Computers, Inc. RSS News Feed
Computers, Inc. Tech News and Info

The end is near: Say goodbye to the Windows 10 free upgrade
2016-06-27

Don't look now, but July 29, 2016, is coming up fast. That is the one-year anniversary of the release of Windows 10, which means the ability to upgrade to the new operating system for FREE will soon expire.

In a January 21, 2015, Windows Experience blog post titled "The next generation of Windows: Windows 10," we learned that Windows 10 would be a free upgrade. Author Terry Myerson said:

"Today was a monumental day for us on the Windows team because we shared our desire to redefine the relationship we have with you - our customers. We announced that a free upgrade for Windows 10 will be made available to customers running Windows 7, Windows 8.1, and Windows Phone 8.1 who upgrade in the first year after launch."

A little over six months later, on July 28, 2015, Myerson penned another Windows Experience blog post, titled "Windows 10 Free Upgrade Available in 190 Countries Today," in which he reiterated the free upgrade policy:

"From the beginning, Windows 10 has been unique - built with feedback from five million Windows Insiders, delivered as a service with ongoing innovations and security updates, and offered as a free upgrade to genuine Windows 7, Windows 8.1 and Windows Phone 8.1 customers."

If you've been reading articles by Woody Leonhard or Paul Thurrott in recent months, you know that Microsoft has been upping its game with the Get Windows 10, or GWX, program it built into Windows 7 and Windows 8.1. It really wants every Windows user everywhere to be running Windows 10. Any holdouts - Windows 7 or Windows 8.1 users who have been sticking to their guns so far - have only a few more weeks to go before losing their chance to get Windows 10 for free.

In a recent Windows Experience blog post titled "Windows 10 Now on 300 Million Active Devices - Free Upgrade Offer to End Soon," Yusuf Mehdi, the corporate vice president of Microsoft's Windows and Devices Group, said:

"...we want to remind you that if you haven't taken advantage of the free upgrade offer, now is the time. The free upgrade offer to Windows 10 was a first for Microsoft, helping people upgrade faster than ever before. And time is running out. The free upgrade offer will end on July 29 and we want to make sure you don't miss out. After July 29th, you'll be able to continue to get Windows 10 on a new device, or purchase a full version of Windows 10 Home for $119."

What will Windows 10 cost after July 29?

As Mehdi pointed out in his post, you will be able to purchase a full version of Windows 10 Home for $119. But how much will Windows 10 Pro cost? Well, if you head over to the Microsoft Store right now, you'll find that you can purchase both Windows 10 Home and Windows 10 Pro as a download or on a USB flash drive. Windows 10 Pro will cost you $199.99. And moving past the July 29 deadline for the free upgrade, it's a pretty safe bet that prices will remain the same - especially since they're the same price points that the full versions of Windows 8.1 Home and Pro sold for when that operating system was new.

Will there be upgrade versions of Windows 10 after July 29?

Since Microsoft provided free upgrades for a full year, I wonder if there will be upgrade packages for Windows 7 and Windows 8.1 users who decide to upgrade to Windows 10 after July 29. I suppose that it's possible, but then again, maybe not. When Microsoft introduced Windows 8.1 packages, it offered only the full versions - there were no upgrade versions of Windows 8.1. With that in mind, it's easy to speculate that this may also be the case with Windows 10.

Don't bother with Microsoft Windows 10 until you read this
2015-08-03

This OS release might fix many problems and resolve some usability problems, but make sure you look before you leap.

Wait, doesn't it always make sense to download something for free? Microsoft released its brand-new operating system this week, and you can grab it at no cost, but make sure you know exactly what you are getting into before you upgrade.

Let me be your guinea pig on this one. I've been testing the beta for several weeks. HP just sent me an Elite X2 laptop with Windows 10 preloaded. And, I've been testing and using Windows since the 2.0 release back when people used to question a windowing interface. I've been testing Windows laptops for a decade or more.

The first thing you should do before making the upgrade is to look closely at the gear you have attached to your computer. I mean closely. You might already know that Microsoft has put great effort into making sure just about every printer and scanner in the known universe will work with the new OS, but what if you own one from an unknown universe? More to the point, if you have really odd peripherals - say, a 3D printer or maybe a drone that needs constant driver updates - think twice about jumping on the download so quickly. Check with the peripheral maker first.

Second, ask yourself some tough questions about why you are updating. Are you an early adopter? It's definitely less risky than being one of the first people to drive an autonomous car or use a new VR headset when there are so few VR apps. You can expect Chrome to run smoothly (I'm using Google Docs on Chrome running on Windows 10 right now). But any new OS will have some issues. Maybe they are security-related. Maybe your accounting app will crash. Be ready to spend time tinkering and have a good backup plan (and a good backup). At least do the upgrade during a time when you don't have a ton of projects due.

I do most of my work in the cloud these days, and I always have a few computers floating around. It's an incredibly low-risk upgrade for me. If one of them crashed, I'd grab another. I tend to live on the edge (and the Edge) when it comes to computing, but then again, I don't have to do the payroll for hundreds of employees or develop a marketing brochure using Photoshop by 5 o'clock tonight.

If you get past those hurdles, it's time to think about why the upgrade makes sense. It's a smarter interface. The Start menu is now located back where it belongs, on the left-corner of the screen instead of taking over your entire screen with tile apps. That means it is easier to use. Before, you had to know where to find simple features like how to turn the computer off. Microsoft has mostly addressed the usability problems in Windows 8 with this release. It's getting great reviews. It's faster, easier and smarter.

It's also not going to change your world in a million ways. Windows 10 has not made much of a difference in how I work, the apps I use, or the fact that I tend to do most of my work in a browser these days. I don't mean that as a diss, I'm just not that OS-centric these days. There's still some question about whether it will run reliably, and there's no way to know unless you try it with your apps on your computer for a few days or weeks. It's pretty tough to go back to a previous OS.

Anything new in technology should be evaluated for the value it provides to you, not just because it is new, available, free or good. I'm not saying to skip this release at all. After complaining about Windows 8 over and over again, I will say that Windows 10 is a big step forward in making the OS more user-friendly. I'm happy with the update so far and haven't had any problems. Your mileage (and patience level) will vary. As with any new OS, just be careful before you jump into the fray.

Windows 10 release date, download preview & get it for free - out on July 29
2015-07-07

***You will be offered a free upgrade for Windows 10. DO NOT PERFORM THIS UPGRADE WITHOUT CONSULTING US, PLEASE!! You may run into severe compatibility issues which will not be easily rectified if you act too hastily on this!***

Windows 10 is almost here, and it looks pretty exciting. The new OS has a chance to succeed where Windows 8 failed by being both a traditional desktop operating system for PCs and laptops, and an OS which works properly on smartphone and tablet touchscreens. In fact, Windows 10 will be designed to be a truly universal operating system, with apps working across computers and mobile devices.

Microsoft's Build 2015 conference at the end of April gave us an even better idea of what to expect from Windows 10 and the direction the new operating system is taking, and so far we're certainly impressed. The opening keynote revealed a number of new features, and the fact that Microsoft is planning to make it easier for developers to port Android and iOS code to the platform means the number of apps available, a current sticking point for Windows Phone and Windows 8, should rocket. For more details on what was unveiled at Build, see page 2 of this article. Here we describe in detail what to expect from the new OS, including how to download and install the Insider Preview, and how to get Windows 10 for free when it arrives.

Windows 10 is RTM, launching July 29

We've had official confirmation that Windows 10 will be released to the public on July 29th for a while, but it has now officially been released to manufacturers. This shows that Microsoft thinks the operating system is effectively "done", but the perpetual release nature of Windows 10 (see "No more versions", below) means there will likely be several more updates between now and July 29th.

