Archive for November, 2013
We may be facing a stalemate. Or, we may be evolving a new cyber biosphere.
Ceaselessly, with no end in sight despite outlays that amount to a tax on doing business, the decades-long struggle against malware drags on.
Today, around 5% of the average IT budget is devoted to security, estimates John Pescatore, a director at the SANS Technology Institute. Cybercrime (including malicious insider attacks and theft of devices) costs U.S. corporations an average of $11.6 million yearly, according to an October 2013 study by the Ponemon Institute that was sponsored by HP Enterprise Security. This cost represents a 23% increase over last year’s average of $8.9 million per company.
Asked why malware is the war without end, experts commonly embrace either a military or an ecological metaphor. Those with the military viewpoint say flawed defenses have led to a stalemate. The ecology-minded don’t see it as a war to be won or lost — they see an eternal cycle between prey and predator, and the goal is not victory but equilibrium.
One who favors the military metaphor is David Hoelzer, director of research for Enclave Forensics in Henderson, Nev. “We are essentially going in circles,” he says. “We improve only after our adversaries defeat our defenses. Most software is still riddled with vulnerabilities, but the vendors typically make no move to fix one until it becomes publicly disclosed. Coders are not trained in security, and ‘well written’ means ‘under budget.’”
Security consultant Lenny Zeltser chooses the ecology metaphor. “Attackers take advantage of the defenders, and the defenders respond. It’s part of the cycle,” he says. “If attackers get in too easily, they are spending too much to attack us. If we are blocking 100% of the attacks, we are probably spending too much on defense. We have been in a state of equilibrium for some time and always will be. But being complacent is dangerous, as we must constantly apply energy to maintain the equilibrium.”
Developments in the financial sector offer an example of why it’s important to constantly apply energy to maintain the equilibrium. A new report from Trend Micro points out that attacks aimed at stealing online banking credentials recently surged to a level not seen since 2002.
Nevertheless, experts agree that progress has been made — even if only toward the maintenance of ecological equilibrium or a military stalemate.
The wins so far
At this point, “there are no types of malware for which there are no defenses that we are currently aware of,” says Roel Schouwenberg, a researcher at anti-malware software vendor Kaspersky Lab.
“We no longer see the kinds of big spreading malware that we saw three or four years ago, [such as] the ILOVEYOU virus of 2000,” adds William Hugh Murray, a security consultant and a professor at the Naval Postgraduate School.
Interviews with analysts and executives at security vendors McAfee, AVG and Kaspersky Lab suggest that the following are the four principal weapons that make this possible:
• Signature detection. This approach gives you the ability to spot malicious code, among other things.
• Behavior monitoring. By adopting this technique, you can do things like spot malicious activity in a computer or determine if a suspicious file will respond to virtual bait.
• Blacklisting. This is a mechanism for blocking access to sites and files that are included on a list of undesirable entities.
• Whitelisting. With this approach, essentially the opposite of blacklisting, users are only allowed access to sites and files on a list of entities known to be harmless; access is denied to sites and files that aren’t on the list.
Each of the four has its supporters and detractors, and all the anti-malware software vendors queried for this article said they use some form of all four weapons, in combination.
Other defenses include firewalls, which can prevent intrusions and — with Windows at least — are part of the operating system, and periodic vendor patches to address vulnerabilities.
Frequency of cyberattacks
The frequency of different types of attacks experienced during a four-week period in 60 companies benchmarked.
Viruses, worms, trojans – 100%
Web-based attacks – 63%
Denial of service – 50%
Malicious code – 48%
Malicious insiders – 42%
Phishing/social engineering – 42%
Stolen devices – 33%
Source: Ponemon Institute/HP Enterprise Security “2013 Cost of Cyber Crime” study.
A question sometimes raised is whether there are more advanced weapons that we haven’t yet learned about. “I’ve heard that [the anti-malware vendors] have better defenses up their sleeve that they choose not to release since they are not necessary yet, and they don’t want to tip their hand,” says Zeltser.
The vendors deny this. “Our secret weapons are in force every day — it’s a daily battle,” says Tony Anscombe, an executive at anti-malware software vendor AVG Technologies. Indeed, if vendors had something that can stop all viruses “it would be foolish to wait to use it,” says Kevin Haley, spokesman for anti-malware software vendor Symantec. “It would be a competitive advantage” to help sell more software, he points out.
