Unless you’ve been totally unplugged for the past month, you are aware that Microsoft has rolled out the long-awaited Windows 10 operating system (OS). Users of the Windows 7 and 8 OSs were offered free upgrades, which they received via their update feature within their current OS.

Accompanying the update and installation of Windows 10 was a new and comprehensive privacy statement. The privacy statement outlines what, how and when Microsoft captures your data during your use of Windows 10. It’s an interesting read, but it’s matched by some curious new capabilities. One of the new features of Windows 10 is Wi-Fi Sense, which allows users to connect to others’ wireless networks and permits their friends and social network contacts to connect to the wireless networks that the user controls.

Windows 10 and Privacy

Windows 10 is able to provide to Microsoft volumes of information about how you use the operating system, the problems encountered and more. That’s not necessarily a bad thing from either the user’s or Microsoft’s perspective — as long as both parties have a handle on what is being shared and when, which the company is encouraging.

“You can view or edit your personal data online for many Microsoft services,” the July 2015 privacy statement notes. “You can also make choices about Microsoft’s collection and use of your data. How you can access or control your personal data will depend on which services you use.”

For some it will be as easy as programming your television’s remote control, but for others it will seem like the equivalent of launching NASA’s Apollo program. The key is in dissecting the massive privacy document and then finding where the toggles to control the various features are located, which will permit you to opt out of automated monitoring of your actions.

For example, according to Microsoft’s privacy statement, “When you use Bing services, we collect your search queries, location and other information about your interaction with our services.” From a corporate perspective this may or may not be a competitive intelligence risk, but each company’s threshold and use of Internet search capabilities are different.

Another feature is the ability to commingle your personal and business content via the OneDrive service. “OneDrive lets you store and access your files on virtually any device. You can also share and collaborate on your files with others,” Microsoft’s privacy statement notes.

“Some versions of the OneDrive application enable you to access both your personal OneDrive by signing in with your Microsoft account and your OneDrive for Business as part of your organization’s use of SharePoint Online.” That’s an absolute convenience for some companies and an unmitigated security risk for others.

About Wi-Fi Sense

The Wi-Fi Sense feature of Windows 10 has received a good deal of publicity — some positive, most negative. The feature will clearly make it a breeze for visitors (friends) to connect to networks without the hassle of having to issue user IDs and passwords. And according to the documentation and screen shots, you or your friends can “give and get Internet access without seeing shared passwords.” Yes, there is a “but” coming: Do you want your Facebook or Skype contacts connecting to your networks automatically, without the ability to do some configuration and/or limitation?

Figure 1: Wi-Fi Sense prompts users to allow access to networks.

The settings are available for you, the user, to decide. For your personal network, perhaps you are comfortable with the knowledge that your social network friends will have access when they are in proximity to your network — that is, physical proximity. For your work network, perhaps you need to have a different standard and may choose to not allow others to connect to open hot spots, especially if a potential friend is an employee of a competitor. The key in this instance is to know when and how you are sharing connectivity. When in doubt, turn those two switches off.

In sum, the days of simply plug-and-play are long gone. Now we must knuckle down and know what we are sharing and the context in which we are sharing access or information. For devices being used within an employer’s bring-your-own-device (BYOD) policy, your Windows 10 implementation and settings may end up putting you at cross purposes with your employer’s information security policies and procedures.
