Showing posts with label Windows NT. Show all posts

Saturday, September 27, 2014

Public Computer Security Misperceptions Abound

Gmail Google Phishing Message

Generally, I try to avoid giving out unsolicited advice, but sometimes I will do so reflexively, especially for a friend whom I know has encountered some kind of "Windows" security issue.

Well, a friend posted a Gmail message they had received, out of concern, to make their circle of friends aware of it.

It is of the email 'click-bait' variety.  These all work the same way on legacy Windows (x86), from the present 8.1 back to Windows 2000.  The commonality is that all versions share the same core WinNT design, which Microsoft cannot change because doing so would 'break' Enterprise software badly.

No, it's more what I call "shooting fish in a barrel" or "taking candy from a baby".  The email sent to the unwary Windows user is 'socially engineered' to steer them into opening the email and/or attachment, either of which (on Windows) will spawn JavaScript to download and inject DLL code and run it silently, unbeknownst to the user -- until, of course, it's too late: suddenly a rogue fake security warning comes up, or the dreaded CryptoLocker virus has just finished locking the user out of their system (by encrypting the hard drive) and very professionally offers up a screen of credit card payment options, payment of which will unlock said PC.  CryptoLocker is becoming endemic.

So, my weak moment was to offer the poster unsolicited advice about the drive-by threats inherent in the use of Windows.  This advice was coupled with my 'standard' recommendation that the poster consider switching to Linux, which I have used since 2005.

I've been in the IT business for 20 years and, one would think, ought to know something at this point in my life about computer security issues.  Yet, despite my offering this kind of friendly advice, there is always the random respondent who turns up and shows his/her ignorance, with great facility, I might add.  Here are their remarks:


"I hate this kind of "commercial" attitude some people have. I don't like Linux. It may be the safest whatever OS and good for servers. But I don't like it. How can someone possibly even think Linux is safer when it's open source, for God's sake? The only reason Linux is safe is because it's not as popular as Windows yet. Maybe it might become that popular and be used almost everywhere, but as far as I'm concerned almost all companies and 90% of the users worldwide are still on Windows. That is why it's the most vulnerable, because if I was a criminal, who would I attack? A bigger area of effect, obviously.
How little people think nowadays, really. Thank you for your kind offer, but I'm not going to an open source program. Keep your eyes open for "these kind of threats" and alert others.
No operating system that is on the internet is safe. Not even Linux. Linux has one of the biggest issues, if anything, for being open source. If anything, attacking the Linux website one day, for example, and their downloads and all other server connections they have would compromise absolutely every single user, and you do not need to be a computer tech to realize that.
Thank you, but no. Have a wonderful day. :)"

Okay, instead of responding in my friend's post, I chose to respond to her woeful ignorance and put things into perspective here, point by point:

1) "I hate this kind of "commercial" attitude some people have."


Commercial?  This was posted to a 'friend' for her benefit, so it wasn't a commercial; or, if she meant an endeavor to profit, Linux is FREE.  It wasn't motivated by money.

2) "How can someone possibly even think Linux is safer when it's open source, for God's sake?"


Huh?  The user presumably associates the word 'open' with some form of security vulnerability, like 'leaving the door open'?  One of the cornerstones of Linux is its GNU General Public License, under which the entire source code base is shared and may be changed freely.  Because of this, users of Linux enjoy true "Transparency", which means many eyes (more than Microsoft has in employee headcount), around the globe, are looking at and vetting source code to ensure no rogue code insertion occurs.  Unlike Linux, Windows is proprietary: the end-user cannot see its source code, cannot copy it, and thus has NO idea whatsoever what the employees of legacy Windows did or did not do to the code base.  Being proprietary effectively means Microsoft can write the operating system and applications however they wish, and that includes inserting functionality like 'back doors'.

Yep, back doors exist in Windows, both for Microsoft's use and for the partnering governmental agencies which wish to access your PC.  They come and go silently, with impunity.  After you've thought about that for a minute, go find some black electrical tape and place it over your laptop's camera, mmmkay?

This doesn't even speak to the unfixed zero-day exploits, present and hidden because Microsoft's code base is viewable by no one other than their privileged but shrinking staff of programmers, most of whom didn't write the original code and might not have a clue as to how to go about changing it.  Those programmers left 5-10-15 years ago.  So, zero-day exploits are rampant, and the hackers that have discovered them sell their exploits on the black market to people on the other side of the globe who want access to you, usually for money.