Either way, the end result is that anti-malware software vendors can now respond to a new (or “zero-day”) exploit within two hours, although complicated exploits may require subsequent follow-up, says Haley.
In parallel, there have been efforts to make software less vulnerable to infection. For instance, Tim Rains, director of Microsoft Trustworthy Computing, says that Microsoft has revamped the code libraries used by developers to remove errors and vulnerabilities.
As a result, he notes, stack corruption was the vulnerability exploited 43% of the time in 2006, but now it’s used only 7% of the time. He also cites a study conducted in 2011 by analyst Dan Kaminsky and others indicating there were 126 exploitable vulnerabilities in Microsoft Office 2003, but only seven in Office 2010.
Years of security-related software patches downloadable by users have also had a measurable effect. Rains cites statistics derived from executions of Microsoft’s online Malicious Software Removal Tool, which showed that systems with up-to-date protection were 5.5 times less likely to be infected.
As of December 2012, the rate was 12.2 infections per 1,000 machines for unprotected systems vs. 2 per 1,000 for protected systems. The global average was 6 infections per 1,000.
On the other hand, infections still happen. But even the nature of the infections seems to have reached a state of equilibrium.
Today’s attacks: Two broad categories
Roger Thompson, chief security researcher at security testing firm and Verizon subsidiary ICSA Labs, divides today’s most common infections into two categories: APT (“advanced persistent threat”) and AFT (“another freaking Trojan”).
New examples of APT malware appear about once a month, are aimed at a particular target and are produced by organizations with impressive resources, abilities and patience, he says. The classic example is the Stuxnet virus of 2010, whose goal appears to have been to make centrifuges in Iranian nuclear research labs destroy themselves by spinning too fast.
“Each one is different and scary,” Thompson notes.
As for AFTs, self-replicating malware is no longer the infection vector of choice, with attackers preferring to launch drive-by attacks from infected websites against victims who were tricked into visiting. (However, worms and older malware are still lurking on the Internet, and an unprotected machine can still get infected in a matter of minutes, sources agree.)
Average annualized cybercrime cost
These costs are weighted by attack frequency in 60 companies benchmarked.
Denial of service – $243,913
Malicious insiders – $198,769
Web-based attacks – $125,101
Malicious code – $102,216
Phishing/social engineering – $21,094
Stolen devices – $20,070
Botnets – $2,088
Viruses, worms, trojans – $1,324
Source: Ponemon Institute/HP Enterprise Security “2013 Cost of Cyber Crime” study.
The acquisition of new Trojans appears to be limited only by a researcher’s ability to download examples, experts agree; hundreds of thousands can be collected each day. Many examples are simply members of long-standing malware families that have been newly recompiled, and some malicious websites will recompile their payload — creating a unique file — for each drive-by attack. There are probably no more than a thousand such families, since there is a finite number of ways to take over a machine without crashing it, notes Thompson.
The initial infection is usually a compact boot-strapping mechanism that downloads other components. It may report back to the attacker on what kind of host it has infected, and the attackers can then decide how to use the victim, explains Zeltser.
These days, an infected home system is typically hijacked by the attackers for their own use. With a small enterprise, the object is to steal banking credentials, while with large enterprises, the object is typically industrial espionage, Murray explains.
While the anti-malware vendors have adopted a multi-pronged strategy, so have the attackers — for instance, writing malware that does not stir until it sees that it is not in the kind of virtual machine used to trick malware into revealing itself.
Meanwhile, the attackers have formed their own economy, with a division of labor. “Some are good at crafting malware, others are good at infecting systems, and others are good at making money off the infections, such as by sending spam, or by launching distributed-denial-of-service attacks, or by pilfering data,” says Zeltser.
“You can buy the software required to do the account takeover, and then to convert the money into cash you hire mules,” Murray adds.
New battlefields include XP, Android
But while many pundits expect to see a continued cycle of attack and defense, they also foresee additional future dangers: Windows XP may become unusable because of the support situation, and the Android smartphone environment may be the next happy hunting ground for malware.
For its part, Windows Vista is no longer receiving mainstream support, but Microsoft has announced the company will continue issuing security updates for the OS through mid-April 2017.
