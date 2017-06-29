Windows 10 Will Soon Protect Files and Folders From Ransomware (theverge.com) 67
Microsoft is making some interesting security-related changes to Windows 10 with the next Fall Creators Update, expected to debut in September. From a report: Windows 10 testers can now access a preview of the changes that include a new controlled folder access feature. It's designed to only allow specific apps to access and read / write to a folder. If enabled, the default list prevents apps from accessing the desktop, pictures, movies, and documents folders. "Controlled folder access monitors the changes that apps make to files in certain protected folders," explains Dona Sarkar, head of Microsoft's Windows Insiders program. "If an app attempts to make a change to these files, and the app is blacklisted by the feature, you'll get a notification about the attempt."
Just create a unique privileged user and have the program execute as that user. Is this not a solved problem?
Sure, if user context switching was a thing in Windows that would be problem solved. However I'm not going to log into a different account every time I wanted to access a certain file.
But the recent malware attacks weren't simply malicious trojaned apps changing each other's files. It was spread by compromising / using system services that are meant to be used to access a broad array of files. I don't see how changing the permissions model to block inter-app accesses will fix this...
I was going to mention this, but perhaps at least it will raise the bar somewhat so that instead of fighting all sorts of "apps" that people download you are only fighting unpatched systems and zero-days bugs...
So it'd be enough for ransomware to impersonate those specific apps or just get into the party list. Shouldn't it?
It's just one more slap-dash fix in a creaky operating system riddled with legacy APIs that are now being easily strangled with NSA-ware. Adding strict user space is what made XP SP2 somewhat tenable, but this is just one more embarrassing and glaring hole, and IMHO, a great reason to take a serious look at devops and agile as software development models. Windows 10 isn't new; it's the lipstick on a pig made from thousands and thousands of attempts to get it right.
I'm just entirely shocked that Microsoft's stock price hasn't cratered into the pit it deserves. Don't think that the current wave isn't the last or best; ransomware will be iteratively released until bitcoin shoots past $10,000/coin.
Because it's not really hurting Microsoft's pocket. There isn't really a legitimate alternative for windows. The general public seemed baffled by Linux (and Linux isn't getting the marketing spent to promote it). Apple is a walled garden that nobody wants.
Many business apps only run on windows. Microsoft's customers aren't going anywhere.
I know it's fun to hate on Microsoft but it's worth noting that Linux has no protection from this kind of malware either. With this change the user directory on Windows will actually be more secure than the user directory in Linux.
For Linux on the desktop, it seems like it should be possible to have apps, like a web browser and email client, that have their own users. You could then run the apps via sudo and they'd only have access to files for their user or group. But last time I tried this I couldn't get it to work. Has anyone else done this successfully?
You can use SELinux to accomplish a similar setup. You can ensure that a given application only has access to specific directories or files. Having spent a little time with it I can say it has an obscene learning curve.
But it also doesn't have the Windows problem of privilege-escalation or lots of insecure system processes for the ransomware to exploit in the first place
There seem to be plenty of them, if you care to open your eyes to the real world.
https://www.ubuntu.com/usn/ [ubuntu.com]
Not hating on Microsoft. They're their own worst enemy. And I have quite a bit of difficulty with your determination that this makes Windows more secure than Linux. Remember: Microsoft only recently even considered the concept of user space. Everything was root. Everything before XP SP2 was admin. Only now are they trying to protect user space in rational ways. And they're failing.
Why are they failing? Lack of rigorous testing made impossible by legacy APIs, horrific driver control, proprietary transports,
One extra hurdle for them to clear. Better than no change.
Mandatory or role based access control is no more sane than the configuration of it. The problem is that Joe Schmoe want to open his files in RandomApp without having to learn how to add rules for it.
Convenience wins over security any time.
And what would a sane security model look like? Ransomware runs under the credentials of the user that has executed the malware, so if the user has read/write access to files and folders, then those folders are vulnerable. It's not that much different than someone accidentally deleting a bunch of files they have access to. I suppose you could put some quantity monitoring, as in if x number of files are altered or deleted, then suspend the process that is doing the file system changes, but that would probabl
Ransomware runs under the credentials of the user that has executed the malware,
So, run your e-mail client in one user account, your browser in another and keep your local work (documents, etc.) in your 'main' user account. Read-only access (via group permissions) between accounts. This is a solution that I've used since before Linux had ACLs.
