Windows 8 security unshaken by antivirus vendor’s claims

Bitdefender raises worry over trusting included antivirus software, but one analyst said Windows 8’s core security picks up the slack

November 12, 2012 — CSO — Small businesses and consumers should remain confident of the significant improvements in Windows 8 security, despite the weaknesses alleged by antivirus vendors pushing new products, experts say.

Bitdefender was the latest antivirus company to release a study questioning some of the security capabilities of the new version of Microsoft’s operating system. The study, which coincided with the release of Bitdefender’s antivirus product for Windows 8, found that 15% of the most common malware bypassed Windows Defender, the software Microsoft includes with the OS.

“The conclusion is clear: Using your PC without a security solution is extremely risky,” Bitdefender chief security strategist Catalin Cosoi said in a statement.

In terms of actual numbers, Bitdefender found that Windows Defender missed 61 of the 385 malware samples used against Windows 8. However, without knowing how the system was configured for the test, it is impossible to know whether the OS would have performed any better with a third-party antivirus product.

“I would look for a more independent outfit to do such tests rather than an antivirus vendor,” Forrester Research analyst Chenxi Wang said by email on Friday.

While antivirus vendor marketing is designed to cast doubt on the security of Windows 8, the fact is that the new OS contains a number of technologies invisible to users that make it much more difficult for hackers to exploit Windows vulnerabilities.

“One of the biggest areas that Windows 8 really pushes on is implementing what is known as exploit mitigation technologies,” said Dan Rosenberg, a consultant at Virtual Security Research. “They’re technical solutions that are designed to render classes of vulnerabilities, especially memory corruption vulnerabilities, either difficult or impossible to exploit.”

Corruption of a computer’s system memory typically occurs because of programming errors. Such an error can be exploited by hackers to gain remote access to a system. Other features include Secure Boot, which makes it difficult for a class of stealthy malware called rootkits to avoid detection.

Windows Defender as a standalone antivirus product does not have all the features of third-party software, which generally protects against more threats than just viruses, such as identity theft and links in social networks that point to malicious websites. Third-party products also offer parental-control and anti-phishing features.

“What Microsoft has done is create a minimum bar that all paid vendors need to exceed,” IDC analyst Charles Kolodgy said by email.

Windows 8’s more powerful security features take over where antivirus products end, Rosenberg said. “Antivirus has historically performed very poorly in detecting sophisticated, targeted attacks, such as exploits targeting previously unknown vulnerabilities.”

Where antivirus products are most helpful is in warning users when they ignore obvious danger signs, such as an unknown sender in an email, and try to open a malware-carrying attachment or click on a malicious link.

“That’s the niche where antivirus is most effective,” Rosenberg said. “Preventing users from basically hurting themselves.”

Which smartphone is the most secure?

Not all mobile phone operating systems are created equal. As Spencer McIntyre of SecureState explains, there are unique differences and threats specific to each smartphone and, in the end, security is largely up to the user.

These days, it is almost impossible to meet someone who doesn’t own a cell phone. More specifically, whether it is the trendy iPhone, the corporate-favored BlackBerry or the modern Windows Mobile, almost everyone has joined the smartphone frenzy, and with good reason: a smartphone offers more advanced computing ability and connectivity than a conventional phone.

Just as with a handheld computer, most of the population relies on their phone’s operating system to multitask the demands of work, personal life and finances. However, many smartphone users forget about the risks of malware on these crucial devices. In fact, a study from Rutgers University disclosed that malicious software for cell phones could pose a greater risk to consumers’ personal and financial well-being than computer viruses.

Clearly, there is a need for greater protection of cell phone software and greater awareness among owners of cell phone vulnerabilities, especially when it comes to which operating system you are using. There are unique differences and threats specific to each smartphone. Here are some key points that consumers should consider to protect their mobile operating systems.

iPhone
There is a lot to be found regarding this popular device; half of our research findings concerned the iPhone. Malware for this device took a different approach with the release of iOS 4. The multitasking that users rely on easily goes unnoticed, so the presence of malware is easier to miss and less intrusive. Malware is more commonly found on iPhones that have been jailbroken.

“Jailbreaking” means freeing a phone from the limitations imposed by the wireless provider and, in this case, Apple. Users install a software application on their computer and then transfer it to their iPhone, where it “breaks open” the iPhone’s file system, allowing them to modify it; however, this also opens the device up to malware. By jailbreaking a phone, users are possibly allowing malicious applications onto their device, with access to their personal information, including their bank account. These applications are not subject to the restrictions Apple imposes and are therefore easier to obtain from a rogue source and use to infect the phone.

