Windows 10 security question: How do miscreants use these for post-hack persistence?

Crafty infosec researchers have figured out how to remotely set answers to Windows 10’s password reset questions “without even executing code on the targeted machine”. Thanks to some alarmingly straightforward registry tweaks allied with a simple Python script, Illusive Networks’ Magal Baz and Tom Sela were not only able to …

Anonymous Coward

Windows 10 just gets worse with every iteration

LDS

When your reference model is the dumbest user you can find, there are no other possible outcomes. I wonder who at Microsoft is such a reference user...


You make it sound like it should require a license to use a computer: something normally used inside one's own home.


It's 2018, And...

"...Windows 10’s password reset questions are in effect hard-coded; you cannot define your own questions..."

"Hard-coded" is bad enough, but I've seen too many really lame security questions--with topics that some people chat about on social media--seriously, and that crap has to stop.

And, it can be done by way of the registry. I... just... don't... know... what else to say.


Re: It's 2018, And...

""Hard-coded" is bad enough, but I've seen too many really lame security questions"

You don't have to give the real answer. Even the bank has a fake "mother's maiden name" so if anyone digs up the info it's not going to do them any good.

Your pet could be Bl3gLnert7b

DJV

"I wonder who at Microsoft is such reference user"

I thought Steve Ballmer had left ages ago...


"You make it sound like it should require a license to use a computer: something normally used inside one's own home."

Did you read the article?

From the article:

As for protecting against this post-attack persistence problem? “Add additional auditing and GPO settings,” said Sela. The two also suggested that Microsoft allows custom security questions as well as the ability to disable the feature altogether in Windows 10 Enterprise. The presentation slides are available here (PDF). ®

...makes it quite clear it is not really about home use, but using Win 10 in corporate environment.

The hardcoding issue applies to home use as well, of course, but as many have said (and I presume most of us do already) there is no need to give real answers to the questions.

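The "additional auditing and GPO settings" the researchers recommend, written out as a PowerShell script. This is an added example, not code from the article or from Illusive Networks. It assumes Windows 10 1803 or later, where the "Prevent the use of security questions for local accounts" policy and its NoLocalPasswordResetQuestions registry value exist; it assumes (the article only says "registry") that the answers live in the SAM hive under each local user's RID subkey as a ResetData value; and it assumes it runs as SYSTEM (for instance via psexec -s), because Administrators cannot read HKLM\SAM\SAM by default.

```powershell
# Added example, not from the article: disable local-account security questions
# by policy, list which accounts already carry answers, and audit writes to the
# SAM location assumed to hold them. Assumes Windows 10 1803+ and SYSTEM context.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
# Assumption: answers are stored as a ResetData value under <RID> subkeys here.
$samUsers  = 'HKLM:\SAM\SAM\Domains\Account\Users'

# 1. Registry equivalent of the GPO
#    "Prevent the use of security questions for local accounts".
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name 'NoLocalPasswordResetQuestions' -Type DWord -Value 1

# 2. Inventory: which local accounts already have reset answers set?
#    RID subkeys are 8 hex digits; 'Names' and other subkeys are skipped.
function Get-ResetDataInventory {
    Get-ChildItem -Path $samUsers -ErrorAction Stop |
        Where-Object { $_.PSChildName -match '^[0-9A-F]{8}$' } |
        ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                RID          = [Convert]::ToInt32($_.PSChildName, 16)
                HasResetData = ($null -ne $props.ResetData)
            }
        }
}
Get-ResetDataInventory | Format-Table -AutoSize

# 3. Auditing: enable the Object Access > Registry subcategory and add a SACL so
#    that any value write or subkey creation under the users' keys logs
#    event 4657 (registry value modified) in the Security log.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null
$acl  = Get-Acl -Path $samUsers -Audit
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone',
    [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey',
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $samUsers -AclObject $acl
```

The resulting 4657 events name the process that performed the write, so the detection rule is simply: a ResetData write from anything other than the normal account-setup flow (or at all, once the policy above is in place) is a persistence attempt and should alert. Setting the policy removes the lock-screen reset option for local accounts; it does not remove answers already written, which is what the inventory step is for.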

Useful...

“In order to prevent people from reusing their passwords, Windows stores hashes of the old passwords. They’re stored under AES in the registry. If you have access to the registry, it’s not that hard to read them. You can use an undocumented API and reinstate the hash that was active just before you changed it.

Sounds useful - when my employer insists I change my password I can then immediately revert it back and carry on using the old one indefinitely!

Anonymous Coward

Trade secret ...

... you NEVER actually give the true answer anyway ...


Re: Trade secret ...

I think you may have missed the point :)

Unless that was intended as sarcasm - hard to tell.


NLA

Pretty sure that's on by default, and the machine will reject connections if the client doesn't support it or doesn't want to use it.

N2

The most secure version of Windows...

Coat.


I just wish software houses stopped pushing out shit untested code

There needs to be a law and heavy fines, perhaps a fee to be paid for every patch issued.

Maybe, just maybe, they will invest in proper testing and QA, I suggest this cost comes straight from the shareholders dividend pot

Am I the only one who sees this for the very serious problem it is? I mean, FFS, we're likely to have automated cars soon; this clusterfuck in software development practice cannot continue in its current form.

Where is the accountability?



Biting the hand that feeds IT © 1998–2018