Endpoint

12/5/2018
11:30 AM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Windows 10 Security Questions Prove Easy for Attackers to Exploit

New research shows how attackers can abuse security questions in Windows 10 to maintain domain privileges.

Attackers targeting Windows are typically after domain admin privileges. Once they have it, researchers say, the security questions feature built into Windows can help them keep it.

In a presentation at this week's Black Hat Europe, security researchers from Illusive Networks demonstrated a new method for maintaining domain persistence by exploiting Windows 10 security questions. Despite good intentions, the feature, introduced in April, has the potential to turn into a durable, low-profile backdoor for attackers who know how to exploit it.

Windows admins are prompted to set up security questions as part of the Windows 10 account setup process. Tom Sela, head of security research at Illusive Networks, said the addition reflects a broader effort by Microsoft to build security into Windows 10. However, it also shows the delicate balance companies must strike in maintaining usability while improving protection.

"I think Microsoft also wants to introduce new usability features," Sela explained in an interview with Dark Reading. "There is a fine line with advancing security but also adding new usability features that may compromise security."

Magal Baz, security researcher at Illusive Networks, said the questions are more of a usability feature, designed for convenience, than a security mechanism. Today, if you forget your Windows login password, you're locked out of your machine and have to reinstall the operating system to regain access, he said. The questions feature lets users log back into their accounts by providing the name of their first pet, for example, in lieu of their password.

"Now in terms of security ... I don't think that it is well-protected," he explained. Because those questions and answers have the same power as a password, you'd think they would be as secure. However, unlike passwords, answers to security questions are not long and complex, they don't expire, and most of the time they don't change. "All the limitations that make passwords safer are not applied on the security questions," Baz pointed out.

In addition to having answers that can be found on social networks, the security questions "are not monitored. There are no policies around it – it's just there," he continued. "It allows you to regain access to the local administrative account." There's a reason why companies including Facebook and Google have stopped using security questions to secure accounts, Baz added.

Unlocking Admins' Answers
Before describing how this approach works, it's important to add context first. In recent years, attackers have not only sought domain access but a means of maintaining a reliable and low profile on the domain. The process of becoming a domain admin has become much easier, Baz added. "A couple of years ago, it was thought this could take months ... it has shrunk into hours," he says.

To turn the questions feature into a backdoor, an attacker must first find a way to enable and edit security questions and answers remotely, without the need to execute code on the target machine. The attacker must also find a way to use preset Q&A to gain access to a machine while leaving as few traces as possible, Baz and Sela explained in their presentation.

Windows 10 security questions and answers are stored as LSA Secrets, where Windows stores passwords and other data for everyday operations. With administrative access to the registry, one can read and write LSA Secrets. One can change a user's security questions and answers, installing a backdoor to access the same system in the future.

An attacker could remotely use this feature, for any and all of the Windows 10 machines in the domain, to control security questions and answers to be something he chooses, Baz said. The implications for someone abusing this without the account holder's knowledge are huge. Unlike passwords, which eventually expire and can be edited any time, security questions are static. The name of your first pet or mother's maiden name, for example, don't change, Baz pointed out.

Sela and Baz described use cases in which this tactic can be useful for an attacker. Someone could "spray" security questions across all Windows 10 machines and ensure a persistent hold in the network by ensuring everyone's dog is named Fluffy – and Fluffy is the name of everybody's birthplace, place where their parents met, model of their first car, etc.

What's more, security questions and answers aren't carefully protected. "The questions today are not monitored, are not changed. Probably most of IT admins are not even aware of their existence at the time being," Baz continued. "The implications ... for now [are] permanent access to all Windows 10 machines in the network quite easily and in low-profile manner."

The security questions also don't come with auditing capabilities, Sela added. "Even [for] IT administrators that would like to be aware of that, out of the box, Windows doesn't give them a way to monitor the status of those security questions."

Best Practices and Deleting Security Questions
Admins should constantly monitor security questions to make sure they are unique, or disable them by periodically changing them to random values, Baz and Sela said.

"Even before the question of security questions, it's a good practice to have as few local admins as possible on the network," Baz said.

Security admins don't feel good about the tool, the researchers said, noting how many people are looking for ways to get rid of it. As part of their presentation, Baz and Sela also shared an open-source tool they developed that can control or disable the security questions feature and mitigate the risk of questions being used as a backdoor into a Windows 10 machine.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
michaelmaloney
50%
50%
michaelmaloney,
User Rank: Apprentice
12/18/2018 | 10:50:41 PM
Companies improve too
Well, users have no control in the security measures being put in place by the various companies. If it is known that security questions serve no purpose in preventing threats from attacking, then it is entirely up to the companies to do their part and improve. This is for their own customers' sake and for their business to continue receiving support without fail.
jenshadus
50%
50%
jenshadus,
User Rank: Strategist
12/6/2018 | 9:32:39 AM
broken security
There is all this talk about multi factor authentication.  One would think someone (not me, I'm clueless) would figure out how to use MFA to address getting locked out of a system.  I know that MS and Mastercard (MC) are talking about this combination to use as MFA, but still think they need to to bring everyone else on board with this.  So back to the MFA, is it possible?
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
2019 Attacker Playbook
Ericka Chickowski, Contributing Writer, Dark Reading,  12/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
[Sponsored Content] The State of Encryption and How to Improve It
[Sponsored Content] The State of Encryption and How to Improve It
Encryption and access controls are considered to be the ultimate safeguards to ensure the security and confidentiality of data, which is why they're mandated in so many compliance and regulatory standards. While the cybersecurity market boasts a wide variety of encryption technologies, many data breaches reveal that sensitive and personal data has often been left unencrypted and, therefore, vulnerable.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19790
PUBLISHED: 2018-12-18
An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restricti...
CVE-2018-19829
PUBLISHED: 2018-12-18
Artica Integria IMS 5.0.83 has CSRF in godmode/usuarios/lista_usuarios, resulting in the ability to delete an arbitrary user when the ID number is known.
CVE-2018-16884
PUBLISHED: 2018-12-18
A flaw was found in the Linux kernel in the NFS41+ subsystem. NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel id and cause a use-after-free. Thus a malicious container user can cause a host kernel memory corruption and a system ...
CVE-2018-17777
PUBLISHED: 2018-12-18
An issue was discovered on D-Link DVA-5592 A1_WI_20180823 devices. If the PIN of the page "/ui/cbpc/login" is the default Parental Control PIN (0000), it is possible to bypass the login form by editing the path of the cookie "sid" generated by the page. The attacker will have acc...
CVE-2018-18921
PUBLISHED: 2018-12-18
PHP Server Monitor before 3.3.2 has CSRF, as demonstrated by a Delete action.