Windows Security Blog

Dealing with Fake Tech Support & Phone Scams

Eric Foster — Thu, 16 Jun 2011 20:53:00 GMT

On this blog, we’ve discussed the ways that scammers can attack your PC, through malicious software, rogue security alerts, phishing attacks and more. But the bad guys have now devised a new vector: the phone. I first learned about this when I heard my parents had received a call that they had been identified as having rogue software on their PC. The caller, who said he was from Microsoft, needed to remote access their PC to resolve the issue. Turns out scammers like these were simply taking the time to prey on potential victims by calling them and masquerading as a representative from a trusted institution to trick them into giving up valuable and personal information. Sometimes, as in my parents’ case and others, they even advise installing a remote access code so scammers will have full access to the PC.

We’ve discovered this telephone scam is aimed at English-speaking countries, including North America and the United Kingdom. The callers pretend to be from Microsoft and try to sell the victim something, direct them to a specific website, asked for remote access, to install software, a credit card number, or run a bogus security scan that showed an infection. The Trustworthy Computing Team conducted a survey of 7,000 people, and found that more than 1,000 people had received calls. Of those 1,000 people, 22 percent of people fell for the scam (234 people total), and 184 of those lost money - on average, more than $800.

You can check out some tips for avoiding phone scams here, but we want to remind you will never receive a legitimate call from Microsoft or our partners to charge you for computer fixes. If someone does call you claiming to be from Microsoft:

Never give control of your computer to a third party unless you can confirm that it is a legitimate representative of a computer support team with whom you are already a customer.
Never provide your credit card or financial information to someone claiming to be from Microsoft tech support if you did not initiate the call to Microsoft first.
Ask upfront if you are required to purchase software or pay a fee or subscription associated with the "service." If there is, hang up.
Take the caller's information down and immediately report it to your local authorities. If you think you’ve been the victim of a scam, check out these tips that can help you protect your money and identity.

It’s a jungle out there! Please remember to question any unsolicited email or call. If the email came from somebody in your contact list but it feels suspicious, here is a great article on recognizing phishing emails. Lastly, always keep your PC protected with antivirus software like Microsoft Security Essentials, which is free or software from one of our partners.

Combating social engineering tactics, like cookiejacking, to stay safer online

Brandon LeBlanc — Sat, 28 May 2011 19:02:26 GMT

You may have seen articles recently that highlight a social engineering technique called “cookiejacking” and how a particular instance may currently affect Internet Explorer.

It’s important to note that we have not seen widespread attacks related to this specific case. However we take security very seriously and to ensure customers are protected, we are working on an update to Internet Explorer.

Cookiejacking is a variant of an industry-wide attack type known as clickjacking. All Internet browsers are potentially susceptible to clickjacking which is a form of social engineering attack, so as well as talking about this issue we wanted to highlight some more general best practices for staying safe online.

We also wanted to put this specific issue in context. In order to be exposed to risk a number of things would need to happen. You’d need to be tricked into interacting with malicious content on a website. Only after this could a third party steal cookies from a website that you were previously logged into. While this threat has been demonstrated by a security researcher, to date we are not aware of any actual attacks online.

The InPrivate Browsing feature in Internet Explorer will prevent cookies from earlier browsing sessions being stored on your PC, and mean they are not vulnerable to cookiejacking even in the circumstances described.

This is a form of social engineering attack and these kinds of threats will remain a concern for Internet users on all browsers. Software vulnerabilities are not needed for these kinds of threats to be successful so it is always a good idea to follow best practices – regardless of the browser you are using - in order to stay safe..

Some social engineering scams can be easily recognized by containing any of the following:

Odd messages from friends on social networking sites to participate in games or offers you must act upon immediately.
Alarmist messages and threats of account closures.
Promises of money for little or no effort.
Deals that sound too good to be true.
Requests to donate to a charitable organization after a disaster that has been in the news.
Bad grammar and misspellings.

To learn more about identifying social engineering scams and how to protect against them, please see Microsoft’s guidance on email and web scams. One of the basic rules on the Internet, as in life, is to use common sense and be suspicious of contacts from strangers, things that don’t look quite right or offers that appear too good to be true.

