10, 9, 8, 7… We have lift off (of your data)

 In ITC's Threat of the Week

If you were paying attention, a couple of weeks back we raised the subject of the enormous amount of data being exfiltrated from your machines to the mountain halls (well, DataCentres) of Microsoft when you use Windows 10, especially if it is configured with the default express settings.

What data do they collect? Well quite a lot actually:

  • Search queries submitted to Bing
  • A voice command to Cortana
  • Private communications including email content
  • Information from a document uploaded to OneDrive
  • Requests to Microsoft for support
  • Error reports
  • Information gathered from cookies
  • Data collected from third parties

This was discovered just after the launch of Windows 10, when Microsoft changed their End User License Agreement to make it ok, at least on paper.

The subsequent furore in the press, both technical and mainstream, barely registered an acknowledgment from the Lords in their Redmond castle, who, in a massive ‘up yours’ to their loyal customers, have now deployed much of the snooping tech into the previous Windows versions 7 and 8 by way of a set of patches:

  • KB3068708 – Update for customer experience and diagnostic telemetry – This update introduces the Diagnostics and Telemetry tracking service to existing devices. By applying this service, you can add benefits from the latest version of Windows to systems that have not yet upgraded. The update also supports applications that are subscribed to Visual Studio Application Insights. (Windows 8.1, Windows Server 2012 R2, Windows 7 Service Pack 1 (SP1), and Windows Server 2008 R2 SP1)
  • KB3022345 (replaced by KB3068708) – Update for customer experience and diagnostic telemetry – This update introduces the Diagnostics and Telemetry tracking service to in-market devices. By applying this service, you can add benefits from the latest version of Windows to systems that have not yet been upgraded. The update also supports applications that are subscribed to Visual Studio Application Insights. (Windows 8.1, Windows Server 2012 R2, Windows 7 Service Pack 1 (SP1), and Windows Server 2008 R2 SP1)
  • KB3075249 – Update that adds telemetry points to consent.exe in Windows 8.1 and Windows 7 – This update adds telemetry points to the User Account Control (UAC) feature to collect information on elevations that come from low integrity levels. (Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows 7 Service Pack 1 (SP1), and Windows Server 2008 R2 SP1)
  • KB3080149 – Update for customer experience and diagnostic telemetry – This package updates the Diagnostics and Telemetry tracking service on existing devices. This service provides benefits from the latest version of Windows to systems that have not yet upgraded. The update also supports applications that are subscribed to Visual Studio Application Insights. (Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows 7 Service Pack 1 (SP1), and Windows Server 2008 R2 SP1)


We recommend that you do not install these patches and if you have made the mistake of installing them, remove them using the Control panel or the following command as an admin user:

wusa /uninstall /kb:3080149 /quiet /norestart

Obviously this only removes patch KB3080149. We are confident that you can work out the magic runes for the other three patches.

It might also be a good idea to restrict communications from your corporate machines to the following servers, which are hardcoded into the patches, although we cannot guarantee that blocking them will not stop other Microsoft services from working correctly:

vortex-win.data.microsoft.com

settings-win.data.microsoft.com
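The steps above (check which of the four patches are present, remove them with wusa, and identify the two telemetry servers) collected into one script. This is an added example, not code from the original ITC post. It assumes PowerShell 3.0 or later running elevated, that wusa.exe is available (it is on Windows 7 and 8.1), and that the Diagnostics Tracking Service is registered under the service name DiagTrack, which is a known Windows service name rather than something stated in the post.

```powershell
# Added example, not from the original ITC post: report which of the four
# telemetry updates listed above are installed, remove them with the same wusa
# command the post gives, and resolve the two hard-coded telemetry hostnames so
# the addresses can go into a proxy or firewall rule. Run from an elevated
# PowerShell prompt (3.0 or later); set $Remove to $false for a report-only run.

$Remove = $true

$TelemetryUpdates = @('KB3068708', 'KB3022345', 'KB3075249', 'KB3080149')
$TelemetryHosts   = @('vortex-win.data.microsoft.com', 'settings-win.data.microsoft.com')

# Get-HotFix lists installed updates by their KB identifier (HotFixID).
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

foreach ($kb in $TelemetryUpdates) {
    if ($installed -notcontains $kb) {
        Write-Host "$kb : not installed"
        continue
    }
    if (-not $Remove) {
        Write-Host "$kb : INSTALLED (report-only run, not removed)"
        continue
    }
    $number = $kb.Substring(2)          # wusa wants the bare number: /kb:3080149
    $proc = Start-Process -FilePath 'wusa.exe' `
        -ArgumentList "/uninstall /kb:$number /quiet /norestart" -Wait -PassThru
    # Exit code 0 means removed; 3010 means removed but a reboot is still needed.
    Write-Host "$kb : wusa exit code $($proc.ExitCode)"
}

# The updates install the Diagnostics Tracking Service. Its service name,
# DiagTrack, is a known Windows name (an assumption here, not taken from the
# post). Show its state so a leftover service is noticed after the patches go.
$svc = Get-Service -Name DiagTrack -ErrorAction SilentlyContinue
if ($svc) { Write-Host "DiagTrack service present, status: $($svc.Status)" }
else      { Write-Host 'DiagTrack service not present' }

# Resolve the telemetry hostnames. Addresses change over time, so this is a
# starting point for a rule, not a permanent list; block by name on the proxy
# where you can.
foreach ($h in $TelemetryHosts) {
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($h) | ForEach-Object { $_.IPAddressToString }
        Write-Host "$h -> $($addrs -join ', ')"
    } catch {
        Write-Host "$h -> could not resolve ($($_.Exception.Message))"
    }
}
```

Run it once with `$Remove = $false` first to see what is installed, then again with `$Remove = $true`; a 3010 exit code means the removal worked but the machine still needs a restart, which the `/norestart` switch deliberately defers.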

It’s not just the abuse of one’s privacy that worries us here. With all this data being pumped out of your environment by greedy Big Data miners, traffic that may indicate a malware or APT infection becomes much harder to spot amongst the burgeoning session logs generated by your proxies and firewalls.

ITC’s NetSure360° platform already looks automatically for traffic to and from sites with poor reputation. We continue to work on this feature and will bolster it in future with analytics that inspect the type and frequency of data leaving the enterprise, as well as the destination name and address. Watch this space.
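The two paragraphs above make the defender's point: telemetry noise buries the outbound traffic you actually need to look at, so it helps to account for the known telemetry destinations separately and review only what is left, ranked by volume and frequency. The script below does that over a proxy log. It is an added example, not part of the original post or of the NetSure360° platform; the log lines are constructed, and the field layout (timestamp, client IP, method, destination host, bytes sent) is an assumption, so adapt $LinePattern to whatever your proxy actually writes.

```powershell
# Added example, not from the original ITC post. It tallies a proxy log by
# destination so that the two telemetry hostnames named in the post are reported
# as expected noise, leaving a shorter list of unexplained outbound destinations
# to review. Needs PowerShell 3.0 or later.

$KnownTelemetryHosts = @(
    'vortex-win.data.microsoft.com',
    'settings-win.data.microsoft.com'
)

# Constructed sample log, one request per line:
# <timestamp> <client IP> <method> <destination host> <bytes sent by client>
$SampleLog = @'
2015-09-07T08:00:01 10.1.2.10 POST vortex-win.data.microsoft.com 48213
2015-09-07T08:00:02 10.1.2.11 POST vortex-win.data.microsoft.com 51007
2015-09-07T08:00:05 10.1.2.11 GET settings-win.data.microsoft.com 612
2015-09-07T08:00:09 10.1.2.10 GET www.example.com 1420
2015-09-07T08:01:10 10.1.2.12 POST vortex-win.data.microsoft.com 49990
2015-09-07T08:02:33 10.1.2.12 POST files.example.net 2097152
2015-09-07T08:02:40 10.1.2.12 POST files.example.net 2097152
'@

# Field layout is an assumption; change this to match your proxy's log format.
$LinePattern = '^(?<ts>\S+)\s+(?<client>\S+)\s+(?<method>\S+)\s+(?<dest>\S+)\s+(?<bytes>\d+)$'

function Get-EgressSummary {
    param(
        [string[]]$Lines,
        [string[]]$KnownHosts
    )
    $byDest = @{}
    foreach ($line in $Lines) {
        if (-not ($line -match $LinePattern)) { continue }   # skip malformed lines
        $dest  = $Matches['dest']
        $bytes = [long]$Matches['bytes']
        if (-not $byDest.ContainsKey($dest)) {
            $byDest[$dest] = [pscustomobject]@{
                Destination = $dest
                Known       = ($KnownHosts -contains $dest)
                Requests    = 0
                BytesOut    = [long]0
                Clients     = @{}      # distinct client IPs seen talking to it
            }
        }
        $entry = $byDest[$dest]
        $entry.Requests++
        $entry.BytesOut += $bytes
        $entry.Clients[$Matches['client']] = $true
    }
    # One row per destination, with the distinct client count instead of the set.
    $byDest.Values | ForEach-Object {
        [pscustomobject]@{
            Destination = $_.Destination
            Known       = $_.Known
            Requests    = $_.Requests
            BytesOut    = $_.BytesOut
            Clients     = $_.Clients.Count
        }
    }
}

$rows = Get-EgressSummary -Lines ($SampleLog -split "`r?`n") -KnownHosts $KnownTelemetryHosts

$totalBytes     = ($rows | Measure-Object -Property BytesOut -Sum).Sum
$telemetryBytes = ($rows | Where-Object { $_.Known } | Measure-Object -Property BytesOut -Sum).Sum

"Known telemetry destinations account for {0:P1} of bytes out" -f ($telemetryBytes / $totalBytes)
''
'Known telemetry destinations (expected noise):'
$rows | Where-Object { $_.Known } | Sort-Object BytesOut -Descending | Format-Table -AutoSize
'Remaining destinations to review (largest senders first):'
$rows | Where-Object { -not $_.Known } | Sort-Object BytesOut -Descending | Format-Table -AutoSize
```

On the constructed sample the telemetry hosts produce most of the request count but a small share of the bytes, while a single client pushing two large POSTs to files.example.net rises to the top of the review list; that is exactly the kind of entry the telemetry chatter would otherwise hide in a flat session log. Feed it real proxy output with `Get-Content` in place of `$SampleLog` and keep the known-hosts list short: every name you add to it is traffic you have decided not to look at.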

Perhaps we were wrong to insist you migrated from Windows XP, which remains (relatively) Microsoft Spyware free, but is almost certain to be carrying the software equivalent of The Plague by now.

If you would like more details about data slurping, malware identification and prevention or any security related topic, please contact us on: 020 7517 3900 or email enquiries@itcsecure.com


Author: Kevin Whelan
