Just Set Up A Computer For Someone Who’s Never Had One

I’ve just finished setting up a computer for someone who’s only ever had a work computer, which isn’t connected to the internet. They share a laptop with someone but rarely use it.

Today I helped them pick out a system, a Dell, and I got them started. One really interesting thing I saw was that Dell packaged the Java plugin… an out-of-date Java plugin. So right off the start my friend was running Java 7.1 (wtf?), which is something like 3 patches behind.

So, naturally, I updated it and installed EMET, which I set Java to use (and changed the default Windows 7 DEP setting to Always On). The system also came with Webroot security. I actually think Webroot’s pretty good, but I don’t have enough personal experience with it to trust it, and I’m pretty sure it isn’t free, which means it’ll bug my friend in a few months and he’ll be at risk.

So I removed Webroot and put in Microsoft Security Essentials. Why? For the low false positives and direct Microsoft support.

I also put Google Chrome on the system. I cannot explain to someone who’s never used a personal computer that they need to use NoScript – they will hate me. Chrome is the only way I can keep him secure without ever getting in his way. The Chrome sandbox is “silent”, and that’s really important, as this guy is likely very vulnerable to social engineering, having never been exposed to it in the past.

I think he’ll be fine. In 5 minutes I’ve set his system up in such a way that it’s very difficult to exploit through the most common routes (browser, plugins), and Microsoft Security Essentials is good enough and quiet enough that he should be able to trust it.

You Don’t Need An Antivirus With Windows 8

With Windows 8 out, a lot of users are wondering whether they need antivirus with Windows 8, whether they need to pay for an antivirus, or whether they should do something else entirely. In my opinion, if you’ve been paying for an antivirus on Windows XP, Vista, or 7, you can consider cancelling that next subscription if you’re moving to 8. In my last post about Windows 8 security I glossed over Microsoft Security Essentials, and I wouldn’t call what I said ‘positive.’ My quick, non-security-oriented review of the Windows 8 Release Preview is in an earlier post.

This post will highlight why MSE is the type of antivirus a consumer needs and why it might be the right choice for Windows 8 users.

Microsoft Is Best Suited For The Job

The fact is that Microsoft created Windows. It’s a closed source project, and antivirus companies spend a ton of money just trying to figure it out. Microsoft has a massive advantage here: they know what their code is like, they know where there’s most likely to be a hole, and they have the ability to “tap” systems with crash reports or opt-in data collection on a level no antivirus company can ever match. They simply have the most data.

The fact that only Microsoft has access to the source code is one major reason why you should be trusting them to secure your system.

Years Of Practice

We’re a long way from Windows XP. Windows is not as full of holes as it used to be: Vista brought many security mitigation techniques and a new MAC system to the operating system, and Windows 8 expands further on that with new techniques and a new MAC system.

The Windows system has been hacked and torn apart for years, and Microsoft has not sat idly by. The company has created new tools such as EMET, which are very effective at what they do. They’ve seriously improved their patch response time, and there simply is no comparison between Windows 8 security and Windows XP security.

Microsoft has seen years of malware. They know what they’re up against and at this point you’d better believe they know a few ways to fight back.

Reinforced Throughout The Operating System

Microsoft has made it clear that Microsoft Security Essentials is just one layer. Windows 8 also includes SmartScreen, a reputation-based heuristics filter that acts system-wide to inform and protect users about unknown files that are potentially dangerous. The focus of SmartScreen is on 0day malware and samples that an antivirus might normally not catch.

Where MSE stops, SmartScreen begins, picking up the slack. Antiviruses are inhibited by their inability to deal with the unknown, something they will always struggle with. SmartScreen aims specifically to deal with the unknown using heuristics based on file reputation. File reputation essentially checks how “popular” a file is – how many systems it’s been seen on. Only a major company could pull off something like this, and Microsoft is absolutely the best company for it – no antivirus can be installed on more Windows systems than exist.

Windows 8 Was Built With MSE In Mind

The fact is that Microsoft didn’t build Windows 8 thinking “let’s create a system that works great with Sophos and McAfee”; they built a system to work with MSE and they built MSE to work with the system. Layered security means understanding which layers are important and which need to be covered, and having full control over every layer leads to a potentially more secure system.

Consistent Heuristic Scores And Low False Positives

AV-Comparatives.com “grades” antivirus software, and Microsoft Security Essentials does fairly well. It’s not amazing but it’s not terrible, and that’s fine because it’s reinforced by other areas of Windows. What it is, consistently, is quiet. Heuristics are basically a way of “guessing” something – you use heuristics for spam filters, antivirus, language analysis, anything where you need to guess. Naturally this is going to lead to wrong guesses, and in an antivirus’s case that’s a false positive. MSE has very few false positives, often the lowest or second lowest compared to other antiviruses. Almost all of the antiviruses that get higher heuristic detection scores also have tons of false positives (you can see the correlation), and I think that having few false positives is just as important as having high detection rates.

If my AV is constantly telling me that files I know are good are actually bad, I won’t trust it. And when the time comes that a file I think is good is actually bad and my AV alerts me, I simply won’t believe it. We’re all familiar with The Boy Who Cried Wolf; same principle here.

So Is Windows 8 Impregnable?

Well, while I’m very pleased that Microsoft has stepped up its security, I think there is still a need for some setup to get the system closer to where it should be. I still don’t consider Windows 8 to be as secure as my own configured Linux system, but there are significant improvements, and for the average user I think we can expect things to go smoothly.

Much of what’s in Windows 8 is untested and may not work out well in the real world. I’m optimistic about some features and not so much about others. Time will tell. I’ve had the Windows 8 Developer Preview, Consumer Preview, and now Release Preview all installed, though, so I have a fair bit of experience with it.

And, of course, as Windows 8’s popularity rises so will hackers’ interest in bypassing its features, so it’s still important to take the extra measures and to keep up with patches. MSE has consistently had decent heuristics with low false positives, which I think is very important.

Is Ubuntu Really More Secure Than Windows 7?

A lot of people look at Linux because they hear that it’s more secure, among other things. Is there truth to this? In my opinion, yes, but it’s a very complicated subject. I’m only going to touch on a few aspects of operating systems here, but you should walk away with a good idea about whether or not Linux is more secure than Windows.

Ubuntu is one of, if not the, most used user-oriented Linux distros. The comparison to Windows 7 (the most widely used user Windows OS) is inevitable. While most of this applies to Linux in general, I’m singling out Ubuntu specifically due to market share, userbase, and a particular feature that I talk about briefly at the end.

Why Windows 7 Is Secure

I’m not going to go into why Windows XP is insecure, but I’ll explain how Vista and 7 improved security. There are definitely a few significant changes that should be noted so that we can compare them to Linux implementations.

The first really big change in Windows 7 is ASLR and SEHOP. ASLR is Address Space Layout Randomization, and it essentially makes it difficult for an attacker to use a program’s own code to execute what they want. SEHOP is a technique that specifically deals with SEH overwrites, i.e. a specific type of overflow that targets the Structured Exception Handler. SEH overwrites made up 20% of the exploits in the Metasploit Framework at one point. These two techniques directly address highly exploitable features of the OS.

The next change is a Windows Update that doesn’t completely suck. XP made you go through IE; it was awful and (I don’t know about you guys) it never worked well for me. The new updater is simple, independent, and far less buggy in my experience.

And then there’s the change in Microsoft itself. They realized people didn’t like getting infections, and they’ve made a huge shift from being insanely slow to patch to being pretty proactive about it. This newfound ability to get patches out quickly, combined with an updater that isn’t completely awful, is really great for users and is probably one of the largest reasons why we’ve started to see OS exploits drop and 3rd party exploits rise.

Lastly there is the under-appreciated Mandatory Integrity Access Control. Windows 7 has segregated the file system into layers primarily consisting of “Low”, “Medium”, and “High” integrity files and folders. Programs running at low can’t write to medium/high, programs running at medium can’t write to high, and programs running at high can write anywhere. It’s very powerful and it’s the basis of the Chrome and IE9 sandboxes.

Why Ubuntu Does It Better

I won’t go into OSS vs CSS in this post. Maybe some day if I get really, really bored, and if anyone actually ever reads this thing. I also will not go into “security through obscurity”, as it’s not actually a real thing. I’m going to focus on some other points, which are more easily substantiated.

The first real boon to Ubuntu’s security is package management. Probably my favorite part about running Linux is that I don’t have to do a thing to keep the system up to date. On Windows it’s “Run Flash updater… ok, done… run Java updater… ok, done… run Windows updater… etc.”, but on Linux it’s all handled in one place. I click “Update” (or nothing at all; it’ll do it on its own eventually) and my browser, plugins, IM client, IRC client, and operating system (and anything else) are all patched up. Consider the significance of this – the Flashback trojan infected 700,000 OS X systems using a vulnerability that had been patched *months* before.

Where Windows has Mandatory Integrity Access Control (MIAC), Ubuntu has AppArmor. Well, sorta. Ubuntu has a set of permissions that follow DAC policies. What Ubuntu also has is a MAC implementation that allows for incredibly finely grained access control. On Windows there are very few programs that actually run at low integrity; on Linux virtually every application can run under AppArmor, and there are a few that do by default – specifically system services. AppArmor is incredibly powerful because almost anyone can learn to use it – creating a profile takes minutes in most cases, and it reinforces the already fair access control. MIAC can’t touch AppArmor – it’s not even close.

Ubuntu is actually fairly unique among distros, as it’s one of the first to implement the new Mode 2 Seccomp Filters, a new way to limit the visible kernel attack surface by only allowing syscalls on a whitelist basis. This is a new feature, so it’s not easy to gauge, but, judging by the principle, it should pair incredibly well with other security mechanisms like AppArmor by preventing privilege escalation.
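As an added illustration of the whitelist-style syscall filtering just described (example code written for this page, not from the post or from Ubuntu), here is a minimal seccomp mode 2 (BPF) filter in C: every syscall not on the list kills the caller, and the arch check keeps the filter from being confused by a foreign ABI. It assumes a Linux host on x86_64 or aarch64; the `demo_allowed` list and the `probe_demo` helper are constructed for the demo, and the probe runs in a forked child so the killed call doesn’t take the whole program down.

```c
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __aarch64__
#define MY_ARCH AUDIT_ARCH_AARCH64
#else
#define MY_ARCH AUDIT_ARCH_X86_64      /* assumption: x86_64 unless building for aarch64 */
#endif
/* Build and install a seccomp mode 2 (BPF) filter: any syscall not on the allow-list kills the thread with SIGSYS. Returns 0 on success, -1 if the kernel refused it. */
static int install_allowlist(const int *allowed, size_t n)
{
    struct sock_filter prog[5 + 2 * n]; size_t i = 0;
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));  /* refuse a foreign ABI (e.g. 32-bit compat) */
    prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, MY_ARCH, 1, 0);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t j = 0; j < n; j++) {            /* one compare-and-allow pair per listed syscall */
        prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)allowed[j], 0, 1);
        prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);  /* default: deny */
    struct sock_fprog fprog = { .len = (unsigned short)i, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;   /* required for unprivileged callers */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

static const int demo_allowed[] = { SYS_getpid, SYS_exit_group, SYS_exit };  /* constructed demo list: just enough to exit */
/* Fork a child that sandboxes itself with demo_allowed, then issues syscall nr. Returns 0 if the child exited normally (allowed), 1 if SIGSYS killed it (blocked), -1 on error. */
int probe_demo(long nr)
{
    pid_t pid = fork(); if (pid < 0) return -1;
    if (pid == 0) {                             /* child: sandbox itself, then probe */
        if (install_allowlist(demo_allowed, sizeof demo_allowed / sizeof demo_allowed[0]) != 0) _exit(2);
        syscall(nr, 0, 0, 0); _exit(0);         /* the child dies right here if nr is not listed */
    }
    int status = 0; if (waitpid(pid, &status, 0) != pid) return -1;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS) return 1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void) { printf("getpid=%d socket=%d\n", probe_demo(SYS_getpid), probe_demo(SYS_socket)); }
```

Built with gcc and run on a stock kernel this prints getpid=0 (allowed) and socket=1 (killed), which is the whole point: the kernel surface the sandboxed process can reach is exactly the list, nothing more.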

So there you have it. Why Ubuntu is more secure than Windows 7.

What Needs To Be Said

There’s no actual way to say X is more secure than Y. I know, I just typed this whole thing out but we can only make a best guess; there is no objective measure of security. I can’t say that powerful ASLR is more important than strong malicious file detection without significant research to back that up, and even then it’s limited. What I can do is use my own judgement to take the above information (among other things) to come to a conclusion and do my best to present this to you.

There’s a lot more to all of this than what I’ve posted and there are a lot of opinions about it. This isn’t some huge research paper attempting to provide definitive answers, it’s just me, bored, comparing two operating systems. Windows 8 is entirely outside of the scope of this as it includes many new security features.

I could write a lot more like how Linux is inherently more secure because blah blah blah open source blah blah blah kernel blah blah blah but I won’t. Not tonight. Maybe some other night I’ll do an “Is Linux more secure than Windows?” blog post that goes in depth into things like ASLR implementations (mmap is randomized, virtualalloc isn’t), NX(execshield, emet), smartscreen, DAC vs MAC, etc.

Sources:
https://blogs.technet.com/b/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx
https://blogs.technet.com/b/srd/archive/2010/12/08/on-the-effectiveness-of-dep-and-aslr.aspx
https://wiki.ubuntu.com/Security/Features