Endpoint

12/5/2018
11:30 AM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Windows 10 Security Questions Prove Easy for Attackers to Exploit

New research shows how attackers can abuse security questions in Windows 10 to maintain domain privileges.

Attackers targeting Windows are typically after domain admin privileges. Once they have it, researchers say, the security questions feature built into Windows can help them keep it.

In a presentation at this week's Black Hat Europe, security researchers from Illusive Networks demonstrated a new method for maintaining domain persistence by exploiting Windows 10 security questions. Despite good intentions, the feature, introduced in April, has the potential to turn into a durable, low-profile backdoor for attackers who know how to exploit it.

Windows admins are prompted to set up security questions as part of the Windows 10 account setup process. Tom Sela, head of security research at Illusive Networks, said the addition reflects a broader effort by Microsoft to build security into Windows 10. However, it also shows the delicate balance companies must strike in maintaining usability while improving protection.

"I think Microsoft also wants to introduce new usability features," Sela explained in an interview with Dark Reading. "There is a fine line with advancing security but also adding new usability features that may compromise security."

Magal Baz, security researcher at Illusive Networks, said the questions are more of a usability feature, designed for convenience, than a security mechanism. Today, if you forget your Windows login password, you're locked out of your machine and have to reinstall the operating system to regain access, he said. The questions feature lets users log back into their accounts by providing the name of their first pet, for example, in lieu of their password.

"Now in terms of security ... I don't think that it is well-protected," he explained. Because those questions and answers have the same power as a password, you'd think they would be as secure. However, unlike passwords, answers to security questions are not long and complex, they don't expire, and most of the time they don't change. "All the limitations that make passwords safer are not applied on the security questions," Baz pointed out.

In addition to having answers that can be found on social networks, the security questions "are not monitored. There are no policies around it – it's just there," he continued. "It allows you to regain access to the local administrative account." There's a reason why companies including Facebook and Google have stopped using security questions to secure accounts, Baz added.

Unlocking Admins' Answers
Before describing how this approach works, it's important to add context first. In recent years, attackers have not only sought domain access but a means of maintaining a reliable and low profile on the domain. The process of becoming a domain admin has become much easier, Baz added. "A couple of years ago, it was thought this could take months ... it has shrunk into hours," he says.

To turn the questions feature into a backdoor, an attacker must first find a way to enable and edit security questions and answers remotely, without the need to execute code on the target machine. The attacker must also find a way to use preset Q&A to gain access to a machine while leaving as few traces as possible, Baz and Sela explained in their presentation.

Windows 10 security questions and answers are stored as LSA Secrets, where Windows stores passwords and other data for everyday operations. With administrative access to the registry, one can read and write LSA Secrets. One can change a user's security questions and answers, installing a backdoor to access the same system in the future.

An attacker could remotely use this feature, for any and all of the Windows 10 machines in the domain, to control security questions and answers to be something he chooses, Baz said. The implications for someone abusing this without the account holder's knowledge are huge. Unlike passwords, which eventually expire and can be edited any time, security questions are static. The name of your first pet or mother's maiden name, for example, don't change, Baz pointed out.

Sela and Baz described use cases in which this tactic can be useful for an attacker. Someone could "spray" security questions across all Windows 10 machines and ensure a persistent hold in the network by ensuring everyone's dog is named Fluffy – and Fluffy is the name of everybody's birthplace, place where their parents met, model of their first car, etc.

What's more, security questions and answers aren't carefully protected. "The questions today are not monitored, are not changed. Probably most of IT admins are not even aware of their existence at the time being," Baz continued. "The implications ... for now [are] permanent access to all Windows 10 machines in the network quite easily and in low-profile manner."

The security questions also don't come with auditing capabilities, Sela added. "Even [for] IT administrators that would like to be aware of that, out of the box, Windows doesn't give them a way to monitor the status of those security questions."

Best Practices and Deleting Security Questions
Admins should constantly monitor security questions to make sure they are unique, or disable them by periodically changing them to random values, Baz and Sela said.

"Even before the question of security questions, it's a good practice to have as few local admins as possible on the network," Baz said.

Security admins don't feel good about the tool, the researchers said, noting how many people are looking for ways to get rid of it. As part of their presentation, Baz and Sela also shared an open-source tool they developed that can control or disable the security questions feature and mitigate the risk of questions being used as a backdoor into a Windows 10 machine.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jenshadus
50%
50%
jenshadus,
User Rank: Strategist
12/6/2018 | 9:32:39 AM
broken security
There is all this talk about multi factor authentication.  One would think someone (not me, I'm clueless) would figure out how to use MFA to address getting locked out of a system.  I know that MS and Mastercard (MC) are talking about this combination to use as MFA, but still think they need to to bring everyone else on board with this.  So back to the MFA, is it possible?
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20161
PUBLISHED: 2018-12-15
A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.10.4 and earlier allows attackers to disable cameras via Wi-Fi, because incident clips (triggered by the motion sensor) are not saved if the attacker's traffic (such as Dot11Deauth) successfully disconnects the Sync Module from the...
CVE-2018-20159
PUBLISHED: 2018-12-15
i-doit open 1.11.2 allows Remote Code Execution because ZIP archives are mishandled. It has an upload feature that allows an authenticated user with the administrator role to upload arbitrary files to the main website directory. Exploitation involves uploading a ".php" file within a "...
CVE-2018-20157
PUBLISHED: 2018-12-15
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.
CVE-2018-20154
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated users to discover all subscriber e-mail addresses.
CVE-2018-20155
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated subscriber users to bypass intended access restrictions on changes to plugin settings.