Internet Explorer includes some industry leading features to help protect against other forms of socially engineered attacks.

Our SmartScreen filter technology helps detect phishing websites. SmartScreen Filter can also help protect you from installing malicious software or malware, which are programs that demonstrate illegal, viral, fraudulent, or malicious behavior.

As well as the SmartScreen service, we’ve also invested in Microsoft Security Essentials, - free anti-virus software for Windows customers. In addition, we work with other anti-virus vendors around the world to share information about software security issues which allows them to develop better protections, faster, for their customers. This is what we refer to as community based defense.

Socially engineered attacks are criminal activities and Microsoft fights these battles on the legal front as well. Our Digital Crimes Unit (DCU) works with law enforcement and government agencies daily to take down major botnets that are responsible for huge amounts of spam and social engineering attacks across the Internet.

Social engineering is a threat across the industry, and at Microsoft we’re diligently working to help keep customers safe online.

Windows 7 is now Common Criteria Certified!

Eric Foster — Wed, 27 Apr 2011 16:35:01 GMT

Our friends over at the FutureFed blog reported that Windows 7 the has passed the Common Criteria (CC) certification process and achieved Evaluation Assurance Level 4 with augmentation (EAL4+). Common Criteria certification is an international standard recognized by 26 member nations including the United States and is a procurement requirement for U.S. Defense and national security customers.

With this certification, we are excited that our federal customers as well as foreign governments can feel secure in deploying Windows 7, having successfully passed the rigorous security testing protocols set forth by the National Information Assurance Partnership.

Several governments have already successfully deployed Windows 7, including the Moscow North District Prefecture in Russia, the Vernon Hills Police Department in Chicago, Illinois, the City of Miami, Florida and the City of Stockholm, Sweden.

This is exciting news, but not surprising as Windows 7 is our most secure operating system to date. In addition to enhancing existing security features in Windows, we incorporated customer feedback throughout the development process of Windows 7 to deliver innovative new security features, including Direct Access, AppLocker and BitLocker To Go.

Congratulations, Windows 7!

Security and Internet Explorer

Eric Foster — Fri, 11 Mar 2011 23:27:12 GMT

While the Internet is an amazing resource in terms of the information you can find and things you can do today, it’s important to also be smart about how you browse. A browser can be a great tool in helping you stay safe when you go online.

Most online attacks fall into one of the three situations:

1. Malware that relies on social engineering to spread

2. Attacks directed against your browser or your operating system

3. Attacks directed towards the websites you visit

Let me spend some time describing what I mean by each of these, and also how Internet Explorer can help protect you from each of these types of attacks.

Helping Protect You from Socially Engineered Attacks

A term that you may hear on occasion within the security realm is “socially engineered attacks.” What this means is an attacker uses clever techniques to get you to lower your guard and trick you into doing something that makes you vulnerable to an attack. The idea here is that they aren’t looking for weaknesses in code; rather, they’re trying to fool you into a trap.

The ways in which we see this play out are varied; it may be that you get spam – that is to say an email from a fake bank that actually takes you to a malicious site, or an email supposedly from a friend that encourages you to download a file which may contain malware. To help keep you safe from such types of attacks, Internet Explorer comes with the Smart Screen filter technology, which has been improved even more with Internet Explorer 9. SmartScreen makes it harder for someone to trick you into opening a malicious page, or con you with a phishing site. This technology checks to see if the site you’re visiting is suspected of hosting malicious code and subsequently prevents you from continuing on to that page. Internet Explorer 9 goes one step further by warning you only when you download applications that may be of higher risk.

Technologies like this can make a big difference in helping to keep you safe online. In December, NSS Labs reported that Internet Explorer offers the best protection against the spread of socially-engineered malware. As you can see in the below chart, Internet Explorer 8 (90%) and Internet Explorer 9 (99%) offer significantly more protection than other browsers.