Windows XP, released in 2001, is still widely used, but Microsoft will stop issuing security updates for it after April 2014. At that point, Microsoft will continue to issue security updates for Windows 7 and Windows 8, and after each one is issued the malware writers will reverse-engineer it to identify the vulnerability that it addresses, Rains predicts.
“They will then test XP to see if the vulnerability exists there, and if it does they will write exploit code to take advantage of it,” Rains says. “Since XP will never get another update, the malware writers will be in a zero-day-forever scenario. If they can run remote code of their choice on those systems it will be really hard for anti-virus protection to be effective. The situation will get worse and worse and eventually you will not be able to trust the operating system for XP.”
“People should not be running XP,” agrees Schouwenberg. “When it was written the malware problem was very different than it is today. It had no mitigation strategies and is extremely vulnerable.”
Android, meanwhile, is going like gangbusters on smartphones — outselling Apple’s iOS phones in the third quarter of this year, according to Gartner — making it a huge target for crackers.
Experts see many parallels between Android’s development and the early history of the Windows market, with hardware vendors adapting a third-party operating system for their products, leaving no single party ensuring security. And with the Android market, the additional involvement of telecommunications carriers is a complicating factor.
Average days to resolve attack in 60 companies benchmarked
Malicious insiders include employees, temporary employees, contractors and, possibly, business partners.
Malicious insiders – 65.5
Malicious code – 49.8
Web-based attacks – 45.1
Denial of service – 19.9
Phishing/social engineering – 14.3
Stolen devices – 10.2
Malware – 6.7
Viruses, worms, trojans – 3
Botnets – 2
Source: Ponemon Institute/HP Enterprise Security “2013 Cost of Cyber Crime” study.
“It is not like the case with Apple, which can push security updates to every iPhone in the world in one day,” says Schouwenberg. “With Android, the manufacturer has to implement the patches and then go through certification with the carrier before the patches are deployed. Assuming your phone still gets security updates it may be months before you get them. That would not be considered acceptable with a laptop.”
“Android is in a position that Windows was in a few years ago; there is not enough protection,” adds Johannes Ullrich, head of research at the SANS Technology Institute, which certifies computer security professionals.
Is there hope?
Returning to the ecology metaphor, sometimes the impact of an asteroid will drive species into extinction. And, indeed, sources can point to extinction-type events in the short history of the malware biosphere.
Thompson, for instance, points out that the adoption of Windows 95 drove MS-DOS malware into extinction by adding protected mode, so one program could not overwrite another at will. Microsoft Office 2000 drove malware based on Office 1995 macros into extinction by adding a feature that basically required user permission before a macro could run. Windows XP Service Pack 2 in 2004 set the Windows firewall on by default, wiping out another generation of malware.
“But there is no extinction-level-event in sight to wipe out the current Trojans,” Thompson says.
Even if there were such a miracle, attackers could fall back on persuasive email, officious phone calls, smiling faces or other non-technical manipulations usually referred to as “social engineering.”
“The success rate for social engineering is phenomenal,” says John Strand, network penetration tester with Black Hills Information Security in Sturgis, SD.
People will call in pretending to be from a help desk, suggesting that the user download (infected) software. Or plausible emails such as a delivery notification will entice users to click on infected links, he explains.
And then there’s software that tells the user to disable the system’s malware protection “to ensure compatibility.” “I don’t think there is any legitimate software that needs you to disable security protection for compatibility reasons,” says Schouwenberg. “But some software does ask you to disable it during installation, creating a precedent, so they think it’s all right when they get email from a website telling them to turn it off.”
Even if users are trained to resist such ploys, smiling people with clipboards and faux badges may show up at the front desk saying they need to inspect the server room on some pretext — and they’ll probably be allowed in, says Strand.
Beyond that, large numbers of log-in credentials to corporate networks are always for sale at various malicious sites, because people have registered at third-party sites using their office email addresses and passwords — and those sites were later compromised, Strand adds.
“The good news is that it is relatively easy to defend against most malware, if you use up-to-date anti-virus software, run a firewall, get security updates and use strong passwords,” Rains says. “These techniques can block the major attacks used today and probably for years to come.”
“The best practices I was telling people about 10 years ago I still have to tell people about today,” Haley adds. “Have good security software, update the system and use good common sense. Don’t link to email that doesn’t seem right.”
