Unless you’ve been totally unplugged for the past month, you are aware that Microsoft has rolled out the long-awaited Windows 10 operating system (OS). Users of the Windows 7 and 8 OSs were offered free upgrades, which they received via their update feature within their current OS.

Accompanying the update and installation of Windows 10 was a new and comprehensive privacy statement. The privacy statement outlines what, how and when Microsoft captures your data during your use of Windows 10. It’s an interesting read, but it’s matched by some curious new capabilities. One of the new features of Windows 10 is Wi-Fi Sense, which allows users to connect to others’ wireless networks and permits their friends and social network contacts to connect to the wireless networks that the user controls.

Windows 10 and Privacy

Windows 10 is able to provide to Microsoft volumes of information about how you use the operating system, the problems encountered and more. That’s not necessarily a bad thing from either the user’s or Microsoft’s perspective — as long as both parties have a handle on what is being shared and when, which the company is encouraging.

“You can view or edit your personal data online for many Microsoft services,” the July 2015 privacy statement notes. “You can also make choices about Microsoft’s collection and use of your data. How you can access or control your personal data will depend on which services you use.”

For some it will be as easy as programming your television’s remote control, but for others it will seem like the equivalent of launching NASA’s Apollo program. The key is in dissecting the massive privacy document and then finding where the toggles to control the various features are located, which will permit you to opt out of automated monitoring of your actions.

For example, according to Microsoft’s privacy statement, “When you use Bing services, we collect your search queries, location and other information about your interaction with our services.” From a corporate perspective this may or may not be a competitive intelligence risk, but each company’s threshold and use of Internet search capabilities are different.

Another feature is the ability to commingle your personal and business content via the OneDrive service. “OneDrive lets you store and access your files on virtually any device. You can also share and collaborate on your files with others,” Microsoft’s privacy statement notes.

“Some versions of the OneDrive application enable you to access both your personal OneDrive by signing in with your Microsoft account and your OneDrive for Business as part of your organization’s use of SharePoint Online.” That’s an absolute convenience for some companies and an unmitigated security risk for others.

About Wi-Fi Sense

The Wi-Fi Sense feature of Windows 10 has received a good deal of publicity — some positive, most negative. The feature will clearly make it a breeze for visitors (friends) to connect to networks without the hassle of having to issue user IDs and passwords. And according to the documentation and screen shots, you or your friends can “give and get Internet access without seeing shared passwords.” Yes, there is a “but” coming: Do you want your Facebook or Skype contacts connecting to your networks automatically, without the ability to do some configuration and/or limitation?

Figure 1: Wi-Fi Sense prompts users to allow access to networks.

The settings are available for you, the user, to decide. For your personal network, perhaps you are comfortable with the knowledge that your social network friends will have access when they are in proximity to your network — that is, physical proximity. For your work network, perhaps you need to have a different standard and may choose to not allow others to connect to open hot spots, especially if a potential friend is an employee of a competitor. The key in this instance is to know when and how you are sharing connectivity. When in doubt, turn those two switches off.
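For readers who administer Windows 10 machines rather than a single laptop, the question "is Wi-Fi Sense auto-connect still allowed on this box?" is answerable from the registry. The script below is an added example, not code from the original post or from Microsoft; it assumes the machine-wide policy value Microsoft documents for the "Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services" setting, namely the REG_DWORD `AutoConnectAllowedOEM` under `HKLM\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config`, where 0 disables the feature. The per-user toggles shown in the Settings app are not read here; the script reports only the machine-wide policy state.

```powershell
# Added example (not from the original post): audit and, optionally, disable
# the machine-wide Wi-Fi Sense auto-connect policy on Windows 10.
# Assumption: the documented policy value AutoConnectAllowedOEM (REG_DWORD),
# where 0 = disabled and an absent value means the Windows default (allowed).
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config'
$valueName = 'AutoConnectAllowedOEM'

function Get-WiFiSenseState {
    # Returns whether the policy value is present and whether auto-connect is allowed.
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: treat as the Windows 10 default, which leaves Wi-Fi Sense on.
        return [pscustomobject]@{ Configured = $false; Enabled = $true }
    }
    return [pscustomobject]@{ Configured = $true; Enabled = ($item.$valueName -ne 0) }
}

function Disable-WiFiSense {
    # Writes the policy value; requires an elevated (administrator) session.
    if (-not (Test-Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null
}

$state = Get-WiFiSenseState
if ($state.Enabled) {
    $how = if ($state.Configured) { 'explicitly by policy' } else { 'by default (no policy value set)' }
    Write-Warning "Wi-Fi Sense auto-connect is allowed on this machine $how."
    # Uncomment the next line to remediate on a managed (e.g. BYOD-enrolled) device:
    # Disable-WiFiSense
} else {
    Write-Output 'Wi-Fi Sense auto-connect is disabled by policy.'
}
```

Run it in an elevated PowerShell session if you intend to remediate; reading the value needs no elevation. On a domain-joined machine the same value is what the corresponding Group Policy sets, so a result of "allowed by default" is a quick signal that the policy has not reached the device.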

In sum, the days of simply plug-and-play are long gone. Now we must knuckle down and know what we are sharing and the context in which we are sharing access or information. For devices being used within an employer’s bring-your-own-device (BYOD) policy, your Windows 10 implementation and settings may end up putting you at cross purposes with your employer’s information security policies and procedures.
