Yubikeys

Amelith Nargothrond

Level 12
Thread author
Verified
Top Poster
Well-known
Mar 22, 2017
587
Yes, if the Hello login fails them you have the option to login with a password or any other method you have configured (like PIN).

Can you expand on how you would hack my PC in 5min with a USB stick with Hello enabled/configured?

I'm interested in your approach and how I can mitigate against this kind of attack.

There are several ways...

  1. Most common is to boot Linux from a stick and perform the classic hash/SAM db hacks
  2. But this won't work that easily if you have a Microsoft account, still, other workarounds are available, like not attacking your MS account, but instead enabling the built-in Administrator account, from the same place, in Linux
  3. All these, combined with the sticky keys hack, which gains you access to cmd right from the GINA/Lock screen... well...
Once I have a working/usable account, I will bypass Hello by failing to authenticate with it (or by simply choosing another authentication method) and use the username/pass I "hacked".

To protect yourself, the golden and FIRST rule of anti-hacking Windows: enable BitLocker on all your drives.

There's no way you can avoid being hacked without a domain, smart card auth, without encrypting your HDD with BitLocker and really serious policies in place. And even that, in some cases, can be circumvented (up until a certain point).

So this is why Hello is anything but safe. It is convenient and you could build some muscles in your neck while authenticating with it, but that's about it unfortunately :)
 
Last edited:
  • Like
Reactions: askmark and SHvFl
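The two mitigations named in this post (BitLocker on every drive, and making sure the lock-screen accessibility helpers have not been tampered with) can be audited from an elevated PowerShell prompt. This is an added example, not code from the thread; it assumes Windows 10 / Server 2016 with the BitLocker module installed and an administrator session.

```powershell
# Added example (not from the thread): audit the mitigations discussed above.
# Assumes an elevated PowerShell session with the BitLocker module available.
#Requires -RunAsAdministrator

function Get-BitLockerAudit {
    # Every fixed volume should be FullyEncrypted with protection On; otherwise a
    # live USB boot can read the SAM hive and the built-in Administrator account offline.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            Volume    = $_.MountPoint
            Status    = $_.VolumeStatus
            Protected = $_.ProtectionStatus
            Method    = $_.EncryptionMethod
            Ok        = ($_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -eq 'On')
        }
    }
}

function Get-AccessibilityHijackAudit {
    # The "sticky keys" trick makes the lock screen launch cmd.exe instead of an
    # accessibility helper. Two tell-tale signs on a tampered machine: an Image File
    # Execution Options "Debugger" value for the helper, or a helper binary whose
    # hash is identical to cmd.exe (the file was swapped).
    $helpers = 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe', 'magnify.exe', 'displayswitch.exe'
    $ifeo    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    $cmdHash = (Get-FileHash "$env:SystemRoot\System32\cmd.exe" -Algorithm SHA256).Hash
    foreach ($h in $helpers) {
        $debugger  = (Get-ItemProperty -Path (Join-Path $ifeo $h) -Name Debugger -ErrorAction SilentlyContinue).Debugger
        $path      = "$env:SystemRoot\System32\$h"
        $sameAsCmd = (Test-Path $path) -and ((Get-FileHash $path -Algorithm SHA256).Hash -eq $cmdHash)
        [pscustomobject]@{
            Helper     = $h
            Debugger   = $debugger
            SameAsCmd  = $sameAsCmd
            Suspicious = ([bool]$debugger -or $sameAsCmd)
        }
    }
}

Get-BitLockerAudit | Format-Table -AutoSize
Get-AccessibilityHijackAudit | Format-Table -AutoSize
```

Any volume with Ok = False, or any helper with Suspicious = True, is worth investigating before trusting the lock screen.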

ParaXY

Level 6
Verified
Mar 14, 2017
273
There are several ways...

  1. Most common is to boot Linux from a stick and perform the classic hash/SAM db hacks
  2. But this won't work that easily if you have a Microsoft account, still, other workarounds are available, like not attacking your MS account, but instead enabling the built-in Administrator account, from the same place, in Linux
  3. All these, combined with the sticky keys hack, which gains you access to cmd right from the GINA/Lock screen... well...
Once I have a working/usable account, I will bypass Hello by failing to authenticate with it and use the username/pass I "hacked".

To protect yourself, the golden and FIRST rule of anti-hacking Windows: enable BitLocker on all your drives.

There's no way you can avoid being hacked without a domain, smart card auth, without encrypting your HDD with BitLocker and really serious policies in place. And even that, in some cases, can be circumvented (up until a certain point).

So this is why Hello is anything but safe. It is convenient and you could build some muscles in your neck while authenticating with it, but that's about it unfortunately :)

Aaah thanks for the reply. Luckily ALL my drives are encrypted with BitLocker using AES-XTS 256-bit encryption so this will protect me from points 1 and 2.

As for sticky keys, I have this disabled so this can't be used on my machine so that takes care of point 3.

My machine's in a workgroup (despite having a domain at home) and I think for anyone to get into my machine would be very VERY difficult but this depends on whether the machine is powered on or is off.

If the machine's off then you pretty much have almost zero chance of getting into the machine.

If the machine's on then there is a slight chance of getting in (if you have physical access of course) by freezing the RAM and grabbing the BitLocker keys. These are obviously sophisticated attacks.

I did use a smart card on my previous install to login to Windows and I had it set up with BitLocker but I have stopped using it since rebuilding the machine and am using PIN and Hello for login/UAC.

I still don't understand why you think Hello is unsafe IF you have BitLocker encrypted drives?

There's another side to this as well and that is physical security so looking at it from that point of view someone would have to have physical access to my machine to even have a chance to try and bypass Hello. And then still have enough time to hack my machine before I return home.

Although I am all for securing my desktop, there's also a practical side to this. In theory I could make my PC so locked down that it would be painful to use but it would be like Fort Knox. I guess what I am trying to say is that I think I have hit the sweet spot for having a secure machine but it is also a pleasure to use. When I last tried to set up a secure desktop on Windows 8.x I eventually gave up as it was too painful to use.

Thanks for your input :cool:

PS: Yes, Windows Hello does give the neck muscles a good workout!
 
  • Like
Reactions: askmark and SHvFl

Myriad

Level 7
Verified
Well-known
May 22, 2016
349
For me, these are the most dangerous threat vectors to an unattended machine.

Powered up or not, it actually makes little difference in reality....

RubberDucky / BashBunny

Evil Maid attacks

@Amelith Nargothrond
As we touched on earlier, I'm still thinking on the Yubikey/Stuxnet thing....
.... and I'm still favoring a separate thread right now :)


 
  • Like
Reactions: SHvFl

Amelith Nargothrond

Level 12
Thread author
Verified
Top Poster
Well-known
Mar 22, 2017
587
Aaah thanks for the reply. Luckily ALL my drives are encrypted with BitLocker using AES-XTS 256-bit encryption so this will protect me from points 1 and 2.

As for sticky keys, I have this disabled so this can't be used on my machine so that takes care of point 3.

My machine's in a workgroup (despite having a domain at home) and I think for anyone to get into my machine would be very VERY difficult but this depends on whether the machine is powered on or is off.

If the machine's off then you pretty much have almost zero chance of getting into the machine.

If the machine's on then there is a slight chance of getting in (if you have physical access of course) by freezing the RAM and grabbing the BitLocker keys. These are obviously sophisticated attacks.

I did use a smart card on my previous install to login to Windows and I had it set up with BitLocker but I have stopped using it since rebuilding the machine and am using PIN and Hello for login/UAC.

I still don't understand why you think Hello is unsafe IF you have BitLocker encrypted drives?

There's another side to this as well and that is physical security so looking at it from that point of view someone would have to have physical access to my machine to even have a chance to try and bypass Hello. And then still have enough time to hack my machine before I return home.

Although I am all for securing my desktop, there's also a practical side to this. In theory I could make my PC so locked down that it would be painful to use but it would be like Fort Knox. I guess what I am trying to say is that I think I have hit the sweet spot for having a secure machine but it is also a pleasure to use. When I last tried to set up a secure desktop on Windows 8.x I eventually gave up as it was too painful to use.

Thanks for your input :cool:

PS: Yes, Windows Hello does give the neck muscles a good workout!

Hello is not safe, because authentication cannot be enforced (user/pass + Hello). Once somebody/something, anybody manages to get your account details, in any way, he's in. Hello is not protecting RDP for example at all, so here's a way you can circumvent it (as far as I remember).

Feel free to laugh at it, but here's another scenario (also imagine that your drives are BitLocker protected):
It may sound like a sci-fi movie scenario, but doable and documented, is to use VR technology to simulate a 3D model of your face or to build a mask after a picture of you, and he's in. He needs a mask because a 3D model of your face is required, it won't work with pictures. Same goes for fingerprints or iris scanners, these can be relatively easy to forge. Much of this info is easily available on the internet, as it is public information (photos of you, from Facebook or other social media accounts). You get the picture... Yes, you really need to have a friend with an imagination, knowledge and craftsmanship, access to technologies or materials and tools, but... doable. Not to mention the difficulties facial recognition has if twins are involved.

With a smart card, which is anything but public information, if you enforce the use of one, you can't elevate anything without one, you can't RDP without one, you can't login locally without one, any interactive logon is protected, even if they manage to get your account details.

Nice article about this (really the first link after a Google search): Hackers Trick Facial-Recognition Logins With Photos From Facebook (What Else?)

So, as I said, Hello is convenient, might be suitable for regular home users, but there's a reason the "home version" Hello is not used to "secure", but to "facilitate" local authentication, and never used in something even related to "business" environment.
 
Last edited:
  • Like
Reactions: askmark and SHvFl
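The point above is that a smart card only helps when its use is enforced, machine-wide and per account; otherwise a stolen password still works for local logon and RDP. The following added example (not from the thread) reports both settings. It assumes an elevated session, and the per-account part assumes the RSAT ActiveDirectory module is installed on a domain-joined machine.

```powershell
# Added example (not from the thread): report whether interactive logon really
# requires a smart card, machine-wide and for each enabled domain account.
# Assumes an elevated session; Get-DomainAccountsWithoutSmartCard needs RSAT ActiveDirectory.
#Requires -RunAsAdministrator

function Get-SmartCardEnforcement {
    # "Interactive logon: Require smart card" is stored as scforceoption (1 = enforced).
    # Without it, Hello or the card can be skipped by anyone who knows the password.
    $pol   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $force = (Get-ItemProperty -Path $pol -Name scforceoption -ErrorAction SilentlyContinue).scforceoption

    # "Interactive logon: Smart card removal behavior" (0 = none, 1 = lock, 2 = log off).
    $wl      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $removal = (Get-ItemProperty -Path $wl -Name ScRemoveOption -ErrorAction SilentlyContinue).ScRemoveOption

    [pscustomobject]@{
        MachineRequiresSmartCard = ($force -eq 1)
        CardRemovalAction        = switch ("$removal") { '1' { 'Lock' } '2' { 'Logoff' } default { 'None' } }
    }
}

function Get-DomainAccountsWithoutSmartCard {
    # Enabled domain users lacking "Smart card is required for interactive logon"
    # (userAccountControl bit 0x40000) can still log on locally or over RDP with a password.
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADUser -Filter 'Enabled -eq $true' -Properties SmartcardLogonRequired |
        Where-Object { -not $_.SmartcardLogonRequired } |
        Select-Object SamAccountName, SmartcardLogonRequired
}

Get-SmartCardEnforcement
Get-DomainAccountsWithoutSmartCard | Format-Table -AutoSize
```

MachineRequiresSmartCard = False, or any account listed by the second function, means the fallback to a plain password that this post warns about is still open.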

Amelith Nargothrond

Level 12
Thread author
Verified
Top Poster
Well-known
Mar 22, 2017
587
@Amelith Nargothrond
As we touched on earlier, I'm still thinking on the Yubikey/Stuxnet thing....
.... and I'm still favoring a separate thread right now :)

Please do, there's nothing/nobody here to tell you otherwise :)
It was a suggestion to continue here, as it involves Yubikeys and the thread is a general one which can accept (and hopefully it will) Yubikey challenges and cons as well, not just pros, in a centralized thread.

P.S. Btw, if there is an exploit, most probably it will not target the Yubikey itself, but the smart card auth mechanism. Yubikey is just a means to an end in this case (the smart card).
 
Last edited:
  • Like
Reactions: askmark and SHvFl

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,350
Honestly never even seen one before and was wondering if it works if I plug it in on a USB extension/hub.
 

ParaXY

Level 6
Verified
Mar 14, 2017
273
@amelith-nargothrond: Have to say, you've got me thinking about how I can use a Yubikey in my environment at home.

So I run a home lab at home with about 25 virtual servers. I use RDP to access them from my management server. I run a domain and a couple servers in a DMZ that are in a workgroup. Most VMs are running Windows Server 2016 Datacenter and a couple Windows 10 Enterprise clients.

So I was wondering, what options do I have using a Yubikey to secure this setup? I'm quite keen on 2FA for RDP, OWA, Windows Login, BitLocker, etc. I also use vSphere 6.5 so can the Yubikey be used to secure vCenter web access? I also run Citrix, 2FA for accessing my desktop would be nice too!

Can the Yubikey be used to secure all of these services?
 

Amelith Nargothrond

Level 12
Thread author
Verified
Top Poster
Well-known
Mar 22, 2017
587
@amelith-nargothrond: Have to say, you've got me thinking about how I can use a Yubikey in my environment at home.

So I run a home lab at home with about 25 virtual servers. I use RDP to access them from my management server. I run a domain and a couple servers in a DMZ that are in a workgroup. Most VMs are running Windows Server 2016 Datacenter and a couple Windows 10 Enterprise clients.

So I was wondering, what options do I have using a Yubikey to secure this setup? I'm quite keen on 2FA for RDP, OWA, Windows Login, BitLocker, etc. I also use vSphere 6.5 so can the Yubikey be used to secure vCenter web access? I also run Citrix, 2FA for accessing my desktop would be nice too!

Can the Yubikey be used to secure all of these services?

Yes to all, you can use smart card auth (with Yubikey as the smart card) to secure all these you mentioned. My advice would be to secure just the internet exposed services to lower your maintenance/implementation overhead. You may need multiple Yubikeys as well.
 

ParaXY

Level 6
Verified
Mar 14, 2017
273
Thanks!

Any particular reason to go with one Yubikey model over the other? NFC? Or not?
 

Amelith Nargothrond

Level 12
Thread author
Verified
Top Poster
Well-known
Mar 22, 2017
587
Yubikey 4 supports RSA 4096 and ECC P-384, whereas the NFC version does not. If you need these, go with v4 without NFC. If you have services requiring exclusively FIPS 140 certification (I doubt it), you will also need the v4. Otherwise, go with the NFC version, as it is also an excellent replacement for soft tokens which can be used with your phone.

I would consider purchasing both, just to be on the safe side of things. There are broken USB ports out there, which can burn out your Yubikey. I would not use the NFC version in USB ports often, to limit the risk of damaging the Yubikey which stores my 2FA accounts, unless absolutely necessary, especially when using the Yubikey with unknown machines.
I would enroll both though for all my services, in my environment with known machines, one of them to serve as a backup key.
 
Last edited:

askmark

Level 12
Verified
Top Poster
Well-known
Aug 31, 2016
578
So I run a home lab at home with about 25 virtual servers. I use RDP to access them from my management server. I run a domain and a couple servers in a DMZ that are in a workgroup. Most VMs are running Windows Server 2016 Datacenter and a couple Windows 10 Enterprise clients.

I know it's OT but do you mind if I ask you what hardware you are using to run so many virtual servers?
 
  • Like
Reactions: Amelith Nargothrond

ParaXY

Level 6
Verified
Mar 14, 2017
273
I know it's OT but do you mind if I ask you what hardware you are using to run so many virtual servers?

Sure. Besides security related topics, virtualisation is a keen interest of mine.

For compute I use the Supermicro 5028D-TN4T which has 8 cores and 128GB of memory. I really like Supermicro, it's stable and datacentre class hardware. IPMI is great too!

I plan on rolling out AppLocker, 2FA and many other GPO tweaks to harden/lockdown the VMs...time permitting of course!

I'm going to spend some time this weekend (hopefully) looking into Yubikey and Hello for Business too.
 

askmark

Level 12
Verified
Top Poster
Well-known
Aug 31, 2016
578
Sure. Besides security related topics, virtualisation is a keen interest of mine.

For compute I use the Supermicro 5028D-TN4T which has 8 cores and 128GB of memory. I really like Supermicro, it's stable and datacentre class hardware. IPMI is great too!

I plan on rolling out AppLocker, 2FA and many other GPO tweaks to harden/lockdown the VMs...time permitting of course!

I'm going to spend some time this weekend (hopefully) looking into Yubikey and Hello for Business too.
A nice little box you have there. Presumably you're running VMware?
 
  • Like
Reactions: Amelith Nargothrond

ParaXY

Level 6
Verified
Mar 14, 2017
273
This is an awesome little server, although quite expensive, but as you said, it's powerful.
128GB ECC is also impressive for a home lab, you have quite a nice setup!

Thanks! I spent ages researching (and saving) to purchase the setup I have now. Has been great for my studies/career.

I bought mine in October last year and I can't believe how the prices have gone UP since then. The RAM prices alone have almost doubled!
 