The company also took the time to re-iterate that the free upgrade to Windows 10 from Windows 7 or 8.1 will be available for one year from the launch date. After a computer has been upgraded to Windows 10, Microsoft will support it and provide updates for it for the life of the product, at no additional cost. Users that want to register to upgrade to Windows 10 can do so now, following our handy guide on how to claim your free Windows 10 upgrade.

To reserve your free upgrade of Windows 10, current Windows 7 and 8.1 users should look for a small Windows icon in the notification area in the bottom right hand corner of their screen (see the image below). This is the 'Get Windows 10 App', and all you need to do is simply click on the icon and click 'Reserve your free upgrade' in the app window. You'll need to enter your email address if you want confirmation of the reservation, but it's as simple as that. You'll then get a notification when your upgrade is ready and you'll be able to install it at a time that's convenient for you. You can also cancel your reservation at any time.

Although Windows 10 will launch on 29th July, Microsoft has yet to confirm full details of availability, so it's currently uncertain whether people who want to buy fresh copies of the software will be able to do so as a download, or if boxed copies will be available on this date. We've asked Microsoft for clarification and will let you know when we hear back.

There's a good chance that subscribers to MSDN (the Microsoft Developer Network) will get copies slightly earlier, as the ISO files are typically made available when the software is Released to Manufacturing (RTM); in other words, when the final software is locked down and ready to go. As soon as we've got a copy we'll bring you our full review.

What we do know is how much Windows 10 will cost if you're buying a boxed copy - at least in the US.

According to PC World, Microsoft has said Windows 10 will cost the same amount as Windows 8.1, so Windows 10 Home will cost $119 while Windows 10 Professional will cost $199. Meanwhile, a Windows 10 Pro Pack (which lets you jump from a licensed copy of Windows 10 Home to Professional) will cost $99.

Windows 10 hardware requirements

There is a caveat, however. Microsoft has recently revealed that you may not be offered Windows 10 if your PC has incompatible hardware or software. According to the Microsoft operating system chief Terry Myerson, you'll only be offered the upgrade if Microsoft has done its "compatibility work" and has confirmed that your PC will give you a "great experience".

What Microsoft appears to mean by a "great experience" is that none of your hardware or currently installed applications are incompatible with the new OS. If the Windows 10 installer finds any problems, it will put you on to the relevant hardware or software company in order to help you find a fix. However, Myerson has also said that incompatibilities may not necessarily mean the upgrade will be a failure; you may be allowed to carry on regardless, and "find alternative compatible solutions in the Windows Store after you upgrade".

You can do a clean install of Windows 10

Once you've registered with the free Windows 10 upgrade application mentioned above, it is implied that the upgrade will then download in the background, in a similar way to how Windows 8 updates to Windows 8.1. However, along with the current lack of clarification about how potential users will be able to buy Windows 10 (see above), some users are worried that there won't be a way to do a clean install of Windows 10 from scratch; we're generally not fans of in-place operating system upgrades, as we find they can cause performance and stability problems. However, there has recently been some clarification from Microsoft on this front.

Neowin spotted a tweet from the head of the Windows Insider program, Gabe Aul, confirming that "Once you upgrade W10 w/ the free upgrade offer you will able to clean reinstall Windows 10 on same device any time". To us, this seems to imply that you'll have to perform the in-place upgrade, then perform an operating system refresh from within your upgraded Windows 10 installation in order to have a properly clean new operating system.

Of course, this has led to some other questions, such as what will happen if you need to reinstall Windows 10 from scratch further down the line. We doubt Microsoft will make you reinstall your original Windows 7 or 8 operating system then download the Windows 10 update again, particularly as the upgrade offer will only be available for a year after Windows 10 is launched on 29th July. In response to a question about wiping disks completely before a reinstall, Gabe Aul did say this was possible, which makes us think a Windows 10 ISO image will eventually be available for download.

No more VERSIONS

Rather than waiting years for a big update, Microsoft is promising more regular updates. Terry Myerson announced the news at Microsoft's press conference in California. Myerson also said that the question of "what version are you running?" will soon cease to exist, as Microsoft aims to keep developing Windows 10 for the foreseeable future, suggesting it could be "one of the largest internet services on the planet" in the next couple of years.

This is great news for consumers, as it could signal the end of big drastic OS upgrades every few years. It's also good news for developers as it means they'll be able to target all device types with just one application, providing greater parity across PC, laptop, mobile and Microsoft's Xbox One games console ("the most fun games console ever", according to Myerson). How a constantly updated OS will affect consumers and business is another matter, however, but we have some ideas.

Securing your computing ecosystem from smartphone to PC
2015-02-05

The computing landscape has become more complex and hazardous than ever. Hackers don't just want to compromise your PC; they want your phone and tablet, too. Here's a look at five big security trends that today's tech users need to watch for, along with tips on how to prevent these attacks from being successful.

Malware-Infected Apps

By all accounts, mobile malware, particularly on the Android platform, is getting more prevalent and more dangerous. This summer, Google itself revealed that malware may now impact some 5 million Android users, and that doesn't include the Kindle or the entirety of China. Google continues to fight fake and virus-ridden apps from the back end, but Android users are advised to take extreme caution when installing new apps, and to protect themselves with an anti-malware tool like Bitdefender Antivirus Free for Android.

Smishing

SMS phishing, or "smishing," has become a hotbed of hacker activity because it has become so easy to send out these types of attacks en masse. An SMS-based attack, much like a standard email-based phishing attack, is designed to trick the recipient into visiting a compromised website or giving out their personal information. These simple messages typically look like confirmations for services the recipient never ordered: "Visit here to cancel your $20/month subscription," or "Click here now if you did not place this order." By scaring the receiver into believing they are being charged for something imminently, the attack is more effective. User training is the best defense here - banks and legitimate merchants never confirm transactions via text message - but services that help to halt smishing attacks are being developed.

Ransomware Exploits

One of the most nefarious types of Windows-based attacks today involves what's known as ransomware. It has only one goal: to get you to pay the malware creator/owner to have it removed.

Ransomware often ironically conceals itself as an anti-malware app ("Click here to protect your PC!"). The good news: Standard anti-malware software like Bitdefender Total Security will protect against ransomware.

Instant Messaging/Telephone-Based Phishing Scams

As computer defenses get more sophisticated, some attackers are resorting to old-school methods to compromise PCs. One new attack involves a hacker sending an instant message or initiating a phone call to a user. The attacker claims to be from Microsoft or a computer security company and tells the user they have detected problems on their PC. (The method for this detection is never explained.) The attacker then attempts to walk the user through actually installing malware on their computer by hand, thus bypassing any security measures on the PC. Since it's a direct hands-on approach, this is a high-risk and high-cost attack for the hacker, and its only defense is common sense and good user training. These remote problem detection services don't exist, and users should never follow the instructions of a stranger over the phone.

Man-in-the-Middle (or Man-in-the-Browser) Exploits

Increasingly popular on both mobile and PC platforms is the man-in-the-middle attack, often known as the man-in-the-browser attack, because it frequently plays out via website. While the attack has many forms, the most common involves rogue or compromised hotspots, in which an attacker sets up or hijacks an unencrypted Wi-Fi access point, then delivers phony versions of websites to users who are connecting to the web through that access point. These sites look just like the real thing, so a user contacting his bank, webmail provider, or shopping site is none the wiser that an attack is even taking place. Defenses are tricky, but anti-malware software can protect against these attacks.

