Monthly Archives: November 2016

New Mirai Worm Knocks 900K Germans Offline

More than 900,000 customers of German ISP Deutsche Telekom (DT) were knocked offline this week after their Internet routers got infected by a new variant of a computer worm known as Mirai. The malware wriggled inside the routers via a newly discovered vulnerability in a feature that allows ISPs to remotely upgrade the firmware on the devices. But the new Mirai malware turns that feature off once it infests a device, complicating DT’s cleanup and restoration efforts.

Security experts say the multi-day outage is a sign of things to come as cyber criminals continue to aggressively scour the Internet of Things (IoT) for vulnerable and poorly-secured routers, Internet-connected cameras and digital video recorders (DVRs). Once enslaved, the IoT devices can be used and rented out for a variety of purposes — from conducting massive denial-of-service attacks capable of knocking large Web sites offline to helping cybercriminals stay anonymous online.

An internet-wide scan conducted by suggests there may be more than five million devices vulnerable to the exploit that caused problems for so many DT customers this week. Image:

This new variant of Mirai builds on malware source code released at the end of September. That leak came a little more than a week after a botnet based on Mirai was used in a record-sized attack that caused KrebsOnSecurity to go offline for several days. Since then, dozens of new Mirai botnets have emerged, all competing for a finite pool of vulnerable IoT systems that can be infected.

Until this week, all Mirai botnets scanned for the same 60+ factory default usernames and passwords used by millions of IoT devices. But the criminals behind one of the larger Mirai botnets apparently decided to add a new weapon to their arsenal, incorporating exploit code published earlier this month for a security flaw in specific routers made by Zyxel and Speedport.

These companies act as original equipment manufacturers (OEMs) that specialize in building DSL modems that ISPs then ship to customers. The vulnerability exists in communications protocols supported by the devices that ISPs can use to remotely manage all of the customer-premises routers on their network.

According to BadCyber, which first blogged about the emergence of the new Mirai variant, part of the problem is that Deutsche Telekom does not appear to have followed the best practice of blocking the rest of the world from remotely managing these devices as well.

“The malware itself is really friendly as it closes the vulnerability once the router is infected,” BadCyber noted. “It performs [a] command which should make the device ‘secure,’ until next reboot. The first one closes port 7547 and the second one kills the telnet service, making it really hard for the ISP to update the device remotely.” [For the Geek Factor 5 readership out there, the flaw stems from the way these routers parse incoming traffic destined for Port 7547 using communications protocols known as TR-069].

DT has been urging customers who are having trouble to briefly disconnect and then reconnect the routers, a process which wipes the malware from the device’s memory. The devices should then be able to receive a new update from DT that plugs the vulnerability.

That is, unless the new Mirai strain gets to them first. Johannes Ullrich, dean of security research at The SANS Technology Institute, said this version of Mirai aggressively scans the Internet for new victims, and that SANS’s research has shown vulnerable devices are compromised by the new Mirai variant within five to ten minutes of being plugged into the Internet.

Ullrich said the scanning activity conducted by the new Mirai variant is so aggressive that it can create hangups and crashes even for routers that are not vulnerable to this exploit.

“Some of these devices went down because of the sheer number of incoming connections” from the new Mirai variant, Ullrich said. “They were listening on Port 7547 but were not vulnerable to this exploit and were still overloaded with the number of connections to that port.”
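Two of the defensive points above lend themselves to a log check: the best practice of reaching customer routers' management port only from the ISP's own address ranges, and the connection surge that overloaded even unaffected devices. The following Python is an added example written for this page, not code from the article, BadCyber or SANS; the netfilter-style log format, the ISP management range (203.0.113.0/24) and every address in the sample lines are constructed for the illustration.

```python
"""Added defender-side check for TR-069 (TCP 7547) traffic on a customer router.

Two detections over simplified netfilter LOG-style lines:
  1. hits on the management port from addresses outside the ISP's own
     management ranges (the "block the rest of the world" best practice);
  2. a surge in distinct source addresses hitting that port within one minute,
     the scanning load that can overwhelm routers that are not even vulnerable.
The log format, the ISP range and all addresses below are constructed.
"""
import ipaddress
import re
from collections import defaultdict

TR069_PORT = 7547

# Hypothetical: the only ranges from which this ISP's auto-configuration
# server should ever reach customer routers (constructed, TEST-NET-3).
ISP_MGMT_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample log lines in a simplified netfilter LOG-target style.
SAMPLE_LOG = """\
Nov 28 10:00:01 cpe kernel: IN=wan SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44000 DPT=7547
Nov 28 10:00:02 cpe kernel: IN=wan SRC=198.51.100.21 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=7547
Nov 28 10:00:02 cpe kernel: IN=wan SRC=198.51.100.22 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=7547
Nov 28 10:00:03 cpe kernel: IN=wan SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=7547
Nov 28 10:00:03 cpe kernel: IN=wan SRC=198.51.100.24 DST=192.0.2.10 PROTO=TCP SPT=51003 DPT=443
Nov 28 10:00:04 cpe kernel: IN=wan SRC=198.51.100.25 DST=192.0.2.10 PROTO=TCP SPT=51004 DPT=7547
Nov 28 10:01:10 cpe kernel: IN=wan SRC=198.51.100.26 DST=192.0.2.10 PROTO=TCP SPT=51005 DPT=7547
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict (ts, src, dst, proto, spt, dpt) or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def parse_log(text):
    """Parse every line of a log blob, skipping lines that do not match."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def unexpected_management_sources(records, allowed=ISP_MGMT_RANGES, port=TR069_PORT):
    """Unique sources reaching the management port from outside every allowed range."""
    bad = set()
    for r in records:
        if r["dpt"] != port:
            continue
        addr = ipaddress.ip_address(r["src"])
        if not any(addr in net for net in allowed):
            bad.add(r["src"])
    return sorted(bad, key=ipaddress.ip_address)


def distinct_sources_per_minute(records, port=TR069_PORT):
    """Map 'Mon DD HH:MM' -> number of distinct sources that hit `port` in that minute."""
    per_min = defaultdict(set)
    for r in records:
        if r["dpt"] == port:
            per_min[r["ts"][:-3]].add(r["src"])  # drop the :SS part of the timestamp
    return {k: len(v) for k, v in per_min.items()}


def flood_minutes(records, threshold, port=TR069_PORT):
    """Minutes in which the count of distinct sources to `port` reached `threshold`."""
    counts = distinct_sources_per_minute(records, port)
    return sorted(m for m, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("management-port hits from outside ISP ranges:", unexpected_management_sources(recs))
    print("distinct sources per minute:", distinct_sources_per_minute(recs))
    print("minutes at or above 4 sources:", flood_minutes(recs, threshold=4))
```

The threshold is deliberately a parameter: a single auto-configuration server contacting a router a few times a day looks nothing like dozens of unrelated addresses in one minute, and the right cut-off depends on how often the ISP's ACS legitimately connects.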

A Deutsche Telekom Speedport DSL modem.

Allison Nixon, director of security research at Flashpoint, said this latest Mirai variant appears to be an attempt to feed fresh victims into one of the larger and more established Mirai botnets out there today.

Nixon said she suspects this particular botnet is being rented out in discrete chunks to other cybercriminals. Her suspicions are based in part on the fact that the malware phones home to a range of some 256 Internet addresses that for months someone has purchased for the sole purpose of hosting nothing but servers used to control multiple Mirai botnets.

“The malware points to some [Internet addresses] that are in ranges which were purchased for the express purpose of running Mirai,” Nixon said. “That range does nothing but run Mirai control servers on it, and they’ve been doing it for a while now. I would say this is probably part of a commercial service because purchasing this much infrastructure is not cheap. And you generally don’t see people doing this for kicks, you see them doing it for money.”

Nixon said the criminals behind this new Mirai variant are busy subdividing their botnet — thought to be composed of several hundred thousand hacked IoT devices — among multiple, distinct control servers. This approach, she said, addresses two major concerns among cybercriminals who specialize in building botnets that are resold for use in huge distributed denial of service (DDoS) attacks.

The first is that extended DDoS attacks which leverage firepower from more bots than are necessary to take down a target host can cause the crime machine’s overall bot count to dwindle more quickly than the botnet can replenish itself with newly infected IoT devices — greatly diminishing the crime machine’s strength and earning power.

“I’ve been watching a lot of chatter in the DDoS community, and one of the topics that frequently comes up is that there are many botnets out there where the people running them don’t know each other, they’ve just purchased time on the botnet and have been assigned specific slots on it,” Nixon said. “Long attacks would end up causing the malware or infected machines to crash, and the attack would end up killing the botnet if it was overused. Now it looks like someone has architected a response to that concern, knowing that you have to preserve bots as much as you can and not be excessive with the DDoS traffic you’re pushing.”

Nixon said dividing the Mirai botnet into smaller sections which each answer to multiple control servers also makes the overall crime machine more resistant to takedown efforts by security firms and researchers.

“This is an interesting development because a lot of the response to Mirai lately has been to find a Mirai controller and take it down,” Nixon said. “Right now, the amount of redundant infrastructure these Mirai actors have is pretty significant, and it suggests they’re trying to make their botnets more difficult to take down.”

Nixon said she worries that the aggressive Mirai takedown efforts by the security community may soon prompt the crooks to adopt far more sophisticated and resilient methods of keeping their crime machines online.

“We have to realize that the takedown option is not going to be there forever with these IoT botnets,” she said.

This entry was posted on Wednesday, November 30th, 2016 at 5:21 pm and is filed under Other.

from Krebs on Security

In Break From Usual, Threat Actors Use RAT To Steal POS Data

New NetWire RAT version comes with keylogger for stealing a lot more than just credit and debit card data

Memory scraping tools that surreptitiously copy and export data from running processes have pretty much been the only malware that threat actors have used in recent years to steal credit and debit card data from Point-of-Sale (POS) systems. But that doesn’t mean that other options don’t exist.

Security vendor SecureWorks this week said it recently uncovered one incident of payment card theft involving the use of the NetWire Remote Access Trojan (RAT), a multi-platform remote access tool that has been around since at least 2012.

SecureWorks researchers responding to a data theft incident in September discovered the NetWire RAT variant with a built-in keylogger being used to steal not just payment card data but business credential information, network and domain login credentials, and basically all other activity on infected systems.

The malware in fact did not support specific capabilities for targeting POS systems at all but was capable of stealing data from them all the same. In addition, it had the ability to steal banking credentials, Social Security Numbers, personal and financial data, and credentials for email and other business applications.

The discovery is important because it marks one of the rare occasions when anything other than a memory scraper has been used in a payment card theft, says Arthur Petrochenko, an incident response consultant with SecureWorks.

POS screen scrapers are popular among threat actors because the malware tools typically have small footprints and are hard to detect. Even some of the largest and most sensational thefts of payment card data in recent years, including those at Target and Neiman Marcus, involved the use of memory scrapers.

In this case it is likely the threat actors discovered an opportunity to capture not just the Track 1 and Track 2 data on the back of payment cards, but a lot of other sensitive data via the same workstation. “In SecureWorks’ extensive incident response experience, the majority of the incidents we have responded to involving the theft of payment card data, has involved memory scraping malware and not a RAT with a built-in keylogger,” Petrochenko says. 

Such malware allows attackers to steal potentially far more than just credit and debit card data and therefore poses a bigger threat to organizations than memory scrapers, he says.

For instance, a threat actor could install the NetWire variant or similar malware on a POS system that is also being used to conduct email, process customer data or support some similar dual functionality and steal all data from the system.

“The takeaway for businesses is that by using this RAT and similar ones, there is the potential for the threat actors to cause more damage,” he said.

Ironically, NetWire’s developer, World Wired Labs, markets the software as a legitimate remote administration tool, SecureWorks said. Currently, only six of 54 antivirus and anti-malware software vendors detect the variant. So, somewhat unsurprisingly, the RAT was present in the victim organization for several months before it was discovered, the security vendor said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

from Dark Reading – All Stories

Cybersecurity User Training That Sticks: 3 Steps

People are eager for common-sense advice that gives them control over their environment and helps them stay safe online.

Imagine yourself at a street corner with your preschool-aged child. Knowing that we all want our children to be able to cross the street on their own someday, what do you say to help educate and prepare them? We want to explain it thoroughly, so that they can move safely through the world, right?

How about: “Hey honey, do you see that car? It weighs approximately two tons, and is traveling at a speed of 36 miles per hour. Given that the average human walking speed is about 3 miles per hour, and the braking time for a car that size traveling that speed…”

Well, okay, maybe that’s a bit too much for a toddler. 

Or perhaps we should start with “Sweetheart, if you aren’t careful when you cross the street, you could be seriously injured or killed by cars. There were 347 pedestrians killed in traffic in California last year!”

While this is true, it’s liable to leave them feeling terrified, overwhelmed and powerless.

There are ways to train – even the most novice individuals – to pilot their way competently through a high-risk and complex scenario without overloading or traumatizing them. With simple instructions like “look both ways before crossing,” most of us manage to exit childhood with a solid understanding of how to safely navigate an intersection.

Why can’t we do the same thing for something as broad and technically challenging as computer security? The solution is to start simple, then break down the message into more complex instructions:

Start with aspirational advice
“Stop, drop, and roll.” “Give a hoot – don’t pollute.” “Take a bite out of crime.” These slogans are intended to motivate people to change their behavior and to anchor actions to a simple, positive and memorable phrase. A group led by the National Cyber Security Alliance (NCSA) and the APWG has been creating a list of slogans intended to help people take control of their computer security, for instance: “Keep a clean machine,” “Share with care,” and “Lock down your login.”

Expand advice with tips
The crucial part of looking both ways before crossing is not so much the looking, but in pausing to observe hazards. So the next step in educating people is to give a little more information.

Tips should help clarify the slogans to explain succinctly what people should be doing to protect themselves. In the case of street crossing, this generally includes instructions about where it is safe to cross, looking and listening for hazards, and then finally crossing quickly and safely when the way is clear. In the case of computer safety advice, this should also include a list of actions they should take to identify and avoid hazards.

Using logins as an example, this should include tips for creating a strong password or passphrase, using unique passwords for each account, and enabling multi-factor authentication when possible. Here’s a list of resources for other online security topics.

Finally, specific technical steps
It’s natural that people will have questions about specific situations that you may want to answer proactively, or there may be certain caveats or nuances that need clarification. After introducing the advice and then clarifying it briefly, you can provide more detailed technical information for those who want or need it.

In the case of logins, for example, you might want to explain that there may be additional hazards like shoulder-surfing and phishing where you need to be more cautious about inputting your credentials. Or, you may want to give more clarification about how to enable multi-factor authentication, or what to expect when it’s in place. 

The world is not short of scary stories about the dangers lurking online, and this is leading people to feel like there is little they can do to mitigate risk. People are eager for common-sense cybersecurity advice that gives them control and helps them stay safer online. No one expects that we can completely eliminate accidents or online crime overnight, but we can all sleep a little easier if we know that we’re doing our best to observe and control our environment.

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all …

from Dark Reading – All Stories

Microsoft Silently Fixes Kernel Bug That Led to Chrome Sandbox Bypass

Microsoft appears to have silently fixed a two-year-old bug in the Windows Kernel Object Manager that could have allowed for the bypass of privileges in Google’s Chrome browser.

James Forshaw, a researcher with Google’s Project Zero, first reported the issue in December 2014. Microsoft responded to Google a month later saying it didn’t consider the issue worthy of a fix. Forshaw and Google marked the issue as “WontFix” and removed the view restriction on the disclosure. It’s been more or less on ice since then.

Microsoft’s stance changed at some point over the past 23 months, however: Forshaw acknowledged in a post on the Project Zero Google Group early Wednesday morning that Microsoft has fixed the issue in a recent Windows 10 update. It’s unclear whether Microsoft addressed the issue in a hotfix or via a silently issued patch, but according to Forshaw, it has been reflected in the “latest few major builds of Windows 10 (10586+)”.

The issue, a limited bypass of traverse permissions, affected the Kernel Object Manager in Windows 7 (32/64 bit) and 8+. In 2014, Forshaw warned it could be possible for low privilege code to “access some device objects where it shouldn’t be possible [to] even determine they exist” in Chrome.

Chrome’s sandbox token is fortified – its traverse permission is heavily enforced, according to Forshaw – but this issue slightly diminished that.

Forshaw called the issue a “limitation” for Chrome when he originally highlighted the issue and admitted he didn’t expect it would ever become a “bulletin class issue, if it’s considered an issue at all.” If anything, he said it could result in a “minor security impact for Chrome.”

Forshaw wrote Wednesday that he wasn’t sure what led Microsoft to fix the issue.

Microsoft, for its part, did not immediately respond to a request for comment on Wednesday.

Forshaw couldn’t speak directly to the issue when reached on Wednesday but pointed Threatpost to an updated post he had made on the issue tracker:

“For anyone who’s wondering if this is unusual for Microsoft that they fixed it so long after reporting, not really. If MSRC and by inference the product team do not consider the issue to meet their bar for a security bulletin (as mentioned in comment #2) then they’ll tend to not fix it in a patch. However they do leave themselves open to fixing it in a later update of the platform, which for Win10 is becoming more frequent.”

Forshaw adds that the fix may have been pushed inadvertently as other users of the function in question, SeCreateAccessState, may have been affected.

“The trouble with this approach is there’s never any credit or notification for the fix and so I was under the impression that this issue still existed,” Forshaw said.

from Threatpost – English – Global – thr…

Cybercriminals’ Next Target: Short-Term Dangers (Part 1 of 2)

With the holidays approaching, the focus will be on lucrative online shopping, email ransomware, phishing for credentials, and infection by holiday-lurking malware.

Knowing what cybercriminals are targeting today is easy. Their attacks are loud, impactful, and have the elegance of a herd of bulls crashing through a glassware shop. The tougher challenge is figuring out where they will take aim tomorrow. Knowing where cyberthreats will attack in the future gives the necessary insights to be one step ahead of their mayhem. 

The Short Term

With the holidays approaching, the focus will be on lucrative online shopping, email ransomware, phishing for credentials, and infection by holiday-lurking malware. It is also a time for dark markets to thrive, selling unmentionables to those looking for illegal items for holiday celebrations. 

We must all expect malware-ridden holiday sale emails and websites. Be on the lookout for fake shipping invoices or urgent messages from merchants. Shady ecommerce sites advertising insane deals as bait will look to harvest credit card accounts, emails, and maybe convince you to install some “helpful” software. Phishing will increase a notch, and look for a new wave of ransomware to hold family pictures, personal files, and entire systems for extortion. Identity theft will add to the rise of new credit card applications to do some unauthorized shopping. In the next couple of months, all these financially motivated threats will increase, so now is the time to be on your guard.

Businesses Beware

Businesses must worry about the increased amount of ecommerce fraud, ransomware that extorts money to unlock important files, and the ever present risk of data breaches. Healthcare, retail, and financial sectors will be targeted the most, but all businesses are in jeopardy. Social media will be targeted as a springboard to reach more potential victims and influence them to download or visit sites containing malware. For some larger companies, who rely on heavy Web traffic, there will be Distributed Denial of Service (DDoS) extortion attempts. The threat: Pay or be unavailable to your customers. As always, cash is king and credit is queen.

More ATM attacks are in our future. Europe will be the hotbed, given its machine density and proximity to current thieving bands that are becoming more proficient at these attacks. The US will suffer from more credit card and debit card fraud — some in-store, but more shifting toward online sites as the chip-on-card initiative forces thieves to adapt.

Exploiting IoT Devices

Hacking home Internet of Things (IoT) devices — the ones always connected to the Internet — is easy for botnet herders looking to amass an army to conduct DDoS attacks. But there is little money in the attacks themselves. Some will adjust to provide “protection” extortion schemes. Others will move into using those simple devices to create social media accounts which can “follow” or “like” en masse for a fee. Early signs are already present, as buying followers and likes is a lucrative business in the ego-markets of social media.

Looking down the road a bit, we will actually see fewer random attacks against IoT devices. Two factors are at play here. First, IoT device manufacturers and consumers will shift to close the basic weakness: the use of default passwords. The second change will be when professional hackers, likely organized criminals and nation states, take over the market with more professional hacking capabilities. They tend not to play nice with others. Upon compromising an IoT device, they will immediately close the vulnerability so they are not displaced by another hacker. This ensures they keep control of their victim.  

We will see more creative ways for attackers to monetize this resource by coupling with ransomware, DDoS attacks, data leakage, creation of mass accounts to facilitate fraud, and perhaps even creating specialty routing networks to obfuscate traffic. The result is more devices exploited, but in a more organized manner, until such time as the IoT industry becomes more secure overall.

In my next blog, I will share what cybercriminals will target in the long term. There are many opportunities for them to choose from that could reap big payouts. They are a greedy lot, and I expect them to make bold moves.

Interested in more? Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to hear insights and what is going on in cybersecurity.

Matthew Rosenquist is a cybersecurity strategist for Intel and benefits from 25 years in the field of security. He specializes in strategy, measuring value, and developing cost-effective capabilities and organizations that deliver optimal levels of security. Matthew helped …

from Dark Reading – All Stories

Androids Under Attack: 1 Million Google Accounts Hijacked

Two separate attack campaigns were discovered targeting Androids – one that roots them and gains access to Google Gmail, Docs and Drive accounts, and another that steals information and intercepts and sends messages.

Android devices are in the crosshairs with two separate but deadly attack campaigns that wrest control of the devices and include clues that suggest links to China.

Researchers at Check Point Software Technologies say they have uncovered a new malware variant called Gooligan that to date has hacked one million Google accounts worldwide by rooting the user’s Android device, at an alarming rate of some 13,000 devices per day. Among Gooligan’s victims are hundreds of email addresses tied to enterprise accounts.

The malware, a new version of the SnapPea downloader discovered in 2015, attacks Android 4 (Jelly Bean, KitKat) and Android 5 (Lollipop) devices, which make up nearly three quarters of all Androids in use today. Once installed on the victim’s device, the malware steals email addresses and stored authentication tokens, giving the attackers access to the user’s Gmail, Google Photos, Google Docs, Google Play, Google Drive, and G Suite accounts and information.

“Putting Android aside, from what we have been able to search [and research], this is probably the biggest compromise of Google accounts, mobile or non-mobile,” says Michael Shaulov, head of mobile products at Check Point. “Clearly, this is an escalation” of attacks against mobile devices as well, he adds.

While 57% of the infections are in Asia, there’s a conspicuous lack of any infections in China, he notes. The attackers make money via click-fraud, according to Check Point’s findings.

“After rooting the device and stealing the user’s Google account email and authentication token, Gooligan is capable of mimicking user behavior to tap on ads for legitimate applications on Google Play. Once the app is installed, the attacker is paid by the ad service for the successful installation,” Shaulov says.

The second attack campaign, which was discovered by Palo Alto Networks Unit 42 research team, exploits Android’s plug-in technology by camouflaging its elements as plugin apps, which don’t require actual installation on the device. The so-called PluginPhantom Trojan pilfers files, location data, contacts, and WiFi information from the device, and can also take pictures, capture screenshots, record audio, intercept and send SMS messages, and act as a keylogger.

Ryan Olson, intelligence director of Unit 42, says his team doesn’t know how many Androids have fallen victim to PluginPhantom nor their geographic locations, but there is a China connection of sorts. “The location information being translated to coordinate systems used by Baidu Maps and Amap Maps, the top two navigation apps in China, is highly suggestive of a China connection,” Olson says. “But our focus in this posting is on the ways in which this malware shows malware authors using current development methods and technologies to ‘improve’ their malware.”

While mobile vulnerabilities and malware – mainly for Android – have been rampant in recent years, actual widespread attacks haven’t been a reality for enterprises. Desktop and office endpoints are still too easy a target in many cases. But these latest Android attacks are significant in their size and scope of compromise.

“This thing [Gooligan] both infects a mass amount of users and actually steals the crown jewels to the accounts to compromise their Google services: email, photos, documents,” for example, Check Point’s Shaulov says.

“I [think] that this in terms of in the wild [attacks] is something we’ve never seen before,” he says.

Mobile devices are just one of an increasing number of Internet things that can be used as a stepping-stone to attacking businesses and others, says Dimitri Sirota, CEO of BigID. “There are just so many places of exploit where information is getting collected. I think there’s going to be a lot more opportunity for hijacked [devices] to capture personal information. Mobile devices are just one of those places.”

Some 60% of employees use at least one personal mobile device to access corporate data, according to new data from Ovum that demonstrates the difficulty in reining in corporate data access via mobile.

What Google Said

Meanwhile, Google said that it has been beefing up the Android environment and had worked with Check Point on responding to Gooligan. “We appreciate Check Point’s partnership as we’ve worked together to understand and take action on these issues. As part of our ongoing efforts to protect users from the Ghost Push family of malware, we’ve taken numerous steps to protect our users and improve the security of the Android ecosystem overall,” Adrian Ludwig, director of Android security at Google, said in a statement.

Check Point’s Shaulov says it’s unclear and unnerving as to why the Gooligan attackers are storing so much personal data in their databases. The malware installs some 30,000 apps daily on infected devices, which comes to about 2 million apps total to date. Victims are infected when they download and install a malicious app from a third-party Google app store or click an infected link in an email message.

PluginPhantom, meanwhile, is a new variant of Android.Trojan.Ihide. “In the new architecture, the original malware app is divided into multiple apps (plugin apps) and a single app (a host app). The host app embeds all plugin apps in resources, which implement different functional modules,” Unit 42 said in a blog post today. “After victims install the host app, it can directly load and launch plugin apps without installing plugin apps, by abusing the legitimate open source plugin framework – DroidPlugin [2].”

Unit 42’s Olson says his team isn’t sure of the ultimate goal of the attack. “We can’t know the attackers’ intentions for certain, but the broad capability of the samples we’ve analyzed show how the lines between cybercrime and spying continue to blur. For example, being able to secretly record conversations using the camera and microphone like this has application for both realms.”

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

from Dark Reading – All Stories

Bypassing BitLocker during an upgrade

If you’ve got an iPhone, or an Android, or a Mac, or a Windows 10 computer, then you’ll know that when you do an upgrade, the device almost always reboots during the process, sometimes more than once.

You can see why that’s a good idea: if you want to update critical system files, it’s much easier if you can be sure they aren’t in use at the time.

And if you have update B that depends on update A having gone through correctly first, it’s often very handy if you can reboot once to get A sorted out, and then reboot again to deal with B.

So, for all that we often gripe about reboots, because you can’t use your computer (or your phone, or whateveritis) while it’s restarting, they do help to make the complex process of upgrades more reliable, especially on devices that we’ve customised extensively with our own array of interdependent apps and services.

One thing that makes today’s typical upgrades much more palatable is that, even if they take a long time to complete, you rarely need to do anything along the way.

You won’t get asked an interminable and apparently unrelated series of questions at randomly-spaced intervals during the process, as happened in the old days when you installed Windows 95.

In fact, you can go off and do something else, and when you come back, it’ll be just as if you turned your computer off for a bit and have now turned it back on.

Windows 10 even lets you choose your active hours, and will do the work for you automatically outside those times if you aren’t using your computer.

Why does this matter?

Well, if you use full disk encryption – BitLocker on Windows or FileVault on macOS, or the built-in device encryption on iPhones and modern Androids – you have probably already noticed that you don’t have to enter your password during the upgrade process, even if the computer reboots along the way.

To complete the process when you aren’t around, or when you are around but would like to focus your attention on something else, the updater needs to keep your encrypted volumes unlocked during the upgrade, by some means or other.

Strictly speaking, that’s not much more of a security risk than at any other time that your computer is up and running.

When an encrypted drive is mounted and in use, the system needs access to the disk decryption key, and that’s the way it’s supposed to be.

In theory, a crook can’t get at your data using your computer, encrypted or not, as long as you lock your screen (and there aren’t any lockscreen bugs, of course).

But if he powers down your computer to go off and crack it somewhere else, he’ll need to know your password to remount the encrypted volume.

Note that having access to the disk decryption key isn’t the same as having access to your password, which is typically used just to decrypt the disk key, not to decrypt the disk itself. That’s why you can change your password without re-encrypting the whole disk: only the password protected disk key needs to be re-encrypted. It’s also why, if your password is stolen, you can quickly zap your disk just by wiping the encrypted disk key. Once the disk key is gone, your password no longer has any cryptographic connection with the data on the disk.
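The key hierarchy described in that paragraph is easiest to see in code. The Python below is an added illustration, not code from the Naked Security article or from BitLocker or FileVault: a random disk key (DEK) encrypts the data, a key derived from the password (KEK) only wraps the DEK, so changing the password re-wraps 32 bytes rather than re-encrypting the volume, and zeroing the wrapped DEK makes the password cryptographically useless. Because the standard library has no AES, the authenticated cipher is a constructed stand-in (HMAC-SHA256 keystream plus HMAC tag) used purely to show the structure; PBKDF2-HMAC-SHA256 from `hashlib` is the real stdlib KDF.

```python
"""Added illustration of disk-encryption key wrapping (constructed example).

  password --PBKDF2--> KEK --wraps--> DEK --encrypts--> disk data

The cipher below is a toy stand-in for AES built from HMAC-SHA256 (keystream
XOR plus a tag, encrypt-then-MAC) so the example runs with the stdlib only.
It exists to show the key hierarchy, not for use on real data.
"""
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000  # constructed value; real products tune this much higher


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a block cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC with one key; toy only)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then strip the keystream. Raises ValueError on a wrong key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def derive_kek(password: str, salt: bytes) -> bytes:
    """Key-encryption key from the user's password (real stdlib PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)


class EncryptedVolume:
    """Holds only what a disk header holds: salt, wrapped DEK and the encrypted data."""

    def __init__(self, password: str, data: bytes):
        dek = os.urandom(32)                  # random disk key, never derived from the password
        self.ciphertext = _encrypt(dek, data)  # the data is bound to the DEK only
        self.salt = os.urandom(16)
        self.wrapped_dek = _encrypt(derive_kek(password, self.salt), dek)

    def unlock(self, password: str) -> bytes:
        """Unwrap the DEK with the password, then decrypt the data with the DEK."""
        dek = _decrypt(derive_kek(password, self.salt), self.wrapped_dek)
        return _decrypt(dek, self.ciphertext)

    def change_password(self, old: str, new: str) -> None:
        """Re-wrap the 32-byte DEK under the new password; the data is untouched."""
        dek = _decrypt(derive_kek(old, self.salt), self.wrapped_dek)
        self.salt = os.urandom(16)
        self.wrapped_dek = _encrypt(derive_kek(new, self.salt), dek)

    def crypto_erase(self) -> None:
        """Zero the wrapped DEK: the data stays on disk but no password can reach it."""
        self.wrapped_dek = bytes(len(self.wrapped_dek))


if __name__ == "__main__":
    vol = EncryptedVolume("correct horse", b"payroll.xlsx contents (constructed)")
    before = vol.ciphertext
    vol.change_password("correct horse", "battery staple")
    print("data re-encrypted on password change?", vol.ciphertext != before)  # False
    print("unlock with new password:", vol.unlock("battery staple"))
    vol.crypto_erase()
    try:
        vol.unlock("battery staple")
    except ValueError as exc:
        print("after crypto-erase:", exc)
```

The `crypto_erase` method is the "zap your disk" case from the paragraph: the ciphertext is still fully present, but with the wrapped DEK gone the correct password derives a KEK that has nothing to unwrap, which is exactly why wiping one small header field is a complete erase.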

Unfortunately, it seems that on Windows 10, at least, there’s a brief period, when your computer reboots for an upgrade, during which you can press Shift + F10 to drop into a recovery console.

You can see where this is going: if you can get into the recovery shell at just the right point in an upgrade, the encrypted volume will still be mounted.

In other words, you just bypassed the BitLocker password prompt, and you can get at data you’re not supposed to see.

What to do?

If you’re at home, the chances are your Windows version doesn’t include BitLocker, so unless you paid extra for the privilege, this doesn’t apply to you.

A crook with physical access to your computer could just boot it off USB and read your disk anyway.

If you’re at work, or at home with BitLocker running, you can avoid this issue by not leaving your computer unattended during an upgrade.

Some reports suggest that, on computers managed by Microsoft’s System Center Configuration Manager (SCCM), you can turn off the recovery console altogether by creating a file called:


(Change the Windows directory name to match your local installation.)

We don’t know whether this works, or even if it’s still officially supported – we can’t find a recent mention of this tweak on any of Microsoft’s technical pages – but there doesn’t seem to be any harm in creating this file if you do use SCCM.

We’re also betting that Microsoft will soon make “no recovery console” the default…

…so by the time you next do an upgrade, this whole issue might well be moot.

from Naked Security – Sophos