Will Corporations Skip Windows 8?

Windows 8 should be released within a year, but will users flock to it as Microsoft is hoping? Honestly, probably not.

A lot of corporations recently (read FINALLY) switched to Windows 7, but Windows XP still has a huge install base. Last year, 74% of business computers still ran Windows XP. From a mix of polls for this year, it looks like Windows XP still has the edge, but in some, Windows 7 had a slight advantage.

Other reports seem to point out that numerous companies are planning to switch to Windows 7, but not for a few more years.

Windows 8 is an interesting creature. It will come with two interfaces. One is a traditional Windows-type interface, but the second screams “iPhone”. The touch-based interface looks like a direct port of the iPhone.

But with many corporations planning to switch to Windows 7 in a couple of years, Windows 8 could be bypassed altogether. Why would businesses take a gamble on a new operating system when Windows 7 has a solid install base and is a proven operating system?

Time will tell, but Windows 8 may not make as big a splash as Microsoft is anticipating.

And by the way, if you haven’t switched to Windows 7 yet and are still hesitant, try it! Windows 7 is very stable and much more secure than Windows XP.

Drive Encryption Useless against Online Attacks?

When securing your system, drive encryption is heavily recommended, and it works very well. But just how well will it protect you from online attacks? Well, truth be told, in some situations it may not help you at all.

I wanted to see how well drive encryption would protect a Windows XP SP3 machine from a common online Java-based attack. So I installed the latest version of TrueCrypt (a popular open source encryption program) on a test system. I encrypted the whole drive just to be safe:


I then rebooted to verify that the system would not boot without the TrueCrypt password:


But let’s take this one step further. One level of encryption is good, but I have a very important file that I do not want read by others. And I definitely do not want someone else to be able to copy this to a different system. I encrypted the “Super Secret” folder and the goldmine file “Secret.txt” on the victim’s machine with Windows’ built-in Encrypting File System (EFS):

All right, green means encrypted, we are good to go. The whole drive is encrypted with one level of encryption and the target file itself is encrypted with another encryption technique.

To see how well the encryption would stand up to an online attack, I used a Linux system running Backtrack 4’s Social Engineering Toolkit, and set up a simulated malicious Java Attack. On the target machine, once I clicked on and allowed the malicious Java file to run, I received a remote shell to the victim machine. Issuing a directory command on the attacker machine’s remote shell I received this:


A full directory of the victim’s encrypted root drive. Well, that is not good. The “Super Secret” directory shows up in the list, I wonder if I can access it:

Absolutely. Not only could I read the directory and its contents remotely, I was able to view the contents of the encrypted file itself. Well, that is not a fair test. I could read it, but would I be able to copy that double-encrypted file to a different computer?


Okay, it copied without error, but being encrypted, there is no way I should be able to read it on a different machine…


This is a picture of the file in Ubuntu’s Kate Text Editor. After copying the “secret” text file to my remote Linux attacking machine, it opened with no issues and was completely readable. The secret message now unencrypted and on a remote machine says:

Super Secret Insider Tip:
Sell all stocks and buy Tacos.

“Buy Tacos”, that’s a good tip, and it didn’t even come from Wikileaks. Well maybe it will be in the next release.

Okay, how was this possible? Encryption works very well when your machine is off and someone is trying to access it, or when another user on the local machine or LAN is trying to read it. But since this online attack dropped the attacker into the currently logged-in user session, the attacker could read all of the encrypted information. The encryption system could not tell that the requests came from a remote attacker; it simply saw the local user.

* Side note – if your laptop is encrypted, and is stolen while it is turned on, even though it might be locked, it could be vulnerable to a cold boot attack.

What do you do to defend yourself against this type of online attack? Do not surf the web from secure systems. Use a virtual machine or a different machine altogether. If you must surf from your encrypted machine, do not allow online programs to run on it. Java applets, online “free” virus scanners, many “free” games, and even the bogus “you need to install this missing video codec” driver install are all things to avoid.

Encryption works very well at what it does, but it can be vulnerable to some online attacks.
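The in-session behaviour described above, as an added example that is not part of the original post: a PowerShell script (Windows with an EFS-capable edition assumed; the folder and file names come from the post, the export path under $env:TEMP is an assumption) that encrypts a file with EFS, confirms the attribute is set, then reads and re-writes it from the same user session, which is exactly what a reverse shell running as that user can do.

```powershell
# Added example, not code from the original post. Run as the user who owns the session;
# requires an edition of Windows that supports EFS. Paths below are assumptions.
$secretDir  = Join-Path $env:USERPROFILE 'Super Secret'   # folder name taken from the post
$secretFile = Join-Path $secretDir 'Secret.txt'           # file name taken from the post
$exportCopy = Join-Path $env:TEMP 'Secret-copy.txt'       # assumed "attacker download" location

New-Item -ItemType Directory -Path $secretDir -Force | Out-Null
Set-Content -Path $secretFile -Value "Super Secret Insider Tip:`nSell all stocks and buy Tacos."

# Apply EFS to the file (the same thing the "green" file name in Explorer represents).
[IO.File]::Encrypt($secretFile)

# Reports whether NTFS has the Encrypted attribute set on a path.
function Test-EfsEncrypted([string]$Path) {
    (Get-Item $Path).Attributes.HasFlag([IO.FileAttributes]::Encrypted)
}

# 1. The file system says the data is encrypted at rest...
"Encrypted attribute on {0}: {1}" -f $secretFile, (Test-EfsEncrypted $secretFile)

# 2. ...but any process in this user's session gets plaintext transparently.
Get-Content $secretFile

# 3. Writing that plaintext anywhere else (or shipping it off the box) leaves no EFS behind.
Get-Content $secretFile | Set-Content $exportCopy
"Encrypted attribute on {0}: {1}" -f $exportCopy, (Test-EfsEncrypted $exportCopy)
```

The re-written copy carries no Encrypted attribute unless its parent folder is itself EFS-encrypted, which is the plaintext result the post shows in Kate.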

Computer Repair: Help! My Computer is Running Slow!

Probably the #1 complaint I receive from PC owners is that their computer is running slower and slower every day.

So, before you throw the computer out the window (seen that), beat it with a hammer (yeah, seen that too) or drag it out back and shoot it (need I say more?), there may be hope for it yet.

If your computer has been getting progressively slower, here are some things you can try before throwing it out the window or dragging it into a repair shop.

Malware

The #1 cause of computers running slow is adware, spyware, viruses and trojans. Malware goes by several different names, but they are all bad news for your computer. Many of these malware programs run in the background eating up your system’s resources. Even though you have been religious about updating your anti-virus, and have Windows Updates set to install automatically (you do, right?), viruses can still get through.

When I worked in the corporate IT world, I was stunned at how many times computers got infected with viruses, even though they were protected by one of the big two anti-virus/anti-spyware programs. And, when the infection got through, the “big name” virus protection programs just could not remove most of the infections when we were trying to clean them up. After trying several different cleanup programs, I found that PCTools Spyware doctor with Anti-Virus was very effective.


Windows Backdoor: System Level Access via Hot Keys


You hear it all the time in the support forums, “I lost my administrator password, what do I do?” Honestly, it makes you wonder how many times the request is really legit.

But, what if you were having a really bad day and you forgot your password. I mean the world ran out of coffee and your car radio got stuck on a country station on the way in to work. Yes, that kind of bad day. You arrive late to your office; well you did stop at every coffee place on the way in to make sure they were out, what did you expect? You rush to your desk, sit down at your keyboard to login and… nothing. It’s gone, you can’t remember it. You wrote your password on a sticky note on your monitor (of course), but wouldn’t you know, this was the day the cleaning crew actually visited your office, and threw it away. You could call IT support, but that would be you. What do you do? Better yet, how much time would you need? 

60 Seconds. This is how long it takes (minus boot times) to get a command prompt in the latest version of Windows, from the main login screen, with all of the security patches updated and an anti-virus program installed. That is, if you have physical access to the system and can reboot it. And this is not any old command prompt; this is a command prompt as the user “System”. If you know Windows security, then you know that the “System” user is the highest level of authority that you can have. The operating system thinks you are the internal “system”.

This hack requires physical access to the system and access to a DVD or USB drive. It is obtained by the manipulation of the Windows Hot-Keys “utilman.exe” file. This hack has been around (and known) since Windows XP and still works in the latest release of Windows 7. Because it is a manipulation of a Windows service, it has never been patched. And actually, it is used as a solution, with instructions, on Microsoft’s TechNet forum.

After manipulation, once the hotkey is pressed, it instantly opens a command prompt window as the user “System” at the login screen. Typing “explorer.exe” in the command prompt gives you a desktop with the password prompt still visible in the background (see picture). From here, many of the features of Windows are functional. In the following picture you can see the open “Start Bar” & “Internet Explorer” window, along with the login prompt in the background:


Amazingly, this works in Windows Server products as well. If someone had access to your computer and manipulated the hot-keys, they could get system level access to your server at a later date via the hot-key without rebooting your system. Therefore, it is imperative to keep physical security as a top concern in your business. Make sure that your server is in an area that is not available to public traffic and preferably in a locked room. Take extra care with your laptops. Do not leave them in areas that are unattended. 

It is always a good idea to disable services that are not needed. Disabling booting from external devices and setting boot passwords also helps. Unfortunately, disabling the Windows hot-keys is not well documented. With Windows 7, Microsoft recommends a third-party program to tweak these settings. Supposedly you can also do this with a Windows policy edit, but I have not seen this documented either. I have also seen some sites recommend renaming the “utilman.exe” file to something else if not needed. But the best defense is strong physical security.
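An added audit script for the defence side, not from the original post: PowerShell 4.0 or later, run elevated, that checks whether utilman.exe (and sethc.exe, the Sticky Keys helper that is abused the same way) has been swapped for cmd.exe, lacks a valid Microsoft signature, or has been redirected through an Image File Execution Options “Debugger” value, the registry variant of the same backdoor. Only utilman.exe comes from the post; the other file name and the check logic are this example’s own.

```powershell
# Added example, not code from the original post. Requires PowerShell 4.0+ (Get-FileHash)
# and an elevated prompt so System32 and HKLM are readable.
$sys32   = Join-Path $env:SystemRoot 'System32'
$cmdHash = (Get-FileHash -Algorithm SHA256 (Join-Path $sys32 'cmd.exe')).Hash

function Test-AccessibilityBinary {
    param([Parameter(Mandatory)][string]$Name)
    $path    = Join-Path $sys32 $Name
    $finding = [ordered]@{ File = $Name; Status = 'OK'; Detail = '' }

    if (-not (Test-Path $path)) {
        # Renaming the helper is one mitigation the post mentions, so absence is not automatically bad.
        $finding.Status = 'MISSING'; $finding.Detail = 'renamed or removed (may be intentional hardening)'
        return [pscustomobject]$finding
    }
    $hash = (Get-FileHash -Algorithm SHA256 $path).Hash
    $sig  = Get-AuthenticodeSignature $path
    $desc = (Get-Item $path).VersionInfo.FileDescription

    if ($hash -eq $cmdHash) {
        # The classic swap: the helper is a byte-for-byte copy of cmd.exe.
        $finding.Status = 'REPLACED'; $finding.Detail = 'byte-identical to cmd.exe'
    } elseif ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $finding.Status = 'SUSPICIOUS'; $finding.Detail = "signature status: $($sig.Status)"
    } elseif ($desc -match 'Command Processor') {
        # cmd.exe's version resource says "Windows Command Processor"; a helper never should.
        $finding.Status = 'REPLACED'; $finding.Detail = "version info says '$desc'"
    }

    # Registry variant: an IFEO Debugger value launches another program in place of the helper.
    $ifeo = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$Name"
    $dbg  = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $finding.Status = 'HIJACKED'; $finding.Detail = "IFEO Debugger = $dbg" }

    [pscustomobject]$finding
}

# utilman.exe is the file the post describes; sethc.exe (Sticky Keys) is abused the same way.
'utilman.exe', 'sethc.exe' | ForEach-Object { Test-AccessibilityBinary $_ } | Format-Table -AutoSize
```

On Windows 7, catalog-signed system files can report NotSigned from Get-AuthenticodeSignature, so treat the signature result as advisory there and rely on the hash and version-info checks.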