Information Security

Some of the things I worked on in Windows 7

Ryan M. Hurst — Wed, 21 Apr 2010 22:18:46 GMT

One of the things I love about working at Microsoft, and working in Windows, is your ability to influence so many areas.

This article at PC World discusses a number of areas (as you can imagine it's just a partial list) that I was able to directly influence or work on during the Windows 7 release, the mentioned ones include:

DNSSec
Extended Protection for Authentication,
Bitlocker To-Go
Better Cryptography
Direct Access

Pretty cool if you ask me!

Ryan

Generic Identity Device Specification Published

Ryan M. Hurst — Fri, 09 Apr 2010 17:21:34 GMT

In the PC ecosystem, when a new device (say mass storage) technology is introduced, commonly there is little standardization, vendors produce proprietary software stacks for interacting with that device, they have custom hardware interfaces for interacting with the device, custom software for managing those devices, etc.

As a device picks up in popularity common platform programing interfaces typically emerge, sometimes these are commercial in nature, other times they are standards based; in either case the goals of these interfaces are simple: abstract out the variety in the hardware ecosystem for the application developer allowing them to write software that can run on any machine regardless of which vendor manufactured a given device. These abstractions also commonly allow the sharing of devices so that multiple applications can use them at the same time.

The next phase in a devices maturity is normally the definition of a class interface for interacting with hardware, it’s this last phase that allows the “no driver needed” story that users like so much; we all reap the rewards of this with flash drives today, plug in the device and it just works (the same is true for display technologies like VGA).

These class drivers commonly cater to the lowest common denominator when it comes to functionality, but vendors are always able to add additional capabilities that are exposed when their drivers and custom software are present (again think about display technologies here as a good example).

There is one device in particular that has not entirely followed this flow that I wanted to talk about and that is Smart Cards; as a concept was they emerged in the 1970s, the first cards went into production in the late 70s. Here we are 40 years later and there is no clear “class driver” for these devices, that is not to say there have not been attempts, some even with success, but those that have had success have been closed system solutions, for example the PIV interfaces used within the US Federal Government.

In the commercial space however, no class specification that has been attempted really was viable, there are lots of reasons for this but I am cautiously optimistic that there is now a candidate.

One of the projects I was working on over the last few years was the specification of the Generic Identity Device Specification, this attempts to build on the success of the government based card specifications and extend it to commercial applications as well.

I had opportunities to work with some great folks on this effort, we all had the same goal make smart cards as reliable, cost effective and accessible as possible; I believe this work does just that.

This specification has now been released by Microsoft under the Microsoft Community Promise, that means it is available royalty free for anyone to adopt; this is a big win for our partners and above all the customers who will benefit the most from it.

So what does this mean for you? Well if you’re a customer looking to deploy smart cards you should seriously look for vendors who produce cards that are compliant with this specification, it means lower cost of deployment, makes it easier for you to multi-source cards and in the end it will likely reduce the overall cost of cards as volumes go up based on function of scale.

For a card manufacturer there are a number of benefits as well, it is possible to develop a GIDS card that is compatible with the PIV card-edge, this means you can develop a single card stock get it evaluated for FIPS (or whatever other standard) that can be sold into commercial or government applications (reducing cost) and these cards will have a great experience in Windows.

If you are a platform or operating system developer you now have a specification you can use as a baseline for testing card scenarios, a way to (hopefully) support a large number of “real” cards that will exist on the market (soon I hope), if this happens we can experience driver coverage numbers similar to other device classes.

For those of you not in this segment, this last point is super important, there is so much fragmentation in the market no solution has over a couple percent of card coverage in-box, if this specification gets adopted that number can start to look more like other device classes where the number is in the 90 percentile range.

In any event, I am pleased to see this out there, here’s hoping it gets adopted broadly…

Identity theft insurance, the devil is in the details

Ryan M. Hurst — Thu, 11 Mar 2010 20:25:02 GMT

In the past I wrote a blog post on how one can protect themselves from How to protect yourself from (financially related) identity theft, one of the ways I talk about protecting yourself is via identity theft insurance. I still think this is a good strategy but ran across an article today titled “LifeLock fined $12 million over lack of life-locking ability“.

