Pages

Wednesday, 14 August 2013

How to Let Someone Else Use Your Computer Without Giving Them Access To All Your Stuff

windows-7-guest-user
If you let someone use your computer, they could gain access to your saved passwords, read your email, access all your files, and more. Instead of looking over their shoulder, just use your operating system’s guest account feature.
Guest accounts are found on all desktop operating systems — from Windows and Mac to Ubuntu, Chrome OS, and other Linux distributions. The Guest account isn’t enabled by default on Windows, so you have to go out of your way to use it.
We’ve covered why it’s a good idea to use separate Windows user accounts, and using a guest account is ideal for the same reason. There’s no need to create a dedicated user account for temporary guest users.

Why You Should Use Guest Accounts

Have you ever needed to give someone else access to your computer? If you’re careful, you may have sat behind them, looking over their shoulder and ensuring they weren’t going to stumble into your private documents or unwittingly access your email. There’s a better way — use the special guest account that gives your guest limited access, allowing you to leave them alone with your computer and let them browse the web without giving them access to all your passwords, private documents, email, social media accounts, browser history, and everything else you do on your computer.

Guest accounts aren’t able to install software, configure hardware devices, change system settings, or even create a password that applies to the guest account. Guest accounts can shut down your computer — that’s about as much harm as they can do.
The guest account allows users to browse the web and use typical applications, so it’s a great way to give someone else access to your computer without feeling compelled to look over their shoulder. Even someone you trust may not access your personal data maliciously — they may open your browser, head to Gmail to check their email, and see your inbox if you’re already logged in. They’d then have to log out and log into their account, and you’d have to log back into your accounts when they’re done. Avoid this headache by using the guest account instead.

Enabling the Guest Account in Windows

To enable the guest account on Windows 7, open the Control Panel and select the Add or remove user accounts option.

On Windows 8, click the Change account type option instead.

Click the Guest icon to enable the account.

Windows will display some information — enabling the guest account will allow anyone to log into your PC and use it, although they won’t be able to access your personal files or install software. Click Turn On to enable guest access.

Using the Guest Account

Once you’ve enabled the guest account, it will be appear as a separate user account on your login screen. Anyone can log in as the guest account after booting your computer or accessing it when it’s locked.
You can log out of your current user account or use the Switch User feature to stay logged in, keeping your programs open and your account locked while allowing the guest to use your PC.

Once they’re done, they can log out of the guest account. Note that their browsing history, logged-in websites, and any other files or data they left lying around will remain accessible to future users of your guest account. Guest users should log out of any websites they accessed or just use a browser’s private browsing feature inside the guest account.

Guest Accounts on Mac, Linux, and Chrome OS

On a Mac, you can log in as the guest user by selecting the Guest User account on the login screen. If this option isn’t available, use the Users & Groups panel in System Preferences to enable the guest account.
On Ubuntu, the guest account is enabled out of the box. You can select the Guest user on the login screen to log in as the guest account.
Mac OS X and Ubuntu both automatically delete a guest user’s files when the guest user logs out, providing a fresh experience for each guest user. Windows doesn’t do this. Microsoft was working on similar functionality with “Guest Mode” when they were developing Windows 7, but this feature was dropped.

Google’s Chromebooks also offer a guest mode. Like Mac and Linux, all guest user data will be automatically wiped when the guest user logs out.

Tuesday, 13 August 2013

How Hackers Take Over Web Sites with SQL Injection / DDoS



Even if you’ve only loosely followed the events of the hacker groups Anonymous and LulzSec, you’ve probably heard about web sites and services being hacked, like the infamous Sony hacks. Have you ever wondered how they do it?
There are a number of tools and techniques that these groups use, and while we’re not trying to give you a manual to do this yourself, it’s useful to understand what’s going on. Two of the attacks you consistently hear about them using are “(Distributed) Denial of Service” (DDoS) and “SQL Injections” (SQLI). Here’s how they work.
Image by xkcd