Lenovo Recalls 544,000 Power Cords Over Fire, Burn Hazards
2014-12-10

If you own a Lenovo laptop, you better go check your power cord.

The computer brand has issued a recall for hundreds of thousands of AC power cords over fire and burn hazards, according to a notice from the U.S. Consumer Product Safety Commission. The recall affects 500,000 power cords in the U.S. and 44,000 in Canada.

According to the notice, the affected power cords can potentially overheat, causing a fire and/or burns. Fortunately, no injuries have been reported, but Lenovo has received 15 reports from outside the U.S. of incidents involving "overheating, sparking, melting, and burning," the agency said.

The problem affects Lenovo's LS-15 AC power cord manufactured from February 2011 to December 2011. The power cords were distributed with IdeaPad brand B-, G-, S-, U-, V-, and Z-series laptops as well as Lenovo brand B-, G-, and V-series laptops. The recalled power cords are black in color and are marked with "LS-15" on the AC adapter end. You'll also see the manufacture date in the format REV: 00 YYMM on a label attached to the cord.

Laptops with the affected power cords were sold at computer electronics stores, authorized dealers, and on Lenovo's website from Feb. 2011 until June 2012 for between $350 and $1,500.

"Consumers should immediately unplug and stop using the recalled power cords and contact Lenovo for a free replacement," the Consumer Product Safety Commission said. Affected individuals can contact Lenovo at (800) 426-7378 from 9 a.m. to 5 p.m. Eastern Monday through Friday.

Ad-borne Cryptowall ransomware is set to claim FRESH VICTIMS
2014-10-23

Security watchers are warning of a surge in CryptoWall ransomware victims this month that will coincide with a campaign to spread a new variant of the malware through advertising networks. More than 830,000 victims worldwide have been infected with the malware, a 25 percent increase in infections since late August when there were 625,000 victims, according to security researchers at Dell SecureWorks.

The UK was one of the hardest hit regions when it comes to CryptoWall infections, with more than 40,000 victims. The ransoms demanded typically range from $200 to $2,000, with the larger sums usually reserved for victims who do not pay within the allotted time (usually 4 to 7 days).

Data collected directly from the ransom payment server reveals that a total of $1,101,900 in ransoms had been paid from March through August 2014 to the CryptoWall criminals. In the three months since, a further 205,000 new victims have been claimed, doubtless increasing the total take to $1.4m or more.

CryptoWall is a strain of file-encrypting ransomware that encrypts files on infected Windows PCs and attached storage devices with RSA-2048 encryption before demanding a ransom for the private key needed to recover scrambled documents. CryptoWall was first distributed in early November 2013, but the threat only went prime-time around February 2014. Early CryptoWall variants closely mimicked both the behaviour and appearance of the infamous CryptoLocker ransomware but the malware has evolved since then. It even survived a takedown operation against its command and control servers back in June.

Security researchers at Proofpoint warn that a new variant of CryptoWall recently spread through malicious banner ads. Surfers ran a risk of being faced with ransomware purely by visiting one of the impacted sites, which included various properties in the Yahoo!,, and AOL domains, among others.

"The sites themselves were not compromised; rather, the advertising networks upon which they relied for dynamic content were inadvertently serving malware which in turn, was not due to an explicit compromise of the networks; rather, it was due to the networks accepting ads from a malicious source without screening detection," Proofpoint explains in a lengthy blog post.

The malicious code contained in the ads used browser vulnerabilities and the like to push a new variant of CryptoWall onto the PCs of surfers visiting the affected sites. The malvertising campaign itself ran from 18 September until at least 18 October, when Proofpoint stopped recording new detections.

"Although we have notified impacted parties and halted this malvertising campaign, the attackers may be spreading CryptoWall 2.0 via other means," Proofpoint warns.

Based on the flows of ransom payments to Bitcoin addresses, Proofpoint estimates that the attackers made $25,000 per day, or anything up to $750,000 through the latest campaign. The crooks behind CryptoWall have used the tactic of distributing their malware through tainted ads before, as recently as August. CryptoWall was previously spread via malicious email attachments and download links sent through the Cutwail spam botnet.

"CryptoWall 2.0 added TOR support and therefore made it much harder to trace back to the attacker's command and control servers," explained Wayne Huang, lead researcher at Proofpoint. "With CryptoWall 2.0, the attackers are also heavily using obfuscation and anti-sandboxing techniques. This campaign saw at least two very different obfuscator + anti-sandboxer in use, although the naked payloads are exactly the same."

The Microsoft Windows Service Center Scam
2014-08-20

The Microsoft Windows Service Center scam is something that has been active for quite a while. It all starts with a phone call with an overtly helpful customer care person at the other end. The main pitch is that there have been complaints from the user's internet service provider stating the existence of a severe problem with the computer with respect to viruses. The hows and whys of the contact between the service provider and the service center are usually left to the victim's imagination, which in most cases gets slowed down upon hearing the two terms "Microsoft" and "virus".

The ploy has always been based around offering help to the user by asking them to open up Windows Event Viewer to check all recent activities and then downloading a cleanser program from a particular website. Remote control of the machine from the caller's side is also offered to ease the process. Upon downloading the cleanser program, however, the only thing that happens is that malware gets installed on to the victim's machine, which, apart from showing that there are a huge number of viruses on the machine, also makes sure to collect all of the user's personal data from the computer. The malware is also quite adept at concealing its true purpose, as it is supposed to cling on to the machine and record all of the victim's future online correspondence and data entries.

Apart from what's stated above, the other side of the card is, not uncommonly, money. If someone provides a service, they are sure to charge for it as well. The repair fee is definitely quite exorbitant considering the irony of the word "repair", and to add to the woes of the victims - there never exists a way to get their money back upon their vivid of the scam.

The Works of the Trade

It is usual for a lot of computer users to have viruses on their machines. Computers might get slowed down and their performance might be hampered as well. It is however of absolute importance to use anti-virus software to clean up the mess instead of relying on distant phone calls offering help for the same.

The way the scam works is that internet users often end up downloading malware on to their machines by surfing or clicking on unsafe websites or links. The scammers set out their web of viruses to see who gets caught in it. The moment someone gets caught, the call is made. Someone states that they are calling from Windows Service Center and asks whether the user has lately been having problems with their computer and asks them to check whether a certain file exists on their machine.

The file, as can be understood, was planted by them even before the phone call was made. From here on, the caller provides the user directions to download a virus cleansing software from a particular website or requests to take remote control over the user's machine via software like Team Viewer and the like. If a person is naïve enough to allow that, then the fraudsters will claim control of the victim's computer and readily access all of their private information.

The cleansing software is in reality malware whose job is to readily access data from the computer while maintaining that it is cleaning up and fixing the innumerable viruses on the victim's machine. The worse part of this malware is that it attaches itself to the host machine and collects all data from future web surfing and confidential data entries that the user might make online, like email account details, banking details, passwords etc.

Investigation and Facts

Investigations have indicated that such calls have their origin in Kolkata, India. Investigators in the United Kingdom have gone so far as to say that all these call center scams might also be headed by a single person. The report states that in theory the email addresses and phone numbers of the victims might be obtained by illegal access of sales databases of the software companies and/or the machines of the victims.

A fact for the freshers to keep in mind is that Microsoft neither calls its users to ask whether their computer is not functioning perfectly nor offers to help them and/or asks for their banking details for charging a fee for the same. The company never even sends an email for the same purpose. As a matter of fact, Microsoft has alerted major online payment organizations like PayPal and AlertPay to freeze the accounts related to several fraudsters.

