User Account Controls and False Security

It’s true that our friends at Microsoft have come a long way toward implementing good security. No, really.  Adobe and Oracle/Java have become the big targets of cyberthieves.  MS operating systems no longer regularly cause the Blue Screen of Death. And, ta-da, we have User Activation Controls to protect us.

UAC, as it is called, is that annoying feature that asks if you are really sure if you want to perform an action as an Administrator, like change your settings or install new programs.  It is best epitomized by the great Apple commercial, where the dumpy PC guy and the cool Apple dude are trying to talk and a secret service-looking guy pesters the PC to death.  Please watch the video before proceeding:
[youtube http://www.youtube.com/watch?v=80sWifG40B0&w=420&h=315]

So, why annoy the customer base?  It’s an attempt to run with least privileges, an important aspect of security. The theory is that if you are compromised running as the Administrator or root accounts, the scope of damage is endless.  On the other hand, if you are warned before running a dangerous program or are a lowly unprivileged user, then the damage will be limited.  UAC can stop an attacker from some pillaging and plundering.

Display of User Account Controls prompt

Let’s say UAC is enabled.  You get warned when really important things are happening, like administrative actions or an attack that is escalating privileges.  But, does that mean attackers are out of luck when they compromise your system? Absolutely not.  Consider this analogy.  If robbers enter a bank and find the vault locked, should they apologize and go home empty handed?  No.  There are still teller drawers full of loot.

The Value of Data on a Hard Drive

The Scream by Edvard Munch
The Scream by Edvard Munch best displays the state of a person when their PC has been successfully attacked.

We can classify the stuff stored on a PC in a few ways. Let’s review three categories and then rate their loss or compromise on the scream-scale.

A rating of 1 Scream is what you’d let out, if you stubbed your toe.  The 5-scream level is achieved by surgery without anesthesia.

  1. System files.  This category mainly concerns the operating system. It’s Windows, some of the settings/configurations and all the patches we’ve accumulated. Good old UAC can prevent most unwanted access. The OS files and patches are of low value to an attacker. Some of the settings and configurations have hack-value. I’m thinking passwords and such. While it would also be great for an attacker to be able to modify these files to embed some spyware for ongoing pillaging, the truth is that you could replace all this, if lost.  Sure it would take time, but with your license and install disk, Windows could be back up and running in an hour. They really want your personal data.
    Loss rating 2 1/2 Screams  The Scream by Edvard Munch The Scream by Edvard Munch Half-sized Scream by Edvard Munch
  2. Applications. How many do you have?  I’ve got a few hundred.  There are about 20 that I use all the time.  We’re talking about your home banking application, MS Office, Firefox, Safari, Wireshark, iTunes and everything else you run.  What is the hack-value?  Again, rather little.  No one is going to attack you, just to get your copy of Excel. You may have some proprietary applications that bad guys want, but those are the exception. Again, UAC will prevent or warn about access to these applications. Replacement cost (if you have your licenses and CDs) is next to zero.  But, it’s going to take a day or two to get all the apps back.
    Loss rating: 3 Screams  The Scream by Edvard Munch The Scream by Edvard Munch The Scream by Edvard Munch

  3. User data. Now we’re talking about damage. It’s your banking data, all the spreadsheets and Word documents.  It includes Social Security numbers, credit cards, and everything else you’ve created.  Let’s not forget that Photoshopped picture of your boss in Cabo San Lucas. It’s priceless and you created it!  Some information, like SSN and credit card numbers have their value as only as long as they are not openly shared. All this has the least protection.  If an intruder gains access to your PC, it’s there for the taking.  UAC will not alert or help you. Your files do not require administrative- or SYSTEM-level access.
    Loss rating: 5 Screams  The Scream by Edvard Munch The Scream by Edvard Munch The Scream by Edvard Munch The Scream by Edvard Munch The Scream by Edvard Munch

Perhaps the title of this blog article makes more sense now.  User Account Controls are not bad. They do offer some protection to your files.  But, it would be wrong to believe it effectively safeguards your most important assets: user data. That is up to you.  More on defenses and some UAC bypass techniques are coming later.

If you are interested in this antivirus testing and hacking, the course Penetration Testing: Tools and Techniques includes this topic.

Randy W. Williams

not

Type to search blog.learningtree.com

Do you mean "" ?

Sorry, no results were found for your query.

Please check your spelling and try your search again.