Firefox 3.0.9 targets 12 security vulnerabilities

June 15, 2009

Mozilla released an update to Firefox 3 on Tuesday that patches 12 security vulnerabilities, four of which it rated as critical.

Firefox 3.0.9, the Web browser's third update this year, fixes two critical vulnerabilities in the Firefox browser engine and two in its JavaScript engine, according to a security advisory posted Tuesday:

Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

Updates for Windows, Mac OS X, and Linux are available at the Mozilla site (downloads in all languages are available here). Firefox 3 users will receive an update notification within 48 hours, or they can download the update manually by selecting "Check for Updates" from the Help menu.

The release comes as Mozilla prepares to release the fourth beta of Firefox 3.5, the next version of the open-source browser. Mozilla had originally planned to release its new "Shiretoko" version of Firefox in early 2009; after releasing Firefox 3.1 beta 3 last month, the organization behind the browser said a fourth beta is planned, and with the new version number 3.5.

Expected changes in Firefox 3.5 include faster execution of Web-based JavaScript programs, a private browsing mode, native support for the JSON (JavaScript Object Notation) technology for exchanging data between servers and browsers, and built-in audio and video abilities for bypassing Flash or other multimedia technologies.

In March, security testing company Secunia reported that Mozilla had more vulnerabilities in its Web browser last year than Internet Explorer, Safari, and Opera combined, but that Mozilla dealt with those flaws more quickly than Microsoft.

Meanwhile, Firefox continues to chip away at Internet Explorer's market dominance. Mozilla now has 22.05 percent of the global browser market share, compared with IE's 66.82 percent, a drop of more than 7 percentage points in a year, according to figures from Web metrics company Net Applications.


Windows 7 security enhancements

June 15, 2009

Windows 7 makes remote connectivity to corporate networks seamless, protects data on thumb drives, and bothers users with fewer User Account Control prompts than Vista does, Microsoft said on Monday.

The software giant began an education blitz about the security features of the newest version of its operating system at the start of the RSA 2009 security conference.

Windows 7, which was released in public beta in January, will have 29 percent fewer User Account Control (UAC) prompts than Windows Vista has, and fewer prompts in general, according to Paul Cooke, director of Windows Client Enterprise Security.

"We've put users in control and allowed them the ability to tune the level of prompting" using a slider bar, he said in an interview.

Other new security features in Windows 7 are DirectAccess and BitLocker To Go.

DirectAccess offers remote workers the same level of seamless and secure connectivity as they have in the office. The system automatically creates a secure tunnel to the corporate network, so workers don't have to manually establish a connection, Cooke said.

DirectAccess also allows IT administrators to patch systems whenever a remote worker is on the network, he said.

BitLocker To Go extends the data encryption features introduced in Vista to removable storage devices like USB thumb drives and flash drives. A password or a smart card with a digital certificate stored on it can be used to unlock the data. The devices can be used on any other Windows 7-based machine with the correct password. On XP and Vista machines the data on the drives can be read but not modified, Cooke said.

Smart-card provider Gemalto is offering multifactor authentication for Windows 7 for even more secure access to machines accessing the network, said Ray Wizbowski, director of marketing and communications at Gemalto. Now, a user can insert a card into a smart-card reader built into a laptop and either enter a personal identification number or use a fingerprint to access the data, he said.

Windows 7 also includes AppLocker technology, which allows administrators to control the software that runs in the corporate network so that only authorized executables, scripts, installers, and dynamic-link libraries (DLLs) can be loaded. It can also be used to keep unlicensed software off machines, according to Cooke.

More information about Windows 7 security features is available in posts on the Windows Security Blog and the Windows Blog.


SMS messages could be used to hijack a phone

June 15, 2009

Be careful whom you give your mobile phone number to. An attacker with the right toolkits and skill could hijack your phone remotely just by sending SMS messages to it, according to mobile security firm Trust Digital.

In the Trust Digital demo on YouTube, an attacker sends an SMS message to the victim's phone (on the left), which opens a Web browser and downloads an executable file that directs the phone to send an SMS to the attacker's phone (on the right).

(Credit: Trust Digital)

In what it calls a "Midnight Raid Attack" because it would be most effective when a victim is asleep, an attacker could send a text message to a phone that would automatically start up a Web browser and direct the phone to a malicious Web site, said Dan Dearing, vice president of marketing at Trust Digital. The Web site could then download an executable file on the mobile phone that steals data off the phone, he said.

Dearing demonstrates how this can be done in a video on YouTube.

In another type of attack, an attacker could hijack a phone by sending a type of SMS message called a control message over the GSM network to a victim's phone that is using a Wi-Fi network, and then use special toolkits to sniff the Wi-Fi traffic looking for the victim's e-mail log-in information. This attack is explained in another YouTube video.

While the attacks at this point are proofs of concept, they could be carried out by someone with the requisite knowledge and toolkits, said Dearing. Trust Digital recently announced software called EMM 8.0 that can help organizations protect employee phones from these types of attacks, he said.

"This is a completely real threat," said Philippe Winthrop, a director in the global wireless practice at Strategy Analytics. "We will see these attacks. It's a matter of time."
