14 new trusted root certificates added to Windows in unannounced update

My monitoring scripts raised an alert a few days ago: Microsoft has just quietly updated its Root CTL (Certificate Trust List), increasing its size to 356 roots.

The official channels, which normally announce and document such updates well in advance, are oddly silent about this one, and the new CTL is already being pushed to all Windows systems (including servers).

A quick RCC scan (shameless plug!) highlights the following entries as new:

1e0e56190ad18b2598b20444ff668a0417995f3f    LU    LuxTrust Global Root 2
5463283b6793ff55277cede39098e80422f912f7    CO    AC Raiz Certicamara S.A.
3143649becce27eced3a3f0b8f0de4e891ddeeca    TR    TUBITAK Kamu SM SSL Kok Sertifikasi  Surum 1
e252fa953feddb2460bd6e28f39ccccf5eb33fde    HR    SZAFIR ROOT CA2
3f0feb17a7ef5804cfd90a77b7bb021ea69c6418    GR    BYTE Root Certification Authority 001
a69e0336c4e59023ff653c71f928eb73f21c00f0    CA    Carillon Information Security Inc.
d99b104298594763f0b9a927b79269cb47dd158b    TW    ePKI Root Certification Authority - G2
81ac5de150d1b8de5d3e0e266a136b737862d322    TW    ePKI Root Certification Authority - G2
c3197c3924e654af1bc4ab20957ae2c30e13026a    US    SSL.com Root Certification Authority ECC
b7ab3308d1ea4477ba1480125a6fbda936490cbb    US    SSL.com Root Certification Authority RSA
4cdd51a3d1f5203214b0c6c532230391c746426d    US    SSL.com EV Root Certification Authority ECC
1cb7ede176bcdfef0c866f46fbf980e901e5ce35    US    SSL.com EV Root Certification Authority RSA
d3dd483e2bbf4c05e8af10f5fa7626cfd3dc3092    PL    Certum Trusted Network CA 2
d496592b305707386cc5f3cdb259ae66d7661fca    ES    ACA ROOT

Trusting new CAs is always a big deal, so advanced users and enterprise admins may use the above list to research these new roots and decide which ones they actually want to trust. And I'm currently working on a trust store hardening product, which will make it easy to drastically reduce your exposure to unnecessary CAs. Stay tuned!
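The kind of monitoring check that raises such an alert is simple to reproduce: snapshot the trust store, then diff the thumbprints against a saved baseline. The script below is an added example, not the RCC tool or any code from the post; it parses the same "sha1  country  name" layout as the list above and reports roots that appeared or disappeared. The two snapshots are constructed test data (the named roots are taken from the list above, the all-zero thumbprint is a placeholder).

```python
import re

# One root per line: 40 hex chars of SHA-1 thumbprint, two-letter country, friendly name.
LINE_RE = re.compile(r"^\s*([0-9a-fA-F]{40})\s+([A-Z]{2})\s+(.+?)\s*$")

# Constructed baseline snapshot (the zero thumbprint is a placeholder for a root that later vanishes).
BASELINE = """\
1e0e56190ad18b2598b20444ff668a0417995f3f    LU    LuxTrust Global Root 2
5463283b6793ff55277cede39098e80422f912f7    CO    AC Raiz Certicamara S.A.
0000000000000000000000000000000000000000    XX    Constructed placeholder root
"""

# Constructed "current" snapshot: two roots from the post's list have been added, the placeholder is gone.
CURRENT = """\
1e0e56190ad18b2598b20444ff668a0417995f3f    LU    LuxTrust Global Root 2
5463283b6793ff55277cede39098e80422f912f7    CO    AC Raiz Certicamara S.A.
c3197c3924e654af1bc4ab20957ae2c30e13026a    US    SSL.com Root Certification Authority ECC
d3dd483e2bbf4c05e8af10f5fa7626cfd3dc3092    PL    Certum Trusted Network CA 2
"""


def parse_roots(text):
    """Map lowercase thumbprint -> (country, name); lines that don't match the layout are skipped."""
    roots = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sha1, country, name = m.groups()
        roots[sha1.lower()] = (country, name)
    return roots


def diff_roots(baseline_text, current_text):
    """Return (added, removed): sorted lists of (thumbprint, country, name) tuples."""
    base = parse_roots(baseline_text)
    cur = parse_roots(current_text)
    added = sorted((t, *cur[t]) for t in cur.keys() - base.keys())
    removed = sorted((t, *base[t]) for t in base.keys() - cur.keys())
    return added, removed


def alert_lines(baseline_text, current_text):
    """Human-readable alert, one line per change; empty list means the trust store is unchanged."""
    added, removed = diff_roots(baseline_text, current_text)
    lines = [f"NEW ROOT      {t}  {c}  {n}" for t, c, n in added]
    lines += [f"REMOVED ROOT  {t}  {c}  {n}" for t, c, n in removed]
    return lines


if __name__ == "__main__":
    for line in alert_lines(BASELINE, CURRENT):
        print(line)
```

Keyed on the thumbprint rather than the friendly name, the diff also catches a re-issued root that keeps its old name, which is exactly the case a name-based comparison would miss.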

Update 13-Oct-2016: Microsoft confirms the release.

Follow @hexatomium for more updates and the occasional crazy thought.

Windows 10 has an undocumented certificate pinning feature

After getting to play with Windows 10 for a few hours, something unexpected caught my attention.

Hey, there's some new stuff in there - a third, undocumented CTL!
Googling for 'PinRulesEncodedCtl' turned up nothing at all. The first few bytes of the binary data (30 82 .. .. 06 09 2a 86 48) looked familiar though: it was probably ASN.1 encoded data, just like the other two well-documented CTLs. That meant I could probably just feed the blob into my existing tools for quick and painless decoding.
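The quick "is this ASN.1?" test described above comes down to reading DER tag-length-value headers. The parser below is an added example and not the author's decoding tool; it walks the outer SEQUENCE, decodes the first member as an OID and names it from a small table (pkcs7-signedData, which the CTL container uses, and Microsoft's szOID_CTL). The sample blob is constructed to mirror the quoted prefix 30 82 .. .. 06 09 2a 86 48; the OID bytes after 2a 86 48 are assumed to be the rest of the signedData OID, and a real CTL carries a far larger length field.

```python
KNOWN_OIDS = {
    "1.2.840.113549.1.7.2": "pkcs7-signedData",
    "1.3.6.1.4.1.311.10.1": "szOID_CTL (Microsoft certificate trust list)",
}


def read_tlv(buf, offset=0):
    """Parse one DER tag-length-value element; return (tag, value_bytes, offset_after_element)."""
    if offset + 2 > len(buf):
        raise ValueError("truncated header")
    tag = buf[offset]
    length = buf[offset + 1]
    pos = offset + 2
    if length & 0x80:
        # Long form: low 7 bits give how many bytes of big-endian length follow (e.g. 0x82 -> 2 bytes).
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported length encoding")
        if pos + n > len(buf):
            raise ValueError("truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:end], end


def decode_oid(value):
    """Decode OID content bytes to dotted notation (base-128 arcs, high bit = continuation)."""
    if not value:
        raise ValueError("empty OID")
    if value[-1] & 0x80:
        raise ValueError("truncated OID arc")
    # First byte packs the first two arcs as 40*a + b (valid for root arcs 0 and 1, which covers 1.2.840...).
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def describe_blob(blob):
    """Sanity-check a registry blob as DER: outer SEQUENCE whose first member is a content-type OID."""
    tag, body, _ = read_tlv(blob)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    inner_tag, inner_val, _ = read_tlv(body)
    if inner_tag != 0x06:
        raise ValueError("first SEQUENCE member is not an OID")
    oid = decode_oid(inner_val)
    return {"tag": tag, "length": len(body), "content_type": oid, "name": KNOWN_OIDS.get(oid, "unknown")}


# Constructed sample: SEQUENCE (long-form length, as in the post's prefix) { OID 1.2.840.113549.1.7.2 }.
_OID_TLV = bytes.fromhex("06092a864886f70d010702")
SAMPLE_BLOB = bytes.fromhex("3082") + len(_OID_TLV).to_bytes(2, "big") + _OID_TLV

if __name__ == "__main__":
    print(describe_blob(SAMPLE_BLOB))
```

Once the outer header checks out, the same read_tlv loop can be applied to the body to walk into the SignedData structure where the CTL entries (the Subject Identifier list) live.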

Success! We get a nice list of 152 Microsoft-owned domains.

Subject Identifier: .files-df.1drv.com
Subject Identifier: .files.1drv.com
Subject Identifier: .aadrm.com
Subject Identifier: .afx.ms
Subject Identifier: .akadns.net
Subject Identifier: .aspnetcdn.com
Subject Identifier: .azure-int.net
Subject Identifier: .azure-mobile.net
Subject Identifier: .azure.com
Subject Identifier: .cloudapp.azure.com
Subject Identifier: azure.com
Subject Identifier: .azure.net
Subject Identifier: .cloudapp.azure.net
Subject Identifier: .azureedge.net
Subject Identifier: .azurewebsites.net
Subject Identifier: .bing-exp.com
Subject Identifier: .bing-int.com
Subject Identifier: .bing.com
Subject Identifier: bing.com
Subject Identifier: download.cortana.cn.bing.com
Subject Identifier: .bing.net
Subject Identifier: .ceipmsn.com
Subject Identifier: .cloudapp.net
Subject Identifier: .codeplex.com
Subject Identifier: .discoverbing.com
Subject Identifier: .getmicrosoftkey.com
Subject Identifier: .gfx-int.ms
Subject Identifier: gfx-int.ms
Subject Identifier: .gfx.ms
Subject Identifier: .healthvault-ppe.co.uk
Subject Identifier: .healthvault-ppe.com
Subject Identifier: healthvault-ppe.com
Subject Identifier: .healthvault.co.uk
Subject Identifier: .healthvault.com
Subject Identifier: .hotmail-int.com
Subject Identifier: hotmail.co.uk
Subject Identifier: .hotmail.com
Subject Identifier: hotmail.com
Subject Identifier: iespdytst
Subject Identifier: ieta-wa-24
Subject Identifier: .live-int.com
Subject Identifier: .live-int.net
Subject Identifier: .live-partner.com
Subject Identifier: .live-ppe.net
Subject Identifier: .live.com
Subject Identifier: .live.fi
Subject Identifier: live.fi
Subject Identifier: .live.net
Subject Identifier: .livefilestore-int.com
Subject Identifier: .livefilestore.com
Subject Identifier: .livemeeting.com
Subject Identifier: .lync.com
Subject Identifier: .mesh.com
Subject Identifier: .mgmt.live
Subject Identifier: .microsoft-int.com
Subject Identifier: .microsoft.com
Subject Identifier: .redmond.corp.microsoft.com
Subject Identifier: download.microsoft.com
Subject Identifier: iespdytst.redmond.corp.microsoft.com
Subject Identifier: microsoft.com
Subject Identifier: powerusers-staging.microsoft.com
Subject Identifier: powerusers.microsoft.com
Subject Identifier: telecommand.telemetry.microsoft.com
Subject Identifier: vortex-sandbox.data.microsoft.com
Subject Identifier: watson.telemetry.microsoft.com
Subject Identifier: .microsoft.com.au
Subject Identifier: .microsoft.com.tr
Subject Identifier: .microsoft.fr
Subject Identifier: .microsoftonline-int.com
Subject Identifier: .microsoftonline-p-int.com
Subject Identifier: .microsoftonline-p.com
Subject Identifier: .microsoftonline-p.net
Subject Identifier: .microsoftonline.com
Subject Identifier: .microsoftonline.net
Subject Identifier: .microsoftprime.com
Subject Identifier: .microsoftstore.com
Subject Identifier: za.microsoftstore.com
Subject Identifier: .microsoftstore.com.br
Subject Identifier: .microsoftstore.com.cn
Subject Identifier: .microsoftstore.com.hk
Subject Identifier: .microsofttranslator.com
Subject Identifier: .microsoftvirtualacademy.com
Subject Identifier: .modern.ie
Subject Identifier: modern.ie
Subject Identifier: .msads.net
Subject Identifier: .vo.msecnd.net
Subject Identifier: .msgamestudios.com
Subject Identifier: .msn-int.com
Subject Identifier: .msn.cn
Subject Identifier: .msn.co.jp
Subject Identifier: .msn.com
Subject Identifier: .msn.com.cn
Subject Identifier: .msocdn.com
Subject Identifier: .firstpartyapps.oaspapps.com
Subject Identifier: .office-int.com
Subject Identifier: office-int.com
Subject Identifier: .office-int.net
Subject Identifier: .office.com
Subject Identifier: office.com
Subject Identifier: .office.net
Subject Identifier: .office365.com
Subject Identifier: .officeppe.com
Subject Identifier: .officeppe.net
Subject Identifier: .onedrive.com
Subject Identifier: onedrive.com
Subject Identifier: .onenote.com
Subject Identifier: onenote.com
Subject Identifier: .onenote.net
Subject Identifier: outlook-int.com
Subject Identifier: .outlook.com
Subject Identifier: 003-1-d.outlook.com
Subject Identifier: 003-1-d.prod.outlook.com
Subject Identifier: outlook.com
Subject Identifier: pod71084-pri.outlook.com
Subject Identifier: pod71084.outlook.com
Subject Identifier: .pfx.ms
Subject Identifier: .s-microsoft.com
Subject Identifier: .s-msft.com
Subject Identifier: .s-msn.com
Subject Identifier: .sfx-df.ms
Subject Identifier: .sfx-int.ms
Subject Identifier: .sfx.ms
Subject Identifier: .sharepoint.com
Subject Identifier: .sharepointonline.com
Subject Identifier: .skype.com
Subject Identifier: community-stage.skype.com
Subject Identifier: .skype.net
Subject Identifier: .skypeassets.com
Subject Identifier: .sqlazurelabs.com
Subject Identifier: .surface.com
Subject Identifier: .syncxp.net
Subject Identifier: .trouter.io
Subject Identifier: .virtualearth.net
Subject Identifier: .visualstudio.com
Subject Identifier: visualstudio.com
Subject Identifier: .windows-int.net
Subject Identifier: .windows.com
Subject Identifier: insidersurveys.windows.com
Subject Identifier: www.insidersurveys.windows.com
Subject Identifier: .windows.net
Subject Identifier: .windowsazure.com
Subject Identifier: .windowsmedia.com
Subject Identifier: .windowsphone-int.com
Subject Identifier: .windowsphone-int.net
Subject Identifier: .windowsphone.com
Subject Identifier: .windowsphone.net
Subject Identifier: .windowssearch.com
Subject Identifier: .windowsstore.com
Subject Identifier: .wlxrs.com
Subject Identifier: .xbox.com
Subject Identifier: .xboxlive.com
Subject Identifier: .zune.net

Also, the lastsync timestamp (2016-09-24 14:22:44 UTC) shows that this list is being regularly updated.

So this very much looks like evidence of an active system-wide certificate pinning mechanism protecting against MITM attacks on high-value Microsoft domains. Which, per se, is a good thing! Some official documentation would be nice, though.

Edit 1 (2016-09-24): This seems to be - at least partially - related to Telemetry, as briefly mentioned at the only page I could find: https://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-telemetry-in-your-organization

Edit 2 (2016-09-27): After some more decoding: here's the list of root CAs the above domains are pinned to:

Baltimore CyberTrust Root
DigiCert High Assurance EV Root CA
Entrust Root Certification Authority - G2
Entrust.net Certification Authority (2048)
GeoTrust Global CA
GlobalSign Root CA
GTE CyberTrust Global Root
Microsoft Root Certificate Authority
Microsoft Root Certificate Authority 2011
thawte Primary Root CA - G3
VeriSign Class 3 Public Primary Certification Authority
VeriSign Class 3 Public Primary Certification Authority - G5
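Put together, the two decoded lists describe a pin rule: a host that matches one of the Subject Identifiers must chain to one of these roots, anything else is an interception attempt worth flagging. The checker below is an added illustration, not Microsoft's implementation or the author's decoder, and its matching semantics are an assumption: a Subject Identifier with a leading dot (".microsoft.com") is taken to cover any subdomain, an entry without one ("microsoft.com") only the exact host, which is consistent with both forms appearing side by side in the list. Rule and root names are a subset of those decoded above; the observed connections are constructed test data.

```python
# Subset of the decoded Subject Identifiers (leading dot = any subdomain, no dot = exact host; assumed).
PIN_RULES = [
    ".microsoft.com", "microsoft.com", "download.microsoft.com",
    ".live.com", ".azure.com", ".cloudapp.azure.com", ".outlook.com", "outlook.com",
]

# Subset of the roots the pinned domains were found to chain to.
PINNED_ROOTS = {
    "Baltimore CyberTrust Root",
    "DigiCert High Assurance EV Root CA",
    "Microsoft Root Certificate Authority 2011",
}


def matching_rule(hostname, rules=PIN_RULES):
    """Return the pin rule covering hostname, or None. Exact entries win; then the most specific suffix."""
    host = hostname.lower().rstrip(".")
    if host in {r for r in rules if not r.startswith(".")}:
        return host
    wildcards = sorted((r for r in rules if r.startswith(".")), key=len, reverse=True)
    for rule in wildcards:
        # endswith on the dotted form rejects look-alikes such as "evilmicrosoft.com".
        if host.endswith(rule):
            return rule
    return None


def check_chain(hostname, root_name, rules=PIN_RULES, pinned=PINNED_ROOTS):
    """Classify one observed TLS connection: ("ok" | "pin-violation" | "no-rule", rule)."""
    rule = matching_rule(hostname, rules)
    if rule is None:
        return ("no-rule", None)
    if root_name in pinned:
        return ("ok", rule)
    return ("pin-violation", rule)


def find_violations(observations):
    """Run the check over (hostname, chain_root_name) pairs; return the hosts that failed pinning."""
    return [host for host, root in observations if check_chain(host, root)[0] == "pin-violation"]


# Constructed observations: one legitimate chain, one host outside the rules, one interception chain.
SAMPLE_OBSERVATIONS = [
    ("www.microsoft.com", "Baltimore CyberTrust Root"),
    ("example.org", "Constructed Corporate Proxy Root"),
    ("login.live.com", "Constructed Corporate Proxy Root"),
]

if __name__ == "__main__":
    for host, root in SAMPLE_OBSERVATIONS:
        print(host, "->", check_chain(host, root))
```

Note what the last observation shows: a corporate TLS-inspection proxy whose root is trusted by the machine still fails the pin, which is why such a mechanism matters even on systems where the local root store has been extended.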

LastPass' password meter is broken

Password strength meters are notoriously unreliable and LastPass is unfortunately no exception. Depending on what options are configured, the password strength meter, both in the Chrome browser plugin and at lastpass.com, will give completely ridiculous estimates, providing a false sense of security and putting users at risk.

Example 1
Generating a purely numeric 14-digit password results in a green strength bar, although such a password is in fact extremely weak: at just 46 bits of entropy, it would be bruteforced in minutes by even a modest cracking rig.

dict size: 10   length: 14  ->  46.50 bits of entropy  ->  bruteforce difficulty: trivial (minutes)


Example 2

This password is shorter (10 characters) but results in an even longer and greener strength meter.

dict size: 18   length: 10  ->  41.69 bits of entropy  ->  bruteforce difficulty: trivial (seconds)
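The two result lines above follow from one formula: entropy = length * log2(alphabet size), and the brute-force search space is alphabet size ^ length. The calculator below is an added example, not the author's tool; the only assumption is the cracking rate of 1e11 guesses per second (a rough figure for a modest GPU rig against a fast hash), which is what makes 46.5 bits come out as "minutes" and 41.7 bits as "seconds", matching the post. The bit count is truncated to two decimals so that it reproduces the figures shown. A 16-character password over 94 printable symbols is included as a constructed contrast case.

```python
import math

GUESSES_PER_SECOND = 1e11  # assumed cracking rate, not from the post


def entropy_bits(dict_size, length):
    """Bits of entropy for a uniformly random password of `length` symbols drawn from `dict_size`."""
    return length * math.log2(dict_size)


def worst_case_seconds(dict_size, length, rate=GUESSES_PER_SECOND):
    """Time to exhaust the whole keyspace (the average attacker finds the password in about half of it)."""
    return dict_size ** length / rate


def difficulty(seconds):
    """Coarse bands; anything under a day is labelled trivial, as in the post."""
    if seconds < 60:
        return "trivial (seconds)"
    if seconds < 3600:
        return "trivial (minutes)"
    if seconds < 86400:
        return "trivial (hours)"
    if seconds < 365 * 86400:
        return "days"
    return "years"


def assess(dict_size, length):
    """Return the numbers plus a report line in the same layout as the post's output."""
    bits = entropy_bits(dict_size, length)
    seconds = worst_case_seconds(dict_size, length)
    label = difficulty(seconds)
    bits_display = f"{math.floor(bits * 100) / 100:.2f}"  # truncate, matching the post's 46.50 / 41.69
    report = (f"dict size: {dict_size}   length: {length}  ->  {bits_display} bits of entropy"
              f"  ->  bruteforce difficulty: {label}")
    return {"bits": bits, "seconds": seconds, "difficulty": label, "report": report}


if __name__ == "__main__":
    for dict_size, length in [(10, 14), (18, 10), (94, 16)]:
        print(assess(dict_size, length)["report"])
```

The useful takeaway is that the character classes present, which is what most meters reward, matter far less than the product of alphabet size and length: the 10-character example above loses to the 14-digit one despite its richer alphabet.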



Bottom line is, don't use LastPass to generate your passwords. At least not until they fix (or remove) their password meter. Don't get burned. Just use a proper, native password manager.

PS. I had a rather bad experience reporting a previous (more serious) vulnerability to LastPass, so I'm not sure I want to go through that again.


GoGoogle - A strange Firefox address bar behavior

Try this in Firefox: Open a new tab and type goo%67 in the address bar. Assuming you have visited Google.com recently, here's what you will get:

Looks like a weird autocomplete bug. No time to investigate in depth, though it does not seem to be exploitable at first sight.


Cheatsheet - The powers of "limited" Windows accounts

While using a non-admin account for everyday tasks is a sound and highly recommended security measure, it is important to keep in mind that it should only be one layer of your security posture.

It is easy to underestimate the amount of damage that can be done by malware running as a "limited" Windows user, even without resorting to privilege escalation. Here is a quick roundup:

  1. keylogging / password stealing
  2. file encryption (e.g. Cryptowall)
  3. silently recording audio/video
  4. banking trojan infections (e.g. Dridex)
  5. persistence (surviving reboots)
  6. formatting external FAT drives
  7. infecting USB sticks
  8. sending out any data (outbound FW rules typically won't help much)
  9. browser hijacking
  10. joining a botnet
  11. hosting content
  12. reading memory of other processes (e.g. Keepass)
  13. serving a remote console (e.g. VNC)
  14. port scanning / network recon
  15. Active Directory enumeration

Did you know all of the above could be done with a regular account?


View my LinkedIn page (Firas Salem)