5 things to do if you’re going to keep using Windows XP after April 8, 2014

If you’re still a Windows XP user, you’re probably singing a sad song knowing that after 12 long years Microsoft will end its support for the world’s second most popular operating system on April 8, 2014.

Microsoft warns you that if you continue to use its OS first introduced before the iPhone even existed “your computer will still work but it might become more vulnerable to security risks and viruses.” And if that isn’t enough to encourage you to upgrade or get a computer, maybe the fact that “you can expect to encounter greater numbers of apps and devices that do not work with Windows XP” will.

But given the millions of PCs running the OS and the scarce amount of time and resources many people have, some people will certainly be XP users well after its “expiration date.” If you’re going to be one of these daredevils, our Security Advisor Sean Sullivan has some suggestions.

“Folks that continue to use XP at home can do so with some reasonable amount of safety, but they absolutely need to review their Internet and computing habits as April draws near,” he told us. And he broke down 7 ways to avoid the trouble from the criminals who will surely be targeting these unsupported systems.

1) Install an alternative browser — not Internet Explorer.

2) Review the third-party software you’ve installed and uninstall anything that isn’t needed.

3) For the third-party software that you keep – consider disabling or uninstalling the browser plugins. Or at least set the browser to “always ask” what to do about things such as PDF files. (Personally, I always download PDFs to my desktop and open them from there. I don’t want the PDF viewer plugin installed, and I don’t like being in the habit of opening certain file types in my browser’s window.)

4) Have an up-to-date security product with antivirus and firewall installed.

5) Keep your XP computer connected to a NAT router, which will act as a hardware firewall. (Practically speaking, this means you shouldn’t be roaming around outside of your home with an XP computer. Don’t plug into a university network for connectivity – keep your computer at home on a trusted network.)

As you can see, living in the past may not make life easy. But if it’s your only option, you should at least try to stay as safe as possible.



POLL – Is it OK for security products to collect data from your device?

We have a dilemma, and maybe you want to help us. I have written a lot about privacy and the trust relationship between users and software vendors. Users must trust the vendor to not misuse data that the software handles, but they have very poor abilities to base that trust on any facts. The vendor’s reputation is usually the most tangible thing available.

Vendors can be split into two camps based on their business model. The providers of “free” services, like Facebook and Google, must collect comprehensive data about the users to be able to run targeted marketing. The other camp, where we at F-Secure are, sells products that you pay money for. This camp does not have the need to profile users, so the privacy-threats should be smaller. But is that the whole picture? No, not really.

Vendors of paid products do not have the need to profile users for marketing. But there is still a lot of data on customers’ devices that may be relevant. The devices’ technical configuration is of course relevant when prioritizing maintenance. And knowing what features actually are used helps plan future releases. And we in the security field have additional interests. The prevalence of both clean and malicious files is important, as well as patterns related to malicious attacks. Just to name a few things.

One of our primary goals is to guard your privacy. But we could on the other hand benefit from data on your device. Or to be precise, you could benefit from letting us use that data as it contributes to better protection overall. So that’s our dilemma. How to utilize this data in a way that won’t put your privacy in jeopardy? And how to maintain trust? How to convince you that data we collect really is used to improve your protection?

Our policy for this is outlined here, and the anti-malware product’s data transfer is documented in detail in this document. In short, we only upload data necessary to produce the service, we focus on technical data and won’t take personal data, we use hashing of the data when feasible and we anonymize data so we can’t tell whom it came from.

The trend is clearly towards lighter devices that rely more on cloud services. Our answer to that is Security Cloud. It enables devices to off-load tasks to the cloud and benefit from data collected from the whole community. But to keep up with the threats we must develop Security Cloud constantly. And that also means that we will need more info about what happens on your device.

That’s why I would like to check what your opinion about data upload is. How do you feel about Security Cloud using data from your device to improve the overall security for all users? Do you trust us when we say that we apply strict rules to the data upload to guard your privacy?

Safe surfing,
Micke

November 24, 2015

One click too fast

This is the seventh in a series of posts about Cyber Defense that happened to real people in real life, costing very real money.

“If I weren’t a lawyer, I probably wouldn’t have survived today”, Kate thought, as she opened a bottle of whiskey. She had earned it. It was a hard day, a disaster. Well, not a total disaster. When she had closed down her law firm and joined Mordor, Inc., she thought she would finally get a little peace of mind… She could not have been more wrong.

* * *

[The same day, 12 hours earlier]

As every morning, she got into her white BMW slightly late and drove to work through the city streets. Caught in the traffic jam, she had time to do her makeup and swipe through some photos on Tinder. “I can't wait to add my skydiving picture and fill in my height,” she thought. “My profile is too polite and too boring. But that's going to change...” A few days ago she had ordered a new parachute. A gift to herself for her 50th jump. It was red and went very well with her blonde hair. Unfortunately, the Tinder crowd would have to wait for the parachute picture. As usual, the Post Office was still holding up the package.

She spent the first few hours at work doing what she always did. She checked some outstanding contracts, adding comments. Her golden rule: at least one note per page to justify her existence. Then she moved on to writing proposals. This was her favorite task. She could do it quickly, using templates she had dating all the way back to law school. Copy-and-paste time. She was finishing adding a few words to the last sentence of the document when she heard that happy sound indicating that a new e-mail had arrived.

FROM: TO: SUBJECT: Poczta Polska S.A. Order update

Your package could not be delivered to the delivery address on October 27, 2015, because no one was at home. In order to obtain information regarding your shipment, click the link. You can pick up the shipment at the nearest Poczta Polska office by presenting the printed ADVICE NOTE: Your ADVICE NOTE

WARNING! If the package is not picked up within 7 days, a storage fee will be charged. After another 7 days, the package will be sent to the warehouse in Koluszki and destroyed or auctioned under supervision of a committee.

Kind regards, Poczta Polska.

"Damn. I should have picked the thing up," she thought. But then she remembered that a few days back the company hired her an assistant. “Wonderful. Someone else will stand in line for me.” She forwarded the message to her assistant, adding one sentence to appropriately prioritize the matter:

Yvonne, no one will hold it against you if you can’t pick it up today, but I hope you can go to the post office ASAP.

What was Yvonne to do? She set aside the invoices she'd been assigned to pay online when the accountant called in sick and clicked the link to download Kate's claim note. Because ASAP means ASAP. On the page that appeared, she immediately saw a large “View details” button. She clicked again to download the file named awizo.pdf. After saving the file on the disk, she opened it and printed the notice. She locked her computer screen just as IT had instructed her during her orientation.

What Yvonne didn't know is she had downloaded an awizo.pdf.pif file. PIF is a very interesting extension. Even if Windows has been configured to display file extensions, the PIF extension does not show up. The icon does not look like a PDF file, but icons are constantly changing. So who knows? It was too late. Her computer was infected. The antivirus did not react because… there was no antivirus. To cut costs, Mordor Inc. had not renewed the license. The company calculated that it would be cheaper to train the employees about “bad file formats that cannot be opened in any circumstances.” Still, PDF files were allowed…

It was almost lunchtime. To get to the post office as soon as possible, Yvonne couldn't let the elevator open for each of the building's 20 floors. She pressed both the “ground floor” and “close the door” buttons and held them down for three seconds. This trick enabled “fast travel mode.” It was often used by security staff to get to the selected floor without stopping. It worked only on elevators made by OTIS, like this one.

Before the elevator got to the ground floor, malware known as VBKlip was installed on Yvonne’s computer. It worked in a very simple way. If a bank account number appeared in the infected computer's clipboard, e.g. copied from an invoice, VBKlip changed it into another one. This way the victims were oblivious to the fact that by using copy and paste they were helping online criminals rob them.

* * *

“Let me explain it again. We don’t have your package and we do not send emails to customers. This is Poczta Polska! Stamps and date-stamps are sacred! Any notice without a stamp is invalid. OK? Now, would you like to buy some Wite-Out or Exorcist Guide magazine? We have also candles”.

Yvonne, who had waited in the line for 30 minutes, was not happy. But there was nothing she could do. She got back to the office and finished paying the invoices. An hour later the lights in her office suddenly turned off.

* * *

“You had a very simple task. Pay the invoices. How tough is that?” In the dark, the CEO looked more threatening than ever. “Rent. That's pretty important, in case you didn't notice. You see, Mrs. Yvonne, it's hard to work without power”.

“But...” Yvonne started, but the CEO would not let her talk.

“You will now go down to the building’s manager office and convince the building manager that we didn't mean to deceive him. And promise him that this time we were willing to pay on time. And do it quickly."

“But I paid all the invoices… I have confirmations here." Yvonne logged into the bank's website. But after entering the login and password, she saw a message: her computer was likely infected. The bank had cut off access for security reasons.

"Hmmm," she said. "One of the accounts she paid must have been marked as 'suspicious' by the bank."

IT came and quickly confirmed the infection. A quick phone call to the bank dispelled any doubts. The money had already gone and could not be recovered. To make matters worse, in addition to VBKlip, another Trojan had been discovered that targeted credit card numbers. Yvonne had written the company’s credit card data in a text file so she could easily paste it into other sites. The Trojan had located the file, and the credit card number had been immediately put up for sale on the carder forum. The credit limit (PLN 20,000) had been used up in just one hour to purchase electronics...

Yvonne was heartbroken. To cover all the losses, it would be PLN 75,000, out of her own pocket. With tears in her eyes, she began searching for similar cases of theft online. She wished she had found the article that warned against such attacks and explained how to safely perform money transfers earlier, before it was too late.

* * *

Kate felt partly responsible for Yvonne’s troubles. After all, she told Yvonne to print the fake mail claim. So she decided to do what lawyers do. After many phone calls to the bank, she obtained information about the accounts and banks the money went to. Another batch of calls ensured that the money was blocked on dummy accounts. It was a matter of time before it would be returned to Mordor’s account.

She did not have much trouble recovering the funds from the credit card, either. Kate decided to use an effective, though little-known chargeback procedure offered by banks in cooperation with payment organizations. She simply had to ask an agent to send the appropriate form, in which she would describe the circumstances of the event and indicate fraudulent transactions on the bank statement. After several days, the money would be back in Mordor's account -- but all the whiskey would be gone.
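The awizo.pdf.pif file in the story hides an executable extension behind a document-looking one. The following is an added example, not part of the original post, of a check that a download folder audit or mail gateway could run on file names; the extension sets, function names and sample paths are assumptions made for the illustration.

```python
import ntpath

# Final extensions that Windows treats as programs, scripts or shortcuts.
# Both sets are assumptions chosen for this example, not complete lists.
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def deceptive_extension(path):
    """Return (decoy, real) when a name displays a document extension but
    really ends in an executable one; return None otherwise."""
    # Windows drops trailing dots and spaces from names, so normalise first.
    name = ntpath.basename(path).rstrip(". ").lower()
    stem, real = ntpath.splitext(name)
    if real not in EXECUTABLE_EXTS:
        return None
    # Also catch whitespace padding between the two extensions.
    decoy = ntpath.splitext(stem.rstrip())[1]
    if decoy in DECOY_EXTS:
        return decoy, real
    return None


def scan(paths):
    """Map each suspicious path to its (decoy, real) extension pair."""
    findings = {}
    for p in paths:
        hit = deceptive_extension(p)
        if hit:
            findings[p] = hit
    return findings


# Constructed sample file names (not taken from a real system).
SAMPLE = [
    r"C:\Users\yvonne\Downloads\awizo.pdf.pif",
    r"C:\Users\yvonne\Downloads\invoice.PDF      .exe",
    r"C:\Users\yvonne\Downloads\contract.v2.pdf",
    r"C:\Tools\setup.exe",
]

if __name__ == "__main__":
    for path, (decoy, real) in scan(SAMPLE).items():
        print(f"{path}: looks like {decoy}, is really {real}")
```

An ordinary installer such as setup.exe is not flagged, because the check targets the mismatch between the displayed and the real extension rather than executables in general.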

November 17, 2015

A temporary profile picture but permanent app permissions

We are all sad about what happened in Paris last Friday. It’s said that the terrorist attacks have changed the world. That is no doubt true, and one aspect of that is how social media becomes more important in situations like this. Facebook has deployed two functions that help people deal with this kind of crisis.

The Safety Check feature collects info about people in the area of a disaster, and if they are safe or not. This feature was initially created for natural disasters. Facebook received criticism for using it in Paris but not for the Beirut bombings a day earlier. It turned out that their explanation is quite good. Beirut made them think if the feature should be used for terror attacks as well, and they were ready to change the policy when Paris happened.

The other feature lets you use a temporary profile picture with some appropriate overlay, the tricolor in this case. This is a nice and easy way to show sympathy. And it became popular very quickly, at least among my friends. The downside is however that it seemed so popular that those without a tricolor were sticking out. Some people started asking them why they aren’t supporting the victims in Paris? The whole thing has lost part of its meaning when it goes that far. We can’t know anymore who genuinely supports France and who changed the picture because of the social pressure.

I changed my picture too. And it was interesting to see how the feature was implemented. The Facebook app for iOS 9 launched a wizard that let me make a picture with the tricolor overlay. Either by snapping a new selfie or using one of my previous profile pictures. I guess the latter is what most people want to do. But Facebook’s wizard requires permissions to use the camera and refuses to start until the user has given that permission. Even if you just want to modify an existing picture.

Even more spooky. The wizard also asked for permission to use the microphone when I first ran it. That is, needless to say, totally unnecessary when creating a profile picture. And Facebook has been accused of misusing audio data. It’s doubtful if they really do, but the only sure thing is that they don’t if you deny Facebook microphone access. But that was probably a temporary glitch, I was not able to reproduce the mic request when resetting everything and running the wizard again.

Your new profile picture may be temporary, but any rights you grant the Facebook app are permanent. I’m not saying that this is a sinister plot to get more data about you, it may be just sloppy programming. But it is anyway an excellent reminder about how important the app permissions are. We should learn to become more critical when granting, or denying, rights like this. This is the case for any app, but especially Facebook as its whole business model is based on scooping up data about us users.

Time for an app permission check. On your iOS device, go to Settings and Privacy. Here you can see the categories of info that an app can request. Go through them and think critically about if a certain app really needs its permissions to provide value to you. Check Facebook's camera and microphone permissions if you have used the temporary profile picture feature. And one last thing. Make it a habit to check the privacy settings now and then.

Image: This is how far you get unless you agree to grant Facebook camera access.

Image: The Settings, Privacy page. Under each category you find the apps that have requested access, and can select if the request is granted or denied.

Safe surfing,
Micke

PS. The temporary profile picture function is BTW simpler in Facebook's web interface. You just see your current profile picture with the overlay. You can pan and zoom before saving. I like that approach much more.

Photo by Markus Nikander and iPhone screen captures

November 16, 2015