Windows 8 Tells Microsoft About Everything You Install, Not Very Secure

Discussion in 'Windows 8' started by 3xpl05iv3, Aug 24, 2012.

  1. 3xpl05iv3

    3xpl05iv3 MDL Novice

    Feb 29, 2008
    8
    20
    0
    Found this else where:

    Update: According to Microsoft, SmartScreen sends a hash of the app installer and its digital signature, if any. A combination of the hash and the user’s IP address is still enough to identify that IP address x attempted to install software y.

    I’ve recently been using the final, Released to Manufacturing version of Windows 8 on one of my computers, to much delight. I’ve been very impressed by how fast, well-designed, functional and capable this latest iteration of Windows is. However, my tinkering around from a security/privacy perspective has left me concerned.

    Windows 8 has a new featured called Windows SmartScreen, which is turned on by default. Windows SmartScreen’s purpose is to “screen” every single application you try to install from the Internet in order to inform you whether it’s safe to proceed with installing it or not. Here’s how SmartScreen works:

    You download any application from the Internet. Say, the Tor Browser Bundle.
    You open the installer. Windows SmartScreen gathers some identifying information about your application, and sends the data to Microsoft.
    If Microsoft replies saying that the application is not signed with a proper certificate, the user gets an error that looks something like this.

    There are a few serious problems here. The big problem is that Windows 8 is configured to immediately tell Microsoft about every app you download and install. This is a very serious privacy problem, specifically because Microsoft is the central point of authority and data collection/retention here and therefore becomes vulnerable to being served judicial subpoenas or National Security Letters intended to monitor targeted users. This situation is exacerbated when Windows 8 is deployed in countries experiencing political turmoil or repressive political situations.

    This problem can however get even more serious: It may be possible to intercept SmartScreen’s communications to Microsoft and thus learn about every single application downloaded and installed by a target. Here is my analysis:

    A quick packet capture showed the following activity happening immediately when I tried to install the Tor Browser Bundle:

    Click for full size and notes.

    SmartScreen appeared to connect over HTTPS to a server in Redmond (apprep.smartscreen.microsoft.com, 65.55.184.60, run by Microsoft) in order to communicate information about the application I was trying to install.

    After running some tests on this Microsoft server, I discovered that it ran Microsoft IIS 7.5 to handle its HTTPS connections. The Microsoft server is configured to support SSLv2 which is known to be insecure and susceptible to interception. The SSL Certificate Authority chain goes down from “GTE CyberTrust Global Root” to “Microsoft Secure Server Authority.” The Certificate Authority model is itself susceptible to some serious problems.

    I haven’t checked whether Windows SmartScreen does in fact use SSLv2, but the fact that the Microsoft servers support it is concerning. Furthermore, SmartScreen is not easy to disable, and Windows will periodically warn users to re-enable it should they attempt to disable it.

    To recap, here are the concerns posed by SmartScreen in Windows 8:

    Windows 8 will, by default, inform Microsoft of every app downloaded and installed by every user. This puts Microsoft in a compromising, omniscient situation where they are capable of retaining information on the application usage of all Windows 8 users, thus posing a serious privacy concern. The user is not informed of this while installing and setting up Windows 8, even though they are given the option to disable SmartScreen (which is enabled by default.)
    Windows 8 appears to send this information to Microsoft to a server that relies on Certificate Authorities for authentication and supports an outdated and insecure method of encrypted communication. It is possible that these insecurities could allow a malicious third party to target a Windows 8 user and learn which applications they are using. This allows them to profile the user and decide how to best exploit their personal selection of applications and their computing habits.

    I find Microsoft’s decision to design SmartScreen in such a privacy-free fashion to be a very bad choice, and I really hope that these concerns regarding SmartScreen will be addressed in near-future updates.
     