Denial of Service Attack


What is it?
A “denial of service” (sometimes called a “distributed denial of service” or DDoS) attack occurs when a system, in this case a web server, receives so many requests at one time that the server resources are overloaded the system simply locks up and shuts down. The goal and result of a successful DDoS attack is the websites on the target server are unavailable to legitimate traffic requests.
How does it work?
The logistics of a DDoS attack may be best explained by an example.
Imagine a million people (the attackers) get together with the goal of hampering Company X’s business by taking down their call center. The attackers coordinate so that on Tuesday at 9 AM they will all call Company X’s phone number. Most likely, Company X’s phone system will not be able to handle a million calls at once so all the incoming lines will tied up by the attackers. The result is that legitimate customer calls (i.e. those that are not the attackers) do not get through because the phone system is tied up handling the calls from the attackers. So in essence Company X is potentially losing business due to the legitimate requests being unable to get through.
A DDoS attack on a web server works exactly the same way. Because there is virtually no way to know what traffic is sourced from legitimate requests vs. attackers until the web server is processing the request, this type of attack is typically very effective.
Executing the attack
Due to the “brute force” nature of a DDoS attack, you need to have lots of computers all coordinated to attack at the same time. Revisiting our call center example, this would require all the attackers to both know to call at 9 AM and actually call at that time. While this principle certainly will work when it comes to attacking a web server, it becomes significantly easier when zombie computers, instead of actual manned computers, are utilized.
As you probably know, there are lots of variants of malware and trojans which, once on your system, lie dormant and occasionally “phone home” for instructions. One of these instructions could, for example, be to send repeated requests to Company X’s web server at 9 AM. So with a single update to the home location of the respective malware, a single attacker can instantly coordinate hundreds of thousands of compromised computers to perform a massive DDoS attack.
The beauty of utilizing zombie computers is not only in its effectiveness, but also in its anonymity as the attacker doesn’t actually have to use their computer at all to execute the attack.