Protection

In case one realizes that they have been scammed, the obvious thing to do is to stop using the computer and clean the hard drive before thinking of using it again. If credit card details were obtusely divulged, the issuing bank or company needs to be alerted immediately regarding the same. In case one had made payment to the fraudsters via their bank, a complaint can be sent to the bank requesting them to cancel the transfer. Finally, it is advisable that one changes the passwords to their email accounts and bank accounts for safety's sake and be careful not to divulge such secure details to anyone in the future.

Russian Hackers Amass Over a Billion Internet Passwords
2014-08-06

A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses, security researchers say.

The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, including household names, and small Internet sites. Hold Security has a history of uncovering significant hacks, including the theft last year of tens of millions of records from Adobe Systems.

Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information.

"Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites," said Alex Holden, the founder and chief information security officer of Hold Security.

"And most of these sites are still vulnerable."

Mr. Holden, who is paid to consult on the security of corporate websites, decided to make details of the attack public this week to coincide with discussions at an industry conference and to let the many small sites he will not be able to contact know that they should look into the problem.

There is worry among some in the security community that keeping personal information out of the hands of thieves is increasingly a losing battle. In December, 40 million credit card numbers and 70 million addresses, phone numbers and additional pieces of personal information were stolen from the retail giant Target by hackers in Eastern Europe. And in October, federal prosecutors said an identity theft service in Vietnam managed to obtain as many as 200 million personal records, including Social Security numbers, credit card data and bank account information from Court Ventures, a company now owned by the data brokerage firm Experian.

But the discovery by Hold Security dwarfs those incidents, and the size of the latest discovery has prompted security experts to call for improved identity protection on the web.

"Companies that rely on user names and passwords have to develop a sense of urgency about changing this," said Avivah Litan, a security analyst at the research firm Gartner. "Until they do, criminals will just keep stockpiling people's credentials."

Websites inside Russia had been hacked, too, and Mr. Holden said he saw no connection between the hackers and the Russian government. He said he planned to alert law enforcement after making the research public, though the Russian government has not historically pursued accused hackers.