As I said in my last post the devil is in the details, as with all insurance policies you need to understand what promises are actually being made and who is it that will stand behind those promises…

PB-TNC: A Posture Broker Protocol (PB) Compatible with TNC to be published tomorrow

Ryan M. Hurst — Wed, 03 Mar 2010 23:42:45 GMT

This week is RSA, the largest security conference in the world; this is the 1st year in a very long time I won’t be there but, this year Scott Charney included a focus on the Isolation of Infected Machines in his keynote.

The timing of this is excellent (for me) because a specification I worked on in the IETF around standardizing an evolution of one of the core protocols used in the Network Access Protection (NAP), the Microsoft uses in its product (and its own Networks) to isolate infected hosts on the network will be published tomorrow, in the meantime the final draft is here.

White Paper Published: Introduction to the Windows Biometric Framework

Ryan M. Hurst — Tue, 23 Dec 2008 18:39:41 GMT

We just recently published a new White Paper that provides a great Introduction to the Windows Biometric Framework.

Thinking outside-the-box, or loosing your privacy little by little

Ryan M. Hurst — Sun, 30 Nov 2008 07:31:04 GMT

I ran across a neat article on using Javascript and default CSS behaviors to infer what sites you frequent, this is not new, the earliest reference I could find of this was from 2006 but I bet this has been going on for much longer.

An example of analytics that can be applied to this data is that one follow is using your URL history to infer gender.

These are great examples of thinking outside the box and how privacy is an illusion (especially on the web).

Did you know you can disable the use of USB storage devices in Windows?

Ryan M. Hurst — Thu, 13 Nov 2008 10:28:17 GMT

Well to be honest the only way to really stop the use of external storage devices is to whip out your epoxy and fill all the external ports on a machine.

Any policy that is locally enforced is a policy that can be bypassed by an attacker with local administrative privileges or physical access.

Plus if the definition of an attacker also includes the authorized user of the machine there are vectors that do not involve physical media that can *and will* be used (email, IM, web, etc.) to get the data off the machine.

With that being said it is actually possible disable the use of USB storage devices in Windows, I know a few companies who actually do this when paired with Extrusion Prevention Systems and/or Information Rights Management (IRM) systems (Its important to note such systems are best effort also, I suppose information does want to be free??).

The mechanism I am speaking about is documented in KB823732, it is supported as of XP SP2 and once is set the devices function as read-only devices only.

People should think carefully before deploying such a policy, there are plenty of legitimate reasons to use USB drives and doing this and settings like this don't differentiate by use case.

How to tell if a volume is Bitlocker protected with TPM and PIN

Ryan M. Hurst — Wed, 12 Nov 2008 10:47:57 GMT

Today I was presented with a question, how can I tell if the OS volume is protected with Bitlocker a TPM and a PIN.

Since I could not sleep (its 2:30AM right now) I figured I would throw together a quick and dirty script that checks for that, it was pretty easy to do.

I started with the documentation for Win32_EncryptableVolume which I recall seeing previously in a unrelated mail at some point, from there I discovered the GetKeyProtectors method, I then did a search on Live for GetKeyProtectors and VBSCRIPT that was scoped to Microsoft.com domains.

This got me a handful of samples, I took one hacked it up and came up with this:

' --------------------------------------------------------------------------------
' Get configuration we will need
' --------------------------------------------------------------------------------
' Get the OS System Drive
set shell = WScript.CreateObject( "WScript.Shell" )
strDriveLetter = shell.ExpandEnvironmentStrings("%SystemDrive%")

' Target computer name
' Use "." to connect to the local computer
strComputerName = "."

' --------------------------------------------------------------------------------
' Connect to the BitLocker WMI provider class
' --------------------------------------------------------------------------------

strConnectionStr = "winmgmts:" _
                 & "{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\" _
                 & strComputerName _
                 & "\root\cimv2\Security\MicrosoftVolumeEncryption"
On Error Resume Next 'handle permission errors

Set objWMIService = GetObject(strConnectionStr)

If Err.Number <> 0 Then
     WScript.Echo "Failed to connect to the BitLocker interface (Error 0x" & Hex(Err.Number) & ")."
     Wscript.Echo "Ensure that you are running with administrative privileges."
     WScript.Quit -1
End If

On Error GoTo 0

' --------------------------------------------------------------------------------
' Get a list of volumes that could be bitlocker protected.
' --------------------------------------------------------------------------------

strQuery = "Select * from Win32_EncryptableVolume where DriveLetter='" & strDriveLetter & "'"
Set colTargetVolumes = objWMIService.ExecQuery(strQuery)