Mitigating Attacks on Your Browser and PC

Internet Explorer also helps protect against deliberate attacks where bad code is hosted on a site that is designed to exploit weaknesses in the software on your PC. Among all the lines of code that make up software, there can be vulnerabilities. The Internet Explorer team designed its browser with security in mind, and in comparison to other browsers, Internet Explorer has fewer vulnerabilities. The chart below illustrates the number of publicly known vulnerabilities in 2010 divided by each browser, according to the National Vulnerability Database.

*Data source: National Vulnerability Database. Data is based upon the most recently shipped versions available during this time period. In the case of Chrome, versions 5, 6, 7, & 8 were all released during this time period.

At Microsoft, products are built with a secure-by-design approach, where security is designed into the product from the ground up. The result of this effort is a browser that includes specific features to help people stay secure and technologies that help insulate the browser against exploits. In addition to Microsoft’s security processes, which includes the Security Development Lifecycle, Software Security Incident Response Process (SSIRP), and monthly security bulletins, some ways in which you might see this at a product level include features such as Protected Mode, Data Execution Prevention, and many others, both in Internet Explorer 8, and the soon to be released Internet Explorer 9.

Protecting Against the Compromised Websites

This last scenario is when an attacker that has compromised a site that you visit in a way that interferes with how your browser relates to the site. This type of an attack is called a cross-site scripting attack. In this instance, an attacker gets an unsuspecting server to load special code on your browser that allows the attacker to do anything from monitoring your keystrokes to performing actions on your behalf on the site. Internet Explorer has built in a Cross-Site Script Filter that makes such attacks more difficult and helps protect you.

The upcoming release of Internet Explorer 9 contains even more features designed to help keep you safer such as ActiveX Filtering and Application Reputation. More information on how Microsoft technologies can keep you secure can be found here.

Fake Microsoft Security Essentials software on the loose. Don’t be fooled by it!

Eric Foster — Mon, 25 Oct 2010 22:17:01 GMT

Last week, we saw the re-emergence of another new trojan that is disguising itself as Microsoft’s no-cost antimalware program Microsoft Security Essentials. This imposter is known in the technical world of antimalware combat as “Win32/FakePAV”. FakePAV is a rogue that displays messages that imitate Microsoft Security Essentials threat reports in order to entice the user into downloading and paying for a rogue security scanner. The rogue persistently terminates numerous processes such as Windows Registry Editor, Internet Explorer, Windows Restore and other utilities and applications.

This fake software is distributed by a tactic commonly described as a “drive-by download” and shows up as a hotfix.exe or as an mstsc.exe file. Additionally, after the fake Microsoft Security Essentials software reports it cannot clean the claimed malware infection, it offers to install additional antimalware rogues (with names such as AntiSpySafeguard, Major Defense Kit, Peak Protection, Pest Detector and Red Cross). Lastly, this fake program will try to scare you into purchasing a product.

Before we get to the detailed view of how this trojan works, we want the message to be very clear: This software is a fake. Do not be fooled by this scam. This malware can potentially cause consumers and small business owners harm. Microsoft Security Essentials can be downloaded and used at no cost by users running genuine Windows (Download here: http://www.microsoft.com/security_essentials/). So anything mimicking Microsoft Security Essentials but asking for any sort of payment is clearly up to no good.

If you have not already updated your security software please do so. Making sure your security software is up-to-date and has the latest definitions is the best way to prevent infections.

And now onto a detailed look at FakePAV. While different FakePAV distributions have different payloads, here is how the current one imitating Microsoft Security Essentials works:

1. It modifies the system so that it runs when Windows starts

2. When you go to execute something it’s watching for, it opens the alert window claiming the program is infected and blocks it from running.

3. You can expand it out for “additional details”

4. If you click “Clean computer” or “Apply actions”, it simulates an attempt to clean the claimed infection

5. You’ll then get an ‘unable to clean’ alert and be instructed to click ‘Scan Online’

6. Clicking this, a list of antimalware programs appears, including several fake removal tools, and you’d need to click Start Scan

7. Once the simulated scan completes, it will claim a solution was found and list products that can ‘clean’ the system (the listed products are fake removal tools).

8. Clicking ‘Free install’ on one of those downloads will download its installer and start installing

If you believe your machine has become infected, we encourage you to use Microsoft Security Essentials to check your PC for malware and to help remove them from your system. You can also find out how to get virus-related assistance at no charge from Microsoft here: http://www.microsoft.com/protect/support/default.mspx.