So far, the criminals have not sold many of the records online. Instead, they appear to be using the stolen information to send spam on social networks like Twitter at the behest of other groups, collecting fees for their work. But selling more of the records on the black market would be lucrative.
While a credit card can be easily canceled, personal credentials like an email address, Social Security number or password can be used for identity theft. Because people tend to use the same passwords for different sites, criminals test stolen credentials on websites where valuable information can be gleaned, like those of banks and brokerage firms. Like other computer security consulting firms, Hold Security has contacts in the criminal hacking community and has been monitoring and even communicating with this particular group for some time. The hacking ring is based in a small city in south central Russia, the region flanked by Kazakhstan and Mongolia. The group includes fewer than a dozen men in their 20s who know one another personally, not just virtually. Their computer servers are thought to be in Russia. "There is a division of labor within the gang," Mr. Holden said. "Some are writing the programming, some are stealing the data. It's like you would imagine a small company; everyone is trying to make a living." They began as amateur spammers in 2011, buying stolen databases of personal information on the black market. But in April, the group accelerated its activity. Mr. Holden surmised they partnered with another entity, whom he has not identified, that may have shared hacking techniques and tools. Since then, the Russian hackers have been able to capture credentials on a mass scale using botnets, networks of zombie computers that have been infected with a computer virus, to do their bidding. Any time an infected user visits a website, criminals command the botnet to test that website to see if it is vulnerable to a well-known hacking technique known as an SQL injection, in which a hacker enters commands that cause a database to produce its contents. If the website proves vulnerable, criminals flag the site and return later to extract the full contents of the database. "They audited the Internet," Mr. Holden said. 
It was not clear, however, how computers were infected with the botnet in the first place. By July, criminals were able to collect 4.5 billion records -- each a user name and password -- though many overlapped. After sorting through the data, Hold Security found that 1.2 billion of those records were unique. Because people tend to use multiple emails, they filtered further and found that the criminals' database included about 542 million unique email addresses. "Most of these sites are still vulnerable," said Mr. Holden, emphasizing that the hackers continue to exploit the vulnerability and collect data. Mr. Holden said his team had begun alerting victimized companies to the breaches, but had been unable to reach every website. He said his firm was also trying to come up with an online tool that would allow individuals to securely test for their information in the database. The disclosure comes as hackers and security companies gathered in Las Vegas for the annual Black Hat security conference this week. The event, which began as a small hacker convention in 1997, now attracts thousands of security vendors peddling the latest and greatest in security technologies. At the conference, security firms often release research to land new business, discuss with colleagues or simply for bragging rights. Yet for all the new security mousetraps, data security breaches have only gotten larger, more frequent and more costly. The average total cost of a data breach to a company increased 15 percent this year from last year, to $3.5 million per breach, from $3.1 million, according to a joint study last May, published by the Ponemon Institute, an independent research group, and IBM. Last February, Mr. Holden also uncovered a database of 360 million records for sale, which were collected from multiple companies. "The ability to attack is certainly outpacing the ability to defend," said Lillian Ablon, a security researcher at the RAND Corporation. 
"We're constantly playing this cat and mouse game, but ultimately companies just patch and pray." Self-propagating SMS worm Selfmite targets Android devices 2014-06-28 A rare Android worm that propagates itself to other users via links in text messages has been discovered by security researchers. Once installed on a device, the malware, which was dubbed Selfmite, sends a text message to 20 contacts from the device owner's address book. Most malware programs for Android are Trojan apps with no self-propagation mechanisms that get distributed from non-official app stores. Android SMS worms are rare, but Selfmite is the second such threat discovered in the past two months, suggesting that their number might grow in the future. The text message sent by Selfmite contains the contact's name and reads: "Dear [NAME], Look the Self-time," followed by a shortened URL. The rogue link points to an APK (Android application package) file called TheSelfTimerV1.apk that's hosted on a remote server, researchers from security firm AdaptiveMobile said in a blog post. If the user agrees to install the APK, an app with the name "The self-timer" will appear in the app list. In addition to spreading itself to other users, the Selfmite worm tries to convince users to download and install a file called mobogenie_122141003.apk through the local browser. Mobogenie is a legitimate application that allows users to synchronize their Android devices with their PCs and download apps from an alternative app store. The Mobogenie Market app was downloaded over 50 million times from Google Play, but is also promoted through various paid referral schemes, creating an incentive for attackers to distribute it fraudulently. "We believe that an unknown registered advertising platform user abused a legal service and decided to increase the number of Mobogenie app installations using malicious software," the AdaptiveMobile researchers said. 
The security vendor, which claims that its technology is used by some of the largest mobile operators worldwide, said that it detected dozens of devices infected with Selfmite in North America. The short URL that was used to distribute the malicious APK was visited 2,140 times until Google disabled it. That doesn't mean attackers can't create another URL and launch a new attack campaign. Given its current distribution model, the threat is likely to only affect users who have configured their devices to allow the installation of apps from "unknown sources" -- sources other than Google Play. Most users don't enable this feature on their phones, but some do because there are legitimate apps that are not distributed through Google Play. "The impact on the user is not only have they been fooled into installing a worm and other software they may not want; the worm can use up their billing plan by automatically sending messages that they would not be aware of, costing them money," the AdaptiveMobile researchers said. "In addition, by sending spam the worm puts the infected device at danger of being blocked by the mobile operator. More seriously, the URL that the worm points to [in the browser] could be redirected to point to other .apks which may not be as legitimate as the Mobogenie app." Windows Server 2003 End-Of-Life Support Rapidly Approaching 2014-05-26 What's Your Action Plan? The Problem Windows Server 2003 is fast approaching its end-of-life. Microsoft has announced the official date for end-of-life support as July 14th, 2015. While many administrators are well aware of this fact, there are still nearly a million servers across the globe currently running live applications on Windows Server 2003. It should be cause for alarm that so many businesses are still reliant upon an operating system originally released almost 10 years ago (December, 2005 for Windows 2003 R2). 
More concerning is that many of these W2k3 servers are running applications originally developed for a 32-bit operating system. Even if your Windows 2003 server is stable at this time, do you want to risk running your applications on a server that will not ever again be supported starting July 15, 2015? Consider also that most all hosting service providers will ultimately force their customers to migrate to newer, fully supported platforms so that they can continue to provide the support and security promised in their service level agreements, which will not be possible once the Windows 2003 server OS is officially unsupported. Unfortunately, WSM has found that the vast majority of businesses neglect to plan their server migration and upgrade with enough lead time, often resulting in a last minute, frantic, stressful and risky forced migration in order to ensure continuity of service, support and security. This all comes down to the simple matter of maintenance. If you're still running Windows Server 2003, it's highly probable that you haven't been proactive with maintenance, patching, upgrades, etc. The problem with a last minute migration approach is when the server/version upgrade results in problems, errors or inconsistencies with security, stability, or functional issues with your applications that require immediate remediation, and most often programmatic revisions. Needless to say, waiting until the last minute to perform your Windows 2003 server migration is a risky proposition. Windows Server 2003 End-of-Life Server Options There exists an understandable (but unwise) reluctance to migrate from a currently stable Windows Server 2003, likely due to fear of the inevitable challenges that administrators and developers may encounter with incompatibilities (especially between 32-bit and 64-bit platforms). 
Although some migration tools can aid the migration of some applications/websites, most services still running on Windows 2003 servers are fairly custom and will present unique, specific challenges during migration/version upgrade. Therefore, best practice to prepare for your migration is to start with a thorough migration and upgrade plan well in advance of the end-of-life date, for the reasons we have stated here. Your Options 1. Stay Put. In this scenario, you no longer require server support, are prepared for major vulnerabilities, and are perfectly fine to just kick the can down the road. Assuming you actually rely on your Windows 2003 server applications, this option is only viable if you already are underway with replacing all your applications and servers with a new architecture from the ground up. In this case, the risk of unsupported servers/applications, security breach, functional errors etc. is outweighed by the benefit of focusing all your resources on the overhaul effort to all-new applications, to replace all the services on your current Windows 2003 server. 2. Upgrade The Server. Performing an upgrade to your existing server, if even an option, in most cases will result in functionality errors with your applications that you'll need to resolve in a live environment. Moreover, it's likely the server itself is several years old (or more), so you're solving one problem in a potentially reckless, short-sighted manner while leaving the legacy hardware issue for a later date, compounded by having to diagnose and resolve application failures (at an unknown magnitude of time and expense) in your live environment. This option is extremely high risk, unless you are certain that you won't encounter any significant application errors upon the server upgrade, and your business can withstand a possible services outage of 48 hours (or more), and economy/budget is way more important to your business than longevity, security and support. 3. Migrate and Upgrade. 
In most all cases this is your best, most logical option. Start with your plan, and start now. Best practice planning for your Windows 2003 server migration should include phases for project scope (technical and project management), resource allocation, capability (i.e. programmers and testers), and budget. There are more granular components as well, but these are a good place to start. In summary, the rule of thumb for successful migrations is to plan ahead, be thorough, and don't wait until the last minute if it can be avoided. Hackers find first post-retirement Windows XP-related vulnerability 2014-04-28 Computerworld - Microsoft on Saturday told customers that cyber-criminals are exploiting an unpatched and critical vulnerability in Internet Explorer (IE) using "drive-by" attacks. "Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11," the company said in a security advisory. According to Microsoft, the attacks have been launched against IE users tricked into visiting malicious websites. Such attacks, dubbed "drive-bys," are among the most dangerous because a vulnerable browser can be hacked as soon as its user surfs to the URL. All currently-supported versions of IE are at risk, Microsoft said, including 2001's IE6, which still receives patches on Windows Server 2003. The same browser will not be repaired on Windows XP, as the operating system was retired from patch support on April 8. The IE flaw was the first post-retirement bug affecting XP. And that's important. Because Microsoft will eventually patch the drive-by bug in IE6, IE7 and IE8, then deliver those patches to PCs running Windows Vista and Windows 7, it's likely that hackers will be able to uncover the flaw in the browsers' code, then exploit it on the same browsers running on Windows XP. 
Microsoft said that was the biggest risk of running XP -- and IE on it -- after the operating system was retired, claiming last year that XP was 66% more likely to be infected with malware once patching stopped. Windows XP users can make it more difficult for attackers to exploit the IE bug by installing the Enhanced Mitigation Experience Toolkit (EMET) 4.1, an anti-exploit utility available on Microsoft's website. The security advisory included other steps customers can take to reduce risk. Among them is to "unregister" the vgx.dll file. That .dll (for dynamic-link library) is one of the modules that renders VML (vector markup language) within Windows and IE. Another way Windows XP users can avoid IE-based attacks is to switch to an alternate browser, like Google's Chrome or Mozilla's Firefox. Both will continue to receive security updates for at least the next 12 months. Microsoft did not explicitly promise a patch, but it will almost certainly issue one. The next regularly-scheduled Patch Tuesday is May 13, just over two weeks away. The company has been very reticent of late to ship emergency patches, called "out-of-band" or "out-of-cycle" updates. In this case, the most likely scenario under which it would issue a quick fix was if the number of attacks quickly climbed. Although IE6 through IE11 are vulnerable, the attacks seen so far have targeted only IE9, IE10 and IE11, according to FireEye, whose researchers spotted the active exploits. On Saturday, FireEye published more information about the attacks, which it labeled "Operation Clandestine Fox" on its own blog. On that blog, FireEye called the flaw "a significant zero day" and said that the current exploits rely in part on the presence of Adobe Flash Player. "Disabling the Flash plug-in within IE will prevent the exploit from functioning," FireEye wrote. FireEye said the hacker group behind the IE exploit is a sophisticated gang that has launched browser-based attacks in the past. 
