If you’re still a Windows XP user, you’re probably singing a sad song knowing that after 12 long years Microsoft will end its support for the world’s second most popular operating system on April 8, 2014.
Microsoft warns you that if you continue to use its OS first introduced before the iPhone even existed “your computer will still work but it might become more vulnerable to security risks and viruses.” And if that isn’t enough to encourage you to upgrade or get a computer, maybe the fact that “you can expect to encounter greater numbers of apps and devices that do not work with Windows XP” will.
But given the millions of PCs running the OS and the scarce amount of time and resources many people have, some people will certainly be XP users well after its “expiration date.” If you’re going to be one of these daredevils, our Security Advisor Sean Sullivan has some suggestions.
“Folks that continue to use XP at home can do so with some reasonable amount of safety, but they absolutely need to review their Internet and computing habits as April draws near,” he told us. And he broke down 7 ways to avoid the trouble from the criminals who will surely be targeting these unsupported systems.
1) Install an alternative browser — not Internet Explorer.
2) Review the third-party software you’ve installed and uninstall anything that isn’t needed.
3) For the third-party software that you keep – consider disabling or uninstalling the browser plugins. Or at least set the browser to “always ask” what to do about things such as PDF files. (Personally, I always download PDFs to my desktop and open them from there. I don’t want the PDF viewer plugin installed, and I don’t like being in the habit of opening certain file types in my browser’s window.)
4) Have an up-to-date security product with antivirus and firewall installed.
5) Keep your XP computer connected to a NAT router, which will act as a hardware firewall. (Practically speaking, this means you shouldn’t be roaming around outside of your home with an XP computer. Don’t plug into a university network for connectivity – keep your computer at home on a trusted network.)
As you can see, living in the past may not make life easy. But if it’s your only option, you should at least try to stay as safe as possible.
[Image via Patrick Hoesly via Flickr.com]
In response to news that the secret records of more than 22 million Americans have been breached, possibly by attackers from China, you may have heard the loaded term being used to describe the unprecedented attack. "Why are we ignoring a cyber Pearl Harbor?" a conservative columnist asked. F-Secure Security Advisor Sean Sullivan joined other experts in explaining that while the Office of Personnel Management hack was a very big deal, it's hyperbole to call it an act of war. Sean argues that the term cyber war should be limited to cyber weapons that cause actual physical damage. It would have to break the so-called "kinetic barrier". There is no international treaty that defines online rules of engagement but he points to NATO's Tallinn Manual on the International Law Applicable to Cyber Warfare, which attempts to apply existing laws to cyber warfare. Cyber attacks present an even more vexing challenge in attributing the author of an attack than stateless terrorism. But regardless the author, any cyber attacks on a hospital, for instance, would be illegal under existing law. Sullivan sees the OPM hack as more likely to be part of another governmental activity that predates the internet: espionage. "Espionage can be a part of warfare, if you think they’re gathering that information for military defense purposes," he said. "Or it can be counterintelligence." He suggests the OPM hack data could be used to find which Americans are, for instance, not working on diplomatic mission and thus might be intelligence. He notes that former NSA contractor Edward Snowden briefly worked at a U.S. embassy. The lack of a background check in that instance could suggest that he was working as a spy under a false identity. There’s a difference between war and warfare, Sean notes. "It could be China is interested in defensive capabilities," he said. "It’s an aspect of warfare. It’s not war." If it were to transgress to the level of war, the results would be severe. "We can assume that China is a rational actor," Sean said. "It wants world power without wrecking the world economy. Military posturing is more likely." He suggests that the U.S. should be much more concerned about the protection of all of its digital data. “I guarantee you that the IRS’ records are just as vulnerable," he said, suggesting that the one thing that may be keeping taxpayers' records safe is the government's tendency to rely upon dated technology like magnetic tape. And at least some powerful U.S. officials agree that more must be done to secure America's private information. But don't expect them to be satisfied with the same sort of restricted networks the private sector relies upon. A bipartisan coalition of senators are backing new legislation that would give the Homeland Security secretary the authority "to detect intrusions on .gov domains and take steps similar to what the National Security Agency can do with the Pentagon," according to Roll Call. Ah, so more powers for the NSA. Isn't that always the endgame these days when the language of war being tossed around? [Image by U.S. Naval War College | Flickr]
Wired.com broke a shocking but hardly surprising story on July 21st. The reporter was driving his Jeep on the highway when strange things started to happen. First the fan and radio went on and later the whole car came to a stop. On the highway! Andy Greenburg was not in control of the car anymore. It was controlled remotely by two hackers, Charlie Miller and Chris Valasek, from miles away. They had not tampered with the car, and as a matter of fact never even touched it. All was done by connecting remotely to the vehicle and utilizing a vulnerability in its own software. A highway is not the safest place for this kind of demonstration so they continued with the brakes and steering manipulation in a parking place. Yes, that’s right. Brakes and steering! Scary? Hell yes! This is a great demonstration of security issues with the Internet of Things trend (IoT). Anything connected to the net can in theory be hacked and misused remotely. IoT is typically associated with “smart” appliances like toasters and fridges, but a car connected to the net is very much IoT as well. And a hacked car is a lot scarier than a hacked fridge. So let’s look at the tree fundamental questions this hack raises. How can this be possible? Car manufacturers were taken with their pants down. They have for decades been thinking deformation zones and airbags when you say security. Now they need to become aware of digital security too. I’m confident that they already have some level of awareness in this field, but the recent Jeep-incident shows that