Windows 10 Security and Privacy Initial Setup

Tags

AntiVirus, Cortana, privacy, security, Sophos, Telemetry, Windows 10, Windows Defender

Recently I’ve bought my first personal Windows machine, and was a bit wary of connecting it to the Internet without first looking at the security configuration, even though Windows 10 has native memory protection features that make arbitrary code execution pretty damn difficult.
Here I’ll cover the basic steps for enhancing security further, and also a solution that might resolve the privacy issues associated with Cortana and telemetry.

Windows Defender
The first thing I’d recommend is setting up Windows Defender. This provides a basic anti-malware service, links to the local firewall configuration and parental controls. In the Update & Security menu, there’s initially a button to enable the Windows Defender service. Use this to access the Security Centre and its main options.

From what I’ve seen, most consumer-level routers don’t allow for a detailed firewall configuration. This is why it’s a good idea to check the one that’s included with the operating system. Although Windows Defender has a simplified interface for general filtering rules, I prefer to go through the entries in the ‘Windows Firewall with Advanced Security’ application.
The ‘Allow an app through the firewall‘ in the ‘Firewall & network protection‘ tab opens the Control Panel’s Windows Firewall options. Ensure the firewall is enabled for both private and public networks. Clicking ‘Allow an app through the firewall‘ link should open a menu to select and deselect application-level rules.

Application whitelisting, or ‘Default Deny’ – blocking all applications and services except those specifically allowed, is a strategy worth considering for a paranoid-level of security.

SmartScreen settings are displayed under ‘App & browser control‘. Technically SmartScreen improves security by checking the URLs of Edge browser requests against a list of malicious addresses, but it’s a trade-off between that and privacy.

The ‘Family options‘ tab contains options that are potentially useful if children are borrowing the laptop. As with Sophos Home security (which I’ll come to), the ‘Family options‘ are managed through a Web portal so it’s harder to disable without logging into the owner’s account.
Here the owner has the options to determine which sites are accessible in the Edge browser (what happens if Firefox is used?), set time limits for laptop/browsing activity and monitor online activity.

More advanced security-related configurations can be accessed in the classic Control Panel. Options to look at are User Account Control, BitLocker and Storage Spaces.

Disable Telemetry Services
Central to the privacy-related controversy around Windows 10 is the ‘telemetry’ feature. Essentially every several hours the operating system will send limited data about the usage to Microsoft. This cannot be disabled in the user-friendly Privacy settings menu, which instead only allows for Basic or Full diagnostics, but it can be disabled in Services.msc (the Services application), where it’s listed as ‘Connected User Experiences and Telemetry‘.

Some caution is needed when disabling services here, though, as many of them are for inter-process communication between critical operating system components.

Just in case the telemetry feature is re-enabled by some future update, it makes sense to configure the inbound and outbound firewall rules for ‘Connected User Experiences and Telemetry‘ in the Windows Firewall advanced settings. This might also be listed in the simplified firewall menu as ‘DiagTrack‘.

By the way, you could also do this for any applications you want to keep entirely offline.

Third-Party Protection
After the native security features are configured, the next thing to add is a dedicated third-party anti-malware product. I’ve reviewed BitDefender Total Security before, and found it an excellent product definitely worth the £30 annual subscription. I’m also thinking of giving the considerably more expensive F-Secure TOTAL a try, as I believe in supporting a company that takes a principled stand on digital rights, and the Freedome VPN service might prove very useful while travelling.

For now I’ve installed Sophos Home – I’ve followed this vendor’s work for a couple of years as a security undergraduate, and I’m very confident it provides an excellent layer of protection even though it’s a free service. Sign up for an account with Sophos on the site, and download the installer file (roughly 236MB). When launched we get a status screen when running the Sophos Home application.

What we get here is virus protection, Web protection and unwanted application detection. The latter should protect against spyware and adware.

Sophos Home installations are managed from the company’s Web dashboard, which has three configuration sections:

• Virus Protection: Seems like your typical anti-malware detection system.
• Web Category: Determine which categories of sites are allowed and which are blocked.
• Exceptions: Set filtering exceptions for files, Web sites and applications.