  2. Daz

    Daz MDL Developer / Admin
    Staff Member

    Jul 31, 2009
    9,464
    66,504
    300
    #2 Daz, Aug 24, 2012
    Last edited: Aug 24, 2012
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. PaulDesmond

    PaulDesmond MDL Magnet

    Aug 6, 2009
    6,993
    7,140
    240
    #3 PaulDesmond, Aug 24, 2012
    Last edited by a moderator: Aug 24, 2012
    sorry DAZ, your link is not valid :D
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  4. Mr Jinje

    Mr Jinje MDL Expert

    Aug 19, 2009
    1,773
    1,085
    60
    #4 Mr Jinje, Aug 24, 2012
    Last edited by a moderator: Apr 20, 2017
  5. Daz

    Daz MDL Developer / Admin
    Staff Member

    Jul 31, 2009
    9,464
    66,504
    300
    Fixed. I'm not sure what happened with it's formatting, weird :g:

    @ Mr Jinje
    Hey,

    Nice tip thanks :)
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  6. pisthai

    pisthai Imperfect Human

    Jul 29, 2009
    6,821
    2,005
    210
    There's something more: May you guy's didn't know but if you carefully check, you'll find out that you have an special User Account with Administrator rights on you windows 8 which is setup and run by Microsoft. Even if that account is showing to be disabled, didn't mean that it didn't contact shortly to Redmond Server to send some Data! Even you didn't use an MS Account on your Windows 8, your computer could be identified over it's Mac Address!

    Such User Accounts existing since Windows ME! And we all know that Microsoft is trying to tighten the security of windows more and more, tha last example is the change of the Licensing system with Windows 8 Final. In the release and consumer preview MS were still using the Windows 7 scheme.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  7. Rock Hunter

    Rock Hunter MDL Senior Member

    Dec 6, 2011
    407
    99
    10
    Are you talking about the Guest account?
     
  8. hbhb

    hbhb MDL Expert

    Dec 15, 2010
    1,017
    263
    60
    sneaky bastards:fuyou31: i knew they were up to some no good: :D
     
  9. Computers Plus

    Computers Plus MDL Junior Member

    Aug 16, 2012
    54
    13
    0
    Let's not forget the FBI wanting backdoors into everything nobody is safe from snooping by big brother :mad:
     
  10. pisthai

    pisthai Imperfect Human

    Jul 29, 2009
    6,821
    2,005
    210
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  11. Rock Hunter

    Rock Hunter MDL Senior Member

    Dec 6, 2011
    407
    99
    10
    When I run lusrmgr.msc, I see my users but I do not see a Microsoft user listed there. BTW, Guest is enabled by default just like previous versions of Windows. I disabled it per past recommendations.
     
  12. pisthai

    pisthai Imperfect Human

    Jul 29, 2009
    6,821
    2,005
    210
    If that were that easy, MS were really stupid. You'll need dig a bit deeper!!:rolleyes:
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  13. Mr Jinje

    Mr Jinje MDL Expert

    Aug 19, 2009
    1,773
    1,085
    60
  14. lule

    lule MDL Novice

    May 6, 2012
    8
    0
    0
    You can prove this ? Or you're a crap out miracle man. :eek:
     
  15. ! .ĐΛЄMØИ. !

    ! .ĐΛЄMØИ. ! MDL Junior Member

    Apr 19, 2010
    63
    11
    0
    You have nothing to worry about if you have a recovery account. If your main one gets hacked you can request a password change and that gets sent to your recovery email.
     
  16. Mr Jinje

    Mr Jinje MDL Expert

    Aug 19, 2009
    1,773
    1,085
    60
    But then the people who steal your account change your recovery email address so that when you try to recover it goes to their email address instead.
     
  17. ! .ĐΛЄMØИ. !

    ! .ĐΛЄMØИ. ! MDL Junior Member

    Apr 19, 2010
    63
    11
    0
    They can't though, you can't change the recovery email without entering the password for that account too. (I think?)
     
  18. roirraW "edor" ehT

    roirraW "edor" ehT MDL Addicted

    Sep 1, 2007
    616
    215
    30
    They probably send a confirmation email to your original recovery email, so that you can challenge the change if it wasn't done by you. That's how it's normally done.

    I always turn off the SmartScreen settings, I have since Internet Explorer started including SmartScreen (IE7/Vista?).

    No, MS doesn't ask for the password for any of your accounts except for MS accounts when you use them.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  19. ! .ĐΛЄMØИ. !

    ! .ĐΛЄMØИ. ! MDL Junior Member

    Apr 19, 2010
    63
    11
    0
    Yeah I found that out.

    Well my recovery account isn't Hotmail, it's Yahoo.. does that make a difference ?

    Also, that Trusted PC feature.. is that like Steam guard?