Windows systems are harder to hack than portrayed?

Tuesday, May 31, 2011

I came across this article and I would completely agree with what the author has written.. Windows if hardened and patched properly with some kind of user awareness can reduce the chances of break-ins drastically. 

Over the past few weeks, I've been putting together test hacking scenarios for a customer. They wanted to see copies of the RSA attack [1], the Google attack [2], advanced persistent threat (APT) [3] simulations, social engineered Trojans, worms, remote buffer overflows, and more. The objective: to test what they could do to prevent all of those assaults on their predominately Microsoft Windows environment.

I put the customer's environment through its paces, and as expected, it was great fun. It certainly beats filling out paperwork and reading security policies. But something unexpected happened along the way, although I shouldn't have been surprised as I am a full-time principal security architect at Microsoft: I found that Windows 7 and other Microsoft programs were significantly harder to hack than most anyone would believe. It was difficult to perform almost any hack without disabling multiple default defenses and ignoring one or more additional warnings.  
Now, many readers will paint me as a shill for Microsoft, but if you don't believe me, try it yourself. Until then, please don't waste my time and yours reading me the Riot Act diatribe. I've walked the walk, and the results were surprising.

For example, simulating the RSA and Google attacks only worked if I was using software many years old; neither of them worked if I was using Microsoft software built in the past three to four years. In the RSA attack, employees were sent a spam email claiming to be a recruitment list. It contained an Excel spreadsheet with a link that opened a malicious zero-day Flash file (containing vulnerability CVE 20110609 [7]). The zero-day vulnerability could grant a hacker remote access, and the rest would be history.

First, as with the real attack on RSA, all spam emails were caught and placed in spam folders. Thus, employees had to first leap that small hurdle, which they willingly did. When the Excel file was opened in almost any version of Microsoft Office made in the past 10 years, the user was given a warning that the file contains a macro or script and, depending on the version, a link to an external file. The user was warned that the file may contain a malicious item. A user would have to ignore all of that to even give the malware a chance to launch. Microsoft Office 2010 opened the file in its new Protection Mode, which automatically disables the malicious code, by default.

In order to get the exploit to work, I had to disable most of the protections that Office gives, or I had to act -- as is very reasonable -- like an employee who ignores multiple warnings on purpose. In nearly every exploit, I had to disable User Account Control (UAC) and Data Execution Prevention (DEP) in Windows, Office, and Internet Explorer. Most of the exploits did not work with Internet Explorer 7 or 8.

Even when I disabled all the memory protections, application protections, and so on, warnings continued to pop up. I've always known that a fully patched Windows system was a tough opponent, but I'm here to tell you it's much more resilient than it used to be.

It's not just my lack of leet skillz. I worked with several vulnerability testing vendors, and they all grudgingly agreed it's difficult to hack Windows these days.
Microsoft's own Security Intelligence reports [8] say the same thing: The latest versions of Microsoft Windows are harder to hack than their predecessors (see page four of the Key Findings Summary [9]). To be honest, I never trust those sorts of self-serving statements. But having done the tests myself, I'm a converted believer: The software is getting harder and harder to break.

This is not to say that Microsoft software is impossible to hack. Of course not. Further, zero-day exploits are appearing more frequently, and nearly everyone continues to have unpatched software. But it's more obvious than ever that the biggest threat to any environment is the end-user [10]. Users installing socially engineered Trojans have long been the No. 1 vulnerability in today's computer security policy.

Even the Mac Defender scareware problem [11] affecting Mac users wouldn't be a huge problem if people simply didn't install questionable items. In the course of a given year, a normal installation of OS X will have hundreds of vulnerabilities patched. But none of those matter in this instance.

Software and antimalware vendors need to do a better job of preventing users from shooting themselves in the foot. Internet Explorer 9's improved Smartscreen Filter feature is a fantastic step in the right direction, and I assume other browsers have followed suit or will do so in the near future. Smartscreen Filter has an Application Reputation feature that works fairly well. It looks at files being downloaded; for those that are recognized as popular and legitimate, it removes additional warnings (if so configured). If it finds a high-risk application, it warns the user.

This is a great service, as Microsoft is detecting [12] that one in every 14 Internet downloads is malicious. Better yet, 90 percent of users who get a warning from IE9 don't run those high-risk programs. I had to turn off IE9's Smartscreen Filter feature to get any of the exploits to work.
The list of computer defenses I had to disable to get a working exploit demo working numbered more than 10, and that, my friends, is progress. [infoworld]


  © Blogger templates Newspaper by 2008

Back to TOP