Monday, April 14, 2014

Windows XP: Through The Looking Glass

April 8, 2014: a day that will live in infamy. As of the eighth of April, security patches for XP are no longer being provided. Without security patches these systems will continue to operate, but unprotected. And, if you have learned anything from this blog, you know that good security is the linchpin for keeping our online lives safe from malware that steals our personal information.

One of the best things about Windows XP is also its great undoing. Because it was the most popular Microsoft operating system to date, it had a huge user base and was supported for 12 years. But, because of that long and popular run, thousands of XP machines will continue to run unprotected simply because it has anchored itself so well with users. The theory was once floated that if you wait long enough no one will bother exploiting an old operating system, since so few people will be using it. That just isn't true, especially with Windows, because the new versions are still built on the foundation of XP. Hackers can reverse engineer patches for Windows 7 and 8 and use that as an advantage to exploit the same vulnerabilities in Windows XP, where they will never be fixed.

Microsoft has pulled the plug on Windows XP, but maybe you haven't.
  • Maybe you still use Windows XP because your software isn't compatible with new versions of Windows.
  • Maybe your computer can't be upgraded to Windows 7.
  • Maybe you have heard horrible things about Windows 8.
  • Perhaps you believe you are a careful Internet user and there is a low risk of being compromised.

Here are some reasons it makes sense to move on from XP.
  • New hardware and software may not be compatible with XP.
  • Third party companies will no longer create products, write new software, or support existing products for an operating system that is no longer officially supported.
  • A steady path to regular upgrades and updates may seem expensive in the short term, but in the long term you won't generally have to throw everything away and start from scratch.
  • Steady upgrades make it easier to learn new features. The longer you wait to upgrade the steeper the learning curve.
  • Many companies will offer good discounts on upgrades to their software as long as you don't fall too far behind on staying current. It is less expensive than having to buy a new license all over again.
  • Some companies will offer you discounts on their software if you are switching platforms (i.e. from Windows to Mac).
  • Making a clean break from Windows XP gives you an opportunity to consider other operating systems like Mac OS X, Linux, or Chrome OS.

If you are still married to that tired old software that only runs on XP, consider buying a new computer with a new operating system anyway. As long as that old software does not require use of a network connection you'll be fine. Notice I said "network connection", not "Internet connection". An old XP system connected to your home network can still be infected even if you never use it on the Internet: another device on your network that is connected to the Internet can pick up malware and spread it to every other device on that network, the XP machine included. A safer alternative is to virtualize your Windows XP system and sandbox it. You can run the virtual machine on your new computer whether you stick with a new version of Windows or move to another platform. Talk to your local IT people to find out more about virtualization.

You can read more about it from Microsoft at: Microsoft XP End of Life

Friday, April 11, 2014

The Heartbleed Of America

If you have been paying attention to the news in the last few days you are likely aware of the "Heartbleed" vulnerability with secure Internet sites.

There are different implementations of SSL for websites, so figuring out which ones are vulnerable can be tricky. The implementation at risk from this vulnerability is OpenSSL. Not all sites use OpenSSL, and those that don't are not subject to this issue. SSL, which is short for Secure Sockets Layer, is what is used to keep our communications with servers across the Internet secure. Any site that provides you with a login and password should be using SSL.

Some websites you have an account with may send you an email telling you to change your password. Please be advised that at times like this there may be an uptick in email phishing schemes, so do not click any links in emails purporting to be from those sites; rather, go to the site directly by typing its address into your web browser (or autofill it from your password manager application). Phishing schemes often look like the real deal, but clicking their links will take you to a spoofed site that steals your credentials.

You may be thinking, "What's the difference if my info has already been stolen?" The fact remains that it is unclear whether or not anyone's personal information has been compromised through the "Heartbleed" vulnerability, so it is important to remain careful in how you handle your online business. It is unlikely that a hacker would target smaller sites; however, those are also the sites that may take longer to patch the problem.

It does no good to change your password for sites that are still vulnerable. The last thing you would want is to change your password for those sites now, only to have the new password stolen before the site is patched. My recommendation is to change your password on those sites that have indicated that they have patched the vulnerability.

This Mashable article is fairly comprehensive in its list of popular sites with which you may have accounts. If a site is not listed there, you may need to go to the site itself for its security recommendation.

I am really disappointed that over 75% of the sites I have accounts with have failed to disclose information regarding this issue. Most companies have remained silent saying absolutely nothing about this vulnerability. I find it egregious that many of the silent have no problem taking our money, but can't be bothered acknowledging that this vulnerability exists. If they don't use OpenSSL then why not just put a statement out there saying they aren't vulnerable? I don't need to know what implementation of SSL they use, nor do I care. I simply want, and need, to know if I have a reason to change my credentials. I applaud those sites that have indicated, one way or the other, the risk involved.

I think this is a good time to suggest, again, the use of a password manager if you do not have one. When you change your passwords, length matters. So does randomness. And so does creating a unique password for every login you have. All of the best password manager tools can help you create really strong passwords. I recommend 18-character passwords (these days anything less than 13 is considered too short). For more information on passwords refer to my previous post: Pass The Word About Passwords
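To make the three properties above concrete (length, randomness, and one password per login), here is an added Python example; it is not code from this blog post or from any password manager. It draws characters from a cryptographically secure source, enforces the post's 13-character minimum and 18-character recommendation, and goes one step beyond the text by computing how many bits of entropy a given length buys. The 94-symbol alphabet and the site names are constructed for illustration.

```python
import math
import secrets
import string

# Character set used for generated passwords (constructed for this example;
# the post does not prescribe one): letters, digits and punctuation, 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

MIN_LENGTH = 13          # the post calls anything shorter than this too short
RECOMMENDED_LENGTH = 18  # the post's recommended length


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length).

    This is why length matters: every extra character from a 94-symbol
    alphabet adds about 6.55 bits, i.e. multiplies the search space by 94.
    """
    return length * math.log2(alphabet_size)


def generate_password(length: int = RECOMMENDED_LENGTH, alphabet: str = ALPHABET) -> str:
    """Draw each character from the OS CSPRNG via the secrets module.

    random.random() is a statistical PRNG and must not be used for passwords;
    secrets.choice() is the standard-library call intended for this purpose.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length {length} is below the minimum of {MIN_LENGTH}")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_long_enough(password: str) -> bool:
    """Apply the post's minimum-length rule to an existing password."""
    return len(password) >= MIN_LENGTH


def generate_for_sites(sites):
    """One independent password per login, so a breach at one site
    (Heartbleed or otherwise) cannot be replayed against the others."""
    vault = {}
    for site in sites:
        pw = generate_password()
        # Collisions are astronomically unlikely at 118 bits, but enforce
        # uniqueness explicitly so the guarantee does not rest on luck.
        while pw in vault.values():
            pw = generate_password()
        vault[site] = pw
    return vault


if __name__ == "__main__":
    # Constructed example site names; a real password manager fills this role.
    demo = generate_for_sites(["bank.example", "mail.example", "shop.example"])
    for site, pw in demo.items():
        print(f"{site}: {pw}  ({entropy_bits(len(pw)):.0f} bits)")
```

The entropy figure is the honest measure of "randomness": an 18-character password from this alphabet carries roughly 118 bits, while a 12-character one carries about 79, which is why the post's minimum and recommendation are stated in characters rather than in rules about mixing symbols.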