they still have a lot to learn. I’m not only thinking about preventing this from happening in the first place. No system is perfect, and they must also be able to deal with discovered vulnerabilities. A fix for the problem was created, but patching vehicles required a visit to the car dealer. Like taking your computer to the store to have Windows updates applied. No way! This underlines that digital security is about more than just design and quality control. It’s also about incident response and maintenance processes. Good morning car manufacturers and welcome to the world of digital security. You have a lot to learn. Ok, it can be done, but why? We are now at the “Wow! This is really possible!” –stage. The next stage will be “Ok, but how can this be utilized?” There’s a lot of headlines about how we could be killed by hacked cars. That may be technically possible, but has so far never happened. Hackers and virus writers used to work out of curiosity and do pranks just because it was possible. But that was in the eighties and nineties. Earning money and collecting information are the motives for today’s cyber criminals and spies. Killing you by driving your car off a cliff will not support either of those objectives, but it does make juicy headlines. Locking your car and asking for a ransom to unlock it is however a plausible scenario. Turning on the hands-free microphone to spy on your conversations is another. Or just unlocking it so that it can be stolen. Anyway, the moral of the story is that scary headlines about what car hackers can do are mostly hype. The threat will look very different when or if it becomes reality in the future. Let’s just hope that the car manufacturers get their act together before this becomes a real problem. Should I be worried? No. Not unless your job is to design software for vehicles. The current headlines are very important wake-up calls for the car industry, but have very little impact on ordinary consumers. Some early incidents, like this Jeep case, will be handled by calling cars to the dealer for an update. But it is clear that this isn’t a sustainable process in the long run. Cars are like appliances, any update process must be fully automatic. And the update process must be much faster than applying the latest software once a year when the car is in for routine maintenance. So any car hooked up to the net also needs an automatic update process. But what about the hackers driving me off a cliff? You said it could be possible, and I don’t want to die. First, does anyone have a motive to kill you? Luckily most of us don't have that kind of enemies. But more important. Doing that may or may not be possible. Car manufacturers may be inexperienced with hacking and IT security, but they understand that any technical system can fail. This is why cars are built with safeguards at the hardware level. The Jeep-hackers could steer the car remotely, but only at low speed. This is natural as the electronically controlled steering is needed for parking assistance, not for highway cruising. Disabling this feature above a certain speed threshold makes perfect sense from safety perspective. But, on the other hand. I can think of several scenarios that could be lethal despite low speed. And the hackers could fool the speedometer to show the wrong speed. What if they can feed an incorrect speed reading into the system that turns off electronic steering? Ok, never say never. But hiring a traditional contract killer is still a better option if someone want's you gone. And there’s naturally no safeguards between software and hardware when the self-driving cars take over. Widespread self-driving cars are still sci-fi, and hacking them is even further away. But we are clearly on a path that leads in that direction. A few wrong turns and we may end up with that problem becoming reality. The good news is on the other hand that all publicity today contribute to improved digital security awareness among vehicle manufacturers. But finally back to today’s reality. It is still a lot more likely for you to be killed by a falling meteorite than by a hacker taking over your car. Not to talk about all the ordinary traffic accidents! Safe cruising, Micke
Tomasz was a finance graduate, fresh out of university. This wasn’t what he had dreamed of studying, but he expected to find a well-paid job afterwards. This is why he started working in a branch of a local cooperative bank. The job wasn’t very demanding. During the day he didn’t have to deal with many customers, which suited him just fine. It did annoy him a bit that his work computer was only connected to an internal network and not the Internet, as with every other computer in the bank. This protocol protected the system from unauthorised outside access, which is crucial for a bank. It also, however, meant that employees were not able to check their private email accounts or access newsfeeds on social networking sites. One day, Tomasz noticed his computer behaving in a strange way. The machine was slow and crashed repeatedly, not to mention the error messages flashing on his screen. It was of no use for work. Things got even worse when the monitor simply went dark. Despite trying numberous times, Tomasz couldn’t turn it on again. He didn’t want to waste his precious time so he called the IT department about the problem. It turned out that he wasn’t the only one. All of the computers at the bank had gone crazy. The branch had to be closed down for four hours. A ten-person IT team responded to the crisis, launching a backup system. After several hours they were able to restore all computers to working order. What had happened was that a virus had infected the network. The head of the IT department wanted to know whose computer was attacked first. An internal investigation revealed that the malware came from Tomasz’s machine and the source of the infection was one of the bank’s flash drives. A few weeks earlier, Tomasz had copied his holiday photos to the drive to show them to his colleagues. The virus entered the device’s memory when the photos were copied from Tomasz’s private laptop. He was quickly called into his boss’s office. Tomasz knew all too well that he had violated security protocol. He knew that he would be punished, but how harshly? In the end, Tomasz was officially reprimanded and a note was placed on his file. Considering that his negligence cost the bank several thousand euro, this was merely a slap on the wrist. However, because of his recklessness, Tomasz had endangered sensitive data stored in the bank’s system, not to mention his own future career. Your business can be smart enough to prevent your own Tomasz from causing you heartache. "Your network can be set up so only administrators can add new hardware," F-Secure Security Advisor Sean Sullivan explained. "And why shouldn't it be?" For more insight into how to keep your business safe, check out our Business Insider blog. Cheers, Sandra