Technology

Windows 10: Security, Privacy Questions

Active-by-Default Services Trigger Warnings
Windows 10: Security, Privacy Questions

Based on glowing reviews and rapid adoption, the new Windows 10 operating system may give Microsoft the market "win" that it's been desperately seeking. But whether the new OS represents a win or loss for users' privacy and security remains an open question.

See Also: Data Center Security Study - The Results

Unofficial statistics suggest that in the first 48 hours following its release on July 29, Windows 10 was installed on 67 million devices. So the Redmond, Wash.-based technology giant is apparently already well on its way to its stated goal of seeing the OS running on 1 billion devices by 2018.

Microsoft is releasing Windows 10 in phases. All versions will be free - for the next year - for anyone using Windows 7 or newer. And while no official release date has yet been set for Windows 10 Professional, which is the version pitched explicitly to enterprises, some sources suggest it will be released later this month.

As Microsoft continues to roll out Windows 10 in waves, security and privacy experts have been taking a close look at the new operating system, which is the successor to Windows 8. "Now with Windows 10 you can create and share in ways you never thought possible," a Microsoft advertisement promises.

Microsoft's Windows 10 marketing message claims that users will have to worry less about security.

But what the company does not say is that at least with the Home version of the new OS, such sharing - as well as a number of other features that have security and privacy ramifications - are enabled by default. And security experts say those defaults are not necessarily a good thing for either users or businesses, be they small, medium or large.

On the other hand, many of the pre-announced features in Windows 10 Pro - and some other versions - do have big potential enterprise security upsides, such as the new Edge browser, which was built from the ground up to be more secure. For access control, users can employ Windows Hello for biometric authentication. The OS also includes new enterprise data protection capabilities that can "automatically encrypt corporate apps, data, email, website content and other sensitive information, as it arrives on the device from corporate network locations (see Windows 10: No More Monthly Patches).

Windows 10: Different Defaults?

As for what features the enterprise-oriented version of Windows 10 will contain, "I'll be stunned if Pro's defaults are the same," says Sean Sullivan, an adviser at the security firm F-Secure.

Microsoft's head of Windows marketing, Tony Prophet says the company will offer seven versions of the new Windows 10: Home, Mobile, Pro, Enterprise, Education, Mobile Enterprise, as well as a super-thin-client version called "Windows 10 IoT Core," which is designed to power "Internet of Things" devices.

Although the Pro version could wind up with numerous services disabled by default, not every business user will be using that version. Indeed, any employee who makes a bring-your-own-device move and connects their personal Windows 10 laptop or tablet to their corporate network could pose a risk to the organization thanks to the "every service is active by default" settings.

That's why numerous security experts recommend that Microsoft and other software vendors disable potentially risky services by default. Vendors then could tell customers "if it works for you, then this is how you turn it on," says Mark James, a security specialist at the security firm ESET.

ESET's Mark James discusses the security risks posed by on-by-default services.

Microsoft's decision to activate all of the Windows 10 Home collaboration capabilities, sharing options and cloud services by default is likely an attempt to get new users hooked and drive more widespread adoption of Windows 10 by the many organizations that have not been rushing to upgrade from older versions of Windows. "Microsoft is trying to catch up at this point," Sullivan says. "But I think it will be difficult to balance consumer and enterprise needs and wants."

Close Cloud Ties - By Default

Among features enabled by default in Windows 10 are those that have ties to Microsoft's cloud services and location-based services.

"Honestly, cloud-connected makes sense in a way," but not all the time, or for every use case, F-Secure's Sullivan says. "It isn't what I want by default in my general-purpose computer. I use multiple devices; I don't want all of them so heavily tethered to cloud stuff I don't need while sitting at home. If I want to know the weather from home, I can just look out the window."

But in Windows 10 Home, every such service appears to be enabled by default, according to numerous reviews. In addition, deactivating all of those features reportedly requires navigating through more than a dozen screens and opting out of numerous options. Microsoft also has yet to issue a clear privacy policy that states exactly how it will collect and retain information collected by various parts of the operating system, including its new Edge browser, as well as its Siri-like Cortana digital assistant.

Does WiFi Sense Make Sense?

Windows 10 Home also automatically - and by default - enables a feature called WiFi Sense, which allows anyone to log into a private wireless network to which any "friend" already has access. Friends are determined by anyone who is in a user's Outlook.com, Hotmail or Skype contact list, or - if the user opts in - a Facebook friend.

Microsoft promises that any such sharing, while automatic, will be secure and limited to Internet access, rather than local area network access. "For networks you choose to share access to, the password is sent over an encrypted connection and stored in an encrypted file on a Microsoft server, and then sent over a secure connection to your contacts' phone if they use WiFi Sense and they're in range of the WiFi network you shared," says Microsoft's WiFi Sense FAQ.

But the risk from these types of features, says ESET's James, is that many users will probably never deactivate any function that is turned on by default, even if it poses a security or privacy threat. That's because users either will not be aware of the function or understand it, and the risks that it might pose. "I do think that ... stuff like the WiFi Sense, things like that, it will just be on, [and] people will just leave it on," he says.

Lots of Sharing

Many security experts have questioned whether enabling easy access to otherwise private WiFi networks is a good thing. And they've also warned that data caps for some ISPs may trigger extra charges, while anyone who looks like a bandwidth hog may see their ISP downgrade - a.k.a. throttle - their Internet connection, thanks in particular to the new Windows Update Delivery Optimization. WUDO, as it's also known, allows an update to be downloaded once to the local network, then passed around via peer-to-peer sharing via the LAN as well as to the Internet at large.

"If you have a metered connection, you need to know that full-blown WUDO is on by default in Windows 10," says Paul Ducklin, a senior security advisor at security firm Sophos, in a blog post. "WUDO not only looks for other computers on your own internal network - it also tries ... to find other computers on the Internet that can help you out."

Ducklin likens the feature to the BitTorrent P2P client, only for Windows updates. But for enterprise security managers, anything that has P2P-like features and provides a way into the enterprise - or is allowed to touch Windows installations and thus potentially infect them with malicious code - is a cause for concern.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network