If colTargetVolumes.Count = 0 Then
    WScript.Echo "FAILURE: Unable to find BitLocker-capable drive " & strDriveLetter & " on computer " & strComputerName & "."
    WScript.Quit -1
End If

' there should only be one volume found
For Each objFoundVolume in colTargetVolumes
    set objVolume = objFoundVolume
Next

' --------------------------------------------------------------------------------
' Now check if it was protected with a TPM and a PIN
' --------------------------------------------------------------------------------

nKeyProtectorTypeIn = 4 ' type associated with "TPM and Pin" protector

nRC = objVolume.GetKeyProtectors(nKeyProtectorTypeIn, aKeyProtectorIDs)

If nRC <> 0 Then
WScript.Echo "FAILURE: GetKeyProtectors failed with return code 0x" & Hex(nRC)
WScript.Quit -1
End If

' there should only be one volume found
For Each objFoundVolume in colTargetVolumes
    set objVolume = objFoundVolume
Next

' --------------------------------------------------------------------------------
' Now return what we found.
' --------------------------------------------------------------------------------
On Error Resume Next 'handle unitialized array

If IsNull(aKeyProtectorIDs(0)) Then
    WScript.Echo "This volume is NOT TPM and PIN protected."
Else
    WScript.Echo "This volume IS TPM and PIN protected."
End If

From the time I decided to write the script, to the time I wrote it and tested it was about 15 to 20 minutes; the samples were great, the MSDN documentation was pretty decent too; all this without ever doing anything with Bitlocker before, WMI is great stuff.

I may never use this but if nothing else it was quick and fun to throw together, maybe it will help you.

What I have been up to for the last year...

Ryan M. Hurst — Sat, 08 Nov 2008 00:47:16 GMT

A year ago I announced I took a new job back in Windows Security, I have not had much chance to blog since I took the new job but even if I did have the time I could not talk about the stuff I had been working on.

But times are a bit different now, a week ago was the Professional Developers Conference and this week was WinHEC; these were really the 1st events where Windows 7 became a public thing so now its safe for me to talk about what I have been up to.

As I said in a previous post my groups mission is to build platform technologies and solutions that enable secure password-less authentication into Windows, networks and the applications built on our platform.

To that end over the last year we have defined and delivered a platform for Biometric Devices in Windows, the "Windows Biometric Framework", this has been one of the best projects I have worked on at Microsoft.

Its just amazing that a year ago we had a whiteboard drawing and now we have a full platform and solutions built on that platform with support from great partners like Upek and Authentec (there are others too but I can't name them yet).

The cool bits of this project are in the platform, not in the user interface but the part people get to see is always a good place to start, in the "Hardware and Sound" control panel you now see a Biometric Devices control panel applet:

It exposes a set of common tasks related to Biometric devices, these of course include "Use your fingerprint to log on to Windows".

The control panel applet itself includes a list of Biometric Units that are registered on the machine, this machine (my Lenovo X61) has a Upek based Biometric Unit, you can see it bellow:

From this location you can "Remove your fingerprint data" if you do not feel comfortable with this data being persisted on the machine, or you can manage/enroll fingers.

Currently the platform only supports fingerprint readers, but its designed to support other concepts like facial recognition, vein recognition, geometry, iris and more.

In future versions of Windows, as these technologies become more common I hope to see it expanded to include native support for them as well.

So far the feedback has been great, the solution is the fastest we have tested and it allows for these solutions to co-exist, so you can buy a laptop with a built in fingerprint sensor from one manufacturer and a mouse with a sensor from another and they can both work on the same machine, unfortunately today that's not normally the the case.

There is lots more in store for Strong Authentication in Windows 7 also, I will try to write more about this and other features in this area in the future.

Hah, this reminds me of some usability tests I have seen...

Ryan M. Hurst — Sun, 22 Jun 2008 06:06:03 GMT

Have you ever used Live? As a stock holder I hope so, when you register a Live ID or when you change your Live account password you are given a Password Quality Feedback Indicator, a couple friends of mine worked on this, feedback indicators are not new, but the Live one is the first one I had a chance to hear 1st hand about the design process used and how well such systems fair with users in usability tests.

In any event I ran across a blog post/cartoon on password validation that reminded me of this and made me chuckle, as such I decided it was worth sharing with you.