Additionally, if the default password on a jailbroken iPhone is not changed, the SSH service makes it easy for malicious attackers to create worms that infect the user’s device. An example of how important this threat is was highlighted by Ike, a worm created to raise security awareness about using these jailbroken devices. It illustrates how, once the core app has run its course, the vulnerability can be used to gain complete control of the system.

Apple is slow to pinpoint vulnerabilities, including the SMS (texting) exploit released in the summer of 2010 by Charlie Miller. This also revealed that Apple is so slow to release fixes that third-party organizations were able to produce a security patch before Apple did.

Windows Mobile
When it comes to threats, Windows Mobile takes the cake for attracting malware via SMS. Specifically, the amount of SMS malware found on Windows Mobile devices is much higher than on other platforms. An interesting facet of the Windows Mobile OS is that many of its system calls are shared with its full-featured desktop counterparts. This detail has contributed to many pieces of malware that originated on the desktop Windows OS being ported to Windows Mobile. A noteworthy example is the Zeus botnet, which in recent years has begun to appear on mobile versions of Windows.

BlackBerry
A popular alternative to the previous two mobile operating systems, the BlackBerry is also quite different from the typical smartphone. The BlackBerry uses what is arguably the most closed-source of the operating systems discussed herein. Research In Motion, the developers of BlackBerry, have done an excellent job of keeping the sensitive inner workings of this smartphone a secret from the public. This is a contributing factor to the relatively small number of reliable exploits for the BlackBerry smartphone.

BlackBerry also suffers from the multitasking concerns that make it easier for malware to run unnoticed. An interesting proof of concept developed for the BlackBerry is the BBProxy application that was presented at DEFCON.

Symbian
There is not a lot of information regarding malware for this operating system, although it is the oldest of the smartphone platforms and one of the most popular outside America. Some malware families are present on Windows Mobile, BlackBerry and Symbian but not on Android or iPhone. Along with the Windows Mobile family of phones, Zeus has been ported to Symbian as well. The mobile version of Zeus is being used to intercept text messages sent as the second factor of authentication in many services.

Android
The Android operating system is the only open-source operating system discussed herein. Android is unique in that it is community driven. The Android operating system is not owned by an individual organization, so it is developed in the best interest of the users. However, applications in the marketplace are not monitored for vulnerabilities, so anyone can submit applications containing malicious functions, which are less likely to be caught. Essentially, it is up to the users to determine whether the source from which they are getting an app is safe and reputable.

Amazon now has a third-party marketplace, which imposes additional policies and restrictions on the applications it distributes.

Android is based on the Linux operating system. The availability of Linux malware on Android is unlike the other platforms: there is not much evidence of ported malware. This is not because there is no known Linux malware out there, but because it doesn’t receive much attention.

In Conclusion
All operating systems have distinct strengths and weaknesses; however, many of the risks are the same and essentially come down to the user and the configuration of the password. Users need to remember not to install apps from unnecessary sources, especially unknown ones. While users can’t know them all, they need to ensure that apps come from a reputable source. If not, that is where malware commonly comes from, with backdoored apps masquerading as secure applications. Also, jailbroken phones are at a huge risk if the user keeps the default password, and at an even higher risk if apps are not obtained from the Apple marketplace. Instances of malware exist on all of these phones and are even more relevant on ones using untrusted app sources. Consumers can keep this research in mind when using their smartphone to best protect their valuable information.

Spencer McIntyre is a security consultant at SecureState where he focuses on penetration testing and tool development.

BYOD Security Threats

Many companies today face serious threats due to the increase in smartphone usage by their employees. However, it is not just smartphone usage that creates the problem for employers. The BYOD trend has greatly increased serious security threats for employers, as hackers have found creative ways to penetrate wireless devices.

In a study conducted by Deloitte, respondents reported that the human element is among the biggest sources of information security risk (Deloitte, p. 10). Respondents also identified the human element as the most difficult to control, due to their employees’ lack of awareness (Deloitte, p. 3). Although advances in technology have transformed our lives by offering a higher level of convenience, these same advancements have opened several doors for technologically advanced criminals. Even so, for some people the benefits of the new technologies outweigh the threats they create (Deloitte, p. 10).