Advertisements

A Short Guide to Going Dark on the Move (Part II)

Tags

android, openvpn, vpn

OpenVPN is a flexible VPN client that tunnels network traffic between the local system and a proxy/gateway server, so that nobody between those two endpoints should be able to determine the metadata or the content of your communications. While there are multiple posts on the UWN Thesis blog that deals with setting up OpenVPN on Windows and Linux, I’ve recently managed to get it working again on an Android device.
Of course, you’d need to find a VPN service that appears sufficiently trustworthy, and it’s important to check the session being tunnelled hasn’t been compromised (check the TLS/SSL certificate) once the VPN connection’s established. Remember that service providers are subject to the laws and constraints of whichever countries they’re operating in, and might be required to provide information about their users to The Powers That Be. The best you can do is read the terms of service and privacy statements very carefully.

The application I installed was OpenVPN Connect, which is available in the Play store. After installation, there are a few configuration options to look at.

• Seamless Tunnel: Defintely check this option. The last thing we’d want is the browser to fallback to the default network interface, exposing sensitive data, without us knowing if the VPN service drops the connection.
• Reconnect on reboot: Disabled this, just to be polite and reduce demand on the VPN servers.
• Connection Timeout: Sometimes it takes a while to establish a connection, so this is set to 1 minute.
• Force AES-CBC: Depends. AES-CBC could be better or worse than what’s being provided.
• Minimum TLS: Could set the latest as default, but shouldn’t matter so much.
• DNS Fallback: Even if you dislike Google, this is only a fallback option, and there’s no way to set an alternative.

Once the client configuration is sorted, the connection settings for a VPN service are required. For this demo I’ll fetch and load a connection profile for a service called ‘VPNBook’, which is distributed as a .zip archive of .ovpn files. I have downloaded and extracted these on my mobile device.

In the OpenVPN Connect menu, select ‘Import‘ and ‘Import Profile from SD Card‘. Next find and select the .ovpn file that contains the desired connection settings. Since TCP over 443 seems to work best for my Android device, I’ve loaded the tcp443.ovpn file.

Next you’ll need to enter the username and password, again available on VPNBook’s site. Now the client should establish a tunnel connection.

Once the ‘OpenVPN: Connected‘ message is displayed, I normally navigate the browser to InfoSniper or whatismyipaddress.com, just to ascertain that the browser traffic’s going through one of the VPN servers.

A Short Guide to Going Dark on the Move (Part I)

Tags

android, darknet, firefox, onion, Orbot, tor

I’m probably going to repeating things I posted for the Tor on Linux setup, but I think the Android version of the Tor client deserves a post of its own. The setup I’m using has Firefox (the browser) and Orbot (Tor client and local proxy) installed separately, but it’s possible to install Orfox, which combines the browser and client.

I don’t make any guarantees about the safety here, for obvious reasons – developers are humans, and humans make mistakes when developing software, and few of us have the discipline to be consistent with our OPSEC and tradecraft – Tor on its own masks only IP addresses and I haven’t found a Privoxy equivalent for Android that strips identifying information from the browser traffic payload. You might need to analyse the traffic with Wireshark and work around that.

After launching Orbot, enable the ‘Apps VPN Mode‘, and check the boxes for applications you want routing their traffic through Tor. For example, if you want browser traffic going through Tor, enable Firefox or Chrome (or both). If you want the Android device to route all its network traffic through Tor, enable all the applications in the list.

Pressing the ‘Browse‘ button should launch Firefox, and if the browser traffic’s being routed through the proxy a success message is displayed.

This is enough to get most people started, to claw back some of that pseudonymity, that separation between our online and real-world identities.

Accessing .onion Sites
What about the Onion, or the ‘Dark Web’ (or whatever ominous name the press is calling it these days)? First you need a directory or list of hidden services with .onion addresses. Save or bookmark https://thehiddenwiki.org, and try the Tor search engines to get started – at least some of the links work, but others are a little temperamental.

The next thing you’d need to do is configure Firefox to use Tor servers to resolve .onion addresses, which is something the conventional DNS won’t do. Installing Orbot seems to configure this automatically, but sets .onion blocking by default to precent users accessing the Darknet accidentally. Enter ‘about:config‘ in the browser’s address field, and set ‘network.dns.blockDotOnion‘ to ‘false‘.

Make a note of that, if there might be a need to undo this change. Links and URLs with the .onion suffix should now be resolved and the hidden services made accessible in Firefox.