Finally, Pescatore suggests looking to the field of public health (rather than the military or ecology) for a metaphor about living with malware. “We have learned to wash our hands and keep the cesspool a certain distance from the drinking water,” he notes. “We still have the common cold, and we still have occasional epidemics — but if we react quickly we can limit the number who are killed.”
10 mistakes companies make after a data breach
Michael Bruemmer, vice president of Experian Data Breach Resolution, outlines some of the common mistakes his firm has seen as organizations deal with the aftermath of a breach, in a presentation for The International Association of Privacy Professionals (IAPP) Privacy Academy.
How to weather the storm
The aftermath of a data breach, such as the one experienced last month by Adobe, can be chaotic if not dealt with properly. The result of such poor handling could see organizations facing a hit to reputation, or worse, financial and legal problems.
No external agencies secured
Sometimes a breach is too big to deal with in-house, and the type of breach may make that option an unwise one. So it’s best to have external help available if needed. Incident Response teams, such as those offered by Verizon Business, Experian, Trustwave, or IBM (just to name a few), should at least be evaluated and considered when forming a business continuity / incident response plan.
“The process of selecting the right partner can take time as there are different levels of service and various solutions to consider…Not having a forensic expert or resolution agency already identified
No engagement with outside counsel
“Enlisting an outside attorney is highly recommended,” Bruemmer said.
“No single federal law or regulation governs the security of all types of sensitive personal information. As a result, determining which federal law, regulation or guidance is applicable depends, in part, on the entity or sector that collected the information and the type of information collected and regulated.”
So unless internal resources are knowledgeable about all current laws and legislation, external legal counsel with expertise in data breaches is a wise investment.
No single decision maker
“While there are several parties within an organization that should be on a data breach response team, every team needs a leader,” Bruemmer said.
There needs to be one person who will drive the response plan and act as the single point of contact for all external parties. They’ll also be in charge of controlling the internal reporting structure, in order to ensure that everyone from executives to individual response team members is kept updated.
Lack of clear communication
Related to the lack of a single decision maker, a lack of clear communication is also a problem. Miscommunication can be the key driver to mishandling a data breach, Bruemmer said, as it delays process and adds confusion.
“Once the incident response team is identified, identify clear delegation of authority, and then provide attorneys and [external parties] with one main contact.”
No communications plan
Sticking to the communications theme, another issue organizations face is the lack of planning as it relates to the public, especially the media.
“Companies should have a well-documented and tested communications plan in the event of a breach, which includes draft statements and other materials to activate quickly. Failure to integrate communications into overall planning typically means delayed responses to media and likely more critical coverage,” Bruemmer explained.
Waiting for perfect information before acting
Dealing with the aftermath of a data breach often requires operating with incomplete or rapidly changing information, due to new information learned by internal or external security forensics teams.
“Companies need to begin the process of managing a breach once an intrusion is confirmed and start the process of managing the incident early. Waiting for perfect information could ultimately lead to condensed timeframes that make it difficult to meet all of the many notification and other requirements,” Bruemmer said.
Micromanaging the Breach
“Breach resolution requires team support, and often companies fail when micromanaging occurs. Trust your outside counsel and breach resolution vendors, and hold them accountable to execute the incident response plan,” Bruemmer said.
No remediation plans post incident
There should be plans in place that address how to engage with customers and other audiences once the breach is resolved, as well as the establishment of additional measures to prevent future incidents.
“If an organization makes additional investments in processes, people and technology to more effectively secure the data, finding ways to share those efforts with stakeholders can help rebuild reputation and trust. Yet, many fail to take advantage of this longer-term need once the initial shock of the incident is over,” Bruemmer said.
Not providing a remedy to consumers
Customers should be put at the center of decision making following a breach. This focus means providing some sort of remedy, including call centers where consumers can voice their concerns and credit monitoring if financial, health or other highly sensitive information is lost.
“Even in incidents that involve less sensitive information, companies should consider other actions or guidance that can be provided to consumers to protect themselves,” Bruemmer said.
Failing to practice
“Above all, a plan needs to be practiced with the full team. An incident response plan is a living, breathing document that needs to be continually updated and revised. By conducting a tabletop exercise on a regular basis, teams can work out any hiccups before it’s too late,” Bruemmer said.
The head of Amazon Web Services bashes IBM and launches a VDI service at this year’s AWS Reinvent conference
Private clouds offer “none of the benefits” of a robust public cloud, and are only a stopgap solution perpetuated by “old-guard” IT companies such as IBM, said Andy Jassy, Amazon senior vice president who heads up Amazon Web Services.
