Windows 10 Upgrade: Security and Privacy

By June 30, 2016blog

Lately, 300 million active devices received and accepted the Windows 10 upgrade notification that read, in essence: “Dear users, how about if you upgrade to Windows 10?”. In some cases, the message displayed by Microsoft on legitimate copies of Windows 7 and Windows 8.1 was not even that subtle, reading more along the lines of: “Your operating system will be upgraded to Windows 10 on [date]”.

Main points:

  • You should accept the Windows 10 upgrade, if only because it has much better security concepts built around it, such as: Windows Hello, Microsoft Passport, BitLocker, Trusted Platform Module and the developer’s Control Flow Guard found in Visual Studio 2015.
  • It is essential to be aware of the potential privacy issues surrounding the newer operating system, which is used to train and make Cortana better – Microsoft’s artificial intelligence, among other related features.
  • Use the new Privacy Tools included with jv16 PowerTools 2017 to adjust the data mining features built into the Windows 10 upgrade. We designed the Windows AntiSpy tool shipped with jv16 PowerTools 2017 in a way that will help you to easily decide what to turn on or off in terms of anonymous data collection by the operating system.

Keep in mind that what some may consider privacy issues, others may regard as reliable features. Cortana, the personal digital assistant in Windows 10, has helped answer over 6 billion questions since launch.

Now, let us show you why we believe the Windows 10 upgrade should be welcomed from the security point of view.

windows 10 upgrade security approach

Windows 10 Upgrade – Improved Authentication Security

Research to replace passwords has been carried out for many years. Almost everyone agrees that passwords are one of the backbone problems of internet security. Starting with Windows 10, Microsoft introduced “Windows Hello” which offers perhaps up to date the most realistic chance of eradicating the archaic operating system authenticator.

Alternative projects were announced in recent years by other organizations concerned with archaic authentication methods (using passwords) for networks and workstations. One of them is the industry group FIDO (Fast IDentity Online) Alliance. It consists of the computer-maker, Lenovo, the security firm, Nok Nok Labs, the online payment giant, PayPal, the biometrics experts, Agnito, and the authentication specialists, Validity. Other similar projects include the one by the Defense Advanced Research Project Agency (DARPA), a research and development arm of the Defense Department, USA.

While DARPA and FIDO Alliance joined forces to replace passwords, Microsoft presented its solution to the problem in the form of biometric identifiers.

windows 10 upgrade hello

The video cameras from both desktop and mobile devices are used by Windows 10 to identify your face or iris and can recognize you in a variety of lighting conditions, according to Microsoft. Fingerprint authentication has also been included. Computers with built-in fingerprint scanners will be Windows Hello compatible once the Windows 10 upgrade has been installed.

“For facial or iris detection, Windows Hello uses a combination of special hardware and software to accurately verify it is you – not a picture of you or someone trying to impersonate you” said Joe Belfiore, vice president of the operating system group at Microsoft.

Another new technology, Microsoft Passport, can tie a certain device to a PIN code or Windows Hello. To use this feature, you should register a laptop and a Windows smartphone and tie them to your Microsoft Passport. To unlock the laptop, you should have the smartphone positioned to face the laptop and swipe the fingerprint scanner to unlock your laptop without the need for a password.

windows 10 upgrade bitlocker

One more security layer for those that choose to stick with old-school passwords is the protection provided by Windows 10 to prevent attempts to brute-force the password or trick Windows Hello. A feature called BitLocker locks the device after a set number of unsuccessful username / password login attempts and then requires a supposedly uncrackable 48-symbol password, which BitLocker generates on setup.

With this sort of protection enabled, even if someone managed to get access to the storage device and modify it, the drive would not load. You may also enable a PIN code, which will then be required to boot the system.

BitLocker required the presnece of the Trusted Platform Module (TPM) – a purpose-built integrated chip used primarily for encryption and storage of the most critical data needed for regaining access to your system. TPM can be found in the latest generation of hardware and mobile devices.

Trusted Platform Module offers facilities for the secure generation of cryptographic keys, and limitation of their use, in addition to a random number generator. It also includes capabilities such as remote attestation and sealed storage:

  • Remote attestation – creates a nearly unforgeable hash key summary of the hardware and software configuration. The program hashing the configuration data determines the extent of the summary of the software. This allows a third party to verify that the software has not been changed.
  • Binding – encrypts data using TPM bind key, a unique RSA key descended from a storage key.
  • Sealing – encrypts data in a similar manner to binding, but in addition specifies a state in which TPM must be in order for the data to be decrypted (unsealed).

As a result, Windows 10 can use a Trusted Platform Module to authenticate hardware devices.