Other Configuration Options
Because Tor is a shared service with limited capacity, I think it’s only polite to limit my usage of it, so I’ve disabled ‘Start Orbot on Boot‘ and ‘Allow Background Starts‘.

The ‘Request Root Access‘ and ‘Transparent Proxying‘ options are loosely related. One configures Orbot to run the proxy server with root access if possible, and to control the network interface. The Transparent Proxying option should set the Tor proxy as the default virtual network interface for all network traffic being sent and received across all applications running on the device.

There are a set of options under Relaying that enables users to contribute local resources. There should be very little or no risk associated with running a non-exit relay, so it’s a matter of choice whether you’d want to add your device to the Tor network as a resource.

Counterpoints to the RFID Implant Snake Oil

Tags

32M, Implant, RFID, Three Square Market, TurnKey Corrections

When I read the opinion piece in The Independent, titled ‘A US company has microchipped its employees – we should welcome this as progress and get involved‘, I noticed so much vagueness and inaccuracy in Ab Banerjee’s evangelism of RFID implants that I just needed to post a counterpoint. He may be a CEO of a software company, but he seems to have weighed in without knowing anything about the technology itself or the risks of applying it in the way he advocates. If you want a more balanced and factual digest on this, I recommend the INFOSEC Institute’s ‘Human-implanted RFID Chips‘.

The first thing to know about the technology is it was originally developed for tagging and tracking objects for inventory control, and the tracking of livestock was an early application. However, the idea of implanting RFID chips into humans isn’t new – it’s said that Professor Kevn Warwick was the first person to receive an implant in 1998, and six years later VeriChip was approved by the FDA in the United States.
An RFID tag serves pretty much the same purpose as a barcode, but provides the ability to scan items in batches instead of individually, and probably much faster also. The security application of RFID is a sort of gray area: it’s useful as a blunt tool for identification and access control to low-security environments, but not advisable for authentication. You wouldn’t, for example, use RFID alone to authorise large payments or log into a corporate network, because not even an implanted tag could provide the same level of assurance as a Chip-and-PIN system, or some other 2FA thing that involves more elaborate hardware that was refined to deal with real-world threats. In fact, I’ve visited government facilities that are protected by several layers of three-factor authentication system.

Admittedly I do have a somewhat less rational dislike of RFID implants, and not just because I find it astonishing that a group of adults could peer-pressure themselves into doing stupid shit like this just to use a ‘micro-market’ freaking vending machine. By the way, it’s actually not the future. One thing I’ve learned from last year’s Microsoft marketing events staff conferences is that things are going the way of biometrics, voice recognition and ‘convergence’. Gradually the smartphone will become the ‘hub’ for everything in our digital lives, even authentication with corporate networks. Ergo, I figure the RFID implant would become just as obsolete as the stand-alone MP3 player.

I can’t help but feel there’s something fundamentally dehumanising about the idea of ‘chipping’ people as if they were livestock, and I don’t feel the ubiquity of such implants could bring anything other than a world of societal consequences. My fears aren’t without some foundation.
Several things stood out immediately when first skimming through Banerjee’s opinion piece: He shows a pattern of viewing people in terms of performance metrics and other quantifiables, and his advocacy of the implants is solely in terms of how people are managed. I also think that his dismissal of our objections as irrational actually masks his inability to address the more humanistic questions. Also, what he’s describing, in his ‘vision’, is a workplace environment that most people would find psychologically unhealthy. The opinion piece was actually more about this than RFID technology.

Limits and Capabilities of RFID Implants
It seems a common misconception, one that Banerjee shares, that RFID chips store subjects’ records. They don’t. Instead they typically store an identification number, which usually refers to a database record – in other words it does the same thing as an RFID chip within an ID card. If you look on SmartCard Focus, an RFID tag ~3-4cm diameter stores ~200 bytes. An Ultralight tag has 64 bytes of ROM. For an implant, the ROM size would be much smaller – the VeriChip (which was easily cloned), according to the INFOSEC Institute article, stored a 16-digit number. The chip I think 32M is implanting into its employees (the ATA5577C) could store a 45-digit identifier.