“If you’re not planning on using the public cloud in some significant fashion, you will be at a significant competitive disadvantage,” Jassy told a packed auditorium of nearly 9,000 IT pros Wednesday in Las Vegas, for the opening keynote of the AWS Reinvent conference.
Jassy split his time between extolling the benefits of using large public clouds such as Amazon’s and introducing new services.
While he spent much of his presentation discussing the benefits of cloud computing, arguing that it offers increased agility, better security and lower costs, he also took time to criticize private clouds, or cloud infrastructures that organizations have set up in-house for their own use.
To set up a private cloud, an organization still needs to invest a considerable amount of money in hardware and software, so it requires up-front capital costs that a public cloud doesn’t, he said. Private clouds don’t offer the agility of public clouds, in that the enterprise still can’t change to a new platform or set of software as quickly. They also don’t offer the economic advantages of buying hardware in large amounts.
Some organizations, such as governments and health-care providers that have strict regulatory requirements, still need to run operations in private data centers, he said, but over time, these specialized-use cases will diminish as more of the features required will be available on public clouds.
Amazon offers a number of services that help organizations run hybrid clouds that are partially run on Amazon and partially in-house, including VPNs (virtual private networks), and identity and access management. The company also works with traditional enterprise IT management tool providers, such as Eucalyptus, CA Technologies and BMC Software, to provide a single view of both on-premises and cloud operations.
But AWS put these services and partnerships in place to help customers move almost entirely to the AWS public cloud.
“We have a pretty different view of how hybrid is evolving than the old-guard IT companies,” Jassy said. The approach popular with companies such as Hewlett-Packard, Microsoft and IBM, for instance, assumes an enterprise will want to run most of its operations in-house and use public clouds to augment operations when traffic is heavy.
“We believe in the fullness of time, very few enterprises will run their own data centers,” Jassy said to note the difference in the AWS approach. “That informs our approach in what we build. We will meet enterprises where they are now, but we will make it simple to transition to where the future workloads will be, in the cloud.”
“I think a lot of old-guard technology companies aren’t so thrilled about how fast things are moving to cloud,” Jassy said. He showed a slide of one of a number of advertisements that IBM has placed on buses this week in Las Vegas that claim that the IBM Cloud service hosts “30 percent more top websites” than any other cloud provider.
“It’s creative, I’ll say that,” Jassy said. “I don’t think anybody who knows anything about cloud computing would argue [IBM] has a larger cloud business than AWS.”
In June, IBM purchased SoftLayer to boost its public cloud offerings.
Jassy also took time to announce some new services.
Perhaps the most notable launch for the company is a new VDI (virtual desktop infrastructure) service, called Amazon Workspaces.
Workspaces provides a virtual desktop for an organization’s employees that can be accessed from Apple Macs, Microsoft Windows computers or Android devices. It provides a “persistent state,” Jassy said, meaning that the desktop’s contents will remain the same no matter what device the desktop is accessed from.
Despite the advantages it offers administrators in managing their users’ computers, VDI thus far has not made major inroads into the enterprise IT market, though Amazon is hoping Workspaces will prove cost-effective and easy enough to manage that it will be appealing.
Workspaces will cost about half of the expense of the current average VDI implementation, he said. The service, which is now offered in a limited preview, can be paid for on a month-by-month basis. A Workspaces desktop with one virtual CPU and 50GB of storage space will cost US$35 a month, and the “performance” desktop with 2 virtual CPUs and 100GB of storage will cost $60 per month.
With Workspaces, an organization can bring its own licenses for Microsoft Office and security software, or Amazon will offer these applications for an additional $15 a month.
AWS also launched a security service that can provide customers with detailed log reports of who is accessing their APIs (application programming interfaces) and what services they consume, as well as a streaming service for apps.
Google is going to stop allowing non-sanctioned extensions to work on its Chrome for Windows browser. It’s for your safety, you understand.
The sad march towards tribal fiefdoms continued Thursday, as Google announced that it will only allow Chrome for Windows users to download extensions hosted by Google’s own Chrome Web Store starting in January.
