Security Paper suggests to remove McAfee from PCs, finds issues in OEM devices

A recent security analysis of OEM laptops running Windows 10 by Duo Security Inc concluded that all analyzed devices had privacy and network protocol related issues.

The seven laptops, produced by Dell, HP, Lenovo and Acer, shared many of the privacy and security issues, while some laptops had additional issues caused by installed OEM software.

The team looked at the network traffic that each device produced, and noticed -- among other findings -- the following:

Finding 1

Six of the seven laptops came with McAfee security software pre-installed. The researchers discovered that systems the software was installed on connected to a third-party tag server on the Internet.

Tags allow for management of cookies, tracking a browser/computer/user across time and space for marketing purposes, helping a vendor comply with “Do Not Track” settings in  browsers, allow for the management of content such as new product offerings based upon  numerous factors including time (like the first 30 days of a trial that starts after you power on your computer for the first time).

Odds are that McAfee is mainly using tags for the latter, but as I could find no documentation anywhere about how they are actually using it, I am assuming they are gathering at least some data from users

Suggestion: Uninstall McAfee software and use another security solution instead.

Finding 2

Automated network services put the computer at risk as soon as it started to talk on a network.

The researchers found the following protocols or services to be problematic from a privacy or security perspective:

1. Link Local

Link-local is an older protocol. In basic terms, it allows for a network interface to “self-configure” an IP address when other methods are absent (such as DHCP) or have simply failed (unable to read a config file).

However, when a wireless network interface is introduced, the local network segment is now confined by how powerful the wireless network interface actually is. This means that an attacker could conceivably start manipulating the wireless “local network” as they see fit.

2. WPAD and LLMNR

WPAD is really trying to make things easier for the end user. One common thing for the computer to ask is “where is the web proxy so web browsing will work?” WPAD is the one that asks the question and fields the answer. The issue - much more prevalent for wireless - is that anyone nearby could provide that answer, even when no proxy is required.

LLMNR is the IPv6 version of link-local, and as we mentioned previously an attacker could answer some of those important questions the victim computer is asking, allowing for the manipulation of traffic to the attacker’s advantage

3. Smart Multi-Homed Name Resolution

Smart Multi-Homed Name Resolution remembers what DNS server is the quickest. You connect up to the Wi-Fi at the coffee shop, the DNS for the coffee shop is deemed the fastest (probably by default), and then you connect up to the VPN at work.

Sure, your DNS requests are now going over the VPN, but a copy of the requests are still being sent to that coffee shop DNS, leaking DNS queries to the coffee shop’s ISP, or to anyone else in the coffee shop sniffing the Wi-Fi.

4. Teredo Tunneling and ISATAP

Teredo Tunneling and ISATAP are both technologies that build upon the same territory laid down by our friend link-local. Both are intended to help the computer operate IPv6 in IPv4-only and IPv4/IPv6 mixed environments respectively. However, if you plan on taking your new laptop to the coffee shop (or any other place with free Wi-Fi), there is an inherent danger of MITM attacks

Fixes for these issues:

Tap on the Windows-key, type regedit.exe and hit enter. You may need to confirm an UAC prompt before the Registry Editor opens. Keep it open until you are done disabling all features below.

To disable LLMNRT

1. Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT
2. Right-click on Windows NT and select New > Key.
3. Name the key DNSClient.
4. Right-click on DNSClient and select New > Dword (32-bit) Value.
5. Name the Dword EnableMulticast.
6. Set its value to 0.

To disable Smart Multi-Homed Name Resolution

1. Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient
2. Right-click on DNSClient and select New > Dword (32-bit) Value.
3. Name the Dword DisableSmartNameResolution.
4. Set its value to 1.
5. On Windows 10, the following is required as well.
6. Navigate to the key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
7. Right-click on Parameters and select New > Dword (32-bit) Value.
8. Name it DisableParallelAandAAAA.
9. Set its value to 1.

To disable WPAD

1. Tap on the Windows-key, type cmd.exe, hold down Shift and Ctrl, and hit enter. Confirm the UAC prompt. This opens an elevated command prompt window. Keep it open after you run the following command.
2. Run the command netsh winhttp reset proxy.
3. Tap on the Windows-key again, type services.msc and hit enter.
4. Locate the WinHTTP Web Proxy Auto-Discovery Service and stop it if it is running by right-clicking on it and selecting "stop" from the context menu.
5. Double-click on the service to open its properties and change its startup type to disabled.
6. Switch to the Registry Editor and navigate to the key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
7. Right-click on Parameters and select New > Dword (32-bit) Value.
8. Name it UseDomainNameDevolution.
9. Set its value to 0.

Disable teredo tunneling and ISATAP

1. Switch to the elevated command prompt window and run the following commands
2. netsh interface teredo set state disabled.
3. netsh interface isatap set state disabled.

Finding 3

Privacy related settings were reset after certain updates were installed on machines running the Windows 10 operating system.

Since it cannot be helped, it is suggested to go through the Settings after updates are installed to make sure they have not been reset.

Closing Words

If you notice issues after making changes to the computer running Windows, then it is suggested to remove the Registry keys that you have created, and to change the state of services to enabled again.