Capturing online passwords and Antivirus…

The “traditional means” of capturing online passwords has been the “key-logger”, which for decades has captured every keystroke typed by the local user. Recently, Antivirus companies have added extra protection intended to stop key-loggers from collecting passwords. This protection goes by various names depending on the Antivirus company, such as safepay, password manager, etc. Almost all of these protections integrate a virtual keyboard, which requires clicking the password characters and/or using a touchscreen to enter the password instead of traditional keyboard strokes.

Do they actually work?

The short answer is yes: they can prevent key-loggers from collecting the password, since the keyboard is not used for entering account information. The problem is that if the end user’s computer has a key-logger, the machine also has a root-kit (a requirement for installing the key-logger) that has full access to the system, including the Antivirus. As such, the root-kit can routinely exempt itself from Antivirus protection and, in theory, it could capture the virtual keystrokes as well.

Hackers always seem to be ahead of Antivirus solutions, and that certainly seems to be the case for capturing online passwords. Instead of using a key-logger, they have developed a solution that captures the user’s account credentials with an HTML form grabber. The form grabber “grabs” the authentication credentials from within the browser, where the login credentials are entered. It does not matter whether these credentials are entered by keyboard, by virtual keyboard, or by auto-fill; the form grabber captures them. The malicious package was released in May 2013, around the time Antivirus companies started to advertise/claim that they secure the end user’s passwords. Coincidence, you might say? It could be… The HTML form grabber also requires a root-kit for its operation, just like the key-loggers above.

In both cases, the common requirement for capturing the end user’s authentication credentials is the root-kit; without it, neither of them can capture the password. The Antivirus solutions would be better off preventing the root-kit from getting onto the computer, instead of rolling out additional features with dubious claims.

The Antivirus solution, while it is still necessary, requires additional security measures to augment protection against root-kits. Friends, don’t let friends rely on Antivirus protection only…


How to block Windows 8.1 smart search…

The previous blog described the inner workings of Windows 8.1 smart search and its privacy and security risks. This blog will look at ways to block Microsoft from tracking the end user’s activities.

The Windows 8.1 preview version does not have an “uninstall” option for the smart search and, as such, disabling smart search based tracking requires system and firewall policy modifications.

The easiest way to block Microsoft from tracking the end user is simply to not use the smart search, or “Search Charm”. Other searches in the preview version (Windows Explorer, browsers, applications, etc.) are not integrated with Bing searches. They may well be in the final version, but they are not in the preview.

If that’s not an option, here are some of the ways that can help prevent the smart search from dishing out advertisements to the unsuspecting end user.

  1. As stated in the previous blog, the “Search & Apps” options can be changed so that Bing search results are not received within the smart search; in this case the web search results are not displayed, but the tracking data is still transferred to Redmond.
  2. Turn off “Windows Location Provider” and “Windows Search”, accessible through “Control Panel\Add/Remove Programs and Features\Turn Windows features on or off”. This also stops the web search results from being displayed, but tracking data is still transferred to Microsoft.
  3. Block access to the destination server via the firewall policy, by DNS name and/or IP address, at the Internet gateway.

Turning off Windows features requires local administrator access and rebooting the system for the changes to take effect. The actual change is simply removing a check-mark, as shown below:

Windows features

The colors indicate the impact on the system of disabling the feature. For desktops, the “Windows Location Provider” (which simply tracks the location of the computer) can be safely removed. Removing the “Windows Search” feature will have a performance impact, and locating files on the local system will take longer. As such, proceed with caution.

When the two Windows features are disabled, the local search still works through the smart search; however, the web search throws an error message:

Windows search feature disabled

Is it just me, or is the second “your search” in this message unnecessary?


The firewall policy can block access to Redmond’s destination server, which does stop Microsoft from tracking end users’ activities. The policy is rather simple, such as “source address=any”, “protocol=any”, “destination=Redmond destination DNS/IP”. The local system search results are displayed, tracking data is not transferred to Microsoft, and the web search displays an error message:

Smart search blocked
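A scripted, host-level version of steps 2 and 3 above, added here as an example and not taken from the original post: it disables the two Windows features by the display names the post uses and adds an outbound Windows Firewall block rule. It assumes an elevated PowerShell session on the Windows 8.1 preview (PowerShell 4.0, DISM and NetSecurity modules), and REDMOND_DESTINATION_IP is a placeholder for the destination address the post does not name.

```powershell
# Added example (not from the original post): host-level equivalent of steps 2 and 3.
# Assumptions: elevated PowerShell 4.0 on Windows 8.1; REDMOND_DESTINATION_IP is a
# placeholder for the destination address the post does not name.
#Requires -RunAsAdministrator

# Placeholder: replace with the address(es) observed for the smart search destination.
# Windows Firewall rules take IP addresses, not DNS names, so resolve a name first.
$BlockedAddresses = @('REDMOND_DESTINATION_IP')

# Step 2: find the two optional features by the display names used in the post.
# (The list call only returns FeatureName; the per-feature call adds DisplayName.)
$targetNames = @('Windows Location Provider', 'Windows Search')
$features = Get-WindowsOptionalFeature -Online |
    ForEach-Object { Get-WindowsOptionalFeature -Online -FeatureName $_.FeatureName } |
    Where-Object { $_.DisplayName -in $targetNames }

foreach ($feature in $features) {
    if ($feature.State -eq 'Enabled') {
        Write-Host "Disabling $($feature.DisplayName) ($($feature.FeatureName))"
        Disable-WindowsOptionalFeature -Online -FeatureName $feature.FeatureName -NoRestart | Out-Null
    } else {
        Write-Host "$($feature.DisplayName) is already $($feature.State)"
    }
}

# Step 3: outbound block rule matching the post's policy (source any, protocol any,
# destination = the Redmond server). Protocol defaults to Any when not specified.
$ruleName = 'Block Windows 8.1 smart search destination'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Action Block -Enabled True -Profile Any `
        -RemoteAddress $BlockedAddresses | Out-Null
}

# Verify: both features should now report Disabled and the rule should be present.
foreach ($feature in $features) {
    Get-WindowsOptionalFeature -Online -FeatureName $feature.FeatureName |
        Select-Object DisplayName, State
}
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
Write-Host 'Reboot for the feature changes to take effect.'
```

A host firewall rule is only as trustworthy as the host; the post's own recommendation is to enforce the block at the Internet gateway as well.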

And that’s quite alright… If I want to be bombarded with advertisements, I’ll use a browser…

Windows 8.1 smart search… Is it really smart?

The Windows 8.1 preview introduced the “Search Charm”, which includes searching the Internet via Bing:

Charm

The default search option is to search everywhere when the search charm is selected:

Search default

The drop-down arrow lists the options for limiting the search to the selected area:

Select search option

Selecting any of the options causes the search results to be displayed for the chosen area only.

As the search term(s) are entered, highlights of the results are displayed:

Search result display

Priority is given to local search results over the web search results, which are hyperlinked. Clicking on any of the results brings up the application handling the file type. In this example, the “DDR3 memory.docx” file opens in MS Word on the desktop; the web link for “ddr3 memory” opens a Wikipedia page in IE11, also on the desktop.

Continuing the search displays the results in full screen, with local search results on the left and the web search results on the right:

ddr3 search results display

The web search results are the same as Bing’s search results in an actual browser, with one difference. The browser lists the “” as the first link.
The order of the web links is influenced by advertisement for the smart search, the same way it influences the browser search results. Integrating paid advertisement into the Operating System (OS) isn’t new either; arguably, Apple and Google are ahead of Microsoft in this respect. Right or wrong, it is a business decision by Microsoft that prioritizes advertisement revenue, as evidenced by the statements in the search settings:

Default Search Option

Integrating advertisement-driven search results into the OS does present a privacy risk to the end user. Making the web search integration the default option, while understandable from a business perspective, should not be the default for end users. Fortunately, Microsoft allows opting out of Bing searches in the OS:

Opt-out from Bing search

End users who opt out of Bing searches will receive local system search results only. Kudos to Microsoft for providing an interface that disables the Bing web search integration in the OS.

The question is, does the opt-out really disable Bing web search? The short answer is seemingly yes. Doing a search with the “Everywhere” option selected results in displaying local system search results only.

The long answer is that while web searches are not displayed, the “smart search” continues tracking the end user’s search activities. Any time the user opens the “Search Charm”, the OS will:

  1. Establish a TLS 1.2 encrypted connection to a destination server
  2. Once the search term(s) are entered, send them to Microsoft
  3. Possibly send the local system search results to Microsoft as well (this may or may not happen)
  4. Not display the web search results

Microsoft should state that disabling Bing searches does not stop “smart search” from tracking end user activities.

The “smart search” poses a privacy risk to the end user and, in addition, it could become a security risk as well, especially if hackers “re-engineer” Microsoft’s smart search and use it for their own malicious purposes. The smart search is nothing more than a combination of APIs that could be called by malicious software to collect information about end users. The Bing search results could also be changed on the fly to redirect the browser to a site that hosts malicious software before connecting the end user to the legitimate website.

In some ways, Microsoft has made it easier for hackers to exploit end users. Smart, real smart Microsoft…