At the summer hacker conferences, researchers have been talking up Windows 8 and its improved security. They talk a good game, but here’s the end run around it.
During a casual search of file sharing services looking for material with my byline, I found something. Intrigued, I clicked on the link to see what would happen. What didn’t happen was what I expected, which was my browser asking me if I wanted to open or download a PDF file. Instead, the site wanted to send me an executable file that would in turn download the requested PDF.
I didn’t run it.
I’m approximately 50% certain the executable would in fact download the file for me. The trouble is, what else was that executable file going to do? I had no way of knowing. So I cancelled the download. I’m absolutely positive that if I’d scanned the file for viruses, it would have come up clean. But all the program has to do is download the malicious code, instead of carrying it onboard.
The problem with trying to secure an operating system is that when there are web sites out there willing to entice users with free, desirable content, some segment of the population is going to eagerly click on anything and everything they have to click on in order to get it. Some won’t even care if their computers get infected along the way. Most of those who remain will just believe that the antivirus program they’re running will protect them. (Want to place a bet on whether that antivirus program is itself pirated, or expired?)
Whatever else you want to say about Windows 8, I don’t see it causing much of a change in my workload. All it takes is a few people willing to click through whatever the machine says, and in my experience, there’s no shortage of those.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.