could Microsoft address the threat of keyloggers, screenshot takers etc on OS policy level?

AFAIK there are fairly standard categories of serious spyware threats to the user - keyloggers, packet inspectors/loggers, screenshot takers, spyware browser plugins and possibly some others. Well, so let’s say Microsoft really cares about protecting the user from all that. Hypothetically :slight_smile:

Could they introduce a bunch of policies into the operating system that would have made all this stuff either non-functional or easy to detect? E.g. let’s say in order to take a screenshot we make it, by default, necessary for the user to jump through several hoops to enable the functionality temporarily, and the time that each screenshot was taken gets logged for later review. To combat keyloggers let’s say registering to monitor all keyboard activity is made very hard, while keeping it relatively easy to register a hook to track a hotkey with a CTRL or ALT key involved. With packet inspectors maybe make it hard to register for such activity so that basically only firewalls could register for it after jumping through many hoops.

Well, so I was wondering, what is it about Windows that makes my above suggestions apparently not really workable? Are there fundamental reasons why none of this would work? Or are these valid approaches that are slowly seeping into Windows whenever Microsoft isn’t too busy messing up the user interface into a more Vista shape :slight_smile: ?

Microsoft has introduced policies that make it far more difficult for spyware/malware to install - it arrived with Vista and was called UAC. The only problem is many people found it intrusive and annoying and turned it off without fully understanding the consequences. Or they didn’t read/understand the questions that they were being asked.

The other policy decision that was taken with Windows XP was that by default, User accounts were set up as users (without rights to modify global settings). Again, for convenience many users changed their accounts to Administrators, thus negating the benefits of the security system. They were not assisted by application developers who assumed that the user had complete control over their system, and who used inappropriate API functions/files/directories.

The solution to the spyware/malware problem involves a robust security model, a willingness on the part of users to co-operate with the model and to think about the questions they are being asked, and security software that identifies/blocks potential threats. The alternative is a much more restrictive software model (like the iPhone App Market) where software has to be reviewed by someone, thus adding to the costs involved.


This has been possible since NT. You just run as a limited user, not an admin. Then you can’t install things that hook into the system like this. Or at least most of them.

Nowadays, MS has the UAC that watches out for these things, but if the user clicks Yes to installing not_a_trojan.exe then all bets are off.

This problem isn’t a technological problem, it’s a user issue. If the user chooses to run as admin and double-clicks a program that installs malware, then he is at fault, not the OS. The OS is doing its job. The user has the right of ownership, so he or she should be able to install what he or she wants. If they choose viruses then so be it. MS isn’t going to babysit them.

>To combat keyloggers let’s say registering to monitor all keyboard activity is made very hard, while keeping it relatively easy to register a hook to track a hotkey with a CTRL or ALT key involved.

These are hacks that really aren’t hard to get around if you run malware as admin. Okay, say you have some scan for keypresses; now you’ve broken the legitimate apps that do this. Pretty much any script that simulates keypresses. Or you’ve broken legitimate keyloggers companies run on machines they own.

>With packet inspectors maybe make it hard to register for such activity so that basically only firewalls could register for it after jumping through many hoops.

I doubt the average user can comprehend or know what to do with an alert from an IDS. Not to mention even the best IDS rules give false positives frequently. On top of that, MS’s hands are tied by its monopoly conviction. It’s only now that they can offer a free AV for home use.

>Or are these valid approaches that are slowly seeping in into Windows whenever Microsoft isn’t too busy messing up user interface into a more Vista shape :slight_smile: ?

I think this attitude is really part of the problem. Users whine and complain about using limited user accounts so MS gave them the UAC. Now they whine and complain about an extra click. I think users need to change their attitudes towards security first. Or someone should start selling them a locked down appliance PC with approved apps and centralized management, because it doesn’t seem people are able to resist running malware even with a dozen warnings.

Also remember, businesses LIKE keystroke loggers and packet inspectors. It’s businesses that make Microsoft, not personal users. Businesses want to know what their employees are doing.

This leaves MS with the option of making two kinds of computers, one for businesses and one for personal use. OR simply making one kind of computer with tools to prevent keystroke loggers and such.

Of course we have that now but, as others have pointed out, people don’t use it.

So 95% of the users are too dumb to drive and the designers are blameless? Maybe the smart designers are supposed to use their brilliant heads and find a solution that’s a bit more foolproof and a whole lot less annoying, as it were?

I am aware of Vista restrictions where you have to click “confirm” on making a sneeze. If users (myself included) don’t like it, maybe they have to design measures that are not annoying AND that work? E.g. why is it that when running as admin I should not have protection against keyloggers? Why is it that, like I said, on policy level keyloggers could not be heavily restricted while keeping apps that have nothing to do with keyboard monitoring unaffected?

HorseloverFat says that some legit apps will be broken by restrictions on keyloggers, but then neither I nor millions of others have those legit apps or care about them. If a small minority does have them and care about them, let them jump through ten hoops to enable such functionality.

Likewise, who will be hurt if screenshot taking is restricted and monitored? Or if Windows makes it unambiguously clear to me just which apps are inspecting packets in the IP stack and will especially notify me about sudden additions of new ones (after all, I have used the same firewall for years, so new ones should not have been added)?

Screenshots are used all the time in business, documentation & troubleshooting. I’d be surprised if I don’t take 20-30 screenshots a day in the course of my work.

It’s the unattended screenshots that you’re worried about, and I’d just turn the responsibility back to you. Don’t install programs that are unsafe. Don’t download from unsafe sources. Not every attachment that you receive needs to be opened.

I run all machines as full admin. I’ve not had many problems with my PCs over the years, as I keep AV up to date, the machine fully patched, and pay attention to what I’m doing.

There has to be a balance between security, and usability. The biggest problem with the “extra steps,” is that they impede work, and are never descriptive enough to allow people to make good decisions. If you receive 10 pop ups for security questions in your first 1/2 hour on a PC, you ignore them forever more, or disable that level of security.

Microsoft could certainly make it more difficult to install programs like this, but it’s unlikely that they could make it impossible via software alone.

Ultimately, fully restricting things like this has to be done in hardware, because any protection that’s done solely in software can be hacked out in software. If you’re running as admin and you click “OK”, the software that you’re installing can do quite a lot of things. If its signature is known, then it can later be detected as malware, but as long as the malware makers are accomplished programmers, then they can get around the known security checks, and Microsoft simply can’t issue updates as nimbly as the malware writers can.

code_grey, I think you’re missing the fact that you can’t make a fully self-consistent system in software alone (and, even if you could, the likelihood that you wouldn’t put any exploitable bugs in is slim). Sure, Microsoft could add a program that checks for keylogging, or screenshots, or something, but what’s to stop a malicious program from just modifying that program? Or from checking to see if you’ve already got a keylogging app, or a firewall, and glomming onto them? You can require that all software be signed, but then you’re letting Microsoft dictate what software you can install, and most people (including important ones at the Department of Justice) aren’t too happy with that sort of restriction.

As long as the potential profits (stealing huge amounts of money from bank accounts) are high, then Microsoft will have difficulty stopping this on their own. That’s not to say that they can’t make life harder for the thieves, but it won’t actually solve the problem.

The real solution to this sort of thing is to change the profit potential, which involves changing the laws around banking. If it were not possible to transfer huge sums of money simply by obtaining information from a computer screen, then the profit for malicious keyloggers, etc. would be diminished. If banks were liable for such fraudulent transfers, then they’d very quickly figure out some effective security measures.

Given that there are technological solutions that exist (see capability based security), how can it be purely a user issue?

Why is the user even allowed to be an admin? To install software? Is that the only solution? An idea that is not purely software is to have a key that must be switched to the unlocked position to allow any kind of changes to the OS or applications (there are pros and cons, but it’s a start).

Microsoft certainly doesn’t have an easy job, and because originally PCs were not connected to networks they were not designed from the ground up with the kind of security we clearly need today (I know, NT was a rewrite, but clearly not enough was done), but that doesn’t mean that technology can’t go a long way to minimizing the issues (yes, users need to play their part as si_blakely correctly recapped in his/her post).


You have not answered my question about POLICY level restrictions. You just say, well, don’t install bad apps. But I am saying, we know ahead of time that bad apps will get through, so let’s design a policy that would prevent or mitigate bad consequences.

Programs can do what they do only if the OS allows that. If the OS were to disallow getting keyboard data for all apps except ones I name explicitly (I know that’s dumb, but just hypothetically here, as an extreme example) then no keylogger would work.

Or are you saying that the bad guys will just hack through any Windows policy and literally maul the OS into letting them do what they want? That may be, but then there may be ways to counter that too, e.g. we could explicitly prohibit big chunks of OS code to be modified at all on disk.


I take about 5 screenshots per day. And I would be very happy to be able to access an OS utility that would show me a list of those screenshots with timestamps (that would get especially interesting if screenshots were taken when I was not doing anything screenshot related, or maybe 100 screenshots were taken in a single day).

Again, I am not necessarily suggesting prohibiting screenshots or other potentially dangerous activities. I am suggesting adding OS level policies that would make it easy for the human to detect the fact that these things happened.

Why not start at the beginning:

  1. Why are the OS and/or installed applications allowed to be changed in any way without being initiated by the user?
  2. Why can memory be modified outside of the scope of the intended usage? For example: why do buffer overflows occur? Why is the program allowed to touch any memory with that pointer outside of the exact bounds of the declared usage? (I know, this potentially limits some popular C activities; that doesn’t mean it can’t work, we just need to find a way to restrict the possible damage.)
  3. Why is memory that is allocated for data allowed to be executed?

If the OS controlled access to every bit of memory, it would be easier to control these things, but clearly there would be a performance hit without support from hardware. However, with the extra performance available today in most PCs, there may be some amount of this that can be accomplished without hurting response time too much.
None of this solves the problems of scripted languages that have access to resources, and certainly there are things that need access to the resources but use them in a way they shouldn’t (e.g. reading an address book and sending spam, both the reading and sending may be perfectly valid for a well behaved app). That’s why I say that it’s not an easy job for Microsoft, but it doesn’t mean that significant progress can’t be made.

At least half of the proposed ideas are already in the frigging group policy. Whitelist the apps you can run: done. Disable certain key combinations: done. Not allowing certain users to do certain things: done. Disabling exceptions in the firewall: done. Detecting keyloggers? AV software will do this. Heck, Windows Defender and Security Essentials do this.

Oh, disabling screenshots via the registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout]
“Scancode Map”=hex:00,00,00,00,00,00,00,00,03,00,00,00,00,00,37,e0,00,00,54,00,

The problem is people don’t want to enable these restrictions, and when MS does enable some of these things by default, like making the UAC run as default, they just shut it off.

Like I wrote above, the biggest issue is user ignorance and user recklessness. The only solution I can think of is buying a PC as a service and having it run as a managed locked down box like an iPhone. Signed apps only, mandatory patching, etc. Maybe someone should start this business.
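For anyone auditing a machine for the Scancode Map tweak quoted above, here is an added example (not code from the thread) that decodes that REG_BINARY layout and reports which keys it disables. It takes the value exactly as posted, which ends mid-value, and flags the missing null terminator rather than guessing at it; the scancode name table is a constructed lookup covering only the two keys the posted value touches.

```python
import re
from typing import Dict, List, Tuple

# The registry value quoted in the post above, copied as posted (it ends mid-value).
POSTED_SCANCODE_MAP = "00,00,00,00,00,00,00,00,03,00,00,00,00,00,37,e0,00,00,54,00,"

# Names for the scancodes that value touches (constructed lookup, not exhaustive).
SCANCODE_NAMES = {0xE037: "Print Screen", 0x0054: "Alt+Print Screen (SysRq)"}


def parse_scancode_map(reg_text: str) -> Dict:
    """Decode a Scancode Map given in regedit '"Scancode Map"=hex:aa,bb,...' form.

    Layout: two DWORD header fields (version, flags), a DWORD count that
    includes the terminating null entry, then one DWORD per mapping whose
    low word is the replacement scancode (0 = key disabled) and whose high
    word is the original scancode (E0-prefixed keys carry E0 in the high byte).
    """
    hex_part = reg_text.split("hex:", 1)[-1]  # drop the value name if present
    data = bytes(int(b, 16) for b in re.findall(r"[0-9a-fA-F]{2}", hex_part))
    if len(data) < 12:
        raise ValueError("value too short for header and count")
    count = int.from_bytes(data[8:12], "little")
    mappings: List[Tuple[int, int]] = []  # (original scancode, replacement scancode)
    terminated = False
    body = data[12:]
    for i in range(0, len(body) - len(body) % 4, 4):
        replacement = int.from_bytes(body[i:i + 2], "little")
        original = int.from_bytes(body[i + 2:i + 4], "little")
        if original == 0 and replacement == 0:
            terminated = True  # all-zero entry closes the list
            break
        mappings.append((original, replacement))
    issues = []
    if not terminated:
        issues.append("no null terminator entry: value is truncated or malformed")
    if count != len(mappings) + 1:
        issues.append(f"count field {count} does not match {len(mappings)} mappings + terminator")
    if len(body) % 4:
        issues.append("trailing bytes do not form a whole entry")
    return {"count": count, "mappings": mappings, "terminated": terminated, "issues": issues}


def disabled_keys(parsed: Dict) -> List[str]:
    """Human-readable names of keys the map turns off (replacement scancode 0)."""
    return [SCANCODE_NAMES.get(o, f"scancode {o:#06x}") for o, r in parsed["mappings"] if r == 0]
```

As the thread goes on to note, this only neutralises the Print Screen key itself; an inventory like this tells you what the registry tweak covers, not whether anything else on the box can still capture the screen.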

Yep, grandma’s ignorance of this simple screenshot disabling technique is the problem. The solution needs to be tailored to the average computer-illiterate person, because there isn’t enough time in the day (even for a tech person like myself) to go figure out all of this stuff.

And how do you propose an average Joe figure out whether they should allow the UAC prompt or not? Should they call you? This is simply not a workable solution because they simply don’t know if it’s ok or not.

It doesn’t mean Microsoft sucks, it just means there are better solutions that start earlier in the process instead of at that point. And they aren’t easy, but it doesn’t mean you just throw your hands in the air and blame everything on the user.

That would be a good option.

The problem is that there may be multiple ways to grab those screenshots, and malware writers will seek to achieve their goal while avoiding the monitoring. That screenshot disabling thing only disables the keyboard screenshot action. Software and malware writers use programmatic methods to get the screenshot - possibly by installing a shim driver/filter into the graphics subsystem. There are multiple ways to do this, I’ve seen several approaches.

Adding the ability to monitor increases system overhead and can almost certainly be subverted or avoided. The returns don’t justify the costs when the current measures (when used appropriately) provide quite high security.