For more information on this FakePAV please visit our encyclopedia entry at http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Rogue%3aWin32%2fFakePAV. It contains a lot of information that may help answer questions about this rogue.

And remember: Microsoft does not charge for Microsoft Security Essentials. You can find the legitimate version of Microsoft Security Essentials at http://www.microsoft.com/security_essentials.

Microsoft Security Essentials available to Small Businesses on October 7

Eric Foster — Wed, 06 Oct 2010 16:20:10 GMT

We announced back in September that Microsoft Security Essentials would be changing its licensing terms and would soon become available to small business on up to 10 PCs. We are happy to announce that beginning tomorrow, October 7, the change will go into effect and small business owners will be able to download and install Microsoft Security Essentials. This new availability will allow small businesses that operate outside of the home to take advantage of Microsoft’s no-cost antimalware service that will help them save time, save money and remain productive while protecting them from viruses, spyware and other malicious threats. If you operate a small business with more than 10 PCs, we do recommend that you consider using the Forefront line products to address your security needs.

In just one year on the market, more than 30 million customers are now enjoying the quiet protection Microsoft Security Essentials provides, and Microsoft is excited to now offer Microsoft Security Essentials to the small business community.

For more information about this new availability, check out the Microsoft SMB Community blog and the feature story on Microsoft.com.

Microsoft Security Essentials Celebrates First Birthday with 30 Million Customers!

Eric Foster — Wed, 29 Sep 2010 21:23:00 GMT

It has been one year since Microsoft Security Essentials was made generally available to the public and to celebrate, we are pleased to share that there are now over 30 million customers in 74 different countries around the world enjoying the trusted security and quiet protection that Microsoft Security Essentials provides.

In addition, we are also pleased to share that Microsoft Security Essentials will now come pre-installed on the HP ENVY 14 series and HP ENVY 14 Beats™ edition series PCs starting today. But we’ll talk more about that in a minute.

First, let’s talk about the impact Microsoft Security Essentials is having on the Windows ecosystem.

Making an Impact with Microsoft Security Essentials

When we announced Microsoft Security Essentials last year, we said, “Making Microsoft Security Essentials broadly available as a free consumer download for genuine Windows-based PCs is part of Microsoft’s ongoing commitment to provide a more trustworthy computing experience for all customers. By making Microsoft Security Essentials easy to get and easy to use, Microsoft hopes to encourage broader adoption of antivirus protection across the consumer audience, which in turn will help increase security across the entire Windows ecosystem.”

And today, helping increase security across the Windows ecosystem is exactly what we are doing.

According to the Microsoft Malware Protection Center (MMPC), in addition to providing a no-cost security solution to tens of millions of customers that may not have been actively protected before, Microsoft Security Essentials detected nearly 400 million threats over the past year, with customers choosing to remove more than 366 million of those threats. For more information about the specific threat breakdown, please visit the MMPC Blog.

Other highlights from this past year include:

· Originally introduced in 8 languages and 19 countries around the world, Microsoft Security Essentials is currently available and supported in 25 languages and 74 countries globally.

· Microsoft Security Essentials is certified by two of the industry’s leading independent certification authorities: International Computer Security Association Labs (ICSA) and West Coast Labs. It also received the most recent VB100 Award and as well as certification from AV-Test.

· Beginning in October Microsoft Security Essentials will be made available to small businesses on up to 10 PCs for free.

· Microsoft Security Essentials was made available for online partner distribution, as a pre-install on OEM PCs and for distribution by publications as covermount software.

· Microsoft Security Essentials received the PC Advisor Awards 2010 - Best Free Software award and is rated by Consumer Reports as a “Best Buy”.

As you can see, it’s been a pretty exciting year for Microsoft Security Essentials! And the fun doesn’t stop here…

Microsoft Security Essentials Coming Pre-installed on HP Envy Notebooks

Microsoft Security Essentials is currently available to consumers, and soon to small businesses on up to 10 PCs, as a download directly from Microsoft. But today we are thrilled to let you know that HP will be pre-installing Microsoft Security Essentials on the HP ENVY 14 series and the HP ENVY 14 Beats™ edition series PCs beginning today, so be sure to go check these out.

