Windows 8 Security in Action: Part 2

This is Part 2 of the 3 part article “Windows 8 Security in Action” featured in this month’s issue of Hakin9 Exploiting Software. Part one is available here.

Changes in Microsoft’s Password Policy

I have noticed some changes in the way Microsoft handles their different service account passwords over the past few weeks. It first started a while back when using Microsoft Live mail. One day when I typed in my legitimate password to my e-mail account, I received this error message (Figure 8):

Figure 8 – Microsoft Live Login Screen requesting Fewer Characters

“If you have been using password longer than 16 characters, please enter the first 16”?

Sure enough, I put in the first 16 characters of the password and I was in. So in effect, it looks like they just went through their password database and truncated all the passwords down to 16.

But that is not all.

Recently I went to login to my Microsoft mail and got the good old “It’s time to change your password” message. No problem!

Well, yes there was. I use several special characters and when I tried to use some of them (which were in my existing password!) I received this message (Figure 9):

Figure 9 – Microsoft Login Special Character Message

It seemed to accept some of the special characters, but didn’t like others that I have used since I created the Hotmail Live account!

I wondered what was going on, and then I remembered, Windows 8 is being released and they want you to tie it in to an email address/ Microsoft account. As you can see in the Windows 8 install screen below (Figure 10):

Figure 10 – A View of the Windows 8 install Screen requesting an E-Mail Address

Sure you can use a different e-mail account, or even log in with a local password but they still want you to connect in to a Microsoft account (Xbox, Live, etc.) for Windows 8′s other features. And of course don’t forget the new Microsoft Marketplace…

What then is the reason for shortening the passwords? Looks like Windows 8 is capped at a 16 character limit for compatibility with existing Microsoft services. But is that long enough for secured passwords?

Let’s check Microsoft’s FAQ for strong passwords1:

 “Length. Make your passwords long with eight or more characters.”

Okay, we are good there, but what should our password look like? Well, here are some of the password examples from Microsoft’s strong password FAQ (Figure 11):

Figure 11 – Microsoft’s Secure Password Examples

Wait a minute… They are all over 16 characters long!

As length increases so does the cracking time. Passwords longer than 10 characters take an exponentially longer time to crack. So in all reality, 16 really shouldn’t be a problem. But all of my passwords are longer than that. And with the decrease of the character set, by limiting special characters for compatibility with Microsoft’s other services, the passwords are less secure than they were before.

I am curious if Microsoft will change this in the future.

Microsoft trying to tie all their services together in the cloud is an interesting concept though. With doing this, no matter where you log in, you will get a consistent look and feel, with all of your data available.

All right, enough of an overview, let’s see Windows 8 security in action!

Testing Windows 8 Security

I took Windows 8 and ran a couple common security tests against it to see how well it would hold up. I used the Backtrack platform, SET and the Metasploit Framework. As a straight test from a security tester’s point of view, I did not use any modified payloads, uncommon techniques or exploits that were not included with the Metasploit platform.

My goal was to test to see how the new security features make the system more secure than previous versions of Windows.

The Windows 8 Enterprise VM was tested as installed with no additional security programs or anti-virus running except the included Microsoft Windows Defender. Also the latest version of Java was installed (version 7 update 7).

Malicious Shell Code verses Windows 8

Let’s take a look at a standard Java attack against Windows 8. I created a test page using the Social Engineering Toolkit (SET) in Backtrack 5, so that when a user connects, it displays an obviously bogus “Letter from the CEO” page, and it offers a backdoored Java applet to the visitor. If the user allows the Java app to run, we get a remote session.

Figure 12 – Malicious Java Security Warning

As you can see form the screenshot above (Figure 12), you see a security warning explaining, “This application runs with unrestricted access which may put your computer and personal information at risk.” If we click the box to accept the risks, and run the malicious Java We instantly receive a Windows Defender pop-up warning (Figure 13) that Malware was detected and it stopped the attack.

Figure 13 – “Malware Detected” by Windows Defender

Okay, that was an easy one; next I tried SET’s Alphanumeric shell code attack. This one is a little sneakier and can still bypass some AVs. When I pulled up the test CEO webpage on the SET machine, I didn’t get a Malware warning like I did with the earlier attack.

When I ran the attack, I got a shell!

Okay, just a shell notification (Figure 14) on the Backtrack side…

Figure 14 – Viewing connected session in Meterpreter

But once I tried to connect to the shell in Backtrack I couldn’t run any commands. It may have been able to create a channel to the Windows 8 machine, but the security features of 8 stopped it (Notice the Timeout errors) so I could not get a working remote shell.

