My colleague Feliciano Intini (Chief Security Advisor here at Microsoft Italy) just pointed me to his post where he comments on a news item which is (re)spreading across the web about a supposed security hole in the recovery console in Windows Vista: if you can read Italian here is the post, otherwise read on for my translation.
Third episode of my anti-FUD column. True story (unfortunately): a few days ago someone stole the motorbike of a colleague of mine who was working at a customer’s site. How was the bike protected? With one of those special padlocks which lock the front wheel, without any sort of chain fastening it to a fixed stand. How did they steal the bike? They arrived with a truck, a few guys got off it and they loaded the bike by sheer force in less than 5 minutes! What do I want to say?
Here is a fundamental concept in security field: physical security is the basis for all security.
False fact: I’m reading in various posts, which quote an article by the Finnish writer Kimmo Rousku, that Windows Vista apparently has a security hole which “allows anyone who has physical access to the PC to gain unlimited access, even if he does not know the password to log in”.
Security experts will already be smiling reading the sentence in quotation marks above and I don’t think they need further explanation, but they’ll forgive me if I now spend some more words for the benefit of everyone, aiming to improve the so-called “IT security culture”.
This is NOT a security bug: if you have physical access to the machine you have already won the game, as stated in the 10 Immutable Laws of Security: if a bad guy has unrestricted physical access to your computer, it’s not your computer anymore. The protection of your data on the hard disk must necessarily rely on encryption of the information: this is the reason why BitLocker and EFS have been added to Windows Vista. And I also remind you that the strength of the encryption depends on the strength of the algorithm used and on the keys not being available to the attacker; this is why in Vista:
- EFS has been improved to allow keeping private keys on smart cards
- stronger encryption algorithms have been implemented
- with BitLocker the most secure combination requires using the TPM chip together with a USB key (not to be stored together with the PC!)
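The argument above is that the only real protection against offline reading of a disk is full-volume encryption with the keys kept out of the attacker’s reach (TPM plus a separately stored USB startup key). As an added example, not code from the original post or from Microsoft, here is a small PowerShell check that reports, per volume, whether BitLocker protection is actually on and whether the key protectors match that recommended combination. It assumes the BitLocker PowerShell module (Get-BitLockerVolume, available on Windows 8 / Server 2012 and later, not on Vista itself, which only shipped the manage-bde command-line tool) and the protector type names listed in the comment, which are assumptions about that module’s KeyProtectorType values; run it from an elevated prompt.

```powershell
# Added example (not from the original post): audit BitLocker posture per volume.
# Assumes the BitLocker module cmdlet Get-BitLockerVolume (Windows 8+/Server 2012+).
# Assumed KeyProtectorType names: Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey,
# ExternalKey (USB startup key), RecoveryPassword.

function Get-BitLockerPosture {
    foreach ($vol in Get-BitLockerVolume) {
        # Collect protector type names as strings so we can pattern-match on them
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

        $hasTpm        = @($types | Where-Object { $_ -like 'Tpm*' }).Count -gt 0
        $hasStartupKey = @($types | Where-Object { $_ -match 'StartupKey|ExternalKey' }).Count -gt 0
        $hasRecovery   = $types -contains 'RecoveryPassword'

        # Classify the volume: unencrypted data is readable offline by anyone holding
        # the disk, which is exactly the point the post makes about physical access.
        if ([string]$vol.ProtectionStatus -ne 'On') {
            $finding = 'Data readable offline: enable BitLocker'
        } elseif (-not ($hasTpm -and $hasStartupKey)) {
            $finding = 'Protected, but not with TPM + USB startup key'
        } elseif (-not $hasRecovery) {
            $finding = 'No recovery password escrowed (risk of lock-out)'
        } else {
            $finding = 'OK'
        }

        [pscustomobject]@{
            Volume           = $vol.MountPoint
            Protection       = [string]$vol.ProtectionStatus
            EncryptionMethod = [string]$vol.EncryptionMethod
            TpmBound         = $hasTpm
            StartupKey       = $hasStartupKey
            RecoveryPassword = $hasRecovery
            Finding          = $finding
        }
    }
}

# Usage: print a per-volume table; feed into your inventory/compliance tooling as needed
Get-BitLockerPosture | Format-Table -AutoSize
```

The recovery-password check is there deliberately: a startup key stored away from the PC protects the data, but losing it without an escrowed recovery password turns the encryption against the owner, so both halves of the configuration belong in the same audit.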
To complete what I have just said, you can read Knowledge Base article 818200, which further explains these considerations about data protection on hard disks.
Just one legitimate doubt remains, which I also thought about: if on Windows XP there was a password protecting access to the recovery mode, why has it been removed from Vista, thus generating the (wrong) perception of decreased security or even of a bug? Here is why: Repair Mode/Recovery Console are used exactly when we have trouble starting our PC. Since it had been verified that the majority of the problems starting Windows XP were due to file system and registry corruption, it made no sense to require authentication before allowing access to the disk, since that authentication itself requires reading the registry or the file system to verify that the password entered was correct. Given that the password was not adding a security layer against an attacker of average technical competence (see the physical security consideration I discussed above, and the general availability on the Internet of tools to run offline attacks), and on the contrary was making the recovery activities harder, it was chosen to remove it.
So, I understand that a password gives a certain sense of security, but if that is just a false perception and it only hurts the recovery functionality, then I agree with the design choice to remove it. To conclude: this is NOT a security bug and Microsoft does not have anything to fix here…
Of course feel free to comment both here and on Feliciano’s blog, if you wish 😊
Carlo