Windows 10 security question: How do miscreants use these for post-hack persistence?

Crafty infosec researchers have figured out how to remotely set answers to Windows 10’s password reset questions “without even executing code on the targeted machine”. Thanks to some alarmingly straightforward registry tweaks allied with a simple Python script, Illusive Networks’ Magal Baz and Tom Sela were not only able to …

  1. Anonymous Coward

    Windows 10 just gets worse with every iteration

    1. LDS Silver badge

      When your reference model is the dumbest user you can find, there are no other possible outcomes. I wonder who at Microsoft is such reference user...

      1. Charles 9 Silver badge

        You make it sound like it should require a license to use a computer: something normally used inside one's own home.

        1. Down not across Silver badge

          You make it sound like it should require a license to use a computer: something normally used inside one's own home.

          Did you read the article?

          From the article:

          As for protecting against this post-attack persistence problem? “Add additional auditing and GPO settings,” said Sela. The two also suggested that Microsoft allows custom security questions as well as the ability to disable the feature altogether in Windows 10 Enterprise. The presentation slides are available here (PDF). ®

          ...makes it quite clear it is not really about home use, but about using Win 10 in a corporate environment.

          The hardcoding issue applies at home as well, of course, but as many have said (and I presume most of us do already) there is no need to give real answers to the questions.
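The article's mitigation quoted above ("add additional auditing and GPO settings") can be checked from an endpoint. The following read-only PowerShell script is an added example and is not from the article, the commenter, or the Illusive Networks research. It assumes the registry value NoLocalPasswordResetQuestions under HKLM:\SOFTWARE\Policies\Microsoft\Windows\System, which is what the "Prevent the use of security questions for local accounts" setting in the Credential User Interface policy template writes; verify that name against the ADMX version in your environment before relying on it. It also assumes English auditpol output when it parses the "Registry" subcategory line.

```powershell
# Added example: report whether the two controls the article recommends are in place.
# Assumptions: the policy value name below is taken from the Credential User Interface
# ADMX ("Prevent the use of security questions for local accounts"); auditpol output
# is parsed as English text. Nothing here changes any setting.
#Requires -RunAsAdministrator

function Test-SecurityQuestionPolicy {
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $name = 'NoLocalPasswordResetQuestions'   # assumed value name, see note above
    $value = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    [pscustomobject]@{
        Control  = 'Local-account security questions disabled by GPO'
        Present  = ($null -ne $value)   # policy value exists at all
        Enforced = ($value -eq 1)       # 1 = questions disabled
    }
}

function Test-RegistryAuditing {
    # auditpol is built into Windows; "Registry" is the Object Access subcategory
    # that must be on before SACLs on registry keys produce any events.
    $line = auditpol /get /subcategory:"Registry" 2>$null | Where-Object { $_ -match 'Registry' }
    [pscustomobject]@{
        Control  = 'Object Access > Registry auditing enabled'
        Present  = [bool]$line
        Enforced = [bool]($line -match 'Success')   # at least successful access is logged
    }
}

@(Test-SecurityQuestionPolicy; Test-RegistryAuditing) | Format-Table -AutoSize
```

Run it in an elevated session; a row with Enforced = False is a gap to close with the corresponding Group Policy or advanced audit policy setting rather than by editing the registry by hand, so the change is tracked and re-applied by policy refresh.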

      2. DJV Silver badge

        "I wonder who at Microsoft is such reference user"

        I thought Steve Ballmer had left ages ago...

    2. GnuTzu Bronze badge

      It's 2018, And...

      "...Windows 10’s password reset questions are in effect hard-coded; you cannot define your own questions..."

      "Hard-coded" is bad enough, but I've seen too many really lame security questions--with topics that some people chat about on social media--seriously, and that crap has to stop.

      And, it can be done by way of the registry. I... just... don't... know... what else to say.

      1. Tom 35 Silver badge

        Re: It's 2018, And...

        ""Hard-coded" is bad enough, but I've seen too many really lame security questions"

        You don't have to give the real answer. Even the bank has a fake "mother's maiden name" so if anyone digs up the info it's not going to do them any good.

        Your pet could be Bl3gLnert7b

        1. Michael Wojcik Silver badge

          Re: It's 2018, And...

          You don't have to give the real answer

          Then your "I forgot my password" responses become another set of passwords, and you've defeated the mechanism that protects you from that failure mode.

          And that may be fine. Maybe you never experience that failure mode; maybe you have your own protection mechanism (e.g. you write those false answers down somewhere). But it does demonstrate just how feeble the entire password-reset process is. Either it turns one failure mode (forgotten password) into a worse one (password subversion by an attacker); or it turns that former failure mode into another version of itself.

  2. 2+2=5 Silver badge


    “In order to prevent people from reusing their passwords, Windows stores hashes of the old passwords. They’re stored under AES in the registry. If you have access to the registry, it’s not that hard to read them. You can use an undocumented API and reinstate the hash that was active just before you changed it.

    Sounds useful - when my employer insists I change my password I can then immediately revert it back and carry on using the old one indefinitely!

  3. Anonymous Coward

    Trade secret ...

    ... you NEVER actually give the true answer anyway ...

    1. Sir Runcible Spoon Silver badge

      Re: Trade secret ...

      I think you may have missed the point :)

      Unless that was intended as sarcasm - hard to tell.

  4. RobinCM


    Pretty sure that's on by default, and the machine will reject connections if the client doesn't support it or doesn't want to use it.

  5. N2 Silver badge

    The most secure version of Windows...


  6. FlamingDeath Bronze badge

    I just wish software houses stopped pushing out shit untested code

    There needs to be a law and heavy fines, perhaps a fee to be paid for every patch issued.

    Maybe, just maybe, they will invest in proper testing and QA, I suggest this cost comes straight from the shareholders dividend pot

    Am I the only one who sees this for the very serious problem it is? I mean, FFS, we're likely to have automated cars soon; this clusterfuck in software development practice cannot continue in its current form.

    Where is the accountability?

  7. zekepliskin

    Tempting fate

    Don't tell Microsoft to change anything! Based on the October 2018 update fiasco if they amended user login settings it would end up deleting the user entirely in the next update, or make it so the login button failed to work. Chaps, they released an update that can make previously working systems blue screen on next boot. Tempting fate is a bad idea...
