Thursday, August 11, 2016

Biometrics – Have your fingers been pwned?


First, to start with, I believe biometrics are in many ways the future of authentication, but sometimes people forget to think about the bad sides as well when they get too excited. I wanted to take some time and write down my thoughts on this and related topics. I'm talking about Security Internals in Estonia this year (http://koolitus.ee/blackbelt/) and I started to gather my thoughts on current trends in security, which gave me the inspiration to write this article. One important trend in my life also changed dramatically this summer as my family and I moved to iPhones. I still think that Windows is the best OS there is for mobile phones, but at some point the lack of stability and apps just threw me over the Edge. "Over the Edge" in this context is actually just funny if you ask me ;) The iPhone introduced me to the simplicity of using my fingerprint to authenticate to my phone, and boy did I welcome this ease! After the honeymoon with my new iPhone I started to seriously think about this. In the next few paragraphs I'm going to talk about some common questions/comments I get and some points that I don't believe all people totally understand.

 

#1 Ease of changing a password

 

I hope all of you know the best website out there for monitoring breaches, http://haveibeenpwned.com/. It's run by a fellow PluralSight author and highly appreciated security expert, Troy Hunt. So what if you lose a password? You just need to change it, right? Right. So now what happens if your biometrics get stolen? Do you change your finger? Or even worse, your face or your retina? So, to cut corners a bit, you can only be pwned ten times when it comes to your fingerprints.

 

#2 Lack of true biometric data in Windows

 

This is what I hear quite often: "Why do we still need to use a password in Windows, which is then protected by a PIN or biometric info? Why can't we, in 2016, save the biometric data to Active Directory and just use that?" Think about the previous point and the downside of not using a password. If your fingerprint is value 400 and your password is value 400, we can calculate a value of 160000 by multiplying them. If I lose my biometric data to someone, I just need to change the password to invalidate the result. So from this perspective I am happy that my true biometric data is not stored in my AD, as it would make it more probable for someone to steal my true identity and a lot harder for me to recover when it happens – and it will.
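To make the multiplication analogy concrete, here is an added Python model (not code from the original post, and not how Windows Hello is implemented) of combining an unchangeable biometric template with a changeable password into one stored verifier: the password is stretched with PBKDF2 and the result keys an HMAC over the template. The template bytes, the salt and the passwords are constructed for the demo; the point is only that rotating the password invalidates the old combination, so a leaked template on its own buys an attacker nothing.

```python
import hashlib
import hmac

# Constructed sample inputs (not real biometric data): a matcher would normally
# turn a sensor reading into a stable template like this.
FINGERPRINT_TEMPLATE = hashlib.sha256(b"constructed fingerprint template").digest()
OTHER_FINGER = hashlib.sha256(b"constructed template of a different finger").digest()
SALT = b"constructed-salt-16B"  # fixed so the demo is deterministic


def derive_verifier(template: bytes, password: str, salt: bytes) -> bytes:
    """Combine a biometric template (cannot be changed) with a password (can be).

    The password is stretched with PBKDF2 and the result keys an HMAC over the
    template, so neither factor alone reproduces the stored verifier.
    """
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return hmac.new(pw_key, template, hashlib.sha256).digest()


def verify(template: bytes, password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a fresh derivation against the stored verifier."""
    return hmac.compare_digest(derive_verifier(template, password, salt), stored)


def demo() -> dict:
    """Enrol, simulate a leaked template, then rotate the password and re-enrol."""
    old_pw, new_pw = "Jakedrank16beers!", "Jakedrank17beers!"
    enrolled = derive_verifier(FINGERPRINT_TEMPLATE, old_pw, SALT)
    results = {
        # Legitimate user: right finger, right password.
        "both_factors": verify(FINGERPRINT_TEMPLATE, old_pw, SALT, enrolled),
        # Attacker holds the leaked template but has to guess the password.
        "leaked_template_wrong_password": verify(FINGERPRINT_TEMPLATE, "guess", SALT, enrolled),
        # Attacker knows the password but presents someone else's finger.
        "wrong_finger_right_password": verify(OTHER_FINGER, old_pw, SALT, enrolled),
    }
    # Recovery after the template (and possibly the old verifier) leaked: the
    # finger stays the same, only the password is rotated.
    rotated = derive_verifier(FINGERPRINT_TEMPLATE, new_pw, SALT)
    results["old_combination_after_rotation"] = verify(FINGERPRINT_TEMPLATE, old_pw, SALT, rotated)
    results["new_password_after_rotation"] = verify(FINGERPRINT_TEMPLATE, new_pw, SALT, rotated)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The stored value is what the post calls the "160000": it changes completely when either factor changes, so a password rotation is enough to retire everything an attacker learned from the leaked template.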

 

#3 Difference between physical and mental proof of ownership

 

By law in the US you can be forced to use your finger or your "face" to open your device. By law you cannot be forced to give up your PIN code to open your device. I would say I have nothing to hide and I'm not a criminal, so it doesn't really matter, but many people don't like the fact that a device with biometric protection can be used to incriminate you and one with a PIN code can't.

 

#4 Why does Windows want me to use a 4-digit PIN code when I have a 16-character password?

 

When you install Windows 10 and start using any cloud-related features, it will ask you to change to using a PIN code even if your password is a lot stronger mathematically. This is because the PIN code protects your password on that particular device. If your real password is stolen, all of your physical devices can be used to access your data, but with the PIN code only that one device is compromised. That is, if you use a different PIN on different devices. As this has always been the suggested best practice, I'm sure all of you adhere to it ;) BTW, if your computer has a TPM then that is used to store the PIN, making it very secure, but if you don't have one then the PIN is actually just saved in the registry, making it a lot less secure.
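The device-bound PIN described above as an added Python model (again not Windows code and not Microsoft's implementation): each device holds its own secret, standing in for a key the TPM would protect, and the PIN only unlocks the account password that was sealed on that device. The device secrets, PINs and password are constructed; the sealing uses a toy HMAC-based keystream purely so the demo can unseal what it sealed, where a real implementation would use an authenticated cipher from the platform's crypto provider.

```python
import hashlib
import hmac
from typing import Optional

TAG_LEN = 32  # length of an HMAC-SHA256 tag


def _keystream(key: bytes, length: int) -> bytes:
    """Toy HMAC-SHA256 counter-mode keystream; it exists only so this demo can
    reverse the sealing. Real code would use AES-GCM from the platform provider."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def unlock_key(device_secret: bytes, pin: str) -> bytes:
    """Per-device unlock key: a short PIN stretched with the device's own secret.

    The device secret stands in for a key the TPM would keep. Without it the
    4-digit PIN, trivially guessable on its own, yields nothing usable."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), device_secret, 100_000)


def seal_password(password: str, device_secret: bytes, pin: str) -> bytes:
    """Encrypt-then-MAC the real password under this device's PIN-unlocked key."""
    key = unlock_key(device_secret, pin)
    pw = password.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(pw, _keystream(key, len(pw))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return tag + ct


def unseal_password(blob: bytes, device_secret: bytes, pin: str) -> Optional[str]:
    """Return the password, or None when the PIN or the device does not match."""
    key = unlock_key(device_secret, pin)
    tag, ct = blob[:TAG_LEN], blob[TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None  # wrong PIN or wrong device: the password stays protected
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct)))).decode("utf-8")


def demo() -> dict:
    """One account password sealed on two devices, each with its own secret."""
    password = "Jakedrank16beers!"  # constructed; the same account on both devices
    laptop = hashlib.sha256(b"constructed laptop device secret").digest()
    tablet = hashlib.sha256(b"constructed tablet device secret").digest()
    laptop_blob = seal_password(password, laptop, "4821")
    tablet_blob = seal_password(password, tablet, "9035")
    # The case the post warns about: the laptop's PIN reused on the tablet.
    reused_pin_blob = seal_password(password, tablet, "4821")
    attacker_secret = hashlib.sha256(b"attacker guess, no access to the TPM").digest()
    return {
        # Normal use: right PIN on the device that sealed the password.
        "right_pin_right_device": unseal_password(laptop_blob, laptop, "4821") == password,
        # A PIN learned from the laptop is useless on the tablet with its own PIN.
        "laptop_pin_on_tablet": unseal_password(tablet_blob, tablet, "4821") is None,
        # Sealed blob plus PIN copied off the device, but no device secret.
        "stolen_blob_and_pin_without_device_secret":
            unseal_password(laptop_blob, attacker_secret, "4821") is None,
        # Same PIN everywhere: one learned PIN opens the other device too.
        "reused_pin_unlocks_other_device": unseal_password(reused_pin_blob, tablet, "4821") == password,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The model also shows why the "no TPM" case is weaker: if the device secret sits in the registry next to the sealed blob, anyone with the disk holds both inputs and only the short PIN remains to be guessed.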

 

#5 How do I do it?

 

To finish, I believe it's fair to share how I do it personally. So here are some of the best practices I know I use and really, I mean REALLY, have the strength to follow.

 

- My Windows passwords are always passphrases that have at least 15 characters, contain characters from at least three different character sets and have the numbers in the middle. So for example Jakedrank16beers! is a very good password but easy to remember. Most people put numbers at the beginning or the end, and that's also programmatically a lot easier to break, so put them in the middle. I'm not trying to play Mother Teresa here, so next time Jake might have drunk 17 beers ;)

- I protect that password with facial detection on my SurfaceBook and with different PINs on my tablets that don't have a keyboard.

- I will never buy a device that doesn't have a TPM, and I'd prefer them to have an IO-MMU for future features.

- When signing in to websites I have a strong base password, but I use the first two letters of the website's Top Level Domain name to make it more unique.

- I always use a password manager. I prefer LastPass, although I hate that they were acquired by LogMeIn and I know they have had their break-ins. It is still the only tool that does everything I need.

- I never log on as an Admin to my workstations! And my Domain Admins are always prevented by policy from logging on to any computer except Domain Controllers.

- And YES, on my iPhone I use a fingerprint – the ease of use wins in my case – at least with my personal phone.

- If you asked me what my secure authentication of choice would be, I would like it to be PIN+Biometrics, so I could have strong protection, easily change the password, not forget my dongles and not have too complicated a method to use.

 

Stay safe,

 

Sami

Wednesday, April 6, 2016

First PluralSight Course Published!

I am so proud/happy/excited to tell you that my first ever PluralSight course was published today!

You can find it here: https://www.pluralsight.com/courses/windows-how-its-hacked-how-to-protect

It's about how to hack the OS, so my favorite topic :)

Hope you have already gotten your license to PluralSight, as it is the best VOD training site out there with thousands of courses at an easy-to-handle price!

Hope you can view and enjoy my video.

Sami

Wednesday, February 17, 2016

Best Speaker at Nordic Infrastructure Conference 2016! YES!!

Today Nicconf organizers had this to say:

We are proud to announce Best Speaker of NIC 2016:

Congratulations to SAMI LAIHO for outstanding feedback and performance! Your sessions rated extremely high with a large number of votes, and you also manage to combine a great sense of humor with deep technical and practical knowledge, which makes your sessions highly appreciated.


YES, YES, YES - I'm super happy about this because I was in a crowd of so many of the best speakers in the world, and I was honored to even get invited :)

Here are the results (censored other than mine):

Tuesday, February 16, 2016

Sysinternals 20th Birthday Party this summer in Helsinki!

This is a short one, I know, but I need you to be in the front row to get this news! I have been given permission from Mark Russinovich himself to host the SYSINTERNALS 20th BIRTHDAY PARTY in Helsinki this summer! Seats are limited and there's an Early Bird price, so head to: http://www.sysinternals20.com/ We'll update the speaker list asap, but already now we have both of the official Sysinternals Admin Guide authors:

Welcome Note by Mark Russinovich
Keynote by Aaron Margosis
Session on Sysmon by Paula Januszkiewicz


I have never been this honored and excited to host an event :) JIIHAA!!!

Sami
Twitter: @samilaiho

Wednesday, February 10, 2016

Quick and Dirty Reinstall of Windows 10 on XPS 13

I just wanted to share this super easy and dirty way to do a clean reinstall on an OEM-installed XPS 13 (in this case it was the XPS, but it can be any OEM Windows 10).

  1. Use Johan's instructions on creating a fresh ISO of newest Windows 10: http://deploymentresearch.com/Research/Post/399/How-to-REALLY-create-a-Windows-10-ISO-no-3rd-party-tools-needed
  2. Create a bootable USB key
    1. Diskpart
      1. list disk
      2. select disk 1
      3. clean
      4. cre part pri
      5. format fs=fat32 quick
      6. assign
      7. active
    2. Mount the ISO (in this case shows up as e:\)
    3. xcopy e:\*.* f:\ /cherkyi
  3. On the OEM-installed XPS 13, run "Export-WindowsDriver -Online -Destination d:\drivers" in PowerShell while the USB key shows up as D:\ on that machine
    1. This exports all 3rd party drivers to the USB
  4. Mount the install.wim with dism to add the drivers to the Windows image itself
    1. copy d:\install.wim c:\temp
    2. dism /mount-wim /wimfile:install.wim /index:1 /mountdir:mount
    3. Dism /Image:C:\temp\mount /Add-Driver /Driver:d:\drivers /Recurse
    4. dism /unmount-wim /mountdir:mount /commit
    5. copy /y install.wim d:\sources\ (or replace with other means)
  5. (You can repeat the previous for the D:\Sources\Boot.wim if you want to skip steps 7 & 8) 
  6. Boot the new machine with the USB
  7. If the installer can't find the disk, do the following
    1. Hit Shift+F10 to get to the command prompt
    2. Change to your drivers folder, like c:\Drivers
    3. Run: for /r %i in (*.inf) do drvload "%i"
  8. Refresh the disk view
  9. Clean the disks and install Windows 10
So what this does is take all the needed drivers from the preinstalled OS and make sure your new OS (and WinPE, if you did step 5) has the same drivers :) Your Device Manager should look quite nice without any additional steps!

Cheers,

Sami

Judgement day: SurfaceBook vs Dell XPS 13

Now it's time for the verdict :) Remember this is purely from my point of view as someone who travels 200 days a year and does presentations for a living. This is just my opinion.

I'm trying to review features that really matter to me. It's easy to say that both are superb devices compared to many others as the 3000$ price tag would suggest.

For more specific figures and values read this: http://www.notebookcheck.net/Dell-XPS-13-9350-InfinityEdge-Ultrabook-Review.153376.0.html

I totally agree with it and it gives the common performance numbers that I've verified with the great (Finnish) PCMark tests.

Size with Accessories = What I need to carry

The Dell XPS is way more beautiful and compact. Seeing them next to each other I would easily choose the Dell. That's not the whole story, though, when it comes to what I need to carry with me. I sit in the airplane, and I'm usually first in the plane because I'm a priority passenger and I want to get a place for my trolley. This means I sit in the airplane more than others and have more time to watch series before the seat belt light goes off. At that time I need a tablet, and the Dell XPS won't do. It doesn't work by itself, so I need to carry my Surface 3 etc. with me to be able to use it while the flight ascends or descends. With the SurfaceBook I'm good. I'll turn the keyboard under the screen, and if someone still complains I just put the keyboard away. It's a very big screen, so I am missing my kickstand to be honest. That's something I'll live with, or I'll buy a kickstand.

That's for the device itself, but that's not all. I need a USB hub and wired network. That goes for both, and the external devices for this are the same size. I need a DisplayPort adapter for the SurfaceBook. The one I have is from StarTech with VGA, DVI and HDMI. With the Dell I need the USB 3.1 extender, but it has VGA, HDMI and Ethernet. It only has one USB port, so I need the hub anyway. So both require two devices which are of equal size and weight in total.

I need biometric readers to authenticate. With the Dell XPS this only means a thumb-sized USB fingerprint reader for my personal use. It doesn't take space but looks ugly. And it only allows me to authenticate, not to demo Windows Hello's facial detection. For this I need an external camera. With the SurfaceBook I'm good to go, as it has the needed camera for both my personal use and demos. The SurfaceBook's battery lasts twice as long for me as the XPS does. With the XPS I can get through flights, but only with the Power Companion from Dell. So the SurfaceBook is bigger, but with the Dell I need these extra things to carry with me: power bank, RealSense camera, fingerprint reader. The ones that I need to carry for both, or that are of equal size, are not listed, like external SSD, power supply, mouse and a wireless presenter.

Working with the computer = What can I do with it and how well

Keyboard and touchpad on both are good. The only problem I have is the US keyboard on the Surface, which really does heavily bug me. Performance is good enough on both, though the SurfaceBook beats it in basically every aspect, and the SSD and GPU performance is WAY better on the Book. Now when it comes to presenting there are a few things that differ. The SurfaceBook with the DisplayPort adapter has never failed me - it just works. The only thing I need to do sometimes is change resolutions. The XPS on the other hand only fails me :( The HDMI adapter hasn't worked on any of my external screens without using Intel's application to set frequencies etc... The VGA I haven't tried on either one. For me the quick and easy use of external monitors and projectors is of huge importance. The next thing I need to do is draw on the screen while presenting. I bought this to be able to work with the touch screen of the XPS at all: http://www.adonit.net/jot/pro/ I highly recommend it if you don't have an active digitizer - it's very good compared to any other I've tried. Still, I can't rest my hand on the screen, I can't erase, I can't select and I don't get pressure sensitivity. All of these I get with the SurfaceBook. This is honestly one of the biggest differences for me between these two. To do my work the way I like to do it I need the Surface 3 as a companion for my Dell. Well, I need it for the travelling time as well, on the other hand. But getting the picture to show from two devices during a presentation - that's not always that easy. Next I need to run VMs. If you've read my previous blog you know how it works on the SurfaceBook as well, and I can say both run just as fine with nice SSDs and 16GB of RAM.

Fun and spare time = Which one I like if I don't need to worry about work

The Dell is awesome on the lap! Both have equally good speakers and screens. I'd rather have the XPS on my lap, but honestly the battery runs out too soon for my liking... I like to sketch and draw sometimes, so the Dell won't do for that either. And OH BOY do I hate the webcam placement on the XPS!! I knew I wasn't in perfect shape and have gained a few pounds, but the XPS really makes sure I understand the seriousness of the situation... The webcam is situated in the lower left corner of the screen, so it looks up at you from below your chin and you have no eye contact whatsoever with your family while on Skype...

The verdict

I know the SurfaceBook has its faults and I do hate the wrong keyboard layout, but for my work the choice is actually quite easy at the end of the day: The XPS has to go! The SurfaceBook is a keeper :)

Cheers,

Sami

Wednesday, January 27, 2016

Review #2 of the SurfaceBook - The Honeymoon is Over

It's now been about two months of full workdays with my SurfaceBook. It's taken me this long to write this blog post, as I strongly believe in this product and want to keep using it so much that I wanted to give Microsoft a heads up and time to figure out if they can fix the biggest problems I've faced. Trust me, I'll tell you the whole story and everything there is to it. Sometimes it's just more important for the big picture to help rather than create headlines. We all know this from the security vulnerabilities point of view.

The first month with my SurfaceBook I call the "Honeymoon". I was so happy and amazed about the product that I could spend my nights at the hotel just attaching and detaching the screen from the base and marveling at the engineering behind that mechanism.

Now the Honeymoon is over and it's time to give an update on how we're doing together today. Yesterday was a breaking point in some way. Next week I need to have a working demo machine to present at NIC in Oslo, so I decided to call a friend of mine to get me a Dell XPS 13 for Friday - just in case. So as one can imagine, this SurfaceBook hobby of mine and its cost to me is starting to make me a bit sad. I wish we were back in the Honeymoon paradise. By Murphy's law, last night, after making the plan B, I finally fixed the biggest issue.

There are two major issues for me that are deal breakers. I speak at big events and I need to have Hyper-V machines running on my local box, as I can't put my machines on Azure. I need to be able to boot my demo machines with ISO images and I can't trust the Internet. At TechEd EU 2012 the Internet connection was down for 36 hours, and even at Ignite the connections were down all the time. If you want to be in the top positions as a speaker, YOU DO NOT HAVE YOUR VMs BEHIND THE INTERNET CONNECTION without a backup at least - my rule for success #1. I don't want to show screenshots like the speakers demoing Azure need to, or be left without working demos at all. So now back to the SurfaceBook.

ISSUE 1: Wireless presenters don't work

There's some sort of a shielding issue with the Book's USB 3. This only happens on the Book and not on any other laptops I have. None of my 2.4GHz presenters work properly when there is a USB 3 device plugged in next to the receiver. I thought it was because of the magnesium shell, but it's not. USB 3 uses frequencies that collide with the 2.4GHz range. People are experiencing bad wireless performance because of this as well. Intel actually has a document on this that everyone should take a look at: http://www.intel.it/content/dam/www/public/us/en/documents/white-papers/usb3-frequency-interference-paper.pdf The reason why your home wireless is bad might be that you plugged a USB 3 disk or printer into your access point. I've uploaded a video showing this: https://youtu.be/lHA-QAjNZfs

I've fixed this in two ways. I have a Bluetooth device that works quite well - again 100$ more spent on this project. And I have a fix which is cheaper but looks unprofessional, as you can see below:



Microsoft is aware and I hope there is something they can do about it. It might be a physical issue, so if it is not fixed for my Surface I hope it will be in future patches.

ISSUE 2: USB 3 external disks work only for a few minutes

This is the biggest one and the one I fixed yesterday. Whenever my USB 3 devices are under load they get to 100% usage level and then they just disappear! I can't run Hyper-V and I can't, for example, create Windows To Go sticks. I've tried this with many external enclosures, USB keys and now latest with Samsung's AWESOME 1TB External SSD (size of a credit card!!). 500$ more on the project, as I thought I had a broken disk :( I struggled with this and spent time almost every day for two months trying to troubleshoot it. I can't use the Book if I can't run Hyper-V with an external SSD - that's just it! I tried different cables, different powered USB hubs, USB2, all the possible power management settings... No success. Yesterday I finally went to measures I don't recommend to anyone. I figured out the Intel devices that are used, tweaked the INF files to cheat Windows into accepting them, digitally signed the drivers myself and made the Book trust my signatures. To get this working I needed help from another famous Finn called Kim Dot Com. He runs the Mega download site in New Zealand, where I found the first hacked Intel drivers for experimenting with before creating my own. Last night I finally got the tweaked USB drivers installed for the USB 3 controller and the internal hub. And to my amazement.. IT WORKS!! Now Hyper-V is running with multiple VMs and has been stable for hours and hours! Not only does it run, but it's actually lightning fast :)

So I'm going to NIC with my SurfaceBook that finally does what I need! :) I couldn't be happier! ISSUE 1 still exists and ISSUE 2 is only a temporary fix by me, so I hope Microsoft reacts fast and gets me permanent solutions :)

I have some issues with the tablet disconnecting from time to time from the base and from the docking station, but even these seem to be fixed now. That kind of adds up, as the "Power/Dock connector" of the Book is just a weird-shaped USB3 connection.

I love the design, keyboard, performance, battery life, screen, airplane usability and the Pen - So don't get me wrong, this product is awesome in so many ways and with these "minor" issues fixed it will hopefully become the Best.

And... I guess in a few weeks you'll get to read an "XPS 13 vs SurfaceBook" blog post ;)

Cheers,

Sami and the Book