Network Admin Nightmare #5 - Unprotected Laptops

With so many staff working at home one or two days a week and everyone wanting connectivity from anywhere in the world, laptops have become very important tools.

Pretty much every organisation now has a VPN to give staff remote access across the Internet, yet only a tiny minority understand how much at risk they are from laptops. If an attacker were able to gain control of a lost or stolen laptop, they would have access to all the information stored on it plus the opportunity to connect to the corporate network via the VPN.

From time to time we are asked to test the security of a laptop build - perhaps the organisation is intending to migrate to a new version of Windows or has simply designed a new “build” - in any event we are asked to test the security of their standard laptop configuration.

Our first check is to see whether a BIOS password has been set. This poses a small hurdle to the would-be attacker, one that is usually overcome fairly simply by a bit of jiggery-pokery on the motherboard or by removing the hard disk and putting it in another system. A hard-disk password is a different problem, which often requires specialist assistance, and is therefore considerably more effective.

Unless, that is, the hard-disk password is the same as the BIOS password, in which case the problem is solved. However, we have yet to find a corporate laptop utilising either form of power-on password, probably because of the anticipated support costs of all those forgotten passwords!

Assuming that there are no BIOS passwords, all we need is a Windows username and password. Since we have physical access to the machine, that is very easy to achieve. Software such as Petter Nordahl-Hagen’s Offline NT Password and Registry Editor is free and available for download on the web. This software creates a bootable CD or floppy disk which can be used to reset the administrator’s password without ever starting Windows.

Once done, you reboot the laptop and log in as Administrator with full access to everything, including any dial-up or VPN connections of course. However, if the laptop’s owner has used Microsoft’s Encrypting File System (EFS) on XP, then you will not be able to recover those files, which could be very irritating!

An alternative approach is to use a program like NTFS Reader for DOS, which will allow you to make a copy of the Windows SAM file containing the usernames and passwords, again without running Windows. Once you have a copy of the SAM file, you can run a password cracking program to discover all the passwords on the laptop, and then log on with the Administrator’s legitimate credentials.

This is slightly more time-consuming but leaves no evidence of tampering and preserves the EFS files intact. In case you are wondering, a sure-fire way to crack the passwords is to use rainbow tables with a tool such as Cain and Abel. The rainbow tables are pre-computed password hashes for almost every combination of letter, number and punctuation character for passwords up to 14 characters in length, making the job of finding the passwords just a matter of time.

Although they are very large (many gigabytes in size), Windows rainbow tables are available for free download from the Internet or can be purchased online for delivery on a set of CDs or DVDs.

There is one simple solution to Unprotected Laptops: encryption. This provides the laptop user with the facility to protect everything with one easily remembered passphrase (much simpler to manage and remember than a complex password) whilst providing the IT support people with a legitimate “backdoor” into the laptop if the user’s passphrase is forgotten or if the member of staff leaves the organisation under a cloud.

Products such as PGP’s Whole Disk Encryption for Enterprises lock down the entire contents of a laptop, desktop, external drive, or USB flash drive, including boot sectors, system files, and swap files. Encryption runs as a background process that is transparent to the user, automatically protecting valuable data without requiring the user to take additional steps.

Peter Wood, Chief of Operations at First Base Technologies, an ethical hacking firm based in the UK, will be speaking at FIRST Security Conference in Sevilla. FIRST is the premier organization and recognized global leader in incident response. For more info, visit FIRST's website at http://www.first.org.