Information Security

Did you know you can disable the use of USB storage devices in Windows?

Ryan M. Hurst — Thu, 13 Nov 2008 10:28:17 GMT

Well to be honest the only way to really stop the use of external storage devices is to whip out your epoxy and fill all the external ports on a machine.

Any policy that is locally enforced is a policy that can be bypassed by an attacker with local administrative privileges or physical access.

Plus if the definition of an attacker also includes the authorized user of the machine there are vectors that do not involve physical media that can *and will* be used (email, IM, web, etc.) to get the data off the machine.

With that being said it is actually possible disable the use of USB storage devices in Windows, I know a few companies who actually do this when paired with Extrusion Prevention Systems and/or Information Rights Management (IRM) systems (Its important to note such systems are best effort also, I suppose information does want to be free??).

The mechanism I am speaking about is documented in KB823732, it is supported as of XP SP2 and once is set the devices function as read-only devices only.

People should think carefully before deploying such a policy, there are plenty of legitimate reasons to use USB drives and doing this and settings like this don't differentiate by use case.

How to tell if a volume is Bitlocker protected with TPM and PIN

Ryan M. Hurst — Wed, 12 Nov 2008 10:47:57 GMT

Today I was presented with a question, how can I tell if the OS volume is protected with Bitlocker a TPM and a PIN.

Since I could not sleep (its 2:30AM right now) I figured I would throw together a quick and dirty script that checks for that, it was pretty easy to do.

I started with the documentation for Win32_EncryptableVolume which I recall seeing previously in a unrelated mail at some point, from there I discovered the GetKeyProtectors method, I then did a search on Live for GetKeyProtectors and VBSCRIPT that was scoped to Microsoft.com domains.

This got me a handful of samples, I took one hacked it up and came up with this:

' --------------------------------------------------------------------------------
' Get configuration we will need
' --------------------------------------------------------------------------------
' Get the OS System Drive
set shell = WScript.CreateObject( "WScript.Shell" )
strDriveLetter = shell.ExpandEnvironmentStrings("%SystemDrive%")

' Target computer name
' Use "." to connect to the local computer
strComputerName = "."

' --------------------------------------------------------------------------------
' Connect to the BitLocker WMI provider class
' --------------------------------------------------------------------------------

strConnectionStr = "winmgmts:" _
                 & "{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\" _
                 & strComputerName _
                 & "\root\cimv2\Security\MicrosoftVolumeEncryption"
On Error Resume Next 'handle permission errors

Set objWMIService = GetObject(strConnectionStr)

If Err.Number <> 0 Then
     WScript.Echo "Failed to connect to the BitLocker interface (Error 0x" & Hex(Err.Number) & ")."
     Wscript.Echo "Ensure that you are running with administrative privileges."
     WScript.Quit -1
End If

On Error GoTo 0

' --------------------------------------------------------------------------------
' Get a list of volumes that could be bitlocker protected.
' --------------------------------------------------------------------------------

strQuery = "Select * from Win32_EncryptableVolume where DriveLetter='" & strDriveLetter & "'"
Set colTargetVolumes = objWMIService.ExecQuery(strQuery)

If colTargetVolumes.Count = 0 Then
    WScript.Echo "FAILURE: Unable to find BitLocker-capable drive " & strDriveLetter & " on computer " & strComputerName & "."
    WScript.Quit -1
End If

' there should only be one volume found
For Each objFoundVolume in colTargetVolumes
    set objVolume = objFoundVolume
Next

' --------------------------------------------------------------------------------
' Now check if it was protected with a TPM and a PIN
' --------------------------------------------------------------------------------

nKeyProtectorTypeIn = 4 ' type associated with "TPM and Pin" protector

nRC = objVolume.GetKeyProtectors(nKeyProtectorTypeIn, aKeyProtectorIDs)

If nRC <> 0 Then
WScript.Echo "FAILURE: GetKeyProtectors failed with return code 0x" & Hex(nRC)
WScript.Quit -1
End If

' there should only be one volume found
For Each objFoundVolume in colTargetVolumes
    set objVolume = objFoundVolume
Next

' --------------------------------------------------------------------------------
' Now return what we found.
' --------------------------------------------------------------------------------
On Error Resume Next 'handle unitialized array

If IsNull(aKeyProtectorIDs(0)) Then
    WScript.Echo "This volume is NOT TPM and PIN protected."
Else
    WScript.Echo "This volume IS TPM and PIN protected."
End If

From the time I decided to write the script, to the time I wrote it and tested it was about 15 to 20 minutes; the samples were great, the MSDN documentation was pretty decent too; all this without ever doing anything with Bitlocker before, WMI is great stuff.

I may never use this but if nothing else it was quick and fun to throw together, maybe it will help you.

What I have been up to for the last year...

Ryan M. Hurst — Sat, 08 Nov 2008 00:47:16 GMT

A year ago I announced I took a new job back in Windows Security, I have not had much chance to blog since I took the new job but even if I did have the time I could not talk about the stuff I had been working on.

But times are a bit different now, a week ago was the Professional Developers Conference and this week was WinHEC; these were really the 1st events where Windows 7 became a public thing so now its safe for me to talk about what I have been up to.

As I said in a previous post my groups mission is to build platform technologies and solutions that enable secure password-less authentication into Windows, networks and the applications built on our platform.

To that end over the last year we have defined and delivered a platform for Biometric Devices in Windows, the "Windows Biometric Framework", this has been one of the best projects I have worked on at Microsoft.

Its just amazing that a year ago we had a whiteboard drawing and now we have a full platform and solutions built on that platform with support from great partners like Upek and Authentec (there are others too but I can't name them yet).

The cool bits of this project are in the platform, not in the user interface but the part people get to see is always a good place to start, in the "Hardware and Sound" control panel you now see a Biometric Devices control panel applet:

It exposes a set of common tasks related to Biometric devices, these of course include "Use your fingerprint to log on to Windows".

The control panel applet itself includes a list of Biometric Units that are registered on the machine, this machine (my Lenovo X61) has a Upek based Biometric Unit, you can see it bellow:

From this location you can "Remove your fingerprint data" if you do not feel comfortable with this data being persisted on the machine, or you can manage/enroll fingers.

Currently the platform only supports fingerprint readers, but its designed to support other concepts like facial recognition, vein recognition, geometry, iris and more.

In future versions of Windows, as these technologies become more common I hope to see it expanded to include native support for them as well.

So far the feedback has been great, the solution is the fastest we have tested and it allows for these solutions to co-exist, so you can buy a laptop with a built in fingerprint sensor from one manufacturer and a mouse with a sensor from another and they can both work on the same machine, unfortunately today that's not normally the the case.

There is lots more in store for Strong Authentication in Windows 7 also, I will try to write more about this and other features in this area in the future.

Hah, this reminds me of some usability tests I have seen...

Ryan M. Hurst — Sun, 22 Jun 2008 06:06:03 GMT

Have you ever used Live? As a stock holder I hope so, when you register a Live ID or when you change your Live account password you are given a Password Quality Feedback Indicator, a couple friends of mine worked on this, feedback indicators are not new, but the Live one is the first one I had a chance to hear 1st hand about the design process used and how well such systems fair with users in usability tests.

In any event I ran across a blog post/cartoon on password validation that reminded me of this and made me chuckle, as such I decided it was worth sharing with you.

Cem has a interesting post on LifeLock

Ryan M. Hurst — Thu, 19 Jun 2008 05:58:21 GMT

My friend Cem over at Random Oracle has written a interesting post on LifeLock, I have written about these Identity Theft insurance companies before here.

I am personally signed up with Debix, I recently financed a car and it was awkward to get the financing setup because of the approval process compared to what it would be otherwise, that's really the point though, isn't it?

In any event, I can say at least in my case, I can see how the Debix brokering of the fraud alert provides a level of protection that I think is worth having, though in name of full disclosure I did not have to pay for the service and I have not gone through the personal evaluation process to determine what the cash value to me is as of yet.

I guess the real proof of value comes in when you have to claim the insurance and you see how awkward that process is.

In general though as you can see in my prior post on this topic I am a fan of such programs being underwritten by a company you know and trust, and LifeLock is self insured .

That being said there are many types of Identity Theft, and these services don't help protect you from all of them, though they do help in the case of financially oriented threats.

Check out Cem's post though, its worth a read.

Did you ever wonder who contributes to Internet standards?

Ryan M. Hurst — Thu, 19 Jun 2008 05:25:52 GMT

I stopped by the Malt and Vine tonight and picked up some interesting dark beers (I am a huge fan of stouts, porters and dark ales), and while sitting here enjoying a Dogfish Head World Wide Stout I figured I would look at IETF statistics (I am a wild one!).

Jari Arkko runs a great website that tracks this, its worth checking out some of the more interesting charts he has are the affiliation chart, the historical affiliation and of course there is me.

The author stats dont show contributions to specifications where a individual or company is not listed as a explicit author, and there are general (unpublished?) rules around how many authors can/should be listed so contributors often are relegated to a un-tracked acknowledgement sections or no reference at all (one can check news group archives to find many of these folks, they do matter).

So, like all statistics take these numbers with a grain of salt; don't get me wrong they do provide value, with that being said some things are so exaggerated you can't help but notice.

For example, look at the author distribution for CISCO relative to their closest peer (its 2.5 times!!); this is no surprise to anyone who has participated in the IETF, its pretty common to go into a hum (a consensus process in the IETF) and see a room with a bunch of CISCO people in it.

Another interesting thing to notice is the number of authors in a given company, Microsoft has 65 (making them/us #5) while CISCO has 255 (They are #1 in participation); that's not to say that more authors is better or worse, like all things the devil is in the details.

A couple statistics I think would be interesting, probably more interesting IMHO, would be a historical trend of standard velocity (how long standards take to get completed in the IETF over time) another would be some metric that showed specification vs. deployment on the internet.

