Windows 8 security improvements

Microsoft Windows was never meant to be an operating system dedicated to tech-savvy users; one proof of this is the lack of process details in the default Task Manager. We can see only the running processes, including services, and our only options are to kill a certain process or to set its CPU priority. How many of you have been able to kill a malicious process, for example a computer trojan, from Task Manager in recent days? I bet nobody. That's because real computer trojans do not appear in the Task Manager under a name like trojan.exe that would allow you to simply kill the process; instead, recent trojans inject themselves into the address space of other processes in order to hide their presence in the system, and you won't find any clue in the Task Manager. Therefore, many people willing to increase their knowledge of and power over the running processes switched from the default Task Manager to more advanced tools like Process Hacker, Security Task Manager or Sysinternals Process Explorer.

A few days ago I tested the Windows 8 Developer Preview, available for download at Microsoft's official website, and I noticed several improvements in the general security of the computer and its user. One of them was the improved Task Manager, which now allows the user to switch to an advanced view showing parent and child processes, startup items and details about processes.

[Screenshot: win8_task_manager_processes]

Another new feature is the possibility to dump processes to files.

[Screenshot: win8_task_manager_details]

Maybe you will ask why a process memory dump file is so useful. When we write the contents of a process's memory space to a file, we create a memory dump file. Scanning a suspicious process's dump file with antivirus software gives much more accurate results, because in memory a supposed malware exists in its unencrypted, deobfuscated form, so the chances of it being recognized by a signature-based scanner are greater. This is why memory is the best place to detect malware.
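To make the point concrete, here is an added example (not code from the original post) of a tiny signature scanner run over a constructed "on-disk" image and over the same image as it would look in a process memory dump after unpacking. The signature strings, the XOR key and the sample image are all invented for this demo.

```python
# Constructed signature set: byte patterns a signature scanner looks for.
# Neither string comes from real malware; both are invented for this demo.
SIGNATURES = {
    "Demo.Trojan.A": b"c2.example.invalid:4444",
    "Demo.Keylogger.B": b"keystroke-log.txt",
}

def scan_bytes(data: bytes, signatures=SIGNATURES) -> dict:
    """Return {signature_name: [offsets]} for every pattern found in data."""
    hits = {}
    for name, pattern in signatures.items():
        offsets, pos = [], data.find(pattern)
        while pos != -1:
            offsets.append(pos)
            pos = data.find(pattern, pos + 1)
        if offsets:
            hits[name] = offsets
    return hits

def scan_dump_file(path: str) -> dict:
    """Scan a dump written by Task Manager (a .DMP file) as raw bytes."""
    with open(path, "rb") as f:
        return scan_bytes(f.read())

# Constructed "on-disk" image: the strings a scanner needs are stored
# XOR-obfuscated, as many packers do, so they are invisible on disk.
_KEY = 0x5A
_PLAIN_SECTION = b"...connect c2.example.invalid:4444 ... keystroke-log.txt..."
ON_DISK_IMAGE = b"MZ" + bytes(b ^ _KEY for b in _PLAIN_SECTION)

def in_memory_image(disk_image: bytes) -> bytes:
    """What the running process looks like once it has unpacked itself,
    i.e. what a process memory dump captures (the 2-byte header is kept)."""
    return disk_image[:2] + bytes(b ^ _KEY for b in disk_image[2:])

if __name__ == "__main__":
    print("disk scan:  ", scan_bytes(ON_DISK_IMAGE))                   # {}
    print("memory scan:", scan_bytes(in_memory_image(ON_DISK_IMAGE)))  # both hit
```

The on-disk scan finds nothing, while the same scanner over the unpacked memory image reports both signatures with their offsets.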

However, the Windows 8 security improvements involve much more than an advanced Task Manager, for example the way it handles online credentials. Everybody knows that remembering all the details of our online accounts is a pain, especially when it comes to passwords, and this is the reason why a lot of Internet users use the same password for multiple websites even though it is totally not recommended. I know somebody who uses the same password for his Facebook account, for his online banking account and for his email accounts as well; this is crazy, but he argued that this way he has no headaches because he only needs to remember a single password. Even though security researchers advise using strong passwords of reasonable length with special characters to repel guessing attacks, people very often ignore them, because a strong password is difficult to remember and carrying a piece of paper with your passwords everywhere is not an elegant solution.

It is true that browsers offer this option as well, saving the credentials (usernames and passwords) for websites, but this time Windows 8 does it itself with Credential Manager, accessible via Control Panel > User Accounts and Family Safety > Credential Manager, where full support for certificate-based credentials is also provided.

[Screenshot: Windows 8 Credential Manager]

Using Credential Manager has several huge benefits; for example, we are protected from phishing attacks. A phishing attack occurs when somebody is led to a malicious website which is a clone of a legitimate website and convinced to enter their credentials there. This way the stolen credentials are sent to the attackers. The similarity goes further: even the URL of the malicious website is very similar to the legitimate one, for example mybank.com and mybamk.com, making it difficult for some users to distinguish between them. But who knows the real URL of the open web page better than Internet Explorer? The credential fields will not be filled by Credential Manager unless the open web page is the legitimate one.
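The protective mechanism described above is that stored credentials are bound to the exact origin they were saved for, not to anything that merely looks similar. The following added example (my own illustration, not Windows code) models such a store: it keys entries by scheme, host and port, and refuses to fill in anything for a look-alike host, a subdomain trick, a user-info trick or a downgrade to plain HTTP. The mybank.com / mybamk.com pair is taken from the text; the other URLs are constructed.

```python
from urllib.parse import urlsplit

class CredentialStore:
    """Stores credentials keyed by the exact origin (scheme, host, port)
    they were saved for and releases them only for that same origin."""

    def __init__(self):
        self._entries = {}

    @staticmethod
    def origin(url: str) -> tuple:
        """Normalise a URL to its origin; raise on anything unsupported."""
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError("unsupported URL: %r" % url)
        # hostname already strips user-info ("user@") and is lower-cased
        host = parts.hostname.rstrip(".")
        port = parts.port or (443 if parts.scheme == "https" else 80)
        return (parts.scheme, host, port)

    def save(self, url: str, username: str, password: str) -> None:
        self._entries[self.origin(url)] = (username, password)

    def autofill(self, url: str):
        """Return (username, password) for an exact origin match, else None.
        There is deliberately no 'close enough' matching."""
        return self._entries.get(self.origin(url))

if __name__ == "__main__":
    store = CredentialStore()
    store.save("https://mybank.com/login", "alice", "s3cret")
    for url in ("https://mybank.com/account",            # same origin: filled
                "https://mybamk.com/login",              # look-alike host
                "https://mybank.com.evil.invalid/login", # real name as subdomain
                "https://mybank.com@mybamk.com/login",   # user-info trick
                "http://mybank.com/login"):              # scheme downgrade
        print(url, "->", store.autofill(url))
```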

Another side effect of using Credential Manager is that a computer infection with a key logger no longer has an effect on security, because the user does not need to type the password every time he accesses a website; therefore the key logger has nothing to intercept.

Now we can easily follow the experts' advice and use long and unique passwords, a different one for each website; we don't need to remember them anymore.

Another new feature of Windows 8 is the "virtual smart card" as a replacement for passwords in organizations and businesses that use smart cards, a strong authentication system based on public-key cryptography.

From Wikipedia:

Public-key cryptography refers to a cryptographic system requiring two separate keys, one to lock or encrypt the plaintext, and one to unlock or decrypt the ciphertext. Neither key will do both functions. One of these keys is published or public and the other is kept private. If the lock/encryption key is the one published then the system enables private communication from the public to the unlocking key’s owner. If the unlock/decryption key is the one published then the system serves as a signature verifier of documents locked by the owner of the private key.

The private key must be kept secret, and the best choice is to store it on a smart card, but using one requires the necessary hardware. Windows 8 includes a new Key Storage Provider (KSP) which uses the Trusted Platform Module (a trusted execution environment that enables a PC to securely store cryptographic keys) as a way of strongly protecting private keys, and more: it acts like a "virtual smart card", keeping the full functionality of a physical smart card but eliminating the need for a physical smart card reader.
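The two paragraphs above (the Wikipedia definition and the virtual smart card) are illustrated by this added example, which is my own toy model and not Microsoft's KSP or any real TPM code. The "card" generates a textbook RSA key pair with small primes inside itself and only ever hands out signatures and decryptions, never the private exponent; anyone holding the published key can verify signatures or encrypt to the owner. Key size, the absence of padding and the hash-mod-n shortcut are demonstration simplifications, not how production smart cards work.

```python
import hashlib

def _toy_keygen(p=1000003, q=999983, e=65537):
    """Textbook RSA with two small primes (both prime; product ~1e12).
    Real keys are 2048+ bits and use padding; this only shows the roles."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse, Python 3.8+
    return (n, e), d

def _digest_mod_n(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

class VirtualSmartCard:
    """Models a TPM-backed 'virtual smart card': the private key is created
    inside the card and is non-exportable; callers get only results."""

    def __init__(self):
        self.public_key, self._d = _toy_keygen()

    def export_private_key(self):
        raise PermissionError("private key is non-exportable")

    def sign(self, message: bytes) -> int:
        n, _ = self.public_key
        return pow(_digest_mod_n(message, n), self._d, n)

    def decrypt(self, ciphertext: int) -> int:
        n, _ = self.public_key
        return pow(ciphertext, self._d, n)

# Operations anyone can perform with the published (public) key
def verify(public_key, message: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)

def encrypt_to_owner(public_key, m: int) -> int:
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)

if __name__ == "__main__":
    card = VirtualSmartCard()
    sig = card.sign(b"logon challenge 42")           # constructed challenge
    print("valid signature:", verify(card.public_key, b"logon challenge 42", sig))
    print("tampered message:", verify(card.public_key, b"logon challenge 43", sig))
    print("round trip:", card.decrypt(encrypt_to_owner(card.public_key, 123456)))
```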

There are many other security improvements in Windows 8, and you can read more about them on the Microsoft blog, but there is one last one I want to mention here. It is the use of Secure Boot, a UEFI (Unified Extensible Firmware Interface) protocol that guarantees the authenticity and integrity of the operating system boot loader. Therefore malware attacks targeting the boot process (the so-called rootkits such as TDL/TDSS, or bootkits such as Mebromi and Popureb.E) are no longer possible. In earlier Windows versions, this malware subverted the normal boot process, running malicious code before the operating system started, in order to hide its presence and to alter the functionality of security solutions; now, in Windows 8, we can see that Microsoft has addressed all these security issues.
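As an added illustration of the Secure Boot decision just described (my own model, not UEFI firmware code), the following example walks a boot chain and runs each stage only if its hash is in the allowed database (db) and not in the forbidden database (dbx). It models the hash-allowlist form of db entries; real deployments mostly rely on certificate entries and Authenticode signatures, which this toy omits. The stage images are constructed byte strings, not real binaries.

```python
import hashlib

def image_hash(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

def allowed(image: bytes, db: set, dbx: set) -> bool:
    """A dbx (forbidden) entry always wins over a db (allowed) entry."""
    h = image_hash(image)
    return h not in dbx and h in db

def boot_chain(stages, db: set, dbx: set):
    """Walk firmware -> boot loader -> kernel; each stage runs only after
    it has been verified. Returns (stages_executed, first_blocked_stage)."""
    executed = []
    for name, image in stages:
        if not allowed(image, db, dbx):
            return executed, name
        executed.append(name)
    return executed, None

# Constructed sample images (not real boot files)
BOOTMGR = b"BOOTMGR v1 (constructed sample)"
KERNEL = b"NTOSKRNL (constructed sample)"
BOOTKIT = BOOTMGR + b"\x00hooked"          # loader modified by a bootkit

DB = {image_hash(BOOTMGR), image_hash(KERNEL)}
DBX = set()

def clean_boot():
    return boot_chain([("bootmgr", BOOTMGR), ("kernel", KERNEL)], DB, DBX)

def infected_boot():
    """Any change to the loader changes its hash, so nothing after it runs."""
    return boot_chain([("bootmgr", BOOTKIT), ("kernel", KERNEL)], DB, DBX)

def revoked_boot():
    """An image still listed in db is refused once its hash is added to dbx."""
    revoked = DBX | {image_hash(BOOTMGR)}
    return boot_chain([("bootmgr", BOOTMGR), ("kernel", KERNEL)], DB, revoked)

if __name__ == "__main__":
    print("clean:   ", clean_boot())
    print("infected:", infected_boot())
    print("revoked: ", revoked_boot())
```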

References:

http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx

http://blogs.msdn.com/b/b8/archive/2011/12/14/protecting-your-digital-identity.aspx

http://blogs.msdn.com/b/b8/archive/2011/09/15/protecting-you-from-malware.aspx

Keep safe!