These PCs are stylish and feature powerful Intel® Core™ processors designed to fit the needs of a variety of consumers. In fact, Ben Rudolph (aka “Ben the PC Guy”) has taken the HP ENVY 14 Beats™ edition series for a test drive. For more details on that please visit the Windows Experience Blog.

To learn more about Microsoft Security Essentials, please visit the Microsoft Security Essentials Web site.

So, Happy Birthday Microsoft Security Essentials! And thank you to our valued customers and partners for a very exciting year.

Cheers!

Eric and the entire Microsoft Security Essentials product team

Microsoft Security Essentials now available for Small Businesses

Eric Foster — Wed, 22 Sep 2010 16:18:00 GMT

As we continue to evolve security and privacy at Microsoft, we are doing more than securing our own products and refining our own processes – we are continually responding to the growing and changing threat landscape. Despite the proliferation and increasing impact of threats in the environment, many consumers and small businesses, both in mature and emerging markets remain unprotected. There are several reasons for this:

Performance Concerns: Customers worry that antimalware software can impact the performance of their machines and degrade their computing experience.
Customer Confusion: Many customers are confused by trials and annual subscription renewals, in many cases believing their PCs are covered when in fact their subscriptions have expired and they are at risk.
Payment Method Barriers: Traditional online subscription and payment models do not work in emerging markets where customer and small business credit is not always readily available.
Cost: Many consumers and an increasing number of small businesses are either unwilling or unable to pay the ongoing subscription costs for the security suite solutions that come on their PCs.

It is for these reasons that we are announcing that in early October Microsoft will make Microsoft Security Essentials available to small businesses for download and installation on up to 10 PCs. This new availability will allow small businesses to take advantage of Microsoft’s no-cost antimalware service that will help them save time, save money and remain productive while protecting them from viruses, spyware and other malicious threats. With Microsoft Security Essentials, small businesses with less than 10 PCs can feel safe knowing they are using an industry certified antimalware that utilizes the same core malware protection engine that drives Microsoft’s enterprise solutions solution and is backed by Microsoft’s leading Security Response resources.

For more information on the news, check out the Microsoft SMB Community blog and the feature story on Microsoft.com

Microsoft Security Essentials Receives AV-Test Certificate

Eric Foster — Wed, 18 Aug 2010 16:17:37 GMT

Anti-virus research and data security organization AV-Test recently spent three months testing 19 security products in the areas of protection, repair and usability. On Monday, August 16th they released the test results, and we’re excited that Microsoft Security Essentials has received another certification, this time from AV-Test.org.

According to the AV-Test Product Review and Certification Report, the "Protection" category covers static and dynamic malware detection, including testing for real-world 0-Day attacks. "Repair" evaluates the system disinfection and rootkit removal in detail, which is critical for ensuring AV solutions effectively clean malware off of consumers’ computers. The "Usability" testing criteria includes the amount of system slow-down caused by the tools and the number of false positives. You can read the full set of test reports here.

As we mentioned last week, the most important validation of AV quality comes from independent certification organizations like VB100, AV-Test and others. With the current version of Microsoft Security Essentials and the new version now available in beta, our commitment remains constant: to provide security you can trust that is easy to use and provides protection that runs quietly and efficiently in the background, ensuring a great Windows user experience.

You can get the current version of Microsoft Security Essentials at no cost by visiting the Microsoft Security Essentials website here.

Microsoft Security Essentials Earns August VB100 certification

Eric Foster — Thu, 12 Aug 2010 19:02:56 GMT

By way of introduction, I’m Eric Foster and have recently joined my colleagues on The Windows Blog to write on ‘all things’ security. I thought it only fitting that my first blog be about one of my favorite personal product recommendations, Microsoft Security Essentials.

Not sure how many of you know about the VB100 award but it’s a public test conducted by Virus Bulletin, a highly reputable testing organization in the industry, designed to measure the detection effectiveness and quality of antivirus (AV) products. The most important validation of AV quality comes from independent certification organizations like Virus Bulletin.