SQL Injection Attack


What is it?
A “SQL injection” (SQLI) attack is an exploit that takes advantage of poor web development techniques and, typically combined with, faulty database security. The result of a successful attack can range from impersonating a user account to a complete compromise of the respective database or server. Unlike a DDoS attack, an SQLI attack is completely and easily preventable if a web application is appropriately programmed.
Executing the attack
Whenever you login to a web site and enter your user name and password, in order to test your credentials the web application may run a query like the following:
SELECT UserID FROM Users WHERE UserName='myuser' AND Password='mypass';
Note: string values in a SQL query must be enclosed in single quotes which is why they appear around the user entered values.
So the combination of the entered user name (myuser) and password (mypass) must match an entry in the Users table in order for a UserID to be returned. If there is no match, no UserID is returned so the login credentials are invalid. While a particular implementation may differ, the mechanics are pretty standard.
So now let’s look at a template authentication query which we can substitute the values the user enters on the web form:
SELECT UserID FROM Users WHERE UserName=’[user]‘ AND Password=’[pass]‘
At first glance this may seem like a straightforward and logical step for easily validating users, however if a simple substitution of the user entered values is performed on this template, it is susceptible to an SQLI attack.
For example, suppose “myuser’–” is entered in the user name field and “wrongpass” is entered in the password. Using simple substitution in our template query, we would get this:
SELECT UserID FROM Users WHERE UserName='myuser'--' AND Password='wrongpass'
A key to this statement is the inclusion of the two dashes (--). This is the begin comment token for SQL statements, so anything appearing after the two dashes (inclusive) will be ignored. Essentially, the above query is executed by the database as:
SELECT UserID FROM Users WHERE UserName='myuser'
The glaring omission here is the lack of the password check. By including the two dashes as part of the user field, we completely bypassed the password check condition and were able to login as “myuser” without knowing the respective password. This act of manipulating the query to produce unintended results is a SQL injection attack.
What damage can be done?
A SQL injection attack is caused by negligent and irresponsible application coding and is completely preventable (which we will cover in a moment), however the extent of the damage which can be done depends on the database setup. In order for a web application to communicate with the backend database, the application must supply a login to the database (note, this is different than a user login to the web site itself). Depending on what permissions the web application requires, this respective database account can require anything from read/write permission in existing tables only to full database access. If this isn’t clear now, a few examples should help provide some clarity.
Based on the above example, you can see that by entering, for example, "youruser'--", "admin'--" or any other user name, we can instantly login to the site as that user without knowing the password. Once we are in the system doesn’t know we are not actually that user so we have full access to the respective account. Database permissions will not provide a safety net for this because, typically, a web site must have at least read/write access to its respective database.
Now let’s assume the web site has full control of its respective database which gives the ability to delete records, add/remove tables, add new security accounts, etc. It is important to note that some web applications could need this type of permission so it is not automatically a bad thing that full control is granted.
So to illustrate the damage which can be done in this situation, we will use the example provided in the comic above by entering the following into the user name field: "Robert'; DROP TABLE Users;--". After simple substitution the authentication query becomes:
SELECT UserID FROM Users WHERE UserName='Robert'; DROP TABLE Users;--' AND Password='wrongpass'
Note: the semicolon is in a SQL query is used to signify the end of a particular statement and the beginning of a new statement.
Which gets executed by the database as:
SELECT UserID FROM Users WHERE UserName='Robert'
DROP TABLE Users
So just like that, we have used an SQLI attack to delete the entire Users table.
Of course, much worse can be done as, depending the SQL permissions allowed, the attacker can change values, dump tables (or the entire database itself) to a text file, create new login accounts or even hijack the entire database installation.
Preventing a SQL injection attack
As we mentioned several times previously, a SQL injection attack is easily preventable. One of the cardinal rules of web development is you never blindly trust user input as we did when we performed simple substitution in our template query above.
An SQLI attack is easily thwarted by what is called sanitizing (or escaping) your inputs. The sanitize process is actually quite trivial as all it essentially does is handle any inline single quote (‘) characters appropriately such that they cannot be used to prematurely terminate a string inside of a SQL statement.
For example, if you wanted to lookup “O’neil” in a database, you couldn’t use simple substitution because the single quote after the O would cause the string to prematurely end. Instead you sanitize it by using the respective database’s escape character. Let’s assume the escape character for an inline single quote is prefacing each quote with a \ symbol. So “O’neal” would be sanitized as “O\’neil”.
This simple act of sanitation pretty much prevents an SQLI attack. To illustrate, let’s revisit our previous examples and see the resulting queries when the user input is sanitized.
myuser'-- / wrongpass:
SELECT UserID FROM Users WHERE UserName='myuser\'--' AND Password='wrongpass'
Because the single quote after myuser is escaped (meaning it is considered part of the target value), the database will literally search for the UserName of "myuser'--". Additionally, because the dashes are included within the string value and not the SQL statement itself, they will be considered part of the target value instead of being interpreted as a SQL comment.
Robert'; DROP TABLE Users;-- / wrongpass:
SELECT UserID FROM Users WHERE UserName='Robert\'; DROP TABLE Users;--' AND Password='wrongpass'
By simply escaping the single quote after Robert, both the semicolon and dashes are contained within the UserName search string so the database will literally search for "Robert'; DROP TABLE Users;--" instead of executing the table delete.

Learn How Websites Are Tracking You Online


cctv cameras header
Some forms of tracking are obvious – for example, websites know who you are if you’re logged in. But how do tracking networks build up profiles of your browsing activity across multiple websites over time?
Tracking is generally used by advertising networks to build up detailed profiles for pinpoint ad-targeting. If you’ve ever visited a business’ website and seen ads for that business on other websites later, you’ve seen it in action.

IP Addresses

The most basic way of identifying you is by your IP address. Your IP address identifies you on the Internet. These days, it’s likely that your computer shares an IP address with the other networked devices in your house or office. From your IP address, a website can determine your rough geographical location – not down to street level, but generally your city or area. If you’ve ever seen a spammy ad that tries to look legitimate by mentioning your location, this is how the ad does it.

IP addresses can change and are often used by multiple users, so they aren’t a good way of tracking a single user over time. Still, an IP address can be combined with other techniques here to track your geographical location.