Control Flow Guard (CFG) is a highly-optimized platform security feature that was created to combat memory corruption vulnerabilities. By placing tight restrictions on where an application can execute code from, it makes it much harder for exploits to execute arbitrary code through vulnerabilities such as buffer overflows. CFG extends previous exploit mitigation technologies such as /GS, DEP, and ASLR.

Windows 10 Upgrade – For Developers

For applications intended to fully use the capabilities offered by the Windows 10 upgrade from the security point of view, we strongly encourage developers to enable Control Flow Guard. Control Flow Guard (CFG) is a highly-optimized platform security feature that was created to combat memory corruption vulnerabilities. You don’t have to enable CFG for every part of your code, as a mixture of CFG enabled and non-CFG enabled code will execute just fine.

How To Enable Control Flow Guard?

According to MSND, this feature is available in Microsoft Visual Studio 2015, and runs on “CFG-Aware” versions of Windows—the x86 and x64 releases for Desktop and Server of Windows 10 and Windows 8.1 Update (KB3000850).

windows 10 upgrade cfg howto

Malware Protection

Windows 10 is shipped with a sophisticated anti-malware protection mechanism. The way it is supposed to guard critical data against malware infections is at the very bottom layer, using the Unified Extensible Firmware Interface (UEFI). This firmware boots before the operating system and now has a digital signature. At each system start, the integrity of the firmware is checked to prevent unauthorized modifications.

Improvements done for malware protection:

  • UEFI updates should also have a digital signature
  • Settings can be modified only by a user
  • The OS loader has a digital signature
  • Kernel components and drivers must have digital signatures

As a result, a system that respects all these conditions boots only if all components have valid digital signatures. Some of those options can be disabled, but Microsoft is going to enable them by default over time.

You should still use a dedicated 3rd party internet security solution or an antivirus supplement that can detect second generation malware to combat 0-day vulnerabilities. If you require assistance choosing a security solution, open a support ticket with us and we will be glad to offer a variety of choices based on your needs. If you already own a security solution, make sure to keep all your critical software up to date (especially Adobe Flash and Oracle Java).

Windows 10 Privacy Concerns

Once you sign in to Windows 10 with your Microsoft account the operating system immediately starts to syncs settings and data to the company’s servers. That includes your browser history, favorites and the websites you currently have open as well as saved app, website and mobile hotspot passwords and Wi-Fi network names and passwords.

In an article by The New York Times, it is explained how Microsoft plumbs the ocean’s deaths to test the option of migrating its datacenters underwater. This shows the amount of data that needs to be stored and the need to reduce the bill for cooling down land based storage centers. According to the article, the idea for the underwater system came from a research paper written in 2014 by several Microsoft data center employees, including one with experience on a Navy submarine.

jv16-pt-2017rc1b-windows-10-antispy

We believe that the end user should be properly informed to decide if otherwise enabled by default private data sending features should be left on or off. As a response to these privacy concerns, we wanted to help those that would probably not agree to send all the mentioned data and more to Microsoft and that don’t find their way around the Windows 10 privacy settings. Our approach is unique in the way in which we explain each privacy related feature / concern in our product’s interface.

jv16-pt-2017rc1b-windows-10-antispy-extra

Other Privacy Tools are also included in jv16 PowerTools 2017 and have been developed specifically to address growing concerns such as the transmission of pictures metadata (location and device specific information that may leave the door open to targeted attacks or identify theft).

jv16-pt-2017rc1b-privacy-tools

The new Pictures AntiSpy tool offers the ability to automatically clean pictures metadata before you upload them to your favorite social media websites, that may or may not clean pictures metadata before making the content public. Using the custom scan folder feature built into Pictures AntiSpy, you can also scan and clean specific pictures folders of your choice.

jv16-pt-2017rc1b-pictures-antispy

For photographers and photo editors, rest assured that we have made it very easy to disable Pictures AntiSpy. By default, Pictures AntiSpy automatic metadata cleaning engine is disabled so you have no reason to worry about loosing any precious time stamps assigned for organizing albums.

jv16-pt-2017rc1b-pictures-antispy-settings

To upgrade or not to upgrade to Windows 10?

That is not really the question. We recommend upgrading to Windows 10. The new operating system is much more secure than older versions. At the same time, we urge you to use a dedicated security solution as well.

After The Upgrade: Clean and SpeedUp Windows 10

jv16-powertools-2017-release-candidate-1b

Even Windows 10 can get cluttered. We will soon showcase the results of tests made to measure how much jv16 PowerTools 2017 can actually clean and speedup a system with many different software installed. Click here to download and install jv16 PowerTools as a free 60 days (fully functional) trial version.

We only publish software that meets our quality standard.  That means 100% free of bloat, bundles, crapware, adware, scareware or every other type of hidden monetization related nonsense known to man. If you are going to accept the Windows 10 upgrade and already like the idea of what jv16 PowerTools can do for your system then why not get a license.