Unless you’ve been totally unplugged for the past month, you are aware that Microsoft has rolled out the long-awaited Windows 10 operating system (OS). Users of the Windows 7 and 8 OSs were offered free upgrades, which they received via their update feature within their current OS.

Accompanying the update and installation of Windows 10 was a new and comprehensive privacy statement. The privacy statement outlines what, how and when Microsoft captures your data during your use of Windows 10. It’s an interesting read, but it’s matched by some curious new capabilities. One of the new features of Windows 10 is Wi-Fi Sense, which allows users to connect to others’ wireless networks and permits their friends and social network contacts to connect to the wireless networks that the user controls.

Windows 10 and Privacy

Windows 10 is able to provide to Microsoft volumes of information about how you use the operating system, the problems encountered and more. That’s not necessarily a bad thing from either the user’s or Microsoft’s perspective — as long as both parties have a handle on what is being shared and when, which the company is encouraging.

“You can view or edit your personal data online for many Microsoft services,” the July 2015 privacy statement notes. “You can also make choices about Microsoft’s collection and use of your data. How you can access or control your personal data will depend on which services you use.”

For some it will be as easy as programming your television’s remote control, but for others it will seem like the equivalent of launching NASA’s Apollo program. The key is in dissecting the massive privacy document and then finding where the toggles to control the various features are located, which will permit you to opt out of automated monitoring of your actions.

For example, according to Microsoft’s privacy statement, “When you use Bing services, we collect your search queries, location and other information about your interaction with our services.” From a corporate perspective this may or may not be a competitive intelligence risk, but each company’s threshold and use of Internet search capabilities are different.

Another feature is the ability to commingle your personal and business content via the OneDrive service. “OneDrive lets you store and access your files on virtually any device. You can also share and collaborate on your files with others,” Microsoft’s privacy statement notes.

“Some versions of the OneDrive application enable you to access both your personal OneDrive by signing in with your Microsoft account and your OneDrive for Business as part of your organization’s use of SharePoint Online.” That’s an absolute convenience for some companies and an unmitigated security risk for others.

About Wi-Fi Sense

The Wi-Fi Sense feature of Windows 10 has received a good deal of publicity — some positive, most negative. The feature will clearly make it a breeze for visitors (friends) to connect to networks without the hassle of having to issue user IDs and passwords. And according to the documentation and screen shots, you or your friends can “give and get Internet access without seeing shared passwords.” Yes, there is a “but” coming: Do you want your Facebook or Skype contacts connecting to your networks automatically, without the ability to do some configuration and/or limitation?

Figure 1: Wi-Fi Sense prompts users to allow access to networks.

The settings are available for you, the user, to decide. For your personal network, perhaps you are comfortable with the knowledge that your social network friends will have access when they are in proximity to your network — that is, physical proximity. For your work network, perhaps you need to have a different standard and may choose to not allow others to connect to open hot spots, especially if a potential friend is an employee of a competitor. The key in this instance is to know when and how you are sharing connectivity. When in doubt, turn those two switches off.

In sum, the days of simple plug-and-play are long gone. Now we must knuckle down and know what we are sharing and the context in which we are sharing access or information. For devices being used within an employer’s bring-your-own-device (BYOD) policy, your Windows 10 implementation and settings may end up putting you at cross purposes with your employer’s information security policies and procedures.
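For the "turn those two switches off" advice above and the BYOD compliance question that follows it, here is an added PowerShell example (not code from the original article or from Microsoft) that audits the two Wi-Fi Sense toggles on a Windows 10 machine and, when asked, switches them off. It assumes the two settings are exposed under the Policy Manager registry path HKLM:\SOFTWARE\Microsoft\PolicyManager\default\WiFi in the subkeys AllowWiFiHotSpotReporting and AllowAutoConnectToWiFiSenseHotspots, each holding a DWORD named "value" where 0 means off; those paths and the 0/1 meaning are assumptions, as is the requirement to run elevated when changing them.

```powershell
# Added example, not from the original article. Audits the two Wi-Fi Sense
# toggles and optionally disables them. ASSUMED registry layout:
#   HKLM:\SOFTWARE\Microsoft\PolicyManager\default\WiFi\<Setting>\value (DWORD, 0 = off, 1 = on)
# Run from an elevated PowerShell session when using -Disable.
[CmdletBinding()]
param(
    [switch]$Disable
)

$base = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\default\WiFi'

# The two "switches" the article refers to (assumed policy names, described in plain words).
$toggles = [ordered]@{
    'AllowWiFiHotSpotReporting'           = 'Share my networks with contacts'
    'AllowAutoConnectToWiFiSenseHotspots' = 'Auto-connect to networks shared by contacts'
}

function Get-WiFiSenseState {
    foreach ($name in $toggles.Keys) {
        $path = Join-Path $base $name
        $item = Get-ItemProperty -Path $path -Name 'value' -ErrorAction SilentlyContinue
        # A missing key means the policy has never been written; report it as 'unknown'
        # rather than silently treating it as off.
        $value   = if ($null -eq $item) { $null } else { [int]$item.value }
        $enabled = if ($null -eq $value) { 'unknown' } else { [bool]$value }
        [pscustomobject]@{
            Setting     = $toggles[$name]
            RegistryKey = $path
            Value       = $value
            Enabled     = $enabled
        }
    }
}

function Disable-WiFiSense {
    foreach ($name in $toggles.Keys) {
        $path = Join-Path $base $name
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name 'value' -Value 0 -Type DWord
    }
}

$before = Get-WiFiSenseState
'Current Wi-Fi Sense state:'
$before | Format-Table Setting, Enabled, Value -AutoSize

# A BYOD compliance check: flag the device if either sharing toggle is on or unknown.
$flagged = $before | Where-Object { $_.Enabled -ne $false }
if ($flagged) {
    Write-Warning ('Wi-Fi Sense sharing is on or unset for: ' + ($flagged.Setting -join '; ') +
                   '. Review against your employer''s policy.')
}

if ($Disable) {
    Disable-WiFiSense
    'State after disabling:'
    Get-WiFiSenseState | Format-Table Setting, Enabled, Value -AutoSize
}
```

Run it without arguments to audit (for example as part of a BYOD enrolment script), and with -Disable from an elevated prompt to turn both toggles off. Treating an absent key as "unknown" rather than "off" matters for a compliance check: a device that has never had the policy written may still be sharing through the Settings app defaults, so the audit should not pass it silently.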