Google says the decision to transform Chrome into a gated community stems from security concerns, in an echo of the official reason that Microsoft moved to the Windows Store model to distribute modern UI apps. Google engineering director Erik Kay points the finger at the damage caused by rogue extensions in a blog post detailing the lock-down.
“Bad actors have abused this mechanism, bypassing the prompt to silently install malicious extensions that override browser settings and alter the user experience in undesired ways, such as replacing the New Tab Page without approval. In fact, this is a leading cause of complaints from our Windows users.”
The policy shift will no doubt make it easier for Google to police the sanctity of said extensions. Google’s been on a bit of a security tear recently; last week, the company announced plans to step up Chrome’s malware-busting chops.
But, it’s also worth noting, developers who want to include their extensions in the Chrome Web Store have to pay a $5 registration fee, and if your Chrome Web Store-hosted app or extension generates income, Google will take a 5 percent cut of the revenue.
The move to a gatekeeper-type model carries other implications: For example, while you can currently find the Adblock Plus extension in the Chrome Web Store, Google scrubbed the app from Android’s Play store earlier this year. Android users can still sideload the Adblock Plus app after jumping through some hoops.
Everyday Chrome users would not have the same ability under the new extension policy, though developers and enterprise Chrome users will still be able to install “unauthorized” extensions.
Crappy par for a crappy course
Sadly, the shift away from the Open Web ideal is nothing new.
Windows 8’s move to the walled-off Windows Store caused anger amongst developers (and may have spurred the creation of the Linux-based SteamOS in response). Earlier this year, Google caught flak from privacy advocates for shifting away from the open XMPP technology built into Google Talk to the proprietary technology in its new Hangouts messaging service. Android looks less and less open by the day. And this week alone, both Microsoft and Google announced plans to cut off third-party client access to both Skype and Google Voice, respectively. (Again, they “pose a threat to your security.”)
Before I sign off, I’ll leave you with the words of Google co-founder Larry Page, from this year’s Google I/O keynote.
“And I think that we’ve really invested a lot into the open standards behind all that. And I’ve personally been quite saddened at the industry’s behavior around all these things… I’d like to see more open standards, more people getting behind things, that just work, and more companies involved in those ecosystems.”
Lofty ideals indeed, and noble ones. Just don’t forget to practice what you’re preaching, Google.
Although Windows 8’s Start menu is still MIA in Windows ‘Blue,’ a smorgasbord of replacements can fill the void
Seems Microsoft really has put its Windows Start menu out to pasture, alongside Bob, Clippy, and Rover. Sure, the forthcoming 8.1 update to Windows 8 has a shiny new Start button, but clicking it doesn’t cause a familiar menu to pop up, providing users quick access to their preferred apps and files. Why’d Microsoft retire the menu in the first place? It was a design choice made by Steven Sinofsky, former head of Microsoft’s Windows division.
If you fall into the category of users who don’t share Sinofsky’s vision of a menu-less Windows 8, take heart. Several third-party developers have built menus for the operating systems — and some are arguably superior to any that Microsoft has ever made.
Classic Shell was originally designed to replace the Windows 7 Start menu with the XP-style Start menu. Now it brings a Windows 7 Start experience to Windows 8 users. Apps can be pinned to the menu area via drag and drop. A pair of flyout menus provides access to classic Desktop programs and Metro apps, respectively. The program also supports starting directly in the Desktop and disabling Windows 8 hot corners.
Classic Shell adds changes to File Explorer, too, such as an icon ribbon populated with commonly used file commands (cut, copy, paste, and so on) and the ability to shut off the “breadcrumb” trail in the address bar and replace it with the full folder path.
Author: Ivo Beltchev
Cost: Free (open source)
Pokki Menu is a more ambitious program than many of the others shown here. SweetLabs hasn’t so much restored the original Start menu as provided an enhanced replacement for it. Beyond delivering familiar Start menu functionality, for example, it also serves as a source for notifications. It does this via various apps available in Pokki’s own app store, which include clients for common social networks.
The Pokki Menu has undergone a significant facelift since InfoWorld looked at it last year. Aside from such aesthetic changes as new colors and layout, the app has improved search and the ability to set files and apps as favorites from File Explorer.
Another open source option, Power8 provides a self-sorting menu of commonly used applications, a set of flyouts for the main Start menu app hierarchy, and flyouts for Computer, Libraries, Control Panel, Administrative Tools, and Network shortcuts. The old search functionality is also replicated, Metro features (charms, hot corners, etc.) are disabled, and — one very nice touch — Windows 7 taskbar jump lists are retained. Among the drawbacks, Power8 is short on configurable features.
