Category Archives: #Fail

A Banking View on Windows XP and the End of Support: See It, Block It

By Christopher Budd

We are a couple of days away from a proverbial red letter day: the end of security support for Windows XP on April 8, 2014.

For the past few months, we’ve been talking about this impending event. We’ve talked about what people can expect in terms of the number of vulnerabilities they may see when Microsoft stops issuing security patches. And we’ve tried to make very clear that this is a situation that can affect everyone, not just those running Windows XP.

When we talk about the dangers that people on Windows XP pose to others, there’s probably no single industry that faces a greater set of risks from users being on Windows XP than banking and finance. More than any other industry, banking and finance face significant risks of fraud and loss due to their customers’ unwise decision to stay on Windows XP. As an industry facing extraordinary, unprecedented risks around Windows XP, banking and finance should consider equally extraordinary, unprecedented steps to protect themselves: alerting customers who are on Windows XP to the risks and encouraging them to upgrade. In some cases, especially as time goes on, the banking and finance sector should consider taking steps to block customers still on Windows XP from their services entirely.

The reason that banking and finance are so much at risk from their users being on Windows XP is that unpatched vulnerabilities will be found and attacked on Windows XP. And as we’ve shown in our 2013 Threat Roundup, online banking malware is a huge problem. From 2012 to 2013, detections of online banking malware more than doubled, from 500,000 worldwide in 2012 to more than 1 million in 2013. The United States and Brazil alone accounted for 50%, or 500,000 detections, of online banking malware. Skyrocketing online banking malware combined with a coming slew of never-to-be-patched vulnerabilities means that online banking on Windows XP is going to become incredibly dangerous soon. And while that is a risk to the users of those Windows XP systems, in aggregate and in the end, it’s those users’ banks and financial institutions that face the greatest risks.

From a technological point of view, when users go to websites, it’s a relatively simple matter to detect the browser and operating system that’s accessing the site. Using that information to create an alert that makes people aware of the risks of being on Windows XP, and of what they should do about it, is an easy way to help spread the word. A step like this will reinforce the actions Microsoft itself is taking to alert users through on-screen messages. The broader the net is spread to pass the word about these risks, the better.

But warnings may not be enough. People tune warnings out and ignore them. We shouldn’t fool ourselves into thinking that warnings alone will be sufficient. And as time goes on, this situation will become worse and worse. Banks and financial institutions should also start considering the drastic measure of actively blocking users on Windows XP from using their online services entirely.

This is clearly an extreme measure as it will cause lost business. But this step may be justified, especially if the risks of financial losses from Windows XP users exceed the risks of losses from losing those customers. It’s not desirable to turn customers away, but businesses do it all the time in service of their larger concerns. The coming situation with Windows XP and the risks those users pose to their banks and financial institutions is a good example of when these larger considerations pertain.
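The detection-then-escalation approach described above, as an added example that is not code from the original post or from Trend Micro: the client operating system is read from the User-Agent header (Windows XP advertises itself as `Windows NT 5.1`, and XP x64 shares `Windows NT 5.2` with Server 2003), each request gets an allow, warn or block decision, and the decision flips from warn to block once an assumed 90-day grace period after the April 8, 2014 end-of-support date has elapsed. The log lines, the grace period and all function names are constructed for illustration. The User-Agent is set by the client and can be altered freely, so the classification is a risk signal for messaging and policy rather than proof of anything; a missing or unrecognised header is not evidence of a supported OS either.

```python
"""Classify web requests by client OS from the User-Agent header and apply an
escalating warn-then-block policy for Windows XP clients.

Added example, not part of the original post. Sample log lines, the grace
period and the function names are constructed for illustration.
"""
import re
from collections import Counter
from datetime import date, timedelta

# From the article: Microsoft ended security support for Windows XP on this date.
END_OF_SUPPORT = date(2014, 4, 8)

# Windows NT kernel versions as they appear in browser User-Agent strings.
# 5.1 is Windows XP. 5.2 is shared by Windows XP x64 Edition and Windows
# Server 2003, so it is a weaker signal; both are treated as XP here.
XP_NT_VERSIONS = {
    "5.1": "Windows XP",
    "5.2": "Windows XP x64 / Server 2003",
}

_WINDOWS_NT_RE = re.compile(r"Windows NT (\d+\.\d+)")
# Combined Log Format: the User-Agent is the last double-quoted field.
_LOG_UA_RE = re.compile(r'"([^"]*)"\s*$')


def detect_windows_xp(user_agent):
    """Return a label if the User-Agent advertises Windows XP, else None.

    The header is client-supplied and freely changeable, so a match is a
    risk signal for messaging and policy, not proof; a non-match is not
    proof of a supported OS either.
    """
    match = _WINDOWS_NT_RE.search(user_agent or "")
    if not match:
        return None
    return XP_NT_VERSIONS.get(match.group(1))


def decide_policy(user_agent, today, grace_days=90):
    """Return 'allow', 'warn' or 'block' for one request.

    Supported clients are allowed. XP clients get a warning banner until a
    grace period after the end-of-support date has elapsed, after which
    they are blocked. The 90-day grace period is an assumed value.
    """
    if detect_windows_xp(user_agent) is None:
        return "allow"
    if today < END_OF_SUPPORT + timedelta(days=grace_days):
        return "warn"
    return "block"


def triage_access_log(lines, today):
    """Count policy outcomes over access-log lines in Combined Log Format."""
    counts = Counter()
    for line in lines:
        ua_match = _LOG_UA_RE.search(line)
        user_agent = ua_match.group(1) if ua_match else ""
        counts[decide_policy(user_agent, today)] += 1
    return dict(counts)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Apr/2014:10:01:02 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 5.1; rv:28.0) Gecko/20100101 Firefox/28.0"',
    '203.0.113.6 - - [07/Apr/2014:10:01:05 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"',
    '203.0.113.7 - - [07/Apr/2014:10:01:09 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0"',
    '203.0.113.8 - - [07/Apr/2014:10:01:12 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 Safari/537.36"',
]

if __name__ == "__main__":
    # Before the grace period ends the two XP clients are warned; afterwards blocked.
    for when in (date(2014, 4, 7), date(2014, 8, 1)):
        print(when, triage_access_log(SAMPLE_LOG, when))
```

Run against the constructed log, the two XP requests are counted as `warn` on 2014-04-07 and as `block` on 2014-08-01, while the Windows 7 and Mac clients are allowed on both dates. In a real deployment the same `decide_policy` call would sit in the login handler, rendering a banner for `warn` and an explanatory page for `block`, and the counts from `triage_access_log` give the business the size of the affected customer base before the block is switched on.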

Of course, in addition to online alerts or blocks, further education campaigns make sense. Notifying customers of the risks and what they should do, through email and online campaigns, can further reinforce the message. Banks and financial institutions (and really anyone) should feel free to disseminate our flyer that outlines these risks.

Banking and finance aren’t the only sectors that are particularly at risk starting next week. But it is the sector that may face some of the greatest impact over time as its users continue to refuse to switch. We’re getting down to the wire and time is running out. Increasingly, those still on Windows XP are those who most stubbornly refuse to take action. Increasingly, organizations that are themselves put at risk by the inaction of these recalcitrant users will have to take actions of their own to spur those users into acting. In short, we have to make it more painful for these users to do nothing than to take action. And so a viable tactic in support of this goal around Windows XP is: if you see it, block it.

Christopher Budd is a communications manager with Trend Micro. His focus is on communications around online security and privacy threats to help people understand in plain English the risks they face and what they can do about them. In addition, he focuses on managing crisis communications utilizing a framework and processes he helped put in place.

Turkey Shuts Down Twitter

By Emma Sinclair-Webb

In the run up to the March 30th municipal elections, the government of Turkey’s Prime Minister Recep Tayyip Erdoğan has closed down Twitter in the country.

On March 20th, Erdoğan made an election speech in the western city of Bursa in which he threatened to “eradicate” what he called “Twitter Schmitter”. Then his office complained in a statement that Twitter had failed to abide by Turkish court orders calling for the removal of links in some tweets and that this might necessitate closure of the whole site.

Shortly afterwards, at around midnight local time, the Telecommunications Communication Directorate went ahead and closed down Twitter’s website in Turkey. The page that appears on the Twitter website states that the Directorate has applied a “protection measure” (closure order) on the basis of a March 20th Ankara prosecutor’s decision. Three earlier court orders are also mentioned; they represent decisions to remove particular content following complaints, but no detail is provided.

This is another fundamental blow to the freedom of expression in Turkey and the right to access information, and the closure order should be immediately lifted. The move further signals that the Turkish government has taken an anti-democratic turn which significantly sets back its human rights record.

If in practice it is easily possible to get around the ban and access Twitter by using proxy servers, that should not be regarded as a comfort. Prime Minister Erdoğan’s move shows the lengths he will go to in order to censor the flood of politically damaging wiretap recordings circulating on social media. These implicate his family and government ministers in corruption, reveal his willingness to press media bosses to censor news coverage, and show one of his close aides ordering the arrest of a journalist. Such material has been surfacing as links on Twitter accounts such as @haramzadeler333 and @başçalan in the wake of a corruption scandal that broke on December 17, 2013, and led to the resignation of four ministers.

The government has dismissed the corruption allegations and wiretaps as part of an “international conspiracy,” involving the US-based cleric Fethullah Gülen and his followers inside the judiciary and police, to overthrow the prime minister.

Conspiracy or not, limiting freedom of speech is no way for the Turkish government to tackle a political crisis.

Emma Sinclair-Webb, senior Turkey researcher with the Europe and Central Asia division, joined Human Rights Watch in 2007. She has worked on issues including police violence, accountability for enforced disappearances and killings by state perpetrators, the misuse of terrorism laws, and arbitrary detention. She was researcher on Turkey for Amnesty International from 2003-2007, and previously worked in publishing as a commissioning editor on books on history, culture, and politics in the Middle East and southeast Europe. She has degrees from Cambridge University and Birkbeck College, London, and speaks Turkish.