How do you plan to save emailed documents to local storage, download files from the internet, then read-write to those files using local programs, etc?
And what would a sane security model look like? Ransomware runs under the credentials of the user that has executed the malware, so if the user has read/write access to files and folders, then those folders are vulnerable.
That's user based access control. What they're talking about here is role based access control, which prevents a user from modifying files unless the process he runs also in a role that allows modification.
The problem is that the rules for such systems must be maintained, so when Joe Schmoe installs a new word processing program, it won't be prevented from opening his documents because it hasn't been assigned to the correct role(s). And you cannot trust the users themselves to be able to determine that, o
Why not implement a sane security model instead
Because a "sane security model" uses defense in depth. There no one single "silver bullet" solution. Any security layer can fail, so you need additional layers to contain or mitigate the damage.
Your first layer of defense is your firewall
... your last layer is your offsite backups. You should have many more layers in between.
Your first layer of defense is your firewall
This is why working security can never be achieved. As long as there are people who think that he first layer of defense can be anything other than the human brain, and that security can be achieved through technology alone, the default state will continue to be vulnerable.
Maybe I am wrong, but it looks like Office has been an attack vector.
Will it be in the party list of "allowed apps"?
Office has ALWAYS been an attack vector. From damn Macro viruses in the 90's to other tecnhiques that embed in Word or other office products today.
My wife got a virus on her laptop recently opening a Word document. Office is still very much a vector.
Maybe not, but I suspect you are not Lord Nelson, either.
What's not to love about more and more annoying popups asking uninformed users questions they can't understand, and insisting they answer before they can continue?
How else can we convince people that Ubuntu is actually great, despite systemd, persistent and recurrent network software failure, and the system forgetting your sound card settings if you reboot?
Disclaimer: I use *BSD - but only because Ken Olsen said "Unix is snake
will be used to block steam unless you buy windows 10 pro gamer
..the next generation of Ransomware will exploit a vulnerability in this new service to prevent YOU from accessing these folders and files.
How very convenient!
Thank you for signing your post so we know who you are!
LOL!
This sounds strangely like the App-Locker feature that's available on some Windows Server and Enterprise editions...
This sounds strangely like the App-Locker feature that's available on some Windows Server and Enterprise editions...
Applocker prevents launching of applications based on rules. This sounds different in that it prevents apps from accessing data based on rules. So the application could be allowed, but it may not be allowed to access some data.
I used to get work done in Windows but I've diversified away from it on my production machines -- I do have it on a few test machines just in case they make some customer friendly decisions
Things I'm unhappy about:
- the broken update process (when I tried a few months ago, Windows 7 no longer auto-updates all the way through without manual intervention) -- it was supposed to work until 2020
- the telemetry which reportedly can't be completely be turned off -- I like building nice quiet machines that are read
Ah, Windows - the cause of, and solution to, all of life's problems.
Don't get me wrong. This is still a step forward to throw off simple malware but
Nice function to stop script kiddies. Microsoft is trying PR stunt to cover egg in the face and hide the fact that Windows is still full of serious security holes. The ransom-ware used by recent attacks was using holes in the OS that allowed full control of the machine. Nothing can stop such software from encoding entire hard drive any way it wants and demanding money. Software that has full control can easily undo the lock
No one solution is going to stop 100% of all attacks.
If this stops 5% of the attacks it's an improvement and a step in the right direction. By itself it isn't enough but if it stops some attacks (and doesn't introduce other attacks in the process) then I would want this.
So Microsoft is implementing a crippled version of SELinux?
Office macros are one of the most notorious attack vectors...
Personally I would be more concerned with exfiltration than deletion but if MS wants to provide safety they should consider versioning file system so that designated folders can be rolled back to prior states no matter what happened to the data. Not all fail is intentional and this could provide useful value beyond attack resistance.
Aspect based access control mechanisms have a tendency of subverting themselves in the name of convenience over time. First there was the windows firewall, then every app inst
