9
May

The right control for the problem

   Posted by: Joshbw   in Uncategorized

Vipin and Nitin Kumar have apparently released a proof of concept for their Vbootkit 2.0 attack against Windows 7 machines. I've talked about the attack previously, because it is incorrectly labeled a Windows 7 attack: it is an attack against an insecure boot process that then compromises Windows 7. Anyway, their rationale is:

The Kumars are concerned that the attack approach against Windows 7 they have unearthed might be modified by skilled miscreants to develop remote attacks, hence the decision to give white hat security researchers a leg up in developing defences. They also want to make the case to Microsoft that it ought to make improved security features available across all versions of Windows 7, not just the higher-end versions.

They are apparently taking issue with the fact that BitLocker is only available on the Enterprise and Ultimate editions of Windows 7. I'm not a huge fan of the tiered versions of Windows, but then again I have an alumni account at the MS company store, so I don't really mind paying $50 for Ultimate. At the same time, I think it is a bit crazy to expect BitLocker to be available to all users; the support costs associated with that idea are pretty high. Regardless, all of that ignores that a technical control is not the ideal answer to their attack vector.

What leads to their Vbootkit 2.0 being run is physical access to the machine: the ultimate enabler is that the attacker is actually at the hardware. Technical solutions are an inherently poor mitigation for a physical problem; physical controls are much more appropriate. In a data center, simply putting the machine in a well-designed locking server cabinet neuters this attack, since the attacker would first need to break into the cabinet. For desktop users, a good locking, tamper-proof case, a boot sequence set to boot from the hard disk first, a BIOS password protecting that boot sequence, and a motherboard that isn't prone to dropping into BIOS setup when the keyboard buffer is full will stop all but the most determined attackers. Note that the BIOS password and boot order only hold as long as the attacker cannot open the case and clear CMOS (which on most desktop boards resets both), so the locked case is the control the others depend on. Physical controls for physical problems, technological controls for technological problems, and so forth.

Most of us are techies and immediately look for some nifty code that solves a problem, but enterprise security is only partially a tech problem. Sometimes a padlock is better security than a strong password.

~ Joshbw

This entry was posted on Saturday, May 9th, 2009 at 11:35 am and is filed under Uncategorized.