HTTP Referrer

When you click a link, your browser loads the web page you clicked and tells the website where you came from. For example, if you clicked a link to an outside website on How-To Geek, the outside website would see the address of the How-To Geek article you came from. This information is contained in the HTTP referrer header.
The HTTP referrer is also sent when loading content on a web page. For example, if a web page includes an ad or tracking script, your browsers tells the advertiser or tracking network what page you’re viewing.
“Web bugs,” which are tiny, one-by-one pixel, invisible images, take advantage of the HTTP referrer to track you without appearing on a web page. They’re also used to track emails you open, assuming your email client loads images.

Cookies & Tracking Scripts

Cookies are small pieces of information websites can store in your browser. They have plenty of legitimate uses – for example, when you sign into your online-banking website, a cookie remembers your login information. When you change a setting on a website, a cookie stores that setting so it can persist across page loads and sessions.

Cookies can also identify you and track your browsing activity across a website. This isn’t necessarily a big problem – a website might want to know what pages users visit so it can tweak the user experience. What’s really pernicious are third-party cookies.

While third-party cookies also have legitimate uses, they’re often used by advertising networks to track you across multiple websites. Many websites – if not most websites – include third-party advertising or tracking scripts. If two different websites use the same advertising or tracking network, your browsing history across both sites could be tracked and linked.
Scripts from social networks can also function as tracking scripts. For example, if you’re signed into Facebook and you visit a website that contains a Facebook “Like” button, Facebook knows you visited that website. Facebook stores a cookie to save your login state, so the Like button (which is actually part of a script) knows who you are.

Super Cookies

You can clear your browser’s cookies — in fact, we’ve got a guide to clearing your browser’s cookies. However, clearing your cookies isn’t necessarily a solution – “super cookies” are increasingly common. One such super cookie is evercookie. Super cookie solutions like evercookie store cookie data in multiple places – for example, in Flash cookies, Silverlight storage, your browsing history, and HTML5 local storage. One particularly clever tracking method is assigning a unique color value to a few pixels every time a new user visits a website. The different colors are stored in each user’s browser cache and can be loaded back – the color value of the pixels is a unique identifier that identifies the user.
When a website notices that you’ve deleted part of the super cookie, the information is repopulated from the other location. For example, you might clear your browser cookies and not your Flash cookies, so the website will copy the value of the Flash cookie to your browser cookies. Super cookies are very resilient.

User Agent

Your browser also sends a user agent every time you connect to a website. This tells websites your browser and operating system, providing another piece of data that can be stored and used to target ads. For more information about user agents, check out our explanation of what a browser user agent is.

Browser Fingerprinting

Browsers are actually pretty unique. Websites can determine your operating system, browser version, installed plug-ins and their versions, your operating system’s screen resolution, your installed fonts, your time zone, and other information. If you’ve disabled cookies entirely, that’s another piece of data that makes your browser unique.
The Electronic Frontier Foundation’s Panopticlick website is an example of how this information can be used. Only one in 1.1 million people have the same browser configuration I do.

There are surely other ways that websites can track you. There’s big money in it, and people are brainstorming new ways to track every day – just see evercookie above for evidence of that.

Why Is Smartphone Battery Life So Bad?



Phones have improved dramatically in the last ten years. Modern smartphones seem like a technology from an alien civilization when placed next to the original cell phones. But battery life hasn’t improved. In fact, battery life feels like it’s getting worse.
Old dumb phones could run for a week or more on a charge, but modern smartphones often struggle to make it through an entire day. Battery technology doesn’t seem to be advancing fast enough. What gives?

Battery Technology Isn’t Improving Much

We’re all used to technology improving dramatically. Every year, CPUs, memory, displays and other components become better, faster, and cheaper to manufacture. They offer more computing power, capacity, and pixels for your money. Moore’s Law has held, and technology is improving exponentially. Smartphones today have faster CPUs, cheaper storage, more RAM, and higher-quality displays then ever. The difference between a smartphone today and one released a few years ago is huge.
However, battery technology just isn’t improving at the same pace. Battery technology isn’t completely stuck, and battery technology is definitely improving – but it’s improving by small amounts. We don’t see the exponential increase we see with other types of technology. While other parts of modern portable electronics have been improving quickly, batteries have been lagging behind. Other components are shrinking, but batteries still take up a large part of a phone’s internals.
Various people are working on new battery technologies, but it’s unclear when they’ll make it to the market. Even the most optimistic predictions leave us with only small improvements for the next few years.

