Tuesday, 1 January 2008

Unprotected laptops

With so many staff working at home one or two days a week, and everyone wanting connectivity from anywhere in the world, laptops have become very important tools. Pretty much every organisation now has a VPN to give staff remote access across the Internet, yet only a tiny minority understand how much risk a laptop carries. An attacker who gains control of a lost or stolen laptop has access to all the information stored on it, plus the opportunity to connect to the corporate network via the VPN using the owner's configured connection.

From time to time we are asked to test the security of a laptop build. Perhaps the organisation is intending to migrate to a new version of Windows, or has simply designed a new "build"; in any event we are asked to test the security of their standard laptop configuration.

Our first check is to see whether a BIOS password has been set. This poses a small hurdle to the would-be attacker, one that is usually overcome fairly simply by a bit of jiggery-pokery on the motherboard (clearing the CMOS) or by removing the hard disk and putting it in another system. A hard-disk (ATA) password is a different problem, since it travels with the drive, often requires specialist assistance to defeat, and is therefore considerably more effective. Unless, that is, the hard-disk password is the same as the BIOS password, in which case recovering the one gives you the other. However we have yet to find a corporate laptop utilising either form of power-on password, probably because of the anticipated support costs of all those forgotten passwords!

Assuming that there are no BIOS passwords, all we need is a Windows username and password. Since we have physical access to the machine, that is very easy to achieve. Software such as Petter Nordahl-Hagen's Offline NT Password and Registry Editor is free and available for download on the web. This software creates a bootable CD or floppy disk which can be used to reset the administrator's password without ever starting Windows; it overwrites the password hash in the SAM hive rather than recovering the old password.

Once done, you reboot the laptop and log in as Administrator with full access to everything, including any dial-up or VPN connections of course. However, if your laptop's owner has used Microsoft's encrypting file system (EFS) on XP, then you will not be able to recover those files, which could be very irritating: the key protecting the user's EFS certificate is itself protected by a key derived from the old password, and an offline reset breaks that chain. Only a previously configured EFS recovery agent gets those files back.

An alternative approach is to use a program like NTFS Reader for DOS, which will allow you to make a copy of the Windows SAM file containing the usernames and password hashes, again without running Windows. You also need a copy of the SYSTEM hive, because since Windows 2000 the hashes in the SAM are encrypted with the SYSKEY boot key stored there. Once you have both files, you can run a password cracking program to discover all the passwords on the laptop, and then log on with the Administrator's legitimate credentials.

This is slightly more time consuming but leaves no evidence of tampering and preserves the EFS files intact. In case you are wondering, a sure-fire way to crack the passwords is to use rainbow tables with a tool such as Cain and Abel against the LM hashes that XP stores by default. LM truncates the password to 14 characters, upper-cases it, splits it into two 7-character halves and hashes each half separately with no salt, so tables of pre-computed hashes for almost every combination of letter, number and punctuation character up to 14 characters make finding the passwords just a matter of time. Although they are very large (many gigabytes in size) Windows rainbow tables are available for free download from the Internet or can be purchased online for delivery on a set of CDs or DVDs. The one configuration that defeats the LM tables is to stop storing LM hashes (the NoLMHash policy) or to insist on passwords longer than 14 characters; the NT hash is still unsalted and has tables of its own, but its keyspace is far larger.
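To make the SAM-extraction and pre-computation steps of the last two paragraphs concrete, here is an added worked example; it is not part of the original post and not the code of any tool named above. It starts from an already-extracted pwdump-style dump (the `user:rid:lmhash:nthash:::` format most dumping tools emit; the sample lines are constructed, the two literal NT hashes are the well-known values for "password" and the empty string, and the third NT hash is a placeholder for a password not in the word list), flags which accounts still have an LM hash stored, computes NT hashes with a pure-Python MD4 (hashlib's MD4 is frequently disabled under OpenSSL 3), and then resolves the dumped hashes through a pre-computed hash-to-password table. A real rainbow table replaces that table with hash chains to save space, but it is the absence of a salt that makes either approach work. The LM hash is not computed here as that needs DES; all function and constant names are the example's own.

```python
"""Triage and dictionary-crack a pwdump-style SAM extract.

Added example: constructed sample data, not output from any real laptop.
"""
import struct
from dataclasses import dataclass

# LM hash of the empty string: dumping tools emit this when no LM hash is stored.
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"


def _rotl(x, n):
    x &= 0xFFFFFFFF
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 is often unavailable on OpenSSL 3)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19),
         list(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                t = (-i) % 4  # register updated: a, d, c, b, a, ...
                x, y, z = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
                v[t] = _rotl(v[t] + fn(x, y, z) + X[idx] + k, shifts[i % 4])
        state = [(s + w) & 0xFFFFFFFF for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash exactly as stored in the SAM: MD4 over the UTF-16LE password, no salt."""
    return md4(password.encode("utf-16-le")).hex()


@dataclass
class SamEntry:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def lm_stored(self) -> bool:
        # A stored LM hash exposes the account to the 14-character rainbow tables.
        return self.lm != LM_EMPTY


def parse_pwdump(lines):
    """Parse 'user:rid:lmhash:nthash:::' lines, skipping blanks and '#' comments."""
    entries = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, rid, lm, nt = line.split(":")[:4]
        entries.append(SamEntry(user, int(rid), lm.lower(), nt.lower()))
    return entries


def build_lookup(wordlist):
    """Pre-compute hash -> password once; every dumped hash then costs one lookup."""
    return {nt_hash(w): w for w in wordlist}


def crack(entries, lookup):
    """Return user -> recovered password (None when the hash is not in the table)."""
    return {e.user: lookup.get(e.nt) for e in entries}


# Constructed sample dump (hypothetical accounts). Administrator still has an LM hash
# stored; the other two accounts show the 'no LM hash' marker.
SAMPLE_DUMP = """
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
pwood:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""
WORDLIST = ["", "password", "Password1", "letmein", "welcome", "changeme"]

if __name__ == "__main__":
    entries = parse_pwdump(SAMPLE_DUMP.splitlines())
    found = crack(entries, build_lookup(WORDLIST))
    for e in entries:
        exposure = "LM stored" if e.lm_stored else "NT only"
        print(f"{e.user:<14} {exposure:<10} {found[e.user]!r}")
```

The triage column is the check worth keeping from this: any account whose LM field is not the empty-string marker is crackable from the 14-character tables regardless of how complex the password looks, which is why turning off LM hash storage belongs in the build standard alongside disk encryption.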

There is one simple solution to Unprotected Laptops: full disk encryption. This provides the laptop user with the facility to protect everything with one easily remembered passphrase (much simpler to manage and remember than a complex password) whilst providing the IT support people with a legitimate "backdoor" (a recovery key or administrator passphrase) into the laptop if the user's passphrase is forgotten or if the member of staff leaves the organisation under a cloud. Bear in mind that it protects the data only while the laptop is switched off or sitting at the pre-boot prompt; once the disk is unlocked, the Windows logon and the VPN credentials are again all that stand between an attacker and the data.


John said...

Great piece Peter - as ever, you run the risk of telling the bad guys how to do it, but you make it dead clear to your average IT manager how wide open he is.

Shame you don't go on a bit more and talk about the VPN password and the fact that this should be different to the Windows password, and then maybe even touch on the use of two-factor authentication :-)

If we can encourage the user to carry a combined USB/OTP token device (which s/he keeps separate from the laptop), and that device carries the user's complex disk encryption password, the Windows digital cert for smartcard login, and provides an OTP for the occasions that the user wants to make a secure Web SSL connection from a different PC, then we can achieve high levels of authentication security without the user having to remember two or three different passwords/phrases.

Maybe the subject of your next blog?

John Stewart

Peter Wood said...

Thanks for your comment John. As you know, I'm a big fan of two-factor authentication, and your suggestion of a combined USB/OTP token seems excellent. I'm not sure that PGP Whole Disk Encryption currently supports anything other than passphrases however. Still, the point of passphrases is that they can be memorable, so maybe that's less of an issue?

Brian Honan said...


Great to see you have started Blogging.

Excellent summary of the security issues regarding laptops.

Full disk encryption is one way of securing the data on the laptop. However, this is only effective when the disk is encrypted. As soon as the system is decrypted then the user can access the data. This also means, though, that anyone else with real-time access to the laptop, either physically or remotely via a trojan or spyware, can also access that data.

So we need to figure out what data needs to be on the laptops in the first place. Given the proliferation of Wifi and mobile broadband solutions, perhaps one answer is to have all data remain on the company's network with users accessing it via thin clients such as Citrix. So if the laptop gets stolen then all you have to do is disable remote access from that device/user and fill in your insurance claim form for the laptop.

Have you seen any similar solutions in your testing or am I being too simplistic?


Peter Wood said...

Thanks for the positive feedback, Brian.

You're right of course. Our most security-literate clients do exactly as you suggest - remote access (often to Citrix) and all sensitive data stored remotely. Combine this with 2-factor authentication as John says and you have a reasonably secure solution.


huvanile said...

Great post Pete. Dan from Texas USA told me about your site, and I'll be following your posts from now on. Keep 'em coming!