Google Chrome to abandon older versions of Windows and Mac OS X April 2016

Back in November of 2015, Google made an unwelcome announcement that was very bad news for users of older Windows and older Mac OS X versions.

In a Google Chrome Blog posting at that time, Google announced that it will stop providing updates to Google Chrome for the following Windows and Mac OS X versions:

  • Windows XP
  • Windows Vista
  • Mac OS X 10.6 (Snow Leopard)
  • Mac OS X 10.7 (Lion)
  • Mac OS X 10.8 (Mountain Lion)

NOTE: Linux 32-bit Distribution users see the end of this article for your sad news too, but most of you are already aware of this since it happens this month!

This does not mean Google Chrome will stop working in these OS versions — which would almost be better security wise. Instead, Google has decided to simply stop providing updates to the installed versions of Google Chrome for these OS versions.

This is very bad news since Google Chrome has Flash built in (which is updated as needed with Google Chrome). These older versions of Windows and Mac OS X will be doubly vulnerable. Over the years, these users have gotten used to not having to update Flash separately like you need to do in other browsers like Firefox, Safari, Opera, earlier versions of Internet Explorer, Pale Moon, etc.
Because Flash is built in to Google Chrome, these abandoned users will not be getting the Flash updates either.

This will make these older, non-updated versions of Google Chrome extremely vulnerable to browser attacks from infected websites. Malware purveyors will quickly begin to adjust their attacks (if they have not already in anticipation of this change) to look for these older vulnerable systems using outdated/vulnerable versions of Google Chrome as new attack vectors for these abandoned Windows and Mac users.

Those thinking that being a Mac user will make you impervious to attack, think again. Browser attacks are one thing that every operating system, including Windows, Mac and Linux, has been subject to these days. Sure, Windows users get hit more often, but that is because they are the biggest user base and have the largest target on their back; Mac users and Linux users can still get hit at times if they have outdated operating systems, Flash, Java, etc. Even Android has been hit by a banking trojan these days – reported March 9, 2016 by ESET’s We Live Security Blog.

With other browsers, you could simply remove Flash from the system and be done with it if you were concerned about it and didn’t mind losing the ability to see YouTube videos and other Flash supported content on other websites. Although, with HTML5 support coming right along, that could be moot.

Some might be quick to blame Adobe Flash, but apparently this is not the case as Adobe is quick to point out in at least two places that they support these OSes:

Plus other browsers such as Firefox clearly still support these OSes and Flash on these OSes. However, they will have to update their supported browsers to NOT include Google Chrome after April 2016 unless Google rethinks all this for at least a couple of the newer, of the older, OS versions. 😉

If Google does not give a reprieve/stay of execution, then once Adobe makes their final update to Adobe Flash in April 2016 and Google updates Google Chrome the final time for these OS versions to include that last Flash version, it will apparently be the last Google Chrome AND thereby Flash update that these Google-abandoned OSes will see, based on the Google Chrome blog article posted November 2015.

Google has been very quiet on the subject since that date so no reprieve or stay of execution even for the newer OS versions to be abandoned; Windows Vista and Mac OS X 10.8 (Mountain Lion).

It seems quite harsh to drop support for these two OS versions (Vista and Mac OS X 10.8 (Mountain Lion)) since Google supported the earlier noted OS versions like Windows XP and Mac OS X 10.6 (Snow Leopard) for so many years! But there it is.

If you are using one of these older OS versions of Windows or Mac OS X, read it and weep for the loss of a great browser like Google Chrome, and it may be wise to make the move to the newest version to date of Mozilla Firefox, 44.0.2 (STILL supports Mac OS X 10.6 Mountain Lion), or Opera (however NO support for Mac OS X 10.6 Mountain Lion, but does support Lion and Mountain Lion), which have not, so far, abandoned these users. But they are not the only players still in the game…

There is also another browser project that has gained a lot of popularity among Windows users — the Pale Moon browser. There are versions for Windows: Pale Moon, Pale Moon 64, Portable. There are also versions for:  Atom/XP, Linux and Android on the Download tab on the website.

There is also a Mac OS X version of Pale Moon 26.1.1 Unofficial available as of February 2016. As noted on their forum page:

Important note:
The Mac OSX version of Pale Moon is still very much in development. Your assistance in bringing this build to fruition is greatly appreciated, but you can expect there to be bugs and problems for a while yet!
Any specific bugs you find that don’t have their own topic yet: please make a new topic; one bug per topic please to keep things organized.
Please also note that these builds are currently created by BitVapor and Moonchild will likely not be able to provide insight or assistance due to lack of Mac hardware and OS/build knowledge for Mac.

Windows XP Vista already shows No Support Yellow Info band in Google Chrome

Those using these older versions of Windows (see image to the right) and Mac are already getting an annoying yellow warning info band across the top of their Google Chrome browsers. It is advising them to move to a more modern operating system. Wise move on Google’s part, and it also serves to show that they do not appear to be backing down from their November 2015 announcement.

That means Google Chrome users will need to do something to address the issues: either upgrade to a more modern operating system where possible; get a newer computer with a more modern operating system (preferable security wise), since all of these operating systems are older and most have been abandoned by their creators anyway, except Vista, for which that is coming next April 2017; or, barring all that, change to a supported browser or use an extension to address the old version of Flash issue (see end of article posting).

If you move to another browser, it will be very important to keep Adobe Flash updated, since only Google Chrome in Windows 7, 8.1 and Windows 10, or on Mac OS X Mavericks, Yosemite and El Capitan, will include Flash updates automatically with browser updates after April 2016.
NOTE: In addition, in Windows 8.1, the latest versions of Internet Explorer (IE10, IE11), and of course the new Edge browser on Windows 10 include Flash built in and updated for you like Google Chrome does.

Users of older versions of Windows and Mac are not the only ones to be abandoned/axed by Google Chrome in early 2016. ALL 32-bit Linux distribution versions are also being abandoned — this month — March 2016, as noted in BetaNews, Slashdot, PCWorld and other news outlets back in November and December 2015.

Even though many and maybe even most computers these days are 64-bit, there are still a lot of 32-bit computers and 32-bit operating systems in use around the world today so this may be a move forward for 64-bit, but it is also a sad day for all the 32-bit hardware/operating systems worldwide.

Of course, there are still several browsers like Firefox, Opera and Pale Moon available for Linux 32-bit computers, just as there are for Windows and Mac users. There are also some alternative browsers based on Firefox available (Pale Moon, noted earlier here, is included), and distro-specific versions of Firefox like Iceweasel in Debian Linux, etc.

For all users of Google Chrome, there are some Flash blocking or control Extension possibilities that can protect everyone, but particularly these older users from having Flash run all the time if they choose to continue to use Google Chrome:

WinPatrol Changing of the guard

WinPatrol – Scotty

WinPatrol has been very important over the years. I have several (six I think at least) lifetime memberships of WinPatrol software and I install it on all my Windows installs personally and for my friends, family and clients. It has been a staple in my security arsenal for many years now, and BillP has been a great friend to all of us.

BillP, thank you so much for continuing to look for someone who would fit the bill, as it were, and you certainly found a great choice!

I am very excited about the promise that Bret Lowry made to WinPatrol customers:

My commitment to WinPatrol customers is as follows:

One, your lifetime PLUS licenses are just that, lifetime licenses. That was the easiest topic in our negotiation and is written into the contract.

Two, WinPatrol will not have toolbars or other “add-ins” added to it or its installer. Installers that do that drive me crazy because I’m the guy people call to “fix” their computer after the installer completes its hijacking. I am not going to do that to my customers.

Three, I will be responsible for answering support questions, even more incentive to play nicely and stand-by item two above. And

Four, I use WinPatrol myself and therefore am committed to the continued improvement of WinPatrol. I am honored to have earned Bill’s trust and confidence in his allowing me to purchase WinPatrol. Bill has run WinPatrol with integrity since its inception, as a founder of Ruiware (along with my wife), I promise we will carry on that tradition.”

BillP, after reading your blog posting and Corrine’s Security Garden posting, I was totally thrilled to read about Bret Lowry, Ruiware, LLC being your choice.

Totally awesome! I knew you wouldn’t let us down! Thank you Bill for all the years you have given to us! We totally understand your need to step aside and wish your family all the best and your family is ever in my thoughts and prayers.

Corrine, thank you for letting us know of the change right away!

This must be a bittersweet day for BillP; to let go of his baby, to turn it over to someone else, but sweet knowing he turned it over to a great guy who will care for his customers the way he did.

Hi Bret Lowry! I am excited to meet you in Bits from Bill and from Security Garden Blog. Thank you for putting our minds at ease about the commitment you have given us. Hope you will still do the sales periodically like BillP always did and keep the price economical and the free edition which is so important.

On WinPatrol.com:

I’m very happy to announce WinPatrol’s future will be in the hands of Ruiware founder and former lead at Sunbelt Software, Bret Lowry. If you read today’s post and download our new version later today you’ll understand why I’m confident Scotty is in good hands.

And this wonderful note from Bret too:

WinPatrol.com – WinPatrol from Ruiware. “When I discovered WinPatrol I knew it was a winner and a program I’d install for my entire family. WinPatrol customers matter. You still won’t find obnoxious toolbars when you download WinPatrol. Instead, we help you get rid of them. Thanks, Bret Lowry”

In closing, I would like to echo Corrine’s thoughts from her Security Garden blog entry:

On a personal note, I have long respected Bill Pytlovany and, because of his honesty and high ethical standards, held him in high esteem.  I know I won’t be losing contact with him but still wish to take this opportunity to publicly thank Bill for providing an excellent product.

I could not have said it any better!

Microsoft has quietly stopped serving security updates to Internet Explorer 11 (IE11)

Microsoft has quietly stopped serving security updates to Internet Explorer 11 (IE11) on Windows 7  according to an article on Computerworld:

Microsoft strips some Windows 7 users of IE11 patch privileges – Computerworld

Microsoft has quietly stopped serving security updates to Internet Explorer 11 (IE11) on consumer and small business Windows 7 PCs unless the customer has successfully applied an April update for the browser.

The requirement and associated patch stoppage were similar to those Microsoft mandated for Windows 8.1 when it told customers they had to migrate to Windows 8.1 Update by June 10 or lose their patch privileges. The Windows 7 requirement, however, affected only IE11, Microsoft’s newest browser, not the operating system.

This type of thing is very hard to understand. Why would Microsoft do such foolish things? Why would they cut off their nose to spite their face by making things so difficult for their users? Windows Update should provide what is needed as it is needed. Period. If they can’t figure out how to do that, maybe they need to get someone in there to help them do the updates.

At this rate, they will be causing more people to move from Windows to other platforms like Mac and Linux. Do they not realize this? Not to mention that people need their security updates not just for the operating system but for the browser. If they want to maintain market share with their IE browser, they are showing a very strange way of doing that by cutting off the very much needed security updates because one hasn’t installed as yet. Why is it not installed? That is what should be addressed here.

“All future security and non-security updates for Internet Explorer 11 require you to have update 2919355 or update 2929437 installed in order to receive updates (emphasis added).”

With the way that malware is attacking Microsoft Windows, I cannot see how they can feel it is OK to do this, as well as stopping support for Windows XP when it has still garnered nearly a third of all users worldwide even after security update support was ended for Windows XP. As of today, June 15, 2014, it still garners over 25% or 1/4 of the total global market:

netmarketshare.com as of 6-15-2014 – choose operating system Desktop Share by Version

 

May 2010 Windows 2000 fell below 5% and end of life for Extended Life Support of Windows 2000 was July 10, 2010 so WINDOWS 2000 FELL below 5% TWO MONTHS BEFORE SUPPORT ENDED.

OS Statistics – w3schools_org – includes less than 5% Win2K market share at time of end of support (PDF)

Windows 2000 End-of-Life – Strategic Technology Resources – Site Home – TechNet Blogs-11-10-2009 (PDF)

Netmarketshare postings.

Then the Windows 8.1 Update 1 fiasco and now this IE11 fiasco.

There is something very anti-customer about all of this, don’t you think? Especially in light of the fact that Windows is the most high profile target for malware purveyors because it garners the greatest marketshare.

I personally feel Microsoft has made a BIG mistake ending support for Windows XP when it still holds slightly over 25% or 1/4 (one quarter) of the total global marketshare as shown above. And they are continuing to make security missteps for Windows 8.1 and Windows 7 users now too.

I do not understand. Microsoft has never been this way before in its long history of being customer centric. It just does not make sense.

eBay – Change your passwords

Yep, this announcement was published by eBay and retracted and then put back out again. So yes, this is real.

EBay customers must reset passwords after major hack  CNN Money

Not just a rumor… as a precaution, in case the hackers are really good… time to change your eBay passwords.

Hackers quietly broke into eBay two months ago and stole a database full of user information, the online auction site revealed Wednesday.

Criminals now have possession of eBay customer names, account passwords, email addresses, physical addresses, phone numbers and birth dates.

The company said the passwords were encrypted and are virtually impossible to be deciphered. Still, as a precaution, eBay is asking everyone to reset their passwords late Wednesday.

The company isn’t saying how many of its 148 million active accounts were affected — or even how many customers had information stored in that database. But an eBay spokeswoman said the hack impacted “a large number of accounts.”

eBay Suffers Massive Security Breach, All Users Must Change Their Passwords – May 21, 2014 – Forbes:

eBay is taking the breach extremely seriously stating that users employing the same password across eBay and other sites should also change those passwords. It stresses your eBay password should be unique.


eBay Inc. To Ask eBay Users To Change Passwords – eBay Announcements page (Posted May 21st, 2014 at 8:50 AM):

eBay Inc. To Ask eBay Users To Change Passwords

Earlier today eBay Inc. announced it is aware of unauthorized access to eBay systems that may have exposed some customer information. There is no evidence that financial data was compromised and there is no evidence that PayPal or our customers have been affected by the unauthorized access to eBay systems. We are working with law enforcement and leading security experts to aggressively investigate the matter.

As a precaution, we will be asking all eBay users (both buyers and sellers) to change their passwords later today. As a global marketplace, nothing is more important to eBay than the security and trust of our customers. We regret any inconvenience or concern that this situation may cause you.  We know our customers and partners have high expectations of us, and we are committed to ensuring a safe and secure online experience for you on any connected device.

Click here for updates and additional information.

That Click here link above: Frequently Asked Questions on eBay Password Change – ebayinc.com:

What happened?

Our company recently discovered a cyberattack that compromised a small number of employee log in credentials, allowing unauthorized access to eBay’s corporate network. As a result, a database containing encrypted password and other non-financial data was compromised. There is no evidence of the compromise affecting accounts for Paypal users, and no evidence of any unauthorized access to personal, financial or credit card information, which is stored separately in encrypted formats. The company is asking all eBay users to change their passwords.

What customer information was accessed?

The attack resulted in unauthorized access to a database of eBay users that included:

  • Customer name
  • Encrypted password
  • Email address
  • Physical address
  • Phone number
  • Date of birth

Was my financial information accessed?

The file did not contain financial information, and after conducting extensive testing and analysis of our systems, we have no evidence that any customer financial or credit card information was involved. Likewise, the file did not contain social security, taxpayer identification or national identification information.

Has the issue been resolved?

We believe we have shut down unauthorized access to our site and have put additional measures in place to enhance our security. We have seen no spike in fraudulent activity on the site.

BOLD RED emphasis mine.

More in the article.

I think there is some truth to this too:

eBay’s handling of cyber attack ‘slipshod’ – The Telegraph:

A British security expert has branded eBay’s reaction to a huge cyber attack “slipshod” as emails warning customers that their personal details were stolen have still not been sent out, almost 24 hours after news of the security breach was inadvertently leaked

I certainly would have appreciated an email (not with a link in it necessarily), but a message within my eBay would have been good. I don’t click links in email, but I would have gone to the eBay announcements link at the bottom of every eBay page.

However, as a user, I really appreciate that eBay was forthcoming in the ebayinc.com FAQ.

I changed my eBay password as soon as I heard about it the first time. If you haven’t, please, go take care of that and make sure it is a unique password.

IE Zero-Day Vulnerability

Microsoft Security Advisory 2963983 – Vulnerability in Internet Explorer Could Allow Remote Code Execution – TechNet

General Information

Executive Summary

Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.

The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. For information about protections released by MAPP partners, see MAPP Partners with Updated Protections.

Microsoft continues to encourage customers to follow the guidance in the Microsoft Safety & Security Center of enabling a firewall, applying all software updates, and installing antimalware software.

Mitigating Factors:

  • By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.

  • By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. The Restricted sites zone, which disables script and ActiveX controls, helps reduce the risk of an attacker being able to use this vulnerability to execute malicious code. If a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario.

  • An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  • In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website.

More information in the full article. There is no patch. But Microsoft has given some recommendations which are easier to understand at Security Garden’s posting:

Recommendations

As illustrated in the “Security Research and Defense Blog” reference below, users of IE 10 and 11 should ensure they haven’t disabled Enhanced Protection Mode.

Another option is to install the Enhanced Mitigation Experience Toolkit (EMET). The recommended setting for EMET 4.1, available from KB Article 2458544, is automatically configured to help protect Internet Explorer. No additional steps are required.

See the Tech Net Advisory for instructions on changing the following settings to help protect against exploitation of this vulnerability:

  • Change your settings for the Internet security zone to high to block ActiveX controls and Active Scripting

  • Change your settings to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.

 

Those still using Windows XP on the Internet, please be aware:

VERY IMPORTANT FOR ANY HOLD OUT WINDOWS XP USERS

This is the first of the security vulnerabilities that DOES NOT include workarounds for Windows XP. The oldest Windows versions noted as being affected are: Windows Server 2003 SP2 and Vista SP2.

IMPORTANT NOTE: Once a Microsoft product’s support has expired — as is true now about Windows XP SP3 since April 8, 2014 — Microsoft no longer lists it as affected by the vulnerabilities being patched. Microsoft only lists Windows versions which are still under Mainstream Support or Extended Support. This has always been the case.

If anyone is still using Windows XP on the Internet (UNWISE!!), it would be strongly recommended to disallow IE (Internet Explorer) access to the Internet through your software firewall*, and use another browser like Firefox and Google Chrome which will still be getting updates for a time.

* Any Windows XP users still on the Internet should at least have:

  • a hardware router with Stateful Packet Firewall
  • should be using a ‘real’ software firewall as well as a good AV program. Just one good choice that will continue to support Windows XP is ESET’s Smart Security which is a very good antivirus and firewall. It is the one I use. It is not free. There are several free antivirus programs but not many free security suites.
  • block Internet Explorer through the ESET or other software firewall.
  • should be using a 3rd party browser like Mozilla Firefox with NoScript, Adblock Plus and WOT to help sort out safer search results on search engines, or Google Chrome with ScriptSafe, Adblock Plus and WOT Extension.
  • uninstall Java entirely, keep Adobe Flash religiously updated for Firefox as long as Adobe continues to provide them. Google Chrome updates Flash within itself. Might want to switch from Adobe Reader to Sumatra PDF reader which is a simple PDF viewer.
  • need to be even more careful than ever before about where you go. The bad guys will be looking with great anticipation for computers with expired Windows XP.
  • no risky behavior
  • no banking … note very soon banks will be disallowing expired Windows XP entirely anyway.

IMPORTANT: You cannot block a program from getting out to the Internet with the Windows XP Firewall. It is only a one-way firewall. It only monitors incoming Internet requests, instead of both ways as any real firewall, including the Windows 7 and Windows 8 built-in software firewalls, does.

Here’s a quote from a ZDNet article:

To those planning to stick resolutely with the aged Windows XP operating system even after Microsoft ends support next year, the advice from experts is simple: Don’t do it.

Again: I would strongly suggest you get a new computer, upgrade your computer if it can be upgraded to a modern/still supported Windows such as Windows 7 or Windows 8, or get a Mac, or you could convert/upgrade the computer to Linux or use a Linux LiveCD to visit the Internet and still use Windows XP as a standalone NOT CONNECTED TO THE INTERNET computer.

If you need help with any of this, please contact your computer guru, join a forum like Scot’s Newsletter Forums – BATL (Bruno’s All Things Linux) to ask questions, or you can use the contact info on my website to contact me for some help.

Apple Security Updates – Safari for Macs

Apple security updates

Safari 6.1.3 and Safari 7.0.3 – April 1, 2014

Affects

  • OS X Lion and OS X Lion Server v10.7.5
  • OS X Mountain Lion v10.8.5
  • OS X Mavericks v10.9.2

About the security content of Safari 6.1.3 and Safari 7.0.3 – HT6181:

This document describes the security content of Safari 6.1.3 and Safari 7.0.3.

This update can be downloaded and installed using Software Update, or from the Apple Support website.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see “How to use the Apple Product Security PGP Key.”

Where possible, CVE IDs are used to reference the vulnerabilities for further information.
To learn about other Security Updates, see “Apple Security Updates”.

Safari 6.1.3 and Safari 7.0.3

  • WebKit
    Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.2
    Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
    Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling

More in the KB HT6181 article about the specific CVE-IDs addressed.

 

According to the ITWire article:

Specific changes called out by Apple are a fix for an issue that could cause the search and address field to load a webpage or send a search term before the return key is pressed, support for generic top-level domains (so that Safari loads the requested page instead of treating it as a search term), and strengthened Safari sandboxing.

Very important update.

MS Word users warned of ongoing attacks exploiting unpatched bug

Microsoft warns Word users of ongoing attacks exploiting unpatched bug – Computerworld

Biggest worry, says expert, is that exploits are triggered just by previewing malicious messages in Outlook 2007, 2010 and 2013

Microsoft today warned users of Word 2010 that in-the-wild attacks are exploiting an unpatched vulnerability in the software.

The company also published an automated tool to protect customers until it issues a patch.

“An attacker could cause remote code execution if someone was convinced to open a specially-crafted Rich Text Format (RTF) file or a specially-crafted mail in Microsoft Outlook while using Microsoft Word as the email viewer,” said Dustin Childs, group manager and spokesman for Microsoft’s Trustworthy Computing group in a blog Monday.

BOLD in the quote is mine.

Microsoft put out a Security Advisory 2953095 as Corrine noted on her Security Garden Blog including Fix it buttons for enabling and disabling reading email messages in plain text format.

This is one of the things for which both Microsoft in Outlook and Apple in Mail have massively fallen down on the job. This would not be happening if you could easily toggle various view options such as HTML or Plain Text for reading emails, as well as allowing and disallowing images inline.

This is something that I am very thankful that Mozilla Thunderbird got right from the very beginning. Mozilla Thunderbird gives very granular control regarding the various ways to Display email messages such as in PLAIN TEXT, SIMPLE HTML (simple html with javascripting disabled), or ORIGINAL HTML.

You also have control over how images are displayed or not in several ways and differentiating between attached images and remote images.

You can also choose to enable Do Not Track in emails. There are Security Add-ons like Adblock Plus, Enigmail (OpenPGP), and more, as well as lots of specialized Add-ons. One of these that I like is QuickText, along with a few others. Thunderbird works on Windows, Mac and Linux.

There is also Postbox, which is pay to play ($9.95, I think) but also has a free trial. It was originally for Macs and now there is a Windows version as well. It was created by the original developers of Thunderbird. It has some but not all of the Add-ons that Thunderbird has.

/rant on

I am not saying everyone should move to Mozilla Thunderbird. What I am saying is that Microsoft Outlook and Apple Mail should give their users these types of granular control so people can choose how they wish emails to be viewed. Both do some things but they stop way short of what is really needed in this day and age with emails.

HTML is like a venetian blind. It hides what is behind it. You can’t see what is behind all that HTML. You can’t decide to see HTML only if you trust the email after viewing what is in that email. This makes it way too easy for phishing emails to look like your bank, PayPal, your credit card company, etc. It also allows companies to track you with web beacons, transparent gif images and other remotely loaded images so they know if and when you view their email.

Something needs to be done about all this. Mozilla Thunderbird makes it so easy for folks to toggle images so they can’t track you, or use SIMPLE HTML to keep the ‘form’ of an email message without the more dangerous javascripting. It also allows you to view the email entirely in plain text so you can see that the link that appears to be going to your bank actually goes to some strange URL that has nothing to do with your bank or a store you may or may not do business with.

People need these tools. Some may or may not realize it, but they really do.

I have heard so many people say that the email looked just like it was from their bank and they fell for it. Or it looked like a store they frequent, and they gave up their login credentials by clicking on the link rather than going to the website because it looked like it was the store’s promotion.

Sure, no one should click on links in email, but if it looks legit, many do. Sure, if you like something in a promotion for a store, it might be better to just go to the store’s website but some stores really don’t have a page on their website that is clickable to get you there, unless you click on the link in an email. Also, the links are often obfuscated by third party trackers and campaign tracking sites, etc. This all makes life very difficult for email users to know what’s good and what’s not.

OK, I will get off my soap box now.

/rant off
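The check that a plain-text view makes possible, as an added example rather than code from Thunderbird or the original post: this Python script parses a constructed HTML message, lists each link's real target beside its visible text, flags links whose text names a different host, and lists remote images that could act as web beacons. The sample message, its domains, and the names `Reveal`, `host` and `inspect_email` are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; every name and domain is made up (.example is reserved).
SAMPLE_EMAIL = """\
From: "Example Bank" <alerts@bank.example>
To: user@mail.example
Subject: Action required
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please confirm your account:
<a href="http://login.bank.example.unrelated-site.example/verify">https://www.bank.example/login</a></p>
<p><a href="https://www.bank.example/help">Help centre</a></p>
<img src="https://track.mailer.example/o.gif?id=abc123" width="1" height="1">
<img src="cid:logo@bank.example" width="120" height="40">
</body></html>
"""

class Reveal(HTMLParser):
    """Collect what the rendered HTML hides: link targets and remote images."""
    def __init__(self):
        super().__init__()
        self.links, self.remote_images = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href, self._text = attrs["href"], []
        elif tag == "img" and urlsplit(attrs.get("src") or "").scheme in ("http", "https"):
            # Fetched from a server when the mail is opened, so it can act as a beacon.
            self.remote_images.append(attrs["src"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

def host(url):
    return (urlsplit(url).hostname or "").lower()

def inspect_email(raw_message):
    """Return all links, links whose visible text names a different host, and remote images."""
    msg = message_from_string(raw_message, policy=default)
    part = msg.get_body(preferencelist=("html",))
    parser = Reveal()
    parser.feed(part.get_content() if part else "")
    shown = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)
    mismatched = [(text, href) for text, href in parser.links
                  if (m := shown.search(text)) and m.group(1).lower() != host(href)]
    return {"links": parser.links, "mismatched": mismatched,
            "remote_images": parser.remote_images}
```

Attached images referenced with `cid:` are not listed, because they travel inside the message and contact no server when displayed.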

 

A few security lessons from the Target breach

A few security lessons from the Target Breach by Susan Bradley, WindowsSecrets.com

The Target breach points out some facts of life on the Web: We’re all targets (pun intended) of cyber thieves.

Fortunately, there are steps we can take to protect ourselves. Here’s how to protect yourself from the next big breach.

I am a target. I shop online, I shop in large department stores, and I regularly use credit and debit cards. Shopping at large stores that process thousands of sales daily makes me even more of a target, because my transaction information (name, account number, etc.) gets combined with that of all other shoppers. And I became a potential victim when I shopped at Target this past Christmas shopping season.

These days, every time I swipe my credit card on a point-of-sale system, I think to myself: “Is this vendor doing all they can to keep me safe?” Retail companies believe they are; claiming that by following the Payment Card Industry (PCI) standards, they’re doing all they can to keep customer credit-card information safe. But I’m not convinced — especially in the U.S. European credit cards are considered more difficult to hack because they use an onboard security chip rather than the magnetic stripe common on U.S. cards.

This is so true! The article covers some great topics regarding malware designed to attack retail point-of-sale systems, When fishing, go for the biggest catch, and Ways to help protect yourself from POS attacks.

Must read article.

There is also another excellent article from Wired.com that is also a must read:

Target Got Hacked Hard in 2005. Here’s Why They Let It Happen Again by Kim Zetter – Wired Threat Level

A gang of shadowy hackers tears through the systems of big-box retailers, making off with millions of credit and debit card numbers in a matter of weeks and generating headlines around the country.

Target and Neiman Marcus last week? Nope. This oh-so-familiar attack occurred in 2005.

That’s when Albert Gonzalez and cohorts – including two Russian accomplices — launched a three-year digital rampage through the networks of Target, TJ Maxx, and about half a dozen other companies, absconding with data for more than 120 million credit and debit card accounts. Gonzalez and other members of his team eventually were caught; he’s serving two concurrent sentences for his role, amounting to 20 years and a day in prison, but the big-box breaches go on.

The latest string of hacks attacking Target, Neiman Marcus, and others raise an obvious question: How is it that nearly a decade after the Gonzalez gang pulled off its heists, little has changed in the protection of bank card data?

Oh, and just in case you have forgotten them all, here is a list of all the others:

Target got off easy in the first breach: A spokeswoman told Reuters an “extremely limited” number of payment card numbers were stolen from the company by Gonzalez and his gang. The other companies weren’t as lucky: TJX, Hannaford Brothers grocery chain, the Dave & Busters restaurant chain, Office Max, 7-Eleven, BJ’s Wholesale Club, Barnes & Noble, JC Penney, and, most severely, Heartland Payment Systems, were hit hard.

BOLD emphasis mine.

Again, much more in the must read article including sections: What the Target Thieves Got, Inherent Flaws In the System, and the most telling section, Retailers Oppose Tougher Standards.

And as if that wasn’t bad enough, just yesterday on January 25th, Michaels too:

Sources: Card Breach at Michaels Stores by Brian Krebs – KrebsOnSecurity.com

Multiple sources in the banking industry say they are tracking a pattern of fraud on cards that were all recently used at Michaels Stores Inc., an Irving, Texas-based arts-and-crafts retailer that maintains more than 1,250 stores across the United States.

Update 1:34 p.m. ET: The U.S. Secret Service confirmed that it is investigating a potential data breach at Michaels. Also, Michaels has just issued a statement stating that it “recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting that the Company may have experienced a data security attack.”

I think Gartner analyst Avivah Litan’s quote in the January 17, 2014 Wired Threat Level article was spot on:

“It’s a big failure of the whole industry,” says Gartner analyst Avivah Litan. “This is going to keep getting worse, and this was totally predictable a few years ago and no one did anything. Everyone got worked up, and no one did anything.”

Often these days, I will get cash from the bank and use that instead of the card if I plan on visiting any retailers that have been a part of a security breach, which sadly leaves few where you can actually feel comfortable using your credit/debit cards online and off.

I wonder how many others will do the same rather than chance the annoyance, the fear of loss of your hard earned money, the frustration of being without a card while it’s replaced when they disable the current one that’s compromised in a security breach or is used in a fraudulent transaction after a breach (even if it’s limited to $50 or whatever, that’s really not much help for the anxiety it puts people through), and finally of course dealing with the aftermath of your information being at large and the potential of someone using that information to impersonate you. Believe me, a 6 month or 12 month credit monitoring does not help that much, or help you sleep at night, knowing what all that information being out there could be used to do as more and more of your information is made available through these breaches.

If retailers and credit/debit card companies want our ‘faith’ in them, and have us get the warm fuzzies regarding them being responsible enough to be trusted with other people’s money, they need to do what’s needed to get that faith back. Period.

And skimping on it like they did in 2005 won’t cut it, nor will the PCI compliance standards and the blame game. Something really needs to be done about this. People need to feel comfortable using credit/debit cards or they will go the way of the dodo.

Fix the problem, not the blame.*

Thanks to the movie, Rising Sun for the quote.

BTW: Might want to check out the Privacy Rights Clearinghouse and their page on data breaches since 2005. There have been quite a few more than just those noted in this posting!

EDIT 1-26-2014 8:508PM: @SecurityGarden posted the following and linked to this article; Exclusive: FBI warns retailers to expect more credit card breaches – Reuters:

@SecurityGarden Status regarding expanding on this posting on the security breaches

XP SP3 and Office 2003 Support Ends April 8, 2014

Windows XP has been around since August 24, 2001 – 12 years ago now. It is getting VERY long in the tooth.

Windows XP SP3 and Office 2003 Support Ends April 8th, 2014

Like many Operating System versions, Windows XP was not such a great OS in the beginning. BUT, like many Microsoft products, it got better after Service Pack 1 (SP1), but wasn’t the best it could be till after Service Pack 2 (SP2) and mildly better after Service Pack 3 (SP3). SP3 is the current version of Windows XP.

I loved Windows XP for a long time, even though it was getting long in the tooth. But I have come to love Windows 7 even more. Windows 8 … the jury is still out. For me I use several different operating systems. I also love and use Mac OS X or just OS X (as it is called now) and Debian Linux.

Windows XP has been on life support or Extended Support since April 8, 2009 when Mainstream Support ended. That was after two stays of execution as it were since it was supposed to be ended earlier than 2009.

Windows XP has been the mainstay for many folks for a long time in the Windows world — the last 12 years. That’s a long time for an Operating System version.

Windows XP still holds the #2 spot at 31.24% of computer users as shown below in the graph from NetMarketShare.com:

NetMarketShare.com Operating System Breakout - November 1, 2013

Windows 7 holds the #1 spot for a very good reason. It is still the best of the newer Operating Systems from Microsoft to date — in my opinion and nearly half of all Windows users to date. And Windows 7 is still good to go until January 14, 2020 (end of Extended Support – it is still in Mainstream Support until January 15, 2015). Here’s the break out of the Windows lifecycle fact sheet info:

Windows Life Cycles from the Windows Life Cycle Fact Sheet

I have said all this because we need to see where we are, and where we need to be as computer users, particularly as Windows users with April 8, 2014 looming over those of us still using Windows XP.

Especially in the light of the pervasive malware purveyors out there today.

We need to make sure we are all no longer using Windows XP of any kind before or at least by April 8, 2014 when Microsoft will no longer be providing ANY security updates for Windows XP.

A few years back they did the same thing with Windows 2000. It’s now Windows XP’s turn.

Please read the following articles to see why this will be very important:

Windows XP infection rate may jump 66% after patches end in April – Computerworld

Microsoft yesterday again put the scare into Windows XP users, telling them that after April 8, 2014, the chance that malware will infect their PCs could jump by two-thirds.

Windows lifecycle fact sheet – Microsoft.com (image above)

New stats show Windows 8 usage up sharply as XP usage plummets – ZDNet (for curiosity though, look at the difference between the table on ZDNet’s article and the one today).

NetMarketShare (choose Operating Systems from the dropdown to see the chart above in real time)

Gartner Says Worldwide PC, Tablet and Mobile Phone Shipments to Grow 4.5 Percent in 2013 as Lower-Priced Devices Drive Growth – Gartner.com

Source: Gartner Oct 2013 - Worldwide Device Shipments by Segment

It would appear that, as predicted, many around the world are moving to other types of computers, in particular mobile devices. This was forecast and it would seem to be coming to pass rather dramatically now.

It is amazing to see the number of people who rarely if ever use their desktop computers these days, relying on their mobile devices for almost all, if not all, their computing and Internet needs. Some folks no longer even have a computer other than a tablet, like the iPad or Nexus Tablet, or Surface, etc., or just use their smartphones for their email, browsing, messaging, gaming, etc. which is the bulk of what people seem to do on the Internet these days. Unless, of course, their work or business, or gaming bents, are important to them. Having said that, even gaming has very much gone mobile for many people.

I am hoping that folks will take a look at the overall picture and determine which direction they wish to go now that there are only a few months left before Windows XP will no longer be a viable Internet connected computer.

Will a Desktop or Laptop be the way to go, or will a Mobile device like a Tablet or maybe even just a smartphone be enough for many folks? Staying with Windows or moving to a Mac may also be a consideration.

No matter which way folks ultimately go, deciding will be important and thinking about this is really needed with Windows XP going away in just a short few months.

Over 31% of computer users will need to make this decision before April 8, 2014, if they wish to remain as safe as they can be on the Internet.

Even with Google Chrome continuing to support Windows XP SP3 a year after Microsoft (till 2015), if the Operating System itself has no updates, that will certainly not be enough.

Lots to think about and only a few months to decide … Windows XP SP3 and Office 2003 Support Ends April 8th, 2014

WinPatrol PLUS For Everyone Just $2

Tech gift guide: Gift copy of WinPatrol Plus gives lifetime of PC protection – USAToday

There are a couple of reasons you might want to shell out $29.95 for gift copies of WinPatrol Plus and give them to all the PC users on your shopping list.

WinPatrol may be one of the best kept secrets in computer protection. What’s more, it is the creation of an iconic tech personality, Bill Pytlovany, one-man researcher/developer/distributor at BillP Studios.

Pytlovany has a loyal following of tech geeks who swear by the basic version of WinPatrol, which he created in 1997, graciously keeps updated and continues to make available for free — for the greater good.

I found the above article while reading BillP’s blog posting: WinPatrol PLUS For Everyone Just $2:

About once a year I go crazy and try to introduce WinPatrol PLUS to the folks who have never heard of WinPatrol or have never experienced this small powerful app. For over 15 years WinPatrol has been recommended by friends and family but I never invested in any kind of expensive PR campaign.

I heard about WinPatrol many years ago, at least 10-15 years ago … it could have been when it first came out. But I am not really sure. I could have found WinPatrol from Corrine at one of the Anti-Spyware forums I frequented, or FreedomList where she is an admin, or at Scot’s Newsletter Forum where she is also a fellow admin. Or it could have been through Fred Langa’s LangaList which I subscribed to for many years before Fred merged LangaList with WindowsSecrets Newsletter with Brian Livingston who himself retired in 2010, or from an article in WindowsMag (one of my all time favorite magazines. I was very sad that CMP retired Windows Mag on June 25, 1999 but we did have an online version at WinMag.com for a couple more years). WinMag had some great writers and they all knew BillP. WinMag and PCMag were my initial magazines for Windows in the early days. It is where I read great articles from: Scot Finnie, Fred Langa, Mike Elgan, Karen Kenworthy (1), and many other great writers (I used to know all their names off the top of my head, now these four I remember the most). But, I digress…

This is a great time to consider buying WinPatrol PLUS for only $2! Can’t beat it! And BillP’s WinPatrol is a best in class software! Check out the Free version at WinPatrol.com, and upgrade if you like it. Can’t go wrong for $2.

For those who (EEEK!) might still be using Microsoft’s old and long unsupported OSes, Windows 98 or Win2K, WinPatrol Downloads has something for you as well.

BillP’s  Message to Windows XP users – Very important as the April 2014 retirement of Windows XP approaches.

WinPatrol runs on Windows XP, Vista, Windows 7 and Windows 8 including x64 versions.

USA Today says…

“…best kept secret in computer protection.”