Batteries Are Becoming Thinner and Smaller

Battery technology has been improving somewhat, and smartphone components are becoming more power efficient, requiring less electricity to produce the same amount of performance output. So why haven’t we seen noticeable improvements?
Modern smartphones are becoming thinner and lighter. Rather than capitalize on improvements by offering more battery life at the same form factor, smartphone manufacturers choose to make the batteries even thinner so they can shrink the size of their smartphones. The iPhone 5 is thinner and lighter than the iPhone 4S and advertises somewhat longer battery life, but the battery life could have improved more dramatically if Apple had chosen to keep the iPhone 5 the same thickness as the iPhone 4S. Like other smartphone manufacturers, Apple chose to offer a thinner, lighter phone. Larger batteries are also more expensive, so shrinking them helps keep costs down.
Extended batteries were once an option. However, as more and more phones ship without user-serviceable batteries, we no longer have the option to buy bigger batteries or carry a spare battery with most phones.
Not all phones have such tiny batteries. The Droid Razr MAXX line is loved for its long battery life, and iPhone fans craving longer battery life can buy battery packs like the popular Mophie Juice Pack. However, most phones are becoming thinner and thinner.

Push Notifications and Background Sync

A dumb phone did very little. It wasn’t constantly receiving notifications of new emails, social network updates, and other current information. It wasn’t checking your podcasts and downloading new episodes. It wasn’t checking for app updates, downloading new weather forecasts, automatically updating your location, or anything else like that.
Modern smartphones are basically just computers – in fact, they run the same software. Android uses Linux, iOS uses Darwin (Darwin powers OS X), and Windows Phone 8 uses the Windows NT kernel used by Windows on the desktop.
Your phone’s screen may be off, but the phone itself may be on and busy. We’ve explained how to identify and eliminate wakelocks on Android – wakelocks are the things that keep your phone awake when its screen is off. On Android, where apps have more freedom to misbehave thanks to a more flexible process model, bad apps could run in the background while your phone is off, consuming CPU resources.
Apple’s iOS restricts programs much more, but push notifications and syncing can still drain battery power.

Larger Screens, Faster CPUs, More Cores, and LTE Radios

Price per performance may be improving, but we’re shoving much more powerful hardware into our phones. Every year, displays get larger and higher-resolution, CPUs get faster and add cores(the Samsung Galaxy S 4 has an 8-core CPU), and LTE radios are added to more phones. While LTE allows for faster data transfers than previous generation 3G technology, LTE radios require more battery power.
There’s also more hardware in a modern smartphone than an old dumb phone. Aside from the cellular radio, there’s Wi-Fi, Bluetooth, GPS, and NFC. It may not be on all the time, but it drains your battery life when it is.


Battery technology hasn’t been improving at the exponential rate that other smartphone technologies have, so a smartphone with longer battery life requires trade-offs. You could have a smartphone with much longer battery life, but it would be heavier and thicker. You could squeeze even more battery life out of a smartphone by putting less-demanding hardware into the phone, but people want large, high-resolution displays and fast CPUs.

If One of My Passwords Is Compromised Are My Other Passwords Compromised Too?



If one of your passwords is compromised, does that automatically mean that your other passwords are also compromised? While there are quite a few variables at play, the question is an interesting look at what makes a password vulnerable and what you can do to protect yourself.
Today’s Question & Answer session comes to us courtesy of SuperUser—a subdivision of Stack Exchange, a community-drive grouping of Q&A web sites.

