
    Author Archive - Jonathan Leopando (Technical Communications)




    Windows XP is officially on its last legs – as far as Microsoft is concerned. There is less than a year remaining before official support ends for the 11-year-old operating system on April 8, 2014.

    For users, the biggest impact of this will be that Microsoft will no longer release security updates for Windows XP vulnerabilities after that date. This wouldn’t be a problem, if it weren’t for the fact that so many users are still using XP. Net Applications data says that even now, more than a third of all PCs are still on XP. It was not until August 2012 that the number of Windows 7 users exceeded Windows XP users according to this data.

    The potential for criminals to take advantage of this situation is significant. As long as there are significant numbers of XP users, they will continue to be targeted – and new exploits will continue to see the light of day. In the absence of any security patches from Microsoft, these will be all the more dangerous. (To highlight how they’re still finding new security holes in Windows XP, consider this: every Patch Tuesday in 2013 so far has had at least one Critical bulletin that covered XP.)

    All users still on XP should consider upgrading right away. Most users may be due for an upgrade in their systems anyway, since it’s been years since XP was sold to end users. However, enterprise and other Windows XP users may well have had reasons not to migrate up to this point – for example, custom software that requires XP to work. However, running software that will never be patched is a significant gamble – particularly software that has been as enduring a target as Windows XP is.




    In response to the growing threat of mobile malware, one intriguing concept has emerged as a potential solution to help enterprises secure mobile devices: dual-identity devices.

    The idea is actually fairly simple. On the phone there will be two distinct profiles: one for personal usage, another for work usage. The apps and data of each profile would be kept distinct from each other. The “personal” profile would be managed by the user, and the “work” profile would be kept locked down (the way most IT people would prefer it). In theory, everybody is happy: the user gets to use their phone as they see fit, the user’s company has their data safe and sound. It’s a win-win situation, right?

    The concept is appealing enough that both Blackberry and Samsung have announced that they are using it in their newest products. However, the devil is in the details – and that is where we discover there are a few problems.

    Firstly, there isn’t a standard for how to do this sort of security. What it means is that if enterprises really want to use a feature like this, they might find that only a small percentage of devices are as secure as they ought to be because many employee devices aren’t on the right platform. Alternately, they might have to limit their users to a very specific device or platform – which goes against the grain of the entire Bring-Your-Own-Device trend.

    Secondly, there’s the issue of usability. How will the user “see” the secured, encrypted portion? Blackberry’s implementation treats home/work as a setting, which can be easily changed from the phone’s home screen. Samsung’s implementation is more analogous to an app that has to be used.

    Posted in Mobile



    March 31 was something of a… busy day on the calendar, so some people may not have noticed that it was also World Backup Day. It’s as good a day as any to remind people about how important it is to back up your data.

    People today are generating more and more data. As our infographic shows, the mobile devices that are part of many of our lives generate – and store – amounts of data that would have been unthinkable not too long ago. Add to that what we generate elsewhere and people have significant amounts of digital “stuff”.

    Important data needs to be backed up, because losing it could cause all sorts of damage: from the emotional (say, lost family pictures) to the financial (business records). How can you do it?

    The accepted rule for backup best practices is the three-two-one rule. It can be summarized as: if you’re backing something up, you should have:

    • At least three copies,
    • In two different formats,
    • with one of those copies off-site.

    Let’s go through each of those rules. They’re all based on one concept, really: redundancy. Each of those rules is meant to make sure that your data is stored in multiple ways, so that at least one backup will survive.

    Three different copies means three different copies in different places. (Different folders on the same hard drive or flash disk do not count.) Why three? In the digital era, it is very easy to make digital copies, and it’s better to have too many copies than too few. Keeping them in different places reduces the risk of a single event destroying multiple copies.

    Posted in Data



    Recently, it was reported that Google was unilaterally removing all ad-blocking apps from the official Google Play store. Later on, the developers of the excised apps confirmed this, adding that according to Google their apps had been removed for violating the Developer Distribution Agreement that all Android developers must agree to.

    In an ideal world, one could take Google’s move to be a positive one. The exact language says:

    You agree that you will not engage in any activity with the Market, including the development or distribution of Products, that interferes with, disrupts, damages, or accesses in an unauthorized manner the devices, servers, networks, or other properties or services of any third party including, but not limited to, Android users, Google or any mobile network operator.

    Emphasis is ours. The apps in question do break the agreement; Google is within its rights to remove the apps.

    The trouble is we don’t live in an ideal world. The rather significant number of apps and websites with aggressive ads annoyed users and created this problem. Some of these may even behave maliciously and try to subscribe the user to premium services. Many users are already wary of how ad networks track them, and are tired of seeing ads wherever they go online. Simply put, users don’t always trust ad networks and act accordingly to protect themselves.

    Posted in Mobile



    The annual Pwn2Own hacking contest is always a rather frightening demonstration of how available exploits are. Year in, year out, the latest browsers and Web plug-ins fall to researchers demonstrating cutting-edge ways to craft exploits and defeat the latest security precautions put in place by various software vendors.

    Most vendors, however, have become quite good at patching vulnerabilities as they are discovered in contests like this. For example, both Chrome and Firefox have received updates that fixed the flaws uncovered at Pwn2Own. Flash and Internet Explorer will receive similar updates next month.

    We’ve talked before about how to best secure Java and PDF readers. What about Flash?

    Can you do without it?

    If you’re really security-minded, yes, you can do without Flash. To a large degree, Flash’s usage is now limited to online video, games, annoying ads, and the navigation menus of websites. (Among other things, the rise in popularity of smartphones and tablets – which generally don’t have Flash – has played a role in that development.)

    If these are things that aren’t important to you, you can safely remove Flash and not have your day-to-day browsing experience be affected. For many people, the stumbling block is likely to be online videos. It may be a good idea to check if your favored video site has HTML5 support. For example, YouTube has HTML5 support – but it’s as an opt-in beta.

    Is it built into your browser?

    Some browsers actually have Flash directly integrated into them, making updating them relatively painless. Internet Explorer 10 (on Windows 8) receives Flash updates as part of Windows Update. Flash is completely integrated into Chrome, so auto-updates for Chrome also ensure that Flash is kept up to date.

    Using these browsers ensures that the version of Flash for that browser is kept up to date by the browser itself as part of its own auto-update. This minimizes your exposure to exploit kits, as many cybercriminals (due to the cost of cutting-edge exploits) will prefer to use long-patched security flaws, aware that many users don’t always run the latest version of software.

    How do I keep my version of Flash up-to-date?

    Today, Flash comes with its own auto-update installer. However, it won’t hurt to check manually every now and then whether the version you have is up to date.

    To do that, you can visit Flash’s about page and check what version you have installed. If you need to download an updated version, the about page helpfully provides links to the download for Flash Player.

    Even if you use multiple browsers, you only need to do this twice: once to check on Internet Explorer, and once for non-IE browsers collectively.

    Posted in Exploits


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice