Common Microsoft security tool can be disabled in seconds

BitLocker protects against some, but not all, attempts to hack into stolen laptops.

Many businesses use a common Microsoft security tool to protect company secrets and their employees’ and customers’ data. But last week, a security researcher found a flaw in the system that could lead to the tool being disabled within a matter of seconds.

The researcher, Ian Haken from the software security testing company Synopsys, exposed the problem last week at the Black Hat cybersecurity conference in Amsterdam, according to Computerworld. The flaw involves Microsoft BitLocker, a tool many businesses use to encrypt their employees’ computers and protect proprietary and personal data.

By exploiting a common Windows authentication bypass, Haken found that BitLocker-protected files could be at risk. Microsoft has released security bulletin MS15-122 with a patch, and Haken suggests that BitLocker users install it immediately.

Many businesses use domain-based authentication, meaning a user’s password is checked against the domain controller. But outside of the office, when the domain controller is out of reach, authentication may rely only on local credentials stored on each laptop.

To prevent access on machines that are lost or stolen, authentication systems also verify that the machine is registered on the domain controller with a different password. But outside the office, when the controller can’t be reached, the second password check is not activated, since the assumption is that a thief will not be able to change and thus bypass the user’s locally stored password.

However, Haken found a flaw that could allow thieves to do just that. By setting up a mock domain controller with the same name as the one a user normally connects to, a thief can then create the same user account with a new password, dating it far back in time to make it appear as an expired password.

When the hacker then tries to log in with that password, the system will prompt the user to update the password, before verifying that the machine is registered on the controller.

Creating the new password will replace the original one, including on the local credentials stored on the machine. The hacker can then disconnect from the network and log in successfully to the laptop using the unconnected local authentication.
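The ordering problem described above can be shown in a small model. This is an added example, not code from Haken, Synopsys or Microsoft; every class, name and value is constructed, and the `verify_machine_first` ordering is an assumed illustration of checking machine registration before the password change, not a description of what the MS15-122 patch does.

```python
# Toy model of the logon ordering described above; not Windows or Kerberos code. Values are constructed.
import hashlib
from dataclasses import dataclass, field

def h(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()

@dataclass
class DomainController:
    name: str
    users: dict                                   # user -> (password, expired?)
    machines: dict = field(default_factory=dict)  # machine -> machine secret

    def knows_machine(self, machine, secret):
        return self.machines.get(machine) == secret

@dataclass
class Laptop:
    machine: str
    machine_secret: str
    domain: str
    cached: dict                                  # user -> hash of last accepted password

    def offline_logon(self, user, pw):
        return self.cached.get(user) == h(pw)

    def domain_logon(self, dc, user, pw, new_pw, verify_machine_first):
        if dc.name != self.domain or user not in dc.users:
            return "rejected"
        trusted = dc.knows_machine(self.machine, self.machine_secret)
        if verify_machine_first and not trusted:   # assumed hardened ordering
            return "rejected: machine registration not verified"
        stored_pw, expired = dc.users[user]
        if pw != stored_pw:
            return "rejected"
        if expired:   # change flow writes the new password to the local cache
            dc.users[user] = (new_pw, False)
            self.cached[user] = h(new_pw)
            pw = new_pw
        if not trusted:   # flawed ordering: this check arrives too late
            return "rejected: machine not registered, cache already changed"
        self.cached[user] = h(pw)
        return "ok"

def cache_replaced(verify_machine_first):
    laptop = Laptop("LT-01", "machine-secret", "CORP-DC", {"alice": h("original-pw")})
    lookalike = DomainController("CORP-DC", {"alice": ("chosen-pw", True)})
    laptop.domain_logon(lookalike, "alice", "chosen-pw", "replacement-pw", verify_machine_first)
    return laptop.offline_logon("alice", "replacement-pw")
```

With the late check, the logon is rejected but the cached credential has already been overwritten; with the machine check first, the cache still holds the original password.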

Haken says the flaw has been in the authentication process since Windows 2000. When Microsoft introduced Vista, it also launched BitLocker specifically to protect machines that are lost or stolen. BitLocker successfully blocked hackers from getting into systems by using alternative operating systems to read the device’s drives, but it failed to address the flaw exposed by Haken.