You’re perhaps now asking why anyone would have a thick needle inserted deep into their right hand, between the dermis and fascia, as a delivery method for an RFID chip, when ID cards are substantially cheaper and technically more suited to what Banerjee was trying to describe? Hell if I know, which is why I’ve put ‘Snake Oil’ in the title of this post. But I’ve already answered his first question, and refuted his dismissal of our concerns as ‘predictably hysterical’, ‘scaremongering’ and ‘puff about nothing’. He states:

‘At the moment this data is stored on companies’ tech systems. But why couldn’t it be stored locally on employee microchips? It would be more accessible, and might even give employees better ownership over the data.’

All three sentences are incorrect. The first is that many (maybe even most) companies nowadays use a third-party service for data storage, and that brings a whole different set of issues related to security and trust – I’m surprised he isn’t already aware of this. Since we’ve established that an employee’s record would still exist in a database and not the RFID chip, it would still be just as inaccessible to the employee and vulnerable to being stolen, misused and falsified, and there’s nothing to suggest an employee could do anything whatsoever about it. Now, that alone isn’t better or worse than where we’re at now, per se, but if people received the implant and multiple databases were tied to it (because people aren’t going to have multiple implants), that would pave the way for data mining, egregious privacy violations and all manner of abuses. A future government could also use this, if politicians jumped in, to control the purchasing and movement of individuals. I played my part in the NO2ID campaign against the National Identity Register many years ago precisely for these reasons.

Banerjee’s answer for this is just wishful thinking:

‘make sure the software the chips are paired up with have strong privacy protections. For example, employees should be able to log into their microchip and control whether the data it holds is public or private. This could even be monitored and regulated by the Government.’

No, you cannot ‘log into’ an RFID chip, for reasons that are obvious to anyone who knows what an RFID chip is, and you cannot control whether the information is private since it exists elsewhere. And who exactly would implement and enforce strong privacy protections? There have been countless data breaches and privacy violations involving systems that should have been highly secure, and I can’t think of a case in which it was followed by someone being properly held to account by the government.

So, the moral of the story is that technology should serve people and improve our quality of life as humans. Don’t blindly embrace a bad idea just because someone tells you it’s ‘the future’.

The Vault 7 Release

Tags

CIA, hacking, malware, Vault 7

A price of having an overgrown surveillance industry and routine violations of the US Constitution the inevitability of classified material being exposed. There are too many former CIA hackers with sins to confess, but I wonder about the motives behind this leak. Certainly last week’s Vault 7 release is voluminous and shows that a comprehensive range of things has been compromised, but surprisingly little has been exposed so far relating to violations of their Constitution. What kind of intelligence service doesn’t develop tools and methods for targeted surveillance?
However, there’s a lot that hasn’t been revealed. Wikileaks’ Twitter post claims it’s less than 1% of the material they might publish. The CIA has close ties to Silicon Valley, a data collection budget over four times that of the NSA’s and a comparable allocation for data analysis. The budget for Computer Network Operations (basically what the Wikileaks material exposes), though, is much smaller. According to the press release, the CIA’s Center for Cyber Intelligence had over 5,000 users. It’s therefore a safe bet the CIA does have its own mass surveillance programmes, and anyone of interest to the CIA could have their devices hacked by the Center for Cyber Intelligence.

The consequences of weaponised malware aren’t only domestic. Weaponised malware set a precedent for state-sponsored malicious hacking, and undermined the moral standing and credibility of the US government. When there is a malicious attack on a given state’s network, there’s no telling who was responsible, now we know the CIA was developing methods of implicating other states. Therefore it becomes ludicrous to blame an adversary without very compelling evidence. For example, could we still be so certain the Russian government was responsible for the alleged hacking of the DNC servers, which I believe was unrelated to the published DNC emails?

Things of interest
* Much of the material under the Operational Support Branch section contains useful literature for developers and hackers. There you’ll find tutorials, product documentation, tips, coding practices, links, etc.

* I found a reference to something called ‘Palantir’ in the docs, which appears to be a reference to a testing tool. This caused a bit of fuss when that name appeared in the Snowden material, as it was assumed to be a reference to the company of that name that sells OSINT software.

* Some material deals with defeating ‘personal security products’ – anti-malware that the average home user would have installed. So far, they seemed to have broken past AVG, F-Secure, Comodo and Bitdefender, usually through DLL injection/hijacking.