"The APT [advanced persistent threat] group responsible for this exploit has been the first group to have access to a select number of browser-based 0-day exploits (e.g. IE, Firefox, and Flash) in the past," Firefox claimed. "They are extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure." Experts Find a Door Ajar in an Internet Security Method Thought Safe 2014-04-09 A flaw has been discovered in one of the Internet's key security methods, potentially forcing a wide swath of websites to make changes to protect the security of consumers. The problem was first discovered by a team of Finnish security experts and researchers at Google last week and disclosed on Monday. By Tuesday afternoon, a number of large websites, including Yahoo, Facebook, Google and Amazon Web Services, said they were fixing the problem or had already fixed it. Researchers were still looking at the impact on consumers but warned it could be significant. Users' most sensitive information -- passwords, stored files, bank details, even Social Security numbers -- could be vulnerable because of the flaw. The most immediate advice from security experts to consumers was to wait or at least be cautious before changing passwords. Changing a password on a site that hasn't been fixed could simply hand the new password over to hackers. Experts recommended that, before making any changes, users check a site for an announcement that it has dealt with the issue. "This is a good reminder that there are many risks online and it's important to keep a watchful eye around what you're doing, just as you would in the physical world," said Zulfikar Ramzan, the chief technology officer of Elastica, a security company. The extent of the vulnerability was unclear. Up to two-thirds of websites rely on the affected technology, called OpenSSL. 
But some organizations appeared to have had advance notice of the issue and had already fixed the problem by Tuesday afternoon. Many others were still working on restoring security. Because attackers can use the bug to steal information unnoticed, it is unclear how widely the bug has been exploited -- although it has existed for about two years. On Github, a website where developers gather to share code, some were posting ways to use the bug to dump information from servers. The Finnish security researchers, working for Codenomicon, a security company in Saratoga, Calif., and security researchers at Google found the bug in a portion of the OpenSSL protocol -- which encrypts sessions between consumer devices and websites -- called the heartbeat because it pings messages back and forth. The researchers called the bug Heartbleed. "It's a serious bug in that it doesn't leave any trace," said David Chartier, chief executive at Codenomicon. "Bad guys can access the memory on a machine and take encryption keys, usernames, passwords, valuable intellectual property, and there's no trace they've been there." Organizations were advised to download immediately the newest version of the OpenSSL protocol, which includes a fix, and quickly swap out their encryption keys. It also meant organizations needed to change their corporate passwords, log out users and advise them to change their own passwords. Then companies began taking inventory of what they may have lost. But because the flaw would allow attackers to surreptitiously steal the keys that protect communication, user passwords and anything stored in the memory of a vulnerable web server, it was virtually impossible to assess whether damage had been done. Security researchers say they found evidence that suggests attackers were aware of the bug. 
Researchers monitoring various honey pots -- stashes of fake data on the web aimed at luring hackers so researchers can learn more about their tools and techniques -- found evidence that attackers had used the Heartbleed bug to access the fake data. Actual victims may be out of luck. "Unless an attacker blackmails you, or publishes your information online, or steals a trade secret and uses it, you won't know if you've been compromised," Mr. Chartier said. "That's what makes it so vicious." Mr. Chartier advised users to consider their passwords compromised and urged companies to deal with the issue quickly. "Companies need to get new encryption keys and users need to get new passwords," he said. Security researchers say it is most important for people to change passwords to sensitive accounts like their online banking, email, file storage and e-commerce accounts, after first making sure that the website involved has addressed the security gap. By Tuesday afternoon, many organizations were heeding the warning. Companies across the web, including Yahoo, Amazon and PayPal, began notifying users of the bug and what was being done to mitigate it. Tumblr, the social network owned by Yahoo, said it had issued fixes and warned users to immediately swap out their passwords. "This still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails and credit cards safe was actually making all that private information accessible to anyone who knew about the exploit," the security team at Tumblr, which is part of Yahoo, wrote on its site. "This might be a good day to call in sick and take some time to change your passwords everywhere -- especially your high-security services like email, file storage and banking, which may have been compromised by this bug." Microsoft extends Security Essentials support to 2015, but is still ending XP updates this April. 
2014-03-26 There has been a bit of confusion for Windows XP users (yes, they still exist) over whether or not they would be able to obtain antivirus support after July 2015. Let us take a few moments to talk about what antivirus support you won't have after the 2015 date, but what might still be available. In addition, take a second to learn why you will still be at risk after this April even if you choose to continue using a third party service's security solution. If you are still using Windows XP and the separation anxiety is just too much to deal with, you will be able to stay protected with antivirus support after July 2015. On the previously specified date, Microsoft will end support of their free Security Essentials software for the now decrepit operating system. What exactly does it mean that they are ending support for the platform? Well, the company will stop providing new antivirus definitions for the software. What that means is that the software simply will not be updated after that date. If you continued to use Microsoft Security Essentials with Windows XP, you will be protected against viruses in the database prior to July 2015, but your computer will be susceptible to malicious software created after that date. In essence, this means that you will want to abandon Microsoft Security Essentials when the 2015 date comes around town. The misunderstanding is that some people currently think that all antivirus support will end for the operating system - that is simply not true. While Microsoft is backing out of Windows XP and encouraging growth with Windows 8, other third party companies will still provide security solutions. You will still be able to obtain security solutions from companies including Norton, AVG, Trend Micro, and Kaspersky. It will depend on the exact company, but some are promising to continue providing support as late as 2019. That being said, Windows XP is twelve years old and it is really time to move on. 
While Microsoft Security Solutions may provide support until 2015, security and bug fixes for the operating system will cease this April 8. Even if you continue to use a third party security suite until 2019, the updates and fixes for the operating system will stop and that still creates a terrible circumstance. If new exploits are found in the operating system after this April that hackers could take advantage of to compromise your data, Microsoft will not be issuing any sort of patch or protection - you will be on your own. Windows XP is truly coming to an end and we strongly urge any of you still using the operating system to get your stuff and move to a more modern operating system. After this April, there will simply not be enough protection for users still on the platform. Don't wait till April 8 to move though, do it now and get settled in to the future. If you truly hate Windows 7 and Windows 8, then I would rather see you on a Mac or Linux platform - at least you will be safe. Please, purchase an upgrade to Windows 7 or Windows 8 soon - it is truly for your own good and security well being. Microsoft Windows Server 2003 End of Life 2014-03-11 As of July 14 2015 all versions of Microsoft Windows Server 2003 will no longer be supported. How to Protect Yourself Online 2014-02-09 Background The Internet and the information it connects to is a resource that many have come to depend upon. Facts that once might have taken several days to locate in a research library can now be obtained instantaneously using your personal computer or even a handheld wireless device. Individuals can publish to a world wide audience, mix up previously existing content to form new creations, or act as curators, sharing with friends the best new content found on the Internet. Because almost anyone with a computer or wireless device can connect to the Internet, however, some bad actors have found ways to use it to cause harm. 
Several US Government agencies, including the Federal Communications Commission (FCC), and non-profit organizations have joined in an effort to provide consumers useful, easy-to-understand information on Internet safety that can be found at This guide summarizes some of this valuable information. Spam (and what it can lead to) Spam is online junk mail, which is inconvenient and wastes time. Spam can change from annoying to malicious if spam emails, or anything attached to them, steal personal information (spyware) or work to disrupt your personal computer or wireless device by implanting viruses or worms (malware). Some malware can integrate your computer into a network to distribute spam, turning it into a zombie that becomes part of a botnet. Ways you can reduce spam include: Look for an email provider with strong anti-spam filtering capability. You don't have to use the email service provided by your Internet Service Provider (ISP), the company from which you purchase your access to the Internet, but can choose an independent email service. One way email providers compete for your business is to provide better filtering capability. You can also talk to your provider if you think spam filtering could be improved. Some email spam filters have settings that can be changed to make them stronger. Check your filter to be sure it's set where you want it to be. If you have questions about changing settings, contact your email provider. Identify unwanted spam with the spam button. Many email services allow you to select spam email, and then push a spam button to identify it as unwanted email. Use this button if you have it, because it lets your email provider know what email you don't want. Email settings also allow you to prevent images such as logos and pictures from automatically displaying when you open an incoming email. 
Open images can contain malware and spyware and let spammers know their emails have been opened, and thus that the emails have been sent to a valid address. Set your email so that it doesn't automatically accept incoming appointments or automatically download attachments, again so that you don't let spammers know the email has been sent to a valid address. Try to limit sending or displaying your email address to people or groups you know. Check the privacy policy before sending your address to a Web site or directory, and, if you can, opt out of allowing your address to be shared. Protect your friends' addresses by putting them on the bcc line when sending emails to a group of people who don't know each other. Consider using two email addresses, one for personal mail, and one for correspondence with companies or groups that you deal with regularly. Never respond to spam. The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act, a federal law, requires senders of commercial email to give you a return email address or other Internet-based response method to opt out of future emails. Senders must honor your opt out request within ten days, and cannot sell or transfer the email address in your opt out request unless the transfer is to allow another sender to comply with the Act. Find out more about the Act. You can report spam received on your computer to the Federal Trade Commission (FTC) by sending a copy of the message to The CAN-SPAM Act also prohibits the sending of unwanted commercial messages to wireless devices using an Internet address without prior authorization. Ways you can control spyware and malware that may come with spam are: Install anti-virus and anti-spyware software, which scans incoming emails and files for problems, and keep it up to date. This software may come pre-installed on a new computer or device, can be downloaded from your ISP or software company websites, or purchased in retail stores. 
Because bad actors continually come up with new viruses and spyware, your software needs to be updated regularly. Some software updates automatically. Set your operating system software (such as Windows or an Apple computer operating system) to automatically download and install new security patches. Be careful about opening attachments or downloading files, even if you think you know the sender. The cover email should mention the attachment and describe what's in it. Download free software, including games and toolbars, only from sites you know and believe are genuine. Use a firewall, which blocks all incoming communications from unauthorized sources, when connected to the Internet. Why SSL? The Purpose of using SSL Certificates 2013-12-21 Why SSL? As a web developer, I have come across many customers who ask "Why do I need SSL? What will it do for me?" This is an important question for anyone involved in the web to understand. SSL is the backbone of our secure Internet and it protects your sensitive information as it travels across the world. It keeps the Internet from being ruled by anarchists and criminals and provides many direct benefits to you and your customers. Why use SSL? To Encrypt Sensitive Information The primary reason why SSL is used is to keep sensitive information sent across the Internet encrypted so that only the intended recipient can understand it. This is important because the information you send on the Internet is passed from computer to computer to get to the destination server. Any computer in between you and the server can see your credit card numbers, usernames and passwords, and other sensitive information if it is not encrypted with an SSL certificate. When an SSL certificate is used, the information becomes unreadable to everyone except for the server you are sending the information to. This protects it from hackers and identity thieves. Authentication In addition to encryption, a proper SSL certificate also provides authentication. 
This means you can be sure that you are sending information to the right server and not to a criminal's server. Why is this important? The nature of the Internet means that your customers will often be sending information through several computers. Any of these computers could pretend to be your website and trick your users into sending them personal information. It is only possible to avoid this by using a proper Public Key Infrastructure (PKI), and getting an SSL Certificate from a trusted SSL provider. Why are SSL providers important? Trusted SSL providers will only issue an SSL certificate to a verified company that has gone through several identity checks. Certain types of SSL certificates, like EV SSL Certificates, require more validation than others. How do you know if an SSL provider is trusted? You can use our SSL Wizard to compare SSL providers that are included in most web browsers. Web browser manufacturers verify that SSL providers are following specific practices and have been audited by a third-party using a standard such as WebTrust. Why Use SSL? To Gain Your Customers' Trust Web browsers give visual cues, such as a lock icon or a green bar, to make sure visitors know when their connection is secured. This means that they will trust your website more when they see these cues and will be more likely to buy from you. SSL providers will also give you a trust seal that instills more trust in your customers. PCI Compliance It is also important to know that you cannot take credit card information on your website unless you pass certain audits, such as PCI compliance, which require a proper SSL certificate. Why SSL protects from phishing A phishing email is an email sent by a criminal who tries to impersonate your website. The email usually includes a link to their own website or uses a man-in-the-middle attack to use your own domain name. 
Because it is very difficult for these criminals to receive a proper SSL certificate, they won't be able to perfectly impersonate your site. This means that your users will be far less likely to fall for a phishing attack because they will be looking for the trust indicators in their browser, such as a green address bar, and they won't see it.

