Hackers Say Windows 8 and 10 Easiest Entry Points

Discussion in 'other security issues & news' started by guest, Sep 18, 2018.

  1. guest

    guest Guest

    Hackers Say Windows 8 and 10 Easiest Entry Points
    September 19, 2018
    https://www.infosecurity-magazine.com/news/hackers-say-windows-8-10-easiest/
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    This one is easy to explain.

    The newer the OS is, the more unknown vulnerabilities it has. Note that I said vulnerabilities; not to be confused with how overall secure it is. So if I want to employ an exploit, my OS of choice for looking for vulnerabilities would be Win 10.
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I highly beg to differ. Standard default, yeah, there are all sorts of easy peasy ways to snake thru Windows. But Windows 10, even if it didn't have a WD with features, and Windows 8 are not so vulnerable once a systematic, well-placed third-party security apparatus is integrated to cover vectors of all sorts. All of them!

    Those reports seek to poke holes with no published notes of either platform arrayed with various third-party security software (some of which have a highly successful legacy of warding off the worst of the worst intrusion attempts), but yeah, any raw default Windows, even tweaked, is as helpless as a baby in bathwater.

    Sorry, I just don't buy all the blackhat hype on this. And I haven't even touched on Commercial Security Programs. Just third-party ones alone, layered and set properly.
     
  4. 142395

    142395 Guest

    Regarding this particular article, I think this sums up well:
    People who are in this kind of forum often forget the truth that tech, especially security software, is only a part of security, but it seems to apply to many IT admins too. And yes, least privilege is the most important way to achieve real security.
     
  5. guest

    guest Guest

    Put SRP in place, job done. Users can't execute anything that is not in the policy, which will drastically reduce infections.
     
  6. 142395

    142395 Guest

    Unfortunately, MS declared SRP deprecated and is slowly removing it. It still works on my system, but I have heard some ppl say it stopped working correctly (IDK what makes the difference). So those who use Windows w/out DG support may need to think about alternatives in the near future, if not now.
     
  7. guest

    guest Guest

    There are other 3rd-party SRPs that work even better than the MS one, and some are even free.
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    My point exactly!

    It's not as dire a prediction as they make it out to be. Windows' current form is and always shall be just as I called it back on Windows 98: a computer operating system FRAMEWORK. As such there are (2) symptoms which its end user (controller) needs to attend to in order to maintain uninterrupted smooth operation, and one has already been named. For pity's sake, that's why it's hit on so often by the other side: it is a FRAMEWORK, not a defensive machine/system. Although that WD in Windows 10 is coming along pretty well after all these years.
     
  9. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Native Windows SRP managed by Andy Ful's Hard_Configurator tool works just fine.

    The people who are having issues might be referring to OneDrive processes. As OneDrive changes and evolves, you sometimes need to adjust the exceptions for it, and you need to use real paths (with wildcards), not just environment variables.
     
  10. 142395

    142395 Guest

    What is a 3rd-party SRP? If you meant tools like Bouncer or ERP, they're not SRP but alternatives. If you meant Simple Software Policy or Hard_Configurator, they're just a GUI front end for SRP (I know the latter does a bit more), but the problem is that what MS is removing is not the policy editor for SRP (the GUI front end) but the entire SRP itself.
     
  11. 142395

    142395 Guest

    It seems SRP so far works on all Enterprise editions; the problems I heard about are from machines running v1703, v1709 & v1803, all Pro edition, but only some of them (the cause is still unknown; someone suggested it may have sth to do with whether it is a clean install or an upgrade). The problem is simply that the same SRP rule which works correctly on other machines doesn't block programs on these machines. I have heard nothing about Home edition, but it won't hurt to check that all your rules are working correctly.

    Anyway, MS declared SRP deprecated, so the only reason SRP still works is probably that they're much more engaged in adding new features than in removing old ones.

    [EDIT:] I'll add a bit more detail. The CodeIdentifiers registry key properly exists on those machines on which SRP doesn't work. But svchost.exe (DcomLaunch), which usually is responsible for referring to the registry, doesn't refer to the registry on those machines.

    BTW, so many comments, but it seems nobody has actually read the article.
     
    Last edited by a moderator: Sep 20, 2018
  12. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    I am using SRP on Windows 10 Pro 1803, and there does seem to be a problem with certain rules configured by environment variable. They don't always work. But the rules configured by path seem to work fine.
     
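    An added PowerShell audit (my own example, not from the thread or from Hard_Configurator) that lists the native SRP rules from the machine policy, flags rules written with environment variables and shows their expanded form so they can be rewritten as real paths, then pulls recent SRP enforcement events as evidence that rules actually fire. It assumes the standard policy location HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers and the SRP Application-log event IDs 865-868; run it elevated.

```powershell
# Added example: audit native SRP path rules and check they are being enforced.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (-not (Test-Path $base)) { Write-Warning "No machine SRP policy under $base"; return }

# Security-level subkeys used by SRP: 0 = Disallowed, 131072 = Basic User, 262144 = Unrestricted
$levels = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }
$root   = Get-ItemProperty -Path $base
'Default level : {0}' -f $levels["$($root.DefaultLevel)"]
'Enforcement   : {0}' -f @{ 0 = 'Off'; 1 = 'All files except DLLs'; 2 = 'All files' }[[int]$root.TransparentEnabled]
'Policy scope  : {0}' -f @{ 0 = 'All users'; 1 = 'All users except local admins' }[[int]$root.PolicyScope]

$noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
$rules = foreach ($lvl in $levels.Keys) {
    $pathsKey = Join-Path $base "$lvl\Paths"
    if (-not (Test-Path $pathsKey)) { continue }
    foreach ($k in Get-ChildItem -Path $pathsKey) {
        # ItemData is REG_EXPAND_SZ; read it unexpanded so %VAR% rules are visible as written
        $raw = [string]$k.GetValue('ItemData', '', $noExpand)
        $expanded = [Environment]::ExpandEnvironmentVariables($raw)
        [pscustomobject]@{
            Level    = $levels[$lvl]
            Rule     = $raw
            UsesEnv  = $raw -match '%[^%]+%'
            Expanded = $expanded
            # Sanity check: does the rule point at something that exists (wildcards allowed)?
            Exists   = Test-Path -Path $expanded.TrimEnd('\*')
            Note     = $k.GetValue('Description')
        }
    }
}
$rules | Sort-Object Level, Rule | Format-Table -AutoSize

# Rules built on environment variables: candidates for rewriting as real paths with wildcards
$rules | Where-Object UsesEnv | ForEach-Object {
    "Consider rewriting '{0}' as '{1}'" -f $_.Rule, $_.Expanded
}

# Recent SRP enforcement events show whether the policy is consulted at all on this machine:
# 865 = blocked by default level, 866 = path rule, 867 = certificate rule, 868 = hash rule
Get-WinEvent -FilterHashtable @{
    LogName = 'Application'
    ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
    Id = 865, 866, 867, 868
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

    If a Disallowed rule is listed but launching a matching file produces no 865-868 event, the policy is present but not being enforced, which is the symptom described earlier in the thread.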
  13. 142395

    142395 Guest

    It's not about env variables, as one poster said it doesn't work on "C:\Windows\System32\notepad.exe". Well, I remember notepad under System32 is tricky when it comes to SRP, though.
     
  14. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Thanks for the heads up.
     
  15. guest

    guest Guest

    SRP isn't the name of a Windows product; it is the name of a type of software like:
    - AppGuard (what I'm using)
    - Symantec Endpoint Protection (Application & Device Control of the Managed version)
    - basically most Endpoint Protection software has some kind of SRP (Sophos, McAfee, etc.).

    Not alternatives; they are anti-executables, a totally different mechanism than SRP.

    I know H_C too, played a little with SSRP.
     
    Last edited by a moderator: Sep 20, 2018
  16. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    How did you come to that conclusion when the conclusion was literally in the quote?

    Ignore the clickbait title; it doesn't matter what OS.
     
  17. 142395

    142395 Guest

    All right, so we used the same word with different meanings. MS' one works as an anti-exe (a different mechanism from Bouncer/ERP ofc), but you're right, anti-exe is only a part of access control, which has to be implemented as SRP (by your def) to secure a system.

    What I don't like about Windows is that it doesn't allow granular access control by itself - you have to use a 3rd-party tool like ReHIPS or AppGuard (I know the former well, but have no experience with the latter). Well, no, even with these tools you still don't have all the control the OS gives to programs (job objects, etc.). It's quite a contrast to Linux, where you can control nearly everything via LSM.

    I feel nowadays Windows is 1 step ahead in memory mitigation (except that only a few programs adopt them - it's another problem of Windows) but has always been lagging in access control despite its potential. And no real RBAC yet. But, well, unless you're fighting against govt., any proper Windows SRP will be more than enough - rather, it might be overwhelming to common ppl, for whom iOS's decision not to allow users to touch anything about security seems to be the right direction.
    People don't bother to read unless much interested. If read, it's clear it's not about the "Win8/10 is less secure!" thing.
     
  18. guest

    guest Guest

    In fact what you refer to as Windows SRP is named AppLocker, which is indeed a real SRP, like AppGuard or SEP Application & Device Control.
    (Don't pay too much attention to the names given by vendors; they can be confusing.)

    To be more precise:

    - SRP: SRP (Software Restriction Policy) is a kind of software/mechanism made to deny execution of executables/dlls/drivers based on a pre-defined policy set by the admin.
    SRP policies usually function by selecting a process by path, hash or name. Once set, the policy will execute automatically without possible interaction from the users.
    SRP = "What is not whitelisted is automatically denied".

    - Anti-executables: a mechanism that monitors only executables (aka .exe) and prompts the users to Allow/Deny launch of the said exes.
    Unlike SRPs, anti-exes can create rules based on parent-child relations of the process.
    Anti-exe = "what is not an existing rule generates a prompt to create one".

    (Some anti-exes can look like and even behave like SRPs but are not pure ones. Also a few anti-exes can monitor dlls and drivers; one I know is NVT Smart Object Blocker.)

    So basically, SRP will auto-block what isn't whitelisted in the policy, while anti-exe will prompt the user for a decision.
    SRP is made for static systems (users can't install anything), while anti-exe fits volatile systems (users can create rules "on-the-fly", for example allowing an installer to run).
    SRP is obviously destined for corporate environments, while anti-exe can also be used by home users.

    Windows wasn't originally made for techies, unlike Linux, unless you use the Pro or Enterprise version, shipped with Group Policy and AppLocker.

    ReHIPS is first a sandbox with an Application Control module on top; the module acts similarly to anti-exes.
     
    Last edited by a moderator: Sep 21, 2018
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Not really. Sandboxie has a form of application control in that I can set it so only certain applications can run in any given sandbox.
     
  20. guest

    guest Guest

    This has nothing to do with Application Control; it is just a restriction option. Application Control means active monitoring.
    However, the Corporate version of Sandboxie (ex-Invincea Endpoint) had a BB.

    Note: in my previous post I wanted to say "ReHIPS is a sandbox first with an Application Control module on top[...]"
     
  21. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Of course :thumb:

    from the article:

    PEBKAC
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    What I experienced on the Windows 10 version is pretty comprehensive, to an extent, or at least fully implemented, where previous Windows O/S users (many of them, not our group per se) I have read about have been reluctant to use it on other versions previously. Now why that is so showed me many excuses or reasons, and you can take your choice on which it is, anything from "there's not enough time to go into all that" to pure laziness and relying on commercial AVs and such to do the bulk of the dirty work. Whereby we also know that on those previous versions it leaves a gaping entry for opposing forces, should they choose to do so, to elevate all around a system and introduce their wares. Responsible for many an article of hacking we continue to read about. Ugh.

    WD, when also engaged with all guns at the ready, is sufficient to a degree IMO, but the granularity setting is missing, whereby here again IMO an additional preventive such as an Anti-Exe can/could establish rules for a more productive, less interruptive flow of known safe processes, aka Parent-Child interactions, without getting flagged by it?
     
  23. 142395

    142395 Guest

    AppLocker is different from Windows' SRP. Not only is their mechanism different, but also AL was removed from the Pro edition long ago (actually what was removed is its interface; AL itself still runs on Pro/Home ed.), while SRP is still available.
    I think what you wrote is more of what you understand them to be rather than a widely accepted or standard def. I have searched for "software restriction policy" with 3 search engines, and almost all of the links in the first 1-2 pages use the word as in my understanding, which is MS' functionality. But there may be 2 uses of the word SRP, one a proper noun and the other general. So it's all right that you understand them in the way you described; I respect it. But if you insist they are established consensus in the security community (not Wilders nor MT alone ofc) and we have to use the word in that way, pls show the source.

    Actually I don't think the wording is very important in this context. As you wrote in parentheses, many programs do not strictly fit into either of your criteria. E.g. Bouncer works on pre-defined rules and doesn't prompt. But if you combine it with an optional companion app, it can prompt so you can dynamically make rules. And it can create parent rules. But then, ReHIPS can create parent rules, so is ReHIPS an anti-exe? MS' SRP & AppLocker also usually follow pre-defined rules, but they prompt, so if you have admin rights you can dynamically create rules. You might say the requirement is that one can directly make a rule from the prompt; then I'll never understand why the diff btwn 1-step & 2-step is so important. What you call anti-exe should have its policy saved somewhere, and policy change via prompt is just a usability enhancement, and there's a way to disable direct allowing or the entire prompt in most anti-exes. I could continue with what you wrote beneath the parentheses, but I'll omit the argument.

    You have bolded "monitor", but actually both groups of programs monitor execution, and w/out monitoring what you call SRP can't block policy violations. But again, I think we use the word "monitor" in a diff meaning, maybe. Also I think we might differ in our understanding of "executable", as it appears you think executables are ".exe", but to me what matters is not the file type but the func call and file permission (not necessarily DACL). I'll be surprised if any of these programs make a decision by solely looking at file types and not at APIs such as ShellExecute etc. An advantage of this method is you don't need to care about, say, whether .dll is executable? .bat? .js? etc. But well, this is the real world, where ppl use common language while having diff ideas, isn't it?
    I use both Pro & Enterprise, but the situation is the same. I don't have granular ctrl unless I use ReHIPS, and even ReHIPS doesn't give me AppArmor-like control. I once thought WD-ATP might fill the gap, but apparently not; it's more of an IDS. I omit the argument about sandbox and app ctrl for the same reason as above.

    Well, today it is "iOS wasn't made for techies unlike Windows"... seriously, these days young guys and dolls don't know how to use Windows. So given iOS' success in security (in a quite relative & limited sense), it seems the right way for the majority is "Do not allow them to touch anything about security, but never harm usability". Now to the article's conclusion. Indeed, just putting SRP in place is never enough. What makes real security is ppl's knowledge & behavior, not tools nor OS. Not only education, but understanding of the field and communication w/ them is needed, but it seems to be underestimated. If the policy is too strict, users always find a way to go around it. The PC is malware-free, but the data was leaked - then it doesn't matter that the PC is malware-free, and I have heard there are plenty of real cases of that (e.g. the password was on sticky notes thanks to a too stringent policy).

    My apologies for the too long read. :(
     
  24. guest

    guest Guest

    @142395
    You focused a lot on the terms I used, which I can understand, but we are not in some developer forum where exact terminology, definitions and details are used, which may overwhelm most members here or at MT.

    In forums like MT or Wilders, we try to make Average Joe understand security in a simple way (at least that is what I believe); after that, if they really want to dig into it, they have to take some Infosec courses or do some deeper research by themselves. I'm not a teacher or researcher trying to establish anything, far from it.
    I just explain in the simplest way I can, so Average Joe can grasp the idea.
    For example, we could say with 100% accuracy that everything we talk about is anti-malware and stop there; fortunately we create "categories" to narrow or define software and make explanations simpler.
    Those definitions I gave earlier are how most people I talk with would understand them, maybe not 100% the correct definitions, but good enough for them to get it.

    AppArmor is another beast that needs quite a good knowledge of Linux.
    Linux = security and stability
    Windows = usability & versatility.
    This is my interpretation after using them. I don't expect Windows to be the spearhead of security; I'd rather go with Qubes then.

    Security, like everything, is both knowledge and tools, but my first step is to lock their system, then I explain why. If you just explain, some may not even care, others will forget.
    Believe me, I tried; it wasn't a big success...
    Humans aren't reasonable; if they were, we would live in a better world. Sometimes the stick gives more results than the carrot.

    No problemo. :)
     
  25. 142395

    142395 Guest

    @guest
    I now understand your point. :)
    Pls understand my intention was not to nitpick your terminology, but it seems the one who misunderstood was me; I thought you said my terminology was simply wrong. Sincere apologies for it.

    Also agreed on the last part. But in these forums the human part is often forgotten or undervalued (I mean, just saying "don't be click happy!" is not very helpful, but often that's all), at least that's my impression, and it seems the article suggests that's also true of IT admins in corporations. We need both a sword and a shield when available.
     