Crackers: no need to install keylogger in W10 preview

For discussions about security.
prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

Crackers: no need to install keylogger in W10 preview

#1 Post by prehistoric »

I was only a little surprised to read that the Windows 10 preview monitors keystrokes, and sends unspecified text to M$ for purposes of "product improvement".

Now, we all know just how far we can trust M$, right? :roll:

My current concern is with the security of this preinstalled pot of gold for system crackers. Anyone see evidence of security guarantees for safe operation of this "feature"?

Do such hypothetical assurances also apply to attacks from North Korea?

Burn_IT
Posts: 3650
Joined: Sat 12 Aug 2006, 19:25
Location: Tamworth UK

#2 Post by Burn_IT »

That was the free preview if I recall and users were warned.

And that is the purpose of testing/market research
You can't see what went wrong and you can't tell what people are using it for if you don't know what was being done.

Stop knocking things when you don't know what you are talking about!
"Just think of it as leaving early to avoid the rush" - T Pratchett

bark_bark_bark
Posts: 1885
Joined: Tue 05 Jun 2012, 12:17
Location: Wisconsin USA

#3 Post by bark_bark_bark »

Does it really need ALL that information for fixing bugs? I don't think so.
....

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#4 Post by prehistoric »

Ah yes, users were warned, and how many of them read the EULA and privacy policies?

My point is not that M$ is collecting this information, right down to individual keystrokes, it is that nobody should expect this to be secure from attack. This is an especially high-value target for system crackers.

Even if M$ carefully removes such things as credit card information and passwords when it transmits information for debugging purposes, these routines will do most of the work for system crackers, all they have to do is tap in at the right point in the pipeline.

The best advice for those participating in this effort is to avoid doing anything on a computer running W10 preview you do not want broadcast all over the world.

There is also a great deal of amusement to be had when you read various legal agreements about what companies can legally do with information they collect and how they can use software they install on a machine. You might check out such things as Fun Moods or any of the companies associated with ClickBank which are clearly banking money from software and services of very dubious value.

I also have my doubts as to whether or not any M$ product is ever debugged, so I suspect this innovation concerning privacy will be carried over into the final product and associated user agreements. Even at present, I'm not sure how you would mount a legal challenge against M$ if your personal and financial information ends up in the hands of people who are out to rape and pillage you.

Before you accuse me of being completely one-sided, I want to add that I'm now investigating similar problems in the popular tablets and mobile phones running Android.

To prevent panic I will reassure the public they are all every bit as secure as celebrities and large corporations like Sony Pictures.

amigo
Posts: 2629
Joined: Mon 02 Apr 2007, 06:52

#5 Post by amigo »

I'm sure there are those on the forum who must be thinking: If only Sony Corp had been running Puppy, they would not have been hacked. Or at least, they could have restored their 'savefile' from backup and that would fix it all...

Burn_IT
Posts: 3650
Joined: Sat 12 Aug 2006, 19:25
Location: Tamworth UK

#6 Post by Burn_IT »

Well if you insist on using a beta or user test version to do highly sensitive transactions, you deserve to get hacked. Those hooks for keystroke and strings are removed from the RC versions that are sent out to testers.
I would argue about it being a high value target since it is only released to chosen people (if you get it illegally that is your look out)

You cannot install a real version of Windows over a Beta version. A full disk format is needed. And MS do advise people to not have any other disks in the machine that are not going to be formatted after beta testing.


How many people read ANY EULA.
I'd like to bet there is not a single user on this forum that has read every EULA for every Puppy version they have used.

Unlike in the Linux environment, MS do actually invite their official beta testers and they do provide (well they did when I did it) special reporting software.
"Just think of it as leaving early to avoid the rush" - T Pratchett

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#7 Post by prehistoric »

As for removing those hooks, etc. It looks to me that M$ is more likely to leave all kinds of switches in released software with the idea that nobody else will be able to do what they can do when they turn them back on for remote assistance.

That idea of "security through obscurity" really worked wonders with restore points. I've spent weeks out of the last 6 months digging out malware installed in them. (Not talking about my own systems, I only keep a Windows installation around to be able to reproduce problems experienced by others.)

I've also found malware inserted in "hidden" partitions. ("Gosh! Who would have guessed anyone would figure out how to change hidden attributes.")

The latest call for help came from a person in a nursing home whose computer had become unusable. A scan of the hard drive (started from a standalone program which did not use Windows, then continued inside Windows after minimal security was obtained) took 12 hours and showed nothing. The performance problem, (aside from running W8,) came from a battle between browser helper objects doing their best to redirect the user in three different directions. These also send information back to the companies which developed them. I consider these major security weaknesses.

If you feel like finding out what happens to data collected below your awareness you can feed those companies a "barium meal". This means you create a fake identity with attributes you can detect when the information is used. This causes information leaks to stand out from the background of spam like an image of barium on an abdominal X-ray.

Most of these uses are not actually illegal, though you have to be suspicious when you start getting calls from "Microsoft Support" about a problem with your computer. The last personal report of that scam I had is less than a week old.

Finally, I have to ask what you consider sensitive information. I would be cautious about entering router passwords just for example. It is all too easy to turn a LAN inside out by changing the settings on routers and hardware firewalls. We are still learning about new loopholes opened by "the Internet of Things" almost daily.

My advice for that person in a nursing home is to use a rather dumb phone to make calls and send messages, and use a device which has Netflix in firmware to watch movies. They simply can't cope with the mess a Windows machine has become. I'm working on a way to allow them to deal with email.

Meanwhile, concerning the warnings in EULAs and privacy policies, (which are always subject to change,) I can't top Tom Scott's classic vision of the future.
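The "barium meal" described in the post above, as an added example (not code from the original post or from anyone in this thread). It assumes you control a catch-all mail domain, here the constructed `canary.example`, so that any local part is delivered to you, and it uses a keyed tag so that a vendor cannot mint a valid canary address in another vendor's name. The sample spam headers at the bottom are constructed, not captured.

```python
"""Canary ("barium meal") identities: trace which company leaked your details.

Added example, not from the forum post.  Assumes you control a catch-all mail
domain (the constructed 'canary.example') so any local part reaches you.
"""
import hashlib
import hmac
import re

SECRET = b"change-me: random per-deployment secret"   # assumption: kept private
CANARY_DOMAIN = "canary.example"                       # assumption: your catch-all domain
_ADDR_RE = re.compile(r"([a-z0-9]+)-([0-9a-f]{10})@" + re.escape(CANARY_DOMAIN))


def _tag(vendor: str) -> str:
    """Keyed 10-hex-char tag; without SECRET nobody can forge a valid tag for a vendor."""
    return hmac.new(SECRET, vendor.encode(), hashlib.sha256).hexdigest()[:10]


def make_identity(vendor: str) -> dict:
    """Build the fake identity you hand to exactly one vendor.

    Every attribute carries the same tag, so the leak is detectable whether it
    resurfaces as e-mail, postal mail or a phone script reading your 'name'."""
    vendor = re.sub(r"[^a-z0-9]", "", vendor.lower())
    tag = _tag(vendor)
    initials = "".join(chr(ord("A") + int(c, 16)) for c in tag[:2])
    return {
        "vendor": vendor,
        "email": f"{vendor}-{tag}@{CANARY_DOMAIN}",
        "name": f"Pat {initials} Doe",
        "street": f"{int(tag[:3], 16) % 900 + 100} Barium Lane",
    }


def identify(address: str):
    """Return the vendor a canary address was issued to, or None if it is not ours or forged."""
    m = _ADDR_RE.fullmatch(address.strip().lower())
    if not m:
        return None
    vendor, tag = m.groups()
    return vendor if hmac.compare_digest(tag, _tag(vendor)) else None


def leaks_in(message: str) -> set:
    """Scan raw text (a spam folder, a call log) and return the vendors implicated."""
    found = set()
    for user, tag in _ADDR_RE.findall(message.lower()):
        vendor = identify(f"{user}-{tag}@{CANARY_DOMAIN}")
        if vendor:
            found.add(vendor)
    return found


# Constructed sample: one genuine canary address and one with a forged tag.
SAMPLE_SPAM = (
    f"To: {make_identity('Fun Moods')['email']}\n"
    f"To: clickbank-0123456789@{CANARY_DOMAIN}\n"
)

if __name__ == "__main__":
    print(make_identity("Fun Moods"))
    print("leaked by:", leaks_in(SAMPLE_SPAM))
```

Hand each company its own `make_identity()` output and nothing else; when the address, the odd middle initials or the street number turns up in unsolicited mail, `leaks_in()` names the source, and a tag that does not verify tells you someone is guessing addresses rather than using a list they bought.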

Burn_IT
Posts: 3650
Joined: Sat 12 Aug 2006, 19:25
Location: Tamworth UK

#8 Post by Burn_IT »

I didn't say they might remove them, I said they DO remove them.
I have been a beta tester for MS.
I've also been a software engineer since 1976 which is just about when Windows first came out.
"Just think of it as leaving early to avoid the rush" - T Pratchett

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#9 Post by Flash »

Burn_IT wrote:How many people read ANY EULA.
I'd like to bet there is not a single user on this forum that has read every EULA for every Puppy version they have used.
Puppy has a EULA? :lol:

Burn_IT
Posts: 3650
Joined: Sat 12 Aug 2006, 19:25
Location: Tamworth UK

#10 Post by Burn_IT »

I don't know; I've never looked!!

OOHLALA??
"Just think of it as leaving early to avoid the rush" - T Pratchett

tlchost
Posts: 2057
Joined: Sun 05 Aug 2007, 23:26
Location: Baltimore, Maryland USA

#11 Post by tlchost »

Burn_IT wrote:I didn't say they might remove them, I said they DO remove them.
I have been a beta tester for MS.
I've also been a software engineer since 1976 which is just about when Windows first came out.
Buried somewhere in the rules is a statement: Thou shalt not say anything remotely positive about Microsoft and/or Windows.

This obviously trumps any real world professional experience you may have acquired.

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#12 Post by prehistoric »

Actually, I was a software engineer and worked with BASIC before MS BASIC destroyed the preexisting de facto standard. I also worked with windows before M$ realized the term was not trademarked, and promptly grabbed it. My experience with DOS preceded the existence of M$ DOS. (This was another generic term for a disk operating system used in the minicomputer business.) I was also an owner of an early Mac.

My experience with microprocessors goes back to the Intel 4004. I was using the Internet before the World-Wide Web existed. I was using the term "browser" before the late lamented Netscape produced a commercial product, for which M$ "cut off their air supply" to destroy competition. (The quote is in M$ documents which came out in the legal dispute.)

Since you state categorically that they "do remove" the hooks used in debugging before they release products, I have to assume you have seen the source code. This means you have signed a non-disclosure agreement which basically says you can't say much of anything about the code M$ doesn't like. So the claim comes down to "I have inside knowledge, but I can't tell you anything about it you can check."

What I can check are security problems, and I can tell you a significant number of them can be traced to things it was OK for M$ to use, but were intended to remain forever secret from others. There is no question some of these were intended as aids to debugging. Examples in notorious .NET code: you don't have to change any code at all, only configuration files. How is this possible if the vulnerable code was removed?

Instead of building systems with any pretense of secure operation, M$ has concentrated on placing legal restraints on anyone honest who knows about problems in order to enforce a monopoly. This has been no restraint at all on system crackers.

Burn_IT
Posts: 3650
Joined: Sat 12 Aug 2006, 19:25
Location: Tamworth UK

#13 Post by Burn_IT »

Yes there are NDAs

.NET is pretty much an OS in itself.

You don't need hooks if you know the offset in the load module you want and can branch to it.
Buried somewhere in the rules is a statement: Thou shalt not say anything remotely positive about Microsoft and/or Windows.
Damn I forgot that.

I first started coding in 1968 whilst doing a Summer job before going to college.
"Just think of it as leaving early to avoid the rush" - T Pratchett

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#14 Post by prehistoric »

Burn_IT wrote:...
You don't need hooks if you know the offset in the load module you want and can branch to it...
Which anyone with the preview version should be able to find easily. After that the only problem is creating an entry with regedit or an installation program. If the code itself has not been removed this is not much protection.

The example of exploiting a built-in keylogger doesn't really require coding skills. You only need to do two things: change the way the information is transmitted, or the address to which it is transmitted; enable the debugging feature used in development. This is similar to the way script kiddies have been causing all kinds of trouble for ages. M$ claims to be defending people from these, but actually benefits when infestations lead to junking old machines and buying new ones. (One M$ employee told me to format the drive and reinstall everything every 6 months, like he did. Unfortunately, I was not getting paid for time spent in such activities.)

As an example of the failure of "security through obscurity" I will present the following story.

I routinely run scans by standalone programs which do not depend on Windoze. I don't automatically assume a machine is clean unless it can pass several from different suppliers. In one case I found and removed several pieces of malware the installed security had missed, including rootkits, and reinstalled some corrupted system components and applications from separate media. After this the machine tested clean. It became infected almost immediately after it was returned.

This led to a complete backup of user files, formatting the main OS partitions, and another reinstallation. Again, the machine tested clean. It was returned the following day with a new infestation.

After some tests I decided there was something wrong with the TrustedInstaller, and even copied the file from an identical system. (This is used when you run "sfc /scannow" to replace corrupted system files.) This did not change anything.

After more adventures than I care to mention I determined that the hidden partition used for factory restore had been altered. Again, TrustedInstaller looked good, but something was wrong with the way it worked. This was traced to the code that checks certificates before installing modules. For the most part this also seemed good.

The dropper for malware was actually in the uninstall program for stupid games from WildTangent which I would call crapware. As soon as I returned the machine the user uninstalled things he didn't need or want, which installed new malware. Why didn't the built-in protection prevent this? Because the modified WildTangent program was on a list of components the OEM trusted.

New computers from just about anyone come with a number of things which benefit vendors far more than buyers. (If you don't like the term crapware you can call them adware.) Many have Norton security products or Skype preinstalled. Both Symantec and Skype are now owned by M$, so the logic seems to be you can trust them implicitly. OEMs can add all kinds of dubious things. If they are producing revenue for M$ don't expect any objections from that quarter. These attackers simply found a way to tell the OS that it should trust the binary they replaced in the hidden restore partition. The theory that these acceptable extensions to trust would only be used by M$ or people equally trustworthy didn't work at all.

I still don't know if the malware was missed simply because there was no specific signature at that time, or if it was merely dumb code containing a vulnerability which opened the system to external attack.

There are many ways to defeat signature-based scans. Behavior-based malware detection runs afoul of the fact that any number of things from suppliers like M$ have precisely the forbidden behavior. (The BHO used to implement Skype Click-to-Call is one of my pet peeves.) With updates daily, if not hourly, any antivirus program which is aggressive in reporting anomalous behavior will produce a stream of false positives.

M$ always insists the problem is simply that they don't control everything in the whole world. If you believe this you ought to check on problems they've had with Windows RT and the Surface machines.

You might also check on the sophistication of such malware as Regin, Flame, Duqu or Chthonic.
DUQU arrives as a Microsoft Word document that initiates a zero-day kernel exploit.
The idea that most of us are safe because these required the resources of nation states to develop runs into problems with the simple fact that the code is out there "in the wild" being analyzed by many people. (I strongly suspect the reason Regin was announced to the world at large was that people with opposing interests to those who created it were beginning to exploit the techniques.) Internal evidence in these systems of programs strongly suggests they were developed with sophisticated tools which can mix and match components to generate huge numbers of variants. Such tool kits are already known to be circulating on the "dark web".

We really don't need preinstalled keyloggers.
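The investigation in the post above came down to a binary in the factory-restore partition that differed from the copy on an identical machine, yet was trusted because the OEM trusted its name. The following is an added example, not code from the post or from any vendor, of the comparison that finds such a file: hash every file under the suspect partition, diff against a manifest of a known-good copy, and report changed files even when they sit on an allow-list. It assumes both trees are mounted read-only; the demo tree built by `build_demo_tree()` and its file names are constructed for illustration.

```python
"""Baseline comparison of a factory-restore image against a known-good copy.

Added example, not from the forum post.  Assumes the known-good image from an
identical machine (or a vendor download) is mounted read-only next to the
suspect partition; the demo trees below are constructed, not real OEM content.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root) -> dict:
    """Map each file's path relative to root (forward slashes, case-folded as on
    NTFS) to its SHA-256.  Hidden attributes are irrelevant: rglob sees everything."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix().lower(): sha256_of(p)
        for p in root.rglob("*") if p.is_file()
    }


def compare(reference: dict, suspect: dict, oem_allowlist=()) -> dict:
    """Diff two manifests.  A path on the OEM allow-list is still reported when its
    bytes changed: trust attached to a file name says nothing about its contents."""
    allow = {a.lower() for a in oem_allowlist}
    modified = sorted(p for p in reference.keys() & suspect.keys()
                      if reference[p] != suspect[p])
    return {
        "modified": modified,
        "added": sorted(suspect.keys() - reference.keys()),
        "missing": sorted(reference.keys() - suspect.keys()),
        "allowlisted_but_modified": [p for p in modified if p in allow],
    }


def build_demo_tree():
    """Constructed reference/suspect trees standing in for two restore partitions."""
    base = Path(tempfile.mkdtemp(prefix="restore-demo-"))
    files = {
        "windows/system32/core.bin": b"unchanged system component",
        "oem/bundled/uninstall.bin": b"original uninstaller",
    }
    ref, sus = base / "reference", base / "suspect"
    for name, data in files.items():
        for tree in (ref, sus):
            path = tree / name
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
    # The suspect copy carries a modified uninstaller plus one dropped file.
    (sus / "oem/bundled/uninstall.bin").write_bytes(b"original uninstaller + dropper")
    (sus / "oem/bundled/helper.bin").write_bytes(b"dropped payload")
    return ref, sus


if __name__ == "__main__":
    ref, sus = build_demo_tree()
    report = compare(manifest(ref), manifest(sus),
                     oem_allowlist=["oem/bundled/uninstall.bin"])
    for key, paths in report.items():
        print(f"{key}: {paths}")
```

Run it against the real partitions as `compare(manifest("/mnt/good"), manifest("/mnt/suspect"), oem_allowlist=...)` from a live system that does not boot the suspect disk; a signature check on the modified files is the next step, but the hash diff is what tells you which files to look at.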

Ted Dog
Posts: 3965
Joined: Wed 14 Sep 2005, 02:35
Location: Heart of Texas

#15 Post by Ted Dog »

like that guy who shows up with a 300M pet "game", no thanks. We had malicious code posted in a script HERE of all places. It lasted about 20 minutes. Me and another got clobbered by it; Techosaur explained how it functioned (simple looking but packed a punch) and some MOD nuked it shortly after.

bark_bark_bark
Posts: 1885
Joined: Tue 05 Jun 2012, 12:17
Location: Wisconsin USA

#16 Post by bark_bark_bark »

Anyone with a brain knows that Norton is absolute trash.
....

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#17 Post by prehistoric »

Latest adventure in the world of windoze malware: a "potentially unwanted program" that redirects all searches to www1.dlinksearch.com. (Results appear on a page with address www1.search-results.com, if you pay attention to URLs.)

I cleaned out various versions of this on one machine on a network, but the misbehavior reappeared after I returned the machine. System now has up-to-date malware protection, so that is not the cause. Get my own laptop out of car, and connect directly to router. Searches are still redirected. Get similar router, which I set up myself, out of car, and connect this. Problem goes away. Carry compromised router off as evidence. Check with ISP. No, they do not normally redirect searches.

This is no longer restricted to Dlink routers. The compromised router was a Linksys WRT54G, which did not have up-to-date firmware installed. The IP addresses used do not match a previously reported 208.67.216.148 address. These troublemakers have broadened their range of targets, and moved.

The compromise now involves everything from browser helper objects, to modified browsers (like the version of Firefox used by Yahoo!), to OS networking tables, to routers that have not been set up securely. Not all "potentially unwanted programs" are reported by malware scanners because their behavior is very similar to a wide range of legitimate add-on toolbars, etc.

How do you tell such malware from customary business practices which only expose users to rape and pillage by a select group of companies?

Scooby
Posts: 599
Joined: Sat 03 Mar 2012, 09:04

#18 Post by Scooby »

prehistoric wrote: Get similar router, which I set up myself, out of car, and connect this. Problem goes away. Carry compromised router off as evidence. Check with ISP. No, they do not normally redirect searches.

This is no longer restricted to Dlink routers. The compromised router was a Linksys WRT54G, which did not have up-to-date firmware installed.
Were you able to log in to the web panel of the compromised router?

What was the attack vector?

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#19 Post by 8Geee »

bark_bark_bark wrote:Anyone with a brain knows that Norton is absolute trash.
As soon as Sygate's rather nice Personal Firewall program got bought out, and nuked, that was it for me. Version 5.6.2808 is still floating around.
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

Burn_IT
Posts: 3650
Joined: Sat 12 Aug 2006, 19:25
Location: Tamworth UK

#20 Post by Burn_IT »

That does not sound like a Windows problem!! as you stated.
"Just think of it as leaving early to avoid the rush" - T Pratchett
