top of page
  • Tracy Camp

Data Protection API or "Now you have two problems"

I've long thought that cryptography generally works a bit like the famous quote from the great JWZ...


"Some people, when confronted with a problem, think 'I know, I'll use regular expressions.' Now they have two problems."

Don't get me wrong, cryptography is a powerful tool and can be used to solve really complicated problems. But much like regex... most of the time you now have two problems on your hands. With that set... Let's have a look at the Windows Data Protection API which is frequently used by applications to encrypt account credentials to protect them from snoopers. [spoiler! it's not really protecting anything - install UpSight Security!]


The Data Protection API (DPAPI) debuted in Microsoft Windows 2000 (yes in the year 2000!). It basically provides two very simple APIs for applications to use: 'Encrypt' and 'Decrypt'. Typically, encrypted data is stored in a file someplace to be read back and decrypted later. For instance, every time you allow a web browser to save your username and password for some random web site - it will encrypt that data using DPAPI. This is really easy to use and works pretty well. However, you should ask yourself - from who or what is the data being protected? The honest answer has to be:


"People with screwdrivers"

DPAPI's Second Problem


DPAPI can only protect you from people with screwdrivers because it has created a 'second problem'. That problem is where to store the key that it just used to encrypt your data? The answer DPAPI's designers came up with was to encrypt that key with your local account credentials. As such when you sign in, you are also unlocking all of the data protected by DPAPI. Technically each application can provide an additional "secret" to keep its data private from other applications (or malware). However, where is this second secret going to be stored? Yes, you guessed it - the secret is either a fixed value or stored in an unencrypted configuration file someplace. Encryption is almost always a shell-game of shuffling what must be protected around, DPAPI is no different. Which is why I'm often reminded of the JWZ quote above.







DPAPI solves a problem from the year 2000 - specifically computers of the era were not generally fast enough to support full disk encryption. So instead of encrypting all of the data on your computer, only the really important parts where... via DPAPI. Windows 10 and 11, for I'd imagine export and revenue reasons still does not include Bitlocker full disk encryption in 'home' versions... but I digress. The main purpose of encrypting this data is literally to prevent somebody from stealing your computer, removing the hard disk (with a screwdriver!) and then reading it from another computer. Um, I guess that probably happens? (As an aside; it is entirely possible to crack your windows password 'offline' because windows credentials also have a 'second problem'. Use full disk encryption like Bitlocker if you care about people with screwdrivers!)


But here in the year 2023, you are FAR, FAR, FAR more likely to have some bit of cyber-nasty spying on you while your computer is powered on, fully assembled and you are using it. Basically, if you can read your data (is your email/password filled in correctly? then - yes!), an attacker can read your data. An attacker, if they can get you to execute some code for them, that code is running on your behalf and has full unfettered access to the data protected by DPAPI.


In the over two decades since the release of Windows 2000 the security needs of modern applications have changed radically from just needing to be protected from people with screwdrivers. Applications now rely entirely on being able to store 'secrets' on your computer and keep them secret. There is an easily exploited gap between what DPAPI (or Bitlocker even) can deliver and what the application requires to keep you safe! This is where UpSight Security comes in!


UpSight Protects You


DPAPI is fine and has you mostly covered against people with screw drivers, but what we really want is data to be readable only by the application that stored the data (your browser, Steam, Discord, Exodus etc.). In part, this is how UpSight Security protects your accounts. UpSight knows where your browser, Steam, Discord, Exodus and so on store your important account data, and UpSight knows what applications need access to that data (almost none!), and something like "Redline Stealer" certainly is not on the list.


We at UpSight Security have been following a specific cyber-nasty called 'Redline Stealer' around. Redline searches through your browser files, your Steam and Discord credentials (which are "protected' with DPAPI!) and looks to see if you have any Exodus branded crypto wallets lying about. Many of those items are "protected from people with screwdrivers" by DPAPI, but Redline is not even slowed down by DPAPI. Redline is implemented in Microsoft's .Net language and Microsoft has gone out of their way to make sure that it is easy to use DPAPI from .Net applications. All Redline has to do is roll up and ask for the data to be given to it 'decrypted'... and then it sends it off to the remote attacker who will convert your data into their profit.


Call to Action!

  • Install UpSight Security!

  • If you have a professional SKU of Windows - use Bitlocker to protect your computer from people with screwdrivers.

  • Enable secure boot in your bios (or leave it enabled if your system came with it enabled). This prevents somebody from 'dual booting' your system from a USB drive loaded with linux and windows password cracking tools. In this case they really would need to get out a screwdriver!

What about Antivirus?


If you use an Anti-virus, it may detect Redline Stealer for what it is and put a stop to it (about 50% of the AV vendors in Virus Total detected a modified sample of Redline Stealer that we created), however Redline Stealer isn't magic, the fundamental actions its taking could be expressed in any number of ways. UpSight protects you from behaviors that will harm you regardless of the form they manifest, AV protects you from specific programs that will harm you.


References:

Windows Data Protection | Microsoft Learn

54 views0 comments

Recent Posts

See All

Happy New Year! With the new year a refresh to the UpSight Client is now posted! Your UpSight Security client should update automatically to version 1734. Exception rules work! The toggle in the UI

bottom of page