Showing posts with label unprotected computers. Show all posts

Monday, April 21, 2014

Windows XP, End Of Life or End Of The World? How Can I Stay Safe on Windows XP?


I guess by now you have heard that Microsoft ceased support for Windows XP on the 8th of April 2014. In some circles this is old news: the April 2014 End Of Life was already known in September 2010, when Microsoft announced that Windows XP would no longer be sold after 22 October 2010. Many people mistook this date for the date when Windows XP machines would stop functioning, mainly because of the manner in which the end of life date was announced; many sources made it sound like the end of the world for Windows XP users. But is this really the end of the world? In this article we will look at whether you should upgrade to a newer version of Windows and how you can stay safe not only on Windows XP, but on every other operating system as well.

First of all, your Windows XP machine will not stop functioning, but will continue to operate as it always did. The only difference is that you will no longer receive any Windows Updates because Microsoft will no longer develop patches for Windows XP after 8 April 2014. According to Microsoft, existing updates and fixes will still be available, but I guess after some years Microsoft might even pull these from their servers. Microsoft's biggest concern is your security and, to quote from their end of life page: “PCs running Windows XP after April 8, 2014, should not be considered to be protected, and it is important that you migrate to a current supported operating system”. Technically, this might be true, because should a hacker discover a flaw in a core component of Windows XP, it could be exploited to circumvent any security measures on a Windows XP machine and Microsoft will not be fixing that flaw. But is it fair to say that every XP machine should not be considered to be protected? In my humble opinion, no! There are a couple of things you can do to make sure your Windows XP computer is safe and secure.

I've read quite a lot of articles about Windows XP coming to end of life and from the comments on these articles, it is clear that a lot of people are not really worried about this. Some people feel that Windows XP is a very old system and people should have upgraded ages ago, while others believe that Windows XP still caters for all their needs and that they can continue to use the system without any foreseeable risk or problems. I am one of those people who have used Windows XP for years (and still do to a certain extent) without a single phone call to Microsoft for support. Whenever I ran into problems I always found a solution on the Internet and chances are you will still find solutions to Windows XP problems, because forums and articles will remain on the Internet for years. Computer repair shops will still have people with the necessary expertise to troubleshoot issues on Windows XP and many issues on Windows XP can still be addressed by a system restore or a re-installation, so it is not as if these tools are going to vanish now that Windows XP has reached its end of life.

The stark reality remains that at some stage it might be necessary to upgrade to a newer version of Windows, because certain hardware might not work on Windows XP; for example, in the near future you might not be able to connect your mobile phone to your Windows XP machine. This has already been seen with the Nokia Lumia phones (running Windows Phone of course, so it is no surprise that support for Windows XP is pathetic). In order to connect a Nokia Lumia phone to a Windows XP machine, you need to install Service Pack 3 with Microsoft Windows Media Player 11. The lack of hardware support on Windows XP will spill over to many devices including DVD players, printers and graphics cards, because the manufacturers will no longer develop drivers for these devices. But the chances of installing a new DVD player or the latest graphics card in an old machine running Windows XP are fairly slim. I still use an old Pentium 4 machine with an AGP slot for my graphics card, so I won't even be able to install a PCI Express card on that machine, so why would I worry about Windows XP drivers for a PCI Express card if I can't even install the hardware on the machine? Still, some people are running Windows XP on fairly new machines, so when they decide to buy new hardware in the future, they may be forced to upgrade to a newer Windows version because there won't be any drivers to run the hardware on Windows XP and I think this should be the only reason to move away from Windows XP.

Many companies still run Windows XP on their computers because their in-house software was developed on Windows XP and upgrading to Windows 7 or even Windows 8 is not financially viable at the moment. I can also speak from experience. Years ago I developed a program in Windows 98 and had to make some modifications to it to make it work under Windows XP. I know comparing Windows 98 to Windows XP is not the same as comparing Windows XP to Windows 7, but it remains a pain in the neck to port your software to a new operating system. I could afford making the modifications, because I did not make any money from this software and I did not have any loss in production while I made these modifications, but certain companies cannot afford the downtime, so they opt to stay on Windows XP. If your software works well in Windows XP and you can continue to run your business using Windows XP, why upgrade? If it is not broken, why fix it? But in the end, I will still advise companies to develop Windows 7 or 8 solutions on the sideline, while running your in-house software on the Windows XP machines in the meantime. Should the time come when you are forced to upgrade, you will be ready to make the transition without too much effort. This is easier said than done for small and medium enterprises, who do not have the necessary manpower and financial resources to make such a transition, so they opt to stay on Windows XP for as long as possible. However, when your business model depends on software running on Windows XP alone, I think it is time to consider other alternatives, because you might stare bankruptcy in the face if you are forced to leave Windows XP.

Right, so in a business environment, it might be necessary to upgrade to a newer version of Windows, but what about the individual, the normal man on the street? I believe they have the least to worry about. If you are a happy Windows XP user, why upgrade now? When the time comes where an upgrade is inevitable, you will most likely have to buy a new PC, because older PCs can hardly handle Windows 7, so what are the chances of running a future version of Windows on a Celeron, Pentium 4 or Dual Core? (Yes I know, technically you can run Windows 7 for example on a Pentium 4 or Dual Core, depending on the size of the processor and RAM, but in the end they perform pretty poorly when compared to running Windows XP on these systems.) What about the Windows XP user who has a newer computer that can handle Windows 7 or 8 quite well? The question is not really about what your computer can handle; the question is whether it is necessary to upgrade merely from a security point of view. I guess it depends on who you are and what you do on your computer. Unless you are a celebrity or high profile figure, chances are small that you are going to be targeted by hackers, but you still run the risk of getting infected by malware, leaking out personal and sensitive information to the creators of the malware. In order to get infected by malware you need to do something to introduce the malware to your system and even if the malware is exploiting a certain unpatched vulnerability in Windows XP, the malware still needs access to your system to make use of that vulnerability. So if you do not browse questionable and dangerous websites, if you are not “click-happy” (clicking on every link you see) and ignore strange and suspicious looking e-mails, you have a lower risk of introducing malware to your system.

So it boils down to clever computer use in general and not a specific operating system. Here are a couple of tips to keep you safe and secure on your PC, whether you are on Windows XP, Windows 7 or Windows 8 (in some instances these tips are even good practice for Linux users).

PC Safety Tip #1: Only browse trustworthy websites

The hardest part for this tip is how to identify a trustworthy website. This discussion is a whole article on its own, but generally speaking, stay away from sites involved in piracy, pornography or advertised through spam. Rather stick to well-known sites with a good reputation and as a rule of thumb, use your gut feeling, if something is bothering you on a website, rather stay away from it.

PC Security Tip #2: Do not be “click-happy” but rather “click-vigilant”

Do not click on every single link or ad you see on the Internet or in an e-mail. You should NEVER click on any link in a suspicious e-mail and stay away from ads making unrealistic promises, or claiming that you have a new message, or that there are problems on your PC that need fixing, or that you are the quadrillionth visitor to their site and that you have won a boat trip to the Bahamas. Use your common sense and once again follow your gut: if it sounds too good to be true... it probably is.

PC Security Tip #3: Uninstall all 3rd party software that you do not use

This is a very useful tip for Windows XP users, because you automatically close down vulnerabilities in your system by removing unused software. Over time we install a lot of programs and some of them are only used once to perform one specific task. If you do not think you are going to use a specific program again, rather uninstall it.

PC Security Tip #4: Refrain from adding programs to your system tray / Windows startup

Not all programs give you the option of adding them to the system tray, but normally these programs load at startup, so if you want to remove them, remove them from the Windows startup. As a rule of thumb, if you are not using it constantly and if it is not a security program, remove it from your Windows startup. Rather launch it when you need it than have it run in the background, filling up your memory and introducing vulnerabilities to your system. Disable stuff like the Adobe and Java Updaters and rather update them manually. Do not leave your GPS updating software running in the background; rather launch the updater when you actually want to update your GPS. Refrain from leaving programs like TeamViewer running in the background, especially if you do not need remote access to that computer on a constant basis.

PC Security Tip #5: Do not install browser toolbars or plugins / add-ons

For Windows XP users, this is a must, especially if you want to make sure you are closing down any possible weaknesses in your system. Browser plugins and toolbars are the most vulnerable parts of your browser and are normally exploited to do drive-by installs. These plugins and toolbars are normally developed by 3rd party developers and do not go through all the security standards and checks that the browser's own components had to go through.

Plugins are normally useless, unless it is a plugin for a specific, useful purpose like a dictionary. Try to stay away from all browser plugins or add-ons, but if you really need to use a browser plugin, make sure it is from a trustworthy developer and that the plugin is widely used.

While there are exceptions to plugins, browser toolbars are always useless, even the ones developed by anti-virus companies. I haven't come across a single toolbar that made my life easier. They are normally used for ads and change stuff in your browser that you never asked them to do. So stay away from browser toolbars, period.

PC Security Tip #6: Do not open attachments from unknown senders

You should not even open attachments from known senders if the e-mail looks suspicious. I've seen malware sending itself to everyone on the victim's address book, so it may appear as if your best friend sent you a photo, but the attachment is actually an executable (EXE) file containing malware. Use care when opening e-mails.
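The "photo that is really an EXE" case can be checked mechanically before anything is opened. The following Python sketch is an added example, not part of the original article: it walks a MIME message and flags attachments that are Windows executables whatever name they carry. The sample message, the file names and the helper names (`check_attachment`, `risky_attachments`) are constructed for illustration.

```python
"""Flag e-mail attachments that are Windows executables, whatever they are named."""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions that Windows runs directly or hands to a script host.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
# Extensions a victim would expect to be safe to open.
HARMLESS_LOOKING = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".pdf", ".doc", ".txt"}


def check_attachment(filename, payload):
    """Return the reasons an attachment is suspicious (empty list if none)."""
    reasons = []
    parts = (filename or "").strip().lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in RISKY_EXTENSIONS:
        reasons.append("executable extension " + ext)
        # "holiday.jpg.exe" shows as "holiday.jpg" when Explorer hides known extensions.
        if len(parts) > 2 and "." + parts[-2] in HARMLESS_LOOKING:
            reasons.append("double extension: looks like ." + parts[-2]
                           + " when extensions are hidden")
    elif payload[:2] == b"MZ":
        # Windows executables start with the bytes 'MZ' regardless of the file name.
        reasons.append("MZ header: content is a Windows executable, name claims "
                       + (ext or "no extension"))
    return reasons


def risky_attachments(raw_message):
    """Map attachment file name -> reasons, for every suspicious attachment."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        reasons = check_attachment(part.get_filename(), payload)
        if reasons:
            findings[part.get_filename()] = reasons
    return findings


def build_sample_message():
    """Constructed sample: one real-looking JPEG and two disguised executables."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Photos from the weekend"
    msg.set_content("Have a look at these!")
    fake_exe = b"MZ\x90\x00" + b"\x00" * 60      # only the header bytes, not a program
    fake_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 60
    msg.add_attachment(fake_exe, maintype="application", subtype="octet-stream",
                       filename="holiday.jpg.exe")
    msg.add_attachment(fake_exe, maintype="image", subtype="jpeg", filename="beach.jpg")
    msg.add_attachment(fake_jpeg, maintype="image", subtype="jpeg", filename="family.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in risky_attachments(build_sample_message()).items():
        print(name, "->", "; ".join(reasons))
```

Checking the content as well as the name matters because a sender can declare any file name or MIME type; the first bytes of the file are harder to disguise.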

PC Security Tip #7: Never let your browser save your passwords

This is once again a little common sense and good practice. The safest storage space for a password is your brain, but we all tend to forget our passwords sometimes, so rather store it in some offline location or device. Never store your passwords on a device that has Internet access and make sure the device is encrypted. I am not a big fan of a password manager, but if you have to use one, once again, use it on a computer without Internet access.

PC Security Tip #8: Only use trusted USB drives on your PC and disable Autorun

You should not trust any USB drive unless you use it yourself and even if you use it yourself, do not plug it into a computer that doesn't have an anti-virus on it. If you have to lend it to a friend, colleague or family member, make sure you scan it with an anti-virus scanner before using it again. Use a tool like Panda's USB Vaccine to protect the USB drive from getting infected with Autorun malware. This tool can also be used to disable the Autorun feature on your PC altogether, which is a must for Windows XP users. Do not take any chances with USB drives on your Windows XP machine; you are more likely to get infected by a USB drive than by a malicious e-mail.
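To see what "disabling Autorun" changes, the added Python example below (not from the original article) decodes the Windows `NoDriveTypeAutoRun` policy value, which lives under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer`, and lists the launch entries in an `autorun.inf` file found on a drive. The registry value name is Windows's own and is not mentioned in the article; the sample policy values, the sample `autorun.inf` and the function names are constructed for illustration.

```python
"""Audit the Autorun policy and an autorun.inf file from a USB drive."""

# Bits of NoDriveTypeAutoRun: a SET bit DISABLES Autorun for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x04: "removable (USB sticks)",
    0x08: "fixed disk",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
}
REMOVABLE = DRIVE_TYPE_BITS[0x04]


def autorun_enabled_types(no_drive_type_autorun):
    """Drive types on which Autorun is still active for this policy value."""
    return [name for bit, name in DRIVE_TYPE_BITS.items()
            if not no_drive_type_autorun & bit]


def launch_entries(autorun_inf_text):
    """Return (key, value) pairs in [autorun] that name a program to start."""
    entries = []
    in_autorun = False
    for raw in autorun_inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            key = key.lower()
            if key in ("open", "shellexecute") or (
                    key.startswith("shell\\") and key.endswith("\\command")):
                entries.append((key, value))
    return entries


def audit(policy_value, autorun_inf_text):
    """Combine both checks into one verdict for a plugged-in USB drive."""
    entries = launch_entries(autorun_inf_text)
    if not entries:
        return "CLEAN"
    if REMOVABLE in autorun_enabled_types(policy_value):
        return "AT RISK"
    return "BLOCKED BY POLICY"


# Constructed sample file; the program name is a placeholder.
SAMPLE_AUTORUN_INF = r"""
[AutoRun]
; constructed sample for this example
open=photos.exe
icon=folder.ico
shell\open\command=photos.exe
label=My Photos
"""

if __name__ == "__main__":
    for value in (0x91, 0xFF):                         # constructed sample values
        print(hex(value), "enabled on:", autorun_enabled_types(value) or "nothing",
              "->", audit(value, SAMPLE_AUTORUN_INF))
```

A value of `0xFF` sets every bit, so Autorun is off for all drive types; a drive that still carries launch entries in `autorun.inf` deserves a scan even when the policy blocks it.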

PC Security Tip #9: Use an alternative browser and dump Internet Explorer

Microsoft might have stopped developing patches for Windows XP but alternative browser developers will continue to support Windows XP for quite some time. So I suggest a browser like Firefox, Chrome or even Opera. Remember, these developers will continue to update and fix their browsers, but Microsoft will no longer patch Internet Explorer 8 (which is the latest version you can install on Windows XP). Support for IE8 died when Microsoft pulled the plug on Windows XP.

PC Security Tip #10: Use an up to date anti-virus and firewall solution

Why did I not mention this as the first tip, it seems pretty important to have this in place before anything else, right? Well, that's not entirely true. If you follow tips 1 to 9 down to the last letter, without any compromises, I will even go so far as to say that you can remain safe and secure without any anti-virus software. I am not promoting the use of a PC without anti-virus software, I'm merely illustrating the point that you can minimise the risk of becoming a cyber crime victim, by having some good PC security habits.

It is not good enough to have an anti-virus application as your only line of defence against cyber attacks; these days you also need a good firewall on your PC (especially Windows XP users). Your best bet would be an Internet Security suite like avast Internet Security, but if you cannot afford the paid version, at least use a free anti-virus and firewall application.

Most people are running their Internet connections through a router these days. Make sure you are utilising the firewall features of your router and if possible, use a router with NAT (Network Address Translation) capabilities. Having a software firewall on your PC, combined with a NAT router is a great way of controlling both inbound and outbound traffic on your computer.

Conclusion

Windows XP is an old system, you can't argue that fact, but it has been and always will be a great and stable operating system. At some stage you will have to upgrade to something newer, but it has to be your own decision. I don't have a problem with Microsoft pulling the plug on Windows XP, but I have a problem with Microsoft bullying their loyal users into upgrading, by using scare tactics through claims that all Windows XP machines are suddenly insecure.

Should you upgrade immediately? Not necessarily, you can continue to use Windows XP for as long as it does the job for you. The purpose of this article is to illustrate that PC security is not only vested in a secure operating system, but also in safe and secure computer usage practices and habits. It is not the security flaws on their own that make an operating system insecure, but the way you use that operating system, where those security flaws can be exploited.

About the Author
Coenraad is webmaster and founder of Cyber Top Cops, leaders in Internet security, analysers of security software and raising awareness about spam and malicious software.

Monday, September 24, 2007

PC Security DIY Part I: Malware - The Most Wanted Cyber Criminal

By Coenraad De Beer

More or less 3 weeks ago, several anti-scammer websites fell victim to DDoS (Distributed Denial of Service) attacks by the Storm botnet. The comments made on blogs and news sites about these attacks made it clear once again that cyber security experts are well aware of the dangers of malware infections, which are the backbone of any botnet, as well as the impact these infections have on the online industry. The fact that security experts realise these problems is all good and well, but it does not really help to address the problem. Normal computer users need to understand the implications of malware infections as well, but more importantly, they have to carry the consequences of their actions if they refuse to take appropriate preventative measures against malware.

Before we start, I would like to explain a couple of terms to users not familiar with DDoS attacks and botnets. A botnet is a network of software robots controlled remotely by crackers. A software robot in this specific case is a compromised computer, infected with specific malware types like Trojan horses and worms. A compromised computer is also called a "zombie computer". A botnet is therefore a collection of compromised or "zombie" computers. I am not going into the details of a DDoS attack, but a Denial of Service attack basically happens when a botnet sends thousands, even millions, of communication requests to a web server. This results in a bottleneck of incoming traffic, causing the server to crash, or making it so slow that it cannot serve the website to normal visitors anymore. An attack from a big botnet will therefore have a much larger impact on a web server than an attack from a smaller botnet. Okay, now that we have the jargon out of the way, let's delve deeper into the impact of malware infections on the Internet as a whole, but also for the individual Internet user.

The Internet is often referred to as the information superhighway. Of course the Internet as we know it today is much more than just an information superhighway; the Internet has become a digital world where many offline tasks can be done online as well. You can work, play, recruit, date, shop, chat, watch TV, listen to the radio and do many other things online. But for the sake of this article I will stick to the term information superhighway, because the rules of the road fit perfectly in with what I want to illustrate. According to Wikipedia, it is estimated that up to one quarter of all personal computers connected to the Internet are part of a botnet. This estimate is not that hard to believe; I will even go so far as to say that this figure may even be bigger than a quarter of the Internet's population, especially if you take into account the rate at which malware infections spread through the Internet. Ignorance plays a big role in malware infections, but don't leave negligence out of the equation. If it only stopped at ignorance and negligence, large and influential companies are able to address the problem, but they are unwilling to sacrifice profit for the safety of other Internet users.

Internet Service Providers are in pole position to address the increasing threat of malware infections, the one thing that's making botnets grow larger and larger by the day. Unfortunately they are only interested in making money instead of providing a safe and quality service to their loyal and honest customers. No, they would rather keep the clients distributing malware, sending out spam or taking part in Denial of Service attacks, because it means loss of revenue for them if they decide to suspend the services or terminate the accounts of these clients. Most ISPs will state in their Terms of Service that they do not tolerate this kind of behaviour, but it is only done to make them look great on paper; they seldom enforce these terms. John Masters, anti-spam activist and a dedicated supporter of Cyber Top Cops, sent me an e-mail the other day, suggesting that we should roll out penalties against people who use unprotected computers connected to the Internet. Although I realise the difficulty of getting something like this into place, I personally think it is a great idea and I wholeheartedly agree, but before we start to punish the user, start with the ISP for not taking action against the user.

It makes a lot of sense to fine people who use unprotected computers on the Internet. This is why I referred to the information superhighway earlier in this article. The Internet can be compared to a real highway, where several road safety rules apply. Driving on a highway with a vehicle that's not roadworthy does not only put your own safety at risk, but also the safety of other road users. If a traffic officer pulls you off the road and finds that your vehicle is not roadworthy, you will most probably receive a fine (unless you bribe the traffic officer). If you continue to drive like this you may end up with a suspended driver's licence. The same principle applies to computer security. If you use an unprotected computer on the Internet you're not only putting your own safety at risk, but the safety of other Internet users as well. If your ISP becomes aware of the fact that you're connecting to the Internet without appropriate, up to date anti-malware software installed on your computer, you are supposed to be fined for putting the safety of all other Internet users at risk. They should suspend your services if you continue to connect to the Internet with an unprotected computer.

Your computer may be distributing malware, sending out spam, phishing e-mails and advance fee fraud scams. Your computer may even be used in Denial of Service attacks. So you end up becoming an accomplice in Internet crime. You unknowingly become a spammer, a scammer or a malware distributor. By using an unprotected computer you contribute to cyber crime instead of fighting it. That's not all, the malware may be monitoring your keystrokes, capturing everything you type, stealing passwords, e-mail addresses, account numbers, social security numbers, credit card numbers, names, telephone numbers, physical addresses... can you see where I'm going with this? These programs are able to compile a complete profile about yourself, this information is then transmitted back to the operator of the malware, who may use it to commit fraud in your name, in other words steal your identity. The perpetrator may even clean out your bank account, open credit cards or take out loans in your name and guess who is going to receive the bills at the end of the month, you!

What are the practical implications of implementing a penalty system for reckless Internet users? First of all, the ISP needs to have solid evidence, proving that the guilty party was really using an unprotected computer. Secondly, if the user had anti-malware software installed on his/her computer, the ISP needs to prove that the software was outdated. Finally, if the user had up to date anti-malware software installed, the ISP needs to prove that the software was not appropriate for preventing malware infections. This means that anti-malware software needs to comply with certain safety standards before they can be accepted as approved anti-malware solutions. This will effectively force all anti-malware developers to put their software through specific tests, conducted by a computer security standards authority. This will also cause anti-malware application prices to rise, which may pull the plug on the development of free anti-malware solutions, unless the developers certify these free applications as well. The ISP should use special software to check whether these approved anti-malware applications are installed on the client's computer. The software should send out several warnings to the clients who do not comply with these standards, giving them a reasonable amount of time to attend to the problems and providing detailed instructions on how to resolve them. Access to the Internet should only be terminated if the user fails to respond to these warnings.

Many people might ask, how should I update my anti-malware application if my Internet access is terminated? Your Internet access should only be terminated if you fail to respond to the warning notifications sent to you. If you end up with a terminated Internet access account, it means you ignored the notifications and you should have thought about the implications of your actions before you decided to ignore them. Others may claim that they are computer illiterate and cannot install software or keep it up to date. Most anti-malware applications update themselves and it does not take a rocket scientist to install them. With most of these installations you simply need to click on the "Next" button until you see a "Finish" button. If you can surf the Internet, then I'm sure you know how to click a button. I understand that not every Internet user is a computer expert, so if you find it difficult to install software, join an online forum like BleepingComputer.com, GeeksToGo.com or TechGuy.org and ask for assistance. It is extremely important to secure your computer before it gets infected with malware.

I just painted a pretty grim picture, didn't I? The burden placed on Internet Service Providers to check up on clients, to prove that clients are using unprotected computers, to penalise those who disobey the rules and to close down the accounts of regular offenders. Then there is the problem of high anti-malware prices and no more free anti-malware solutions for the people who cannot afford expensive anti-malware protection. But this is where the Internet is heading if we do not take action now. Online fraud is causing consumers to lose confidence in Internet shopping. Phishing scams are making users afraid of signing up for Internet banking services. People are wary of online payment and trading services like PayPal and eBay, no matter how safe they claim to be. Spammers are stealing bandwidth and Internet users have to cough up for the costs. Expensive hardware and software are needed to fend off Denial of Service attacks. Malware is at the root of all these problems. It is the biggest contributor to cyber crime and eliminating malware is like removing a species from the food chain. This will be a big blow to spam and bot networks, resulting in less spam and phishing scams, fewer Denial of Service attacks and fewer stolen identities, passwords and credit card numbers. All the money saved through proper prevention of malware, including malware related problems like spam and Denial of Service attacks, can be utilised to build better protection against malware and assist companies to continue the development of free anti-malware solutions for home users.

So what is the bottom line? Internet Service Providers need to take responsibility for their networks. Customers are paying for Internet access, free from spam and malware attacks. It is the responsibility of the ISP to keep spam and malware infections within acceptable limits. Proper legislation needs to be put into place and governments need to take action against ISPs if they allow these threats to rise beyond acceptable limits. How do ISPs keep these threats within acceptable limits? Listen to the complaints sent through to your abuse departments, stop ignoring them, terminate the services of regular offenders and publish these actions for everyone to see. Make examples of those who do not want to listen and soon enough you will have people sticking to the rules. People will continue to do what they want if they know there is no punishment for their wrongdoing.

About the Author
Coenraad is webmaster and founder of Cyber Top Cops, providers of free malware removal assistance and helpful Internet security tips for the novice user. In the next instalment of the PC Security DIY article series, we will look at the foundation of Internet Security, using a secure browser and e-mail client and getting into safe browsing and e-mail reading habits.