Okay, am I impressed yet at the new security features? No, not really. A Windows 7 system running a good up to date AV/ Internet security solution will give similar results to what we have experienced so far. But for an out of the box install, it is not bad at all.

(Stay Tuned for Part 3)

Advertisements

Windows 8 Security in Action: Part 1

Below is Part 1 of the Article “Windows 8 Security in Action” featured in this month’s issue of Hakin9 Exploiting Software:

Is Windows 8 the next operating system for your enterprise? In this article, we will take a quick look at Microsoft’s new OS – Windows 8. We will see some of the new security features that make it more secure than its predecessor Windows 7. We will also run the security through the paces and see some of the possible issues that are new to the OS and some that have carried over from previous versions of Windows. From the Backtrack 5 r3 security testing platform, the author uses the Metasploit Framework and Social Engineering Toolkit to see how Windows 8 stands up to the most common internet based threats.

Introduction

The much anticipated (and debated) next version of Windows software is set to be released on October 26, 2012. Several pre-release versions were made available, and just recently Microsoft released a 90 Day Windows 8 Enterprise RTM (Release to Manufacturer) evaluation copy.

In this article we briefly cover the new look of Windows 8, which has caused some complaints from Enterprise entities and the media alike. We will then highlight some of the new security features, and finally, put them to the test.

From the Backtrack 5 r3 security testing platform, I use the Metasploit Framework and Social Engineering Toolkit to see how Windows 8 stands up to the most common internet based threats. I also cover credential harvesting, Man-in-the-Middle and physical attacks against Microsoft’s latest OS.

So let’s get to it!

Windows 8 Overview

 

Figure 1 – The new, no longer called “Metro”, desktop

The first thing you will notice is the desktop change (Figure 1), you’re not in Kansas anymore Dorothy. Catering to the mobile touchscreen users, Microsoft has switched the desktop to this new tiled interface. This has caused a split amongst enterprise users; some seem too really like it, others want the standard desktop back.

Don’t get me wrong, the desktop we know and love is still there (Figure 2):

Figure 2 – The “classic” Windows 8 desktop

But if you notice, the start button is gone. If you move the cursor to the side of the screen the new “start menu” will appear (Figure 3):

Figure 3 – The new “Start” bar

Yes, I know it looks different doesn’t it? Clicking the Start button on this menu takes you back to the Metro interface. Apparently Microsoft wanted a consistent look across their product platform. Phones, tablets and desktops would all have the same “Metro” interface.

It is nice to know though that some things still look the same in Windows 8. The Control Panel looks pretty familiar (Figure 4):

Figure 4 – The Control Panel menu

Changes have been made on the server side also. The new Server 2012 has a GUI interface, but Microsoft is really pushing the use of Server Core edition that is configured by command line only. So if you do server work, it is time to brush up on your PowerShell.

In essence, Windows 8 really seems to be an enhanced Windows 7, with a new interface. Everything that you could do in Windows 7 is there, somewhere, it is just a matter of finding its new location.

The New Security Features

Several security improvements have been made to Windows 8, a brief list of some of the new features include:

  • Windows Defender comes pre-installed
  • Application download screening with SmartScreen
  • Protection against buffer overflow and memory corruption/ modification attacks
  • UEFI / secure boot to help prevent rootkits and bootkits
  • New password options

Let’s take a closer look at the password options and some changes in the way Microsoft handles passwords.

Password Options

You now have a couple choices for login security options (Figure 5). You can use a password like always, but there are two new options, pin and picture password.

Figure 5 – Windows 8 Account Sign-in options

The PIN option is not new to some users; just select a 4 number pin and that’s it. When you go to login the next time you will now have a choice to login via PIN number (Figure 6) or your password:

Figure 6 – Login Prompt asking for PIN

The interesting one is the Picture Password (Figure 7). It requires a touchscreen interface, but with it you get to pick a picture and create a special password all your own. Once you choose the picture you want, you then record a series of finger swipes, circles and taps that make the final password.

Figure 7 – Picture Password Creation

How cool is that?

Windows 8 Security in Action Part 2

GFI Cloud Management for Antivirus, Asset Tracking & Network Management

Wouldn’t it be nice to have Anti-Virus, Network Management and Asset Tracking services via the Cloud?

Well, now you can:

GFI Cloud gives you control of your IT environment in 10 minutes or less. Whether you have 5 or 500 employees, its simple web-based interface offers integrated antivirus, asset and network management across your workstations and servers. With an expanding range of award-winning software services, GFI Cloud provides a single integrated solution to streamline IT management.”

Check out GFI Cloud!