And so it is no surprise that we are very excited to share that Microsoft Security Essentials, our no-cost anti-malware service for consumers, achieved the VB100 award for the August 2010 Edition of Virus Bulletin.

There are a number of different methodologies that can be used to test the effectiveness of an anti-virus solution. In order for a product to be awarded the VB100 certification, it needs to detect 100% of the WildList malware samples (a prevalent malware subset contributed by a group of researchers in AV community) and must not have any false positives (FP or incorrect detections) on the Virus Bulletin clean file collection. According to Virus Bulletin, “Detection rates were strong as ever...with no problems in the WildList or clean sets, Microsoft earns another VB100 award with ease.” [Page 50, Virus Bulletin August 2010 Edition]

Microsoft products including Microsoft Security Essentials and Forefront Client Security, have received VB100 awards since June 2007, demonstrating Microsoft’s dedication to quality and our commitment to providing effective anti-malware protection to consumers and enterprise customers alike.

If you don’t already have an AV solution installed on your PC – and its estimated that over 80% of consumers report having up-to-date AV installed but market data shows that less than 50% of consumers actually do – you can get Microsoft Security Essentials at no cost by visiting the Microsoft Security Essentials website here .

Protecting Browsers with Defense In Depth Techniques

Paul Cooke — Fri, 26 Mar 2010 15:00:00 GMT

Posted on half of Pete LePage on the Internet Explorer team.

Protecting Windows customers is an absolute priority for the Internet Explorer engineering team. That's why we work hard to make sure our browser has some of the best safety and privacy features available today. We've spent a lot of time talking about some of the more visible safety and privacy features like our SmartScreen Filter, that protects users from socially engineered malware and phishing attacks; or the InPrivate features that put you in control of how you share your information.

But there are a number of other features that aren't as visible and help prevent vulnerabilities from being exploited, though some are only available on newer platforms like Windows Vista or Windows 7. For example, Protected Mode helps ensure exploited code cannot access system or other resources. Address Space Layout Randomization (ASLR)helps prevent attackers from getting memory addresses to use in buffer overflow situations. Data Execution Prevention (DEP) helps to foil attacks by preventing code from running in memory that is marked non-executable. These defense in depth protections are designed to make it significantly harder for attackers to exploit vulnerabilities.

One way to think about what defense in depth techniques do is similar to the features offered by fire-proof safes that make them last longer in a fire. Without defense in depth techniques, a fire-proof safe may only protect its contents for an hour or two. A stronger fire-proof safe with several defense in depth features still won't guarantee the valuables forever, but adds significant time and protection to how long the contents will last.

Recently, there has been some news from some security researchers about how they've managed to bypass DEP or ASLR in Internet Explorer (and Firefox as well). But like the fire-proof safe example above, defense in depth techniques aren't designed to prevent every attack forever, but to instead make it significantly harder to exploit a vulnerability. Defense in depth features, including DEP and ASLR continue to be highly effective protection mechanisms.

Internet Explorer 8 on Windows 7 helps protect users with all of these defense in depth features, and there is nothing that you have to do to enable them - they're on by default. That's one of the reasons why we encourage users to make sure they're running the latest and most up-to-date software.

Vulnerability in Virtual PC?

Paul Cooke — Wed, 17 Mar 2010 02:27:00 GMT

Earlier today, Core Security Technologies issued a security advisory for our Virtual PC (VPC) software. The advisory calls out a proof of concept where the virtual machine monitor allows memory pages above the 2GB level to be read from or written to by user-space programs running within a guest operating system. The advisory explicitly calls into question the effectiveness of many of the security hardening features of Windows, including DEP, SafeSEH, and ASLR. Folks are already starting to ask questions about this advisory, so I thought it would be best to answer them here.

First and foremost, customers should rest assured that this advisory does not affect the security of Windows 7 systems directly. The security safeguards (DEP, ASLR, SafeSEH, etc.) that are in place remain effective at helping protect users from malware on that system. In addition, Our Windows Server virtualization technology, Hyper-V, is also not affected by this advisory. Applications running inside a Hyper-V guest continue to benefit from these same security safeguards.

