Chester Wisniewski’s Blog
Actionable advice and insights into the latest security threats
Congress looks to ban P2P file-sharing, will companies follow suit?

In the United States Congress yesterday, Representative Edolphus Towns of New York introduced a bill (HR 4098) to ban P2P file-sharing on US government, and government contractor computers. This bill was likely prompted by the reckless loss of sensitive government documents through P2P networks including information about the Joint Strike Fighter and Marine One.
Congressman Towns had sent a letter to the Attorney General and the CEO of Lime Corp at that time requesting information. I applaud Congressman Towns' actions and hope to see quick passage of something that seems so obvious... Computers containing sensitive government data have no need for file-sharing software, which is typically used for sharing music, movies, and pirated software. I don't wish to demonize P2P, as I use it regularly to download Linux distributions and other legitimate content, but the bill has a provision for authorized use where necessary.
What's interesting here is that by governmental standards they seem to be taking quick action to close this gaping hole in our national security. The bigger question is, what are you doing to ensure your sensitive corporate data, and the personally identifiable information of your staff and clients is protected against leakage via file-sharing networks?

In working with companies, I find that most IT departments have a policy against the use of P2P programs in the workplace. Like with many other rules though it is not monitored and there is no enforcement mechanism available to prevent their use. In addition to using the integrated application control technology in Sophos Endpoint Security and Data Protection, administrators should look to how they handle sensitive data and their firewall configurations.
With the risk of client applications sending off sensitive data, users loading more and more portable applications that do not require administrative privileges to install, and the absolutely huge risk presented by websites being compromised (3.6 per second) our firewalls should be blocking all outbound ports from within our walls.
Sending email and browsing the web are the most common applications users need to use on business networks, and that traffic should be filtered at the edge. The network edge is the most common point for both data leakage and bots sending off stolen information to criminals who prey on our users. Appliance-based or gateway DLP solutions often are unable to look for content in the fragmented packets of P2P traffic, so another approach is necessary.
Another concern is why were these sensitive documents not encrypted? At a minimum simple file-based encryption would ensure accidental sharing would not compromise the secrecy of the stolen documents. Can you say the same for your critical data? I often recommend users not only encrypt their hard disks, but also ensure that extra sensitive information like personally identifiable information be file or folder encrypted as well. This way if the file is lost or stolen, at least it is no longer accessible to third parties.
Don't let your company react to the threat of P2P file-sharing and data leakage slower than the US government. Look to the technologies available to you and find a way of giving that P2P policy some teeth.
Creative Commons image of The Pirate Bay logo courtesy of jakobinoc's flickr photostream.
Posted on November 18th, 2009 by Chester Wisniewski, Sophos. Filed under: Data Leakage, Internet, P2P
iPhone worm: There isn't an app for that
Guest blogger Michael Argast, director of global sales engineering at Sophos, wondered why there aren't any security applications for iPhone. Michael has an iPhone that is not jail broken.

The recent worm that is infecting jail broken iPhones is highlighting the risk of playing outside of Apple’s walled garden. Once you pwn your phone, you’re on your own from a security perspective. This is a broader problem than just jail-breaking however; Apple has yet to provide businesses tools that allow them to manage security centrally, which leaves the administrators at many Fortune 100 companies ill prepared to proactively secure or deal with threats as they arise.
As Chet mentioned to me, many with iPhones at work tend to treat the devices like personal property – even jail-breaking them. Sure, all this particular worm did was rickroll the device, but the next may well steal confidential data – and the company has no way of knowing the device was even vulnerable.
To be ready for enterprises Apple must provide a suite of tools to ensure security policies are adhered to. For example, RIM provides the ability to centrally administer, monitor, update, delete, encrypt, and configure security settings through their BlackBerry Enterprise Server software.

Mobile security is still an evolving space. Android, with a more open development platform, may allow for more traditional security offerings (although balancing security and performance on these devices will be an interesting challenge) and the ability to run multiple applications at once will allow for more real time protection against new threats. Apple, inside the walled garden is relatively secure from malware - although there have been apps which have made it through the app screening process only to steal confidential data.
This is a rapidly evolving space, and it is critical that phone vendors work with the security community to prevent these ubiquitous devices from becoming gaping holes.
Creative Commons iPhone image courtesy of Nuels van Eck's flickr photostream.
Creative Commons unhappy Mac image courtesy of Ethan Hein's flickr photostream.
Update: It has been brought to our attention that Apple does in fact provide tools for managing iPhone usage in the enterprise. We will post a follow up article detailing the capabilities. For more information please see http://www.apple.com/support/iphone/enterprise.
Posted on November 9th, 2009 by Chester Wisniewski, Sophos. Filed under: Apple, Internet, Malware
Web filtering: How well are you really protected?
Guest blogger Richard Baldry is the product manager for the Sophos Web Appliance here at Sophos Vancouver. Richard is currently raising money to fight colon cancer as part of Movember. If you like Rich's post please consider donating to Rich's efforts.
As a lifelong fan of Scooby Doo cartoons, I know all about secret passages that let people enter and leave a creepy haunted house unobserved. Watching the front door is only going to help if you know there are no other exits – every kid knows that. So why does this simple rule get overlooked in the world of Web Security?
Secure Web Gateway products, like the Sophos Web Appliance, are becoming the de-facto standard to ensure safe web usage within organizations. Unlike earlier-generation URL filters, Secure Web Gateways manage the flow of web requests and the responses from sites, examining content as well as the URL itself in making decisions about whether to allow or block.
But there is a challenge – how do you ensure that all HTTP traffic within your organization gets filtered properly? Looking at every packet on the off-chance that it’s HTTP is hard work and likely to disrupt network performance.
One answer to this is to use a set of router based rules and protocols, like Cisco’s WCCP, to pre-filter web traffic. Most web servers listen on TCP port 80, so these systems create rules that say ‘filter any TCP connection from an internal address to port 80 at any external address’. Job done. Or is it?
Although port 80 is the default, a web server can in fact be hosted on any port. A URL can contain a numerical element specifying the port to connect to – for example http://www.example.com:1234/ tells the browser to connect to port 1234 rather than the normal port 80. This is certainly rare, but it is not so rare that you can just block these connections without fear of losing functionality on some web site or other.

Last week I was talking to a colleague in SophosLabs, who mentioned that he was seeing quite a large number of malicious websites hosting malware on ports other than 80. One of the most prevalent infections in recent weeks, Mal/IFrame-N, uses a non-standard port for all the links to malware download sites it drives victims to.
So if you’re using methods like WCCP to redirect content to a web gateway, the requests triggered by Mal/IFrame-N will bypass the Secure Web Gateway altogether. Because it’s not going to port 80, it will be ignored by the filter on the router and pass straight out to the malicious server.
Further investigation showed that 7 out of every 2000 malicious URLs in the SophosLabs database use non-standard ports, and with 65535 to choose from, there’s no shortage of options for the bad guys to try.
This problem is avoidable, but it requires a different approach. All browsers, and most other web-aware applications, can be configured to connect directly to an HTTP proxy. This will make them send every single request to that proxy, whatever port it is destined for.
At Sophos, we call this ‘Explicit deployment’, and it’s the way we recommend our customers deploy the Sophos Web Appliance. Because all web traffic, whatever the destination port, is going through the proxy, this approach has two significant benefits:
- Policies and security checks can be enforced on all web traffic
- You can impose stricter firewall rules for direct outbound connections without limiting what users can do on the web
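The two points above, and the earlier remark that in an explicit deployment the firewall can block direct outbound connections, can be checked mechanically. The script below is an added example and is not code from the post or from Sophos: it works out which destination port a browser will open for a URL, shows which requests a port-80-only redirection rule never sees (a rule written for port 80 alone also misses HTTPS on 443), and then reads constructed firewall log lines to find internal hosts other than the proxy that are still allowed to talk to the internet directly. The proxy address, the intercepted port set, the hostnames and the log format are all assumptions.

```python
"""Added example, not from the original post: which requests a port-based
interception rule actually sees, and what an explicit-proxy deployment lets
the firewall enforce. Hostnames, IPs and log lines are constructed."""
import re
from urllib.parse import urlsplit

# Ports a WCCP-style router rule redirects to the gateway (assumed policy).
INTERCEPTED_PORTS = {80}

# Constructed sample URLs; hostnames are placeholders.
SAMPLE_URLS = [
    "http://www.example.com/index.html",
    "http://www.example.com:1234/",
    "http://malware-host.example.net:8080/loader.php",
    "https://bank.example.org/login",
]

# Constructed firewall log lines: "<date> <time> <action> TCP <src> -> <dst>".
SAMPLE_FW_LOG = """\
2009-11-05 12:00:01 ALLOW TCP 10.0.0.15:51234 -> 203.0.113.7:8080
2009-11-05 12:00:02 ALLOW TCP 10.0.0.2:40001 -> 198.51.100.9:80
2009-11-05 12:00:03 ALLOW TCP 10.0.0.21:51300 -> 203.0.113.40:443
2009-11-05 12:00:04 ALLOW TCP 10.0.0.2:40002 -> 203.0.113.7:8080
"""

PROXY_IP = "10.0.0.2"  # assumed address of the explicit proxy
FW_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) TCP (?P<src>[\d.]+):\d+ -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def destination_port(url: str) -> int:
    """TCP port the browser will open for this URL (an explicit port wins)."""
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    return 443 if parts.scheme == "https" else 80


def seen_by_port_rule(url: str) -> bool:
    """A router rule that only redirects INTERCEPTED_PORTS sees this request."""
    return destination_port(url) in INTERCEPTED_PORTS


def seen_by_explicit_proxy(url: str) -> bool:
    """With a browser-configured proxy every HTTP(S) request goes to the proxy,
    whatever the destination port."""
    return urlsplit(url).scheme in ("http", "https")


def bypassing_urls(urls):
    """URLs an explicit proxy would filter but a port rule lets straight out."""
    return [u for u in urls if seen_by_explicit_proxy(u) and not seen_by_port_rule(u)]


def direct_outbound_violations(log_text: str, proxy_ip: str = PROXY_IP):
    """In an explicit deployment only the proxy should reach the internet
    directly; return allowed flows from any other internal host, which are
    the candidates for a stricter outbound firewall rule."""
    violations = []
    for line in log_text.splitlines():
        m = FW_LINE.match(line)
        if not m or m.group("action") != "ALLOW":
            continue
        if m.group("src") != proxy_ip:
            violations.append((m.group("src"), m.group("dst"), int(m.group("dport"))))
    return violations


if __name__ == "__main__":
    for u in bypassing_urls(SAMPLE_URLS):
        print("bypasses port rule:", u)
    for src, dst, port in direct_outbound_violations(SAMPLE_FW_LOG):
        print(f"direct outbound from {src} to {dst}:{port}")
```

Run against a real firewall export, the second function is the quick audit of whether the "stricter firewall rules" benefit has actually been collected: every flow it returns is a path around the gateway.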
So next time you’re reviewing your network security, think ‘What would Scooby do?’.
Creative Commons image of bookcase courtesy of Slushpup's flickr photostream.
Posted on November 5th, 2009 by Chester Wisniewski, Sophos. Filed under: Browser, Internet, Malware
Anatomy of a Twitter Attack
I was happily snacking away on my lunch break here in Vancouver when suddenly my TweetDeck Twitter client sounded the alert for incoming direct messages. If you are not a Twitter user, direct messages are private messages between Twitter accounts. You can only send a direct message to someone who is following you on Twitter, no strangers allowed.

I knew the sender, so it was clear this was a new scam in progress...
What was the purpose in luring me to click on this URL? Penis pills? Phishing Attack? Malware? I performed a quick WHOIS lookup to see what I could find out. Of course the purchaser had enabled privacy to shield their identity.
Domain Name:JFK(redacted).INFO
Created On:02-Nov-2009 08:24:44 UTC
Last Updated On:02-Nov-2009 08:47:22 UTC
Expiration Date:02-Nov-2010 08:24:44 UTC

The domain was registered yesterday morning. I visited the URL from a test computer to see what would happen. Hrmph. They either don't like security researchers, or, as usual, they simply don't want Canadians getting rich off their scam.
The site did redirect me to another domain though, which I then looked up.
Domain:ONLYFREE(redacted)ONLINE.com
Record created on: 2008-08-19 16:41:23.0
Database last updated on: 2009-08-31 10:09:56.743
Domain Expires on: 2011-08-19 16:41:23.0
This one was over a year old. This is a common tactic in social media spam: Create new domains with a clean reputation and redirect these to known dirty domains further down the chain. But I still didn't know what they were shilling, so I performed some magic, overcame my Canadian researcher problem, and finally arrived.
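The age check that separates the two domains above is easy to automate. The following is an added example, not code from the post: it parses the creation date out of WHOIS text in the two layouts quoted above ("Created On:" and "Record created on:"), computes the domain age, and walks a redirect chain flagging any hop younger than a threshold. The WHOIS excerpts are constructed placeholders modelled on the post's output, and the 30-day threshold is an assumption.

```python
"""Added example, not from the original post: pull the creation date out of
WHOIS text in the two layouts shown above and flag young domains at the head
of a redirect chain. WHOIS records below are constructed placeholders."""
import re
from datetime import datetime

# (regex for the creation field, strptime format) for the two record layouts
_CREATED_PATTERNS = [
    (re.compile(r"Created On:\s*(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\s*UTC"),
     "%d-%b-%Y %H:%M:%S"),
    (re.compile(r"Record created on:\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"),
     "%Y-%m-%d %H:%M:%S"),
]

# Constructed WHOIS excerpts mirroring the two layouts quoted in the post.
WHOIS_LURE = """Domain Name:LURE-DOMAIN.EXAMPLE
Created On:02-Nov-2009 08:24:44 UTC
Last Updated On:02-Nov-2009 08:47:22 UTC
Expiration Date:02-Nov-2010 08:24:44 UTC
"""
WHOIS_LANDING = """Domain:LANDING-DOMAIN.EXAMPLE
Record created on: 2008-08-19 16:41:23.0
Database last updated on: 2009-08-31 10:09:56.743
Domain Expires on: 2011-08-19 16:41:23.0
"""


def _as_datetime(now) -> datetime:
    """Accept a datetime or an ISO-8601 string for the reference time."""
    return datetime.fromisoformat(now) if isinstance(now, str) else now


def creation_date(whois_text: str):
    """Parse the creation timestamp (naive UTC) or return None if absent."""
    for pattern, fmt in _CREATED_PATTERNS:
        m = pattern.search(whois_text)
        if m:
            return datetime.strptime(m.group(1), fmt)
    return None


def domain_age_days(whois_text: str, now):
    """Whole days between registration and `now`, or None if unparseable."""
    created = creation_date(whois_text)
    if created is None:
        return None
    return (_as_datetime(now) - created).days


def assess_chain(chain, now, young_days: int = 30):
    """chain: list of (domain, whois_text) in redirect order.
    Returns (domain, age_days, is_young) per hop; a young first hop in front
    of an old landing domain is the pattern described in the post."""
    result = []
    for domain, text in chain:
        age = domain_age_days(text, now)
        result.append((domain, age, age is not None and age < young_days))
    return result


if __name__ == "__main__":
    chain = [("lure", WHOIS_LURE), ("landing", WHOIS_LANDING)]
    for domain, age, young in assess_chain(chain, "2009-11-03T12:00:00"):
        print(f"{domain}: {age} days old, young={young}")
```

An unparseable record returns None rather than zero so that a registrar with yet another date layout is reported as unknown, not as freshly registered.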

I dutifully registered after reading the terms and conditions and privacy policy, a must for these types of sites. After a bit of legalese, I determined that my idea of privacy was not quite compatible with theirs.
The terms and conditions state: "By submitting this form, I am ordering GoogleFortune for a 7-day bonus period for $1.97 billed to my credit Card; If you enjoy GoogleFortune, simply do nothing. On the 7th day my credit card will automatically be charged $69.97 and every month, thereafter. . ." Further along it adds some more goodies: "I also agree to the 14 day and 21 day bonus trials to Rebate Millionaire and Network Agenda (redacted) for $19.95 a month and $9.95 a month thereafter". You can also see this text in small print at the top of the billing page.

At least I know my credit card will be safe in transit, as the site is GoDaddy.com certified secure. Now I can sit back and watch as $99.87 a month starts my new career working from home. The site even points out that using Google is FREE.
Many Twitter users fell victim to this scam today, likely the result of a phishing attack against users of the service. Using sites that request your username and password for social media is never a good idea. Make sure anything requesting your Twitter credentials uses Twitter OAuth. This means your username and password are requested by Twitter and passed through to the third party application.
If you are having a hard time creating complex passwords, watch Graham Cluley make a great password from Bedrock.
Posted on November 3rd, 2009 by Chester Wisniewski, Sophos. Filed under: Internet, Phishing, Social Networking, Spam
Windows 7 vulnerable to 8 out of 10 viruses
Now that we in the northern hemisphere have had some time to digest the Windows 7 hype and settle in for the coming winter, we thought we would get some more hard data regarding Windows 7 security.
On October 22nd, we settled in at SophosLabs and loaded a full release copy of Windows 7 on a clean machine. We configured it to follow the system defaults for User Account Control (UAC) and did not load any anti-virus software.
We grabbed the next 10 unique samples that arrived in the SophosLabs feed to see how well the newer, more secure version of Windows and UAC held up. Unfortunately, despite Microsoft's claims, Windows 7 disappointed just like earlier versions of Windows. The good news is that, of the freshest 10 samples that arrived, 2 would not operate correctly under Windows 7.

User Account Control did block one sample; however, its failure to block anything else just reinforces my warning prior to the Windows 7 launch that UAC's default configuration is not effective at protecting a PC from modern malware.
Lesson learned? You still need to run anti-virus on Windows 7. Microsoft, in the Microsoft Security Intelligence Report released yesterday, stated that "The infection rate of Windows Vista SP1 was 61.9 percent less than that of Windows XP SP3."
But let's not get complacent. Microsoft seems to be saying that Vista is the least ugly baby in its family. You can be sure the next report will highlight its even less ugly younger sibling, Windows 7.
Why do I say this? As of October 31st www.netmarketshare.com states that Windows Vista has a 19% market share against Windows XP's 70.5% and Windows 7's 2%. Approximately 1 in 5 Windows users is using either Vista or Windows 7. These users often have newer computers, automatic patching, and firewalls and anti-virus software in place.
With millions of hosts still infected with Conficker, ZBot and Bredo, it is obvious a lot of unprotected machines are still out there, and it is no surprise that most of those are XP.
As the chart above shows, Windows 7 users need not feel left out. They can still participate in the ZBot botnet with a side of fake anti-virus. Windows 7 is no cure for the virus blues, so be sure to bring your protection when you boot up.
Posted on November 3rd, 2009 by Chester Wisniewski, Sophos. Filed under: Malware, Microsoft, Windows 7
Microsoft releases patch for Oct's patch Tuesday

Today Microsoft released an out of band fix for MS09-054 from last month's patch Tuesday. Microsoft says that the fix is not security related, yet users should apply it immediately to prevent difficulties browsing some web sites.
MS09-054 from October's release was rated critical, and Microsoft's description reads "Browse and own through all supported OS's. Easy to achieve reliable exploit. One vuln disclosed publicly." So I would not advise rolling back the previous patch as a resolution. In today's bulletin Microsoft softballs the issue by saying "Also, we’re not currently aware of any attempts to attack the vulnerabilities."
What concerns me about this is it may make people more hesitant to deploy patch Tuesday fixes with urgency. Many of our customers have strict change control policies and are hesitant to run out and deploy fixes on Tuesday afternoon following Microsoft's release. As a security advisor I emphasize how important it is to deploy the fixes quickly, and the impact of not doing so could be far worse than any minor issues that result from patching.
The problem being fixed simply causes some pages to not render properly in Internet Explorer. Microsoft stating that they are not aware of any attacks against MS09-054 is a bit misleading as to the danger of having not rolled out the patch. In their own assessment they state "One vuln disclosed publicly." Administrators should not conclude that their original rating of critical is hyperbole.
Considering we are approaching another patch Tuesday a week from tomorrow, we need to consider our plans for rolling out another batch of updates. Fortunately if you are looking for third party verification of the risk posed by the various vulnerabilities SophosLabs publishes our analysis every month to help you create your patch plan. They also provide a post with a general summary on the SophosLabs blog.
As for KB 976749, it's not too important. If your users have not encountered a problem you can probably wait until next Tuesday to roll it out. Of course Google has an app for that... Yet I doubt this is the solution you are looking for.
Posted on November 2nd, 2009 by Chester Wisniewski, Sophos. Filed under: Browser, Microsoft
Barack's donor data may be safe, but site was not properly secured

On Monday this week I reported on donate.barackobama.com being hacked. While Blue State Digital and the Democratic National Committee may disagree, I stand by the statement. It was clear that something was incorrectly configured, whether the data that was exposed belonged to Obama's team or not.
In his report for the Washington Post, Brian Krebs called the hack a "hoax". The best analysis I can find on what Unu encountered when he stumbled upon Roosevelt University's calendar database was posted at the Praetorian Prefect blog.
So what actually happened? It appears that the secure areas of barackobama.com (those that use HTTPS://) had an open redirector that could be used to proxy all traffic through the Obama website. While the site's data itself may not have been compromised, the site was still not properly secured. As the folks at Praetorian pointed out, there are several ways to exploit this flaw that could affect the security of my.barackobama.com users.
Web browsers protect cookies by allowing only the originating domain to read those cookies later. When you log in to my.barackobama.com, the site sets a cookie to remember who you are as you blog, plan fundraisers, and plan events.
The proxy capability provided by the smartproxy functionality that was left open could allow an attacker to direct you to a link that appears to be part of barackobama.com, yet leads you to their website proxied by the Obama server. Your browser would then allow the third party site to read any cookies set and allow the attacker to impersonate you on the barackobama.com website.

Fortunately, Obama's site did not store logins for the donation area, and it appears only my.barackobama.com was vulnerable to being hijacked. Obama's team and Blue State Digital went to great lengths to downplay this issue, but the fact remains that the insecure practice of allowing unfettered proxy traffic could pose a real risk.
A user of pastebin discovered through a simple Google search that many sites that are hosted by Blue State Digital contain the same unrestricted proxy code. At the time of writing, the code on Blue State Digital's servers appears to be restricted to a limited number of authorized domains.
Spammers have used redirectors like the one found on Blue State's sites to scam users for many years now. It allows them to send out URLs that are arguably legitimate to an innocent surfer and still redirect them to something that is malicious and may steal data from the intermediate website.
People also use unauthenticated proxies to subvert corporate or school proxy systems that block sites based upon their reputation or content. By manipulating the URL, you could surf anything on the web through an HTTPS session that is unlikely to be blocked by any web filtering solutions.
If you host or design your own websites, be sure to restrict any code you use to redirect users to other sites to prevent these type of attacks. The cost to you may be more than your cookies, not to mention the bandwidth consumed by people who may use your site as a free proxy service.
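The restriction recommended above comes down to validating the redirect (or proxy) target before using it. The code below is an added example and not Blue State Digital's code or the smartproxy code discussed in the post: it shows the unrestricted form beside an allow-listed one that accepts only same-site relative paths or absolute URLs whose host is on a fixed list, and it closes the usual parser tricks (scheme-relative `//host`, backslash paths, `user@host` confusion, look-alike subdomains, non-HTTP schemes). The allowed hostnames are placeholders.

```python
"""Added example, not from the original post: a redirect/proxy parameter
validated against an allow-list, next to the unrestricted form. Hostnames
are placeholders."""
from urllib.parse import urlsplit

# Hosts this site is willing to send users on to (assumed configuration).
ALLOWED_HOSTS = {"www.example-campaign.org", "my.example-campaign.org"}
FALLBACK = "/"


def redirect_target_unrestricted(target: str) -> str:
    """The risky pattern: whatever arrives in the URL parameter is used as-is,
    so a link that starts with the trusted site can land anywhere."""
    return target


def redirect_target_allowlisted(target: str, allowed=ALLOWED_HOSTS) -> str:
    """Only same-site relative paths or absolute URLs to allow-listed hosts
    survive; everything else falls back to the site root."""
    # Backslashes are treated as slashes by browsers; CR/LF would split headers.
    if not target or "\\" in target or "\r" in target or "\n" in target:
        return FALLBACK
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: exactly one leading slash (not //host, which is
        # scheme-relative and would leave the site).
        if target.startswith("/") and not target.startswith("//"):
            return target
        return FALLBACK
    if parts.scheme not in ("http", "https"):
        return FALLBACK
    # urlsplit().hostname discards any user@ prefix, so
    # https://trusted@evil/ resolves to "evil" and is rejected.
    host = (parts.hostname or "").lower()
    if host in allowed:
        return target
    return FALLBACK


if __name__ == "__main__":
    for t in ["/donate", "//attacker.example.net/x",
              "https://www.example-campaign.org@attacker.example.net/",
              "https://my.example-campaign.org/events", "javascript:alert(1)"]:
        print(f"{t!r:60} -> {redirect_target_allowlisted(t)!r}")
```

Exact host matching, not a suffix or substring test, is what keeps `www.example-campaign.org.attacker.example.net` out. The same function serves a server-side proxy that fetches a user-supplied URL: if the host is not on the list, do not fetch it.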
To prevent your users from accidentally being redirected to malicious content through a URL that appears to be from a safe and reputable web destination, be sure you have web filtering technology that can look into HTTPS traffic, and perform proper malware filtering that is not just reputation-based. It's never fun to lose your cookies.
(CC)Plate with crumbs image from Michale's flickr photostream.
Screenshot of Google result from www.praetorianprefect.com.
Filed under: Browser, Data Leakage, SQL Injection, Vulnerabilities
Easy as pie: Apple anti-virus is a peach at detecting infected BlackBerries
Guest blogger Tony Ross is our Global Sales Trainer at Sophos Vancouver. Tony had a friend recently discover the virtues of running anti-virus on his Mac and thought he would share his story with us today.
A friend of mine recently connected his BlackBerry to his Macintosh to transfer music for a new ringtone. I must admit, every time I hear that fake bell ring, I see 5 people reach for their BlackBerries, so it's logical to want to be different.
When the BlackBerry prompted him to enable USB storage mode, he dutifully accepted the connection. Immediately Sophos Anti-Virus on his Mac generated an alert "Mal/Ambler-A detected in BLACKBERRY1:RECYCLER:recycld.exe".
Good thing that my friend's computer was a Mac running Sophos Anti-Virus. He has been listening to me for years ramble on about the risk of viruses regardless of the platform. In this case his Mac detected a Windows Autorun virus on his BlackBerry.
His BlackBerry was configured in paranoid mode, which only enables USB storage mode when his password is entered. Many people configure this to be automatic; however, this could make it that much easier to transport a spare copy of Conficker onto the next USB port you use to charge. I recommend disabling USB storage mode from your BlackBerry Enterprise Server if you don't have a business need to transfer files, photos, and music to your BlackBerry devices. Most companies manage their BlackBerries "over the air" anyhow, so this might just be a good time to review your BES policies.

Now, the threat itself. I spoke with Boris Lau in SophosLabs Vancouver and asked him to do a bit of analysis on this Mal/Ambler-A sample. Boris got back to me with some interesting information.
Mal/Ambler-A drops two files upon execution. The first is a Browser Helper Object(BHO) for Internet Explorer called fagw32.dll, which it puts into your system folder. We detected the BHO as W32/Autorun-AON. The helper object seems to be designed to help the bad guys make off with your usernames, passwords, information stored in AutoComplete, and other sensitive data you may have entered into Internet Explorer.
It also steals your credentials from Outlook Express if it's configured, and is capable of bundling up this treasure chest and shipping it off to a website. The second file it drops is inform.dat, also in your system folder. This is used by the worm to spread itself to removable media when the time comes. It is simply an XOR'd copy of itself with the first 2 bytes missing to evade detection. Then to ensure that it propagates, as all good worms do, it will drop an autorun.inf on any removable media inserted into your PC and copy itself onto the removable media as Drive:\Recycled\recycld.exe.
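Two of the behaviours Boris describes can be turned into checks a scanner or incident responder can run. The script below is an added example, not SophosLabs code and not based on the actual Mal/Ambler-A sample: it assumes the dropped data file is a single-byte XOR of the executable with its two leading "MZ" bytes removed (the single-byte key and the "MZ" assumption are mine, since the post gives neither), recovers the key by re-attaching "MZ" and checking that the DOS header's e_lfanew pointer lands on a "PE\0\0" signature, and separately reads which program an autorun.inf would launch. The PE image and autorun.inf content are constructed for the demonstration.

```python
"""Added example, not from the original post: recover a single-byte XOR'd
PE payload whose first two header bytes were dropped, as the post describes
for inform.dat, and read which executable an autorun.inf points at. The
single-byte key and the "MZ" assumption are mine; the sample is constructed."""
import struct

PE_SIG = b"PE\0\0"


def build_fake_pe(size: int = 0x100, pe_offset: int = 0x80) -> bytes:
    """Minimal constructed stand-in for a PE image: 'MZ', e_lfanew at 0x3c,
    and 'PE\\0\\0' at the offset e_lfanew points to."""
    img = bytearray(size)
    img[0:2] = b"MZ"
    img[0x3C:0x40] = struct.pack("<I", pe_offset)
    img[pe_offset:pe_offset + 4] = PE_SIG
    return bytes(img)


def disguise(image: bytes, key: int) -> bytes:
    """Model of the on-disk copy: drop the first 2 bytes, XOR the rest."""
    return bytes(b ^ key for b in image[2:])


def looks_like_pe(candidate: bytes) -> bool:
    """Validate through the DOS header pointer rather than a bare signature
    search, so a random byte pattern is very unlikely to pass."""
    if len(candidate) < 0x40 or candidate[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", candidate, 0x3C)[0]
    return (0x40 <= e_lfanew <= len(candidate) - 4
            and candidate[e_lfanew:e_lfanew + 4] == PE_SIG)


def recover_xor_key(blob: bytes):
    """Try all 256 keys, re-attach the missing 'MZ', and return the key that
    yields a consistent PE header (None if nothing matches)."""
    for key in range(256):
        candidate = b"MZ" + bytes(b ^ key for b in blob)
        if looks_like_pe(candidate):
            return key
    return None


def autorun_executable(autorun_inf: str):
    """Return the path named by open= or shellexecute= in [autorun], if any."""
    section = None
    for raw in autorun_inf.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower() in ("open", "shellexecute"):
                return value
    return None


if __name__ == "__main__":
    sample = disguise(build_fake_pe(), 0x5A)          # constructed, key 0x5A
    print("recovered key:", recover_xor_key(sample))  # 90
    inf = "[autorun]\nopen=Recycled\\recycld.exe\nicon=drive.ico\n"  # constructed
    print("autorun launches:", autorun_executable(inf))
```

Because the check validates the header pointer and not just the four signature bytes, a wrong key cannot accidentally pass: with any other key the e_lfanew field decodes to a value far outside the file. On a removable drive the second function, pointed at the root autorun.inf, tells you which file to submit for analysis.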
BlackBerries, iPhones, USB sticks, digital cameras… All these devices are vulnerable to this type of malware, and if you are not a Windows user you may just be the next Typhoid Mary. We have become casual about plugging in these tools to charge when visiting a friend, in a conference room for a presentation, etc. Simply giving some permission for a quick power top-up is enough to get you infected.
My friend doesn't recall ever having connected his BlackBerry to a Windows machine, yet it had a Windows virus. The scary part is how many computers might have been infected by his BlackBerry before he ran across one with up-to-date anti-virus. We all have to plug in occasionally, so to you, my Mac-owning brothers… Please run anti-virus on your Macs. Even if it's just to help us poor fools who think Windows 7 is cool.
Posted on October 30th, 2009 by Chester Wisniewski, Sophos. Filed under: Apple, Data Leakage, Malware
Barack Obama hacked by SQL injection
This story has been updated with content that supersedes much of the original content. Updates are found at the bottom of the story.

Hackers disclosed this morning that they have been able to compromise BarackObama.com through a SQL injection attack.
The English of the post is quite poor; however, the researcher makes a very valid point. Shouldn't the most powerful, well-protected man in the world have a website that is at least reasonably secure? Storing credentials in plain text is even more embarrassing than being vulnerable to SQL injection. Sometimes passwords must be stored in a reversible manner, but you should make the attacker at least work at it a bit.
More concerning is the screenshot that shows the URL as donate.barackobama.com. What other unencrypted information about donors might be stored in this database? If passwords haven’t been encrypted, it doesn’t take much imagination to figure out that other sensitive data is unencrypted as well.
On the bright side, it does appear that the staffers who log in to this site have somewhat secure passwords. The lengths are not impressive, but most show the recommended mix of letters, numbers, and capitalization and are not based on obvious dictionary words.

I deliver a seminar entitled "Anatomy of an Attack: How Hackers Threaten Your Security," in which I discuss how SQL injection attacks work and demonstrate an actual attack to show how simple it can be for even someone unskilled to perform this type of reconnaissance. Another point that is often difficult to explain is that there is no such thing as “safe surfing.”
As administrators, we are often our most dangerous users. Time and again, when asked, administrators will say their scariest surfer is an executive, the sales guy, or the mail clerk. The bigger danger is having administrative privilege and not realizing how pervasive the threat on the web is. When the NY Times, Google, and BarackObama.com are hosting malware, there are no safe websites despite the false confidence gained by not surfing porn.
What can you do to avoid becoming the next victim of this type of compromise? One piece of advice I give in “Anatomy of an Attack” is to approach inputs on your website from a whitelisting angle, rather than trying to blacklist every possible way you think someone could enter malicious input. There are many ways to encode SQL commands to bypass filtering, so it is best to only accept characters that should be valid input.
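The whitelisting advice above, put into code. This is an added example and not the seminar's demonstration or any site's real code: against an in-memory SQLite table of constructed users it shows the lookup built by string concatenation, which an injected username turns into a dump of every stored credential, beside the version that first checks the username against an allow-list of characters and then binds it as a parameter so it can never be parsed as SQL. Passwords are stored as salted PBKDF2 hashes rather than plaintext, since that is the other failing the post calls out; the allow-list pattern and the sample users are assumptions.

```python
"""Added example, not from the original post: the credential-table lookup
built by string concatenation next to the parameterised and allow-listed
form, run against an in-memory SQLite table with constructed users."""
import hashlib
import hmac
import os
import re
import sqlite3

USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")  # assumed allow-list
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted PBKDF2-SHA256, stored as 'salthex$digesthex' (no plaintext)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed users (names and passwords made up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    for user, pw in [("alice", "Tr0ub4dor&3"), ("bob", "correct horse"), ("carol", "hunter2")]:
        conn.execute("INSERT INTO users VALUES (?, ?)", (user, hash_password(pw)))
    return conn


def is_valid_username(username: str) -> bool:
    """Whitelist: accept only characters that belong in a username."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_vulnerable(conn, username: str):
    """Concatenation: the username becomes part of the SQL text, so a value
    such as ' OR 1=1 -- returns the whole table."""
    query = f"SELECT username, password_hash FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username: str):
    """Allow-list first, then bind the value; the database never parses it."""
    if not is_valid_username(username):
        return []
    return conn.execute(
        "SELECT username, password_hash FROM users WHERE username = ?", (username,)
    ).fetchall()


def login(conn, username: str, password: str) -> bool:
    rows = lookup_safe(conn, username)
    return len(rows) == 1 and verify_password(password, rows[0][1])


if __name__ == "__main__":
    db = make_db()
    injected = "' OR 1=1 --"
    print("vulnerable lookup rows:", len(lookup_vulnerable(db, injected)))  # 3
    print("safe lookup rows:", len(lookup_safe(db, injected)))              # 0
    print("alice login:", login(db, "alice", "Tr0ub4dor&3"))               # True
```

Note that the safe version has two independent layers: even if the allow-list were loosened, the bound parameter alone prevents the input from changing the query's structure. Even a successful dump of the safe table yields salted hashes rather than the plaintext the post's screenshot showed.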
Sensitive data should always be encrypted regardless of where it resides. Many companies are beginning to encrypt laptop hard disks, but this is just the beginning. Desktops and servers are as likely as anything else to contain personally identifiable information and should be treated with the same caution as laptops. Sensitive data must be tracked and secure practices applied whether that data is in a database, on a backup tape, or being transported on a USB key or smart phone.
Our recent introduction of DLP into Sophos Anti-Virus helps administrators discover this data when it is being transferred, and can also help identify endpoints that may contain data that needs protection. The extent to which this data is spread throughout your organization may surprise you.
I invite anyone in the Atlanta or Chicago areas to join me for my next two “Anatomy of an Attack” seminars. The presentation is purely informational, and not focused on our products or a sales pitch. In addition to providing information on all the latest threats, who is behind them, and how to defend yourself, I demonstrate some live malware and how criminals are distributing it through the web, giving insight into how you can better defend your networks.
Update: The Tech Herald is reporting that they have spoken to the Democratic National Committee who deny Obama's site was hacked. This is not surprising, and I believe is also incorrect. The usernames all match up with Obama staffers and campaign staff, which if the screenshot posted by Unu was mocked up would be a lot more work than most scammers would bother with.
Additionally my wife brought to my attention that several of the passwords are in fact based upon the names of the users and are of far poorer quality than I originally had posted. Just another reason to choose a good password... You never know when someone who stores it insecurely will leak it, and potentially make you look quite foolish.
Update 2: Upon doing further research it would appear the users viewed in the screenshot may in fact be related to Roosevelt University. The Tech Herald has updated their post above confirming that information. A source aware of the events has informed me that the barackobama.com site may have been used as a proxy in accessing the Roosevelt University MS Access database. No data collected nor used by barackobama.com or the DNC was compromised. By Googling for some of the names provided in the screenshot it is quite easy to confirm that they are associated with Roosevelt University.
The more interesting part is the statement from Blue State Digital that the database that was compromised is not hosted by them. They stated that they do not use Access databases, and do not host any content associated with barackobama.com. Whether this is an elaborate hoax, or a yet to be found hole that allowed someone to proxy from the Obama site is yet to be determined.
Filed under: Data Leakage, Internet, SQL Injection, Vulnerabilities
Is Windows 7 safe? Sophos is ready, are you?

October 22nd, 2009 is the official public launch of Microsoft Windows 7. Those of us in the software development, hardware, and large enterprise space have had access to it for a few months now. We have been working to put the final polish on our compatibility, look and feel, and quality assurance testing.
We officially support Windows 7 as part of Enterprise Security and Control 9, which was released to the public on October 14th. We also provide a Knowledgebase article with best practices regarding Windows 7 deployments.
In talking with the press there has been a lot of interest as to how secure Windows 7 is, what improvements there are, and what Microsoft might have missed.
One thing I have not mentioned here previously that I think Microsoft missed is the default behavior of hiding extensions in Windows Explorer and file selection dialogs. Microsoft has defended this decision as intentional and designed to simplify the Windows experience. They believe that legacy file extensions are confusing to the average customer.
I'm not sure about your users, but the PC users I know think of things as being a PDF, Doc, etc. They don't pay much attention to things like the icon Windows presents to them. They have been taught not to open files with extensions like .exe, .scr, and .bat that are known to be potentially dangerous.
This leaves the door open for nasty malware to masquerade as .txt files in users' email and dupes them into opening malicious files. In an enterprise environment, I would recommend using GPOs to change this setting to always show extensions.
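To make the masquerading concrete, the following added example (not code from the post) models what a user sees when known extensions are hidden and flags attachment names whose visible part ends in a document extension while the real extension is executable. The simplification that any extension in the two sets counts as a "known type" that Explorer hides, and the attachment names, are assumptions; the dangerous extensions include the three named above.

```python
"""Added example, not from the original post: how a filename displays when
Explorer hides known extensions, and a triage check that flags attachments
whose visible name looks like a document while the real extension is
executable. The 'known extension' sets and attachment names are constructed."""
import os

# Extensions users are taught to avoid (from the post, plus a few common ones).
EXECUTABLE_EXTS = {".exe", ".scr", ".bat", ".com", ".cmd", ".pif", ".vbs", ".js"}
# Extensions that read as harmless documents or pictures to a user.
DOCUMENT_EXTS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".jpg", ".png"}


def displayed_name(filename: str, hide_extensions: bool = True) -> str:
    """Name the user sees: with extensions hidden, only the final extension of
    a known type disappears, so 'notes.txt.exe' is shown as 'notes.txt'."""
    if not hide_extensions:
        return filename
    stem, ext = os.path.splitext(filename)
    if ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS:
        return stem
    return filename


def is_disguised_executable(filename: str) -> bool:
    """True when the real extension is executable but the displayed name ends
    in a document-like extension (the double-extension trick)."""
    _, real_ext = os.path.splitext(filename)
    if real_ext.lower() not in EXECUTABLE_EXTS:
        return False
    _, visible_ext = os.path.splitext(displayed_name(filename))
    return visible_ext.lower() in DOCUMENT_EXTS


def triage_attachments(names):
    """Split attachment names into (flagged, clean)."""
    flagged = [n for n in names if is_disguised_executable(n)]
    clean = [n for n in names if n not in flagged]
    return flagged, clean


if __name__ == "__main__":
    # Constructed attachment names.
    sample = ["invoice.pdf.exe", "report.txt", "notes.TXT.scr", "setup.exe"]
    for name in sample:
        print(f"{name:18} shown as {displayed_name(name):14} "
              f"disguised={is_disguised_executable(name)}")
```

With the GPO change recommended above (extensions always shown), `displayed_name(name, hide_extensions=False)` is what users see and the trick loses its effect; the triage function remains useful at the mail gateway regardless.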
I have posted several articles detailing changes made to security in Windows 7, which you can find listed below:
- Windows 7 security - 5 things you can do to secure XP mode
- Windows 7 security - Myths, by Wired.com
- Windows 7 security - Microsoft DirectAccess
- Windows 7 security - Close, but still room for improvement

Sophos CTO Richard Jacobs started a rather interesting debate with some representatives from Microsoft this August with his guest blog "XP mode - demonstrating security is never Microsoft's first priority". This prompted a response from Microsoft's Roger Halbheer pointing out the continued need for Windows XP compatibility. In reply Richard Jacobs provides more details concerning XP mode's manageability and resource consumption.
James Lyne and Carole Theriault put Windows 7 in the security spotlight in their podcast at the end of August. I also published a more in-depth paper on Windows 7 security issues last month titled "Windows 7 security: A great leap forward or business as usual?"
In summary, I would like to remind users of Windows 7 that, as for users who have chosen OS X, Linux, or even Blackberries, much of the risk on the internet today is not OS-targeted malware. Sure, there have been outbreaks of things like Conficker, Virtumundo, and JSRedir (Gumblar) that exploit flaws in Windows, but many attacks are focused on social engineering.
Many users have already decided to move away from Microsoft based on previous bad experiences. This is leading criminals to take new approaches to compromising your data, identity, and finances.
As Graham pointed out in his video, people readily share their personal details without having been compromised by viruses. Using multiple techniques, scammers were able to steal tens of thousands of Hotmail and other online service passwords through fake websites, malware, and possibly other nefarious techniques.
Microsoft has closed and locked the windows. You must educate your users, Windows 7 or not, because your data, identity, and money are up for grabs.
Posted on October 21st, 2009 by Chester Wisniewski, Sophos. Filed under: Microsoft, Windows 7