At some point hitherto, David Kramer hath spake thusly:

> > http://security.tombom.co.uk/shatter.html
>
> I read this in detail, and I hate to admit that I agree with Microsoft.
> Once bad people are sitting logged onto your machine, you should already
> consider it compromised, regardless of what techniques the bad person
> has at their disposal.

Right. So every computer in Corporate America is compromised.

In principle, I agree with what you're saying, but in practice there are a
variety of barriers that typically prevent this from actually being true.
Also, what you said is not exactly what Microsoft said; the distinction is
subtle but important. Specifically:

Law #3 -- "If a bad guy has unrestricted physical access to your computer,
it's not your computer anymore."

In and of itself, this statement is true. But what constitutes "unrestricted
physical access" in such circumstances? Ordinarily, what we are speaking of
when we say this is sufficient access to cause the computer to be booted into
a different operating system, or to circumvent BIOS passwords, etc.

In an environment where security is required, there are generally actions
taken to prevent access to computers that could result in these types of
problems. BIOSes are configured not to boot from anything but the hard drive,
and a BIOS password is installed to prevent that from being changed.
Generally speaking, under such circumstances, an assailant would need to
physically open up the machine in order to make the necessary modifications
to allow that sort of access. Additionally, in environments where security is
an issue, there are (hopefully) company policies that prohibit tampering with
the property of the business or agency. The most sensitive systems are placed
in a locked room, specifically to prevent the sort of tampering we're talking
about.

Additionally, there's a certain amount of surveillance that goes on, such
that if such tampering were to occur, there is at least some likelihood that
it would be noticed. Such places also often have a "spy on your neighbor"
policy, making it rewarding for employees to report tampering or other
apparently suspicious behavior on the part of their coworkers. Different
environments will also have other restrictions on how property can and can't
be used, as well as different enforcement policies and techniques.

Do these circumstances actually constitute "unrestricted physical access"
according to Microsoft's law? I really don't think that they do.

The author of the white paper makes an important point, which you may have
missed. Now, many such environments also use an OS such as Windows 2000,
because it forces the user to log in with their own account and password.
These workstations will (theoretically) be locked down by the IT staff, so
that users can't gain access to things they're not supposed to have access
to. This is, by and large, the point.

Where this new attack is different from other attacks involving physical
access to a machine, is that a) it allows privilege escalation to localsystem
simply by running a program, which is a very unobtrusive action; and b) IT
CAN NOT BE PATCHED (or so it is currently believed).

N.B. because of this fundamental flaw in the design of the operating system,
user authentication on Windows machines is effectively pointless. Any user
can unobtrusively gain localsystem privilege, and there's little you can do,
now or ever, to stop them.

There may be more bad news, which the author didn't touch upon in his white
paper. Microsoft also mentions this immutable law:

Law #1 -- "If a bad guy can persuade you to run his program on your computer,
it's not your computer anymore."

However, as we all have seen, Microsoft products are riddled with methods for
an attacker to force you to run his code, simply by sending you an e-mail.
In the past, if you were on WinNT/2k machines, the damage that could be done
was limited to the access of the user who was logged in reading e-mail.
However, it may be possible now for a malicious e-mail to allow the attacker
to do great damage as localsystem, making such an attack have unprecedented
damage potential.

Thus far, the attack outlined requires intervention of the user at the
console (or the console of a Citrix client), and the above is not currently
known to be possible. However, I would be very surprised if someone did not
reveal a way to do this in the near future...

-- 
Derek Martin
ddm@pizzashack.org
---------------------------------------------
I prefer mail encrypted with PGP/GPG!
GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
Learn more about it at http://www.gnupg.org