upcoming Windows 7 operating system at the Hack In The Box Security Conference (HITB) in Dubai on Thursday. Researchers Vipin Kumar and Nitin Kumar used proof-of-concept code they developed, called VBootkit 2.0, to take control of a Windows 7 virtual machine while it was booting up. 'There's no fix for this. It cannot be fixed. It's a design problem,' Vipin Kumar said, explaining the software exploits the Windows 7 assumption that the boot process is safe from attack. While VBootkit 2.0 shows how an attacker can take control of a Windows 7 computer, it's not necessarily a serious threat. For the attack to work, an attacker must have physical access to the victim's computer. The attack can not be done remotely." Which makes me wonder why I'm posting this :)

325 comments

  1. Physical Security is a big issue by mc1138 · · Score: 3, Insightful

    We hear about it all the time, laptops being stolen, left out, all with tons of sensitive data. Combine this with a lot of companies having very poor physical security this could be more than something to just write off.

    1. Re:Physical Security is a big issue by xmarkd400x · · Score: 2, Insightful

      Your "problem" has already been solved. Encrypt the hard drive. Companies don't care about losing sensitive data other than the monetary and reputation loss. If you lose a hard drive with private info on it, you only have to report a "breach" if it's encrypted.

      Somebody with physical access can just use a boot CD and do what they want anyways.

    2. Re:Physical Security is a big issue by Lovedumplingx · · Score: 2, Interesting

      I was thinking that same thing.

      Sure it's not really much of a problem for the home user but for the businessman/government worker who travels and leaves his laptop or has it stolen this means that the data on that machine will be compromised.

    3. Re:Physical Security is a big issue by Rayeth · · Score: 1

      Also isn't an axiom of computer security that if someone can get physical access to your machine there is pretty much no software in the world that can stop them? It's all well and good to encrypt, but that won't help you if they remove the drive and have their Beowulf cluster break your RSA.

    4. Re:Physical Security is a big issue by seanellis · · Score: 2, Interesting

      Given your mention of encryption-cracking clusters, I would be remiss not to post this XKCD comic in response.

    5. Re:Physical Security is a big issue by MozeeToby · · Score: 1

      If someone has physical access to your computer, you've already lost. That's been the general rule for decades now. Even with a fully encrypted harddrive someone could install an inline usb key-logger and you would probably never notice it. Sensitive information should never go on a laptop and desktops should be physically secured. Anything else is 100% defeatable.

    6. Re:Physical Security is a big issue by Anonymous Coward · · Score: 1, Funny

      If someone has physical access to your computer, you've already lost.

      Not really. My box has a nice chunk of C4 explosive inside it. Three failed login attempts and you're gone.

    7. Re:Physical Security is a big issue by Rayeth · · Score: 1

      This is even more true, because if they have physical access you are in much closer proximity (probably) to that very same $5 wrench.

    8. Re:Physical Security is a big issue by mhall119 · · Score: 3, Insightful

      Even if you're using Windows to encrypt your hard drive, this exploit might still be effective. From the very few details in the article, it modified the Windows boot files in memory while it's booting. If they can do that, then they just wait for you to log in and decrypt your hard drive, and their tainted processes have access to all your data.

      --
      http://www.mhall119.com
    9. Re:Physical Security is a big issue by maxume · · Score: 1

      Does encrypting some of the stuff on my laptop (to limit and/or mitigate the potential consequences of someone stealing it for the hardware) make me a crypto nerd?

      --
      Nerd rage is the funniest rage.
    10. Re:Physical Security is a big issue by Anonymous Coward · · Score: 0
    11. Re:Physical Security is a big issue by afidel · · Score: 2, Interesting

      The only way to inject code during boot if you are using bitlocker would be to use a DMA controller to do the injection. Firewire ports are one of the few devices commonly found in a PC with a DMA controller that can be used in this manner.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    12. Re:Physical Security is a big issue by V!NCENT · · Score: 1

      Do you want to fit the group so badly? If you're interested in this kinda stuff on /. then welcome, on behalf of everyone who also thinks it's interesting.

      The definition of a nerd is a person who is simultaneously interested in mature, more intelligent stuff and also very childish things at the same time. A person is only a nerd if he also fits the "Yikes! Go away loser." - "Yeah go play with your Star... Wars... whatever toys" group of people.

      I am not really the nerd kinda guy... et al. But who cares? I like it here so it is here I stay... Go make up your own damn mind.

      --
      Here be signatures
    13. Re:Physical Security is a big issue by maxume · · Score: 1

      Actually, I was sort of pointing out that you can use encryption for purposes other than the narrow one defined in that cartoon (which is roughly, protection against imaginary, wrench wielding bad guys).

      --
      Nerd rage is the funniest rage.
    14. Re:Physical Security is a big issue by imemyself · · Score: 2, Interesting

      If you're using full disk encryption with BitLocker or TrueCrypt or something then I doubt this would be effective. With both BitLocker and TrueCrypt, the only things that can be loaded without decrypting the drive are the bootloader/BitLocker/TrueCrypt software that prompts for the password or key. Unless someone has found a vulnerability in the actual encryption software that's used, I don't think it would be vulnerable in that way.

      --
      Every time you post an article on Slashdot, I kill a server. Think of the servers!
    15. Re:Physical Security is a big issue by shutdown+-p+now · · Score: 1

      I don't know much about it, but doesn't BitLocker with TCPA chip support enabled verify the loader code, and refuse to boot if it's compromised?

    16. Re:Physical Security is a big issue by Patch86 · · Score: 1

      Depends how much of your waking life you devote to thinking about it.

      If you thought "hey, maybe I'll encrypt my data" and then did it, and that's that, then you're not a nerd. If you thought about it pretty much any more than that, then bad news...

      Like most security, data encryption is just a way of raising the barrier to entry. Almost all security can be beaten with enough time/effort/resources; but by taking precautions, you can deter anyone who doesn't want to dedicate [X] to the task. Of course you pay for every new barrier in kind, with your own time/effort/system resource...

      Anyone who thinks they can make their data completely uncrackable might want to think again.

    17. Re:Physical Security is a big issue by mhall119 · · Score: 2, Informative

      From what I've read, it verifies that the BIOS and MBR are untouched, but I haven't read that it checks what is in RAM. This exploit modified what is in RAM only.

      --
      http://www.mhall119.com
    18. Re:Physical Security is a big issue by V!NCENT · · Score: 1

      Using something for a purpose it was not invented/created for makes you a hacker, not a nerd per se.

      --
      Here be signatures
    19. Re:Physical Security is a big issue by AmiMoJo · · Score: 1

      It still isn't a realistic threat.

      In order to modify parts of Windows in memory during boot, the virus would have to install a driver that is loaded fairly early on in the boot sequence. To do that it would need full admin rights, which in Vista trigger a UAC warning even if you are logged in as an admin. Presumably you would get a warning about signed drivers too. Windows 7 is supposed to be even more secure than that, and you can't really count it as a vulnerability any more than you could count a virus patching the kernel in Linux as one, because only the user giving the virus root access would allow it to function.

      Physical security is still maintained because the encrypted drive protects the Windows installation from being patched or modified off-line.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    20. Re:Physical Security is a big issue by jonadab · · Score: 1

      > We hear about it all the time, laptops being stolen, left out, all with tons of sensitive data.

      Fundamentally, the operating system can't fix this. If the attacker has physical control of the hardware, the software cannot really be protected. If you published a method for taking control of an OpenBSD system by having physical control of the hardware, the OpenBSD guys would shrug and say, basically, "Duh". In fact, I can tell you how to do that right now: boot from a live CD, mount the filesystem, and clear root's hashed password out of /etc/shadow, then take the CD out, boot from the hard drive, log in as root, and set whatever password you want. Congratulations, you've now rooted a default OpenBSD install. Woo.

      If the system is not physically secure, it should not have unencrypted sensitive data on it.

      If the system is not physically secure, it should not have unencrypted sensitive data on it.

      If the system is not physically secure, it should not have unencrypted sensitive data on it.

      Incidentally, the encryption passwords count as sensitive data, so it shouldn't have those either.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    21. Re:Physical Security is a big issue by mhall119 · · Score: 1

      The article didn't go into specifics, but it seemed to imply that the exploit code wasn't being executed by Windows, but by something else that could manipulate the contents of the computer's memory during the Windows boot sequence. Basically Windows checks that the BIOS and MBR are intact before booting, then verifies anything that runs after booting, but it doesn't check that the boot files loaded into memory match the untouched files on disk.

      --
      http://www.mhall119.com
    22. Re:Physical Security is a big issue by jggimi · · Score: 1

      If you published a method for taking control of an OpenBSD system by having physical control of the hardware...

      The method is already published in OpenBSD FAQ 8.1: I forgot my root password, what do I do now?

      ...In fact, I can tell you how to do that right now...

      Your guidance is incorrect. No live media needed, and there is no such thing as /etc/shadow. OpenBSD is not Linux.

    23. Re:Physical Security is a big issue by AmiMoJo · · Score: 1

      That still doesn't explain how it could be used to compromise a computer with just physical access. Even if it did load something before Windows and essentially virtualised the whole thing, the disk is still encrypted and won't be accessible to the attacker.

      I suppose in theory someone with physical access could install the loader and then wait for the user to enter their password, but why not just take the far simpler route and install a hardware keylogger? There is no way the machine could be infected by remote either, unless the user gave an untrusted program root access which essentially means it's the same level of security as Linux.

      Actually, the article doesn't explain why a similar hack could not be used on a Linux system. It seems like it could, I guess they just picked Windows to get a headline.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. Physical access = root by Anonymous Coward · · Score: 2, Insightful

    If you got physical access already, it shouldn't be a surprise you can root the box.

    1. Re:Physical access = root by tepples · · Score: 1

      If you got physical access already, it shouldn't be a surprise you can root the box.

      Then why haven't TiVo DVRs, Linux boxes to which the user has physical access, been rooted?

    2. Re:Physical access = root by paroneayea · · Score: 3, Insightful

      Linux boxes are rootable. They *should* be rootable. The only time they aren't are when you don't have control any more (because of DRM & etc). But then they are only Linux in as much as the Kernel goes, not as much as the kind of Linux that Linux users advocate. I've recovered a broken plenty of times by popping in a boot cd and chrooting it.

      The only time a system can be protected from this type of stuff is if it's encrypted. But then again, that's only protecting someone from accessing information you want to keep private, not protecting from reinstalling your operating system.

      --
      http://mediagoblin.org/
    3. Re:Physical access = root by Anonymous Coward · · Score: 0

      Maybe because the data on them isn't the slightest bit interesting? I mean, shoot - no credit card numbers, no email addresses. Just some silly soap operas with commercials in them.

    4. Re:Physical access = root by LordLimecat · · Score: 1

      some quick googling indicates they have.

    5. Re:Physical access = root by Anonymous Coward · · Score: 0

      I'm sure they have.

      But I've also read that TiVo digitally signs its boot image, and the firmware won't boot something that's not signed by TiVo. This automatically makes it not in the same level playing field as a PC, where the BIOS will load and run anything that's on a disk where the end of the first sector is "0x55aa".

      By the way... Does anyone know how Microsoft's "BitLocker" and similar TPM-based solutions work? Does the TPM spec include BIOS extensions so that you can set it not to boot anything that's not signed? If so, that would be similar to the TiVo situation but somehow I doubt it.

    6. Re:Physical access = root by Anonymous Coward · · Score: 0

      They have, just search Tivo jailbreak on google.

    7. Re:Physical access = root by HTH+NE1 · · Score: 1

      some quick googling indicates they have.

      Since there are a lot of references to the root partition of a TiVo that aren't about acquiring root access to a running Tivo, that search gives lots of false hits, most of which is just about adding larger or additional hard drives. Also, earlier models of TiVos were more vulnerable than current models.

      The TiVo firmware checks a RAM disk image for validity, which in turn checks the kernel and file system for validity and purges anything it deems modified. However, it appears someone has worked out how to break this chain of trust.

      Whether someone has figured out how to make encrypted digital channel recordings store themselves unencrypted and make them transferable to a PC I don't know, but would appreciate being informed.

      For me, the point of 0wning one's own box is to enable it to do things it's been told not to let you do.

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
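
The chain of trust HTH NE1 describes (firmware checks a RAM disk image, which checks the kernel and file system) and the earlier AC's point that a legacy BIOS will boot any first sector ending in 0x55AA can be shown side by side in a few dozen lines. The following is an added illustration, not TiVo's code or anything from the article: the stage layout (a 32-byte SHA-256 digest of the next stage followed by the stage's own code), the sample stage contents and the helper names are all constructed for this example.

```python
"""Chain-of-trust boot verification, modelled on the TiVo scheme described
in the comment above. Added illustration, not TiVo's or the article's code;
the stage layout (32-byte digest of the next stage, then the stage's code)
and the sample stage contents are constructed for this example."""
import hashlib
from typing import List, Optional, Tuple

BOOT_SIG = b"\x55\xaa"  # legacy MBR marker at bytes 510..511 of the first sector


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def has_boot_signature(sector: bytes) -> bool:
    """The legacy BIOS check: a 512-byte sector ending in 0x55AA is bootable.
    It says nothing about who wrote the sector, only that it looks bootable."""
    return len(sector) == 512 and sector[510:512] == BOOT_SIG


def as_mbr_sector(payload: bytes) -> bytes:
    """Pad a payload into a 512-byte sector carrying the 0x55AA marker (constructed helper)."""
    if len(payload) > 510:
        raise ValueError("payload too large for one sector")
    return payload.ljust(510, b"\x00") + BOOT_SIG


def build_stage(code: bytes, next_stage: Optional[bytes]) -> bytes:
    """A stage is the digest of the stage it hands off to (all zeros for the
    last stage) followed by its own code."""
    next_digest = sha256(next_stage) if next_stage is not None else b"\x00" * 32
    return next_digest + code


def build_chain(stage_codes: List[bytes]) -> Tuple[bytes, List[bytes]]:
    """Assemble stages last-to-first so each can embed the next one's digest.
    Returns (root_of_trust_digest, stages in boot order). The root digest is
    what the firmware would keep in read-only storage."""
    stages: List[bytes] = []
    following: Optional[bytes] = None
    for code in reversed(stage_codes):
        stage = build_stage(code, following)
        stages.append(stage)
        following = stage
    stages.reverse()
    return sha256(stages[0]), stages


def verify_chain(root_digest: bytes, stages: List[bytes]) -> Tuple[bool, int]:
    """Walk the chain in boot order, refusing to run any stage whose digest
    differs from what its predecessor (or the firmware) expects.
    Returns (ok, index of the first stage that failed, or -1 if all passed)."""
    expected = root_digest
    for index, stage in enumerate(stages):
        if sha256(stage) != expected:
            return False, index
        expected = stage[:32]  # the digest this stage vouches for next
    return True, -1


def demo() -> dict:
    """Build a three-stage chain, then show that a modified loader or kernel is
    caught by the chain even though the loader's sector still carries the
    0x55AA marker that is all a legacy BIOS checks."""
    root, stages = build_chain([b"loader+ramdisk image", b"kernel", b"root filesystem image"])

    tampered_kernel = list(stages)
    tampered_kernel[1] = tampered_kernel[1][:32] + b"kernel with an extra module"

    tampered_loader = list(stages)
    tampered_loader[0] = tampered_loader[0][:32] + b"modified loader"

    return {
        "intact": verify_chain(root, stages),
        "tampered_kernel": verify_chain(root, tampered_kernel),
        "tampered_loader": verify_chain(root, tampered_loader),
        # The BIOS-level check passes for the modified loader; only the pinned root digest catches it.
        "bios_would_boot_tampered_loader": has_boot_signature(as_mbr_sector(tampered_loader[0])),
    }


if __name__ == "__main__":
    print(demo())
```

The verdicts come out as `(True, -1)` for the intact chain, `(False, 1)` for the modified kernel and `(False, 0)` for the modified loader, while `has_boot_signature` still accepts the modified loader's sector. That gap is the whole difference between "looks bootable" and "is the image somebody signed or measured", and it is also why a chain like this only helps if the root digest lives somewhere the attacker cannot rewrite.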
    8. Re:Physical access = root by afidel · · Score: 1

      TPM itself is just a secure key store, you would need a BIOS and signature checking agent to ensure nothing else was involved in the process. I don't believe there is currently anything like that available for the PC platform. It's what all the doom sayers from the Linux camp said TPM would bring but I don't believe it's here yet. The sophistication of attack needed to compromise a TPM protected system is very high though because you can set a BIOS password and have the system clear the TPM keystore when the BIOS is cleared so the only real means of attack is direct memory manipulation through a DMA controller.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    9. Re:Physical access = root by blackest_k · · Score: 2, Interesting

      The only time a system can be protected from this type of stuff is if it's encrypted. But then again, that's only protecting someone from accessing information you want to keep private, not protecting from reinstalling your operating system.

      Funny how this kind of thing comes up at an appropriate moment: Ubuntu 9.04 on a fresh install asks if you want to encrypt your home directory, and it will be seamlessly decrypted when you use it.

      I thought about this, then decided against it; the risk of losing everything due to having it in an encrypted home folder outweighs the risk of my data being readable by someone having physical access to the machine. On the other hand, having everything easily readable doesn't appeal either, so I compromised and decided to use Ubuntu's built-in encryption for files to protect the important but replaceable stuff.

    10. Re:Physical access = root by Anonymous Coward · · Score: 0

      If you got physical access already, it shouldn't be a surprise you can root the box.

      Then why haven't TiVo DVRs, Linux boxes to which the user has physical access, been rooted?

      It already has, you just don't know it.

      "I'm in your Tivoz, capturin yur showz!"

    11. Re:Physical access = root by YesIAmAScript · · Score: 1

      TiVo is a secured system.

      You cannot run just any code you want on it, it only runs code that was signed by TiVo.

      So code injection is difficult.

      This system could be applied to PCs, but the problem then is who is authorized to sign code to run on your machine? If just anyone can do it, then it's still easy to inject code. If only MS can do it, you can't run any code MS doesn't want you to run (say Linux) on your PC.

      To me, the downside is not worth the advantages. I want to run what I want to run, not what MS wants me to run.

      --
      http://lkml.org/lkml/2005/8/20/95
    12. Re:Physical access = root by turbidostato · · Score: 1

      "This system could be applied to PCs, but the problem then is who is authorized to sign code to run on your machine?"

      My machine, you say? The answer is obvious, then: me.

    13. Re:Physical access = root by YesIAmAScript · · Score: 1

      Then the system isn't secure. If the data required to sign code to run on your machine is on your machine, then once they exploit your current OS they can get their code signed and change the boot code.

      --
      http://lkml.org/lkml/2005/8/20/95
    14. Re:Physical access = root by tepples · · Score: 1

      TiVo is a secured system.

      But the AC's point is that such "a secured system" cannot exist.

      This system could be applied to PCs, but the problem then is who is authorized to sign code to run on your machine?

      The same entity authorized to sign code for Xbox 360: Microsoft Corporation.

      I want to run what I want to run, not what MS wants me to run.

      I agree with you, but there aren't a lot of other people who agree with us and prefer to play video games on a TV.

    15. Re:Physical access = root by turbidostato · · Score: 1

      "Then the system isn't secure. If the data required to sign code to run on your machine is on your machine"

      Who said that? Not me, obviously.

  3. Yes, why post this? by Control-Z · · Score: 4, Insightful

    If someone has physical control of the machine, all bets are off.

    1. Re:Yes, why post this? by Icegryphon · · Score: 1

      Agreed, hell you can reset admin passwords or root passwords if you have physical access to the machine.
      Unless you are using encryption on the drives.

    2. Re:Yes, why post this? by Anonymous Coward · · Score: 0

      That used to be true, it's less and less the case.

    3. Re:Yes, why post this? by MyDixieWrecked · · Score: 4, Interesting

      In today's Virtual world, physical access to the machine doesn't mean meatspace access. My company and several of my friends' companies are looking into virtualized desktops by using small desktop boxes and low-end PCs to connect to PCs in the datacenter over either RDP or other proprietary protocols.

      With the proliferation of cloud-based applications, it's only a matter of time before someone offers a browser-based virtual desktop in the cloud. Once someone hacks into some server up there, they have physical access to the machines for all intents and purposes.

      This is a very interesting threat from a virtual infrastructure security standpoint.

      --
      ...spike
      Ewwwwww, coconut...
    4. Re:Yes, why post this? by Lord+Ender · · Score: 5, Insightful

      Some disk encryption solutions, such as Checkpoint, rely on windows authentication to decrypt the disk. If this can be bypassed easily, it makes this disk encryption worthless.

      It was obvious to crypto pros that it is theoretically worthless, but this is a practical attack against it.

      Real disk encryption DOES protect the machine even with physical access. But "enterprise" software companies like Checkpoint sell snake-oil encryption quite well because engineers can "prove" it's flawed to management without a working exploit.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    5. Re:Yes, why post this? by greenguy · · Score: 4, Funny

      OK, they're claiming that if they have physical access, they can take control while it boots.

      Sounds like they simply waited for it to finish booting. Ta-dah! They have control of it!

      --
      What if I do the same thing, and I do get different results?
    6. Re:Yes, why post this? by Anonymous Coward · · Score: 0

      Real disk encryption DOES protect the machine even with physical access. But "enterprise" software companies like Checkpoint sell snake-oil encryption quite well because engineers can't "prove" it's flawed to management without a working exploit.

      A rather important 't.

    7. Re:Yes, why post this? by vux984 · · Score: 1

      This is a very interesting threat from a virtual infrastructure security standpoint.

      Not really. *ANY* physical-attack type threat is altered in the same way by virtualization.

      To obtain illicit 'physical' access to the virtual machine they have to compromise the host machine. If the host machine can't be hacked remotely, then the 'physical' virtual machine is essentially safe.

      And if the host machine CAN be compromised remotely, then the guests are hosed no matter what.

    8. Re:Yes, why post this? by DaveV1.0 · · Score: 1

      My company and several of my friends' companies are looking into virtualized desktops by using small desktop boxes and low-end PCs to connect to PCs in the datacenter over either RDP or other proprietary protocols.

      In other words, you are going back to the old terminal/server model of computing. Welcome back to the age of Jive.

      --
      There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
    9. Re:Yes, why post this? by CarpetShark · · Score: 1

      Yeah, much as I'd love to gloat, this is pretty meaningless. Even a remote rootkit wouldn't say much if they could fix it easily. Only a series of obvious flaws, negligently unpatched flaws, or fundamentally unfixable flaws are worth talking about.

    10. Re:Yes, why post this? by CarpetShark · · Score: 1

      In today's Virtual world, physical access to the machine doesn't mean meatspace access.

      That's a very good point. I still don't think it means much in terms of comparisons, since most other OSes are similarly vulnerable if their boot sequence is alterable or their raw drives can be accessed, but yeah, that's worth bearing in mind.

    11. Re:Yes, why post this? by drinkypoo · · Score: 1

      In other words, you are going back to the old terminal/server model of computing. Welcome back to the age of Jive.

      Everything old becomes new again if you wait long enough. Actually, you apparently missed it when we all went back to the old session-processed, terminal/server model of computing. It's called the World Wide Web. GP can't go BACK to the past when we're all already there.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    12. Re:Yes, why post this? by YesIAmAScript · · Score: 2, Insightful

      If you think accessing a machine through a browser is the same as having physical access "for all intents and purposes", then you aren't actually considering nearly enough intents and purposes.

      You cannot disconnect a drive or even insert a USB key (during boot) with RDP. It's not the same at all.

      --
      http://lkml.org/lkml/2005/8/20/95
    13. Re:Yes, why post this? by mangobrain · · Score: 1

      Two points of note:

      1. There's nothing wrong with decryption being integrated with the user authentication system *provided it requires a correct password to succeed*, not just a shell claiming it is running as a given user.

      Although it isn't targeted at disk encryption, gnome-keyring can be integrated with PAM to auto-unlock a user's encrypted password storage (their "default keyring") at login time. Going further, seahorse-agent provides auto-unlocking of SSH and GPG keys (by impersonating ssh-agent and gpg-agent respectively) in similar fashion, by storing the passphrases in the user's default keyring I believe. I may just not have looked hard enough, but I haven't heard anyone slating them for being "theoretically worthless" - unless you have no password on your default keyring, not even root su'ing to impersonate a particular user will grant access to their keys.

      2. On the other hand, even "real" disk encryption (as opposed to "fake" disk encryption - ROT13?) DOES NOT protect against physical access if the attacker can get a keylogger (presumably a hardware one) in place to grab the password. Same for gnome-keyring and seahorse-agent. What these systems CAN do is prevent decryption of a stolen disk/keyring when no other data is available to the attacker.

    14. Re:Yes, why post this? by RiotingPacifist · · Score: 1

      The FA was lacking on details, but I think that in this day and age, with unmodifiable system files, DRM and copy protection, simply booting into the OS gives you limited access to your machine; VBootkit allows users to run applications at system level, which probably defeats all of the above.

      Additionally, its small size and the claim that it's undetectable from within Windows means that if it is used and installed on a rooted box (the POC code can't do this, but a modified version could sit in a fake bootmgr, do some tricks, then run the real bootmgr), it can remain hidden indefinitely.

      --
      IranAir Flight 655 never forget!
    15. Re:Yes, why post this? by Lord+Ender · · Score: 1

      Thanks. The problem with "preview" is that the brain tends to read what it thought it wrote, rather than what it actually did write. It is my hope that Slashdot would allow post-preview editing at some point. Ah, well.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    16. Re:Yes, why post this? by mhall119 · · Score: 1

      Web 2.0 put the computing right back onto the client in the form of Javascript. The server is only used for database and storage, both of which are now being offered by the browser on the client again.

      Now the question is, if your terminal connects to a server, which loads a browser, which connects to another server for a web 2.0 app, which runs on Javascript on the first server, and displays it on the terminal, what the heck do we call that?

      --
      http://www.mhall119.com
    17. Re:Yes, why post this? by Lord+Ender · · Score: 1

      Your point 1 is VERY wrong. Cracking an 8-character password when given access to the hash is much much much much easier than cracking a 20-character encryption passphrase or a smartcard-based encryption system. Furthermore, a crypto system which relies on Windows authentication to cough up the crypto key does not even require knowledge of the password. Just bypass the authentication and you get the key. I KNOW this is the case for Checkpoint WIL disk encryption.

      Your point 2: encrypted disks tend to be an issue with laptops, where they are stolen quite often. In this most common scenario, keyloggers don't enter into it.

      Crypto is only as good as the weakest link.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
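
The distinction Lord Ender draws here, and the one mangobrain made in point 1 above, is between a product whose login layer merely decides whether to hand over a stored key and one whose key cannot exist without the password. The following is an added illustration of that difference, not code from Checkpoint, BitLocker or the article; the class names, the XOR key wrap, the check value and the PBKDF2 iteration count are all constructed for this example.

```python
"""Two ways a disk-encryption product can obtain its data key. Added
illustration of the point made above, not code from Checkpoint, BitLocker
or the article; the class names, the XOR key wrap and the iteration count
are constructed for this example."""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # constructed setting; products tune this to their hardware


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class AuthGatedKeyStore:
    """Design A (the pattern criticised above): the data key is stored on disk
    and the login layer merely decides whether to hand it over. The password
    hash plays no part in the key's value."""

    def __init__(self, password: str, data_key: bytes) -> None:
        self.data_key = data_key  # sits on disk, readable to whoever holds the disk
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.sha256(self.salt + password.encode()).digest()

    def authenticate(self, password: str) -> bool:
        guess = hashlib.sha256(self.salt + password.encode()).digest()
        return hmac.compare_digest(guess, self.pw_hash)

    def release_key(self, auth_verdict: bool) -> Optional[bytes]:
        # The verdict is a boolean produced by the login layer. Any path that yields
        # True, a genuine login or a flaw in that layer, releases the real key.
        return self.data_key if auth_verdict else None


class PasswordDerivedKeyStore:
    """Design B: the data key is wrapped under a key derived from the password
    with PBKDF2. On disk sit only the salt, the wrapped key and an HMAC check
    value; there is no verdict to bypass because only the password unwraps."""

    def __init__(self, password: str, data_key: bytes) -> None:
        self.salt = os.urandom(16)
        kek = self._kek(password)
        # A one-time XOR wrap is sound here because the KEK comes from a fresh random
        # salt and is used once; shipping products use a standard key-wrap mode instead.
        self.wrapped = _xor(data_key, kek)
        self.check = hmac.new(kek, b"kek-check", hashlib.sha256).digest()

    def _kek(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt,
                                   PBKDF2_ITERATIONS, dklen=32)

    def unwrap(self, password: str) -> Optional[bytes]:
        kek = self._kek(password)
        candidate = hmac.new(kek, b"kek-check", hashlib.sha256).digest()
        if not hmac.compare_digest(candidate, self.check):
            return None  # wrong password: nothing on disk yields the key
        return _xor(self.wrapped, kek)


def compare_designs(password: str = "correct horse battery staple") -> dict:
    """Run the same events against both designs and report whether each
    event ends with the caller holding the real data key."""
    data_key = os.urandom(32)
    a = AuthGatedKeyStore(password, data_key)
    b = PasswordDerivedKeyStore(password, data_key)
    return {
        "A_real_login_gets_key": a.release_key(a.authenticate(password)) == data_key,
        "A_wrong_password_gets_key": a.release_key(a.authenticate("hunter2")) == data_key,
        # Models a login layer that returns True without a valid password:
        "A_forced_verdict_gets_key": a.release_key(True) == data_key,
        "B_right_password_gets_key": b.unwrap(password) == data_key,
        "B_wrong_password_gets_key": b.unwrap("hunter2") == data_key,
    }


if __name__ == "__main__":
    for event, got_key in compare_designs().items():
        print(f"{event}: {got_key}")
```

Design A gives up the key whenever its verdict is True, which is exactly the property a bypassed authentication check exploits; design B has no verdict to force, so the only thing on disk an attacker can work with is the wrapped key, and each password guess costs a full PBKDF2 derivation rather than the single SHA-256 needed to test a guess against design A's stored hash. That cost gap is the practical content of the 8-character-password versus 20-character-passphrase comparison in the comment.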
    18. Re:Yes, why post this? by vux984 · · Score: 2, Informative

      You cannot disconnect a drive or even insert a USB key (during boot) with RDP. It's not the same at all.

      You are thinking at the wrong level. You can't do that from inside the -guest-. But you CAN do it from the -host-. And you -can- potentially access the -host- remotely. After all, vmware server 2's administration for example is web based...

      So if you hire some company to allocate you a VM and you run Windows 7 on it, and I can get remote control of the HOST, I now effectively have physical access to YOUR Windows 7 VM, including 'inserting a disk' (by mapping your CD-ROM to an ISO image) as it boots, in order to use this physical-access exploit.

    19. Re:Yes, why post this? by TheThiefMaster · · Score: 1

      However, having remote access to the host of a bunch of virtual machines would be the equivalent of physical access to those virtual machines. You can change the mounted media, reboot them...

    20. Re:Yes, why post this? by Anonymous Coward · · Score: 0

      In today's Virtual world, physical access to the machine doesn't mean meatspace access.

      You have no clue what you are talking about.

      Physical access always means "meat space" access. Always. True in today's virtual world if you remotely exploit a host machine that happens to be running a virtual machine and then infect the virtual machine so the virtual servers running on the virtual machine are now compromised, you're correct. However, that host machine you remotely exploited can't have this attack performed on it if you can't physically access it. And if your network and physical machines are hardened so remote exploits can't happen, then your virtual machine can't be compromised, meaning your virtual servers are safe as well.

      Physical access is something you can only protect against with physical measures. If someone gains physical access to your machine, as the OP stated, all bets are off.

      As stated in the summary this exploit cannot be performed remotely and you must have physical access to the machine, so if you can't gain physical access to the machine, you can't compromise it with this exploit.

      dumbass

    21. Re:Yes, why post this? by Anonymous Coward · · Score: 0

      You cannot disconnect a drive or even insert a USB key (during boot) with RDP. It's not the same at all.

      Since when is 'Insightful' moderation another word for 'Factually Incorrect'?

      Of course you can with virtualization! That is the whole point.

      You simply log in to the host, and either type the commands or click in the GUI to place a 'usb stick' in the guest systems USB port, and tell it to either use a real USB device on the host, a raw file, or some device over the network. The guest OS sees this as a USB drive just being inserted.
      All of this is done without physically touching a computer anywhere (unless of course you had to put the USB drive in the host system before using software to hand it to the guest OS).

      If inserting a USB drive is not considered physical access in the scope of an attack, then why are you concerned about physical access at all?

    22. Re:Yes, why post this? by Matheus · · Score: 2, Insightful

      Not that I really like cheering for M$ BUT what I take away from this article is that if these people are resorting to "physical-access" attacks to break Windows 7 then maybe it has a chance of being a decently secure OS.

      I can always hope :)

    23. Re:Yes, why post this? by Ironica · · Score: 1

      Thanks. The problem with "preview" is that the brain tends to read what it thought it wrote, rather than what it actually did write. It is my hope that Slashdot would allow post-preview editing at some point. Ah, well.

      Or perhaps someone just needs to invent the right virus for Slashdot.

      --
      Don't you wish your girlfriend was a geek like me?
    24. Re:Yes, why post this? by Anonymous Coward · · Score: 0

      With the proliferation of cloud-based applications, it's only a matter of time before someone offers a browser-based virtual desktop in the cloud.

      They already have. http://icloud.com

    25. Re:Yes, why post this? by Anonymous Coward · · Score: 0

      Well, duh! Prior to this exploit, did you really think you didn't need to trust your virtual hosting provider? If an attacker controls your VM host they can do anything, including sniffing the keys for your encrypted drives.

      Don't put anything you care about on a VM hosted by someone else.

    26. Re:Yes, why post this? by Anonymous Coward · · Score: 0

      There are a number of web based tools that allow for remote connection of a floppy or usb device.

      ILO management for servers from Sun, Dell, HP, etc.

      VMware

      3rd party services like Lindos.

      This is indeed a real threat, especially when coupled with remote power management.

      In this case, UNIX style kernels are frequently much more vulnerable because they allow for booting into an unprotected root shell in single user mode.

    27. Re:Yes, why post this? by Anonymous Coward · · Score: 0

      Lots of computers are exposed to physical attack but not thought about because who has the time to hack a computer in a cube in the middle of the bank. Especially since you'd be on tape.

      But, say you sit down to ask about an account... Maybe interest rates? OK, have a good day. And then leave. Unknown to the bank, you just stuck in a bootable USB drive hacked up with a rootkit to boot, load the current OS in a virtual box and turn control over to you.

      It shouldn't take effect till the next time the computer is rebooted, sometimes days; could be the next day or a week from now. Maybe a random count of boots? Who's gonna notice, and at what time do you look on the footage?

      Drawback might be if they have active security watching customers on video, but my local bank seems to be run by a bunch of putzes. So really, they probably just go back to a tape deck.

      Anywho... After the computer is reporting back, wait x days to review information you've gained, maybe keys logged, etc......

      Only way I could think to stop this is to epoxy the USB ports.

      I've seen some USBs that look like small little nubs or plugs that a normal bank person might miss if it is in the back of the computer. And most computers are oriented back into the corner or wall so that the customer cannot see screens being pulled up by operators... etc..etc..

      Now, I'm gonna post this AC, not because I'm doing it, but just in case someone already is and I'm not looking to be snitched on because "I knew too much" about the process.

      Computers are inherently insecure because of the humans that secure them. We are flawed in our trust/assumptions, therefore the security will be flawed.

      ---
      I'd rather have a bottle in front of me...

    28. Re:Yes, why post this? by Anonymous Coward · · Score: 0

      that's still meat-presence.

      someone also has to assess what should/can be stored remotely in this case (and I think you would agree)

    29. Re:Yes, why post this? by Anonymous Coward · · Score: 0

      You cannot disconnect a drive or even insert a USB key (during boot) with RDP. It's not the same at all.

      You are not quite correct.

      The correct way to say this is:
      You cannot disconnect a physical drive or even insert a physical USB key

      Imagine this setup. I run a server that hosts 12 virtual machines. If I want to "insert a USB key" into one of those 12 virtual machines, I don't plug a USB key into my server. I use the VM software to fool the virtual machine into thinking I inserted one.

      Much like using a virtual CD or DVD.

      The point being, if the machine is a virtual one, then "physical" access to the virtual machine can be obtained by gaining remote access to the server which hosts it.

      I will agree there are a few things that can only be done in a true physical fashion, like pulling ram sticks before they lose their memory, but those are pretty esoteric.
      99% of methods that require physical access to a physical machine can be simulated perfectly if you have remote access to the underlying system running a virtual machine.

      So ya, it's still a big deal.

    30. Re:Yes, why post this? by AI0867 · · Score: 1

      A three-tier architecture?

    31. Re:Yes, why post this? by TheMMaster · · Score: 1

      "Buzzword compliant" and/or "useless"

      --
      Fighting for peace is like fucking for virginity
    32. Re:Yes, why post this? by AniVisual · · Score: 1

      With the proliferation of cloud-based applications, it's only a matter of time before someone offers a browser-based virtual desktop in the cloud. Once someone hacks into some server up there, they have physical access to the machines for all intents and purposes.

      You're looking at G.ho.st or EyeOS.

    33. Re:Yes, why post this? by BunnyClaws · · Score: 1

      How do you decrypt the disk with just Windows authentication? Even if WIL is enabled (which I don't recommend) you still have to provide 2 separate sets of checkpoint credentials to decrypt a hard disk with check point.

      --
      "Anything tastes good if you deep fry it."
    34. Re:Yes, why post this? by Bigjeff5 · · Score: 1

      Just bypass the authentication and you get the key. I KNOW this is the case for Checkpoint WIL disk encryption.

      Got any citations for this? I've tried to find cases where Checkpoint was bypassed in this manner, and failed.

      I did find a case where some security professionals confused a single-boot bypass flag - which had to be set with cryptographic access to the system - with a "backdoor". It even popped up here on Slashdot. In fact it is a necessary tool for remote administration of encrypted drives, and the only reason it is in place is because corporations purchasing the software demanded it. It puts the data at risk for a single boot, which means the risk of actually getting caught by this feature is absurdly low compared to the benefits. Someone would have to be sitting, waiting for the system to shut down from a remote-administration process which they knew in advance required such a reboot, then grab the system while it is powered down to take advantage of the bypass flag and access the system. Also, this bypass option can be completely disabled if that small risk is still too high.

      I did a little reading on Checkpoint's WIL option (it is just an option, by the way), and as I suspected their WIL feature integrates with Windows authentication, it doesn't rely on it. The disk is still encrypted 100% pre-OS boot, they simply structured the authentication in such a way that you don't have to enter your password twice. The documentation doesn't specify, but more than likely the WIL feature simply passes the Checkpoint logon information on to Windows authentication (you can do that, you know).

      This means that changing or bypassing the user's password is not possible without cryptographic access to the disk. If you attempt to boot to a CD to change the password, you simply won't be able to read the disk at all, let alone change anything. Changing the password would require you to have already authenticated, which means you've probably got a trojan on there, in which case why in the world are you bothering with breaking the encryption? Just move the data off over the nets! Obviously you have remote access, or there would be no trojan.

      Also, Checkpoint assumes that a knowledgeable, trained security professional - who weighs the risks and rewards of each configuration option - is setting up the system. If it's just joe user configuring it, or even Bob "the IT guy", all bets are off.

      --
      Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
    35. Re:Yes, why post this? by Anonymous Coward · · Score: 0

      Ta-dah! They have control of it!

      Oh my god, not that Windows 95 login sound again...

    36. Re:Yes, why post this? by ToasterMonkey · · Score: 1

      Well, for one thing, javascript isn't putting databases or storage on the client, maybe you mistyped that.
      I love to pull this quote out when talking about Web 1/2/3/4/5/6 whatever.
      Try to think if it applies more to Web 2.0, or whatever your idea of Web 3.0 is.

      Soon every desk will have a computer on it. Software to do mundane things such as payroll, mail, and text processing exists and as a by-product produces vast quantities of on-line information. Many users want to manipulate this data, often in unanticipated ways. These unexpected uses cannot justify substantial programming costs. This paper argues that the relational data model and operators combined with a screen-oriented forms design and display system answers many of the needs of such users. In such a system, all data are represented in terms of records and fields. The user defines the screens (forms) he wants to see, and then specifies the mapping between fields of these screens and fields of the data base records in terms of predicates and relational operators.

      Could user defined views to remote data be our Web 3.0? Who knows.

      Copyright © 1981 D. Reidel Publishing Company. Originally appeared as a chapter of "Data Base Management and Applications", Andrew Whinston Ed., D. Reidel Publishing, 1981

      That's my favorite part. The Internet is such a baby. I'm way too young to know it first hand, so I read old computer literature. It's interesting how all this remote application stuff has already been done, and bugs ironed out long ago, while we basically reinvent stuff over and over.

    37. Re:Yes, why post this? by Anonymous Coward · · Score: 0

      In that case, your security problem is with the HOST, not the windows 7 VM. Right?

    38. Re:Yes, why post this? by vux984 · · Score: 1

      that's still meat-presence.

      How so?

    39. Re:Yes, why post this? by vux984 · · Score: 1

      In that case, your security problem is with the HOST, not the windows 7 VM. Right?

      Absolutely.

      And it should be obvious that if the host is compromised remotely, then the VMs are totally and completely vulnerable, as if the attacker had physical access to the VMs.

      This should be pretty obvious really if you think about it... I'm just connecting the dots for the people that haven't.

    40. Re:Yes, why post this? by AmiMoJo · · Score: 1

      It is unfortunately not that simple any more. There are two attacks someone with physical access can make on a machine if it is booted up (or even in sleep mode) when they get to it.

      The first attack uses Firewire to gain access to the computer's memory. Firewire allows devices to DMA data directly into and from RAM, and on Windows at least that means any Firewire device has full access to RAM. I have seen devices that make use of this being used by police to save a copy of the machine's RAM before turning a PC off and taking it away. Since the encryption key is in RAM, they have a copy of it and can decrypt the HDD. Disabling the Firewire port in the Device Manager prevents this kind of attack.

      The second attack again focuses on RAM. You reboot the computer and then boot a special Linux distro which saves the contents of RAM (it is not wiped on reboot if you just hit the reset button), or you pull the power cord and physically remove the RAM to another computer (the contents will survive without power for a few minutes, especially if the RAM is cooled down with something like compressed air). The former attack can be somewhat mitigated by making the BIOS do a full RAM test on boot which will wipe it completely, but the latter is much harder to deal with.

      TPM (the Trusted Computing chip) does provide safeguards against this by storing decryption keys in a secure section of RAM on the chip itself, but unfortunately it's not well supported currently.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    41. Re:Yes, why post this? by mangobrain · · Score: 1

      Your point 1 is VERY wrong. Cracking an 8-character password when given access to the hash is much much much much easier than cracking a 20-character encryption passphrase or a smartcard-based encryption system.

      Then the problem is that you have a sh*t user authentication system, which is something that should be fixed no matter what.

      Furthermore, a crypto system which relies on Windows authentication to cough up the crypto key does not even require knowledge of the password. Just bypass the authentication and you get the key. I KNOW this is the case for Checkpoint WIL disk encryption.

      Do you really? If I were to log into a Windows box as administrator and use this fact to run a shell impersonating another user, would this decrypt their stuff for me (i.e. no hacking or cracking involved), or by "bypassing" do you actually mean getting through the login process without entering the real password, e.g. replaying a previous handshake? Again, if the latter is the case, the problem is a sh*t user authentication system.

      True, if you know a particular OS's authentication system uses weak hashes, or is vulnerable to replay attacks, or <insert vulnerability here> perhaps you shouldn't design crypto systems for that OS which integrate with it. But that's a problem with that OS, not with the very idea of integration.

      Some disk encryption solutions, such as Checkpoint, rely on windows authentication to decrypt the disk. If this can be bypassed easily, it makes this disk encryption worthless.

      To rephrase my initial point:

      • If software chained on to the user authentication process doesn't require valid credentials from that process in order to decrypt, that software is crap. By "require" I mean the data is required for the cryptography to function, not just a software check that it is present.
      • If the user authentication process can be subverted - i.e. you can "log in" without knowing the password in a way that still presents valid credentials to software further down the chain, or even strong passwords are easily cracked (e.g. weak hashing) - then the user authentication process is crap.

      I don't know for definite that the Windows 7 authentication process satisfies these requirements, or that Checkpoint's decryption solution satisfies these requirements, because I don't have copies of them and am not a security researcher/cryptanalyst. But even if they don't, that doesn't make the whole concept bogus - it makes this particular implementation bogus. Can you provide concrete evidence that the two pieces of software in question don't satisfy these requirements?
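
The distinction drawn in the two bullet points above (software that merely checks a credential before handing out a stored key, versus software for which the credential is cryptographically required to produce the key), as an added example that is not from this thread or from any product named in it. The toy cipher, the `CheckGatedVolume` and `DerivedKeyVolume` classes, the patched `logged_in` flag and the sample plaintext are constructed assumptions for illustration, not Check Point's or Windows' actual design.

```python
import hashlib
import hmac
import os

# Toy authenticated encryption: HMAC-SHA256 counter-mode keystream plus an
# HMAC tag. A constructed stand-in for a real cipher so the example runs on
# the standard library alone; not any product's on-disk format.
def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    nonce = os.urandom(12)
    stream = _keystream(key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key: the data stays unreadable
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class CheckGatedVolume:
    """Design 1 (constructed): the real key is stored on disk under a fixed
    constant and handed out once a boolean says the user logged in. The
    credential is only checked, never used by the cryptography."""

    WRAP = b"\x5a" * 32  # constant baked into the loader, so not a secret

    def __init__(self, password, data):
        self.password_hash = hashlib.sha256(password).digest()
        key = os.urandom(32)
        self.wrapped_key = bytes(a ^ b for a, b in zip(key, self.WRAP))
        self.blob = encrypt(key, data)
        self.logged_in = False  # the state that an in-memory patch can flip

    def login(self, password):
        self.logged_in = hashlib.sha256(password).digest() == self.password_hash
        return self.logged_in

    def release(self):
        if not self.logged_in:
            return None
        key = bytes(a ^ b for a, b in zip(self.wrapped_key, self.WRAP))
        return decrypt(key, self.blob)


class DerivedKeyVolume:
    """Design 2 (constructed): the key exists only as PBKDF2(password, salt).
    There is no stored key and no flag to flip; a wrong password yields a
    wrong key and the tag check fails."""

    ITERATIONS = 100_000

    def __init__(self, password, data):
        self.salt = os.urandom(16)
        key = hashlib.pbkdf2_hmac("sha256", password, self.salt, self.ITERATIONS)
        self.blob = encrypt(key, data)

    def unlock(self, password):
        key = hashlib.pbkdf2_hmac("sha256", password, self.salt, self.ITERATIONS)
        return decrypt(key, self.blob)


def compare_designs(password=b"correct horse", wrong=b"guess"):
    """Run both designs over the same constructed plaintext and report which
    cases recover it. The flag patch models the "bypass" the thread debates:
    the check is skipped, no password is ever known."""
    secret = b"constructed sample: payroll.xlsx contents"
    gated = CheckGatedVolume(password, secret)
    derived = DerivedKeyVolume(password, secret)
    results = {}
    gated.login(wrong)
    results["gated_wrong_password"] = gated.release() == secret
    gated.login(password)
    results["gated_right_password"] = gated.release() == secret
    gated.login(wrong)
    gated.logged_in = True  # check subverted: stored key comes out anyway
    results["gated_flag_patched"] = gated.release() == secret
    results["derived_right_password"] = derived.unlock(password) == secret
    results["derived_wrong_password"] = derived.unlock(wrong) == secret
    return results


if __name__ == "__main__":
    for case, recovered in compare_designs().items():
        print(f"{case:24s} data recovered: {recovered}")
```

The only case in which the second design gives up the data is the one with the right password; in the first design the check is a single boolean between an attacker and a key that was on disk all along.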

    42. Re:Yes, why post this? by mangobrain · · Score: 1

      Your point 2: encrypted disks tend to be an issue with laptops, where they are stolen quite often. In this most common scenario, keyloggers don't enter into it.

      Crypto is only as good as the weakest link.

      Physical access != stealing. The OP stated that physical access means all bets are off - I may decide to insert a hardware keylogger into your laptop and come back later, rather than run off with it there and then. AFAICS, the OP's point still stands, you just have to think beyond naive assumptions.

    43. Re:Yes, why post this? by Anonymous Coward · · Score: 0

      But you wouldn't need to, because the host can just read the entire memory content of the guest. No amount of guest OS trickery will stop that.

    44. Re:Yes, why post this? by jonadab · · Score: 1

      > physical access to the machine doesn't mean meatspace access.

      Actually, for security purposes, it still does. If the access is via the network, that's "remote access", and if the exploit worked under those circumstances we would classify it as a remote exploit.

      > virtualized desktops by using small desktop boxes and low-end PCs
      > to connect to PCs in the datacenter over either RDP or other
      > proprietary protocols. With the proliferation of cloud-based
      > applications, it's only a matter of time before someone offers
      > a browser-based virtual desktop in the cloud. Once someone hacks
      > into some server up there, they have physical access to the
      > machines for all intents and purposes.

      You should write movie scripts. The above paragraph sounds exactly like something a movie character would say, and then their screen would show the words "Hacking the cloud" and a progress bar.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    45. Re:Yes, why post this? by jonadab · · Score: 1

      > So if you hire some company to allocate you a VM and you run Windows
      > 7 on it. And I can get remote control of the HOST, I now effectively
      > have physical access to YOUR Windows 7 VM.

      One word: Duh.

      Obviously, control of the host system implies control of any guest VMs that it hosts. This is not news.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    46. Re:Yes, why post this? by mhall119 · · Score: 1

      Well, for one thing, javascript isn't putting databases or storage on the client, maybe you mistyped that.

      This is something introduced in Firefox 3, and I think other browsers are going to do the same.

      --
      http://www.mhall119.com
    47. Re:Yes, why post this? by Lord+Ender · · Score: 1

      Naive assumptions? Ha! You clearly have no actual experience in IT security.

      Stolen laptops are the #1 cause of these incredibly expensive data breach notifications. In the real world, they are grabbed from the car and make their way to the black market. That's the primary threat being protected against with disk encryption, unless we are talking about military secrets.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    48. Re:Yes, why post this? by Lord+Ender · · Score: 1

      Not with Checkpoint WIL. It's not even real encryption, just obfuscation. You press power, some little bootloader de-obfuscates the drive (with NO PASSWORD ENTRY REQUIRED!) and you get the Windows login screen, which can be bypassed by fiddling with memory.

      http://www.infosecblog.org/2008/03/firewire-attack-against-points.html

      That doesn't stop them from selling it to PHBs as encryption, though.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    49. Re:Yes, why post this? by Lord+Ender · · Score: 1

      http://www.infosecblog.org/2008/03/firewire-attack-against-points.html

      WIL is snake-oil. It's not encryption. Where is the crypt key stored? That's right, on the damn hard disk, protected by nothing but the power button to kick off the decryption. 1-bit encryption. You press power and the disk decrypts with no password required. You then get the Windows login screen, which can be bypassed by memory alteration--using firewire DMA or, in this case, virtualization to breeze by.

      And the salesguys sell it to management as being SO EASY for users, they don't even know it's there... then when the "trained security professional" says "this is a scam, we need real pre-boot passphrase authentication" management says "that's not what we bought, make it work how the sales guy showed us."

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    50. Re:Yes, why post this? by Lord+Ender · · Score: 1

      https://secure.dshield.org/diary.html?storyid=4133

      The specific implementation is: Checkpoint disk encryption with Windows Integrated Login and pre-boot authentication disabled. I know for a fact that this is widely deployed in very large organizations, and that it can be bypassed with a memory alteration attack (to get around Windows login).

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    51. Re:Yes, why post this? by Anonymous Coward · · Score: 0

      someone has physical control of the machine,

      Yep ANY! machine can be rooted with physical access. This is why Data Centers are all locked up and guarded.

    52. Re:Yes, why post this? by mangobrain · · Score: 1

      From that link:

      This attack is made possible because the operating system on the computer loads and boots directly into Windows without first asking for a Pointsec ‘preboot authentication’ password. Normally, with whole disk encryption, a user is required to enter a password immediately upon turning the machine on. That password is what unlocks the decryption key and allows the rest of the operating system to load and execute. This FireWire attack would not be successful in that case, because the attack requires that Windows already be up and running. In the circumstance of a properly configured encrypted computer, a stolen system that is powered off would be well protected from unauthorized access and this type of attack.

      From my previous post:

      If software chained on to the user authentication process doesn't require valid credentials from that process in order to decrypt, that software is crap. By "require" I mean the data is required for the cryptography to function, not just a software check that it is present.

      They are describing a gross misconfiguration here IMHO.

    53. Re:Yes, why post this? by BunnyClaws · · Score: 1

      Ok, I understand where you are coming from now. When you said it decrypts, I understood it as Checkpoint relied on Windows authentication to execute the decryption. You are referring to bypassing the process completely, similar to the freezing memory hack. In that case you are correct. Which is a big reason why I would recommend not utilizing WIL.

      --
      "Anything tastes good if you deep fry it."
    54. Re:Yes, why post this? by Lord+Ender · · Score: 1

      They sell it with this feature/misconfiguration.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  4. Who cares? by Sj0 · · Score: 4, Insightful

    Rule 1 of computers is, if someone has physical access to your machine, it has already been compromised. I always design my security around this fact, and if a machine needs to be secure against attack, it will be physically secure.

    --
    It's been a long time.
    1. Re:Who cares? by Andy+Dodd · · Score: 1

      It is possible to design a machine that is secure even from someone who has physical access, but doing so is expensive and involves compromises in usability that normal users would never accept. (Of the "you no longer own your own machine" kind.)

      --
      retrorocket.o not found, launch anyway?
    2. Re:Who cares? by Sj0 · · Score: 1

      Please elaborate. I can't think of any way you could use current technology to make a device that no attacker could access, given a sufficient amount of time and resources.

      --
      It's been a long time.
    3. Re:Who cares? by Chlorine+Trifluoride · · Score: 1

      He was probably talking about TC.

    4. Re:Who cares? by immakiku · · Score: 1

      It's also a balancing act. I don't want everyone in my household to easily have access to my computer without knowing my password. Doesn't mean I expect my computer to be 100% screwdriver proof.

    5. Re:Who cares? by tepples · · Score: 1

      I can't think of any way you could use current technology to make a device that no attacker could access

      The BIOS is encrypted with a key stored in a PROM on the CPU, and the BIOS checks the digital signature of each file that it loads. Any piece of code without a certificate chain leading up to the platform publisher doesn't get executed.

      given a sufficient amount of time and resources.

      The expenditure of time and resources indicates 1. possession of cash and 2. intent to compromise a system, both of which make you more likely to extract a large award of damages from an attacker in a court of law.

    6. Re:Who cares? by antifoidulus · · Score: 1

      Not really, full disk encryption along with BIOS security does provide a pretty good defense against attackers with physical access. Now granted if they are standing in your office I guess they could just beat you over the head with your motherboard until you tell them the password but....

    7. Re:Who cares? by SydShamino · · Score: 1

      Machine has only an ethernet port and a power port, no other ports exposed. Internally, machine has been potted with a material that chemically bonds to both IC plastic and soldermask, so that removing the material would physically damage both the PCB and components.

      Internal battery with >20 yr life monitors integrity of case panels in multiple redundant points, and arcs and melts flash if any disturbance is noted.

      So yeah, you're right. Given sufficient time and resources such a machine would be broken in a way that preserved the internal data. But "sufficient time" could be a very, very long time. It would likely be more efficient to power it up and try to hack the software through the exposed ethernet port. And that's no different whether the attacker had physical access or not.

      --
      It doesn't hurt to be nice.
    8. Re:Who cares? by RiotingPacifist · · Score: 1

      BIOS password set
      BIOS set to only boot off HDD
      secure OS
      grenade inside case to deal with physical tampering

      Alternatively FDE works well unless the computer is stolen while on (you may even be able to get some sort of card to wipe the ram using a battery when the case is opened)

      --
      IranAir Flight 655 never forget!
    9. Re:Who cares? by Anonymous Coward · · Score: 0

      My MCSE instructor always mentioned a method that employed epoxy...

    10. Re:Who cares? by TheLink · · Score: 1

      If an attacker has physical access they can plant physical keyloggers, mikes, cams, sensors, etc in so many possible places it is NOT funny.

      Each key on a keyboard tends to make a distinct and different sound compared to other keys.

      So you can encrypt your drive for all you want, they can just copy everything, and then get your passphrase.

      Maybe if you need a hardware token, but be careful to ensure the attacker can't derive the final key used to decrypt the data e.g. if you use something on a usb drive you have to prevent the attacker from successfully tampering with your usb ports.

      --
    11. Re:Who cares? by cayenne8 · · Score: 1
      "The expenditure of time and resources indicates 1. possession of cash and 2. intent to compromise a system, both of which make you more likely to extract a large award of damages from an attacker in a court of law."

      Unless you are a three letter govt. agency.

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    12. Re:Who cares? by Sj0 · · Score: 1

      Or physical keylogger, or hidden camera, or the fact that they wrote the password on a piece of paper they taped to the desk.

      It's funny that everyone is telling different ways you could physically secure the machine (Except for the one guy who described the xbox).

      --
      It's been a long time.
    13. Re:Who cares? by Sj0 · · Score: 1

      Or a home invader wearing a mask so he's not caught.

      --
      It's been a long time.
    14. Re:Who cares? by Anonymous Coward · · Score: 0

      Rule 1 of computers is, if someone has physical access to your machine, it has already been compromised

      That is Rule 1?

      I always thought that Rule 1 would be "Is it plugged in?" or "have you connected the monitor and keyboard?"

      Plus... all of my co-workers have physical access to my machine (I do have to go to the bathroom every now and then)... so you're saying that my machine IS definitely compromised? Great... I gotta go talk to the boss now about getting a new one.

    15. Re:Who cares? by chaim79 · · Score: 1

      I can think of methods using current technology, but not using current designs.

      Hardware encryption chip, with the encryption key burned into the chip itself and completely internal to it. Several of these sprinkled in the cores of the CPU/North bridge/South bridge so anything not in the processor itself is encrypted (RAM, Hard Disk, etc). There will be a system slowdown due to the encryption and decryption going on, but it will be resilient to most physical access techniques. And if the hardware is integrated into the CPU chip itself taking it out and analyzing it will be almost impossible without causing physical damage.

      About the only exploits you could make against such a system would be to physically dismantle the CPU in order to figure out the key/algorithm in use, or brute-force the encryption using a huge super-computer/cluster.

      I wouldn't be surprised if NSA/CIA would have such laptops running around, of course, only with agents who have been trained to resist torture... (cue XKCD links).

      --
      DEMETRIUS: Villain, what hast thou done?
      AARON: Villain, I have done thy mother.
      Shakespeare invents 'your mom'
    16. Re:Who cares? by Sj0 · · Score: 1

      If you don't trust your co-workers, then if they have physical access to your machine you should consider it compromised, yes.

      --
      It's been a long time.
    17. Re:Who cares? by Anonymous Coward · · Score: 0

      No, the GP said "if someone has physical access to your machine, it has already been compromised"
      nothing about trusting your coworkers there... a simple IF "A" THEN "B" statement
      I was just trying to poke a hole in it by saying (in a sarcastic way) "NOT B"...then it follows that "A" must be false.

    18. Re:Who cares? by inasity_rules · · Score: 1

      I assume you mean servers? Putting a grenade in the case of a desktop may make your users a little nervous. In fact even in servers, your sysadmin may decide to look for greener pastures. If the grenade was small enough not to damage the people, I doubt it would be big enough to kill a hard disk beyond recovery...

      --
      I have determined that my sig is indeterminate.
    19. Re:Who cares? by StikyPad · · Score: 1

      Was that comment directed at me? Are you implying you know it was me under the mask? Why would you think that?!? WTF, man, I don't know anything about your missing servers!!!

      I mean, uh.. Yeah. Masks.

    20. Re:Who cares? by Sj0 · · Score: 1

      From a security standpoint, your system is compromised if it's not physically secure. If you trust your co-workers, then it is secure in the office. If you don't, then it's insecure in the office, and your system is compromised, the same way a computer that's been hacked into will always remain compromised until you re-install because they can always keep backdoors behind.

      --
      It's been a long time.
    21. Re:Who cares? by Anonymous Coward · · Score: 0

      Please elaborate. I can't think of any way you could use current technology to make a device that no attacker could access, given a sufficient amount of time and resources.

      This technology has been around for a while.
      Hell, even Home Depot has tools that can guarantee that level of security:
      http://www.homedepot.com/webapp/wcs/stores/servlet/Navigation?storeId=10051&categoryID=501347&langId=-1&catalogId=10053

    22. Re:Who cares? by StikyPad · · Score: 1

      Unless it was INSIDE the hard disk, with the files.

    23. Re:Who cares? by Anonymous Coward · · Score: 0

      There is never enough time and resources in the real world unless you are backed up by an organization or a powerful customer.
      Especially if you have all your hard drive encrypted with AES-256

    24. Re:Who cares? by SL+Baur · · Score: 1

      Are you sure? Data was recovered off a disk inside Columbia when it went into the great bit bucket in the sky. http://science.slashdot.org/article.pl?sid=08/05/07/1834224

    25. Re:Who cares? by SL+Baur · · Score: 1

      It is possible to design a machine that is secure even from someone who has physical access, but doing so is expensive and involves compromises in usability that normal users would never accept.

      +1

      Put a substance inside that was explosive with oxygen, then vacuum seal the container or something like that as another poster mentioned. It would never fly. You'd never be able to sell those anywhere with anything remotely resembling product (or employee) safety laws. Even at the end of normal, useful life, disposal would be a nightmare.

      The only safe alternative I can think of would be to always boot from an unwritable, unchangeable fixed media and keep everything in volatile RAM, but no one is going to be happy with that.

      Not all that is possible is practical.

  5. To recap... by xmarkd400x · · Score: 2, Funny

    You need full, physical control of a computer running Windows 7 in order to get software access to it?

    1. Re:To recap... by mark_hill97 · · Score: 1

      You know this just sounds like it's a rip-off of teamviewer

  6. You mean like a bootable USB? by Anonymous Coward · · Score: 0

    Just have the initial virus/exploit write onto a bootable device, like a USB key - and then force a reboot. The user will just think "aww, crap, why'd it just reboot" - and you got em.

  7. A hack! by Anonymous Coward · · Score: 5, Insightful

    This is barely a hack. I can steal any car in the world. Give me the keys, some gas, and park it in my drive way. Watch me steal it with ease! HA!

    1. Re:A hack! by BobReturns · · Score: 1

      technically not theft at that point though...

    2. Re:A hack! by Anonymous Coward · · Score: 0

      You're forgetting if the wheel is locked or there is a steering wheel lock. But I'm paranoid so I always take the spark plugs with me too.

    3. Re:A hack! by MWoody · · Score: 1

      A more appropriate metaphor is parking it in your driveway, gassed up, without keys. Yes, you can pretty much assume you'll be able to remove the security systems and hotwire the thing eventually, but that's different from knowing someone could do it quickly, easily, and with an already available skeleton key.

  8. Boot from Live CD? by neilobremski · · Score: 5, Insightful

    If you boot from a Live CD, since you have physical access to the machine, isn't it essentially the same thing? I'm confused about how this is a vulnerability.

    --
    -- NeilO
    1. Re:Boot from Live CD? by rantingkitten · · Score: 2, Interesting

      I don't think their point was really about being able to control a machine to which you have physical access, because as you pointed out there are any number of ways to do that, on any operating system. But this is a little different -- you're not bypassing the OS somehow (as you would with a live CD, bootable USB, or whatever). Here, you're actually accessing boot files, which you shouldn't be able to do, and exploiting that. Also, they're pointing out that Microsoft makes idiotic assumptions -- like the one where the boot process itself is immune to attack. It's a dangerous and stupid assumption to make, and because of that, it looks like it was easy to take advantage of.

      Anyone have a writeup of the actual exploit? I checked nvlabs and the hackinthebox conference site and didn't see anything.

      --
      mirrorshades radio -- darkwave, industrial, futurepop, ebm.
    2. Re:Boot from Live CD? by Alsee · · Score: 3, Informative

      It's a 'vulnerability' in the sense that the idiots at Microsoft came up with this Trusted Computing notion that the computer is supposed to be secured against the owner.

      Trusted Computing, Digital Rights Management, the new Windows model for the operating system, it is considered a 'vulnerability' if the owner is able to take control of his own computer. Of course the Trusted Computing party line, and the way this article was written, is to call this anti-owner system a "security" system and to spin any attack on it as evil, but as virtually everyone here has already commented, this issue is about 'attacking' and gaining control over a computer you already physically control. And in general what 'attacker' already has physical control of the computer? The owner. An owner-attacker who wants to control his own computer, and override DRM or Trusted Computing lockouts against the owner. The entire new Windows driver model is that the owner is forbidden to run unapproved drivers, because such drivers could be used to break DRM or gain control of other Trusted Windows systems. If/when Windows does permit you to run unapproved drivers, it dumps you down into an unTrusted unprivileged state. As I recall, Windows Vista even locks you out of the entire Aero interface if you try to load an unapproved driver.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    3. Re:Boot from Live CD? by Anonymous Coward · · Score: 1, Interesting

      If you boot from a Live CD, since you have physical access to the machine, isn't it essentially the same thing?

      No, because the HD could be encrypted and if you want to steal the data you have to decrypt it first. With this method you don't need to decrypt anything.

    4. Re:Boot from Live CD? by Anonymous Coward · · Score: 0

      I fail to see how it's so idiotic. You have just pointed out how easy an almost equivalent end-product is, and it's not even tied to the OS. There's no way for MS to stop someone from booting from a Live CD. So, if it's something they can't stop, why spend extra effort blocking another useless point of entry? If they did secure it, you can get the same end result WITHOUT HACKING it. It's *MORE* difficult to do this than it is to use a Live CD. So, in what world is this really a security threat?

    5. Re:Boot from Live CD? by atamido · · Score: 1

      Exactly. In this case an administrator could have put a password on the BIOS, set it to boot from hard disk, and a padlock on the case. In most circumstances a system would be perfectly safe even if rebooting it. The idea of this is having access to a USB port and power cycling the machine results in a compromised system.

      That should never happen, and this is a pretty big vulnerability (despite all of the physical access == compromise comments).

    6. Re:Boot from Live CD? by atamido · · Score: 1

      Or maybe not. I should probably read the article.

    7. Re:Boot from Live CD? by Aqualung812 · · Score: 1

      I wish mod points didn't expire. Your point is the first one that gets to the real issue here. This isn't about stealing private data from a PC, this is about allowing the PC owner to take control away from Microsoft's DRM'ed OS.

      --
      Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
    8. Re:Boot from Live CD? by Ironica · · Score: 2, Informative

      If they did secure it, you can get the same end result WITHOUT HACKING it.

      No, you can't.

      The end result of this attack is a machine which is booted from the regular hard drive, in the user's usual account... but is *remotely* accessible.

      So, in your typical office environment with fairly pathetic physical security, you could slip in at 5:00 a.m., boot someone's computer with this doohickey, then leave. When they get to work in the morning, they think "Huh, thought I shut my machine down last night... oh well" and go on about their day. You capture every username and password they type, all the data they access... everything they do.

      It's a niche exploit, but it's not *totally* useless.

      --
      Don't you wish your girlfriend was a geek like me?
    9. Re:Boot from Live CD? by Hurricane78 · · Score: 1

      But why would I do that, when I can simply run a LiveCD, and change the files on the HDD?
      Or add a device inside the PC.
      Or just put something between his keyboard and PC, and use the gained password, to get remote access?
      Or just sit outside the window/room and record the keyboard input remotely, as shown in a previous /. post.

      I mean, if you have physical access and the system is not some super-secure system without input devices and a safe around it, then it's always already too easy. :)

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    10. Re:Boot from Live CD? by Hurricane78 · · Score: 1

      I know another way of doing that: Install Linux (or BSD, or MacOS X, or whatever you like).

      You know... you can still use vista/win7 on a second partition/disk, like you would use any other game system. Let it hibernate to disk, and just boot into it, when you wanna play a game (like MS Word ^^). You can also create two hardware profiles, so you can boot normally, or in a virtual machine, depending on how you need it.

      In fact, I'm doing this right now. (My bank's card-reader app does not support linux yet. [But soon, will.])

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    11. Re:Boot from Live CD? by rantingkitten · · Score: 1

      Well, if my machine has a physically locked case, a bios password, and will only boot from the hard drive, I'm reasonably safe against people trying to do an end-run around my OS with live CDs or USB keys. But now, with this little trick, an attacker can exploit the bootup of the operating system itself, without needing to even bother with all that other stuff.

      This exploit also gives them access to the encrypted contents of the drive, which a live CD or bootable USB key wouldn't.

      It's just not safe to "assume" the boot process is impervious to attack and let that be your "security" -- that's why I say it was idiotic.

      --
      mirrorshades radio -- darkwave, industrial, futurepop, ebm.
    12. Re:Boot from Live CD? by powerlord · · Score: 1

      Because popping in a USB key and letting the system boot, and then unplugging the USB key and walking away:

        - can be done relatively unobtrusively
        - does not demand lots of attention so you can keep an eye open and stay "hidden"
        - does not leave something behind for you to "clean up" later. If you want to erase the evidence that the machine is compromised, you have it reboot.

      Of course, this is just based on a guess that the system needs no user interaction to activate.

      --
      This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
    13. Re:Boot from Live CD? by Anonymous Coward · · Score: 0

      The best crackers don't fit the stereotypical antisocial type anyway. They're as good in social engineering as they are in smashing the stack.

    14. Re:Boot from Live CD? by ZeroZen · · Score: 1

      No. Windows vista does not turn off aero if you install unsigned drivers.

      If you're not using WDDM video drivers, you cannot run aero.

    15. Re:Boot from Live CD? by ZeroZen · · Score: 1

      To be fair, yes. Unsigned drivers will stop you from playing protected content, but you can sign these drivers yourself and then install them.

      I'm pretty sure, at least. I don't have any protected content to test this out on. Any thoughts?

  9. Critical information missing by drsmithy · · Score: 3, Insightful

    There's a rather important aspect of this that's not discussed - how does this code get onto the computer in the first place to be executed during boot?

    1. Re:Critical information missing by Sockatume · · Score: 2, Insightful

      A bootable CD-ROM that then boots the OS while performing the in-memory patching required to make the machine vulnerable.

      --
      No kidding!!! What do you say at this point?
    2. Re:Critical information missing by amliebsch · · Score: 3, Interesting

      Another important piece of missing information: was BitLocker turned on? Did this defeat the full-disk encryption? THAT would be a story. Otherwise, BFD.

      --
      If you don't know where you are going, you will wind up somewhere else.
    3. Re:Critical information missing by Sicarul · · Score: 2, Insightful

      If that's the case then it's as vulnerable as it would be if you let it boot any LiveCD, if booting from CD is disabled in the BIOS and it is protected by password this flaw isn't applicable... It isn't a serious flaw, how did this get to be a top story??

    4. Re:Critical information missing by Anonymous Coward · · Score: 0

      Because someone is trying to bury the story about the much more serious GNU flaw that allows ALL VM's to be compromised from a CPU hack, without physical access.

      It's shit like this that makes me feel embarrassed to actually use GNU. Even for LAMPs, let alone the stupid non-productive shit like spinning Compiz-Fusion cube desktop.

      OKAY, we get the fact that you LOVE GNU and you HATE WINDOWS. FFS move on with your life and stop wasting everyone's time.

    5. Re:Critical information missing by shutdown+-p+now · · Score: 1

      Another important piece of missing information: was BitLocker turned on? Did this defeat the full-disk encryption?

      Actually, the interesting question is: did this defeat BitLocker with TPM chip?

      Without some hardware support to ensure that all code is "verified", you can hack absolutely any OS like that, if you insert your own code to run before the OS bootloader.
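      As an added example (not code from the VBootkit authors or from Microsoft), the following is a software model of what "hardware support to ensure that all code is verified" buys you: every boot stage is hashed into a TPM-style PCR, a secret standing in for the BitLocker volume master key is sealed to the clean PCR value, and a VBootkit-style boot path (attacker code runs first, one stage is patched in memory) produces a different PCR, so the key stays sealed. The stage contents, the seal/unseal routines and the single PCR are constructed stand-ins; a real TPM does the policy check inside the chip. Whether the HITB demo was run against a TPM-backed BitLocker configuration is not stated on this page.

```python
"""Measured-boot model: a TPM PCR hash chain and a key sealed to it.
Added example; constructed stand-ins, not Microsoft's or the researchers' code."""
import hashlib
from typing import List, Optional, Tuple

PCR_RESET = bytes(32)  # a reset PCR in the SHA-256 bank reads as all zeroes

# Constructed stand-ins for the code a measured boot would hash; real
# measurements are hashes of the actual boot binaries as they are loaded.
CLEAN_CHAIN: List[bytes] = [
    b"MBR: jump to active partition",
    b"bootmgr: load BCD, verify and start winload",
    b"winload.exe: load ntoskrnl and boot drivers",
]

# A VBootkit-style boot path: attacker code runs first from removable media,
# then starts the normal chain while patching one stage in memory.
BOOTKIT_CHAIN: List[bytes] = [
    b"attacker boot code from CD/USB",
    b"MBR: jump to active partition",
    b"bootmgr: load BCD, verify and start winload [patched in RAM]",
    b"winload.exe: load ntoskrnl and boot drivers",
]


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: PCR_new = H(PCR_old || H(measurement)).

    The old value is folded in, so a stage cannot be skipped, replaced or
    reordered without every later PCR value changing as well."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_chain(stages: List[bytes]) -> bytes:
    """Extend one PCR with each boot stage in order and return the final value."""
    pcr = PCR_RESET
    for code in stages:
        pcr = pcr_extend(pcr, code)
    return pcr


def seal(secret: bytes, expected_pcr: bytes) -> Tuple[bytes, bytes]:
    """Software stand-in for TPM sealing: encrypt under a key derived from the
    PCR value the secret is bound to and record that policy digest."""
    if len(secret) > 32:
        raise ValueError("model supports secrets of at most 32 bytes")
    key = hashlib.sha256(b"seal-kdf|" + expected_pcr).digest()
    policy = hashlib.sha256(expected_pcr).digest()
    ciphertext = bytes(s ^ k for s, k in zip(secret, key))
    return policy, ciphertext


def unseal(blob: Tuple[bytes, bytes], current_pcr: bytes) -> Optional[bytes]:
    """Return the secret only if the current PCR matches the sealing policy."""
    policy, ciphertext = blob
    if hashlib.sha256(current_pcr).digest() != policy:
        return None  # measurements differ: the key stays sealed
    key = hashlib.sha256(b"seal-kdf|" + current_pcr).digest()
    return bytes(c ^ k for c, k in zip(ciphertext, key))


def bitlocker_demo() -> Tuple[Optional[bytes], Optional[bytes]]:
    """Seal a constructed VMK to the clean boot; try to unseal on both boot paths."""
    vmk = b"volume master key (constructed)"
    blob = seal(vmk, measure_chain(CLEAN_CHAIN))
    return (unseal(blob, measure_chain(CLEAN_CHAIN)),
            unseal(blob, measure_chain(BOOTKIT_CHAIN)))


if __name__ == "__main__":
    clean, attacked = bitlocker_demo()
    print("clean boot unseals VMK:  ", clean is not None)
    print("bootkit boot unseals VMK:", attacked is not None)
```

      The point of the chain is in `pcr_extend`: the bootkit does not need to be detected by any signature, it merely has to exist in the measured boot path for the PCR, and therefore the unsealing policy, to differ. This only helps if the disk key really is bound to the measurements (BitLocker with a TPM protector) rather than unlocked by a password alone, and it says nothing about code that alters memory after the measurements have been taken.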

    6. Re:Critical information missing by noppy · · Score: 1

      Social engineering. Tell him its a CD with pr0n that will show up during reboot.

  10. Nothing to see here move along! by 140Mandak262Jamuna · · Score: 1

    You need physical access to the machine. Can't be done remotely. So nothing new.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  11. No big news. by Anonymous Coward · · Score: 0

    If you give me physical access to a Linux machine, I can have it doing as I please faster than Vista.

  12. Re:YOU weren't posting, ken dawson was by negRo_slim · · Score: 1, Funny

    Having physical access to the box kind of takes away all the fun...

    --
    On the Oregon Cost born and raised, On the beach is where I spent most of my days
  13. sheeeet, negro. that's all you had to say! by gandhi_2 · · Score: 5, Funny

    This is contrasted with Mac OSX which uses a combination of Gracie-style Brazilian Jiu Jitsu, Hapkido, and oratorical prowess to keep would-be haxors at bay while the police are en route. Or the Linux lack of social skills which avoids "physical access" altogether.

    1. Re:sheeeet, negro. that's all you had to say! by bennomatic · · Score: 1

      This is why I only use a punch-card-based CP/M system.

      --
      The CB App. What's your 20?
    2. Re:sheeeet, negro. that's all you had to say! by RoboRay · · Score: 2, Funny

      Are you kidding? All I need to hack your system is a razor blade and a roll of masking tape!

  14. Re:I cannot believe it... by gnick · · Score: 5, Insightful

    OK, I'm not a Mac guy so I can say nothing about it. I've also not used Windows 7.

    But, really. If you give me physical access to damned near any Windows or Linux machine, it's owned. And there are a lot of people out there a helluva lot better than me.

    Sure, I won't be able to crack your encrypted archives. Nor your well-protected stored passwords. But hacking root/admin with physical access to the box isn't rocket science. Actually, it's much tougher with Vista than any Linux distro I've run into.

    --
    He's getting rather old, but he's a good mouse.
  15. Mindless bashing by Anonymous Coward · · Score: 2, Insightful

    I'm as anti-Microsoft as the rest of you (at least the intelligent folk), but are you all seriously claiming that Linux or Unix distros are immune to tampering with the boot partition?

    I would assume the only way to be immune against this type of attack would be encrypting the system partition, and a "bootkit" as they seem to be calling it that is aware of encryption may even be able to deal with that.

    What's the story here again? That booting into a secondary OS gives you full control of data on an unencrypted hard drive?

    1. Re:Mindless bashing by Svartalf · · Score: 1

      Well, this one wires itself into the OS (In order to be useful, it kind of has to...)- so it'd be difficult to get a wide-spanning variant of this going, but a targeted one could actually zap any device in existence. You'd just have to target specific OSes in the x86 space, you'd have to figure out how to zap uboot and redboot stuff by remote, etc.

      While I'm not going to say that it'd be impossible (It's not and it IS serious...)- only X86 systems would be easily targetable but they'd have to have 3 or so custom versions of the thing to make any impact. And, it'd be one of the only instances of something that I'd be concerning myself with on Linux. Most of the other stuff can't get good traction.

      I would not say "mindless bashing"- it's just that the researchers in question did it to Vista, which is supposed to be "more secure" than this... :-D

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
    2. Re:Mindless bashing by Murpster · · Score: 1

      are you all seriously claiming that linux or unix distros are immune to tampering with the boot partition?

      Yes, of course! My Linux system achieved sentience a few kernel builds ago, and I've trained it to electrocute anybody but me who tries tampering with it.

    3. Re:Mindless bashing by LordLimecat · · Score: 1

      You're missing the point; it's a rootkit that requires physical (i.e., above root) access to the machine in question. You could also plant a hardware keylogger, a rootkit BIOS, or a malicious bootloader. Is it unreasonable for Windows to assume the BIOS and hardware are not out to get them?

    4. Re:Mindless bashing by Svartalf · · Score: 1

      Excuse me...

      If you can write the MBR or to BIOS, you don't need physical access.

      The CURRENT PoC needs it, but the vectors to do it do NOT.

      The only people that missed the point here are the people that seized on the PoC's need for physical access.

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
    5. Re:Mindless bashing by rastos1 · · Score: 0

      are you all seriously claiming that linux or unix distros are immune to tampering with the boot partition?

      No. But Linux or Unix distros did not claim that DRM can protect against the owner. Well, MS did not claim it either (because that would be bad PR), but this is essentially what DRM is about: it should ensure that the system owner can do only approved actions with the content producer's data. That is what MS is attempting to deliver. And now it has been shown that it can't work.

      What's the story here again? That booting into a secondary OS gives you full control of data on an unencrypted hard drive?

      It gives an option to plant a rootkit on system featuring Trusted Computing Platform.

  16. Exploit that allows me control of all OSes by krzy123 · · Score: 1

    Get physical access to computer. Take computer.

  17. Re:YOU weren't posting, ken dawson was by VisualD · · Score: 3, Funny

    Also restarts kill it. This is Windows we're talking about here...

  18. In Soviet Russa... by XPeter · · Score: 1

    ...Windows 7 takes control of you!

    --
    "The difference between genius and stupidity is that genius has it's limits" - Albert Einstein
  19. pretty low on the spectrum by Anonymous Coward · · Score: 1, Insightful

    if it is a remote exploit that doesn't involve user interaction, I definitely want to hear about it (like homeland security's red=everybody panic)
    If it is a remote exploit that requires user interaction, I still want to hear about it (condition=orange)
    If it is a local exploit/privilege escalation that doesn't require root, it might be interesting (yellow)
    If it is a local exploit that requires root privileges, leave it off the front page.

    1. Re:pretty low on the spectrum by Svartalf · · Score: 1

      It's actually not as low as you'd think. They only need local access for the proof of concept.

      Think old-school boot-sector virus and you'd be thinking right. It's more of a new twist on that concept.

      Think "yellow" to "orange" in your analogy and you'd have it pretty close.

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
    2. Re:pretty low on the spectrum by Sockatume · · Score: 1

      Actually, it needs local access by necessity, unless you can think of a way to boot by removable media on someone else's computer remotely. A device which can network boot might be vulnerable, if the required packets could reach it.

      --
      No kidding!!! What do you say at this point?
    3. Re:pretty low on the spectrum by Anonymous Coward · · Score: 0

      Actually, it needs local access by necessity, unless you can think of a way to boot by removable media on someone else's computer remotely. A device which can network boot might be vulnerable, if the required packets could reach it.

      Actually, many managed servers from Dell, HP, IBM, etc can do that kind of thing (remote boot from remote floppy or CD).

      It's very handy for firmware updates and the like.

    4. Re:pretty low on the spectrum by SydShamino · · Score: 1

      Actually, it needs local access by necessity, unless you can think of a way to boot by removable media on someone else's computer remotely.

      Is there a way to turn this into a privilege escalation exploit? Assuming you had gained local privileges, could you then write this file to any CD burnt by the computer, or any floppy disk inserted (heh)? Then if the machine happened to boot with that in the drive, and the drive order happened to prioritize removable media first, you could gain root access.

      I'm sure there are still easier methods to get root access.

      --
      It doesn't hurt to be nice.
    5. Re:pretty low on the spectrum by Svartalf · · Score: 1

      Overwrite the MBR with your own after making a copy, placed somewhere else on the disk being attacked.

      Point it to the place you copied the original on the disk.

      Once done, you don't need physical access.

      If you've got an exploit or a trojan, you can conceivably do those things by remote.

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
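      The chained-MBR trick described above (replace sector 0, stash the original elsewhere, jump to it) leaves two things on disk that a forensic check can look for: boot code that no longer matches a known-good baseline while the partition table is untouched, and a second sector that still carries the original boot code and signature. The following is an added example, not the researchers' code; the "known good" MBR, the attacker's MBR and the 16-sector disk image are constructed test data, and the baseline is something you would have to record yourself when the machine was known clean.

```python
"""MBR integrity check for the chained-MBR bootkit pattern.
Added example with constructed test data; not code from the researchers."""
import hashlib
import struct
from typing import Dict, List, Tuple

SECTOR = 512
BOOT_CODE_END = 440      # bytes 0..439: boot code
DISK_SIG_OFF = 440       # bytes 440..443: NT disk signature, 444..445 padding
PART_TABLE_OFF = 446     # bytes 446..509: four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"   # bytes 510..511

Partition = Tuple[int, int, int, int]  # (boot flag, type, first LBA, sector count)


def build_mbr(boot_code: bytes, disk_sig: bytes, partitions: List[Partition]) -> bytes:
    """Assemble a 512-byte MBR image (helper for constructing test data)."""
    code = boot_code.ljust(BOOT_CODE_END, b"\x00")[:BOOT_CODE_END]
    # CHS fields are left zero; modern loaders use the LBA fields
    table = b"".join(struct.pack("<B3sB3sII", boot, b"\0\0\0", ptype, b"\0\0\0", start, size)
                     for boot, ptype, start, size in partitions).ljust(64, b"\x00")
    return code + disk_sig + b"\x00\x00" + table + BOOT_SIG


def parse_mbr(sector: bytes) -> Dict:
    """Split a sector into the fields that matter for an integrity check."""
    if len(sector) != SECTOR or sector[510:] != BOOT_SIG:
        raise ValueError("not an MBR: bad length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        boot, _chs, ptype, _chs_end, start, size = struct.unpack("<B3sB3sII", entry)
        if ptype:  # partition type 0 is an empty slot
            parts.append((boot, ptype, start, size))
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "disk_sig": sector[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
        "partitions": parts,
    }


def check_mbr(sector: bytes, baseline: Dict) -> List[str]:
    """Compare sector 0 against a baseline recorded when the system was clean."""
    cur = parse_mbr(sector)
    findings = []
    code_changed = cur["boot_code_sha256"] != baseline["boot_code_sha256"]
    table_changed = cur["partitions"] != baseline["partitions"]
    if cur["disk_sig"] != baseline["disk_sig"]:
        findings.append("disk signature changed")
    if table_changed:
        findings.append("partition table changed")
    if code_changed:
        findings.append("boot code changed")
        if not table_changed:
            # Swapping the loader while leaving the table alone is exactly what a
            # bootkit must do so the machine still boots the installed OS.
            findings.append("bootkit pattern: new boot code, partition table preserved")
    return findings


def find_mbr_copies(disk: bytes, baseline: Dict) -> List[int]:
    """Scan every sector after LBA 0 for a stashed copy of the original MBR."""
    hits = []
    for lba in range(1, len(disk) // SECTOR):
        s = disk[lba * SECTOR:(lba + 1) * SECTOR]
        if s[510:] == BOOT_SIG and \
                hashlib.sha256(s[:BOOT_CODE_END]).hexdigest() == baseline["boot_code_sha256"]:
            hits.append(lba)
    return hits


# --- constructed sample: one bootable NTFS partition, a 16-sector "disk" ---
PARTS: List[Partition] = [(0x80, 0x07, 2048, 204800)]
ORIGINAL_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0 original loader", b"\x12\x34\x56\x78", PARTS)
BOOTKIT_MBR = build_mbr(b"\xeb\x1e attacker loader, chains to LBA 7", b"\x12\x34\x56\x78", PARTS)
BASELINE = parse_mbr(ORIGINAL_MBR)


def sample_disk() -> bytes:
    sectors = [bytes(SECTOR)] * 16
    sectors[0] = BOOTKIT_MBR      # attacker's MBR now in sector 0
    sectors[7] = ORIGINAL_MBR     # the saved copy of the real MBR it chains to
    return b"".join(sectors)


def analyse(disk: bytes) -> Tuple[List[str], List[int]]:
    return check_mbr(disk[:SECTOR], BASELINE), find_mbr_copies(disk, BASELINE)


if __name__ == "__main__":
    findings, copies = analyse(sample_disk())
    for f in findings:
        print("-", f)
    print("original MBR copies found at LBA:", copies)
```

      Run it against a raw image (`dd` of the whole device, not a single partition) rather than sector reads from the live system, since a rootkit that is already running can filter what the live OS sees. The scan also catches the case where the original is stored inside unallocated space or a partition's slack, because it looks at every sector, not just at known offsets.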
    6. Re:pretty low on the spectrum by Svartalf · · Score: 1

      Yeah, there probably is. The big takeaway, though, is that the protections people thought we had against boot-sector attacks aren't quite what everyone thought they were.

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
    7. Re:pretty low on the spectrum by psetzer · · Score: 1

      The term 'privilege escalation' is utterly meaningless in this context. The code is running at kernel level. It defines what the privileges are and can do whatever it wants because it IS the OS.

      --
      "Anyone who attempts to generate random numbers by deterministic means is living in a state of sin." -- John von Neumann
    8. Re:pretty low on the spectrum by SydShamino · · Score: 1

      I'm talking about something different. Assuming you've compromised a user account, but did not have root, you could write CDs or floppy disks on that computer (which the user can do). Then on reboot you can use this method to become root.

      The overall process would be a long, convoluted privilege escalation.

      --
      It doesn't hurt to be nice.
  20. Re:YOU weren't posting, ken dawson was by bennomatic · · Score: 2, Insightful

    I was going to say... if you have physical access, you can take out the hard drive, put it in another box, muck around with the data in any way you want and put it back. I'm an Apple fanboi at heart, but, geeze, this seems like a big, honkin' "What-ever!" to me.

    --
    The CB App. What's your 20?
  21. nit picking by phrostie · · Score: 1

    i have no love of M$, but come on. if you have physical access to a computer and at boot time no less you can do whatever the #@!! you want.

    if this is the biggest flaw redmond has in W7, that's not so bad.

  22. was news by ohmiez · · Score: 1

    Till i saw "physical access." if someone is _that_ determined to compromise a machine they will walk off with the HDD.

  23. I am a world class car thief. Watch me steal. by Bill+Zinclemyer+III · · Score: 0, Redundant

    I can steal any car in the world. Give me the keys, some gas, and park it in my drive way. Watch me steal it with ease! HA!

  24. Heh... Nice idea, really by Svartalf · · Score: 1

    Interesting idea. While the current version requires physical access, it doesn't strike me that one would need all that much to make it work via remote with a trojan or similar.

    Basically, it's a revisit of the boot-sector virus of old, which will prove to be an issue for just about any OS, most likely.

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  25. The Linux story the other day by twidarkling · · Score: 1

    What I find interesting is the people who are trumpeting this as a horrible security vulnerability, despite needing physical access to the machine, are likely to be the same ones who discounted the Intel cache overflow exploit being easier to execute on Linux than other systems, but you need to run as root on Linux as "If someone has root, it's your fault anyways." So what makes this one more egregious in their eyes? You can run root over a network. That seems worse than needing physical access to the machine, imo. It just goes to show, no OS is completely safe, no matter what, and user education is the key. Not security through obscurity.

    --
    Canada: The US's more awesome sibling.
  26. Not broken, someone just wanted a story. by NickW1234 · · Score: 1

    The problem goes even deeper. The bios is insecure. You can put bootable media in it and access your drives. They really should start epoxy potting the whole machine with a harddrive with windows preinstalled and no longer allowing any other bootable media.

  27. Attack requires editing RAM contents during boot by Sockatume · · Score: 5, Informative

    The attack involves patching particular Windows system files in RAM during the boot process, which explains why physical access is required, and why it doesn't work after a reboot. The attacker loads an app from a CD-ROM which then itself executes the normal Windows boot process while aggressively patching software in memory. This also isn't a Windows-specific vulnerability: any OS which does not checksum memory contents each time they're read is vulnerable.

    --
    No kidding!!! What do you say at this point?
  28. FCKGW by RenHoek · · Score: 1

    While uninteresting for worms, this is probably a nice way for pirates to hack Windows 7..

    I'm not sure if they have cracked it already or not, since I'm still on XP.

  29. imaginary trumpeting straw man by rs232 · · Score: 1

    "What I find interesting is the people who are trumpeting this as a horrible security vulnerability"

    Where did you read that? From a quick browse, most/all of them mention physical access. Where are all these nay-sayer comments?

    "are likely to be the same ones who discounted the Intel cache overflow exploit being easier to execute on Linux than other systems"

    That's what's known as a straw man argument. As in making up imaginary quotes on another thread and addressing them instead of the current subject, which is researchers demoing proof-of-concept code to take control of a Windows 7 virtual machine while it was booting up.

    --
    davecb5620@gmail.com
    1. Re:imaginary trumpeting straw man by twidarkling · · Score: 1

      http://it.slashdot.org/article.pl?sid=09/04/22/1815226 Take a look. There's a shit-ton of people going "Yeah, but you need root to do it." That exploit's in the wild, not just proof-of-concept. And people are still discounting it. That makes my argument just a bit beyond "straw man." I was pointing out that people will hold up any system as more or less secure than another, but it all comes down to the users, not the OS.
      As for the nay-sayers? Look at the first comment on the article. Someone already saying "Look! A security vulnerability!"

      --
      Canada: The US's more awesome sibling.
  30. For a smart guy, dumb statement by furby076 · · Score: 2, Insightful

    'There's no fix for this. It cannot be fixed. It's a design problem,

    There is always a fix. Every vulnerability is a "design problem". Sometimes the code to fix it is a separate app (e.g. firewall, virus protection), and sometimes it requires modification to the code. There is always a fix in software - it's just a matter of making it.

    This guy stating there is no fix, it can't be fixed is making statements about as dumb as those who say their favorite OS (e.g. OS X) is immune from any virus/worms/hacks.

    --

    I do not support "The Man". I also do not support your irrational stupidity
    1. Re:For a smart guy, dumb statement by Anonymous Coward · · Score: 0

      Usually, I'd say you're right. In this case, it's different.

      He really does mean "There's no software fix for this." - physical access kind of does that.

    2. Re:For a smart guy, dumb statement by JasterBobaMereel · · Score: 2, Insightful

      He is right there is no fix .... however the workarounds are pretty good ...

      If you are booting, then load the boot software at a random location, like they do with other programs once the system is running, and this hack will be *much* more difficult

      It's just that, as he says, Windows 7 assumes that during the boot process no user program can change things and it has complete control....

      If you are running in a virtual machine you *never* have complete control and so this will always work on any OS, but you can make it difficult ....

      --
      Puteulanus fenestra mortis
    3. Re:For a smart guy, dumb statement by furby076 · · Score: 1

      Well there is a fix - but it will have some drawbacks - don't allow booting from CD, USB, Ethernet. Obviously if someone strips out the hard drive and connects it as a slave drive to the computer there is nothing that can be done, but in terms of booting. Though I am pretty sure the boot process has to be fixed by the hardware mobo makers. Put a password on your boot setup and set it so you can't boot from CD/USB/Ethernet.

      --

      I do not support "The Man". I also do not support your irrational stupidity
    4. Re:For a smart guy, dumb statement by Anonymous Coward · · Score: 0

      Let's try to make this clear by removing specifics.

      The program assumes something it shouldn't. There's no fix.

      That statement is stupid. The fix is either find a way to ensure that the program is safe to assume that certain something OR the fix is to make the program no longer assume that something.
      Either way, there is always a fix.

    5. Re:For a smart guy, dumb statement by Just+Some+Guy · · Score: 1

      Every vulnerability is a "design problem".

      You're completely wrong on this one. A design problem is something like "give the console user root access if they click in the top-right corner of the screen". A non-design problem is something like a buffer overflow that wasn't designed into the system, but added inadvertently.

      --
      Dewey, what part of this looks like authorities should be involved?
    6. Re:For a smart guy, dumb statement by Xuranova · · Score: 1

      I noticed you made a point not to say:

      This guy stating there is no fix, it can't be fixed is making statements about as dumb as those who say their favorite OS (e.g. Linux) is immune from any virus/worms/hacks.

      --
      "There is no real right or wrong, just what the majority accepts at the time."
    7. Re:For a smart guy, dumb statement by Livius · · Score: 1

      Especially given how prompt Microsoft is at fixing security flaws.

  31. Re:I cannot believe it... by gnick · · Score: 1

    But, really. If you give me physical access to damned near any Windows or Linux machine, it's owned.

    OK - Sorry in advance for the self-quote and self-reply, but I thought that I would correct myself before somebody else does. Total hard-drive encryption makes taking a box over significantly harder - Well beyond anything I've actually done. I've read about techniques more sophisticated than an in-line PS/2 or USB sniffer, but I'll leave it to the experts to freeze/remove/copy live RAM. I was talking about your standard office-building desktops.

    --
    He's getting rather old, but he's a good mouse.
  32. Your second option... by its_schwim · · Score: 1

    If you have to be present to perform the hack, then you could always just hit the PC repeatedly with a hammer if for some reason it doesn't work.

  33. Misleading title by tuxgeek · · Score: 2, Insightful

    At first glance at the thread title, my first thought was pop a Linux CD into the drive and reboot
    Voila no more Win7

    --
    "Suppose you were an idiot...and suppose you were a member of Congress...but I repeat myself." Mark Twain
  34. Prevention or problem. by senorpoco · · Score: 0, Troll

    But who would want to take control of a computer with windows 7 on it? It is like hijacking a garbage scow.

  35. Re:Attack requires editing RAM contents during boo by Anonymous Coward · · Score: 0

    Even if they do checksum/hash memory constantly, it doesn't make a damn bit of difference. If you can patch memory, you can patch the code to remove checks. In fact, the Vista/7 bootloader performs not only checksums but also signature checks.

  36. Re:YOU weren't posting, ken dawson was by quickOnTheUptake · · Score: 1

    even worse than those gaping security holes for linux that assume the attacker has root access.
    "A cracker with physical access to a machine can take control of the computer during boot. News at 11."

    --
    Mod points: Guaranteed to remove your sense of humor.
    Side effects may include gullibility and temporary retardation
  37. Re:Attack requires editing RAM contents during boo by rs232 · · Score: 4, Interesting

    "The attack involves patching particular Windows system files in RAM during the boot process, which explains why physical access is required, and why it doesn't work after a reboot"

    'The latest version of VBootkit includes the ability to remotely control the victim's computer. In addition, the software allows an attacker to increase their user privileges to system level, the highest possible level. The software can also remove a user's password, giving an attacker access to all of their files. Afterwards, VBootkit 2.0 restores the original password, ensuring that the attack will go undetected'

    I thought BitLocker was supposed to defend against such exploits if the boot sequence was altered?

    --
    davecb5620@gmail.com
  38. Re:Attack requires editing RAM contents during boo by vux984 · · Score: 2, Insightful

    This also isn't a windows-specific vulnerability: any OS which does not checksum memory contents each time they're read is vulnerable.

    Even that wouldn't matter, because the first thing I'd in-memory patch is the checksum algorithm to always return 'ok'.

    The only real way to resolve this would be a-la console style 'trusted computing, and digital signatures through the whole bios and bootstrap process'. Of course, even this could be 'hacked' or 'modchipped' but at least it wouldn't be as simple as just putting in a disk.

    There is no security if they have enough physical access.

  39. Just because by Anonymous Coward · · Score: 0

    ...someone has physical access to my computer shouldn't mean they have access to the data stored on that computer. This is NOT acceptable. Users need to adjust their expectations and DEMAND better security. Tired of this BS, "If someone has physical access..."

    Computer thefts are not such a rare occurrence that it is acceptable to say if someone already has the computer they might as well have the data!

    1. Re:Just because by realmolo · · Score: 1

      The only answer is to encrypt the data. Nothing else could POSSIBLY keep someone from getting at your data if they have physical access to your hardware.

    2. Re:Just because by daybot · · Score: 1

      The only answer is to encrypt the data. Nothing else could POSSIBLY keep someone from getting at your data

      What about an anti-tamper explosive device inside the case? Anything is possible if you put your mind to it :)

  40. Re:Attack requires editing RAM contents during boo by necrogram · · Score: 1

    I thought that was part of the bitlocker boot process, that the unencrypted boot files have their checksums stored in the tpm

  41. Re:I cannot believe it... by MyLongNickName · · Score: 4, Funny

    Hi. I see you are making fun of a "security vulnerability". This vulnerability involves being physically present at a PC and being able to boot it. This is a security vulnerability in the same way that my house is insecure to folks who I invite over for dinner.

    You obviously have no clue, and I would recommend not posting in security vulnerabilities discussions any more.

    kthxbai.

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
  42. Why you are posting this by DaveV1.0 · · Score: 3, Informative

    Because you are a Microsoft hating troll

    --
    There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
    1. Re:Why you are posting this by PJ1216 · · Score: 1

      As the stories that get posted are submitted and voted on by users, he's right in asking why he posted it. He has no control over what the users choose. He's just stating he's surprised that people found this to be important because, as a lot of people have stated, this is a non-story.

  43. The reason by kenp2002 · · Score: 4, Insightful

    ... the reason you are posting this article is to spread anti-microsoft hate and FUD for no reason.

    Why not post:

    With a gentoo install CD you can gain control of any linux system by overwriting key /etc/ files to give yourself root access unless you use encrypted drives...

    More useless propaganda from an MS-hater. I mean seriously, this is news? Next thing you'll post is the Windows 7 has a horrible exploit that crashes it every time you shoot the PC with a shot gun.

    Don't we have a NO FUD policy for articles?

    "Everyone is entitled to be stupid, but some abuse the privilege", as a result of this abuse, your Stupid License has been suspended for 60 days.

    --
    -=[ Who Is John Galt? ]=-
    1. Re:The reason by DaveV1.0 · · Score: 1

      I prefer my version of this sentiment. Yours is too wordy.

      --
      There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
    2. Re:The reason by pseudonomous · · Score: 1

      It's not clear from the article whether encrypting your hard drives prevents this attack from working or not, probably not, because I would think they would mention it if encryption didn't help; other than that it's just another rootkit that's virtually impossible to detect. But hey, wasn't there just a story about a rootkit using cache poisoning on intel motherboards in Linux to install an impossible to detect rootkit when you ALREADY have root access? This isn't really that different.

    3. Re:The reason by daybot · · Score: 1

      Windows 7 has a horrible exploit that crashes it every time you shoot the PC with a shot gun.

      Try that with a BSD box. The shards would ricochet off the case and hit you in the face!

  44. Re:Heh... Nice idea, really by DaveV1.0 · · Score: 1

    Please explain in detail how one would make this work without physical access to the box.

    --
    There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
  45. Unfixable!!! by Anonymous Coward · · Score: 0

    Reminds me of the Shatter attack, which was also "unfixable" until Vista fixed it.

    But unlike the Shatter attack, we don't even have to wait for a fix. Just turn on Bitlocker. There, fixed that unfixable problem for ya. With a security feature already present in the OS. Kinda makes you wonder what their definition of "unfixable" is...

    Jeeze, hyperbole much?

  46. Re:I cannot believe it... by DavidChristopher · · Score: 5, Insightful

    In the absence of physical security, taking over a vista, linux, mac os x or (insert vendor here) UNIX system is not difficult, providing you know the platform. No, the 'average gramma' can't do it, but most of us most likely can - with not much more than a google search and a quick download.

    I'm not a microsoft (or apple, or linux) fanboi by any means, but a system is only as secure as you actually make it. Disk encryption helps - it's a great idea - so I've honestly never met anyone who's used it.

    While this is certainly an interesting exploit, I doubt highly that many systems will be compromised in the wild with it.

    --
    http://www.bistolas.net
  47. Re:Attack requires editing RAM contents during boo by Sockatume · · Score: 1

    The remote access and privilege level exploits are only possible after VBootkit has been patched into memory. Bitlocker protects against patching the OS on the disk but I don't think it offers any protection against changing the OS contents, beyond the "user input" requirement for boot (either a PIN or a physical device, which this software may or may not be able to bypass).

    --
    No kidding!!! What do you say at this point?
  48. Captain Obvious, AWAY! by rezalas · · Score: 1

    Oh my god, windows can be hacked! With physical access! THIS IS HUGE! WINDOWS SUCKS MICROFOSFT IS TEH DEVAL OOH NOES!!1!one
    Linux... Mac OS, Windows, ANYTHING... can be hacked with physical access. Period. If you have the time and the access there is no security beyond encryption and even that can eventually be defeated. This seems like just another lame "bash microsoft" post. Yeah you hate them, sure we know it. Get over it. They didn't become one of the largest software providers on earth by use of magic and lolly pops (though it did take a few suckers here and there).

    The worst part is that it's a bunch of security researchers that blew time on this bullshit and then in the end said "but don't worry it doesn't matter." Then why the fuck did you bother with it? Congratulations for proving what the whole fucking security industry already knew captain obvious! What's next, going to tell us that wireless routers have a physical switch vulnerability when the default password is used? Do us all a favor and fly out that window and save the world buddy.

  49. Not necessarily by SpooForBrains · · Score: 4, Interesting

    The standard method of securing the data on your machine, which is what's important, is to encrypt it. So even if someone rips open the box, takes out the disk and puts it in another machine, the data should be safe, assuming the encryption algorithm and the user authentication processes are secure.

    However, if this exploit allows them access to the operating system on the disk, and allows them to subvert the user authentication process to grant themselves access to a user's account, then the data is compromised.

    So this exploit may have an application, not as an attack vector for writing a propagating worm or virus, but as a means to gain access to otherwise secure data.

    --
    "The dew has clearly fallen with a particularly sickening thud this morning"
  50. Re:Attack requires editing RAM contents during boo by Sockatume · · Score: 1

    I overlooked it, it's explained well below.

    --
    No kidding!!! What do you say at this point?
  51. Re:I cannot believe it... by Sir_Lewk · · Score: 2, Insightful

    much tougher with Vista than any Linux distro I've run into.

    And us linux users consider that a feature.

    --
    "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
  52. Missing the point folks... by minsk · · Score: 3, Interesting

    Everyone talking about this being irrelevant is missing the point. This attack does not make users significantly more vulnerable. Instead, it makes Windows more vulnerable to users.

    Hacking your own machine sounds laughable. But as long as vendors restrict usage, we need to keep reminding them that DRM is a fool's quest.

  53. Re:Attack requires editing RAM contents during boo by Sockatume · · Score: 1

    If that's so then I imagine it would be a protection from this, assuming Windows is assiduous about checking those files' checksums. It's implied in the article that it is not, but I'm not sure if the exploit was tested against a system with a TPM.

    --
    No kidding!!! What do you say at this point?
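    The BitLocker/TPM point argued in comments 37, 40 and 53 comes down to what a measured boot actually checks. The following is an added example, written for this thread and not code from the article, from Microsoft or from the VBootkit authors: a toy model of a PCR-style measured boot in which each component's on-disk image is hashed into an extend-only register and a volume key is sealed to the expected register value. The component images, the key and the seal/unseal routines are constructed stand-ins (a real TPM keeps the secret inside the chip). It shows why a modified boot file on disk is caught (the key stays sealed) and why a change made to the copy in RAM after it was measured is not, which is the gap a PIN or startup key is meant to narrow.

```python
"""Toy model of measured boot with a PCR-sealed volume key.

Constructed example: the component images, the key and the seal/unseal
routines are illustrative stand-ins, not BitLocker or TPM code.
"""
import hashlib
from typing import List, Optional, Tuple

PCR_SIZE = 32  # SHA-256 sized register


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend_pcr(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: the new value is H(old_pcr || measurement).

    The register can only be extended, never set, so the final value
    depends on every measurement and on their order.
    """
    return h(pcr + measurement)


def measure_boot_chain(components: List[Tuple[str, bytes]]) -> bytes:
    """Each stage hashes the next component's on-disk image and extends
    the PCR before transferring control to it."""
    pcr = bytes(PCR_SIZE)
    for _name, image in components:
        pcr = extend_pcr(pcr, h(image))
    return pcr


def seal(secret: bytes, expected_pcr: bytes) -> dict:
    """Bind a (<= 32 byte) secret to one PCR value.  A real TPM keeps the
    secret inside the chip; here a PCR-derived pad stands in for that."""
    pad = h(b"seal-pad" + expected_pcr)
    return {"pcr": expected_pcr,
            "wrapped": bytes(a ^ b for a, b in zip(secret, pad))}


def unseal(blob: dict, current_pcr: bytes) -> Optional[bytes]:
    """Release the secret only if the current PCR matches the sealed one."""
    if current_pcr != blob["pcr"]:
        return None
    pad = h(b"seal-pad" + current_pcr)
    return bytes(a ^ b for a, b in zip(blob["wrapped"], pad))


# Constructed stand-ins for the boot components and the disk-encryption key.
GOOD_CHAIN = [
    ("bootmgr", b"constructed boot manager image v1"),
    ("winload", b"constructed OS loader image v1"),
    ("kernel", b"constructed kernel image v1"),
]
VOLUME_KEY = b"constructed-volume-key-32-bytes!"  # exactly 32 bytes


def provision() -> dict:
    """Seal the volume key to the PCR of the known-good chain."""
    return seal(VOLUME_KEY, measure_boot_chain(GOOD_CHAIN))


def boot_pristine() -> bool:
    """Untouched disk: the measured chain matches and the key is released."""
    return unseal(provision(), measure_boot_chain(GOOD_CHAIN)) == VOLUME_KEY


def boot_with_tampered_disk() -> bool:
    """Boot manager replaced on disk: the measurement changes and the key
    stays sealed.  This is the case measured boot is built to catch."""
    tampered = [("bootmgr", b"constructed boot manager image MODIFIED")] + GOOD_CHAIN[1:]
    return unseal(provision(), measure_boot_chain(tampered)) == VOLUME_KEY


def boot_with_post_measurement_change() -> Tuple[bool, bool]:
    """The on-disk images are intact, so measurement succeeds and the key is
    released; the copy running in RAM is then altered.  Returns
    (key_released, running_code_matches_measured_code)."""
    blob = provision()
    pcr = measure_boot_chain(GOOD_CHAIN)          # taken from disk, before the change
    loaded = {name: bytearray(img) for name, img in GOOD_CHAIN}
    loaded["winload"][:7] = b"ALTERED"            # in-RAM copy diverges after measurement
    key_released = unseal(blob, pcr) == VOLUME_KEY
    running_matches = bytes(loaded["winload"]) == dict(GOOD_CHAIN)["winload"]
    return key_released, running_matches


if __name__ == "__main__":
    print("pristine boot releases key:", boot_pristine())
    print("tampered disk releases key:", boot_with_tampered_disk())
    print("post-measurement change (key released, code matches):",
          boot_with_post_measurement_change())
```

Running the file prints True, False and (True, False) for the three scenarios. The third result is the whole argument of this sub-thread: the measurement is a snapshot of what was on disk when each stage was hashed, so a TPM-only policy cannot tell the difference between the measured image and what is executing afterwards, which is why the comments above point at the PIN or startup-key requirement rather than at the PCRs themselves.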
  54. How about we stop lending fame to these clowns by billcopc · · Score: 1

    So these guys came up with a bootloader that screws with its child process (the OS), and they're calling that an exploit ? I guess "grub" would be considered an exploit too, by their chicken-little standards.

    These two Kumar clowns are really just shills for Trusted Computing, fear-mongering in exchange for a little kickback from the related fascist orgs.

    --
    -Billco, Fnarg.com
  55. Nonsense by Anonymous Coward · · Score: 0

    This article is nonsense.

  56. Which makes me wonder why I'm posting this? by Anonymous Coward · · Score: 0

    Yes, why? Makes me wonder why I'm reading this :(

  57. Time to dust off the ol' Atari 800XL... by tlinget · · Score: 1

    No one will want or remember how to hack this old one...

    I'll be safe in my cubie now.

  58. drm by Anonymous Coward · · Score: 0

    Maybe someone can shed some more light on this, but I'd imagine this could be used to insert your own kernel-mode code, without the kernel detecting it. So how hard would it be to patch ati's driver to dump every frame to the hard drive, without any of their shit detecting you (since you already own kernel mode). You'd be able to dump the video off bluray/wmv easily (although you would just have video, none of the extra features/java menus). I'd imagine that ati's driver isn't obfuscated. The path between user space (Win dvd) and the kernel is obfuscated, and the path between kernel mode/ram and the pci card/pci bus is encrypted, but at some point in the kernel it's going to be decrypted and easily accessible. Anyone able to share their thoughts on this?

  59. Re:I cannot believe it... by Aladrin · · Score: 1

    Not all of us. Speak for yourself.

    --
    "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
  60. Well ... by nitroyogi · · Score: 1

    Would someone really so smart please take proper control of Windows 7's development?
    That would be of greatest help!

  61. Mindless claims that someone bashed by Anonymous Coward · · Score: 0

    I'm as anti-microsoft as the rest of you (at least the intelligent folk), but are you all seriously claiming that linux or unix distros are immune to tampering with the boot partition?

    Actually, I read the summary over and over, and I didn't see anything about linux or unix. I read again, and didn't see any microsoft bashing, either.

    What makes you think someone made a claim about linux or unix, or that someone bashed microsoft? You might as well say, "I'm as anti-octopus as the rest of you, but are you all seriously claiming Jupiter orbits Venus?" and it wouldn't be any less of a non sequitur.

    1. Re:Mindless claims that someone bashed by ClosedSource · · Score: 1

      On Slashdot you have to say you're against MS or you won't be taken seriously by a lot of readers. Saying "I only use Windows because my employer forces me to" is acceptable too.

  62. Re:I cannot believe it... by pseudonomous · · Score: 1

    Were you thinking of doing something more sophisticated than booting w/ a live CD to change the root password (or just work on the hard drive as root)? Because you could guard against that by setting passwords for your BIOS, which most BIOSes seem to support. Also, I don't see why Vista or a Macintosh wouldn't be vulnerable to this, but I haven't really used either much.

  63. Just Change The BIOS Settings, Already by Java+Commando · · Score: 1

    Given that this appears to be loaded via internal optical drive, I'm not completely understanding why this is such a threat. Discounting the fact mentioned by many others that if you're physically compromised you're already hosed (they can pull the hard drive, etc.), all BIOS renditions I've ever seen allow you to select which device the machine first uses to boot. So, set it to your hard drive. Machine boots from hard drive, doesn't boot from bad CD/DVD. Password protecting your BIOS access (which many, if not most, offer) prevents malicious user from setting the machine back to CD/DVD boot. Some BIOS flavors allow you to turn off CD/DVD boot all together, even.

    End of "problem".

    I mean really-- This is so simple I fear I must be missing something about this story... ?

    1. Re:Just Change The BIOS Settings, Already by DaveV1.0 · · Score: 1

      That works really well, except that the person who has physical access to the computer can open it up and change the jumpers to clear the BIOS password.

      --
      There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
    2. Re:Just Change The BIOS Settings, Already by Java+Commando · · Score: 1

      Ah yes-- Excellent point (and one I should have thought of, I say embarrassed). I suppose this further demonstrates the reality: If someone has physical access to your machine, Game over, man!

  64. From TFA.... by jackchance · · Score: 1

    " the software allows an attacker to increase their user privileges to system level, the highest possible level. The software can also remove a user's password, giving an attacker access to all of their files. Afterwards, VBootkit 2.0 restores the original password, ensuring that the attack will go undetected."

    So this is basically great if you want to break into your girlfriend's laptop to check her email?

    Can someone knowledgeable explain why this is news?

    --
    1 1 2 3 5 8 13 21 34 55 89 144 233 377 610 987 1597 2584 4181 6765
  65. Re:I cannot believe it... by gnick · · Score: 3, Insightful

    Yes - My first system breach (not counting MS systems that were completely unsecured - I mean actually circumventing security) in the wild was back in the early 90's - A university *nix system. The thing that made (makes) *nix such an easy target is that you can actually understand how it works. Windows is full of holes, but it's so frigging weird and hard to wrap your head around the bizarre OS that the casual cracker won't bother learning what's going on. If your only goal is to satisfy some childish desire to breach security and smugly toss your hands in the air and declare yourself an 31337 hacker (as was my case), Linux is the way to go.

    Agreed - Being able to understand your OS is indeed a feature for people living in Linux world.

    --
    He's getting rather old, but he's a good mouse.
  66. have to be physically there? by floatingrunner · · Score: 0

    Relax Luther, it's much worse than you think. The only certified technician has to pass a series of security scans. First one is voice activated. Then, he has to put in a 6 digit code. That only gets him into the outer room. In order to get in the vault, he first has to pass a retina scan. Then, the door will unlock only by two electronic keycards, which we won't have. In the vault, there are three security sensors that will activate at any time the technician is out of the room. First is voice sensitive; anything above a whisper will set it off. The second one senses the temperature; even the body heat of an unauthorized person in the room can set it off if the temperature rises by a single degree. The temperature is controlled by an air duct system 30 feet above the floor. The vent is guarded by a laser net. The third one is on the floor, and it's pressure sensitive. Just the slightest increase in weight will set it off. If any of these 3 sensors is set off, it will trigger an automatic lockdown. Let me tell you, gentlemen, that all three systems are state of the art.

  67. Re:I cannot believe it... by Krneki · · Score: 1

    Actually, it's much tougher with Vista than any Linux distro I've run into.

    First time I didn't have the password for the Vista Admin account it took me 2 min to reset the password to blank. Including the minute and a half to find Hiren's boot CD.

    --
    Love many, trust a few, do harm to none.
  68. I think... by Anonymous Coward · · Score: 0

    you posted it because you were pissed about the Intel CPU hack for Linux that allows one to compromise ALL virtual machines on that server.

    I would say, if you have physical access to my VM's host and you can't "hack" a rootkit into a VM, that you sir, suck.

  69. Re:I cannot believe it... by perryizgr8 · · Score: 2, Informative

    bios passwords are a joke. on my hp pavilion, if i slide open the side cover and shake up the cell on the mobo, it forgets all bios settings and the password too.

    --
    Wealth is the gift that keeps on giving.
  70. Physical access? by FineWolf · · Score: 1

    Or the attacker just needs to distribute a warez copy of Windows 7 with the exploit code slipstreamed... Oh the irony!

  71. Re:I cannot believe it... by gnick · · Score: 1

    If you're going to be brazen enough to change the root password with a live CD, why not take the extra step of cracking open the case and resetting the BIOS? It might raise a couple more eyebrows in an office environment, but a stranger sitting at a PC may even be less suspicious when he cracks the case open because he's "repairing" it for the regular user.

    --
    He's getting rather old, but he's a good mouse.
  72. Re:Heh... Nice idea, really by Svartalf · · Score: 1

    How did a boot-sector virus work?

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  73. Re:YOU weren't posting, ken dawson was by mhall119 · · Score: 1

    Physical access may not be necessary, they may be able to have the computer boot to an alternative media, which will in turn boot Windows with this hack. So, if you leave your USB stick or external storage drive connected, and they have a user-space attack that lets them put this exploit on that and force a reboot, you get the idea.

    --
    http://www.mhall119.com
  74. Agent Phil has something to say... by geekmux · · Score: 2, Insightful

    If someone has physical control of the machine, all bets are off.

    Ah, apparently you've never heard of Phil Zimmerman or have ever seen a James Bond movie, have you?

    Point here is there is quite a bit that has and can be done even at the physical layer. Drive Encryption (PGP) is but one option, and given the track record of PGP, I'd say a pretty damn good one. TrueCrypt is a great free alternative too.

    And I for one am glad this was posted. Just helps enlighten everyone on the importance of good security practice regardless of how shiny and new the OS is.

    There are no foolproof Operating Systems out there, just fools who think there are.

    1. Re:Agent Phil has something to say... by Anonymous Coward · · Score: 0

      Drive Encryption (PGP) is but one option, and given the track record of PGP, I'd say a pretty damn good one.

      Personally I don't like the concept of PGP's subscription model - at least not for FDE and NetShare is a bit worrying:

      From: https://pgp.custhelp.com/cgi-bin/pgp.cfg/php/enduser/std_adp.php?p_faqid=747

      Whole Disk Encryption: Drives encrypted with PGP Whole Disk Encryption will decrypt 90 days after the subscription license has expired. If the license is Trialware, the drive will be decrypted after the 30 day evaluation period has ended.

      PGP Netshare: PGP Netshare-encrypted files and folders will remain encrypted after the license has expired so the data will still be secured and accessible, however if new files or folders are moved to the PGP Netshare-encrypted folder no encryption will occur.

      Obviously you'd have to enter your passphrase normally before FDE could decrypt your drive anyway. I hope you get adequate warning using an expired Netshare though.

      For me TrueCrypt is the better alternative. You don't pay an arm and a leg for it, it's open-source, and it's never going to decrypt (or fail to encrypt) your data when you don't intend it to. It lacks centralized management, but if someone really needs that they can add it!

  75. Re:YOU weren't posting, ken dawson was by Computershack · · Score: 2, Insightful

    How is it any different to shoving in a Linux Live CD, running BartPE or running Windows setup, doing a repair install and sticking your own account on?

    --
    I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
  76. Re:I cannot believe it... by lethargic8 · · Score: 1

    BIOS passwords are in no way secure. Resetting bios passwords is as easy as taking the backup battery off the motherboard, and unplugging it long enough to reset to its factory state. To prevent this you have to lock the hardware up from physical access.

  77. No fix, eh? I got your fix right here... by skathe · · Score: 1

    ...it's called a "locked room" with "security cameras". Deny physical access = deny vbootkit 2.0. "Design problem" solved.

    1. Re:No fix, eh? I got your fix right here... by argent · · Score: 1

      Don't forget the armed guards.

      They were pretty cool the first time I visited a customer who took security THAT seriously.

    2. Re:No fix, eh? I got your fix right here... by Anonymous Coward · · Score: 0

      Like that stopped Ethan Hunt...

  78. Re:Heh... Nice idea, really by Anonymous Coward · · Score: 0

    No. It CAN'T be done remotely, as is mentioned below the exploit is done by patching startup files in RAM as the machine boots.

    There is no way to do this other than through a boot-CD... (or some other type of boot-able physically attached storage medium)

  79. Re:I cannot believe it... by Sir_Lewk · · Score: 1

    My thoughts exactly. People look at me weird when I say I prefer linux to windows because windows is far too complicated. What they don't understand is that there are more kinds of 'complicated' than just "what icon do I click to get internet?".

    --
    "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
  80. Useful for anti-DRM? by SignalFreq · · Score: 1

    This should allow bypassing *some* of the Windows7 DRM features since it seems to be a way around part of the "trusted computing chain".

  81. Re:In Soviet Russia... by ausekilis · · Score: 1

    Your 'i' key is broken. ;-)

  82. Re:I cannot believe it... by dov_0 · · Score: 1

    The thing that made (makes) *nix such an easy target is that you can actually understand how it works. Windows is full of holes, but it's so frigging weird and hard to wrap your head around the bizarre OS that the casual cracker won't bother learning what's going on.

    What I find really strange is that a 'mixed bag' like a Linux distro with software from all over the place hodge-podged together actually does often make a lot more sense functionally than a complete in-house setup like Windows. I can understand my Linux box. Windows drives me freaking insane!

    --
    sudo mount --milk --sugar /cup/tea /mouth /etc/init.d/relax start
  83. Duh.... by RoboRay · · Score: 1

    If "Step 1" of your method of taking control of someone else's computer is "Gain physical access to the hardware," there's no reason for you to even talk about it.

  84. Re:I cannot believe it... by JeffSpudrinski · · Score: 1

    I was personally very surprised at how easy it was for me to reset a password in Ubuntu.

    My linux juju was pretty dusty at the time (I manage a Windows network, which takes all the fun out of playing with computers in my spare time). But a friend of mine brought me an Ubuntu computer that was property of a deceased relative and asked me to reset the password so he could get his relative's data off. I was able to boot to a Live CD, mount the hard drive into a temp folder, use "chroot" to change my root folder to the one on the hard drive, use "passwd" to reset their password. Done deal. Took me 10 minutes and again I reference that my Linux juju was very dusty.

    I'm not bragging...there's tons of users (most of them here, probably) better at Linux than me. But having physical access to the system made it no problem.

    With Windows, you just get a copy of "Ultimate Boot CD" and use the password reset utility.

    As noted previously, though, changing password won't get you access to encrypted data.

    Sorry...I just feel that this is a "non-story". More stuff to try and bash on Microsoft unreasonably. There's plenty of things you can beat up Microsoft over without having to make some more up.

    Later,
    -JJS

  85. Nothing new. by WhitePanther5000 · · Score: 1

    With physical access to any standard desktop machine, you can easily get into Windows, Linux, or Mac OS. This comes in very handy in an IT environment where there is no central authentication server of sorts, or when people bring PCs to your computer shop with forgotten passwords. I'm not sure about Mac OS, but for Windows or Linux, if you don't want their password changed... just back up the file before you change it, then copy it back when you're done. Encrypted hard drives are a different ballpark though... never messed with those.

  86. Re:I cannot believe it... by DMUTPeregrine · · Score: 2, Insightful

    Whereas with Linux you just boot into single user mode & use passwd to set the root password.

    --
    Not a sentence!
  87. What about HP iLO or Dell DRAC? by Anonymous Coward · · Score: 0

    If you are able to gain access to the iLO card on an HP server that is remote... one can mount ISOs and remote console etc. Don't need to be in front of the machine at all.

  88. A MUCH Easier Way To Take Control by Anonymous Coward · · Score: 0

    Don't install it.

  89. Hacking conference in Dubai? by Anonymous Coward · · Score: 0

    Geeze, these guys really are on the mainstream conference circuit.

  90. Re:I cannot believe it... by SanityInAnarchy · · Score: 5, Informative

    I'll correct you a bit further -- there are different kinds of physical access. For instance, a public computer lab might have machines which have their case locked, both to prevent it from being opened and to prevent it from being locked down, BIOS locked and configured to boot only from hard disk, bootloader locked, etc.

    On such a machine, there's really not a lot you can do to compromise it without some sort of actual software vulnerability or misconfiguration. You might be able to add a physical keylogger -- maybe -- depends how kiosk-ified it is.

    However, this does not appear to be such an attack. Rather, it seems this is an attack which requires you to boot the machine off of some other media. Most machines are wide open to this in many ways -- the more frightening one was PXE; just plug a laptop into the same network and own every machine as it boots.

    But Vista is not unique in this respect, and I cannot imagine how an OS could protect itself against such an attack. And even network boots can be secured, if you can add just a kernel and initrd to local storage.

    --
    Don't thank God, thank a doctor!
  91. Re:I cannot believe it... by tixxit · · Score: 2, Insightful

    Unless, of course, the admin has set the box up to require a password for single user mode as well.

  92. Linux Live CD will do this on ANY computer. by Anonymous Coward · · Score: 0

    This is a rather stupid article. You can boot ANY computer with a Linux live CD and take control of someone's computer and/or access unencrypted files/folders. Fail..

  93. Re:I cannot believe it... by V!NCENT · · Score: 1

    You can hackz0rs the lock with a credit card and a knife. The BIOS lock isn't going to do any good either because you could humanly brute force it with manufacturer master passwords.

    --
    Here be signatures
  94. Re:I cannot believe it... by Ironica · · Score: 1

    If you're going to be brazen enough to change the root password with a live CD, why not take the extra step of cracking open the case and resetting the BIOS?

    A lot of cases support an external physical lock, and for those that don't, there's aftermarket products available.

    Again, though, it gets back to making the computer physically secure.

    --
    Don't you wish your girlfriend was a geek like me?
  95. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  96. Re:I cannot believe it... by V!NCENT · · Score: 1

    Depends how well you know Vista when you are running Linux daily... but if he knows Vista as much as his Linux distros, then that is definitely a feature, hands down.

    --
    Here be signatures
  97. Re:I cannot believe it... by Jurily · · Score: 1

    Actually, it's much tougher with Vista than any Linux distro I've run into.

    If you can change the boot device, you pop in your favorite LiveCD and you don't even need to know what you just broke. If not, a passworded GRUB is as good as it gets.

    I'm seriously wondering what you meant by that.

  98. Re:I cannot believe it... by hannson · · Score: 1

    Actually, it's much tougher with Vista than any Linux distro I've run into.

    Well, this does Vista in a split second although encrypted files remain protected until you "remember" the old password.

    I'm confused, did they take control of Windows 7 running in a VM or did they take control of the VM that runs in Windows 7 (the one that handles UAC)? I'm obviously not an expert in Windows' security model so I could be misunderstanding.

  99. Re:I cannot believe it... by wh1pp3t · · Score: 1

    A boot CD (Hirens or Windows) won't do you any good if there is no local administrator account on the system.

  100. Re:YOU weren't posting, ken dawson was by mhall119 · · Score: 1

    You'd have root on the box, but not necessarily root on the OS. This could theoretically defeat Bitlocker, though I'm no expert on that and the article doesn't specify.

    --
    http://www.mhall119.com
  101. Re:I cannot believe it... by mjeffers · · Score: 2, Informative

    My case came with one of those case locks. The manufacturer forgot to ship the key. Turned out the key to my luggage is about the same size and I was able to get into it in a few minutes. While there are probably more secure solutions than the one on my PC, picking a lock isn't much of a roadblock.

  102. Re:I cannot believe it... by Creepy · · Score: 1

    Most Windows and Mac machines (I've never checked Linux, but probably there, too) can be booted to a USB drive and with the right configuration, pretty much full access to the drive unless it's encrypted. Sometimes this can be disabled in firmware (e.g. BIOS, EFI, etc), however.

    The exploit you're describing is the same kind I used to get past Foolproof on the Mac with a Zip (and later Jaz) drive 15+ years ago. It can be beaten partially by encrypted drives (you can still erase the drive and install your own OS, but you can't steal data or use programs).

    This is a bit different - if I read it correctly, it may even work on a hardware encrypted drive because it is a runtime exploit and doesn't require admin. That is a bit more akin to a non-root exploit on *nix - the user that is infected has to do the bidding of the master program, but a reboot clears it up. Just because it is memory resident in user-space doesn't mean it isn't dangerous - it could, say, rewrite the startup part of any user-space applications with malicious code and always start when that user runs that program, or infect something like Word macros by identifying them and injecting code.

  103. Is this even a Windows 7 specific problem by Anonymous Coward · · Score: 0

    Sounds like the attack could be used to subvert just about any operating system if it can modify files as the OS is booting.

  104. Re:Attack requires editing RAM contents during boo by necrogram · · Score: 2, Informative

    Try leaving a bootable CD in a BitLockered system. Vista won't boot with it in the drive. BitLocker is pretty tough.

  105. Re:Attack requires editing RAM contents during boo by owlstead · · Score: 1

    Thank you. That saved me reading the article. Nowadays, when in a hurry, I read Slashdot comments backwards :) Saves me reading the initial thread (which always becomes too long) and the funny comments.

  106. Re:I cannot believe it... by mjm1231 · · Score: 1

    Of course, almost everything is much tougher with Vista than any Linux distro I've run into.

    In all seriousness, resetting the root password is trivial on most desktop-type Linux distros, but it really isn't all that hard to find ones where this isn't the case. Or at least is harder than resetting the administrator password in XP. I haven't had to look into how to do so in Vista yet.

    (Also, in all seriousness, I do find most every task I use a computer for easier with Linux than Windows. YMMV.)

    --
    Ideology: A tool used primarily to avoid the bother of thinking.
  107. Re:YOU weren't posting, ken dawson was by sexconker · · Score: 1

    Uh no.

  108. Re:I cannot believe it... by Anonymous Coward · · Score: 0

    Being a Mac guy, I can own a Mac box with physical access as well. Now you can too, here's how:
    1. Boot up Mac OS X into single user mode (root prompt): Hold down Command-S while booting.
    2. If there's a firmware password set, opening up the box and changing the RAM will clear it.
    That's it.

  109. Duh? by GottliebPins · · Score: 1

    If I have the machine in my hands I can do worse things than corrupt the boot process. I can take the damn hard drive out and do whatever the hell I want with it. Not much of a hack.

  110. Re:I cannot believe it... by sexconker · · Score: 1

    In the labs I used to work at:

    You need to get to the motherboard to reset the password. No master password for you.

    You need a hackz0rs saw to get through the locks we use in order to open the case or remove the machine.

    Have fun under that desk for 20 minutes.

  111. Re:I cannot believe it... by sexconker · · Score: 1

    Windows 7 lets you run without an account with admin access? What?

  112. Re:I cannot believe it... by Vu1turEMaN · · Score: 1

    I think the main thing that made this news is that it is apparently "unfixable". And the way that it is completely undetectable makes it more troublesome. I'd rather know that MS is looking at some sort of way to counter this issue.

  113. Re:I cannot believe it... by wh1pp3t · · Score: 1

    If attached to AD...

  114. Re:Heh... Nice idea, really by DaveV1.0 · · Score: 1

    They are spread through ... wait for it ... the use of infected removable media which requires physical access to the machine.

    --
    There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
  115. Linux used to have a similar problem by Anonymous Coward · · Score: 0

    I used to hack Linux boxes thanks to a flaw in Lilo back in the day. You could locally get root with a 1 line command through the bootloader. It freaked the hell out of this one CS professor I had...good times.

  116. Re:YOU weren't posting, ken dawson was by CBravo · · Score: 1

    This is a great problem if you cannot open the box (because of locks on the housing) but have access otherwise. Situations like you have in enterprises, government or banks.

    Avoiding detection of such a crack is important. TFA is not explicit about the prerequisites of the attack though.

    --
    nosig today
  117. Missing the duh tag by csartanis · · Score: 1

    nt

  118. Physical access not necessarily required by Todd+Knarr · · Score: 1

    I can think of several ways around the PoC's physical-access requirement. If the boot loader can be modified by malware, then the malware can drop the necessary code into the boot loader and force a reboot of the machine. If the BIOS is in flash and can be modified, then malware can re-flash the BIOS to include the necessary code. And I'm remembering an old BIOS soft-boot option that did not clear RAM before rebooting, leaving a way for malware to leave parts of itself in memory across a reboot. I'm not too worried about anything that requires physical access, but this thing looks like it could be extended to not require physical access as long as there's another vector available to bootstrap the infection through.

    I'd note that it's not just Windows 7 that's vulnerable to this, any OS is theoretically vulnerable to in-memory patching during the boot process. But OSes other than Windows have far fewer other vectors available to bootstrap the initial infection through, so would be harder to attack this way.

  119. it still has some uses by goombah99 · · Score: 1

    One could still see some uses for this. For example, consider some BIOS-based infection. While it theoretically could do a lot of harm, in practice it is going to be really hard to implement a lot of things from the BIOS. So why not infect the OS itself on every boot? In principle no new capabilities in theory, but it might still be a really convenient vector for an attack.

    One might also use this to hack systems that one nominally has physical access to but no actual control. For example, if some future Xbox 420 is running a Windows 7 kernel, maybe you could use this as a way to bust in to the locked-down device in a generic way.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  120. Re:I cannot believe it... by djespino133 · · Score: 1

    Why would any of these said places have PXE boot enabled, and not have the BIOS locked, and the boot order properly configured? This seems to be another instance where if you have a less than capable user, they will be in trouble. 95% of machines built do not come with PXE enabled, or as the first boot preference. If you have to get to the original box to edit the VM, who cares. Lock it up.

  121. Why you are posting this by daybot · · Score: 1

    Because you are troll hating Microsoft

  122. Re:Attack requires editing RAM contents during boo by Anonymous Coward · · Score: 0

    "The attack involves patching particular Windows system files in RAM during the boot process, which explains why physical access is required, and why it doesn't work after a reboot"

    'The latest version of VBootkit includes the ability to remotely control the victim's computer. In addition, the software allows an attacker to increase their user privileges to system level, the highest possible level. The software can also remove a user's password, giving an attacker access to all of their files. Afterwards, VBootkit 2.0 restores the original password, ensuring that the attack will go undetected'

    I thought BitLocker was supposed to defend against such exploits if the boot sequence was altered?

    BitLocker plus TPM plus PIN should stop this attack as the system takes "measurements" (SHA hashes) of each boot component before it runs it, starting from the BIOS. These measurements are passed to the TPM, which releases the disk encryption keys only if all measurements are correct. If someone modifies a boot file then the boot fails.
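    A toy model of the measured-boot argument in the comment above, added here as an illustration and not code from the page, from Microsoft or from the VBootkit authors. The stage names, the "ToyTPM" class and the HMAC-based sealing are constructed stand-ins: a real TPM seals keys in hardware, but the property shown is the same, a key sealed to the expected PCR value is not released when a different boot medium or patched stage is measured.

```python
"""Toy measured boot: every stage is hashed into a PCR before it runs,
and the disk key is sealed to the PCR value of the trusted chain."""
import hashlib
import hmac
import secrets

PCR_LEN = 20  # TPM 1.2 PCRs hold one SHA-1 digest


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM extend operation: PCR' = SHA1(PCR || SHA1(component)).
    Order matters and nothing can be rolled back, so a tampered or
    substituted stage changes every PCR value after it."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_chain(components) -> bytes:
    """Measure a list of boot stage images in boot order, from a zeroed PCR."""
    pcr = bytes(PCR_LEN)  # PCRs reset to zero at power-on
    for component in components:
        pcr = extend(pcr, component)
    return pcr


class ToyTPM:
    """Constructed stand-in for the chip: the storage root key never leaves
    it, and unseal checks both the platform state (PCR) and the PIN."""

    def __init__(self):
        self._srk = secrets.token_bytes(32)

    def seal(self, key: bytes, pcr: bytes, pin: bytes) -> dict:
        wrap = hmac.new(self._srk, pcr + pin, hashlib.sha256).digest()
        return {
            "pcr": pcr,                                # expected platform state
            "auth": hmac.new(self._srk, pin, hashlib.sha256).digest(),
            "blob": bytes(a ^ b for a, b in zip(key, wrap)),
        }

    def unseal(self, sealed: dict, current_pcr: bytes, pin: bytes):
        if not hmac.compare_digest(sealed["pcr"], current_pcr):
            return None  # boot chain differs from the one the key was sealed to
        auth = hmac.new(self._srk, pin, hashlib.sha256).digest()
        if not hmac.compare_digest(sealed["auth"], auth):
            return None  # wrong PIN
        wrap = hmac.new(self._srk, current_pcr + pin, hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(sealed["blob"], wrap))


# Constructed stage images standing in for the real boot components.
TRUSTED_CHAIN = [b"BIOS image v1", b"MBR from disk", b"bootmgr", b"winload.exe"]
PIN = b"1234"


def provision(tpm: ToyTPM, disk_key: bytes) -> dict:
    """Seal the disk key to the measurement of the trusted chain."""
    return tpm.seal(disk_key, measure_chain(TRUSTED_CHAIN), PIN)


def boot(tpm: ToyTPM, sealed: dict, chain, pin: bytes):
    """Return the disk key if `chain` measures to the sealed value, else None."""
    return tpm.unseal(sealed, measure_chain(chain), pin)


def demo():
    tpm = ToyTPM()
    disk_key = secrets.token_bytes(32)
    sealed = provision(tpm, disk_key)
    normal = boot(tpm, sealed, TRUSTED_CHAIN, PIN)
    # Booting from other media: firmware measures that boot sector instead
    # of the disk MBR, so the PCR diverges and the key stays sealed.
    other_media = [b"BIOS image v1", b"bootkit boot sector", b"bootmgr", b"winload.exe"]
    tampered = boot(tpm, sealed, other_media, PIN)
    return normal == disk_key, tampered is None


if __name__ == "__main__":
    print(demo())  # (True, True)
```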

  123. Re:I cannot believe it... by Krneki · · Score: 1

    It gives you the full list of all the users and you select which one you want to reset.

    --
    Love many, trust a few, do harm to none.
  124. Re:I cannot believe it... by UncleTogie · · Score: 1

    Actually, it's much tougher with Vista than any Linux distro I've run into.

    Actually, there are a number of Linux-based recovery disks that can null or change a Vista password easily within 3-5 minutes.... but as pointed out, with physical access, all bets are off.

    --
    Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
  125. Re:YOU weren't posting, ken dawson was by Anonymous Coward · · Score: 0

    oblig xkcd reference

  126. Re:YOU weren't posting, ken dawson was by home-electro.com · · Score: 3, Funny

    This is very old news. A similar article was posted about a year ago. New guy - same shit. The attacker needs physical access to the PC, which is absolute no-fair. Why the fukc you need to fuss around, when you just can take the whole thing home?

    The same can be said about any OS -- if you're allowed to mess with its files, you can make a rootkit. How dumb does one have to be to make a story out of this nonsense?

    OMG, "There is no fix for this, it is a design problem". You damn right, it is a design problem. IN YOUR HEAD.

  127. Re:I cannot believe it... by sexconker · · Score: 1

    XP + AD doesn't let you do that (without a bunch of hacking that breaks stuff). And you can always get the account back easily.

  128. Re:Attack requires editing RAM contents during boo by Z80xxc! · · Score: 1

    Remotely control the machine once the rootkit is in place, yes, but it can't remotely install itself. The process requires booting off of a CD to modify the contents of the RAM while the OS is booting. So, if you disable booting from CD in the BIOS and require a supervisor password, then problem solved.

  129. Idiots by Anonymous Coward · · Score: 0

    If some idiot runs an executable for you, you might as well have physical access to the machine.

  130. Re:YOU weren't posting, ken dawson was by innocence18 · · Score: 1

    You've confused me. How do you leave your USB stick or external drive connected to a box you DON'T have physical access to?

    --
    Anonymity of the internet is responsible for the views expressed in my post.
  131. Re:YOU weren't posting, ken dawson was by mhall119 · · Score: 1

    If the box owner leaves his own USB drive connected, and a remote attacker gains user-level access to his box, he can write to that drive and force a reboot. If the user's system is configured to boot from USB, then the remote attacker might be able to use this exploit, no physical access was necessary.

    --
    http://www.mhall119.com
  132. Re:I cannot believe it... by Kalriath · · Score: 1

    Except that it cannot reset Domain accounts. If you haven't got any local accounts (not recommended) there's not much you can do.

    --
    For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  133. Re:I cannot believe it... by Kalriath · · Score: 1

    Dude, it's "unfixable" for ALL operating systems. Linux. Mac OS. Windows. Unix. Solaris. Novell. ALL. This isn't news in any sense of the term.

    --
    For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  134. Re:YOU weren't posting, ken dawson was by thebigbadme · · Score: 1

    You damn right, it is a design problem. IN YOUR HEAD.

    Thanks. Made me shoot beer out of my nose.

    --
    "It's the Law of the Universe, and I'm the sheriff." Slash-cott 2/10-2/17
  135. Re:I cannot believe it... by V!NCENT · · Score: 1

    If you don't have Coreboot then you have a master password. What's the manufacturer of that motherboard?

    Since the lock can be opened with a key, you can open it with an identical key. You can make an identical key with a credit card and a knife.

    There are lockpicking hobbyists who do it just for the fun of it and not for criminal intent. I remember reading an article (I thought it was on /. but I'm not sure) that there was only one lock in the world that these guys could not open. You could buy it somewhere in Denmark or Sweden if I am not mistaken. In any case it was in some European country.

    --
    Here be signatures
  136. 7000 Mhz? by Anonymous Coward · · Score: 0

    Call me when it gets OVER 9000 Mhz

  137. It can also be installed without physical access by ens0niq · · Score: 2, Informative

    From an interview with authors:

    http://www.securityfocus.com/columnists/442/2

    "How can an attacker deploy it?

    Nitin & Vipin: An attacker doesn't need to install, that's the way it has been designed. Just boot the system by placing the vbootkit media (containing vbootkit in bootsectors) in the drive, and start booting. After Vista boots, you can verify that you are running vbootkit, by checking the privilege of any running cmd.exe, the sample converts all low-privileged cmd.exe process to SYSTEM privileges. It also supports system compromise via PXE booting.

    It doesn't need any privileges only physical access to the machine. It can also be installed to a remote system under some conditions (without physical access)."

  138. how I take control of windows 7.... by Anonymous Coward · · Score: 0

    I like to use a mouse.

  139. Re:I cannot believe it... by sexconker · · Score: 1

    They're mostly Dells bought in large quantities, and the master passwords either do not exist, or are not universal to a model/motherboard.

    They can be obtained (if they exist) only by calling Dell with a service tag, and possibly reading off a stamp on the BIOS chip. Oh, you'll have to prove you're the owner of the machine as well.

    There are various other machines as well - some you would have to open the case to find out the motherboard, and some are Macs.

    You can't make an identical key without seeing the original, can you? If you have the original, you have no need to make a copy. Credit cards are the wrong thickness anyway. We're not talking about shitty bike-lock style "keys".

    Yeah, because they've opened EVERY OTHER LOCK in the world? I have no doubt the locks are easy to pick. I have no doubt that anyone trying to do so would be caught, as they are visually monitored, and would be seen crawling under desks and getting in the way of other people using the labs.

    I have no doubt that the magic lock you speak of can be picked as well.

    The building is locked and alarmed at night. The police arrive quickly, with guns drawn. Each machine bought has its serial numbers recorded and the machines are physically engraved with the serial number and name of the labs, as soon as they are received.

    Yes, you could get around all of those things.
    No, no one has ever deemed it worth the risk.

  140. Re:I cannot believe it... by Kingrames · · Score: 1

    Fuck that, even the most experienced programmers will give you the keys to their system if you fucking ask nicely.
    Helps if you delegate the task to one of your lady assistants though.

    Sometimes they just start spewing binary.

    --
    If you can read this, I forgot to post anonymously.
  141. Replace the SAM by MEK_LoveBug · · Score: 1

    I haven't had to look into how to do so in Vista yet.
    -- mjm1231 (751545), Thursday April 23, @03:28PM (#27692705)

    I know that replacing the SAM file under %windir%\system32\config with a SAM that has no password assigned is a way to blow by the password security in Windows NT variants. SysInternals NT locksmith (or their graphical bootup recovery disk) pretty much do the same thing but make it simpler in that you don't need a bootable Linux or DOS Operating System to do it from (which also means they would need an ntfs filesystem read/write capable driver also in order to do so). Hope I am correct on this, as it has been years since I read of and tried some of these things.

  142. Take Computershack's advice @ your own risk by Anonymous Coward · · Score: 0

    See subject line & this url http://it.slashdot.org/comments.pl?sid=1198841&cid=27622135 because as you can see at that url? He is just a noob that operates only on the surface of things, but has little to no understanding of what is really going on in Windows (or any other Operating System).

  143. Re:I cannot believe it... by Krneki · · Score: 1

    I have no experience with Win7.

    --
    Love many, trust a few, do harm to none.