My colleague Feliciano Intini (Chief Security Advisor here at Microsoft Italy) just pointed me to his post were he comments about a news which is (re)spreading across the web about a security hole in the recovery console in Windows Vista: if you can read Italian here is the post, otherwise go on an ready my translation.
Third episode of my anti-FUD column. True story (unfortunately): a few days ago someone has stolen the motorbike of a colleague of mine whom was working at a customer's site.How was the bike protected? With that special padlock which locks the front wheel, without any sort of chain to fasten to a physical stand. How did they stole the bike? They arrived with a truck, a few guys got off it and they loaded the bike by sheer force in less than 5 minutes! What do I want to say? Here is a fundamental concept in security field: physical security is the basis for all security. False fact: I'm reading in various posts which quote an article by Finnish Kimmo Rousku, which Windows Vista apparently has a security hole which "allows to gain unlimited access to anyone who has physical access to the pc, even if he does not know the password to log.in". Security experts will be already smiling reading the sentence in quotation marks above and I don't think they need further explanations, but they'll forgive me if I'll now spend some more words for the benefit of everyone, aiming to improve the so called "informatics (IT) security culture". This is NOT a security bug, if you have physical access to the machine you already won the game as already stated in the 10 immutable Laws of security: if a bad guy has unrestricted physical access to your computer, it's not your computer anymore. The protection of your data on the hard disk must necessarily rely on information encryption: this is the reason why BitLocker and EFS have been added to Windows Vista. And I also remind that they robustness of the ciphering is due to the robustness of the algorithm used and not to the availability of the keys; this is why in Vista: EFS has been improved to allow keeping private keys on smart cards more strong ciphering algorithms have been implemented With BitLocker the most secure combination requires to use the TPM chip and a USB pen (not to store together with the pc!) To complete what just said you can read the article 818200, which further explains those considerations about data protection on hard disks. Just a legitimate doubt remains, which also I thought about: if on Windows XP there was a password to protect access to the recovery mode, why that has been removed from Vista, thus generating the (wrong) perception of decreased security or even a bug?? Here is why: Repair Mode/Recovery Console are used exactly when we have troubles starting our pc. Since it has been verified that the majority of the problems starting Windows XP were due to file system and registry corruptions, it made no sense to force authentication to allow access to the disk, since that authentication precisely requires to read the registry or the file system to verify that the password entered was correct.Since that password was not adding a security layer in respect of an average technical competency (seen the physical security consideration I discussed above, and the general availability on the Internet of tools to run offline security attacks), on the contrary it was making harder the recovery activities, it has been chosen to remove it. So, I understand that a password gives a certain sense of security, but if that is just a false perception and just hurts the recovery functionality, then I agree the design choice to remove it: so, I clinch, this is NOT a security bug and Microsoft does not have anything to fix here...
Third episode of my anti-FUD column. True story (unfortunately): a few days ago someone has stolen the motorbike of a colleague of mine whom was working at a customer's site.How was the bike protected? With that special padlock which locks the front wheel, without any sort of chain to fasten to a physical stand. How did they stole the bike? They arrived with a truck, a few guys got off it and they loaded the bike by sheer force in less than 5 minutes! What do I want to say?
Here is a fundamental concept in security field: physical security is the basis for all security.
False fact: I'm reading in various posts which quote an article by Finnish Kimmo Rousku, which Windows Vista apparently has a security hole which "allows to gain unlimited access to anyone who has physical access to the pc, even if he does not know the password to log.in".
Security experts will be already smiling reading the sentence in quotation marks above and I don't think they need further explanations, but they'll forgive me if I'll now spend some more words for the benefit of everyone, aiming to improve the so called "informatics (IT) security culture".
This is NOT a security bug, if you have physical access to the machine you already won the game as already stated in the 10 immutable Laws of security: if a bad guy has unrestricted physical access to your computer, it's not your computer anymore. The protection of your data on the hard disk must necessarily rely on information encryption: this is the reason why BitLocker and EFS have been added to Windows Vista. And I also remind that they robustness of the ciphering is due to the robustness of the algorithm used and not to the availability of the keys; this is why in Vista:
To complete what just said you can read the article 818200, which further explains those considerations about data protection on hard disks.
Just a legitimate doubt remains, which also I thought about: if on Windows XP there was a password to protect access to the recovery mode, why that has been removed from Vista, thus generating the (wrong) perception of decreased security or even a bug?? Here is why: Repair Mode/Recovery Console are used exactly when we have troubles starting our pc. Since it has been verified that the majority of the problems starting Windows XP were due to file system and registry corruptions, it made no sense to force authentication to allow access to the disk, since that authentication precisely requires to read the registry or the file system to verify that the password entered was correct.Since that password was not adding a security layer in respect of an average technical competency (seen the physical security consideration I discussed above, and the general availability on the Internet of tools to run offline security attacks), on the contrary it was making harder the recovery activities, it has been chosen to remove it.
So, I understand that a password gives a certain sense of security, but if that is just a false perception and just hurts the recovery functionality, then I agree the design choice to remove it: so, I clinch, this is NOT a security bug and Microsoft does not have anything to fix here...
Of course feel free to comment both here and on Feliciano's blog, if you wish
Carlo
What if say the user has a none Vista Ultimate edition, which as i recall don't include EFS or Bitlocker. How are these users to protect there systems? What if in buying a consumer grade machine they are not able to use smartcards? Without these that pretty much leaves peoples computers open to the world. All of their tax information, credit card numbers that they store in browsers cache. Real smart, leave a gaping hole in the back so any joe thief can get my info. But thanks for making my life easier on the off chance i have to recover from an damaged file system.
@Aaron Fraser... did u read the post at all????
the whole point is if joe thief has physical access to your computer he can get your info ANYWAY, regardless of ANYTHING that microsoft or ANYONE ELSE does, unless you encrypt your data.
Sure I read your comment, and in fact you are confirming what Feliciano wrote in his post: if someone gains physical access to your pc he also owns your data, unless you encrypted them, I think this is explained quite clearly.
But if Joe thief gains physical access to your pc, that can't be considered a bug in Vista, but rather a bug in your physical security... don't you agree?
What Aaron is trying to say is Bitlocker, EFS is available only in Vista Ultimate, Business and Enterprise. Average home user who buys HP, DELL laptop off-the-self would get only Vista Home Basic, which neither has BitLocker nor EFS. So, his data is in trouble.
Microsoft should really have included BitLocker in other editions too.