Friday, June 29, 2012

Windows XP is Dying

Windows XP was originally launched on October 25th, 2001. Despite its age, it's believed that around 25% of desktop and laptop computers are still running Windows XP. Unfortunately, like all good things this must eventually end. As of April 8th, 2014 Microsoft will no longer provide automatic fixes, updates, or online technical assistance for Windows XP. “So bottom line, PC’s running Windows XP will be vulnerable to security threats.” revealed Microsoft’s Stephen L Rose. “Furthermore, many third party software providers are not planning to extend support for their applications running on Windows XP, which translates to even more complexity and security risks.”
One question that is often asked is “Why is Microsoft doing this?”. The simple answer is that Microsoft hasn't been selling XP since 2009. This means that every update that they put out gets paid for by Microsoft with no return on investment. They haven't made money off of XP in over three years. Added to that is the fact that Microsoft is on the verge of launching Windows 8. This means that by the end of the year they will be supporting four separate operating systems. Supporting each of these operating systems requires a huge investment in time and money. Eventually they have to pull the plug. Realistically, thirteen and a half years is an amazingly long time to support an operating system. To put this into perspective, Apple typically supports versions of Mac OS with security patches for three to four years.
What does this mean for you if you're currently running Windows XP on your computer? It means that once that April 8th, 2014 date passes your system will no longer be safe to connect to the Internet. In fact, just having an XP system on your network after that date will put your other devices at risk. This effectively kills XP as a viable operating system in most cases, and it will be time to upgrade.
What does an upgrade entail? Because of the age of Windows XP, most computers that are still running it will not be able to handle Windows 7. Usually a hardware upgrade will be needed to upgrade your operating system. This is not always the case however, and many machines that were made for XP can comfortably run Windows 7. My laptop at home was designed for XP, and it actually runs better with Windows 7 installed. You can check to see if your computer will run Windows 7 with Microsoft’s Windows 7 Upgrade Advisor. You can download the tool from: As always, if you have any doubts consult a professional. Even if you don't plan to transition to Windows 7 until XP is abandoned, checking to see if your hardware can handle the upgrade will enable you to plan for the cost of whatever new hardware you require.
Once you find that your hardware can handle the upgrade, the next step is to back up your documents. Because the infrastructure of Windows 7 is fundamentally different from XP's, the installation of Windows 7 will wipe your hard drive. Make sure that you have a second copy of anything that you want to keep.
Another thing to be aware of is the fact that many programs that were written for Windows XP will not work with Windows 7. Many of these will have an updated version but some will not, and the ones that do may charge you to upgrade. Usually, a quick visit to the software supplier's website will tell you what to expect.
Upgrading your operating system can be a daunting task. Unfortunately, if you are still using Windows XP the time is quickly approaching when you simply won't have a choice if you want to keep your system secure. With the approach of Windows 8 Microsoft is changing the look and feel of the desktop, so Windows 7 may be your last chance if you want to keep the familiar Windows look. On the upside Windows 7 is scheduled to be supported until 2020, so you won't have to make this transition again any time soon.

Monday, June 25, 2012

Can I Have Your Bank Account Information?

When was the last time you handed your house keys to a total stranger? Have you ever displayed a sign in your window listing all of your banking information? Most of us are going to think that these questions are pretty silly, but you may be doing the digital equivalent right now. If you are running an open wireless network any information that travels over that network is free for the taking. You also run the risk of somebody gaining access to your network and forcing their way into the computers connected to that network. As unlikely as these risks may seem, the number of cases of these things occurring is growing rapidly. You could go shopping and leave the keys in the ignition of your car while you're in the store, and your car would probably still be parked where you left it when you come back out. The question becomes, why risk it?
Putting a password on your network does more than just prevent people from getting on the Internet using your bandwidth. It also encrypts all of the information that travels over that network. This means that nobody can access that information without knowing the code, and they don't have access to the code without knowing the password. Of course there are differing levels of encryption, which will protect your information to different degrees. In the early days of wireless, WEP was the standard. Unfortunately, it proved easy to defeat. There was a scramble to find a better encryption standard, but a patch was needed to give people protection in the meantime. WPA was released to be that patch. Once the new standard was decided upon it was released as WPA2. Any equipment built from 2005 on should be able to handle all three standards. The question is, how much security is needed? Well, let's put this all in perspective. WEP would be the equivalent of a lock on a screen door: it will keep out people that are just looking to steal some bandwidth, but anybody with malicious intentions won't even be slowed down. WPA would be like closing and locking all of your doors and windows: it should be enough of a deterrent to stop most small time crooks. WPA2 would be like adding an alarm system, some closed circuit cameras and maybe a guard dog or two. Is it possible to defeat? Sure, but somebody would have to really know what they're doing and really want to get in. They're more likely to move along and look for easier prey.
All of this may seem like a lot of bother, and besides how likely is it that somebody is going to come along and try to steal your information? There are a couple of recent cases which indicate that not only is this possibility plausible, but the consequences can be pretty extreme.
There was a case in Buffalo, NY in which federal agents stormed a family's home with assault weapons drawn and seized all of their computer equipment. The husband in this case was accused of downloading and distributing child pornography. The agents had traced the files to the family's Internet Provider, who provided them with an address. It was later found out that there was actually a neighbor tapping into their unprotected wireless network in order to commit these crimes. This information wasn't found out for three days however. In the meantime, the family was being barraged with questions and accusations, not to mention the embarrassment of being arrested for child pornography. In another case in Sarasota, FL a man parked his boat in a marina and scanned for unencrypted wireless networks. He found one in a nearby building, logged on and proceeded to download over 10 million images of child pornography. The results were the same, with the owner of the network having his home stormed by the police. There is a case currently pending in New York in which a man running an unencrypted network is being sued for illegally downloading movies. He claims that somebody must have logged onto his open network and downloaded the movies. The problem is, nobody else has been caught. While he is not being charged criminally, the movie studios are pursuing a lawsuit against him. The common thread in all of these cases is that the criminals knew that what they were doing was illegal and they didn't want the police knocking on their doors, so they simply found an unsuspecting neighbor and used their network to perform their criminal acts.
Another problem that is created with open networks is the practice of packet sniffing. As we discussed earlier, password protecting your network encrypts all of the data that is sent over that network. The flip side of this is that if you don't password protect your network, your data is being sent unencrypted. Packet sniffing is the practice of watching a network and intercepting messages that are being sent and received. Google is in the middle of a scandal in which it was revealed that their Street View vehicles engaged in packet sniffing. Google has admitted to grabbing log-in names, passwords, even entire emails while driving past unencrypted networks. Unfortunately, you don't need an advanced vehicle set up to steal information off of wireless networks. A quick YouTube search will reveal videos explaining how to get all of the equipment needed to sniff wireless networks into a backpack that can be worn while walking down the street. There is also a group of people that engage in “Wardriving”, which is driving around looking for wireless networks to infiltrate. Wardrivers will log the GPS coordinates of these networks and post them online, even going so far as to spray paint markers in front of houses that are vulnerable. While this is perceived by these groups as innocent fun, a marked network would definitely be seen as an opportunity for somebody looking to steal data.
Are any of the attacks mentioned today likely to happen? Maybe not, but just like taking your keys out of the ignition when parking your car, prevention is easy enough that there's no real reason not to protect yourself. Encrypting your network can take as little as five minutes, and it's a one-time procedure. As always, if you aren't familiar with how to configure your router seek professional help. An incorrectly configured router will leave you unable to connect to the internet to look for possible fixes. Taking these steps won't guarantee that you won't be targeted, but like locking your front door they will make you that much less appealing to somebody looking for an easy victim.

Friday, June 15, 2012

How Secure Is Your Smartphone?

Just a couple of years ago the biggest software concern you had about your cellphone was whether or not it could play Snakes. Today, smartphones have become a popular target among hackers and malware producers. It is a high-reward business because most people are unaware that their cellphone is just as vulnerable to cyberattacks as their desktop computer. Think about all of the things that you do on your cellphone, and then imagine a worst case scenario if somebody had access to all of the information that these tasks contain. At the least this would usually contain emails, online accounts, and your cell phone provider's accounts. At the worst it may contain online banking information or medical information. Either way, this is more than enough for a would-be identity thief to take advantage of. Luckily, with a few simple precautions we can keep our cellphones, and our data, safe.
The most obvious threat to the security of our smartphones is simply for the device to fall into the wrong hands. As silly as this sounds, most cases of smartphone data theft begin with a lost or stolen phone. The first line of defense is common sense. Don't put your phone down in a public place, and don't leave it where it is easily grabbed. In short, treat your phone as you would your wallet. In case your phone does get snatched by a passing evildoer, the next step is to make sure that you have a secure screen lock. For Blackberry, iOS and Windows phones use a secure password. Something that's easily remembered, but not easily guessed. If it includes personal information such as your name, birthday or address it is not safe. For Android users, make sure that your unlock pattern is relatively complex and crosses over itself. If not, somebody can deduce your pattern from the repeated smudge marks on your screen.
As with every computer, a good password alone is not enough to protect you. If your phone does get lost or stolen there is a line of software that will help you recover it, or wipe the data if you are unable to do so. The first step is a piece of software that will lock your phone down. This software will turn off the phone's screen and disable it, preventing an attacker from being able to easily access your information through the phone's operating system. Most of these programs will also be able to lock down the phone's communication ports stopping people from simply plugging your phone into a computer and downloading the information that way.
The next piece of software will turn on the GPS on your phone and lock it on. This way, as long as your phone has a battery with some life in it, your phone will continuously broadcast its location. This can be a huge help in a situation where you have simply lost your phone. Activate this feature and your phone will pop up on a map, making it a simple matter to locate it. In the case of a theft, you can provide the location to the police department, vastly increasing the odds of recovering your phone.
The last ditch effort in the case of a lost or stolen phone is software that will completely wipe the memory. This is useful when other means of recovery have failed, and you have given up on hopes of recovering your phone. This software will remove all traces of personal information.
In addition to the threat of losing physical control of your phone, there is the threat of malware. Smartphone malware is similar to the viruses and trojans found on your home computers. Recently, Google had to remove 50 apps from their app store that they found to be malicious. These apps had already been downloaded to thousands of phones apiece. Apple and Amazon have also experienced malicious apps infiltrating their app stores. People get a false sense of security downloading programs from these large companies. They assume that these corporations have already weeded out all of the bad apples, and only post the good. While this is certainly the goal, it is impossible to be 100% certain 100% of the time. Oftentimes, a software programmer's account will get hacked. The culprit will take down their legitimate app and replace it with a copy that contains malicious code. This is usually discovered within hours, but by then the app has already been distributed to enough people to make the attack worthwhile. Another attack that has become popular is one in which a developer submits a legitimate program in order to get it approved for the app store. Once the app has been approved and downloaded by a sufficient number of people, the developer releases an update which contains malicious code. These attacks are much harder to control, as the updates will go out immediately to every person that has downloaded the app. For these attacks you need a good anti-malware program running on your phone.
Most of the major players in the PC malware game have mobile security suites as well. Familiar names such as AVG, Avast, Avira, Kaspersky, Norton, and McAfee all have mobile suites. Most of these suites include all of the protections that were mentioned earlier. However, the interface can vary greatly from provider to provider. Some will allow you to engage and interact with the anti-theft features via text messages to your phone, while others will use an internet browser. Some suites will be free and others will have to be paid for. You will still have to do your homework to determine which security suite will best fulfill your needs. Hopefully I've armed you today with the information you'll need to make an informed decision. As always, if you are still unsure whether or not your phone is safe, consult a professional for their opinion.

Friday, June 8, 2012

Are You Scared Yet?

We have recently seen an increase in scareware incidents. Scareware is a tool that is being used to trick people into giving away money, control of their computers or personal information. This particular method exploits people's fear that there may be something wrong with their system. The culprit offers to help, thus duping the victim into allowing access to their system. Because these attacks are initiated by user input, they are very difficult for anti-virus programs to detect. Anti-virus programs are looking for other programs that are behaving suspiciously. In these attacks, it usually isn't a program that is performing the suspicious actions, but a user, so they fall outside of the scope of a traditional anti-virus.
The most common action scareware takes is to simulate real problems on your computer and then offer to fix them. The culprits will write a program that will change settings on your computer to cause problems and then pop up an advertisement offering a solution to these new problems. This advertisement will often be disguised as a Windows alert to try to trick people into thinking that this is a solution that is being offered by Microsoft, which makes it appear more authentic. This “fix” is usually something that you have to pay for, but sometimes is offered for free. Once they convince you to download their “fix” they have complete control of your system.
There are several different options for them to take at this point. Sometimes the “fix” will simply restore your settings and you'll think that it must have worked because everything is back to normal. This is usually done after you've paid for the “fix”, and is a method that allows the culprit to get positive online reviews from victims that have been tricked. This way future victims are more likely to fall prey, as a quick Google search will return results that would indicate that this program is legitimate.
Another option is for the “fix” to schedule periodic problems. Each time a problem comes up, you'll be asked to pay for another solution. This way people are duped into giving away money multiple times for a single infection.
The most common occurrence though, is for the “fix” to simply embed itself into your system and systematically send all of your data back to the culprits who created the program. Anything that you have on your computer or enter into your computer can be compromised. This includes not only your documents, but any online accounts, including banking and email accounts. They can also use your computer as a stage to launch attacks against other systems. This way, when the attacks get detected they're traced back to you instead of the perpetrators.
Another attack that we've been seeing lately involves a phone call. Somebody will call the victim and inform them that either there is a problem with their computer, or that there is an upgrade that they must do. They will convince the victim to punch some commands into the system, which will open a communication port. They are then able to load in whatever programs they want, and perform the same attacks mentioned above as if the victim had installed the program themselves.
Sometimes the culprits use a blended attack. One incident we recently saw involved a pop-up advertisement asking the victim to purchase software, and once purchased the victim was directed to call a number to register the software. When the number was called the victim was told to punch a code into the computer, which allowed the culprits to remotely access the computer.
The key to protecting yourself from these attacks is to do your research. If a warning pops up telling you that there's a problem with your computer, hop online and research the problem. Then, make sure that the download is coming from a trusted source, such as Malware will sometimes try to confuse you by using a Microsoft subdomain, which would look like This is actually connecting to, and not Microsoft. As always, if you still have doubts seek out a professional opinion.
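The subdomain trick described above, as an added example that is not part of the original post: the site you actually connect to is decided by the right-hand end of the host name, so a check has to match the trusted domain at the end of the host, on a dot boundary, rather than look for the word "microsoft" anywhere in the address. The trusted list and every example.net address below are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the domains this user has decided to trust for downloads.
TRUSTED_DOMAINS = {"microsoft.com"}


def effective_host(url):
    """Return the lowercase host a browser would connect to, or None."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # drops any "user@" prefix and the port
    except ValueError:
        return None  # malformed address, e.g. a broken IPv6 literal
    if parts.scheme not in ("http", "https") or not host:
        return None
    return host.rstrip(".").lower()


def is_trusted_download(url, trusted=TRUSTED_DOMAINS):
    """True only if the host is a trusted domain or a subdomain of one."""
    host = effective_host(url)
    if host is None:
        return False
    # Match on a dot boundary: "notmicrosoft.com" must not pass.
    return any(host == d or host.endswith("." + d) for d in trusted)


# Constructed sample addresses; none are taken from the original post.
SAMPLES = [
    "https://download.microsoft.com/fix.exe",               # real subdomain
    "https://www.microsoft.com.example.net/fix.exe",        # trusted name used as a subdomain
    "https://microsoft.com@downloads.example.net/fix.exe",  # trusted name in the user part
    "https://notmicrosoft.com/fix.exe",                     # trusted name as a suffix only
    "HTTPS://WWW.Microsoft.COM./fix.exe",                   # case and trailing dot
]


def classify(urls=SAMPLES):
    """Map each address to (host actually contacted, trusted or not)."""
    return {u: (effective_host(u), is_trusted_download(u)) for u in urls}


if __name__ == "__main__":
    for url, (host, ok) in classify().items():
        print(f"{'TRUSTED  ' if ok else 'UNTRUSTED'} {host}  <- {url}")
```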
There are people out there that are going to try to trick you into giving away your information. Don't allow access to your computer to anybody you don't know. That would be like handing your house or car keys to a stranger. You never know what they're going to do.