The Question

SuperUser reader Michael McGowan is curious how far reaching the impact of a single password breach is; he writes:
Suppose a user uses a secure password at site A and a different but similar secure password at site B. Maybe something like mySecure12#PasswordA on site A and mySecure12#PasswordB on site B (feel free to use a different definition of “similarity” if it makes sense).
Suppose then that the password for site A is somehow compromised…maybe a malicious employee of site A or a security leak. Does this mean that site B’s password has effectively been compromised as well, or is there no such thing as “password similarity” in this context? Does it make any difference whether the compromise on site A was a plain-text leak or a hashed version?
Should Michael worry if his hypothetical situation comes to pass?

The Answer

SuperUser contributors helped clear up the issue for Michael. Superuser contributor Queso writes:
To answer the last part first: Yes, it would make a difference if the data disclosed were cleartext vs. hashed. In a hash, if you change a single character, the entire hash is completely different. The only way an attacker would know the password is to brute force the hash (not impossible, especially if the hash is unsalted. see rainbow tables).
As far as the similarity question, it would depend on what the attacker knows about you. If I get your password on site A and if I know you use certain patterns for creating usernames or such, I may try those same conventions on passwords on sites you use.
Alternatively, in the passwords you give above, if I as an attacker see an obvious pattern that I can use to separate a site-specific portion of the password from the generic password portion, I will definitely make that part of a custom password attack tailored to you.
As an example, say you have a super secure password like 58htg%HF!c. To use this password on different sites, you add a site-specific item to the beginning, so that you have passwords like: facebook58htg%HF!c, wellsfargo58htg%HF!c, or gmail58htg%HF!c, you can bet if I hack your facebook and get facebook58htg%HF!c I am going to see that pattern and use it on other sites I find that you may use.
It all comes down to patterns. Will the attacker see a pattern in the site-specific portion and generic portion of your password?
Another Superuser contributor, Michael Trausch, explains how in most situations the hypothetical situation isn’t much cause for concern:
To answer the last part first: Yes, it would make a difference if the data disclosed were cleartext vs. hashed. In a hash, if you change a single character, the entire hash is completely different. The only way an attacker would know the password is to brute force the hash (not impossible, especially if the hash is unsalted. see rainbow tables).
As far as the similarity question, it would depend on what the attacker knows about you. If I get your password on site A and if I know you use certain patterns for creating usernames or such, I may try those same conventions on passwords on sites you use.
Alternatively, in the passwords you give above, if I as an attacker see an obvious pattern that I can use to separate a site-specific portion of the password from the generic password portion, I will definitely make that part of a custom password attack tailored to you.
As an example, say you have a super secure password like 58htg%HF!c. To use this password on different sites, you add a site-specific item to the beginning, so that you have passwords like: facebook58htg%HF!c, wellsfargo58htg%HF!c, or gmail58htg%HF!c, you can bet if I hack your facebook and get facebook58htg%HF!c I am going to see that pattern and use it on other sites I find that you may use.
It all comes down to patterns. Will the attacker see a pattern in the site-specific portion and generic portion of your password?
If you’re concerned that you current password list isn’t diverse and random enough, we highly recommend checking out our comprehensive password security guide: How To Recover After Your Email Password Is Compromised. By reworking your password lists as if the mother of all passwords, your email password, has been compromised, it’s easy to quickly bring your password portfolio up to speed.

6 Ways Windows 8 Is More Secure Than Windows 7

00_lead_image_windows_8
Whatever you think of it, Windows 8 isn’t just a new interface slapped on top of Windows 7. Windows 8 has seen a lot of security improvements, including an integrated antivirus, an application reputation system, and protection from boot-time rootkits.
There are also quite a few low-level security improvements under the hood. Microsoft hasn’t spelled out all of them, but Windows 8 manages memory in a more secure way and includes features that make security vulnerabilities harder to exploit.

Integrated Antivirus

Windows 8 finally includes an integrated antivirus program. it’s named Windows Defender, but the interface will be immediately familiar to anyone that’s ever used Microsoft Security Essentials – this is Microsoft Security Essentials with a new name. You can easily install any other antivirus you prefer and Windows Defender will be automatically disabled if another antivirus is running, but the integrated antivirus is a capable product. Best of all, this ensures that all Windows users will finally have antivirus protection out-of-the-box.