Microsoft code doesn't get continually refactored and vetted for safety like Linux does.  It gets written and then forgotten.  Their maintainers will fix what they can, if they can do so without breaking the system, but their resources are limited.

3) "The only reason Linux is safe is because it's not as popular as Windows yet."


Oh right.  The security-by-obscurity argument.  All right, let me explain the central security issue with Windows:

If an exploit (drive-by or email attachment, same difference) on Windows is 'successful' in running, it will make its own system call to perform an 'Administrative' function.  It is at this point that Windows should stop to check what that 'action' is and which (parent) process ID is making the call.  It doesn't.  Nope.  Once the exploit gets a toehold, it proceeds to run administratively with no other cross-check security mechanism.  Got that?  Your PC is officially owned.

With Fedora Linux, you have what is called sandboxing technology.  SELinux, a Linux Security Module (LSM), binds to the kernel at bootstrap and maintains a set of 'hook' APIs inside the kernel.  A hook is called on each granular administrative operation invoked on Linux.  SELinux (the sandbox, or Mandatory Access Control) cross-checks each discrete action against the policy for the calling application, and if the action isn't allowed, it returns a 'deny' to the kernel from the hook.  The rogue code, the exploit, is stopped cold.

It doesn't matter whence it came; the sandbox blocks it from getting a toehold in Fedora Linux.

Windows Legacy users?  To you I say: Go with God.

Fedora Linux: The safest operating system on the Planet.
I stake my reputation on it.  -- Dietrich



Thursday, May 2, 2013

Microsoft Windows 8 Legacy: An Unacceptable Level of Risk

by Dietrich Schmitz

Microsoft Windows still dominates the U.S. business landscape.  No question there.

But on the consumer side of things, it's a different story.

Today, I discuss why it is vital for readers to understand the seriousness of the risk they assume by using Microsoft Windows.  In particular, I am referring to the 'Legacy' (x86) Windows 8 version and its predecessors. (Image credit: valuendo dot com)

If you are using Windows, please pay close attention as I show how you default to exposing yourself to a high level of risk, without even knowing it.

Legacy Windows NT Kernel


All of the ballyhoo aside regarding the newest Windows 8 Modern UI, under the hood, Windows 8 still retains a WinNT kernel designed and written for Windows 2000.  That's right.  Substantially, it inherits all the backward-compatibility features necessary to serve Enterprise and small business application needs.  And along with that inheritance comes a raft of security issues which continue to plague the operating system going forward.

Security Measures

Microsoft has seen fit to bolster their own application suite, Office, with their version of a protected-mode sandbox.  I say 'their version' because it is mostly circumventable.  They also have 'feathered their own nest' by bolstering Internet Explorer, the default browser on Windows, with its own protected-mode sandbox.  This relies upon the same underlying technology to defeat security exploits.

The point to note here is that Microsoft has seen fit to provide security for their own suite of applications, but essentially leave third-party developers 'high and dry' to figure out how to secure their software solutions.

This is a big issue to my mind.  It should be the responsibility of the underlying operating system to provide default security measures, e.g., sandboxing to all third-party software.

Unlike Windows, Linux provides these security measures so that software vendors can focus on developing quality software.  Yet, to write for Windows, they necessarily need to become security experts.  That is just wrong.

It essentially places Microsoft's 'competition' at a distinct disadvantage as they need to allocate extra resources and 'know-how' to implement security sandboxing.  Google's Chrome for Windows does offer its own sandbox.

Despite their best efforts, Google's engineers have documented and identified limitations on what their sandbox can do to protect you on Windows.  It is an admission of the underlying deficits in Windows' security design.  Regardless of what they do, their sandbox will still permit security exploits to escalate and gain Administrative rights to a Windows system.

When a security exploit succeeds in gaining Admin rights, it can effectively do anything it wants to a system.  The system is essentially 'owned' by the exploit, which can embed itself in such a way as to 'hide' and fly 'below the radar' of anti-virus software, going fully undetected as it executes its nefarious activities on your system.

