Wi-Fi (non)Sense

Ever told someone a secret only to find out later that they blabbed it to everyone they knew? Irritating, huh?

Ever let someone on your home wireless network only to find out later that all their friends now have access as well whenever they get within range? Not yet, but you will … 

… unless Microsoft rethinks a new feature they included in the latest and greatest release of their flagship OS — Windows 10. 

Generally speaking, the early reviews for Win 10 have been mostly positive. However, there’s one addition that might sound like a good idea on the surface, but once you think it through (which it seems the designers didn’t do), you quickly realize it’s a security nightmare.

The feature is called Wi-Fi Sense and it’s intended to help you overcome the complexity of letting visitors onto your home wireless network by automating the process of sharing the complex, hard to remember, even harder to enter encryption key that grants access. (You do have a complex, hard to remember, even harder to remember key protecting your Wi-Fi, right? Please say “yes.” Good.)

The problem is that it breaks the bounds of any sort of reasonable security standard by oversharing that key with all sorts of people you may not even know — many of whom you would never allow on your private home network.

Graham Cluely has a great description of the problem on his blog that I highly recommend that you read so you will have the details in a clear, understandable way that I couldn’t improve on (so I won’t even try).

Before you dismiss this as something you don’t have to care about because you don’t use Windows 10, think again. All it takes is for you to share your Wi-Fi key with any Windows 10 user who happens to have this (over)sharing feature turned on for them to automatically pass it along to all their friends even without their knowledge.

That’s right. You and all your family could run nothing but Macs or Linux but it only takes one visitor running Win 10 that you give the Wi-Fi key to before you unknowingly have shared this with all of your visitor’s Skype contacts, Outlook contacts, Hotmail contacts and Facebook friends. 

I’m not ready to go so far as to say “friends don’t let friends use Win 10,” but I will say you should think twice — make it three times — before you share you home Wi-Fi with them.

Advertisement

What is the most secure OS?

Want to start an endless debate with a room full of techies? Assert that a particular operating system — pick any — is more secure than all the rest then sit back and watch the factions form. Some will argue that Mac OS X wins because of the relatively small number of known malware exploits as contrasted with Windows. Others will point to Linux’s built-in security model as superior to the competition. Windows fans will point to a vastly improved track record in the security area over the past decade. Still others will say that the mainframe’s z/OS and it’s related predecessors have proven their strength over the long haul running many of the world’s most critical transactions since the 1960’s.

Who’s right? Answer: I’ve used them all and I would say it’s none of them and all of them. Macs aren’t immune to malware as Apple’s own employees found out — the hard way.  Windows wears the largest bull eye by virtue of its pervasive presence in the market so it will always victimized by bad guys. Linux’s strong security features may be beyond the grasp of casual users. z/OS has benefitted from something of a “security by obscurity” position, which means latent vulnerabilities could be there for the taking.

Not a very satisfying answer is it? Maybe a better way to rephrase the question would be not “which is the most secure?” but rather “which is the most securable?”  The latter takes into account a larger understanding of the role of the user/administrator in the security ecosystem. In other words, it’s not just about technology but also people and process as well.

Yet another way to look at it is to say that the most secure OS is the one that you configure and use properly. The fact is that any of these options can be good or bad depending on how they are deployed and executed. That’s my answer. Now I’ll sit back and watch the various OS fanboys fight it out …

 

P.S. Here’s a nice write up on “Four easy ways to protect your Mac from malware,” which is a question I get from time to time.

Nowhere to run to…

If you thought your choice of operating system, hardware platform, middleware stack or applications would shield you from malware, think again. If it’s operational, it can be hacked. Period. Certainly some configurations are more vulnerable than others but there’s no such thing as a “secure” system — just varying degrees of INsecurity.

I remember a protracted email debate I had with a colleague many years ago on this subject. His claim, essentially, was that the security model of Linux made it immune to malware. As a security guy, I knew better.

At the time Windows was being ravaged by viruses and Linux was emerging as a more stable, secure alternative. Some were speculating that it would supplant Windows as the leading desktop OS within a few years. Of course, that didn’t happen — at least not yet. Linux has some very clear advantages. Some derive from a kernel for which secure design was not an afterthought and yet others from the collective talents and contributions of the open source community.

Still it isn’t perfect as this story from PCWorld shows. In what is just the latest development in the never ending malware saga, the “Hand of Thief” Trojan, which specifically targets Linux, is starting to pop up. As the article says…

Hand of Thief operates a lot like similar malware that targets Windows machines—once installed, it steals information from web forms, even if they’re using HTTPS, creates a backdoor access point into the infected machine, and attempts to block off access to antivirus update servers, virtual machines, and other potential methods of detection.

Clearly, there are far more instances of malware for Windows than Linux — far more — but equally clearly, Linux is not immune. Neither is Mac OX nor Android nor iOS nor any other OS you’d like to name. In fact, the first malware I personally ran across infected the VM operating system on mainframes back in 1987. Yes, 1987. Years before the press would start reporting on the latest virus scare and long before commercial anti-virus tools even existed and all of this on a platform that was considered quite secure and unlikely to be compromised easily.

The article goes on to say…

Historically, desktop Linux users have been more or less isolated from the constant malware scares that plague Windows, which is at least partially a function of the fact that their numbers represent a tiny fraction of the Windows installed base.

That last phrase is important. It basically is saying that part of the reason Linux hasn’t had a lot of malware really has nothing to do with the merits of it’s innate security capabilities, but rather, due to the fact that it simply hasn’t had as big of a bull’s eye painted on it. Mac OS has historically benefitted from the same “security by obscurity” model but it’s not one you want to bank on. Not surprisingly as Mac’s have become more popular in the marketplace, they have also become more popular in the malware threatspace. Ditto for Linux. Ditto for iOS and Android.

Call it the price of success. If a platform becomes popular it can’t hide from hackers as easily. So, the best thing to do is to take prudent precautions regardless of what OS you’re running on because, as Motown figured out a long time ago,  there really is “nowhere to run to, nowhere to hide…”