
April 29th, 2008

Sorry, conspiracy buffs, there's no Windows "back door"

Posted by Ed Bott @ 4:53 pm

Categories: Microsoft, Security

Tags: Security, Password, Microsoft Windows, Microsoft Corp., USB, Tool, Computer, CrunchGear, USB Switchblade, Productivity

Techdirt’s Mike Masnick is usually pretty reliable, but he completely blew it today, hitting the publish button on one of the sloppiest, most inflammatory stories I’ve seen in a long time:

Microsoft Gives Vista Backdoor Keys To The Police

It’s long been assumed that Microsoft has built in various “backdoors” for law enforcement to get around its own security, but now reader Kevin Stapp writes in to let us know that the company has also been literally handing out the keys to law enforcement. Apparently, they’re giving out special USB keys that simply get around Microsoft’s security, allowing the holder of the key to very quickly get forensic information (including internet surfing history), passwords and supposedly encrypted data off of a laptop. While you can understand why police like this, the very fact that the backdoor is there and that a bunch of these USB keys are out there pretty much guarantees that those with nefarious intent also have such keys.

OK, now go read the linked story from the Seattle Times. There’s not a word - not one word - about back doors or encryption. Sadly, the usual suspects in the Techmeme echo chamber are whipping the inaccuracy around the infield at major league speeds. CrunchGear says Microsoft has “developed a thumb drive that helps Johnny Law quickly extract information, encrypted or otherwise, from computers.” And Valleywag talks about “a USB dongle that plugs into a computer, bypasses any Windows passwords or encryption, and quickly downloads sensitive data such as your Web browsing history.”

I’ve heard of jumping to conclusions, but these are some truly giant leaps.

All three stories reference the same Seattle Times story, which never says or even implies that the tools on this USB drive could break any sort of encryption, including Microsoft’s BitLocker Drive Encryption. In fact, these tools have been distributed since last June and were actually discussed three weeks ago in a Microsoft press release published April 8:

At LE Tech today, we will also be talking about the tools we are providing to law enforcement. For example, our security team in the Asia-Pacific region, led by senior investigator Anthony Fung, developed the Computer Online Forensic Evidence Extractor, or “COFEE.” The tool provides investigators with a means to easily and quickly extract “live” data from a suspect’s computer at the point of seizure, before turning it off.

COFEE, a preconfigured, automated tool, fits on a USB thumb drive. Prior to COFEE the equivalent work would require a computer forensics expert to enter 150 complex commands manually through a process that could take three to four hours. With COFEE, you simply plug into a running computer to extract the data with the click of one button – completing the work in about 20 minutes.

What Microsoft has done, according to this story, is to repackage some of the standard tools used by computer forensics experts when they seize a computer as evidence. So instead of a computer forensic technician having to perform a bunch of time-consuming tests manually, he or she can use these automated tools to capture information in a few minutes.

For anyone who is ill-informed enough to think that these tools are going to land in the hands of bad guys, I have some bad news. They’re way ahead of you. The community-developed USB Switchblade has been around since at least September 2006. And as security expert Jesper Johansson points out, it has an impressive feature set:

Basically, these tools make it really easy for just about anyone to exploit people who leave their USB ports unprotected. For example, Switchblade can dump the following:

  • System information
  • All network services
  • A list of ports that are listening
  • All product keys for Microsoft products on the computer
  • The local password database
  • The password of any wireless networks the computer uses
  • All network passwords the currently logged on user has stored on the computer
  • Internet Explorer®, Messenger, Firefox, and e-mail passwords
  • The Local Security Authority (LSA) secrets, which contain all service account passwords in clear text
  • A list of installed patches
  • A recent browsing history

All of this goes into a log file on the flash drive, and takes about 45 seconds.

Forensic technicians working for law enforcement are simply hackers with white hats. They know, just as the bad guys do, that if you have physical possession of a computer, you can pull the data off the hard drive and you can decrypt local passwords. There’s nothing new involved in the story that’s getting all the publicity today, and there is certainly nothing to suggest that there’s a “back door” involved.

In fact, if this rather unremarkable collection of Microsoft-developed hacker tools actually did contain anything new, I would certainly expect that the highly vocal security community would have said something. If there turned out to be a back door in BitLocker or any other form of encryption, the real experts would be publishing the results. But they haven’t said a thing, because there isn’t a story here.

Let’s see how long it takes for the corrections to begin appearing. I’m not holding my breath.

Update: Ben Romano of the Seattle Times, who wrote the original story, has published an updated post (Looking for answers on Microsoft’s COFEE device) that also tries to clear away some of the FUD. Ben’s whole post is worth reading, but if you’re too busy, here’s the conclusion: “It sounds to me like the device doesn’t do anything that a trained computer forensics expert can’t already do. This just automates the execution of the commands for data extraction.” In a later update, he adds: “Via email, a Microsoft spokeswoman said COFEE is a compilation of publicly available forensics tools, such as ‘password security auditing technologies’ used to access information ‘on a live Windows system.’ It ‘does not circumvent Windows Vista BitLocker encryption or undermine any protections in Windows through secret “backdoors” or other undocumented means.’”

Exactly.

Ed Bott is an award-winning technology writer with more than two decades' experience writing for mainstream media outlets and online publications. See his full profile and disclosure of his industry affiliations.
