Windows 10 touts enterprise- and mobile-friendly security
Microsoft has provided its latest Windows 10 operating system as a free upgrade for current Windows users, and as with most new offerings it comes standard with several security features, including ones that are aimed specifically at government and enterprise customers.
It’s not likely to mean much to agencies immediately, however, as most seem unlikely to upgrade anytime soon. If history is any guide, given the headaches past updates have posed (think Vista, Microsoft 7 and – gasp! – Windows 8), it could be much longer than the 12 months or more that some surveys have suggested.
Also bear in mind that government agencies are notoriously slow in moving to new systems, given money and mission concerns. The fact that there’s still a large number of users on the now-officially defunct Microsoft XP is testimony to that.
Microsoft itself is touting Windows 10’s “encryption containers” and two-factor authentication (using fingerprint and facial recognition biometrics) as ways to toughen access requirements and help prevent data loss even when systems are breached.
These and other security features are becoming common in new operating systems -- and are even seen as competitive necessities. For Microsoft, they should help the venerable desktop OS stay relevant. More important, given the company’s belated recognition of the mobile universe, they could buttress Microsoft’s attempt to make Windows 10 a viable, if minor, competitor to Apple’s iOS and the multiple varieties of Android.
In fact, some observers think Microsoft is deliberately trying to make Windows 10 much more like a smartphone environment from the get-go, combining the various security features with a new Windows Store for authorized and vetted applications, a la the Apple Store and Android app markets.
Microsoft’s Device Guard, for example, requires a three-way sign-off by app vendors, the Windows Store and the enterprise for any application to work -- an attempt to block zero-day attacks. And Windows Hello (how do they come up with these names?) is the biometric security feature that works with Windows 10’s new Passport to verify that the device on which you are trying to access services is actually in your possession.
Not everything appears hunky-dory with Windows 10 security, however. The “next generation” OS apparently requires an opt-out statement by a user to decline a default feature that allows Windows 10 to share access to any network the user logs onto with contacts listed in both Outlook and Skype, the VoIP provider Microsoft bought several years ago.
Some people are pooh-poohing the concern over this feature, saying users still must affirmatively allow this sharing. All well and good, but how many users will take the steps to actively opt out, safeguarding themselves from possibly leaking access credentials or unintentionally giving someone access to a network?
To be continued, no doubt.
Stage fright: Android’s Heartbleed moment?
On the Android front, there is apparently a bundle of vulnerabilities that some experts are saying could leave most Android phones open to attack with just a single multimedia text. It could, they warn, turn out to be the worst Android flaw ever, along the lines of the OpenSSL Heartbleed bug that caused such panic last year.
Apparently, the fault lies with remote execution bugs in Android's Stagefright media playback tool. Joshua Drake, a researcher at Zimperium zLabs who first reported the bugs in April, said the vulnerability could affect 95 percent of all Android devices -- and the exploits don’t even require the user to interact with the text.
The U.S. Computer Emergency Response Team has published a formal alert on Stagefright, with pointers to various patches and other ways to guard against possible exploits.
Posted by Brian Robinson on Jul 31, 2015 at 9:01 AM