Disadvantages of SSL

With so many advantages, why would anyone not use SSL? Are there any disadvantages to using SSL certificates? Cost is an obvious disadvantage. SSL providers need to set up a trusted infrastructure and validate your identity, so there is a cost involved. Because some providers are so well known, their prices can be overwhelmingly high. Performance is another disadvantage to SSL. Because the information that you send has to be encrypted by the server, it takes more server resources than if the information weren't encrypted. The performance difference is only noticeable for web sites with very large numbers of visitors and can be minimized with special hardware.

Overall, the disadvantages of using SSL are few and the advantages far outweigh them. It is critical that you properly use SSL on all websites that require sending sensitive information. Proper use of SSL certificates will help protect your customers, help protect you, and help you to gain your customers' trust and sell more. If you're still not sure why SSL should be used on your website, read more of our SSL FAQ.

Nasty new malware locks your files forever, unless you pay ransom
2013-11-06

CryptoLocker, a new and nasty piece of malicious software, is infecting computers around the world, encrypting important files and demanding a ransom to unlock them. According to Sophos, the worldwide digital security company, it's been hitting pretty hard for the past six weeks or so.
"It systematically hunts down every one of your personal files, documents, databases, spreadsheets, photos, videos and music collections and encrypts them with military-grade encryption and only the crooks can open it," said Chester Wisniewski, a senior security advisor at Sophos. Even though it's infected, your computer keeps working normally; you just can't access any of your personal files. It's scary, especially if you haven't backed up your data.

"Cybercrime is evolving, as the bad guys get smarter and use newer technologies," noted Michael Kaiser, executive director of the National Cyber Security Alliance. "They're always looking for new ways to steal your money."

CryptoLocker is different from other types of "ransomware" that have been around for many years now that freeze your computer and demand payment. They can usually be removed, which restores access to your files and documents. Not CryptoLocker: it encrypts your files. There's only one decryption key and the bad guys have that on their server. Unless you pay the ransom within three days, that key will be destroyed. And as the message from the extorters says: "After that, nobody and never will be able to restore files."

The typical extortion payment is $300 USD or 300 EUR paid by Green Dot MoneyPak, or for the more tech savvy, two Bitcoins, currently worth about $400. To instill a sense of urgency, a digital clock on the screen counts down from 72 hours to show how much time is left before that unique decryption key is destroyed.

Image (Sophos): The criminals behind CryptoLocker deliver their digital ransom note on the victim's computer screen. The typical demand is for $300 or two Bitcoins. Note the yellow countdown clock at the bottom left. It gives the time remaining until the unique decryption key is destroyed and the encrypted files are inaccessible forever.
One victim described his anguish in an online post: "The virus cleverly targeted all of our family photos, including all photos of my children growing up over the last 8 years. I have a distraught wife who blames me!"

This sophisticated malware is delivered the old-fashioned way: an executable file hidden inside an attachment that looks like an ordinary ZIP file or PDF. One small business reports being compromised after clicking on an email attachment that was designed to look like a shipping invoice from the U.S. Postal Service. Open that file and bad things start to happen, although it may take several days for the ransom demand to pop up on your screen after the machine is infected.

"The author of this (malware) is a genius. Evil genius, but genius none the less," an IT professional commented in an online tech forum. Another wrote, "This thing is nasty and has the potential to do enormous amounts of damage worldwide."

Good anti-virus software can remove the CryptoLocker malware from your computer, but it cannot undo the damage; the encryption is that good. "It's the same type of encryption used in the commercial sector that's approved by the federal government," Wisniewski told me. "If the crooks delete that encryption key, your files are gone forever; even the NSA can't bring them back."

Victims large and small

The cyber-crooks are targeting both businesses and individual computer users: anyone who will pay to regain access to their files. The CryptoLocker forum on is filled with page after page of horror stories. Here is a small sample:

"When we discovered the infection from a user's workstation on the network, this program had encrypted over 180,000 files through the network shares in a period of 6 days. I pretty much shut down the business for 2 days after we realized what was happening."

"Our company was infected this morning. The virus hit a machine 4 days ago and today we got the pop up about the ransom.
All files on the network drive the user had access to are now encrypted."

