Endpoint

12/5/2018
11:30 AM

Windows 10 Security Questions Prove Easy for Attackers to Exploit

New research shows how attackers can abuse security questions in Windows 10 to maintain domain privileges.

Attackers targeting Windows are typically after domain admin privileges. Once they have it, researchers say, the security questions feature built into Windows can help them keep it.

In a presentation at this week's Black Hat Europe, security researchers from Illusive Networks demonstrated a new method for maintaining domain persistence by exploiting Windows 10 security questions. Despite good intentions, the feature, introduced in April, has the potential to turn into a durable, low-profile backdoor for attackers who know how to exploit it.

Windows admins are prompted to set up security questions as part of the Windows 10 account setup process. Tom Sela, head of security research at Illusive Networks, said the addition reflects a broader effort by Microsoft to build security into Windows 10. However, it also shows the delicate balance companies must strike in maintaining usability while improving protection.

"I think Microsoft also wants to introduce new usability features," Sela explained in an interview with Dark Reading. "There is a fine line with advancing security but also adding new usability features that may compromise security."

Magal Baz, security researcher at Illusive Networks, said the questions are more of a usability feature, designed for convenience, than a security mechanism. Today, if you forget your Windows login password, you're locked out of your machine and have to reinstall the operating system to regain access, he said. The questions feature lets users log back into their accounts by providing the name of their first pet, for example, in lieu of their password.

"Now in terms of security ... I don't think that it is well-protected," he explained. Because those questions and answers have the same power as a password, you'd think they would be as secure. However, unlike passwords, answers to security questions are not long and complex, they don't expire, and most of the time they don't change. "All the limitations that make passwords safer are not applied on the security questions," Baz pointed out.

In addition to having answers that can be found on social networks, the security questions "are not monitored. There are no policies around it – it's just there," he continued. "It allows you to regain access to the local administrative account." There's a reason why companies including Facebook and Google have stopped using security questions to secure accounts, Baz added.

Unlocking Admins' Answers
Before describing how this approach works, it's important to add context first. In recent years, attackers have sought not only domain access but also a means of maintaining a reliable, low-profile presence on the domain. The process of becoming a domain admin has become much easier, Baz added. "A couple of years ago, it was thought this could take months ... it has shrunk into hours," he said.

To turn the questions feature into a backdoor, an attacker must first find a way to enable and edit security questions and answers remotely, without the need to execute code on the target machine. The attacker must also find a way to use preset Q&A to gain access to a machine while leaving as few traces as possible, Baz and Sela explained in their presentation.

Windows 10 security questions and answers are stored as LSA Secrets, where Windows stores passwords and other data for everyday operations. With administrative access to the registry, one can read and write LSA Secrets. One can change a user's security questions and answers, installing a backdoor to access the same system in the future.

An attacker could use this feature remotely, against any or all of the Windows 10 machines in the domain, to set security questions and answers to values of his choosing, Baz said. The implications for someone abusing this without the account holder's knowledge are huge. Unlike passwords, which eventually expire and can be changed at any time, security questions are static. The name of your first pet or your mother's maiden name, for example, don't change, Baz pointed out.

Sela and Baz described use cases in which this tactic can be useful for an attacker. Someone could "spray" security questions across all Windows 10 machines and ensure a persistent hold in the network by ensuring everyone's dog is named Fluffy – and Fluffy is the name of everybody's birthplace, place where their parents met, model of their first car, etc.

What's more, security questions and answers aren't carefully protected. "The questions today are not monitored, are not changed. Probably most of IT admins are not even aware of their existence at the time being," Baz continued. "The implications ... for now [are] permanent access to all Windows 10 machines in the network quite easily and in low-profile manner."

The security questions also don't come with auditing capabilities, Sela added. "Even [for] IT administrators that would like to be aware of that, out of the box, Windows doesn't give them a way to monitor the status of those security questions."

Best Practices and Deleting Security Questions
Admins should constantly monitor security questions to make sure they are unique, or disable them by periodically changing them to random values, Baz and Sela said.

"Even before the question of security questions, it's a good practice to have as few local admins as possible on the network," Baz said.

Security admins don't feel good about the tool, the researchers said, noting how many people are looking for ways to get rid of it. As part of their presentation, Baz and Sela also shared an open-source tool they developed that can control or disable the security questions feature and mitigate the risk of questions being used as a backdoor into a Windows 10 machine.
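The recommendation above is to know where security questions are enabled and to disable them where they are not wanted. The following PowerShell script is an added example written for this article, not the researchers' open-source tool or code from the presentation. It assumes the Group Policy setting "Prevent the use of security questions for local accounts", which Windows exposes as the DWORD value NoLocalPasswordResetQuestions under HKLM\SOFTWARE\Policies\Microsoft\Windows\System (the article itself does not name this setting), and that remote hosts accept PowerShell Remoting. It audits that value on each host, counts members of the local Administrators group (following Baz's advice to keep local admins to a minimum), and with -Enforce sets the policy value so security questions cannot be used for local accounts.

```powershell
# Audit-SecurityQuestionPolicy.ps1
# Added example, not code from the article or from Illusive Networks.
# Reports whether security questions for local accounts are disabled by policy
# on each host and, with -Enforce, disables them. Run from an elevated session.
[CmdletBinding()]
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [switch]$Enforce
)

# Group Policy "Prevent the use of security questions for local accounts".
# Assumed registry location; 1 = security questions disabled.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$PolicyName = 'NoLocalPasswordResetQuestions'

# Runs locally or via Invoke-Command on a remote host.
$check = {
    param($Key, $Name, $Apply)

    $current = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    $state   = if ($current -eq 1) { 'Disabled (compliant)' } else { 'Enabled (at risk)' }

    if ($Apply -and $current -ne 1) {
        if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
        Set-ItemProperty -Path $Key -Name $Name -Value 1 -Type DWord
        $state = 'Disabled (remediated)'
    }

    # Fewer local admins means fewer accounts whose questions matter.
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        SecurityQuestions = $state
        PolicyValue       = $current
        LocalAdminCount   = ($admins | Measure-Object).Count
    }
}

$results = foreach ($c in $ComputerName) {
    if ($c -ieq $env:COMPUTERNAME) {
        & $check $PolicyKey $PolicyName $Enforce.IsPresent
    } else {
        Invoke-Command -ComputerName $c -ScriptBlock $check `
            -ArgumentList $PolicyKey, $PolicyName, $Enforce.IsPresent
    }
}

$results | Format-Table -AutoSize
```

Run it as `.\Audit-SecurityQuestionPolicy.ps1 -ComputerName ws01,ws02` for a report, and add `-Enforce` to apply the policy. The report is the part to keep: the article's point is that nothing in Windows tells an admin where security questions are in use, so a periodic run of this audit, with its output archived, gives the visibility the researchers say is missing out of the box.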

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
CameronRobertson, User Rank: Moderator, 12/22/2018 | 6:42:38 AM
Cost to security balance
I've always thought security questions are a little silly because it's just some random question that comes from a pre-existing drop-down list. You only need to do a little bit of digging to find out that kind of information, I reckon? Surely with blockchain and all that sort of thing, security issues might be better managed? Otherwise companies are surely able to come up with a better way to protect our personal information somehow, as long as it helps them to manage costs!
jenshadus, User Rank: Strategist, 12/19/2018 | 6:30:43 AM
Re: Companies improve too
I completely agree with you that it's each company's responsibility to implement end-user security. I'm just thinking that the technology that MS and MC are developing may work. I, for example, refuse to get a MC. So then what?
michaelmaloney, User Rank: Apprentice, 12/18/2018 | 10:50:41 PM
Companies improve too
Well, users have no control in the security measures being put in place by the various companies. If it is known that security questions serve no purpose in preventing threats from attacking, then it is entirely up to the companies to do their part and improve. This is for their own customers' sake and for their business to continue receiving support without fail.
jenshadus, User Rank: Strategist, 12/6/2018 | 9:32:39 AM
broken security
There is all this talk about multi-factor authentication. One would think someone (not me, I'm clueless) would figure out how to use MFA to address getting locked out of a system. I know that MS and Mastercard (MC) are talking about this combination to use as MFA, but still think they need to bring everyone else on board with this. So back to the MFA, is it possible?