The functionality that Core calls out is not an actual vulnerability per se. Instead, they are describing a way for an attacker to more easily exploit security vulnerabilities that must already be present on the system. It's a subtle point, but one that folks should really understand. The protection mechanisms that are present in the Windows kernel are rendered less effective inside of a virtual machine as opposed to a physical machine. There is no vulnerability introduced, just a loss of certain security protection mechanisms.

The functionality described only affects the guest operating system that is running within a Virtual PC environment. In practice, the guest operating system in a Virtual PC environment is typically Windows XP as part of Windows XP Mode. Of the safeguards Core calls out, it should be noted that only DEP is available in Windows XP SP3; Windows XP doesn't contain ASLR. The net result? An attacker can only exploit a vulnerable application running "inside" the guest virtual machine on Windows XP, rather than Windows 7!

We believe that Windows XP Mode and Windows Virtual PC are great bridging strategies to help customers who have legacy applications get up and running on Windows 7. For those customers who need Windows XP Mode, they should look to install only the required subset of applications that need Windows XP in order to function properly while planning to move those applications to Windows 7 in the future.

One final point, whether the version of Windows you are running is virtualized or running physically on a computer, it's equally important to follow sound security practices. You should make sure your firewall is enabled, that you have anti-virus software installed, and that you keep your software up to date through automatic updates. For more information on how to protect your PC, visit http://www.microsoft.com/protect/.

Creating a Safer, More Trusted Internet

Paul Cooke — Wed, 03 Mar 2010 18:35:00 GMT

The RSA Security Conference is underway this week in San Francisco and Microsoft's own Scott Charney, Corporate Vice President Trustworthy Computing, delivered one of yesterday's keynote addresses: Creating a Safer, More Trusted Internet. The keynote centered on Microsoft's Trustworthy Computing initiative, our End to End Trust vision, and how we have been working to further protect the security and privacy of for all the users of the Internet.

The End to End Trust vision has not changed over the last couple of years and we don't anticipate it changing for some time. We continue to make progress along this vision and Scott outlined many areas where we are actively engaged and providing thought leadership. The keynote showcased how our vision for End to End Trust applies to cloud computing, detailed progress toward a claims-based identity meta-system, and called for public and private organizations alike to prevent and disrupt cybercrime.

One of the most interesting aspects from my perspective was the notion of creating a "World Health Organization" model for the Internet. We are calling on the governments and industry to creatively help prevent cybercrime by implementing technology and policy models that assess PC health before connecting the machine to the Internet. This is an ambitious vision and one I am proud to support.

If you want to know more about the things Scott talked about in his keynote and our End To End vision, I encourage you to visit the newly revamped End To End Trust website for more details.

Black Hat TPM Hack and BitLocker

Paul Cooke — Wed, 10 Feb 2010 19:08:00 GMT

Last week at the Black Hat DC conference a presenter showed how one manufacturer's Trusted Platform Module (TPM) could be physically compromised to gain access to the secrets stored inside. Since that presentation, I have had plenty of questions from customers wanting to know how this might affect Windows. The answer? We believe that using a TPM is still an effective means to help protect sensitive information and accordingly take advantage of a TPM (if available) with our BitLocker Drive Encryption feature in Windows 7.

The attack shown requires physical possession of the PC and requires someone with specialized equipment, intimate knowledge of semiconductor design, and advanced skills. While this attack is certainly interesting, these methods are difficult to duplicate, and as such, pose a very low risk in practice. Furthermore, it is possible to configure BitLocker in a way that mitigates this unlikely attack.

With our design for BitLocker in Windows 7, we took into account the theoretical possibility that a TPM might become compromised due to advanced attacks like this one, or because of poor designs and implementations. The engineering team changed the cryptographic structure for BitLocker when configured to use enhanced pin technology, discussed in the BitLocker Drive Encryption in Windows 7: Frequently Asked Questions. As a result, an attacker must not only be able to retrieve the appropriate secret from the TPM, they must also find the user-configured PIN. If the PIN is sufficiently complex, this poses a hard, if not infeasible, problem to solve in order to obtain the required key to unlock the BitLocker protected disk volume.