"We had a workstation get infected yesterday that encrypted everything on our network share drive. We had backups, although they weren't recent enough, so despite all feelings against it, we paid the ransom and everything started to decrypt overnight."

Of course, there's no guarantee there will be a happy ending if you pay the ransom. And then there's the bigger issue: by doing this, you're helping fund a criminal operation. "It encourages them to continue this bad behavior," said Howard Schmidt, former White House Cyber Security Advisor and a co-founder of Ridge-Schmidt Cyber. "As people pay the ransom, the bad guys have the money to reinvest in create research that are more virulent and hide better from detection."

How to protect yourself

Go on the Internet and there's no way to guarantee malware won't make it onto your computer, even if you follow all the rules of safe computing. So you need to act defensively, and that means regular backups. "Back up, back up, back up," said Schmidt. "That's the only way to reduce the risk of losing your files forever."

If you have a recent backup, you can recover from CryptoLocker and other malware with no serious consequences. That backup should be a snapshot of everything on the system and not a simple synchronization, as happens with most automated external hard drives and many cloud-based services. With these synchronized backups, stored files that have changed on the master drive are overwritten with the new ones. If a malicious program encrypts your master files, those backups would also be encrypted and useless. Your backup should be disconnected from your computer until the next time you need to access it.

Major Security Issues with Cloud Computing Being Ignored
2013-11-01

Businesses are completely ignoring a growing problem facing their organizations as cyber criminals look to target increased security flaws as operations move to the cloud.
Cloud computing was one of the buzzwords of 2012, gaining widespread adoption among individuals, SMEs and major corporations all around the world. It is going to make our lives easier while saving us millions of pounds at the same time. However, one issue which is being ignored by the vast majority of organizations is security, with a Pricewaterhouse Coopers survey from last year showing that more than three quarters of respondents across a range of companies believed cloud computing did not increase their security risk. That belief was shattered by a report published this week by security firm Imperva, which highlights just how easy it is for even one of the world's largest online companies to be hacked and have sensitive consumer data stolen.

"More than 75 percent of businesses don't see a problem by moving an application to the cloud. For me this is the big story, this is the big problem," Barry Shteiman, sector security strategist with Imperva, told IBTimes UK this week.

The Hacker Intelligence Initiative report (PDF) details an attack on online giant Yahoo, which took place in December of last year. It shows just how easy it was for a hacker to breach Yahoo's security as a result of poor security measures which didn't take into account insecure third-party code. Shteiman believes that companies are not aware that, in the cloud, if you are trading information with another application, especially if it is sensitive customer and financial information, then the other app needs to be as secure as you are.

SQL injection

The attack on Yahoo took advantage of one of the most widespread vulnerabilities on the web, using what is known as a SQL injection attack. These types of attack see hackers exploit web application vulnerabilities in order to access the organization's data in an unauthorized manner. It is a relatively unsophisticated type of attack and simply involves typing computer code into the fields of a website form.
For example, instead of typing in a credit card number or a last name, a hacker types in some code. An attack like this, which is all the more common now that organizations are moving services and resources online, is potentially hugely damaging for your company. As well as gaining access to your customer database and their personal details, the attacker could steal the site administrator's password and username, giving them full control of your website. The hacker may also plant malicious code, known as malware, which would then be automatically downloaded onto the PC of every user who visits the site - known as a drive-by-download attack.

In the Yahoo attack, the hacker didn't target any of the company's own apps, knowing they would be likely to be better protected. Instead he targeted an app called, which wasn't created by Yahoo staff or even hosted on Yahoo servers. Portal is, according to its website is the "leading astrology portal in India" and based on users' dates of birth and other information gives them astrology readings. Because the code was written by a third party, and Yahoo did not ensure it was secure, the hacker was able to infiltrate Yahoo's database, as Yahoo shared user information with Shteiman believes this is a huge problem for organizations, who are simply unaware of the problem: "If I have my application and you have your application and we transact with each other the information of our users then you have to maintain the same security level that I do. Because people are not aware of that problem they don't enforce it."

As well as a lack of awareness, there is also a lack of regulation a lot of the time, because the information being transacted is not credit card numbers or bank details and therefore doesn't come under the scrutiny of anyone in particular. However, emails, passwords, home addresses and phone numbers can be just as valuable to hackers as credit card numbers.
"If you look at application security, anything in security, it is all about awareness. You are looking at a space where companies who have spent millions in security equipment haven't even looked at, or are not focused on, or understand that [moving to the cloud] promotes problems," Shteiman continues.

While Imperva has reverse engineered the attack based on information the Egyptian hacker ViruS_HimA - who claimed responsibility for the attack - released and is "certain" that this was how the attack was carried out, Yahoo continues to say nothing about the attack, having never publicly acknowledged it ever took place. IBTimes UK contacted Yahoo for a comment in relation to this article and the publication of Imperva's report but it declined to comment.

Disclosure

Because Yahoo didn't disclose anything, it's impossible to know for sure what information was disclosed during the hack. ViruS_HimA, who carried out the attack, is, according to Shteiman, known for hacking into systems in order to show up their vulnerabilities rather than for financial gain. The refusal to disclose any information about the attack is not going to help Yahoo in terms of its reputation among internet users. Shteiman believes it was not a good idea to deny the attack, causing the company more damage rather than less: "Look at banks. It makes you trust them, even if your bank gets breached, you feel scared for a while but if [they] disclose it, come clean and say this happened, you're safe now and we can control it, your reputation is intact. In my eyes hacks should always be disclosed, regardless of the company."

With such a viable and constant threat out there, organizations need to take notice and become aware of the problem. Once they do, putting a web application firewall in place is the first step they need to take.
However, a firewall is only the first step, with Imperva adding that organizations then need to concentrate on making sure any third-party code they are using is up to the same security standards as their own code and actively test their systems to see how vulnerable they are.

Microsoft ending support for Windows XP and Office 2003
2013-10-01

In 2002 Microsoft introduced its Support Lifecycle policy based on customer feedback to have more transparency and predictability of support for Microsoft products. As per this policy, Microsoft Business and Developer products, including Windows and Office products, receive a minimum of 10 years of support (5 years Mainstream Support and 5 years Extended Support), at the supported service pack level. Thus, Windows XP SP3 and Office 2003 will go out of support on April 8, 2014. If your organization has not started the migration to a modern desktop, you are late. Based on historical customer deployment data, the average enterprise deployment can take 18 to 32 months from business case through full deployment. To ensure you remain on supported versions of Windows and Office, you should begin your planning and application testing immediately to ensure you deploy before end of support.

What does end of support mean to customers? It means you should take action. After April 8, 2014, there will be no new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates. Running Windows XP SP3 and Office 2003 in your environment after their end of support date may expose your company to potential risks, such as:

Security & Compliance Risks: Unsupported and unpatched environments are vulnerable to security risks. This may result in an officially recognized control failure by an internal or external audit body, leading to suspension of certifications, and/or public notification of the organization’s inability to maintain its systems and customer information.
Lack of Independent Software Vendor (ISV) & Hardware Manufacturers support: A recent industry report from Gartner Research suggests "many independent software vendors (ISVs) are unlikely to support new versions of applications on Windows XP in 2011; in 2012, it will become common." And it may stifle access to hardware innovation: Gartner Research further notes that in 2012, most PC hardware manufacturers will stop supporting Windows XP on the majority of their new PC models.

Get current with Windows and Office. This option has upside well beyond keeping you supported. It offers more flexibility to empower employees to be more productive, while increasing operational efficiency through improved PC security and management. It also enables your organization to take advantage of the latest technology trends such as virtualization and the cloud.