Microsoft has developed a 'forensics tool' named COFEE (Computer Online Forensic Evidence Extractor), with some interesting capabilities:
The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cybercrime. It can decrypt passwords and analyze a computer's Internet activity, as well as data stored in the computer.
The article itself is not terribly interesting, spending most of its word count discussing the terrible dangers of "anonymous predators or those with false identities" on social networks - something which COFEE seems completely unrelated to. But I did find it interesting, because the existence of COFEE raises the question: did Microsoft intentionally backdoor their own systems, or is the authentication and authorization model in Windows so weak that anyone else could do the same thing without special privileges? Given the existence of USB autorun hacks, and that most users still run as full-rights Administrators, I lean towards the latter.
But the ability to decrypt passwords seems curious. While both the LM and NTLM password hashing schemes are pretty terrible, I don't see how they could be easily decryptable without a fairly huge back door (or unless they somehow managed to fit a rainbow table on the flash drive). However, since the article never states explicitly what sorts of passwords are under discussion, it's possible COFEE only attacks IE passwords or something like that. But, again, this implies that either Microsoft left themselves a backdoor, or that the password hashing scheme used in IE (or whatever it is COFEE can recover passwords from) is quite fatally weak.
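To make the "pretty terrible" remark concrete, here is an added example (my own illustration, not anything from the article or from COFEE) of the two structural properties that make LM and NT hashes precomputable. The NT hash is a plain MD4 of the UTF-16LE password with no salt and no work factor, so one table maps a given password to the same hash for every account on every machine; the LM scheme additionally uppercases and splits the password into two independent 7-byte halves, so a password of seven or fewer characters always has an all-zero second half. The MD4 below is a from-scratch implementation (the OpenSSL build behind `hashlib` often refuses MD4), checked against the RFC 1320 test vectors; `salted_verifier` is a hypothetical contrast using PBKDF2 with a per-user salt, to show what a salt buys you.

```python
import os
import struct
import hashlib

_MASK = 0xFFFFFFFF


def _rotl(x: int, s: int) -> int:
    x &= _MASK
    return ((x << s) | (x >> (32 - s))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, implemented from scratch (no salt, fast by design)."""
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    # Merkle-Damgard padding: 0x80, zeros to 56 mod 64, 64-bit LE length.
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)

    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)

    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = A, B, C, D
        # Each step updates one register, then the registers rotate.
        for i in range(16):  # round 1
            s = (3, 7, 11, 19)[i % 4]
            a, b, c, d = d, _rotl(a + F(b, c, d) + X[i], s), b, c
        for i in range(16):  # round 2, column-wise message order
            k = (i % 4) * 4 + i // 4
            s = (3, 5, 9, 13)[i % 4]
            a, b, c, d = d, _rotl(a + G(b, c, d) + X[k] + 0x5A827999, s), b, c
        for i in range(16):  # round 3
            s = (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, _rotl(a + H(b, c, d) + X[r3_order[i]] + 0x6ED9EBA1, s), b, c
        A, B, C, D = (A + a) & _MASK, (B + b) & _MASK, (C + c) & _MASK, (D + d) & _MASK
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 over UTF-16LE. No salt, so equal passwords -> equal hashes everywhere."""
    return md4(password.encode("utf-16-le"))


def lm_halves(password: str) -> tuple:
    """LM preprocessing (assumes ASCII): uppercase, truncate/pad to 14 bytes, split 7/7.
    Each half is DES-keyed separately, so <=7-char passwords leave a constant second half."""
    raw = password.upper().encode("ascii")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]


def salted_verifier(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Hypothetical contrast: per-user salt plus a work factor defeats shared tables."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-16-le"), salt, iterations)


def same_password_same_hash(password: str) -> bool:
    """Two 'users' with the same password: NT hashes collide, salted verifiers do not."""
    nt_equal = nt_hash(password) == nt_hash(password)
    salted_equal = salted_verifier(password, os.urandom(16)) == salted_verifier(password, os.urandom(16))
    return nt_equal and not salted_equal


if __name__ == "__main__":
    print("NT('password') =", nt_hash("password").hex())
    print("LM halves of 'Secret':", lm_halves("Secret"))
    print("unsalted collides / salted differs:", same_password_same_hash("password"))
```

The takeaway for the rainbow-table question in the text: a table keyed on the NT hash is reusable against every Windows account, and the LM split means the two halves can be attacked as independent 7-character, case-insensitive problems; neither property requires any backdoor, just the absence of a salt and a work factor.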
Meandering somewhat off the main topic - while writing this, I came across an article in Microsoft's TechNet magazine that set off a lot of red flags for me. If a "senior security strategist in the Microsoft Security Technology Unit", who has access to the source code, spent years not understanding how Microsoft's authentication systems work (versus how they are documented to work), and finally had to go read Samba documentation to figure it out, what hope is there for anybody else? I'm pretty convinced that nobody really understands Windows; even the best Windows sysadmins I've known, and indeed several Microsoft system engineers I've met, really had very little insight into how the whole thing works, but still... damn. I suspect this effect is partially due to their strongly siloed development and security review model.
Posted 2008/05/01 in security; no comments