Monthly Archives: March 2014

US-CERT urges XP users to dump IE

If customers must run XP after April 8, switch to an alternate browser that still gets patches, advises team from Dept. of Homeland Security.

People who plan to run Windows XP after Microsoft pulls the patch plug should dump Internet Explorer (IE) and replace it with a different browser, the U.S. Computer Emergency Readiness Team (US-CERT) said Monday.

US-CERT is part of the U.S. Department of Homeland Security, and regularly issues security warnings and threat alerts.

“Users who choose to continue using Windows XP after the end of support may mitigate some risks by using a Web browser other than Internet Explorer,” US-CERT said in a Monday bulletin. “The Windows XP versions of some alternative browsers will continue to receive support temporarily. Users should consult the support pages of their chosen alternative browser for more details.”

US-CERT’s advice was not new: Security companies and experts have said the same before.

Because Microsoft ties support for Internet Explorer (IE) to the underlying operating system’s end date, people running Windows XP will also not receive patches for IE7 or IE8, although others, including customers running the same browsers on Windows Vista and Windows 7, will continue to receive fixes.

IE6, which debuted several months before XP in 2001, will be retired from all support next month.

With IE patches ending, security professionals have urged people sticking with XP to run a browser that will receive bug fixes, like Google’s Chrome, Mozilla’s Firefox and Opera Software’s Opera.

That anything-but-IE advice stems from the fact that Windows malware often enters a PC by exploiting a browser vulnerability. Exploits of unpatched bugs, described as “drive-by attacks,” only require the user to browse to a malicious or compromised website, where attack code has been pre-planted.

Chrome will be patched until at least April 2015, Google pledged last October, leaving the door open to a later stop date.

However, Mozilla declined to specify a patch-until date when asked Monday.

“We listen to our users closely, and right now many of them are on XP and expect to stay on that platform. We have not announced any end of support for Firefox on XP at this time,” said Chad Weiner, director of product management, in an email response to questions.

Mozilla typically discusses impending support stoppages on its planning forum months before it discontinues updates for an operating system. Developers have not begun talking there about dropping support for Windows XP Service Pack 2 (SP2) or SP3.

And Mozilla often supports an OS long after its maker has stopped: The last version of Firefox that ran on Windows XP SP1, the patch roll-up Microsoft quit supporting in October 2006, was Firefox 12, which shipped in April 2012.

Opera has previously issued statements along the lines of Mozilla’s, but it did not immediately reply to questions today, including whether it has set a firm end-of-support date for Windows XP.

Current XP users are most likely running IE8, the latest browser supported by the OS, because in early 2012 Microsoft began automatically upgrading users to the newest version of IE supported by a given operating system.

According to measurement firm Net Applications, IE8 accounted for 37.3% of all instances of Internet Explorer used in February. IE6, the version originally released with XP, accounted for 8% of all copies of Internet Explorer, a high percentage considering that Microsoft had gone to great lengths to eradicate that version.

Chrome, Firefox and Opera can be downloaded from the websites of Google, Mozilla and Opera Software.

Via: networkworld

Major security flaw threatens Linux users

A source code mistake in the GnuTLS library, an open-source software building block used in a large number of Linux distributions to handle secure Internet connections, could prove a serious threat to the privacy of Linux users, as developers rush to patch the vulnerability.

Nikos Mavrogiannopoulos, the developer of GnuTLS, announced Monday in a mailing list message that he had implemented a fix to the source code that closes the loophole. The flaw would have enabled an attacker to spoof GnuTLS’ system for verifying certificates, exposing supposedly secure connections to stealthy eavesdropping.

By creating a specific type of fake certificate, an attacker could trick GnuTLS into accepting it as genuine, granting access to an otherwise-secure connection. This done, the intruder could monitor traffic flowing through the connection in plain text, and even inject code of his own, potentially opening further avenues of attack.

Mavrogiannopoulos, who called the bug “embarrassing,” said that the issue was discovered during an audit performed on behalf of his employer, Red Hat. Some major Linux distributions have already acted to apply Mavrogiannopoulos’ fix, according to a security advisory posted by LWN.net. Ubuntu, Debian, Fedora, Red Hat, Oracle, Slackware and SUSE have all rolled out updates aimed at closing the loophole.

The news comes days after Apple patched a similar issue in its own software, which had exposed iOS and OS X users to similar man-in-the-middle attacks. Thanks to the greater consumer reach of Apple’s products, that “goto fail” issue received widespread attention, with some commentators even ascribing sinister motivations to Apple’s apparent sluggishness in fixing the flaws.

Via: itworld

9 must-dos if you’re sticking with Windows XP

F-Secure tells XP users how to maximize security and minimize risks as Microsoft ends support.

Without updates after April 8, Windows XP is expected to fall prey to any number of zero-day attacks for which Microsoft will provide no defense, but there are some things die-hard XP users can do to make their machines safer.

In its threat report for the second half of 2013, security vendor F-Secure sets down nine of them, including some for home users:

  • Air-gap or isolate on separate networks the XP devices in order to protect more modern machines from being attacked by compromised XP devices.
  • Install the final Windows XP update so machines start their unsupported lives protected from the latest known vulnerabilities.
  • Install an alternative, current browser and make it the default. Windows XP comes with Internet Explorer but it only supports up to IE 9, making the security features of IE 10 and 11 unavailable.
  • Fully patch Microsoft Office if it’s on the machine to reduce the chances of it compromising the device.
  • Uninstall unused third-party software. The older it is, the more likely it is to be vulnerable.
  • Consider disabling or uninstalling browser plugins for third-party software, and set the browser to ask what to do with PDFs, etc., rather than opening them by default.
  • Install up-to-date firewalls and anti-virus software.
  • Keep the computer on a trusted network behind a NAT router, which acts as a hardware firewall.
  • Consider upgrading to a supported OS.

F-Secure says it’s very important to prevent XP computers from being exploited, “because once compromised it is much more difficult to repair than its siblings. An ounce of prevention is really worth more than a cure in the case of XP.”

Via: itworld

95 percent of ATMs run Windows XP. Here’s everything you need to know about the security threat

Most of the world’s money machines run on software that will soon no longer get updates, but don’t panic (maybe).

As you’re probably tired of hearing by now, Microsoft is pulling the plug on Windows XP and really, really wants everyone to upgrade before full support ends on April 8th. There are solid security reasons to do so. Unfortunately, “everyone” includes banks around the world, with their hundreds of thousands of ATMs running Windows XP. Once support ends, hackers could potentially compromise these internet-connected machines, which is the last thing probably anyone (except thieves) wants.

It’s expensive, however, and a major undertaking to upgrade all those systems. In the US, for example, there are about 200,000 Windows XP ATMs and, as CNN reports, to replace the operating system in them, banks would have to replace the entire computer inside as well–something that could cost between $1,000 and $3,500 per ATM. To the surprise of probably no one, banks haven’t been exactly racing to do this costly upgrade.

So what does it mean for us? If the majority of money-doling machines could be compromised by hackers, do we really want to give our account numbers and PINs to them? What other choices do we have and how can we know if an ATM is secure?

Well, there’s some good news. CNN’s article says that major banks are “cutting special deals with Microsoft” to extend life support for these aging ATMs, while the banks upgrade them. JPMorgan is called out specifically as having a one-year extension on support and says their Chase ATMs will begin the upgrade process to Windows 7 starting in July. Citibank and Wells Fargo also say they’re upgrading their machines, but no dates have been provided.

So, at the very least, you might feel safer withdrawing money or using the ATM for other purposes at Chase banks for now. Oddly enough, non-bank-run ATMs at small convenience stores and similar places may be more secure as well, since they tend to run Windows CE (which still gets security updates from Microsoft). Or, if you’re truly concerned, take money out the old-fashioned way–from your bank’s teller.

It’s a sad, pretty dire situation, but hopefully banks will upgrade these systems before the financial system crashes (in a different way).

Via: itworld

PowerLocker – Ransomware

PowerLocker, also called PrisonLocker, is a new family of ransomware which in addition to encrypting files on the victim’s computer (as with other such malware) threatens to block users’ computers until they pay a ransom (like the ‘Police virus’).

Although the idea of combining the two techniques may have caused more than a few sleepless nights, in this case the malware is just a prototype. During its development, the malware creator has been posting on blogs and forums describing the progress and explaining the different techniques included in the code.


The malware creator’s message on Pastebin

In this post, for example, the creator describes how PowerLocker is a ransomware written in C/C++ which encrypts files on infected computers and locks the screen, asking for a ransom.

The malware encrypts the files, which is typical of this type of malware, using Blowfish as the encryption algorithm with a unique key for each encrypted file. It then protects each of these per-file keys with RSA-2048 public/private key encryption, so only the holder of the private key can decrypt all the files.

Also, according to the creator, PowerLocker uses anti-debugging, anti-sandbox and anti-VM features as well as disabling tools like the task manager, registry editor or the command line window.

However, all the publicity surrounding PowerLocker that the creator had been generating across forums and blogs before releasing it has led to his arrest in Florida, USA. Consequently, today there is no definitive version of this malware and there is no evidence that it is in the wild.

Nevertheless, we still feel it’s worth analyzing the current version of PowerLocker, as someone else could be in possession of the source code or even a later version.

PowerLocker analysis

The first thing PowerLocker does is to check whether two files with RSA keys are already created, and if not, it generates the public and private key in two files on the disk (pubkey.bin and privkey.bin).

Unlike other ransomware specimens, which use the Windows CryptoAPI service, PowerLocker uses the OpenSSL library for generating keys and encrypting files.


Once it has the keys, PowerLocker runs a recursive search of directories looking for files to encrypt, excluding, not very effectively, files with any of the file names used by the malware: privkey.bin, pubkey.bin, countdown.txt, cryptedcount.txt. It also avoids $recycle.bin, .rans, .exe, .dll, .ini, .vxd or .drv files to prevent causing irreparable damage to the computer. The creator has however forgotten to exclude certain extensions corresponding to files which are delicate enough to affect the functionality of the system, such as .sys files. This means that any computer infected with PowerLocker would be unable to reboot.


Moreover, in this version it is possible to use a parameter to control whether the ransomware encrypts or decrypts files using the pubkey.bin and privkey.bin keys generated when it was first run.

This version does not include the screen lock feature described by the creator, although it displays a console with debug messages, names of the files to encrypt/decrypt, etc. and asks you to press a key before each encryption or decryption.

Conclusions

At present, there is only a half-finished version of PowerLocker which could practically be labelled harmless, and which lacks many of the most important features that the creator has described on the forums and blogs, such as anti-debugging, screen locking, etc.

Despite it not being fully functional, we would recommend having a system for backing up critical files, not just to offer assurance in the event of hardware problems, but also to mitigate the damage of these types of malware infections.

Also bear in mind that if you don’t have a backup system and your system is infected, we certainly do not recommend paying the ransom, as this only serves to encourage the perpetrators of such crimes.

Via: pandasecurity

Elaborate New Scam Targets Netflix Users

A security expert identified a new scam that uses an elaborate form of phishing to target Netflix subscribers.

A new scam is making its way around the Internet, and it targets Netflix users. If you fall for it, you could get stuck paying for $400 worth of useless tech support, or even worse: Hackers could gain access to your computer and steal files.

Here’s how it works: A legitimate-looking email purporting to be from Netflix arrives in your inbox. It suggests you go to a support page because of a problem with your account, and you see a screen like the one below telling you your account is suspended.


If you dial the on-screen phone number, you’re connected to someone posing as a Netflix support technician, who then requests permission to send you so-called diagnostic software that allows him to take control of your computer.

When that software is running, the fake tech tells you he sees multiple problems created by hackers on your system. He’ll even show you a legitimate-looking page detailing those errors. But every bit of this support session is faked.

Once the tech shows you the bogus report, he suggests you go to Microsoft tech support to have your system cleaned up. It will cost you hundreds of dollars, but don’t worry; you’ll get a $50 Netflix discount. Meanwhile, the remote control software allows the fake support tech to examine every file on your computer and steal anything he wants.

The scam came to light through the efforts of a security expert named Jerome Segura, who has been tracking tech support scams for a year. He mentioned the Netflix scam in a blog post that includes a video he made while chatting with the scammers.

Because Segura is a pro, he had software on his computer that showed him exactly which of his carefully planted files were being downloaded. At that point in his interaction with the scammers, he was asked to provide a credit card and identification. When he didn’t provide the information, they hung up on him.

The scam combines two well-known online attacks. The first is called “phishing,” in which you receive an email that purports to be from a familiar institution, such as your bank. Following a link in the message takes you to a dangerous site that might place malware on your computer, send you buckets of spam, or in the case of the Netflix scam, place you in the hands of hackers.

The other piece of the scam is one that I’ve seen myself. You get a phone call from someone purporting to be from Microsoft saying that he has detected unusual activity on your computer, and it needs to be fixed or you’ll be barred from the Internet.

When I’ve stayed on the phone to see where it leads, the result was very similar to what Segura reported. The guy wanted to take control of my PC, and clean it — for a hefty fee. At that point, of course, I hung up.

The lessons: Never let a stranger put software of any sort on your computer; be very skeptical of unsolicited tech support; and if you get email from your bank or other institution, look closely at it to be sure it’s legitimate, and check the URL if you click through to a site to make sure it’s the one you expect.

Via: cio

Pre-installed Malware Turns Up on New Phones

A fake version of Netflix that steals personal data and sends it to Russia has been found on several phone models.

David Jevans, CTO and founder of Marble Security, recently received some bad feedback from a potential customer testing his company’s product, which helps organizations manage and secure their mobile devices.

“They basically said ‘Your stuff doesn’t work’,” Jevans said. “It thinks Netflix is malicious.”

Marble Security performs static code analysis of Android and iOS applications, which shows what the code is supposed to do. Apps are also run through an emulator with instrumentation that allows analysts to get a larger view of how an application performs. They also check an app’s network traffic to see if it is communicating with known malicious servers.

After taking a close look at the suspicious application, Jevans said they found it wasn’t the real Netflix app.

“We’re like, yeah, this isn’t the real Netflix,” Jevans said. “You’ve got one that has been tampered with and is sending passwords and credit card information to Russia.”

Security experts have long warned that downloading applications from third-party marketplaces for the Android platform is risky since the applications have often not undergone a security review. Google patrols Android apps in its Play store, but malicious ones occasionally sneak in. Apple’s App Store is less affected due to the company’s strict reviews.

With the fake Netflix application, the organization told Marble Security the app was pre-installed when it bought the device. Marble Security then looked at devices from its other customers and found the problem was widespread. They found a fake version of Netflix on phones and tablets from at least four different manufacturers, Jevans said.

“We suspect for most of them, it is preinstalled,” Jevans said.

Marc Rogers, principal security researcher with Lookout Mobile Security, said his company has seen instances of malware show up on new phones. Lookout found a variant of a family of Chinese malware on new devices imported on the gray market from China.

“We can say that we’ve seen malware authors target device supply chains as a way to install malware in a device before it ends up in the hands of a customer,” Rogers said via email.

It is possible that somewhere in the supply chain, a bundle of applications that were not vetted well were installed on hundreds of thousands of devices, Jevans said.

The applications in those bundles “are rarely run through anti-malware or privacy leak detection software,” he said.

Another possibility is that companies are buying refurbished phones, which may have taken a loop through another supply chain with loose security controls.

Marble Security found the fake Netflix app on six devices from Samsung Electronics: the GT-N8013 Galaxy Note tablet, the SGH-1727 Galaxy S III phone, the SCH-1605 Galaxy Note 2 phone, the SGH-1337 Galaxy S4 phone, the SGH-1747 Galaxy S III phone and the SCH-1545 Galaxy S4 phone.

Samsung spokeswoman Jessica Baker said in an email that “if there is a fake Netflix app on the devices, it is something that was not preloaded by Samsung or U.S. carrier partners.” Netflix spokesman Joris Evers said the company did not have a comment.

The fake app was also found on three Motorola Mobility devices, the Droid Razr, Droid 4 and Droid Bionic; two Asus tablets, the Eee Pad Transformer TF101 and the Memo Pad Smart MT301; and on LG Electronics’ Nexus 5 phone. Those companies didn’t respond to queries asking for comment.

Jevans said it’s not Netflix’s fault, as the company is just an attractive target for cybercriminals. At least four different fake versions of Netflix were found by Marble’s analysts, some of which were a modified clone of the real application.

Ideally, an application’s hash — a mathematical calculation of the exact size of the program — should be compared to that of the legitimate application before it is installed at a factory, Jevans said. If those figures are different, it may signal a fake.

Also, the application’s security certificate should be checked to ensure it is not self-signed, a trick that some malware writers use to make their software look more legitimate.

“People aren’t checking the apps that are on these things,” Jevans said.
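The two checks Jevans describes above, comparing an app’s hash to the legitimate build’s and inspecting its signing certificate, worked through as an added Go example that is not from the article or from Marble Security. It hashes the APK bytes with SHA-256, parses the DER signing certificate and flags a self-signed one, and goes one step beyond the text by also pinning the signer’s certificate fingerprint, because Android app-signing certificates are normally self-signed and matching the publisher’s known certificate is the decisive check. All APK bytes, certificates and allow-list values are constructed on the fly, and the type and function names are this example’s own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Expected is what a factory allow-list records for one legitimate build: the SHA-256
// of the APK bytes and the SHA-256 fingerprint of the publisher's DER signing cert.
type Expected struct {
	ApkDigestHex string
	SignerFPHex  string
}

// Finding is the outcome of vetting one pre-installed app.
type Finding struct {
	DigestMatches bool // APK bytes hash to the allow-listed digest
	SignerMatches bool // signing-cert fingerprint equals the pinned publisher cert
	SelfSigned    bool // cert's signature verifies under its own public key
}

// Acceptable passes only a build whose digest AND signer are on the allow-list.
func (f Finding) Acceptable() bool { return f.DigestMatches && f.SignerMatches }

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// isSelfSigned checks the certificate's signature with its own public key. Android
// app-signing certs are normally self-signed, so this is context, not proof of tampering.
func isSelfSigned(c *x509.Certificate) bool {
	return c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// VetApp applies the article's two checks (APK hash, certificate) plus the
// pinned-signer comparison to an APK blob and its DER-encoded signing cert.
func VetApp(apk, signerDER []byte, want Expected) (Finding, error) {
	cert, err := x509.ParseCertificate(signerDER)
	if err != nil {
		return Finding{}, fmt.Errorf("parse signer cert: %w", err)
	}
	return Finding{
		DigestMatches: sha256Hex(apk) == want.ApkDigestHex,
		SignerMatches: sha256Hex(cert.Raw) == want.SignerFPHex,
		SelfSigned:    isSelfSigned(cert),
	}, nil
}

// newSelfSignedCert builds a throwaway ECDSA certificate standing in for an
// app-signing certificate (constructed fixture, generated fresh on each run).
func newSelfSignedCert(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	// Constructed fixtures: a genuine build, a tampered copy, and two signers.
	genuine := []byte("constructed APK bytes: genuine build")
	tampered := []byte("constructed APK bytes: genuine build + injected payload")
	publisher, err1 := newSelfSignedCert("Publisher Inc (constructed)")
	impostor, err2 := newSelfSignedCert("Unknown Vendor (constructed)")
	if err1 != nil || err2 != nil {
		panic("certificate generation failed")
	}
	want := Expected{ApkDigestHex: sha256Hex(genuine), SignerFPHex: sha256Hex(publisher)}
	for _, c := range []struct {
		name        string
		apk, signer []byte
	}{
		{"genuine build, known signer", genuine, publisher},
		{"tampered build, known signer", tampered, publisher},
		{"repackaged build, unknown signer", tampered, impostor},
	} {
		f, err := VetApp(c.apk, c.signer, want)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-34s digest=%-5v signer=%-5v selfSigned=%v acceptable=%v\n",
			c.name, f.DigestMatches, f.SignerMatches, f.SelfSigned, f.Acceptable())
	}
}
```

Only the first case is acceptable: the tampered copy fails the digest check even under the genuine signer, and a repackaged copy under an unknown signer fails both, while every signer reads as self-signed.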

Via: cio

Zoho Seeks To Disrupt IT Helpdesk Market By Offering ServiceDesk For Free


With enterprises looking to achieve cost savings as their top priority in managing their IT systems, the IT help desk market is getting commoditized very fast, leaving little room for any disruptive innovation. ManageEngine, a division of Zoho, is offering its flagship IT help desk software — ServiceDesk — for free starting today, underscoring just how competitive and commoditized this market has become. Starting today, over 60,000 customers of ServiceDesk Plus Standard Edition will not pay any additional fee, irrespective of whether they are using the software in the cloud or on premise. The offer includes an unlimited number of agents, users, and tickets raised or processed. Previously, ServiceDesk Plus Standard Edition was free for up to five technicians/agents, the company said in a statement.

The IT service management (ITSM) market is dominated by older established rivals such as BMC’s Remedy and ServiceNow, apart from newer entrants including Freshdesk, which was founded by former Zoho employees. Within this market, the IT help desk portion is getting increasingly commoditized because most of the processes are repetitive and can easily be automated.

Raj Sabhlok, the president of Zoho’s ManageEngine, said in an interview that making ServiceDesk available for free is a bold step, especially because it’s also the highest-revenue-generating software for the division. Without disclosing current revenues earned by ManageEngine, he said it runs into “nine figures” (in USD). The division is growing at over 30% annually in terms of revenue. GE Capital, Barclays, Infosys, Thomas Cook and Sony are among top users of ManageEngine globally.

“Today, customers can and typically spend thousands of dollars on help desk software — look no further than help desk software from ServiceNow or BMC Remedy. Similarly, operating systems were once a significant cost of the computing environment, but today are viewed simply as a free enabling technology,” he said.

For its part, ManageEngine is hoping to make up for whatever loss in potential help desk revenue it will incur by gaining a bigger share of the IT management market. As we reported in January this year, the ITSM market is dominated by slow-growing but established incumbents such as IBM, CA, BMC (Remedy) and HP. This market witnessed one of its first disruptions when ServiceNow was launched in 2004 by Fred Luddy, a former CTO of Peregrine Systems. ServiceNow used a SaaS model to woo existing customers of its much bigger rivals, and is expected to report over $400 million in revenue for 2013. It’s currently valued at around $8 billion.

Clearly, ManageEngine is taking aim at much bigger rivals by offering ServiceDesk for free.

“The help desk becomes the ‘operating system’ or the fundamental building block for companies trying to organize IT. Providing help desk software at no-cost is the first step on the road to service level maturity,” Sabhlok added.

The big question is how well Zoho’s help desk compares with much bigger products that offer far deeper expertise. Also, customers need to go for ManageEngine offerings to be able to get help desk software at no extra cost. But is the help desk a function customers can afford to entrust to a free, commoditized product?

“Last year, we made ITIL affordable for all businesses at just $995. This is not just ‘another help desk software.’ It is one of the best in the market with loads of thoughtfully built features,” he said.

“We always say that IT organizations should never pay more for tools, than what the tools are managing – which is often the case with many vendors,” Sabhlok said.

Via: techcrunch

Are Smartphones Endangering Security?

Smartphones are spreading throughout the business world. Their use is growing across organizations and at all levels.

According to Gartner, sales of mobile devices in the second quarter of 2011 grew 16.5 percent year-on-year. Smartphone sales grew 74 percent year-on-year and accounted for 25 percent of overall sales in the second quarter of 2011, up from 17 percent in the second quarter of 2010.

Not only are the numbers of smartphones growing, their versatility is increasing. Where staff used to carry laptops when they went out of the office, to retrieve email and use other applications on the move, they can now carry just a smartphone.

This potentially allows them to send and receive emails, use a variety of applications, link to the company network to access data and use network-based applications, access social networking sites, and carry out online e-commerce and banking transactions.

A smartphone raises key security issues, which many organizations have not fully realized yet or, if they have, they may not have taken appropriate measures to ensure network safety.

The dangers

The biggest danger, of course, is that smartphones go missing. Many of us will have lost a mobile phone in the past or know someone who has. Research by getsafeonline shows that about one in five owners of smartphone devices can expect to lose or have them stolen at some point.  Surveys show the level of phone loss in London taxis is at a world-leading, and fairly consistent, 10,000 per month. Yes, that’s right, 10,000 per month!

Smartphones are often used for both business and personal reasons and if they are lost, both sensitive company data and personal data stored on the phone may be exposed. Email exchanges could be seen. Personal data relating to online purchasing or banking might be viewed.

If the phone is connected via a VPN, company networks are exposed to malware or could be hacked. Philippe Winthrop, an analyst at consultancy Strategy Analytics Inc., commented: “If I take your device and muck around with it, what if the VPN is set up on it? It’s a huge risk not being dealt with enough today.”

Getsafeonline’s Tony Neate says: “Users must remember that they are essentially carrying around a tiny laptop with a wealth of personal information that is very attractive to fraudsters.”

Smartphones are now at the stage that PCs were at around 1999. Many people didn’t think security was necessary then, hardly anyone had firewalls, but security concerns were beginning to be a focus. It’s a similar situation now with smartphones.

For example, last year the MMS Bomber virus affected millions of mobile users in China, costing them significant sums dialing out on their phones.

It doesn’t take long for criminals to think of ways of stealing and using information fraudulently. Some security experts have pointed out that targeting smartphones could potentially be more profitable for criminals than aiming at computers.

Security policies

With the rapid proliferation of smartphones and the very real security risks, organizations now need to factor smartphone use into their security policies and make sure they are managed centrally.

Smartphones have also extended the network boundary even further. Employees may use devices for both company and personal use, bringing dangers to the company network, in the same way that remote workers created new and different security issues for the IT department.

In addition, these devices cross the divide between voice and data, so that companies using them are taking a strategic direction into convergence, perhaps without realizing it, and probably without planning for it. They are at the cutting edge of fixed and mobile convergence and users are only rarely required to connect over secure VPNs and even less required to use secure authentication to connect to the network.

Fixed/mobile convergence creates other security and financial threats. Unsecured access to PBX systems (traditional and IP) exposes organizations to an increased risk of toll fraud, as well as risks such as DoS attacks, backdoor attacks on the data network, and call recording.

Security tips

There are a number of basic security procedures which organizations and individuals can take to increase security.

* Use the PIN or passcode function to secure the phone. Don’t rely on the default factory settings.

* Install data wiping facilities so critical information can be destroyed if it’s thought the phone has fallen into the wrong hands. This might happen, if for example, a password is entered wrongly a certain number of times, or when a device has been off the network for a certain period of time.

* Employ time out policies, to prevent further use of the phone, if it is inactive for a certain period of time. This should be initiated from a central management console.

* Install GPS tracking so the phone can be located if stolen.

* Install SIM watch. This reports the new number back to you if the SIM is removed and replaced.

* Take a note of your International Mobile Equipment Identity number. The IMEI number is used by the GSM network to identify valid devices and therefore can be used for stopping a stolen phone from accessing the network in that country. It’s easy to find on most phones by typing *#06# into the keypad.

* Take similar data leakage protection measures as with a PC.

– treat the phone like it’s a PC. Beware of phishing emails, don’t follow links you’re not sure of, don’t download anything suspect, recognize the risks of unsecured WiFi connections, etc.

– stipulate that sensitive, critical information should be made available to users of smartphones on a ‘need to know’ basis

– use two-factor authentication (with challenge response) to validate access to the smartphone

– encrypt sensitive data, as many smartphones and security suppliers provide facilities to enforce this.

There is often as much data on a smartphone, as on a laptop, but it is more vulnerable to loss or theft. The ICO (Information Commissioner’s Office) has now started fining organizations which lose unencrypted data that should have been secured.

– run anti-virus. The impact of a virus, both in terms of data loss and financial cost, is considerable.

Solutions

Commercial security solutions for smartphones are available from a number of vendors such as Kaspersky Lab, CRYPTOCard and Check Point.

Kaspersky Lab’s Mobile Security 9, for example, helps users to safely browse the web and communicate via social networks. Features include inbuilt GPS to locate a lost or stolen smartphone, protection from malware and network attacks with real-time anti-malware scans, automatic updates and blocking of dangerous network connections.

Conclusion

Smartphones are an incredible tool for a whole range of people and their use will proliferate. However, smartphone security is lagging ten years behind the growth curve, especially as they are so easily lost or stolen.

Smartphones carry with them the risks of any computer on a network and at the same time cross the divide between voice and data, which brings security risks of its own. For an organization to remain secure, smartphones need to come within the sphere of the security policy, their use needs to be regulated and active steps should be taken to employ them securely.


Via: realwire

How to keep your PC secure when Microsoft ends Windows XP support

If you can’t cut the Windows XP cord completely, here’s how to keep your computer as safe as possible once security patches go buh-bye.

The Windows XPocalypse is almost upon us. After a legendary dozen-year run, Microsoft will stop providing security patches for Windows XP on April 8, 2014. Without Microsoft’s protection, all those WinXP PCs will have targets painted on their hard drives.

Nearly 30 percent of Internet-connected PCs still run Windows XP, and no, they won’t die that day. They’ll continue running like normal, but they’ll be rotting inside, becoming increasingly full of security holes. Microsoft itself has dubbed the condition “Zero day forever.”

Look, let’s be honest. You should upgrade from Windows XP right now if at all possible — but not everyone can cut the XP cord so completely. If you can’t upgrade, there are some things you can do to protect yourself. Make no mistake: These tricks are like sticking your finger in a leaking dam. They’ll help a bit, but the dam is crumbling and it’s time to get out of the way.

Understand the risks
When Microsoft says it’s ending support for Windows XP, that means it will no longer produce security patches for critical vulnerabilities in the operating system. As time goes on, more and more critical security holes will be found, and attackers will have free rein to exploit them. Large organizations can pay exorbitant fees for continued custom Windows XP support, but those updates will never trickle out to everyday users or small businesses.

Smart attackers are likely waiting to exploit holes they already know about. They’ll unleash their attacks when Microsoft has moved on. The problems will never be fixed, so they can continue to attack them until the last Windows XP system vanishes from the Internet.

Other software developers will eventually stop supporting Windows XP, just as they no longer support Windows 98, creating even more attack vectors. This won’t happen overnight, but Windows XP will gradually be abandoned by everyone.

Choose your software wisely
If you use Microsoft’s Internet Explorer, it’s time to let go. Internet Explorer 8, the most recent version available for Windows XP, is already several generations old and will no longer receive security patches. Google Chrome will continue supporting Windows XP until at least April 2015, while Mozilla Firefox has no announced plans to stop supporting Windows XP. So switch to Chrome or Firefox and you’ll have a secure, modern browser.

Most antivirus solutions will still continue supporting Windows XP. Even Microsoft’s own Microsoft Security Essentials will support Windows XP until July 14, 2015. Antivirus-testing company AV-TEST asked 30 different antivirus companies about their plans for Windows XP support and all of them committed to support Windows XP until at least April 8, 2015. Most committed to supporting it for even longer, into at least 2016.

Be sure you’re using an antivirus program that’s actually receiving updates, though, because that expired copy of Norton isn’t going to help you. An antivirus app isn’t a foolproof solution, and Microsoft warns, “Our research shows that the effectiveness of anti-malware solutions on out-of-support operating systems is limited.” Still, having some type of third-party protection certainly won’t hurt.

If you’re still using the now-defunct Outlook Express, you should stop using it right now. If you really love the Outlook experience, switch to the full version of Outlook included in Microsoft Office. Mozilla is still supporting Mozilla Thunderbird with security patches, though it’s unclear how long they’ll support Thunderbird on older operating systems. Of course, you can always just use a web-based email service in Chrome or Firefox.

Microsoft will also stop supporting Office 2003 on April 8, 2014. If you’re still using Office 2003 — or, even worse, Office XP — you should update to a newer, supported version of Office for improved security. Yes, this means only ribbon-ified versions of Office will be supported. Sorry.

Remove insecure software
The Java browser plug-in is extremely exploit-prone on any operating system. Unless you really need Java for a specific purpose, you should uninstall it. If you do need it, be sure to disable the browser plug-in and keep it up-to-date.

Other browser plug-ins are also frequently targeted by attackers. Adobe Flash and Adobe Reader are particularly common targets, so keep them up-to-date. Modern versions update themselves automatically, but older versions didn’t even check for updates. If you don’t need these applications, you should probably uninstall them to lock down your XP system as much as possible.

PCWorld senior writer Brad Chacos got sick of the constant security klaxons and tried living without Java, Reader, and Flash, discovering that it should be surprisingly easy for many people.

To find unpatched software on your computer, run a scan with Secunia PSI, a tool that checks your installed programs for known security problems. You can also visit Mozilla’s Plugin Check page to see if you have outdated browser plugins installed. Don’t let the name fool you — it works in other browsers, too, not just Firefox.

Insecure behavior will be magnified in a post-patch world, too, so be sure to check out PCWorld’s guides to keeping your PC safe in the web’s worst neighborhoods and protecting yourself against devious security traps.

Now let’s roll up our sleeves and dig into the more drastic, but totally appropriate measures.

Go offline
Let’s say you still need Windows XP to run some crucial business application, or to interface with a piece of hardware that doesn’t work with newer versions of Windows. If possible, you should disconnect that Windows XP machine from the network.

Sure, you won’t be able to do this if you need Internet or even local network access on your XP system. But, if you can, this is the easiest, most fool-proof way to keep an important Windows XP computer secure.

Use a limited account day-to-day
Short of disconnecting the machine entirely, if there’s a single tip that could make any Windows PC more secure, it’s this: Stay away from administrator accounts. If you’re blasted by malware, it can only do as much damage as the account it infects. Admin accounts give baddies the keys to your computing kingdom.

Once Windows XP stops being patched, stick to using a Limited account for your day-to-day activities if at all possible. Use an admin account to create the locked-down login and stock it with the software you need — keeping our previous program advice in mind — and then don’t stray from Limited land unless you need to install or update software. (And even then, only stick in the admin account for as long as is absolutely necessary to get the installation done.)
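The create-then-verify step described above, as an added batch-file example that is not part of the original article: run it once from the admin account to create the day-to-day Limited login and confirm it is not a member of the local Administrators group. The account name “dayuser” is a placeholder.

```batch
@echo off
rem Added example (not from the article). Creates a Limited (standard) account on
rem Windows XP and verifies it is NOT in the local Administrators group.
rem Run once from an administrator account. "dayuser" is a placeholder name.
set LIMITED_USER=dayuser

rem "net user ... /add" creates the account in the Users group only; the "*"
rem makes it prompt for the password instead of leaving it in this file.
net user %LIMITED_USER% * /add
if errorlevel 1 (
    echo Could not create account %LIMITED_USER%.
    exit /b 1
)

rem Verify: the Administrators member list must not contain the new account.
rem findstr /x matches whole lines, /i ignores case.
net localgroup Administrators | findstr /i /x "%LIMITED_USER%" >nul
if errorlevel 1 (
    echo %LIMITED_USER% is a Limited account: not a member of Administrators.
) else (
    echo WARNING: %LIMITED_USER% is in Administrators. Remove it with:
    echo     net localgroup Administrators %LIMITED_USER% /delete
    exit /b 1
)
```

The same `net localgroup Administrators` check can be re-run later to confirm that no software installer quietly added the day-to-day account back into the administrators group.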

Confine Windows XP to a virtual machine
Virtual machines are an excellent way to continue using software that requires Windows XP while also upgrading to a newer version of Windows. They allow you to run Windows XP in an isolated container, placing an entire Windows XP system into a window on your desktop. Windows 7 Professional includes Windows XP Mode for just this reason, offering businesses and other professional users the ability to easily set up a Windows XP virtual machine without buying an additional Windows XP license.

If you’re upgrading to Windows 8 or even Windows 7 Home, Windows XP Mode is not included. If you really want to use Windows XP in a virtual machine, you’ll have to get a boxed copy of Windows XP — if you have an old one, that will work — and install it inside a virtual machine. You don’t have to buy virtual machine software — the free VirtualBox and VMware Player will both work fine.

Virtual machines will allow you to run most types of Windows XP applications, but not all of them. If an application needs direct access to a piece of hardware, it may not work.

Note that Microsoft is also ending support for Windows XP Mode and Windows XP in virtual machines on April 8, 2014. However, if you have to run Windows XP, running it in a virtual machine on a modern version of Windows is much more secure than running Windows XP as your primary operating system.

Move on
Let’s say you have a trusty old Windows XP PC that works okay for browsing the web and you just don’t want to buy a new PC or a new version of Windows. To stay secure, you can try installing Ubuntu Linux — we have guides to ease the transition and make Ubuntu look like Windows 7 — or even Lubuntu, a more lightweight version of Ubuntu. These completely free operating systems are designed to work well on older hardware, and will be supported with security patches for years to come. In fact, the city of Munich recently handed out Ubuntu discs to its citizens to help them sidestep the Windows XPocalypse threat.

If you’re ready to upgrade to a new version of Windows but Windows 8 puts you off, you can still upgrade to Windows 7. It’ll be supported until 2020. New copies of Windows 7 or 8 cost nearly $100, however, and they might not run on hardware from the XP era, so you could be better off just buying a new computer and getting a modern version of Windows included.

Sure, Microsoft just wants to sell you a new Windows license, but it has been 12 years. Even if you have to use Windows XP for a bit longer, you should really be making plans to move on. You don’t have to go to Windows 8, but you can’t stay here — not for long, at least.


Via: infoworld