Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

OS tied to Email Account question


  • Please log in to reply
8 replies to this topic

#1 Winterland

Winterland

  • Members
  • 995 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Land of Enchantment
  • Local time:12:18 AM

Posted 19 October 2014 - 08:19 AM

Hello.

 

So, I just got done testing out the Windows 10 Tech Preview and I'm glad I did but not over the moon about it.

 

I'm very comfortable with Windows 7 and will hang on to that the way others are/were clinging to XP.

 

As I was testing the OS the one item that seemed odd to me and that a little unsure of was the requirement of having to log into my OS with my email credentials.

 

I realize this started with Windows 8 and that, I believe (but am not sure) that Apple OS' require this also but I don't like this idea of logging onto my local machine and it immediately "calls home" and heads to my email account.

 

            Please note that I am not seeking to bash Microsoft here.

 

There are things I don't like about how MS does business, but I can say the same about Target stores, Bojangles, Wal-Mart, etc, so this is not my focus.

 

Instead, I'm wondering - and am seeking technical-based feedback - about the dangers of having your Local Machine having to log into your email account on Start Up.

 

It hasn't been addressed on the articles that I searched for, most of them literally say, "get over it" or some other oddly dismissive statement. I know that you can log on without email credentials, but every article I read mentions the "reduced functionality" of the OS if a person elects to take that route.

 

 

Is this the new trend?

 

And, if your email is hacked - and don't we see a lot of that here at BC - is your machine compromised?

 

Any feedback, or articles that address this would be greatly appreciated and again, any bashing of MS will be ignored.

 

Admin / Mods - if you think this Topic doesn't belong here, please move it to the appropriate part of the Forums.

 

Thank you.

 

Winterland

 

 

 

 

 

 


Photobucket removed my cool flag - idiots!

 

Every calculation based on experience elsewhere fails in New Mexico.


BC AdBot (Login to Remove)

 


#2 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:18 AM

Posted 19 October 2014 - 08:51 AM

This started with Windows 8, but is not mandatory.

 

When you start using Windows 8/10 and you have to create your account, you can refuse to enter your "e-mail credentials" and create a local account in stead (like we do on Windows 7 and older).

 

I do this on my Windows 8.1 machine (and I did it with the Windows 10 technical preview), and I'm not bothered by the "reduced functionality".

 

Anyways, if you want to use it, there is nothing that prevents you from creating a dedicated e-mail account. You would only use it for Windows 8, and not e-mail with it.


Edited by Didier Stevens, 19 October 2014 - 08:54 AM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 Winterland

Winterland
  • Topic Starter

  • Members
  • 995 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Land of Enchantment
  • Local time:12:18 AM

Posted 20 October 2014 - 09:37 AM

Hello Didier and thanks for the feedback.

 

The idea of creating an email account dedicated just for the OS was (and is) the process that I've taken, and was wondering if others did it as well.

 

When I got my first Android phone a few years back I created a Gmail Email account and have used it exclusively for that, never even sending an email out from it ever.

 

Heck, it's so off-the-grid that I don't even get Spam - the only email account I have that can boast that.

 

I will consider among my new Best Practices.

 

 

As for newbies or someone who doesn't take that route - I'm still left wondering:

 

If your MS/Outlook/Hotmail email account is hacked or otherwise compromised, does that allow the hacker to have access to your local machine?

 

I haven't seen this mentioned and/or addressed and was wondering if anyone had seen talk of this dynamic?

 

Thanks again for checking in and the feedback.

 

Winterland

 

 


Photobucket removed my cool flag - idiots!

 

Every calculation based on experience elsewhere fails in New Mexico.


#4 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:18 AM

Posted 22 October 2014 - 09:12 AM

If your MS/Outlook/Hotmail email account is hacked or otherwise compromised, does that allow the hacker to have access to your local machine?
 


I suppose you're talking of remote access to your machine?

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#5 Winterland

Winterland
  • Topic Starter

  • Members
  • 995 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Land of Enchantment
  • Local time:12:18 AM

Posted 23 October 2014 - 06:10 AM

 

I suppose you're talking of remote access to your machine?

 

 

Yes sir, that's exactly what I was talking / wondering about.

 

If, upon boot, my machine heads on out to the WWW and, amongst all the processes (updating AV, MBAM, Windows Updates, etc.) also logs into my email, does this create yet another possible avenue for exploiting my machine?

 

If I click on my Mail icon in Win 8 or Win 10 (rather than opening a browser) and then look at my Inbox and then open a False/Malicious email and get infected, how quickly would that impact my local machine?

 

Even faster than if I was just viewing my Inbox through a browser?