Early Launch Anti-Malware

In Windows 8, antivirus products can start earlier in the boot-up process to scan the system’s drivers for malware. This helps protect against rootkits that start before the antivirus program and hide from it. Windows Defender starts earlier in the boot process out-of-the-box, and third-party antivirus vendors can also add the Early-Launch Anti-Malware (ELAM) feature to their products.

SmartScreen Filter

Previously used only in Internet Explorer, the SmartScreen filter is now implemented at the operating system-level. It will be used to scan EXE files you download from Internet Explorer, Mozilla Firefox, Google Chrome, and other programs. When you download and double-click an EXE file, Windows will scan the file and send its signature to Microsoft’s servers. If the application is known-good, such as the installer for iTunes, Photoshop, or another popular program, Windows will allow it to run. If it’s known-bad, perhaps if it contains malware, Windows will prevent it from running. If it’s new and Windows doesn’t know what it is, Windows will warn you and allow you to bypass the warning.
This feature should help less-experienced users from downloading and running malicious programs from the Internet. Even new pieces of malware will be detected by the SmartScreen filter as an unknown new program that should be approached with caution. Read more about the new SmartScreen filter here.

Secure Boot

On new Windows 8 computers that use the UEFI firmware instead of the old-style BIOS, Secure Boot guarantees that only specially signed and approved software can run at boot. On current computers, malware could install a malicious boot loader that loads before the Windows boot loader, starting a boot-level rootkit (or “bootkit”) before Windows even launches. The rootkit could then hide itself from Windows and antivirus software, pulling the strings in the background.
On Intel x86 PCs, you’ll be able to add your own security keys to the UEFI firmware, so you could even have your system boot only secure Linux boot loaders that you’ve signed. Read more about Secure Boot here.

Memory Management Improvements

Microsoft has made a lot of under-the-hood improvements to the way Windows 8 manages memory. When a security hole is found, these improvements can make the security hole harder or even impossible to exploit. Some types of exploits that function on earlier versions of Windows wouldn’t function at all on Windows 8.
Microsoft hasn’t spelled out all of these improvements, but they have mentioned a few:
  • ASLR (Address Space Layout Randomization) has been extended to more parts of Windows, randomly moving data and code around in memory to make it harder to exploit.
  • Mitigations that were once applied to Windows applications are now also applied to the Windows kernel.
  • The Windows heap, where Windows applications receive their memory from, includes additional checks to defend against exploit techniques.
  • Internet Explorer 10 includes improvements that make 75% of the security vulnerabilities reported over the last two years more difficult to exploit.

New Apps Are Sandboxed

Apps for Windows 8’s new Modern interface (formerly known as Metro) are sandboxed and restricted in what they can do on your computer.
On the Windows desktop, applications had full access to your system. If you downloaded and ran a Windows game, it could install drivers on your system, read files from everywhere on your hard drive, and install malware on your computer. Even if programs run with limited credentials thanks to UAC, they typically install with Administrator privileges and can do anything they want during installation.
Windows 8 apps function more like web pages and mobile apps on other popular mobile platforms. When you install an app from the Windows Store, that app has limited access to your system. It can’t run in the background and monitor all your keystrokes, logging your credit card number and online banking passwords like applications on the traditional Windows desktop can. it doesn’t have access to every file on your system.
Apps for Windows 8’s new Modern interface are also available only available through the Windows Store, which is more controversial. However, users can’t install malicious Modern apps from outside the store. They’d have to go through the Windows Store, where Microsoft has the ability to pull them if they’re discovered to be malicious.

How Attackers Actually “Hack Accounts” Online and How to Protect Yourself

silly-hacker-stock-photo
People talk about their online accounts being “hacked,” but how exactly does this hacking happen? The reality is that accounts are hacked in fairly simple ways — attackers don’t use black magic.
Knowledge is power. Understanding how accounts are actually compromised can help you secure your accounts and prevent your passwords from being “hacked” in the first place.

