Insecure By Design?

Jul 31, 2015


By Aleksander Gorkowienko, Lead Penetration Tester, 7Safe

The pressure to be first in the market creates its own dangers

Every day we are flooded by information about the newest technological solutions which obviously are intended to make our life easier and our work more efficient. This includes small vendors that want to pop-up and shine for a minute in the crowded IT market, as well as the large players such as Microsoft or Google. Competition is high and it is very important for every company to be able to present from time to time something unique, something which could bring attention and make people wow. It is no secret that quite often new “cool” features are announced without being well thought through and properly tested. It is important to be the first! It looks like vendors close their eyes and forget that anything they make publicly available immediately comes under intense scrutiny as thousands of eyes and hands start examining it, not just for fun, but also searching for security holes.

Only a thin line separates "feature" from "bug" or, what could be worse, a serious security issue. The simplest example is the good-old Autorun/Autoplay functionality in Windows. USB Autorun attacks became a serious problem back in 2005 but are they gone for good? Some researchers have reported that 12 percent of global Microsoft Windows infections in the first quarter of 2012 were Autorun-based threats. It does not surprise me as most Windows users don’t understand the security implications of using the Windows Autorun feature. What makes the matter worse - most users have very vague idea how to disable it!

Windows 10 WiFi Sense – a return to the bad old days?

But we are in 2015 AD, so surely things are getting better? Well, not necessarily. For example, Microsoft has just proposed another stunning feature. This time it's for Windows 10 and it is called ‘WiFi Sense’. It is already available on Windows Phone devices and automatically connects you to nearby Wi-Fi networks it knows about (which is good indeed), but also has the other interesting feature. It lets you exchange password-protected Wi-Fi network access with your contacts to give and get Internet access without seeing each other's Wi-Fi network passwords.

Of course Wi-Fi Sense would not disclose the clear text password to your Facebook friends, Outlook.com contacts or Skype contacts (and probably a couple of random people in your contact list), but it does allow them, if they have Wi-Fi Sense enabled, to have immediate access to your Wi-Fi. We may think that the password is probably kept somewhere on the Microsoft servers (which also raises many privacy-related concerns), and is copied to a device to be used. Theoretically you should not be able to see it in clear text but how successful that will it be is yet to be determined (all security aware people know that even hashing passwords would not solve the problem, so I would not expect miracles). So it is possible that very soon hackers will not even focus on known vulnerabilities, - rather, they will simply use a weak software feature to break its security.

Thinking about every business laptop which is running Windows 8 now and will be running Windows 10 in the nearest future - the potential security risk is high and should not be ignored.

There are various causes of insecure software. We could name a few, such as time and business pressure to release software as soon as possible, not sticking to secure coding guidelines, and also lack of risk analysis at the beginning of the project.

Such situations could be not only foreseen but successfully prevented by including a thorough security review and risk evaluation into software development process. It should start from the design phase when a qualified security specialist would evaluate all pros and cons and advise how to avoid potential embarrassment. After all, if software is designed and well thought securely from the start, it means far fewer problems down the road.

Find out how our Cyber Security Services could make your software more secure: Cyber Security Services.

Insure by Design?