Here is a formal statement from Google's own engineers on the topic of security and their sandbox limitations on Windows:


Other caveats
The operating system might have bugs. Of interest are bugs in the Windows API that allow the bypass of the regular security checks. If such a bug exists, malware will be able to bypass the sandbox restrictions and broker policy and possibly compromise the computer. Under Windows, there is no practical way to prevent code in the sandbox from calling a system service.
In addition, third party software, particularly anti-malware solutions, can create new attack vectors. The most troublesome are applications that inject dlls in order to enable some (usually unwanted) capability. These dlls will also get injected in the sandbox process. In the best case they will malfunction, and in the worst case can create backdoors to other processes or to the file system itself, enabling specially crafted malware to escape the sandbox.

I've highlighted in red the text which you should be concerned about--very concerned.

Security Ramifications


What does this mean?

Well, from the standpoint of what an operating system should do: once the exploit 'succeeds' in escalating to Administrative privileges, there are no other 'cross-checks' on Windows to policy-check the system calls made by the exploit.  It now has unfettered access and can do what it will with your system.

Unlike Windows, Linux gives you, for example in the case of Fedora Linux, SELinux, which if enabled will apply a policy to the application in question to effectively 'police' all of its activities, including at the kernel (system call) level.  This is the needed cross-check which Windows x86 Legacy sorely lacks; that lack is the ongoing source of attacks and will continue to provide a 'shooting fish in a barrel' environment.

In the absence of a solution, world-wide criminal activity that exploits Windows Legacy continues to grow unabated.

It is a most serious situation for both businesses and consumers.  Often the user visiting a compromised website won't even know their system has been compromised by a drive-by, as it silently burrows into their system.

Lack of a Repository System

Windows Legacy applications are not protected by a repository system.  The purpose of the Linux repository is to house all vetted software applications and binary drivers, and to provide a GnuPG-keyring-secured 'fingerprint' of their authenticity to assure that they have not been tampered with.

One of the many long-standing issues with Microsoft Windows has been the lack of a repository-based system, which opens up the possibility for users to venture 'into the wild' of the Internet to find various software.  When a user accepts and downloads one of these applications from the Internet, they are making an implicit decision to 'trust' that application.

When a user downloads, for example, a game which happens to be laden with an exploit that will spawn when the application starts, unbeknownst to the user, that is referred to as a Trojan Horse application.  It runs under various pretexts, including offering a game, a utility of some kind, or even rogue security software pretending to protect your system.  They all include a 'payload' which deploys on your system.

The point of a repository, and one of the key benefits of open source, is that 'many eyes' vet and review software for approval to be included in the repository, deemed safe to use and devoid of any malware or virus code.  This has been one of the cornerstones of using Linux open source software.

Pwn2Own/Pwnium 2013

This year's CanSecWest Pwn2Own challenge drew more 'shooting fish in a barrel' so-called security experts to yet another annual challenge to attempt to compromise a Windows Legacy based system running various browsers.  The results are here.  Suffice it to say, it wasn't difficult for the challengers to exploit Windows; even Chrome, with its sandboxing technology, was fully compromised.

Pwnium 2013 was held in a separate hall of the same CanSecWest convention, sponsored by Google and using a stock-configured Chromebook.  The goal was to have security experts attempt to exploit the Chromebook system running ChromeOS, a Linux kernel based operating system written by Google for the Chromebook.

In stark contrast to Pwn2Own, there was no successful attempt to fully compromise the operating system.

This is quite emblematic of just how safe Linux truly is while Microsoft Windows security continues to leak like a colander.

Today, if you are using a Linux Distro with a kernel equal to or newer than version 3.5, you can run Google's Chrome browser and be assured that it will run in its own sandbox provided by the underlying operating system, Linux.  Chrome in this context uses not SELinux, but seccomp-bpf to provide the sandbox to your browser session.

Rest assured your Internet activities will be safe with seccomp-bpf, and if you want to confirm that it is running, type this URL into your Chrome address bar:

chrome://sandbox


You should see this information:



Free Software Foundation Campaign

The Free Software Foundation has taken recently to running a rather aggressive campaign.
Go to the website and judge for yourself.  I hope the information helps you to make an informed decision that includes switching away from Windows to Linux.

FSF's Upgrade from Windows 8 Campaign


Conclusion

I hope at this point that you have gotten a better sense for the level of concern I have for using Windows 8 Legacy.  The risk is simply unacceptable on so many levels.

Please give Linux a try today and discover a whole new world of truly secure, sharing and openness.

This is what humans do best.  So, do the right thing.

-- Dietrich