 

Please note that I'm not looking to conjure up some more unnecessary fear for newbies, but rather am attempting to understand and possibly mitigate any new dynamics that these new OS's are rolling out with.

 

I appreciate your time and responses.

 

Winterland


Photobucket removed my cool flag - idiots!

 

Every calculation based on experience elsewhere fails in New Mexico.


#6 rp88

rp88

  • Members
  • 3,048 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:06:18 AM

Posted 24 October 2014 - 02:07 PM

Linking email accounts/ online accounts with a local user account is a BAD IDEA. It clearly does open up more vulnerabilities and also makes your computer more dependent on having an internet connection. I find it very scary, and also think it highly dangerous, to over-connect systems in this way. It's like a synced backup, the syncing means that if one bit fails in certain ways the rest all fails. I don't think microsoft accounts are quite as foolish as the fully synced backup example of over connectedness (or that the electrical grids rely on GPS signals, that is dangerously over-connection to, if we lost the satelites we wouldn't only lose navigation)but thye are still more closely linked to other parts than thye should be. I have always, and will always, consider a local account superior in every way. If you want to access your files from something other than your home computer you should have thought about it earlier and uploaded them to an online browser accessed backup location before you left your front door. I don't knwo the specs of your machine but if it does log into your email accoutn upon logon that is certainly a big vulnerability. Now if your machine is decently secured and if no one can get physical access to it then the risk to your email account hasn't been raised much, but it has still been raised. I don't know whether the danger works the other way round but the case of a journalist who used apple products and lost all his files to hackers when they took over his main apple account (he agreed not to get them arrested if thye told him how they did it) serves as a reminder that having your local hardware depend on a online service is risky. I don't think that microsoft accounts and such have yet been exploited by hackers and virus makers but it is only a matter of time. Just think of it as having a larger surface that attacks could be against. My advice of rusers is to use a local account and do without the "advantages and features" that an online account based system offers, i don't think there are any proven risks to using an online account like that but there are certainly lot of problems looming in the future, all of which outweigh the small gains made by using that account type. This is not about criticising ms, it's about criticising anyone who makes systems more connected than thye should be(many people are guilty of that, we all hope that they make critical systems less connected before it's too late).

Edited by rp88, 24 October 2014 - 02:08 PM.

Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#7 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:18 AM

Posted 24 October 2014 - 03:01 PM


If, upon boot, my machine heads on out to the WWW and, amongst all the processes (updating AV, MBAM, Windows Updates, etc.) also logs into my email, does this create yet another possible avenue for exploiting my machine?

 

 

In theory, it does. But it is the same risk as using a local account and then using an email client with your e-mail credentials.

 

If your e-mail gets compromised (i.e. your credentials are stolen, leaked, ...), then these credentials can be used to log on locally on your machine.

In theory, remotely is also possible, but the services on your machine that permit this are not accessible over the Internet (blocked by your firewall, NAT router, ISP, ...).


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#8 Winterland

Winterland
  • Topic Starter

  • Members
  • 995 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Land of Enchantment
  • Local time:12:18 AM

Posted 26 October 2014 - 07:18 AM

In theory, it does. But it is the same risk as using a local account and then using an email client with your e-mail credentials.

 

If your e-mail gets compromised (i.e. your credentials are stolen, leaked, ...), then these credentials can be used to log on locally on your machine.

In theory, remotely is also possible, but the services on your machine that permit this are not accessible over the Internet (blocked by your firewall, NAT router, ISP, ...).

 

 

Hello Didier, thank you for the explanation and reminder.

 

It is language like this that I was looking for.

 

My guess is that this/these type of question(s) will be coming into play with greater frequency as we get closer to the roll out of Windows 10 and more and more Users start using Windows 8 and I wanted to be able to explain what the security-related concerns are & also what type of fears were fact-based and which ones weren't.

 

Appreciate the time and all that you bring to these Forums.

 

@rp88 - thanks to you as well for all the points you made, esp. the reminder -  if you need access to files/folders from somewhere other than your Home Computer, this is something you should tend to before you leave the house and/or as you set up your new machine.

 

I try not to presuppose what every User I help should do but rather try to ask, "what do you do with your computer? & what would you like it to do?"

 

Every one wants their machine to do something different and I try to be able to assist them in reaching those goals, even if it's something I don't think they should do or even (esp.) if it's something I don't know about or understand (which covers a lot of territory, mind you :lol: ).

 

Again, much thanks ~

 

Winterland


Photobucket removed my cool flag - idiots!

 

Every calculation based on experience elsewhere fails in New Mexico.


#9 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:18 AM

Posted 26 October 2014 - 07:24 AM

You're welcome.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users