Reusing Passwords, Especially Leaked Ones

Many people — maybe even most people — reuse passwords for different accounts. Some people may even use the same password for every account they use. This is extremely insecure. Many websites — even big, well-known ones like LinkedIn and eHarmony — have had their password databases leaked over the past few years. Databases of leaked passwords along with usernames and email addresses are readily accessible online. Attackers can try these email address, username, and passwords combinations on other websites and gain access to many accounts.
Reusing a password for your email account puts you even more at risk, as your email account could be used to reset all your other passwords if an attacker gained access to it.
However good you are at securing your passwords, you can’t control how well the services you use secure your passwords. If you reuse passwords and one company slips up, all your accounts will be at risk. You should use different passwords everywhere — a password manager can help with this.

Keyloggers

Keyloggers are malicious pieces of software that can run in the background, logging every key stroke you make. They’re often used to capture sensitive data like credit card numbers, online banking passwords, and other account credentials. They then send this data to an attacker over the Internet.
Such malware can arrive via exploits — for example, if you’re using an outdated version of Java, as most computers on the Internet are, you can be compromised through a Java applet on a web page. However, they can also arrive disguised in other software. For example, you may download a third-party tool for an online game. The tool may be malicious, capturing your game password and sending it to the attacker over the Internet.
Use a decent antivirus program, keep your software updated, and avoid downloading untrustworthy software.

Social Engineering

Attackers also commonly use social engineering tricks to access your accounts. Phishing is a commonly known form of social engineering — essentially, the attacker impersonates someone and asks for your password. Some users hand their passwords over readily. Here are some examples of social engineering:
  • You receive an email that claims to be from your bank, directing you to a fake bank website and asking you to fill in your password.
  • You receive a message on Facebook or any other social website from a user that claims to be an official Facebook account, asking you to send your password to authenticate yourself.
  • You visit a website that promises to give you something valuable, such as free games on Steam or free gold in World of Warcraft. To get this fake reward, the website requires your username and password for the service.
Be careful about who you give your password to — don’t click links in emails and go to your bank’s website, don’t give away your password to anyone who contacts you and requests it, and don’t give your account credentials to untrustworthy websites, especially ones that appear too good to be true.

Answering Security Questions

Passwords can often be reset by answering security questions. Security questions are generally incredibly weak — often things like “Where were you born?”, “What high school did you go to?”, and “What was your mother’s maiden name?”. It’s often very easy to find this information on publicly-accessible social networking sites, and most normal people would tell you what high school they went to if they were asked. With this easy-to-get information, attackers can often reset passwords and gain access to accounts.
Ideally, you should use security questions with answers that aren’t easily discovered or guessed. Websites should also prevent people from gaining access to an account just because they know the answers to a few security questions, and some do — but some still don’t.

Email Account and Password Resets

If an attacker uses any of the above methods to gain access to your email accounts, you’re in bigger trouble. Your email account generally functions as your main account online. All other accounts you use are linked to it, and anyone with access to the email account could use it to reset your passwords on any number of sites you registered at with the email address.
For this reason, you should secure your email account as much as possible. It’s especially important to use a unique password for it and guard it carefully.

What Password “Hacking” Isn’t

Most people likely imagine attackers trying every single possible password to log into their online account. This isn’t happening. If you tried to log into someone’s online account and continued guessing passwords, you would be slowed down and prevented from trying more than a handful of passwords.
If an attacker was capable of getting into an online account just by guessing passwords, it’s likely that the password was something obvious that could be guessed on the first few tries, such as “password” or the name of the person’s pet.
Attackers could only use such brute-force methods if they had local access to your data — for example, let’s say you were storing an encrypted file in your Dropbox account and attackers gained access to it and downloaded the encrypted file. They could then try to brute-force the encryption, essentially trying every single password combination until one works.

People who say their accounts have been “hacked” are likely guilty of re-using passwords, installing a key logger, or giving their credentials to an attacker after social engineering tricks. They may also have been compromised as a result of easily guessed security questions.
If you take proper security precautions, it won’t be easy to “hack” your accounts. Using two-factor authentication can help, too — an attacker will need more than just your password to get in.