Locking Down Windows 10 Workstations - Windows 10 Microphone Listening 24/7 ?

GreaterNinja Member Posts: 271
I noticed my Windows 10 Professional installations enable microphone voice capture by default without consent, meaning "Cortana" is likely listening 24/7 and collecting data. This occurs, even after disabling all data collection/sync switches during the installation prompts.

Additionally, I found:

- Running "netstat -an" reveals ridiculous amount of open ports for TCP/IP v4 and TCP/IP v6 protocols.
- Some remote PowerShell exploits work on patched Windows 10 hosts.
- I found a virus embedded in the Windows Hibernate file. Meaning, if the Windows 10 power plan allows standby or hibernate, the windows machine could be compromised.

So far I've done the following:
- Disabled known data collection settings for Windows 10
- Disabled Flash
- Disabled and uninstalled Java
- Enabled popup blockers
- Disabled IPv6
- Patched all machines
- Changed PowerShell policy so that it is restricted
- Then disabled PowerShell applications in gpedit.msc
- Removed unnecessary user and group privileges to PowerShell
- Installed AV/host based security software
- Turned p2p updates off
- Disabled/removed unnecessary startup files via msconfig
- Disabled/removed unnecessary startup files via HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Checked DNS settings, hosts file settings, services settings, proxy settings, search engine settings, browser plugin/extension settings to make sure they are not compromised.
- Changed host based firewall rules
- Blocked all non-essential DST/SRC port traffic to the WAN and LAN. Basically port 80, 443 and a few other ports work.
- Changed DNS on WAN and hosts to use CloudFlare or OpenDNS (depending on server or client)
- Moved all Windows 10 machines to a different VLAN and disabled them from communicating to the rest of the network.

I am considering:
- Complete file and application system control (Whitelist/Blacklist) that uses signature check systems to detect modifications or possible evidence of compromised systems. If a system file or application is modified I can revert to a different version.
- Moving all critical servers and workstations to Linux environment and using Windows VM or emulation.
- Comprehensive File and volume encryption systems. Bitlocker is insecure, so I need something else.
- Implementing a host based IDS/IPS
- Firewalling hosts from each other due to p2p vulnerabilities on LAN. I'm not sure if I want to do this or not.

It may seem that I'm a little paranoid, but I feel this is a major invasion of privacy and Windows 10 is insecure because of how it was designed. What do our IT Security Gods and Systems Administrators think? Have you noticed this too or have I just had too much coffee? What recommendations do you have for securing a small to mid-size Windows 10 + Linux network on a low budget?
Any constructive feedback is welcome. Thank you guys.
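A read-only audit of the settings the post above lists (Cortana, microphone access, telemetry level, p2p update delivery, PowerShell execution policy), added here as an example and not code from the original poster. It reports which policy values are set on a Windows 10 host and which still allow the behaviour the post is worried about. The registry paths and value meanings are assumptions based on the documented Windows 10 Group Policy settings and may not exist on every build; it changes nothing.

```powershell
# Added example (not from the original post): audit Windows 10 privacy and
# hardening settings and report which still permit listening, telemetry or
# peer-to-peer update traffic. Read-only. Registry paths are assumptions based
# on documented Group Policy settings; absent values mean the default applies.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Each check: where the policy lives and a scriptblock deciding whether the value is acceptable.
$checks = @(
    @{ Name  = 'Cortana allowed (policy)'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
       Value = 'AllowCortana'
       Ok    = { param($v) $v -eq 0 } }
    @{ Name  = 'Apps may access microphone (policy)'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy'
       Value = 'LetAppsAccessMicrophone'
       Ok    = { param($v) $v -eq 2 } }                 # 2 = Force Deny
    @{ Name  = 'Microphone consent for current user'
       Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone'
       Value = 'Value'
       Ok    = { param($v) $v -eq 'Deny' } }
    @{ Name  = 'Telemetry level (policy)'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
       Value = 'AllowTelemetry'
       Ok    = { param($v) $v -le 1 } }                 # 0 = Security (Enterprise/Education only), 1 = Basic
    @{ Name  = 'Delivery Optimization download mode (p2p updates)'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
       Value = 'DODownloadMode'
       Ok    = { param($v) $v -eq 0 -or $v -eq 100 } }  # 0 = HTTP only, 100 = bypass
)

function Get-PrivacyBaseline {
    foreach ($c in $checks) {
        $v = Get-RegValue -Path $c.Path -Name $c.Value
        $status = if ($null -eq $v) { 'NOT SET (default applies)' }
                  elseif (& $c.Ok $v) { 'OK' }
                  else { 'REVIEW' }
        [pscustomobject]@{ Check = $c.Name; Value = $v; Status = $status }
    }
    # Execution policy is not a security boundary, but the post lists it, so report it as information.
    [pscustomobject]@{ Check  = 'PowerShell execution policy (LocalMachine)'
                       Value  = Get-ExecutionPolicy -Scope LocalMachine
                       Status = 'INFO' }
}

Get-PrivacyBaseline | Format-Table -AutoSize
```

Run it in an elevated session before and after applying a hardening baseline; a row marked NOT SET means no policy overrides the user-level or OS default, which is the case the post describes (capture enabled without an explicit choice).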

Comments

  • TechGromit Member Posts: 2,156 ■■■■■■■■■□
    I noticed my Windows 10 Professional installations enable microphone voice capture by default without consent, meaning "Cortana" is likely listening 24/7 and collecting data.

    This is why I'm not in any hurry to upgrade to Windows 10. The same was true for Windows XP. I didn't upgrade to Windows 7 until there were software applications I wanted that wouldn't run on XP. I have no plans to update to Windows 10 until software is released I want/need that does not run on Windows 7. I don't need the latest or greatest because some fool says it's the next great thing. Windows 7 works perfectly fine for me.

    As for the Microphone thing, my Desktop PC doesn't have a microphone unless I plug in a headset, but most laptops have built in microphones.
    Still searching for the corner in a round room.
  • NetworkingStudent Member Posts: 1,407 ■■■■■■■■□□
    "When one door closes, another opens; but we often look so long and so regretfully upon the closed door that we do not see the one which has opened."

    --Alexander Graham Bell,
    American inventor
  • wastedtime Member Posts: 586 ■■■■□□□□□□
    I think you may be a bit paranoid but I feel that you should secure as much as you can until maintenance/lost productivity cost outweigh your risk. Also, I am not a fan of anything that listens by default (Google home and Amazon echo is included in that).

    I am not that familiar with Windows 10 but have heard of some of the strides that Microsoft has made to improve the Security Architecture of the system. This would include the work they did to remove font rendering out of the kernel, LSA isolation, Microsoft Edge virtualization, and windows new update scheme.

    You will mitigate most vulnerabilities by following the same security practices that are required of any computer system. Minimize the computer's footprint on the network and the software/services on the system. Run software with least privilege. It is rare that people actually come across an actual zero day exploit. Nearly always when people get hit with exploit kits it is from something that has already been patched. I don't have numbers, just going on my experience on this one.

    When means other than exploit kits are used to install malware on a system, it typically means that the user needs to allow it. Common ways are phishing emails and tech support scams, through the browser or by cold calling. Social engineering is usually involved and even the badly done emails will work sometimes. You can train the users as much as possible and implement mitigating factors to include spam blocking, antivirus, HIPS, and application policies. One thing I like which will stop most stage one downloaders is changing the default action of Windows Script Host programs (aka js, jse, vb, vbe, wsf, wsh files). By default the action is Open, and changing it to Edit will open the program in Notepad or something similar when it is double clicked.

    It sounds like you are trying to prevent a computer incident as much as you can. What have you done to prepare for and respond to one?
    Do you have backups?
    Do they work?
    Have you tested it?
    Are they backing up the right information?
    If you have an incident what is your procedure?
    Who needs to be notified?
    Do you need/have tools?

    These are just some questions that may need to be answered.

    To sum this all up:
    - Patch/Update as soon as you can
    - Minimize your attack surface
    - Preventing an incident is just as important as being able to prepare for and respond to one.


    It sounds like you are doing most of the prevention already.

    Let me know if I missed something or need to expand on something.
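The Windows Script Host change described in the post above, written out as an added example (not wastedtime's own code): it reads the current default verb for each script file type and switches it from Open to Edit so a double-clicked script is shown in Notepad rather than executed. It must run from an elevated PowerShell session. The ProgID names (JSFile, JSEFile, VBSFile, VBEFile, WSFFile, WSHFile) are assumptions based on a default Windows 10 install; any ProgID that is missing or has no Edit verb is skipped.

```powershell
# Added example (not the poster's code): change the default shell verb for the
# Windows Script Host file types from "Open" to "Edit". Run elevated; ProgID
# names are assumptions based on a default Windows 10 install.

$WshProgIds = 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile'

function Get-ScriptDefaultVerb {
    param([string[]]$ProgIds = $WshProgIds)
    foreach ($id in $ProgIds) {
        $shellKey = "Registry::HKEY_CLASSES_ROOT\$id\Shell"
        $verb = $null
        if (Test-Path $shellKey) {
            # An empty (default) value means Explorer falls back to the "Open" verb
            $verb = (Get-Item $shellKey).GetValue('')
            if ([string]::IsNullOrEmpty($verb)) { $verb = 'Open (implicit)' }
        }
        [pscustomobject]@{ ProgId = $id; DefaultVerb = $verb }
    }
}

function Set-ScriptDefaultVerb {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]]$ProgIds = $WshProgIds,
        [ValidateSet('Open', 'Edit')][string]$Verb = 'Edit'
    )
    foreach ($id in $ProgIds) {
        $shellKey = "Registry::HKEY_CLASSES_ROOT\$id\Shell"
        if (-not (Test-Path "$shellKey\$Verb")) {
            Write-Warning "$id has no '$Verb' verb defined; skipping"
            continue
        }
        if ($PSCmdlet.ShouldProcess($id, "Set default verb to '$Verb'")) {
            # The (default) value of the Shell key names the verb used on double-click
            Set-ItemProperty -Path $shellKey -Name '(default)' -Value $Verb
        }
    }
}

# Show the state before, apply the change, show the state after.
# Use "Set-ScriptDefaultVerb -WhatIf" first to preview without writing.
Get-ScriptDefaultVerb | Format-Table -AutoSize
Set-ScriptDefaultVerb -Verb 'Edit'
Get-ScriptDefaultVerb | Format-Table -AutoSize
```

This only changes what happens on double-click in Explorer; scripts launched explicitly through wscript.exe or cscript.exe still run, so it complements rather than replaces the application policies and HIPS the post mentions. Passing -Verb Open restores the original behaviour.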
  • GreaterNinja Member Posts: 271
    I appreciate the pointers, but I've already covered those quite well. I wish to hear from people who have actually noticed certain privacy and security issues with Windows 10 for their organization or at home.

    For example:
    -Since p2p is being used on Windows 10, it is possible to detect Windows 10 hosts behind a firewall, initiate an encrypted session that punches holes through firewalls, gain administrator access, deliver payloads and compromise the host.

    -Bitlocker drive encryption can be circumvented in multiple ways to gain unauthorized access to disk and files.

    -Powershell is still highly vulnerable. It can be exploited remotely behind a firewall and Administrator access is easy to attain.

    -Newer Plaintext viruses encoded in base64 can execute malware by just viewing text on a webpage like this. This is not necessarily new, but Windows 10 is still vulnerable even with 3rd party AV products and all OS updates.
  • wastedtime Member Posts: 586 ■■■■□□□□□□
  • TheFORCE Member Posts: 2,297 ■■■■■■■■□□
    You disabled/ uninstalled java? How are you going to perform any type of work? Many applications use java these days.

    Also have you tested the port blocks? What about DNS, what about NTP, what about SQL, Oracle or other databases that use other ports, what about your AD, you disabled those too?

    You patched the systems for now, what about next month, when you have to re-patch?

    Is this home or work environment?
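One way to answer the "have you tested the port blocks?" question above, as an added example and not code from TheFORCE: from a locked-down workstation, probe each infrastructure service the comment names (DNS, NTP, Active Directory, SQL Server, Oracle) against its server and report which are still reachable. Test-NetConnection only probes TCP, so DNS over UDP is checked with a real lookup and NTP with a w32tm exchange over UDP 123. The host names are placeholders and must be replaced with your own servers.

```powershell
# Added example (not the commenter's code): verify that essential service ports
# still reach their servers after tightening the host firewall.
# Host names below are placeholders (constructed for the example).

$DomainController = 'dc01.example.local'   # placeholder
$Targets = @(
    @{ Service = 'DNS (TCP)';        Host = $DomainController;   Port = 53 }
    @{ Service = 'Kerberos';         Host = $DomainController;   Port = 88 }
    @{ Service = 'RPC endpoint map'; Host = $DomainController;   Port = 135 }
    @{ Service = 'LDAP';             Host = $DomainController;   Port = 389 }
    @{ Service = 'SMB';              Host = $DomainController;   Port = 445 }
    @{ Service = 'LDAPS';            Host = $DomainController;   Port = 636 }
    @{ Service = 'SQL Server';       Host = 'sql01.example.local'; Port = 1433 }  # placeholder
    @{ Service = 'Oracle listener';  Host = 'ora01.example.local'; Port = 1521 }  # placeholder
)

function Test-EssentialTcpPorts {
    param([hashtable[]]$Targets)
    foreach ($t in $Targets) {
        # -WarningAction hides the "TCP connect failed" warning; the result object carries the outcome
        $r = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Service  = $t.Service
            Host     = $t.Host
            Port     = $t.Port
            Resolved = [bool]$r.RemoteAddress
            TcpOpen  = $r.TcpTestSucceeded
        }
    }
}

function Test-EssentialUdpServices {
    param([string]$Server)
    # DNS over UDP: the system resolver tries UDP first, so a successful lookup shows 53/udp is open
    $dns = Resolve-DnsName -Name $Server -Type A -ErrorAction SilentlyContinue
    [pscustomobject]@{ Service = 'DNS (UDP 53)'; Host = $Server; Ok = [bool]$dns }

    # NTP: w32tm /stripchart performs a real NTP exchange; failed samples print "error:" lines
    $ntp = & w32tm /stripchart /computer:$Server /samples:1 /dataonly 2>&1
    [pscustomobject]@{ Service = 'NTP (UDP 123)'; Host = $Server; Ok = -not ($ntp -match 'error') }
}

Test-EssentialTcpPorts -Targets $Targets | Format-Table -AutoSize
Test-EssentialUdpServices -Server $DomainController | Format-Table -AutoSize
```

A row with Resolved false means name resolution itself is broken, which usually points at the DNS block rather than the service; a row with Resolved true and TcpOpen false is the firewall rule to revisit.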
  • beads Member Posts: 1,531 ■■■■■■■■■□
  • ally_uk Member Posts: 1,145 ■■■■□□□□□□
    Windows spyware edition, that's why they initially made it free: to spy on the masses. I hate Windows 10 with a passion, same as 8 and 8.1; they all are a step backwards in my eyes. Why the hell as a user should you apply patches and fixes to stop them snooping? Uninstall that junk O/S and get Linux on there pronto, problem resolved. :)
    Microsoft's strategy to conquer the I.T industry

    " Embrace, evolve, extinguish "
  • GreaterNinja Member Posts: 271
    "CIA malware targets Windows, OSx, Linux, routers
    The CIA also runs a very substantial effort to infect and control Microsoft Windows users with its malware. This includes multiple local and remote weaponized "zero days", air gap jumping viruses such as "Hammer Drill" which infects software distributed on CD/DVDs, infectors for removable media such as USBs, systems to hide data in images or in covert disk areas ("Brutal Kangaroo") and to keep its malware infestations going.
    Many of these infection efforts are pulled together by the CIA's Automated Implant Branch (AIB), which has developed several attack systems for automated infestation and control of CIA malware, such as "Assassin" and "Medusa".
    Attacks against Internet infrastructure and webservers are developed by the CIA's Network Devices Branch (NDB).
    The CIA has developed automated multi-platform malware attack and control systems covering Windows, Mac OS X, Solaris, Linux and more, such as EDB's "HIVE" and the related "Cutthroat" and "Swindle" tools, which are described in the examples section below."

    I suspect 98-99% of Windows 10 machines are already infected/compromised. I suspect 98-99% of systems with google chrome are infected with malware plugins/extensions that are not detectable to the traditional AV. We seriously need our best security experts to look into this. I find it baffling that less than 1% of those in this realm seem to be aware of something that has been going on for at least several months.
  • Queue Member Posts: 174 ■■■□□□□□□□
    Disclaimer, not an expert yet: When you disabled all non essential ports except 80 and 443 and a few others, what were your intentions? I thought of doing that to prevent my home PCs from doing things I was not aware of. However, when I asked about that methodology at work I was told that most apps nowadays are designed to fail back to port 80 if the port they wanted to use is blocked, thus rendering what I was looking to accomplish null.
  • cshkuru Member Posts: 246 ■■■■□□□□□□
    "CIA malware targets Windows, OSx, Linux, routers

    The CIA also runs a very substantial effort to infect and control Microsoft Windows users with its malware. This includes multiple local and remote weaponized "zero days", air gap jumping viruses such as "Hammer Drill" which infects software distributed on CD/DVDs, infectors for removable media such as USBs, systems to hide data in images or in covert disk areas ("Brutal Kangaroo") and to keep its malware infestations going.
    Many of these infection efforts are pulled together by the CIA's Automated Implant Branch (AIB), which has developed several attack systems for automated infestation and control of CIA malware, such as "Assassin" and "Medusa".
    Attacks against Internet infrastructure and webservers are developed by the CIA's Network Devices Branch (NDB).
    The CIA has developed automated multi-platform malware attack and control systems covering Windows, Mac OS X, Solaris, Linux and more, such as EDB's "HIVE" and the related "Cutthroat" and "Swindle" tools, which are described in the examples section below."

    I suspect 98-99% of Windows 10 machines are already infected/compromised. I suspect 98-99% of systems with google chrome are infected with malware plugins/extensions that are not detectable to the traditional AV. We seriously need our best security experts to look into this. I find it baffling that less than 1% of those in this realm seem to be aware of something that has been going on for at least several months.

    So if I was an intelligence agency I would monitor forums for threads like these because obviously the person who started it has something to hide or worry about; then if his machine suddenly dropped out of the bot net I would be sure to target that person for some extra special attention. Just sayin' is all.
  • GreaterNinja Member Posts: 271
    cshkuru wrote: »
    So if I was an intelligence agency I would monitor forums for threads like these because obviously the person who started it has something to hide or worry about; then if his machine suddenly dropped out of the bot net I would be sure to target that person for some extra special attention. Just sayin' is all.

    Indirectly calling judgement and false assumptions of guilt on an individual is of very poor taste. I have to highly disagree with that perspective because it assumes guilt without cause and follows the lines of archaic witch-hunting.

    Being aware enough to notice minute things are off does not imply guilt or an individual is hiding anything. It certainly does not justify why the U.S. government is violating the 4th Amendment rights of almost every single American. Lastly, the original post really was about new malware, vulnerabilities, and data mining of Windows 10. The recent news just reinforces original assertion that Windows 10 appears to be very insecure.
  • wastedtime Member Posts: 586 ■■■■□□□□□□
    "CIA malware targets Windows, OSx, Linux, routers
    The recent news just reinforces original assertion that Windows 10 appears to be very insecure.

    I don’t see the correlation so maybe you can spell it out for me (I also take crayon drawings)? As you don't like assumptions maybe you can leave those out.
  • techwizard Member Posts: 162 ■■■□□□□□□□
    Put the coffee down, and back away, slowly.

    I would simply adhere to whatever your organization's IT policy is in regards to security. I upgraded all of my organization's workstations from Windows 7 Pro/Ent to Windows 10 Pro/Ent, and for the most part, have not had any issues. You could turn all the features off on Windows 10 all day, but what it really comes down to is end user awareness.
    "Never give up" ~ Winston Churchill
  • veritas_libertas Member Posts: 5,746 ■■■■■■■■■■
    Sigh. Lots of paranoia in this thread. If a nation state like the US, Russia or China wants into your workstation they will likely get in. I would worry more about those that are after you for cash. A good place to start is with the CIS benchmarks:

    https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_10_Enterprise_RTM_Release_1507_Benchmark_v1.0.0.pdf
  • NetworkNewb Member Posts: 3,298 ■■■■■■■■■□
    Exactly ^^^ Reminds me of a charity golf tournament I played in 3-4 years ago. I got paired up with none other than Jesse Ventura. Definitely an interesting guy. I think I was going to Mexico or something around that time because he got to talking about a house he owned in Mexico, which in his words was "completely off the grid and self-sustained". I'm sure some of you have seen his "Conspiracy Theory" youtube videos...