OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: John Allberg, Posten (john.allbergPOSTEN.SE)
Date: Wed Feb 14 2001 - 04:42:30 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Problem: The policy "smart card removal behaviour" is not
                        enforced when screensaver has started.
    Platform: Windows 2000 SP0 and SP1
    Risk: Low
    Remote exploitable: No
    Damage: A user who know that his/hers workstation is locked
                        when the smart card is removed, can unknowingly
                        leave his/her workstation unlocked and unsecure.

    Description:
    When the following conditions is fulfilled, the workstation is not locked or
    logged off, despite the policy:
    - the policy "Smart Card Removal Behaviour" (Group Policy-> Security->) is
    set to "Lock Workstation" or "Force Logoff",
    - the screensaver kicks in without "password protected" checked and
    - the smart card is removed

    Workaround:
    Make sure "password protected" is checked. This can be done via a group
    policy, found under User Settings-> Administrative Templates-> Control
    Panel-> Display.

    Vendor status:
    Microsoft has been informed, tracking number msrc 628sc. Thanks to Russ
    Cooper.

    Comments:
    The indication of this bug was found by an accident. An administrator was on
    the phone talking, letting his mouse fall to the floor and after a while the
    screensaver kicked in, not password protected. When he finished the call, he
    removed his smart card and ran to a meeting. I picked up his mouse and put
    it on the table and the desktop came right
    up, much to my surprise.

    First, we were angry with the administrator that he hadn't removed his card,
    but when we checked, the card had in fact been removed.

    Some may be arguing that not having a password-protected screensaver and
    relying on users removing their smart cards is unsafe, since the user may
    not care to remove the smart card. We are trying to assure this by using the
    same card to operate doors in our building. Since we can't get through the
    doors without the smart card and we can't ID ourself to for
    example a guard (the smart card is our visual ID-card), we are in quite a
    bit of trouble. That way a user may forget his/her smart card once or twice,
    but then the lesson is learned.

    Oh, by the way, there has been a discussion about this being a bug or
    vulnerability. I don't know what to think, I just want it fixed, preferably
    yesterday... *grin*

    The Swedish Post:
    Posten AB, http://www.posten.se, has been involved in information delivery
    since the seventeenth century, thus being a Trusted Third Party.

    Posten AB, which became a limited liability company in March 1994, offers
    message transmission, parcel forwarding, payments transmission and various
    financial services.

    Posten AB is the largest Certification Authoritiy in Sweden and is issuering
    both physical and smart card-based electronical ID's to the Swedish market.

    This vulnerability was found and reported in a joined effort by Stefan
    Jacobsson and John Allberg, Posten AB.

    ----------------------------------------------------------------------------
    Delivery co-sponsored by BindView Corporation
    ============================================================================
    Are your security practices adequate enough to protect you from hackers and
    crackers? How do you provide remote access to your users, enable e-mail
    messaging, Internet sites and e-commerce activity, and at the same time
    maintain security? Can you implement and administer the effective security
    measures you need without doing battle with the people who need access to
    your network?

    Download FREE the latest Hurwitz Group Report, Management Controls:
    Security Impact of IT Administration at <http://www.bindview.com/hurwitz3>
    ----------------------------------------------------------------------------