BitLocker remains an effective solution to help safeguard personal and private data on mobile computers. For more information on BitLocker best practices, we have published guidance in The Data Encryption Toolkit for Mobile PCs. This toolkit discusses the balance of security and usability and details that the most secure method to use BitLocker in hibernate mode and a TPM+PIN configuration. With the advancements in Windows 7, users that are worries about potential attacks such as this one should also enable the Allow enhanced PINs for startup group policy setting for their environment.

Windows BitLocker Claims

Paul Cooke — Mon, 07 Dec 2009 16:00:00 GMT

Windows 7 is seeing success in the marketplace which I am very happy about from a security perspective. The Microsoft Security Intelligence Report has shown us again and again that the more up-to-date a PC is, the less likely it is to be infected by malware and other potentially dangerous software. So Windows 7 making strides is helpful to the ecosystem overall from a security standpoint. Success comes at a price though, through greater scrutiny and misinterpretation of some of the technologies. One of those technologies is BitLocker.

I've seen numerous claims the past few weeks about weaknesses in BitLocker and even claims of commercial software that "breaks" BitLocker. One claim is from a product that "allows bypassing BitLocker encryption for seized computers." This claim is for a forensics product and has legitimate uses; however, to say it "breaks" BitLocker is a bit of a misnomer. The tool "recovers encryption keys for hard drives" which relies on the assumption that a physical image of memory is accessible, which is not the case if you follow BitLocker's best practices guidance. The product, like others used legitimately for data recovery and digital forensics analysis, requires "a physical memory image file of the target computer" to extract the encryption keys for a BitLocker disk. Our discussions of Windows BitLocker have always been to communicate that it is intended to help protect data at rest (e.g. when the machine is powered off). If a forensics analyst or thief/adversary has physical access to a running system, it may be possible to make a copy of the computer's memory contents by using an administrative account on the system, or potentially through hardware-based methods such as direct memory access (DMA).

Another report discusses targeted attack vectors where the attacker must gain physical access to the computer, multiple times I might add. This research is similar to other published attacks where the owner leaves a computer unattended in a hotel room and anyone with access to the room could tamper with this computer. This sort of targeted attack poses a relatively low risk to folks who use BitLocker in the real world. Even with BitLocker's multi-authentication configurations, an attacker could spoof the pre-OS collection of the user's PIN, store this PIN for later retrieval, and then reboot into the authentic collection of the user's PIN. The attacker would then be required to gain physical access to the laptop for a second time in order to retrieve the user's PIN and complete the attack scheme. These sorts of targeted threats are not new and are something we've addressed in the past; in 2006 we discussed similar attacks, where we've been straightforward with customers and partners that BitLocker does not protect against these unlikely, targeted attacks.

Our customers are confronted with a wide spectrum of data security threats that are specific to their environment and we work hard to provide capabilities and information to help the customer achieve the right balance of security, manageability, and ease-of-use for their specific circumstances. BitLocker is an effective solution to help safeguard personal and private data on mobile PCs and provides a number of protection options that meet different end-user needs. Like most full volume encryption products on the market, BitLocker uses a key-in memory when the system is running in order to encrypt/decrypt data on the fly for the drives in use. Also like other encryption products, a determined adversary has significant advantages when they have physical access to a computer.

We recognize users want advice with regards to BitLocker and have published best practice guidance in The Data Encryption Toolkit for Mobile PCs. In the toolkit, we discuss the balance of security and usability and detail that the most secure method to use BitLocker in hibernate mode and a TPM+PIN configuration. Using this method, a machine that is powered off or hibernated will protect users from the ability to extract a physical memory image of the computer.

Windows 7 BitLocker continues to be a foundational component adding to any defense in depth strategy for securing systems, and specifically laptops. Even with the great enhancements made in Windows 7 such as BitLocker To Go, it still remains that BitLocker alone is not a complete security solution. IT professionals as well as users must be diligent when protecting IT resources and the best protection against these sorts of targeted attacks requires more than just technology: it requires end user education and physical security also play important roles.