Well back to my beer.

MSNBC publishes 10 worst jobs in science...

Ryan M. Hurst — Thu, 29 May 2008 21:56:21 GMT

MSNBC just published its 10 worst jobs in science "Microsoft security grunt" made number 6 on this list; for me that is weird for a few reasons:

I think of software and security as more art than science.
The description of the role is one that if stretched a bit (ok maybe more than a bit) it would include me and my job isnt so bad.

I just thought this was worth sharing,

OK, I admit it, I am twisted...

Ryan M. Hurst — Sun, 23 Mar 2008 01:22:27 GMT

I was catching up on reading blogs and such and ran across this post from Bruce Schneier over at Wired titled "Inside the Twisted Mind of the Security Professional".

The premise of this so aptly titled post is that security professional's just think differently, and that this difference is a trait that might just be innate in certain individuals; I have to agree.

I got into electronics (including computers) as a child as a means to figure out how they worked, it started by taking them apart and putting them back together; though in many cases I ended up with extra parts most of the time they went back together just fine .

I quickly learned that this was mostly a mechanical exercise, and that no amount of assembly and re-assembly would really tech me how these things worked; so I started looking at the software.

The interest in software was really again trying to understand how these magnificent boxes worked, I recall looking at the files that made up programs trying to understand their role and ultimately realizing for me to really understand how things worked I had to be able to re-produce approximations of them and so I taught my-self to program (Basic, Pascal, C, and c64 and x86 assembly).

Once I mastered the basics I came back to looking at these programs, trying to understand them and utilizing the basic understanding of computer architecture and programming I had amassed, from there I started trying to see how I could bypass the copy protections on games; it's really this that got me into computer security.

Here there was this commercial software developed by a mass of professionals designed to prevent me, a punk kid from doing something and I was able to by-pass it; I recall how proud I was of myself at first but this quickly lapsed as I realized problems like this were impassable, I was 10.

My friend Josh and I started fumbling around on bulletin boards across the nation, It remember going into a chat room with Josh and some guy offered us a step-by-step guide of sorts to log in and control phone switches as a means to make free international calls; he had written this guide based on a manual he stolen out of the back of a telephone operators truck, the inside cover of the manual included the default password for this switch.

I remember this guy telling us how he went about it, and how amazed he was when he found that most of the switches out there were based on this same system and no one changed the default password; this guy was not much older than us, maybe 15 or 16 but again clearly pleased with how he was able to figure this all out.

For me this was the beginning of understanding social and computer networking, and the beginning of me seeing myself as a "hacker".

As a "hacker", I prided my myself in my common sense and the lack of common sense in others; every where I went I was looking for flaws, things that other people missed.

I remember when we moved to our new house, my mom called the power and phone companies to have our service transferred, I listened to her side of the phone call and she never had to give them any private information; I was amazed. Several months later some kid picked on me at school so I called the phone and power company to have their service disconnected, it worked.

This view on life has continued to this day, I have of course grown up and no longer use my insights for evil (at least intentionally) but I thank my lucky stars I see the world the way I do.

As for this view of life being innate in some, as I said. I believe it is; however I also believe it can be learned though I don't know if it can be taught. As a "hacker" when I watch movies I look for the mistakes, the things that were of such a small detail that they were missed by the production staff, when I got married I started to share these findings with my wife who was always surprised I noticed such things.

However at one point in our marriage she started finding these flaws before I did and when we discuss strategy on issues she also now finds angles I may have missed; she tells me that this is something she has learned from me, all I can say is I certainly didn't mean to teach it as now she can use it against me

RFC 5216 is published!

Ryan M. Hurst — Sat, 22 Mar 2008 19:33:05 GMT

Previously I mentioned I was working on an update to RFC 2716 that process is now complete, the RFC number for this new work is 5216.

This update was really about adding clarifying text address common implementation issues, better aligning the specification with its dependent RFCs (like RFC 4346, RFC 3280, etc), updating to specification to represent actual implementation practices to aid in interoperability and of course improving security guidance for implementers.

To be clear, no new capabilities were added to this RFC; despite that the document increased 35.9934% in size (from 50.2 KB to 71.7 KB); larger doesn't always mean better but in this case I think it does.

Book: The New School of Information Security

Ryan M. Hurst — Sun, 09 Mar 2008 22:35:17 GMT

OK, so I was not a reviewer or contributor to this new title but I do know the author and he is a bright guy, Adam Shostack is about to release his new book "The New School of Information Security"; when I first met Adam he was with Zero-Knowledge Systems as their Most Evil Genius, who could forget a title like that?

So whats the new book about? In Adam's own words its:

The New School is a systemic look at dysfunction within information security, and a look at some of the ways people are looking to make things better. We think there's an emerging way of approaching the world, which we call the New School.

This is a concept I know I beleive in, one I have discussed numerous times with folks over beer; with that being said I can't wait to get my copy to see what the Most Evil Genious thinks.