How Windows 10 Could Finally Put an End to Malware in Windows
Anyone with minimal tech knowledge knows that Windows has historically been much more vulnerable to malware than other operating systems like Mac OS X and Linux. In fact, that has always been one of the main disadvantages of Windows – the fact that a hacker or a piece of nefarious code could actually compromise the quality, performance, and safety of an operating system that consumers are expected to pay for.
To most techies, it has seemed nearly unacceptable that such a premium, paid product (the Windows operating system) would be affected by security issues for so long, despite the thousands of security updates Microsoft has issued over the past decade.
All of that could change with the introduction of Windows 10, which is set to implement a host of security precautions and changes that could do away with most of the harmful malware seen in current versions of Windows.
Many of us were impressed by the security improvements made in Windows 8, with compatibility for biometric scanning (fingerprint sensors) and a number of other key changes being introduced. However, it seems the changes coming to Windows 10 will be even more significant and, according to Chris Hallum, manager of the security department at Windows and Windows Phone, “entire classifications of issues” will be addressed and “in some ways” they may be able to “eradicate the issue in its entirety.”
In the following paragraphs, we'll discuss the main ways in which Windows 10 could eliminate the majority of malware issues that affect the Windows operating system:
Rethinking the Use of Passwords and Credentials in Windows
Mr. Hallum has also been quoted as saying “We're no longer thinking about passwords as a problem,” going on to elaborate that they're actually a “real-time crisis,” and stating that consumers “have to move to something better.”
Like Windows 8, Windows 10 will be looking to further the use of next generation credentials that go beyond the standard username/password combination. The new OS will utilize multiple types of two-factor authentication, with built-in cryptoprocessors facilitating the second authentication factor. A secure cryptoprocessor, also called a Trusted Platform Module (TPM), is a security chip that has already been pre-installed in many modern PCs and by 2015 it will come included in all Windows devices.
Windows 10 users will be able to optionally use this built-in TPM chip within their device as one of the two factors that verifies their identity as the owner of an account. Thus, a hacker would then need to steal not only your basic login credentials (i.e. password/PIN, and/or fake your fingerprint), they would also have to be logging into your account from your “trusted” device.
In October, Microsoft announced that two-factor authentication is coming to Windows 10. The new OS will also let users designate their smartphones as authentication factors -pairing your smartphone or tablet with your PC or laptop via Bluetooth close-range unlocks the encrypted security key, and after that you can log in. So again, a hacker would need to steal your smartphone AND have access to your login credentials, which can include your fingerprint, a password, or a PIN (not the standard 4-digit PIN; it can be up to 20 characters and include any combination of symbols, numbers, spaces, and upper/lowercase letters).
Increased Usage of Fingerprint Sensors
Security experts agree that biometric scanning is the most secure way to digitally verify an individual's identity. Fingerprint sensors are already being included in the latest round of smartphones, and PC owners can easily plug a fingerprint sensor into one of their device's USB ports.
Although there has been some controversy about whether fingerprint sensors could be tricked by fake fingerprints. Mr. Hallum expects the technology to continue to improve to the point where it will be able to read your fingerprint as a 3D image to detect peaks and valleys that indicate whether a finger is real or fake.
He's also discussed the commercial likelihood of a 9mm fingerprint sensor that would only require a single tap, rather than multiple taps like the current sensors used on the iPhone and other devices. Hallum says that Microsoft has an OEM “signalling” but “not committing” to putting such enhanced sensors in all of their products. During the next 5 years it could become common occurrence to see manufacturers installing advanced fingerprint sensors in the majority of new devices.
Password-replacing credentials like fingerprints are being embraced by not only Microsoft, but also other FIDO Alliance members like Google. Hallum also hinted at the possibility of entirely new authentication devices that haven't even been discussed yet. It seems likely that we could see a compact retina scanner become commercially available in the next 5 years.
Eliminating the Need to Manually Log In
In the past, you would either have to type in your username and password, or set your browser or app to remember your login details. Both of these practices presented security concerns. First, because malware like keyloggers and remote spy apps can record your input to capture your username and password. Secondly, setting a browser or any other program to remember your passwords leaves open the possibility that a hacker could then get to those stored passwords.
With next generation authentication, your device will serve as a login key, in combination with your advanced PIN/password or a few taps of your fingerprint. So you'll never have to type any passwords or take more than a few seconds to log in. Perhaps the biggest advantage here is that you'll be able to use existing devices as authentication keys. So your smartphone could easily be paired with your PC via Bluetooth to tell your computer to only allow logins from an individual carrying that specific smartphone.
Hallum has stated that “every app within Windows should be able to take advantage of” the next generation login credentials, and Microsoft has already begun promoting awareness about the new methods to consumer and business oriented services. We should see major services like Netflix and other companies integrating these new login capabilities within their apps during the coming year.
Separating Keys Into Highly Secure Containers
So what exactly happens after you sign in with one of the aforementioned “next-generation” authentication methods? It opens up one of the many “containers” that Windows 10 is separated into, primarily for security reasons. The actual operating system is sealed in its own container, while the security token from the Active Directory that provides access to your network, and the LSA authentication service that issues the token, are stored in separate containers. The containers run on top of each other in Hyper-V Virtualization within a mode that Microsoft is calling “Virtual Secure Mode.”
Why are such security tokens so important? In the recent attacks we've seen on many major companies like Albertsons and J.P. Morgan, the security tokens were the main prize that were sought by the offending hackers to gain access to the company's networks using a technique known as “Pass the Hash.” Once a hacker had the Active Directory security token, they essentially had all the identity information and credentials needed to gain administrative privileges. They could then move through the network freely, going from server to server without ever being asked for a single password or PIN.
So, what do the containers do to protect these tokens, you ask? In previous versions of Windows, the Active Directory security tokens were kept in a “software store that was susceptible” to malware or applications with high privilege levels. In Windows 10, those tokens will be stored in their own separate container, from which no information can be extracted. Even if the kernel itself is compromised, the hacker still wouldn't be able to extract the security key from its container. So even if your system was infected by a bootkit or rootkit, the security tokens would still be protected.
The container that the security token will be stored in is essentially what makes the Virtual Secure Mode (VSM) what it is supposed to be. The VSM container is a miniature operating system in its own right, loaded with only enough RAM to process the built-in LSA authentication service that it runs. Your authentication device communicates directly with the VSM container to unlock the actual version of Windows where all of your files are stored. The new security precautions will be especially useful to companies and organizations that need to ensure the utmost security within their network.
While Windows 10 certainly seems to be addressing the main hacking issues that have been affecting businesses on the enterprise level, it is impossible to say whether or not Microsoft's newest OS will actually conquer the entire malware problem once and for all. There are so many ways for malware to infect and utilize a computer, so there'll be much more to consider than login authentication, but for now the added OS protection features are indeed major starting steps.