
August 12, 2016

Cyber Accident of the Year? Microsoft Leaks Secure Boot 'Golden Key' to Public

News is spreading quickly about Microsoft’s “golden key,” a vulnerability that enables hackers to bypass critical security checkpoints on certain Windows devices.

Let’s bring you up to speed on this important issue:

Back in March, a team of security researchers, who go by the names Slipstream and MY123, discovered a vulnerability on Secure Boot-enabled Microsoft devices running Windows 8.1 or later. What the researchers discovered was a “backdoor” entrance in the code that allows key-holders to bypass standard authentication checkpoints during startup.

The term “backdoor” entry became infamous in the months following last year’s San Bernardino, Calif. shooting. After the shooting, the FBI ordered Apple to create a backdoor entrance for the iPhone so that the FBI could break into the shooter’s device and access important information related to the case. Apple fought the order tooth and nail, based on the belief that creating a universal backdoor entrance is a dangerous idea.

Microsoft maintains that its own backdoor was created for debugging purposes only.  

As Ars Technica pointed out in a recent post, the golden key isn’t actually a typical private key, but instead a way to alter Unified Extensible Firmware Interface (UEFI) tasks during system bootups. Its purpose was to provide quick and easy access into the Windows operating system for its programmers, so that they could perform software tests.

To successfully use the golden key, a hacker would first require either physical access to a machine or administrative privileges. He or she could, in theory, use this vulnerability to disable Secure Boot and install a malicious version of Windows onto a machine.

Interestingly, the golden key can also be used to “jailbreak” Windows smartphones or tablets. You could, for instance, use the golden key to run a third-party operating system on your Windows hardware. We don’t recommend doing this, though.

According to Ars Technica, Microsoft first dismissed the vulnerability, but has since changed its course of action. In June, Microsoft released two bug patches (MS16-094 and MS16-100), and has plans to release a third in the near future.

Unfortunately, neither of these patches is able to actually close the vulnerability. In fact, the vulnerability may actually be impossible to close—meaning this could be a major cybersecurity issue for Windows users moving forward. We will keep a close watch on how this plays out.

So, what can you do to protect your organization? While the above-mentioned patches won’t totally solve the problem, we do recommend you patch your Windows devices so your end users are at least up to date with the latest software versions. Make sure to apply the next patch when it comes out, too. And moving forward, you need to operate under the assumption that all Windows devices using Windows 8.1 or later are in danger of being exploited with malicious Windows software.

We also recommend reinforcing your data center with strong access controls if possible, such as man traps, which can physically prevent unauthorized intruders from leaving. And take the time to update and secure your administrative privileges, so that only trusted members of your security team can make changes to your network.

A new breed of hacktrepreneurs has awoken, and they have little to fear and everything to gain by infecting as many companies as possible and extorting money from them. Apex Technology Services stands ready to protect your company regardless of whether it’s located in New York City; White Plains, New York; Connecticut; Australia; Europe; or anywhere else. Our full suite of cybersecurity and IT support services is at your disposal, enabling you to spend less time worrying and more time growing your business.

In addition, our new Cybersecurity Compliance Certification for law firms will help keep your legal practice from becoming the next Panama Papers victim. This baseline cybersecurity audit for the legal industry should be considered seriously by all law firms.