It is essential for companies using these new technologies that their employees receive proper training, or that they are sufficiently made aware of the risks that such new technologies introduce in today’s world (Deloitte, p. 10). Obviously, a company is not going to do without these new technologies, or it will face other threats associated with competing in a cut-throat business environment. Therefore, companies must come up with a solution to control the threats in order to utilize technology that will yield either a competitive advantage or, at the very least, competitive parity.

Since 70% of the TMT organizations that participated in the above-mentioned study rate their employees’ lack of security awareness as an average or high vulnerability, it only makes sense for companies to start with their employees (Deloitte, p. 10). Measures should be taken to ensure that employees do not talk about certain aspects of work, respond to phishing emails, let unauthorized individuals into the organization, or sell intellectual property to other companies (Deloitte, p. 10).

Mobile devices such as smartphones are very convenient for today’s business environment and allow employees to work from virtually anywhere. However, these same wireless devices also store sensitive company data. Examples include email, documents, contacts, and the company’s agendas (Deloitte, p. 10). Many employees also tend to use these same devices to access social sites such as Facebook and Twitter. This is where employees can cause several problems for the company by exposing sensitive company data. Using the same device to access social media and manage company affairs is what makes mobile devices the perfect candidate for a security breach by hackers (Deloitte, p. 10). These mobile devices serve as another entry point for computer criminals to attack. Another issue with mobile devices is that “they are easily lost or stolen” (Deloitte, p. 10). A stolen device exposes all of the company data on it, which can include industry secrets or customer information that is meant to be protected.

The threat can be even worse when employers allow their employees to bring their own devices to work. According to the study, mobile devices are the second-largest threat for TMT organizations (Deloitte, p. 10). About 52% of organizations have policies that restrict the use of personal devices at the workplace, and 10% of the surveyed organizations do not address the issue at all, making it very risky for those organizations (Deloitte, p. 10).

The problem was so big in 2012 because of the hundreds of millions of people using social media sites such as Facebook (Sophos, p. 3). “Attackers have built creative new social engineering attacks based on key user concerns such as widespread skepticism about Facebook’s new Timeline interface, or users’ natural worries about newly posted pictures of themselves” (Sophos, p. 3). These attackers did not limit themselves to Facebook. They are now using Twitter, Pinterest, and other social platforms (Sophos, p. 3).

In order to control some of these problems that can be initiated by an organization’s employees, employers must put strict restrictions in place. It is also important to raise employee awareness through training. Employees should be trained to understand potential security issues and risks (Deloitte, p. 11).

IT and security professionals should also be trained on how to handle any threats that might come along (Deloitte, p. 11). According to Deloitte, “the most common certifications for security professionals are CISSP (47%), CISA (36%), and CISM (37%)” (Deloitte, p. 11). With all these security threats surfacing, it seems that companies would make it a priority to protect themselves as much as possible by investing in awareness and strict policies. However, only 8% of large organizations seem to be making this a priority (Deloitte, p. 11).

Employees can cause serious damage with one of these technologies. An employee can cause not only monetary damage, but also damage that lets another company gain a competitive advantage if company secrets are leaked to a competitor. Another thing to consider is customer data. If an employee using a company device causes a security breach, the company’s data is exposed. If that data includes customer information, this can lead to customers’ credit or identities being stolen. It could also go in a different direction and give a competitor access to the organization’s contacts.

The possibilities are endless. One example of the damage that an employee can cause occurred in South Carolina. The Department of Revenue had a major security breach resulting in 3.6 million social security numbers being accessed by hackers (TraceSecurity, 2013). This is one of the largest data breaches we have experienced in the United States, and the results are devastating to American taxpayers, who are now forced to cover this debt.

Situations like this illustrate exactly why employee awareness is an essential key to an organization’s defense against computer criminals. Technology is evolving, and we must evolve with it in order to survive. Mistakes like this one could wipe out a whole company. In this case, we are discussing a government organization, and therefore the cost gets passed on to the taxpayer. In other organizations, the organization itself will have to cover the costs. It is better to invest a little money in ways to protect the organization now than to be out on a limb later and have no organization left to invest in.

Works Cited

Deloitte. Blurring the Lines. TMT Global Security Study, 2013.

Sophos. New Platforms and Changing Threats. Security Threat Report, 2013.

Adams, T. Social Engineering Attack: Breach in South Carolina, Part 1. TraceSecurity.com, 2013. http://blog.tracesecurity.com/2013/02/06/social-engineering-attack-breach-in-south-carolina/