Windows 8 security unshaken by antivirus vendor’s claims

Bitdefender raises worry over trusting included antivirus software, but one analyst said Windows 8’s core security picks up the slack

November 12, 2012 — CSO — Small businesses and consumers should remain confident of the significant improvements in Windows 8 security, despite the weaknesses alleged by antivirus vendors pushing new products, experts say.

Bitdefender was the latest antivirus company to release a study questioning some of the security capabilities of the new version of Microsoft’s operating system. The study, which coincided with the release of Bitdefender’s antivirus product for Windows 8, found that 15% of the most common malware bypassed Windows Defender, the software Microsoft includes with the OS.

“The conclusion is clear: Using your PC without a security solution is extremely risky,” Bitdefender chief security strategist Catalin Cosoi said in a statement.

In terms of actual numbers, Bitdefender found that Windows Defender missed 61 of the 385 malware samples run against Windows 8. However, without knowing how the system was configured for the test, it is impossible to know whether the OS would have fared any better with a third-party antivirus product installed.

“I would look for a more independent outfit to do such tests rather than an antivirus vendor,” Forrester Research analyst Chenxi Wang said by email on Friday.

While antivirus vendor marketing is designed to cast doubt on Windows 8's security, the fact is that the new OS contains a number of technologies, invisible to users, that make it much more difficult for attackers to exploit Windows vulnerabilities.

[See related: Windows 8 gets first critical Patch Tuesday security bulletins]

“One of the biggest areas that Windows 8 really pushes on is implementing what is known as exploit mitigation technologies,” said Dan Rosenberg, a consultant at Virtual Security Research. “They’re technical solutions that are designed to render classes of vulnerabilities, especially memory corruption vulnerabilities, either difficult or impossible to exploit.”

Memory corruption typically stems from programming errors such as unchecked buffer lengths, and an attacker who can trigger it may be able to run code of their choosing on the system, including remotely. Windows 8 also introduces Secure Boot, which requires boot-time components to carry a trusted signature and so blocks bootkits, the class of stealthy rootkit that loads before the operating system in order to evade detection.
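The following is an added illustration, not code from the article, from Microsoft or from the vendors quoted, of the bug class Rosenberg refers to and of one of the mitigations he is describing: a fixed-size buffer filled by an unbounded copy, next to the bounded copy that removes the bug, and a model of the stack cookie check (/GS on the Microsoft compiler, -fstack-protector on GCC and Clang) that detects the overflow before the function returns. The frame layout, the fixed cookie value and the inputs are constructed for the demo; a real cookie is random per process and is placed by the compiler between the local buffers and the saved return address.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration; not code from the article, from Microsoft or from the
 * vendors quoted. It models how a stack cookie turns a silent buffer overflow
 * into a detected one. Layout and cookie value are constructed for the demo. */

#define BUF_LEN 16
#define COOKIE  0xDEADBEEFu   /* a real cookie is random per process */

/* Model of a stack frame: a fixed buffer followed by the cookie that the
 * compiler places between locals and the saved return address. */
struct frame {
    char     buf[BUF_LEN];
    uint32_t cookie;
};

/* The classic bug: copies len bytes into the frame starting at buf even when
 * len exceeds BUF_LEN. Bytes past buf land on cookie (still inside the
 * struct, so the demo itself stays well defined). */
static void copy_unbounded(struct frame *f, const char *src, size_t len) {
    memcpy((unsigned char *)f, src, len);
}

/* The code-level fix: refuse input that does not fit, then copy with a bound
 * and NUL-terminate. Returns 0 on success, -1 if the input was rejected. */
int copy_bounded(struct frame *f, const char *src, size_t len) {
    if (len >= BUF_LEN) return -1;
    memcpy(f->buf, src, len);
    f->buf[len] = '\0';
    return 0;
}

/* The check a /GS epilogue performs before returning: 1 if the cookie is
 * intact, 0 if it was clobbered (a real process is terminated at this point
 * instead of returning into attacker-controlled data). */
int cookie_intact(const struct frame *f) {
    return f->cookie == COOKIE;
}

/* Push one input through the vulnerable path and report whether the cookie
 * check would have caught it. Returns 1 = overflow detected, 0 = clean. */
int overflow_detected(const char *input, size_t len) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.cookie = COOKIE;
    if (len > sizeof f) len = sizeof f;   /* keep the demo inside the struct */
    copy_unbounded(&f, input, len);
    return !cookie_intact(&f);
}

/* Same input through the fixed path; returns copy_bounded's result. */
int bounded_copy_result(const char *input, size_t len) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.cookie = COOKIE;
    return copy_bounded(&f, input, len);
}

int main(void) {
    const char *ok  = "alice";                      /* 5 bytes: fits */
    const char *bad = "AAAAAAAAAAAAAAAAAAAAAAAA";   /* 24 bytes: overflows */
    printf("short input: overflow detected = %d\n", overflow_detected(ok, strlen(ok)));
    printf("long input:  overflow detected = %d\n", overflow_detected(bad, strlen(bad)));
    printf("bounded copy of long input: rc = %d\n", bounded_copy_result(bad, strlen(bad)));
    return 0;
}
```

Compile with cc -o demo demo.c and run: the long input overwrites the cookie and the check fails, which is what makes the overflow a crash rather than a hijacked return. A cookie only catches contiguous overwrites of the stack, which is why Windows 8 layers DEP, ASLR and heap hardening on top of it rather than relying on any one of them.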

Windows Defender, as a standalone antivirus product, does not have all the features of third-party software, which generally protects against more than just viruses, for example identity theft and links in social networks that point to malicious websites. Third-party products also offer parental controls and anti-phishing features.

“What Microsoft has done is create a minimum bar that all paid vendors need to exceed,” IDC analyst Charles Kolodgy said by email.

Windows 8’s more powerful security features take over where antivirus products end, Rosenberg said. “Antivirus has historically performed very poorly in detecting sophisticated, targeted attacks, such as exploits targeting previously unknown vulnerabilities.”

Where products are most helpful is in warning users when they ignore obvious danger signs, such as an unknown sender in an email, and try to open a malware-carrying attachment or click on a malicious link.

“That’s the niche where antivirus is most effective,” Rosenberg said. “Preventing users from basically hurting themselves.”

Which smartphone is the most secure?

Not all mobile phone operating systems are created equal. As Spencer McIntyre of SecureState explains, there are unique differences and threats specific to each smartphone and, in the end, security is largely up to the user.

These days it is almost impossible to meet someone who doesn't own a cell phone. More specifically, whether it be the trendy iPhone, the corporate-favored BlackBerry or Windows Mobile, almost everyone has joined the smartphone frenzy, and with good reason: a smartphone offers far more computing ability and connectivity than a conventional phone.

Just like a handheld computer, most of the population relies on the operating system to multitask the demands of work, personal life and finances. However, many smartphone users forget about the risk of malware on these crucial devices. In fact, a study from Rutgers University found that malicious software for cell phones could pose a greater risk to consumers' personal and financial well-being than computer viruses.

[Also read about security and privacy apps for smartphones]

Clearly, there is a need for greater protection of cell phone software and greater awareness among owners of cell phone vulnerabilities, especially when it comes to which operating system you are using. There are unique differences and threats specific to each smartphone. Here are some key points that consumers should consider to protect their mobile operating systems.

iPhone
There is a lot to be found regarding this popular device; half of our research findings concerned the iPhone. Malware for the device took a different approach with the release of iOS 4: because legitimate apps now multitask in the background, a malicious process running alongside them goes unnoticed more easily and can be less intrusive. Malware is far more commonly found on iPhones that have been jailbroken.

“Jailbreaking” means freeing a phone from the limitations imposed by the wireless provider and, in this case, Apple. Users install a software application on their computer and then apply it to their iPhone, where it “breaks open” the iPhone's file system and allows it to be modified; however, this also opens the device up to malware. By jailbreaking a phone, users may allow malicious applications onto a device that holds their personal information, including their bank account details. These applications are not subject to Apple's App Store review, so a malicious app from a rogue repository is easier to obtain and can infect the phone.

Additionally, jailbroken iPhones often have an SSH service installed, and if the user does not change the default root password (alpine), it is trivial for an attacker, or a worm, to log in. The importance of this threat was highlighted by Ikee, a worm written to raise awareness of exactly this problem on jailbroken devices. Once the worm has logged in over SSH as root, it has complete control of the device.

Apple is slow to fix vulnerabilities, including the SMS (text message) exploit demonstrated in the summer of 2009 by Charlie Miller and Collin Mulliner. That episode also showed that Apple is so slow to release fixes that third-party organizations were able to produce a security patch before Apple did.

[Check out these 5 questions to ask before creating mobile device security policy]

Windows Mobile
When it comes to threats, Windows Mobile takes the cake for attracting malware via SMS: the amount of SMS malware found on Windows Mobile devices is much higher than on the others. An interesting facet of Windows Mobile is that many of its system calls are shared with its full-featured desktop counterpart, which has made it easy to port malware written for desktop Windows to Windows Mobile. A noteworthy example is the Zeus banking trojan, which in recent years has begun to appear in mobile form on Windows Mobile.

BlackBerry
A popular alternative to the previous two mobile operating systems, the BlackBerry is also quite different from the typical smartphone. It runs arguably the most closed of the operating systems discussed here: Research In Motion, the developer of BlackBerry, has done an excellent job of keeping the sensitive inner workings of the platform secret from the public, which is a contributing factor to the relatively small number of reliable exploits for BlackBerry devices.

BlackBerry also suffers from the multitasking concern that makes it easier for malware to run unnoticed. An interesting proof of concept developed for the BlackBerry is the BBProxy application presented at DEF CON, which turns a compromised handset into a proxy into the corporate network behind the BlackBerry Enterprise Server.

Symbian
There is not a lot of information regarding malware for this operating system, although it is the oldest of the smartphone platforms and one of the most popular outside America. Along with the Windows Mobile family, Zeus has been ported to Symbian as well; so far the mobile Zeus variants have appeared on Windows Mobile, BlackBerry and Symbian but not on Android or iPhone. The mobile version of Zeus is used to intercept the text messages that many services send as a second authentication factor, such as one-time transaction codes.

Android
Android is the only open source operating system discussed here and is unique in being community driven: it is not owned by a single handset vendor, so it is developed with the users' interests in mind. However, applications in the Android Market are not screened for malicious behavior before publication, so anyone can submit an app containing malicious functions and it is less likely to be caught. Essentially, it is up to the user to determine whether the source of an app is safe and reputable.

Amazon now runs a third-party marketplace, the Amazon Appstore, which imposes additional policies and restrictions on the applications it distributes.

Android is built on the Linux kernel. Unlike the Windows Mobile case, there is little evidence of desktop malware being ported to Android; that is not because Linux malware does not exist, but because it receives comparatively little attention.

In Conclusion
All operating systems have distinct strengths and weaknesses; however, much comes down to the user and to configuration, such as changing default passwords. Users need to remember not to install apps from unnecessary sources, especially unknown ones. While users cannot know every source, they need to ensure that an app comes from a reputable one; if not, that is where malware commonly comes from, with backdoored apps masquerading as legitimate ones. Jailbroken phones are at huge risk if the user keeps the default password, and at even higher risk when apps are installed from outside the Apple App Store. Instances of malware exist on all of these phones and are even more relevant on ones using untrusted app sources. Consumers can keep this research in mind when using their smartphones to best protect their valuable information.

Spencer McIntyre is a security consultant at SecureState where he focuses on penetration testing and tool development.

Documents leaked by Edward Snowden indicate that the NSA can read certain BES communications

The U.S. National Security Agency is able to read messages sent via a corporate BlackBerry Enterprise Server (BES), according to a report by German news magazine Der Spiegel. The purpose of this spying is economic or political, and not to counter terrorism, the magazine hints.

The report, published in English on Monday, cites internal documents leaked by former NSA contractor Edward Snowden.

Governments have long demanded that BlackBerry provide access to encrypted messages carried by its email and BlackBerry Messenger (BBM) services, to allow them to monitor for terrorist activity.

BlackBerry has complied in the case of its consumer-grade BlackBerry Internet Service (BIS), notably providing the Indian government with access to consumer messages. Indeed, Der Spiegel cited NSA documents claiming that since 2009, analysts have been able to see and read text messages sent from BlackBerrys, and to collect and process BIS mails.

However, the company has always maintained that it cannot provide access to messages sent through its offering for corporate customers, BES, saying the encryption keys are known only to the company operating the BES.

However, among the documents leaked by Snowden are some that indicate the NSA, and its U.K. counterpart, the Government Communications Headquarters (GCHQ), can access text messages and emails sent between BES users, Der Spiegel said.

The two agencies have been targeting messages sent via BlackBerry’s platform since before May 2009, when they ran into temporary difficulties that U.K. analysts later traced to a change in BlackBerry’s messaging protocol following its acquisition of a smaller company. By March 2010, they were once again able to access the information, Der Spiegel said, citing GCHQ documents marked “UK Secret.”

The leaked documents seen by Der Spiegel contain no indications of large-scale spying on smartphone users, but “If the intelligence service defines a smartphone as a target, it will find a way to gain access to its information,” the magazine reported.

Der Spiegel said that acquiring BES data involves a sustained effort on the part of the NSA's Office of Tailored Access Operations, a specialized hacking team based at Fort Meade, Maryland.

An NSA presentation entitled “Your target is using a BlackBerry? Now what?” seen by the magazine shows what can be achieved. It contained an image of a Mexican government email, the plain text of which appears in a slide under the title “Post Processed BES collection.”

Such cases raise questions for other states. As the magazine noted, the German federal government recently awarded a contract to BlackBerry for secure communications between federal agencies.

Ironically, though, other documents show the NSA is concerned about the effects on national security of BlackBerry’s declining popularity among U.S. government employees. Between August 2009 and May 2012, the “only certified government smartphone” saw its share of the U.S. government smartphone market fall from 77 percent to 50 percent, the documents said.

The Mexican email, and the agency’s concern for the security of government communications, are just some of the indications that the NSA’s focus on BlackBerry may not just be about the war on terrorism.

While BlackBerry devices are common in government and in corporate management, they are only the ninth-most-popular among users of extremist online forums, according to leaked NSA documents seen by Der Spiegel. The most popular phones in such circles are Nokia devices, with Apple iPhones in third place.

Der Spiegel also said that the NSA has in the past been able to obtain data from targets’ Apple iPhones, although the methods detailed are unlikely to scare most users. The allegations concerned only iOS versions 3 and 4, and Der Spiegel said data was obtained principally by hacking a target’s computer and downloading the backup copy of data such as photos and contacts synchronized with the iPhone. At one time this also allowed the NSA to obtain a log of locations visited by the iPhone in the seven days preceding the last data synchronization, but Apple ceased storing this log as of iOS version 4.3.3, Der Spiegel noted.