Since InfoWorld last dabbled with Power8, its developers have made several upgrades and fixes, including improved file-system event watching and a more flexible updater.
Author: Power8 Team
Cost: Free (open source)
RetroUI isn’t designed to be more than a strict replacement for the traditional Start menu. Clicking the RetroUI Taskbar icon brings up a tile grid that’s reminiscent of the Windows 8 Start screen, but outfitted with flyouts that borrow from the original Start menu (Libraries, Computer, Control Panel). Also included are handy shortcuts to the Metro task switcher and Charms bar. Another taskbar icon opens an icon-grid view that displays Metro apps and major system locations.
Thinix has continually updated RetroUI since InfoWorld’s last review, adding features such as optimized file searches, the ability to set default shutdown actions, and caching technology to speed up the Start menu.
Cost: Starts at $5 per seat
Stardock Software has created a Start menu replacement that behaves uncannily like the original. From its accordion-style opening of folders to its subcategorized type-to-search results, Start8 delivers all the familiar functionality, alongside considerable configurability.
Apps can be pinned to the Start8 menu via a right-click contextual menu option in File Explorer. Even the system shortcuts (Control Panel, Computer, etc.) can be toggled as needed. Better yet, the bottom-left hot corner can take you straight to Start8, even from within a Metro app. Hot keys can bring up Windows 8’s own Start screen, hot corners can be selectively disabled, and Metro apps can be hidden from Start8 if you don’t want them there.
Author: Stardock Software
Cost: $5 for a single-user license
StartIsBack is a startlingly precise recreation of the Windows 7 Start menu, orb and all, although a good deal more tweakable than the original. Each Windows 8 hot corner can be selectively toggled. The Start screen can be skipped on login, invoked with a dedicated hot key, and reserved only for Metro programs. Just right-click a program in Explorer to pin it to the StartIsBack menu.
Since InfoWorld last tested StartIsBack, developer Tihiy has made numerous upgrades. For instance, you’ll find a new shortcut to the Start screen in the Start menu, the option to display all programs in a multicolumn flyout menu, and the option to enable the Start screen hot corner on the Desktop.
Cost: $3 for two-PC license
Launch StartMenu8 and you’re greeted with the familiar Windows 7 Start menu orb, along with a fairly spot-on reconstruction of the rest of the classic Start menu. The StartMenu8 interface wasn’t as customizable as its competitors when InfoWorld tried it out last December. There was no way to toggle things like the links to the games folder or the Control Panel, and most of the program’s behaviors appear to be hard-wired. Users can log in directly to the Desktop, and StartMenu8 can deactivate the Windows 8 hot corners and the Metro Charms bar. The latest version includes a key for opening Metro, a new Settings interface, and some aesthetic improvements.
Start Menu Reviver
Start Menu Reviver brings the Metro look, fat-finger friendliness, and lots of customizability to a Start menu for either Windows 8 or Windows 7. Like a mini Windows 8 Start screen, Reviver presents buttons and tiles (large or small, as you like) that give you direct access to literally anything on your PC — documents, folders, desktop apps, Metro apps, favorite URLs, you name it. A flyout menu provides speedy access to everything else. Along with the tiles, menus, colors, text, and tile icons, a few other settings are configurable. You can boot directly to the Desktop or have the Windows key open the Start menu.
StartW8 is a good classic Start menu recreation, though it lacks much in the way of customization options, and pinning programs to the Start menu isn’t as straightforward as it could be. Options include the ability to switch to the desktop immediately after signing in; the ability to activate the menu with the Windows key; buttons for logging off, locking the system, and powering off; a traditional search field; and the ability to designate favorite apps. The latest update adds the option to ignore Hot corners, along with an automatic update feature.
ViStart is a free Windows Start menu app that boasts a high level of customizability. The latest version comes with three Start Menu skins and four Start menu buttons, alongside a renewed skin manager. You can download 25 additional skins and 20 buttons from the developer’s site. A new control lets you configure Windows 8 to skip the Metro screen and boot directly to the Windows 8 Desktop. You can also disable features such as the Charms bar and start corners. ViStart even indexes the Start menu to speed up searches for files and programs.