Wednesday, February 1, 2017

The True Story of Windows 10 and the DMA-protection

This blog post will tell you if and how Windows 10 protects against DMA (Direct Memory Access) based attacks, which are used against BitLocker and other encryption mechanisms by stealing the encryption key from the memory of a running computer. The story might be long(ish) but rest assured you want to read it through.

It all actually started when I was delivering a session on Windows 8.1 at TechEd. I believed what the documentation said and told people that in Windows 8.1 never-before-seen DMA-enabled devices would not be usable on the logon screen. So if your computer had no one logged on or the computer was locked we would not need to worry about DMA attacks anymore. As I soon learned this did not actually work in Windows 8.1 and Microsoft told me that it had "skipped" from the RTM build without them (the people I was interacting with) knowing about it. I felt horrible as I had given misinformation, but more so that I had "skipped" my vital "Always test - Don't just trust" policy.

Now the story continued when things like this showed up:

Quote from:

New Bitlocker features in Windows 10, version 1507

  • DMA port protection. You can use the DataProtection/AllowDirectMemoryAccess MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on.

So I decided that this time I would show how it finally worked at Microsoft Ignite. Nowadays the need for this is much bigger: before, we could just block FireWire and ThunderBolt as no one used them, but now most of my customers have ThunderBolt 3 docking stations so we can't just disable the bus anymore. I started experimenting with this and soon found out something that I showed in my Ignite session to 3000 people: it still didn't work! At least by default.

So the problem with Windows 10 was that Microsoft gave misinformation to my customers and on their websites that Windows 10 would now protect them from DMA attacks, which wasn't the case by default. The bigger problem with this is that MS only supports setting this ON via MDM. Now honestly, how many of my customers have MDM? Almost none :( There is no support to set it via SCCM (as it doesn't support custom URIs), Provisioning package or, most of all, Group Policy...

I got a friend of mine (thanks to Petri Paavola @petripaavola) to help me and build me a PowerShell script so I could experiment without InTune.

I set the setting but DMA still worked. I thought maybe I really needed InTune so I installed InTune and set the setting from there... Still nothing... Now I got really worried. Was the setting done wrong or was this yet again a "skipped" feature? Now I needed to get the Product Group on board with this as this seemed.. well.. fishy...

I would like to thank Microsoft for working with me on this. It took a long time but now finally we have some results. First of all the DMA-protection is not FULL. Quote from MS:

“This mitigation only protects PCI-based buses, for example, ExpressCard, Thunderbolt, & some docking stations (PCIe based). Older, non-PCI buses such as 1394 and CardBus are still vulnerable.”

That is why I got it working all the time, as I was using FireWire to steal the memory.

So the story continues by Microsoft providing me instructions to deal with this:

  1. Set the DMA protection on
  2. Use Group Policy to block FireWire like we have done for years: Blocking the SBP-2 driver

So I started to experiment again. Sadly this information is not complete either, and I know most of my customers have deployed it incompletely as well, and have for many years :( When I used the instructions as such the TB3 devices didn't work (as I expected). When I used the recommended GP settings to block just FireWire my TB3 devices and Dock now worked, but so did PassWare Memory Imager... This is in turn because the instructions don't include all the 1394 devices that you can find from here:

I have reported this to Microsoft as well and I hope the instructions are fixed soon.

Now to give you what you are probably here for :) First how to set the DMA-protection on without InTune:

  • In a few days/weeks you will get an Insider Build that has a Group Policy setting to set this! Thanks to a lot of feedback from MVPs and customers.
  • Until then, the registry key you can set with any method you want is this:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\PnP\Pci
      • DisableExternalDMAUnderLock (DWORD) = 1

Second, here is my recommendation from now on to my customers to block DMA but allow the use of ThunderBolt 3 devices:

  1. Have UEFI+SecureBoot+TPM+NoAdminRights
  2. Block DMA for ThunderBolt by using the registry key until we get the GPO
     i. Or MDM of course if you have one…
  3. Use Group Policy to disable FireWire
     i. See the old article:
     ii. But block these ClassIDs:
       • {7ebefbc0-3200-11d2-b4c2-00a0C9697d07}
       • {c06ff265-ae09-48f0-812c-16753d7cba83}
       • {d48179be-ec20-11d1-b6b8-00c04fa372a7}
       • {6bdd1fc1-810f-11d0-bec7-08002be2092f}

For some cases, if the customer really requires it: add a PIN code protector and disable standby.
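To put the two mitigations above into practice on a lab or standalone machine, here is an added PowerShell example (my own code, not the post's or Microsoft's). It sets the DisableExternalDMAUnderLock value from the post and blocks the four device setup classes listed above through the registry locations that the "Prevent installation of devices using drivers that match these device setup classes" policy writes (HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions). Those policy paths and the DenyDeviceClassesRetroactive value are my assumption of the standard policy-backed layout, not something the post states, and in a domain you should set them through the GPO itself. Test-DmaProtection returns a single object you can reuse as an SCCM compliance script.

```powershell
# Added example (not from the post): apply and audit the DMA mitigations described above.
# Assumptions: the DeviceInstall restriction keys are the standard policy-backed registry
# locations written by the device-setup-class restriction Group Policy (assumption, not from
# the post). Run from an elevated PowerShell prompt; in a domain, prefer the GPO.

$DmaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\PnP\Pci'
$DmaValue = 'DisableExternalDMAUnderLock'

$RestrictKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$DenyKey     = Join-Path $RestrictKey 'DenyDeviceClasses'

# The four device setup class GUIDs listed in the post.
$BlockedClasses = @(
    '{7ebefbc0-3200-11d2-b4c2-00a0C9697d07}',
    '{c06ff265-ae09-48f0-812c-16753d7cba83}',
    '{d48179be-ec20-11d1-b6b8-00c04fa372a7}',
    '{6bdd1fc1-810f-11d0-bec7-08002be2092f}'
)

function Set-DmaProtection {
    # 1. Turn off external PCIe DMA (Thunderbolt 3, ExpressCard) while the device is locked.
    New-Item -Path $DmaKey -Force | Out-Null
    New-ItemProperty -Path $DmaKey -Name $DmaValue -PropertyType DWord -Value 1 -Force | Out-Null

    # 2. Deny driver installation for the 1394-related classes; the PCIe mitigation does not cover them.
    New-Item -Path $DenyKey -Force | Out-Null
    New-ItemProperty -Path $RestrictKey -Name 'DenyDeviceClasses' -PropertyType DWord -Value 1 -Force | Out-Null
    # Also apply to devices that are already installed, not only to future plug-ins.
    New-ItemProperty -Path $RestrictKey -Name 'DenyDeviceClassesRetroactive' -PropertyType DWord -Value 1 -Force | Out-Null
    $i = 1
    foreach ($guid in $BlockedClasses) {
        # The policy stores the GUIDs as string values named 1, 2, 3, ...
        New-ItemProperty -Path $DenyKey -Name ([string]$i) -PropertyType String -Value $guid -Force | Out-Null
        $i++
    }
}

function Test-DmaProtection {
    # Returns one object: true/false per control plus the class IDs still missing from the deny list.
    $dma  = (Get-ItemProperty -Path $DmaKey -Name $DmaValue -ErrorAction SilentlyContinue).$DmaValue
    $deny = (Get-ItemProperty -Path $RestrictKey -Name 'DenyDeviceClasses' -ErrorAction SilentlyContinue).DenyDeviceClasses

    $present = @()
    if (Test-Path $DenyKey) {
        # Only the numeric value names hold GUIDs; PSPath and friends are filtered out.
        $present = (Get-ItemProperty -Path $DenyKey).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { $_.Value.ToLower() }
    }
    $missing = @($BlockedClasses | Where-Object { $present -notcontains $_.ToLower() })

    # Informational: is there a 1394 controller on this machine at all?
    $fw = @(Get-PnpDevice -ErrorAction SilentlyContinue |
            Where-Object { $_.Class -eq '1394' -or $_.FriendlyName -match '1394' })

    [pscustomobject]@{
        ExternalDmaBlockedUnderLock = ($dma -eq 1)
        ClassDenyEnabled            = ($deny -eq 1)
        MissingClassIds             = $missing
        FireWireControllersPresent  = $fw.Count
        Compliant                   = ($dma -eq 1 -and $deny -eq 1 -and $missing.Count -eq 0)
    }
}

Set-DmaProtection
Test-DmaProtection | Format-List
```

The deny list only stops drivers from being installed; a controller whose driver was already loaded is covered only once the retroactive value is in place and the machine has rebooted, so run Test-DmaProtection after a reboot rather than straight after Set-DmaProtection, and remember that neither control replaces the PIN protector and no-standby advice for the cases that really need it.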

Hope this clears things up and sorry it took a while, but there is a coordinated disclosure procedure I want to respect. If you found this helpful please enrol to my newsletter at:

And remember my training videos on PluralSight and my Dojo at


Tuesday, December 6, 2016

Every Windows 10 in-place Upgrade (even with SCCM) is a SEVERE Security risk PART II

So, 127000 blog reads and a week later, I believe it's a good time to publish episode II of this story. Please read these few points and then see how to apply this on SCCM managed machines as well.

First a few things:

  1. My bad, I used the wrong term that was used in previous Windows versions. The BitLocker is SUSPENDED not DISABLED like I said. The end result is of course the same but I do want to use the correct terms.
  2. Most comments say this is an old thing that was in Windows decades ago. Yes, the Shift+F10 feature has been there for ages and I've used it for troubleshooting for ages. That is why I knew to look for it. I found it first in the beta-version of Windows 10. After finding it I knew the first time it really was an issue was the time when people upgraded from Windows 8 to 8.1 as that was the first time the in-place upgrade was recommended and we had BitLocker. So in XP you could press Shift+F10 but so what, we didn't use it to bypass BitLocker (I actually played Solitaire with it just for fun) - so I don't think this is the same thing at all…
  3. What makes this a "bug" (again you have to give me some slack, I'm Finnish and English is not my first language. I speak a language where we log on to Windows using the local Administrator account name of JÄRJESTELMÄNVALVOJA). So let me rephrase, this is a "mistake" that Microsoft forgot this in the upgrade sequence as they know how to block it and have a feature for that.
  4. I categorize myself as a conceptual hacker. This means that I find and use holes that are not Zeroday attacks or 3rd party application issues but holes based on principles that I know to look for because I've studied the OS for over 20 years. I teach Windows Internals and always tell my students that the base knowledge on the OS is a requirement for both creative troubleshooting and taking care of security. How would you know what's bad if you don't know what's normal.
    1. You can find my training on and let me teach you to find this stuff as well :)
  5. LTSB. You don't have to agree with me on this. This was just my personal opinion. I did offer other choices as well, like not leaving computers unattended when they are upgrading. I currently plan on staying on LTSB until 2018 and then do an easy upgrade to CBB - if things are worked out to the level I want by then.
  6. Will there be a time when this all will be put to a test? Yes, Microsoft just declared 1607 as Current Branch for Business. This means that the 1507 release will be out of support in a few months and we will get to test this in action ;) You can read more about this here:
  7. I know the Immutable Laws of Security and I know the computer is not your computer anymore if someone has physical access to it. If it wasn't a case like this, trust me, I would have gotten a bounty on this from Microsoft ages ago. I still believe that this is an issue, as if I don't do in-place upgrades I don't have this issue… Some people got upset that I called it "SEVERE"… Well, if you ask me, when a computer's integrity protection and data protection fail by pressing two keys… Sorry, I just believe it's SEVERE - I will agree to disagree with you on this if you don't.
  8. I also saw some recommendations on using Linux to hack the box - although Linux is Finnish and I like to promote it, you don't need Linux to hack Windows - it does so itself just fine, as I show in the next video.

Now let's talk about the next "issue" here. My good friend Johan Arwidmark did an amazing job in building a bandage for the Shift+F10 to be blocked. It can be used by SCCM/MDT or any manual upgrade. Here is the link: This is what Microsoft will probably use to fix the hole in the first place as well.

Although this is great, I guess some people didn't see the real problem in this whole issue. If the Shift+F10 is a "bug" or a "mistake" it can be easily fixed, as we see. The real security issue is the suspending of BitLocker. The next video shows you how to use this against any system, including SCCM/WSUS controlled machines. Again it uses the knowledge gained in Windows Internals classes. I also do Security Audits (hire me ;) ) and you can bet I will take this into my toolbox for myself when I have the next bank to break into ;) And yes, it still requires physical access, and yes, I boot the machine from bootable media, so you can just glue the USB ports. I will then take the disk at the correct point and move it to another machine or start playing with Linux. Anyway, at the end of the day you are fighting against windmills.

And BTW I have a big issue to disclose that's totally unrelated to this and needs Microsoft's actions before I can talk about it so do enroll to my newsletter - like thousands of you already have:

And be sure to follow me on Twitter @samilaiho

Thanks for all the great feedback,


Monday, November 28, 2016

Every Windows 10 in-place Upgrade is a SEVERE Security risk

This is a big issue and it has been there for a long time. Just a month ago I finally got verification that the Microsoft Product Groups not only know about this but that they have begun working on a fix. As I want to be known as a white hat I had to wait for this to happen before I blog this.

There is a small but CRAZY bug in the way the "Feature Update" (previously known as "Upgrade") is installed. The installation of a new build is done by reimaging the machine, and the image is installed by a small version of Windows called Windows PE (Preinstallation Environment). This has a feature for troubleshooting that allows you to press SHIFT+F10 to get a Command Prompt. This sadly allows access to the hard disk, as during the upgrade Microsoft disables BitLocker. I demonstrate this in the following video. This would take place when you take the following update paths:

  • Windows 10 RTM --> 1511 or 1607 release (November Update or Anniversary Update)
  • Any build to a newer Insider Build (up to end of October 2016 at least)

The real issue here is the Elevation of Privilege that takes a non-admin to SYSTEM (the root of Windows) even on a BitLocker (Microsoft's hard disk encryption) protected machine. And of course, it doesn't require any external hardware or additional software. It's just a crazy bug, I would say :(

Here's the video:

Why would a bad guy do this:

  1. An internal threat who wants to get admin access just has to wait for the next upgrade or convince someone it's OK for him to be an Insider
  2. An external threat having access to a computer waits for it to start an upgrade to get into the system

I sadly can't offer solutions better than:

  • Don't allow unattended upgrades
  • Keep very tight watch on the Insiders
  • Stick to LTSB version of Windows 10 for now
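As an added example (my own code, not the post's and not Johan's bandage from Part II), here is a PowerShell script a defender can run on managed machines before and after a Feature Update. It covers both the Part II point that the real issue is the suspended BitLocker protectors and this post's Shift+F10 prompt: it reports volumes that are FullyEncrypted but have ProtectionStatus Off, which is the state the upgrade leaves the disk in, and can resume protection on them; it also creates the DisableCMDRequest.tag file under %WINDIR%\Setup\Scripts that Windows Setup checks in order to disable the Shift+F10 command prompt. That file name comes from Microsoft's Windows Setup documentation, not from these posts, and setup media that predates the mechanism simply ignores it.

```powershell
# Added example (not from the posts): detect suspended BitLocker protectors and disable the
# Setup command prompt. Assumption: the DisableCMDRequest.tag mechanism is taken from Microsoft's
# Windows Setup documentation, not from the blog posts. Run elevated; needs the BitLocker module.

function Get-SuspendedBitLockerVolume {
    # A suspended volume stays FullyEncrypted but ProtectionStatus reports Off: the clear key is
    # stored on disk and anyone who gets a shell on the machine can read the volume.
    Get-BitLockerVolume | Where-Object {
        $_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -eq 'Off'
    } | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod
}

function Resume-AllBitLockerProtection {
    # Re-enable protectors on every suspended volume. Do NOT run this in the middle of an upgrade:
    # Setup suspends them on purpose so the new build can boot unattended. Use it on machines that
    # were left suspended after the upgrade finished (or after a failed one).
    foreach ($v in @(Get-SuspendedBitLockerVolume)) {
        Resume-BitLocker -MountPoint $v.MountPoint | Out-Null
        Write-Output "Resumed BitLocker protection on $($v.MountPoint)"
    }
}

function Disable-SetupCommandPrompt {
    # Windows Setup skips the Shift+F10 command prompt when this empty tag file exists.
    # Returns $true when the file is in place.
    $scripts = Join-Path $env:WINDIR 'Setup\Scripts'
    $tag     = Join-Path $scripts 'DisableCMDRequest.tag'
    if (-not (Test-Path $scripts)) { New-Item -ItemType Directory -Path $scripts -Force | Out-Null }
    if (-not (Test-Path $tag))     { New-Item -ItemType File -Path $tag -Force | Out-Null }
    Test-Path $tag
}

# Report: every volume listed here is a disk with no BitLocker protection in effect right now.
$suspended = @(Get-SuspendedBitLockerVolume)
if ($suspended.Count -gt 0) {
    Write-Warning "BitLocker protectors are suspended on: $(($suspended | ForEach-Object MountPoint) -join ', ')"
    $suspended | Format-Table -AutoSize
} else {
    Write-Output 'No suspended BitLocker volumes.'
}

if (Disable-SetupCommandPrompt) { Write-Output 'Shift+F10 during Setup is disabled (tag file present).' }
```

Schedule the report part as an SCCM compliance item or a scheduled task so that a machine left with suspended protectors (for example after an upgrade that never finished) shows up within hours instead of staying unprotected; the tag file is a belt-and-braces control on top of that, and, as Part II argues, does nothing about the suspension itself.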

(Update 6.12.2016: Read the next blog as well: )

I am known to share how I do things myself and I'm happy to say I have instructed my customers to stay on the Long Term Servicing Branch for now. At least they can wait until this is fixed and move to a more current branch then. I meet people all the time who say that LTSB is a legacy way, but when I say I'm going to wait a year or two to get the worst bugs out of this new "Just upgrade" model - this is what I meant…

Remember to subscribe to my newsletter as I will disclose more like this very soon! Subscribe here!
And you can learn how to find these by yourself by letting me teach you some Windows Internals!

Wednesday, November 2, 2016

We have a winner - Bye Bye SurfaceBook!

So it's time to talk about my new best friend :) I wanted to wait a month to write this so I've had the opportunity to try the new device in all environments and tasks that I actually need. The new Best Friend, my company, my everything in business life, is now the Lenovo X1 Yoga. And I have to start by saying that I almost couldn't be happier with a laptop. In the last month I've done:

  • Microsoft Ignite - Demos for thousands of attendees
  • Consulting - Smaller part of my business
  • Taught many classes - 75% of my business
  • Broken into a few banks - My pentest business
  • Flown 22 flights - My life
So now I feel like I'm ready to give some sort of a verdict on this machine: IT'S AWESOME!!
Let's talk more specific. I have the i7 with 16GB of RAM and 512GB SSD (I'm waiting for my 1TB NVMe disk as we speak). As before remember this is only my personal opinion based on what I do. I need 4 VM's, that's it, and I need to present and travel a lot.

Now let's do this the other way than usual and let me start by the cons:
  • Fn-button is in the totally wrong place for me as I've never had a Lenovo before
  • Battery life wasn't that good first but reverting to an older version of the graphics driver fixed it
    • With the newest Microsoft provided driver the screen wouldn't change brightness at all but was stuck on max setting
    • Now I'm mostly getting around 6h of battery life which could be better as I fly so much
  • The Pen is small and not good for serious artists but works for me well enough
  • I can't seem to flip it to tablet mode and have the flight attendants believe it's a tablet.. They ask me to put it away when landing as my SurfaceBook was allowed without the keyboard. Well, I watch videos mainly from my iPhone 6s Plus anyway.
  • The worst is easy... My device has totally lost its sex appeal and hotness :( I'm not kidding.. With my SurfaceBook I would sit in the airport lounge and Mac-people would talk to me... They would ask questions and mostly wonder how it was possible that my device cost more than their Macbook... But that's not the point - we were communicating for the first time in this way that they made the first move. Now with the X1 I'm all alone again - No one asks anything about my laptop :( It's a dull business machine with nothing of interest to Cool people... Lenovo X1 works like a perfect 100% proof contraception...

But now for the GREAT stuff:
  • It just works! After the year with the SurfaceBook I had almost forgotten how it feels when every time you plug your laptop into the docking station you actually get a working mouse and bigger screen. USB3 disks work like they're supposed to, as does Wifi, not to mention 2.4GHz PowerPoint clickers! When you close the lid the computer actually goes to sleep - after the SB it's actually really hard to believe, so I still check many times if the computer has actually stopped humming by placing it next to my ear.
  • The Pen is tucked into the laptop and charges automatically. This is Great! Now it's always ready and available. Although not as good as SB's Pen I'd still choose this.
  • The size is a lot better than SurfaceBook. More sleek and lighter.
    • On the plane it fits on my lap even in economy when the guy in front of me has reclined to max settings and his head is against my X1
    • The screen allows for minimal backlight so it's good for the battery
    • The touchpad could be better, but when things get really tight on a plane I actually like the small nub on the keyboard although I really thought I would never use it for anything - I was wondering why Lenovo still has two different mouse replacements but now I'm happy they do.
  • Keyboard is a lot better than SB's (except the Fn-key placement)
  • The screen is phenomenal!! As I've now learned you haven't seen black as black on a laptop before you get an OLED screen! It's crazy how black can get
    • This is not a joke.. The battery lasts longer when you have no content for the pixels so your screen background is better as black than anything else. I thought it was funny when I did my first demos on Dark Web as surfing there would save me battery life for the first time ;)
  • I have enough ports :) Full HDMI and three USB3 ports which is just perfect for me. I realized I've been carrying a hub with me all the time but haven't used it at all.
  • The killer feature compared to SB is the mechanism so traditional to the Yoga lineup that it seems so BORING compared to the cool hinge of the Book. But it works. It just works. When I need to draw I can without breaking the connection to my devices and my Skype session. It works for all situations and never fails!
So while all sexiness from my laptop is gone and I still have to say SurfaceBook is the most beautiful and coolest device I've ever owned it's time to admit that a working device might still be more important to me. But hey, that's just me.

Waiting to see what SurfaceBook 2 brings to the picture and what they've done with the hinge.



Friday, August 26, 2016

SurfaceBook's 1st Birthday approaching - How's it Really Been?

Hi all,

I've had lots of requests to update my judgement on the SurfaceBook. In this short update I try to go through my experiences and thoughts about the future.

In the beginning of November my 1 year guarantee will end and before that I'm luckily going to the US as I have to return the device. The thing that amazed me the most is (not that surprisingly now that I think about it) actually the reason to take it back: The Hinge. For a few months now the problem has been that when I grab the tablet part of the Book the connection between the tablet and the keyboard breaks. At home this means that for an annoyingly long minute or so I lose my external monitor, LAN, keyboard and mouse. While training on Skype for Business or doing some webinars this is much more dramatic as I lose the connection to my headset, which then disconnects me from the call. If I'm presenting in a big conference I lose my connection to the projector, so this is one of the biggest game stoppers for me.

Now a hinge can probably be repaired but now it's time to think about what I really need from the Book and why would I keep using it. This is not to include the reason of paying crazy amount of money for it of course.

What I need or don't need from the Book compared to others:

  • The Pen. This is what made me choose it over the Dell XPS 13.
  • The camera
    • I just can't live with the XPS's camera pointing at my fatter and fatter chin... That's just a looks issue, but the technical one is more important, which is the compatibility with the Windows Hello facial recognition. Now I just realized I really need it only maybe four times a year as a fingerprint reader is more convenient for my use anyway. I now have an Intel RealSense R200 for my demos which is a lot smaller than the previous one I had, which was the F200. The feature is FUN, that's for sure, but when thinking about my primary machine - not a game stopper anymore.
  • The Tablettability (I just came up with the term)
    • Adults honestly?? I only detach the tablet from the keyboard for the short amount of time when my plane takes off or lands. The time when you need to put your laptop away. Now with the iPhone 6s Plus I actually use that to watch videos for that short time so for the past two months I haven't detached it once except to brag to friends about the cool mechanics (that don't work anymore...). When I detach I lose all connections to projectors, all USB-devices, more than half of my battery, my external SSD and all the juice of the GPU in the keyboard base. The connection-thingy looks very neat but when I need to fold my laptop to a tent to draw for my students I need to detach and turn the tablet around which again means I lose all the connections for a while. So if you compare this to HP's devices or Lenovo's Yoga series, this is a really big disadvantage :(
So from the previous perspective I can probably live without the Book. Now what's still wrong with the Book after almost a year of ownership:

  • The USB-issue is still there :( So after every build upgrade of Windows 10 I need to install a false USB Controller and a USB Hub driver. That is to keep my external SSD's working.
  • The wireless issue is still there. SurfaceBook is still the only one of my machines that doesn't work with my wireless presenter from Logitech. That's not a game stopper as I have the Kensington BlueTooth one that works perfectly.
What do I now want:

  1. I still believe that the Book has huge potential and it is easily the coolest and best device from Microsoft that I have ever had. I can't wait to get the next one (I guesstimate it's 2017 spring) to see how it will be and will it make me a SurfaceBook lover again.
  2. I am going to buy something else.. If not before, then at least after writing all this down in this blog post do I realize I can make my life easier. I need a highly portable UltraBook with i7, 16GB of RAM, 8 hours of battery life, 1TB SSD, a normal camera and at least a DisplayPort connection and a USB3 or 3.1 port. I don't need a tablet, I don't need a pen or a touch screen, I don't need a Windows Hello Camera, I don't need a USB-C only option for network/screens and I absolutely don't need a US keyboard...
  3. I think I'm going to get my hands on a Lenovo X1 Carbon and an X1 Yoga to start testing how my relationship after the honeymoon will be with either one.


Thursday, August 11, 2016

Biometrics – Have your fingers been pwned?

First, to start with, I believe biometrics are in many ways the future of authentication, but sometimes people forget to think about the bad sides as well – when they get too excited. I wanted to take some time and write down my thoughts on this and related topics. I’m talking about Security Internals in Estonia this year ( and I started to gather my thoughts on current trends in security and that gave me the inspiration to write this article. One important trend in my life also changed dramatically this summer as I and my family moved to iPhones. I still think that Windows OS is the best one that there is for mobile phones but at some point the lack of stability and apps just threw me over the Edge. “Over the Edge” in this context is actually just funny if you ask me ;) The iPhone introduced me to the simplicity of using my fingerprint to authenticate to my phone and boy did I welcome this ease! After the honeymoon with my new iPhone I started to seriously think about this. In the next few paragraphs I’m going to talk about some common questions/comments I get and some points that I don’t believe all people totally understand.


#1 Ease of changing a password


I hope all of you know the best website out there monitoring system breaches called It’s run by a fellow PluralSight author and highly appreciated security expert called Troy Hunt. So what if you lose a password as you just need to change it, right? Right. So now what happens if your biometrics get stolen? You change your finger? Or even worse your face or your retina? So to cut corners a bit you can only be ten times pwned when it comes to your fingerprints.


#2 Lack of true biometric data in Windows


This is what I hear quite often: “Why do we still need to use a password in Windows which is then protected by a PIN or a biometric info? Why can’t we yet in 2016 save the biometric data to Active Directory and just use that?” Think about the previous point and the bad thing about not using a password. If your fingerprint is value 400 and your password is value 400 we can calculate a value of 160000 by multiplying them. If I lose my biometric data to someone I just need to change the password to invalidate the result. So from this perspective I am happy that my true biometric data is not stored in my AD as it would make it more probable for someone to steal my true identity and a lot harder for me to recover when it happens – and it will.


#3 Difference between physical and mental proof of ownership


By law in the US you can be forced to use your finger or your “face” to open your device. By law you cannot be forced to give your PIN code to open your device. I would say I have nothing to hide and I’m not a criminal so it doesn’t really matter, but many people don’t like the fact that a device with a biometric protection can be used to incriminate you and one with a PIN code can’t.


#4 Why Windows wants me to use a 4 digit PIN code when I have a 16 character password?


When you install Windows 10 and start using any cloud related features it will ask you to change to using a PIN code even if your password is a lot stronger mathematically. This is because this PIN code protects your password on that certain device. If your real password is stolen all of your physical devices can be used to access your data, but with the PIN code only that one device is compromised. That is, if you use a different PIN on different devices – as this has always been the suggested best practice I’m sure all of you adhere to it ;) BTW, if your computer has a TPM then that is used to store the PIN, making it very secure, but if you don’t have one then the PIN is actually just saved in the registry, making it a lot less secure.


#5 How do I do it?


To finalize I believe it’s fair to share how I do it personally. So here are some of my best practices I know I use and I also really, I mean REALLY, have the strength to follow.


- My Windows passwords are always passphrases that have at least 15 characters, have characters from at least three different character sets and have numbers in the middle. So for example Jakedrank16beers! is a very good password but easy to remember. Most people use numbers at the beginning or the end and that’s also programmatically a lot easier to break, so put them in the middle. I’m not trying to play Mother Teresa here so next time Jake might have drunk 17 beers ;)

- I protect that password with facial detection on my SurfaceBook and with different PINs on my tablets that don’t have a keyboard.

- I will never buy a device that doesn’t have a TPM, and I’d prefer them to have an IO-MMU for future features.

- When signing in to websites I have a strong base password but I use the two first letters of the website’s Top Level Domain name to make it more unique.

- I always use a password manager. I prefer LastPass although I hate that they were acquired by LogMeIn and I know they have had their break-ins. It is still the only tool that does everything I need.

- I never log on as an Admin to my workstations! And my Domain Admins are always prevented by policy from logging on to any computer except Domain Controllers.

- And YES, on my iPhone I use a fingerprint – the ease of use wins in my case – at least with my personal phone.

- If you asked me what the secure authentication of my choice would be, I would like it to be PIN+Biometrics so I could have strong protection, easily change the password, not forget my dongles and not have too complicated a method to use.


Stay safe,



Wednesday, April 6, 2016

First PluralSight Course Published!

I am so proud/happy/excited to tell you that my first ever PluralSight course was published today!

You can find it here:

It's about how to hack the OS so my favorite topic :)

Hope you have already gotten your license to PluralSight as it is the Best VOD training site out there with thousands of courses at an easy to handle price!

Hope you can view and enjoy my video.