01-24-2020, 09:34 PM   #106
Otis Memorial Pentaxian
Loyal Site Supporter
clackers's Avatar

Join Date: Jul 2013
Location: Melbourne
Photos: Albums
Posts: 16,397
I maintain several networks in the public service, and the State Government Cybersecurity unit ordered that all Windows 7 and its like be updated or removed before the date. I had none of those, but I did have five old Server 2008 R2 boxes or virtual machines chugging on doing minor jobs or nothing at all. So dealing with them - they have the same advisory - has been my January so far.

01-24-2020, 10:06 PM   #107
Otis Memorial Pentaxian
stevebrot's Avatar

Join Date: Mar 2007
Location: Vancouver (USA)
Photos: Gallery | Albums
Posts: 42,007
Originally posted by clackers:
I maintain several networks in the public service, and the State Government Cybersecurity unit ordered that all Windows 7 and its like be updated or removed before the date. I had none of those, but I did have five old Server 2008 R2 boxes or virtual machines chugging on doing minor jobs or nothing at all. So dealing with them - they have the same advisory - has been my January so far.
Anybody opting for extended support?


Steve
01-24-2020, 10:36 PM   #108
Otis Memorial Pentaxian
Loyal Site Supporter
clackers's Avatar

Join Date: Jul 2013
Location: Melbourne
Photos: Albums
Posts: 16,397
Originally posted by stevebrot:
Anybody opting for extended support?


Steve
We'd only do that if there was a line-of-business product that depended on it, we don't have any of those.

Have upgraded four virtual machines to Server 2012 R2 (upgrade direct to Server 2016 or 2019 isn't a possible path), and decommissioned one physical box, an IBM x3650 (remember when they, not Lenovo, still made servers?) that for years has just acted as ad-hoc file storage without complaint. Will be sorry to see it go, it's been great, whatever the opposite of a lemon is.
01-25-2020, 01:47 AM - 1 Like   #109
Pentaxian
Dartmoor Dave's Avatar

Join Date: Aug 2012
Location: Dartmoor, UK
Photos: Gallery
Posts: 3,882
I'll be sticking with Windows 7 for now. I keep my C: drive and MBR locked down with Faronics Deep Freeze, so that I'm effectively using a brand new Windows installation every time I reboot. In the past I've done a virus scan after temporarily thawing the system each month to run Windows Update, but now that updates have ended it's really just a case of keeping the machine deep frozen so that no new nasties would survive a reboot. I do all my web browsing in a heavily protected sandbox, and of course anything that I choose to let out of the sandbox gets carefully checked for malware first, so I'm reasonably confident of my level of protection.

I run Lubuntu as a dual boot too, and I could probably use Linux as my main OS quite happily if it wasn't that I don't want to have to learn a new photo editing package after so many years of Photoshop. I've tried running Photoshop under Wine, but it's really not quite stable enough.

(Although I still tend to do a lot of my photo editing under the influence of wine anyway. Usually cheap Aussie shiraz, good enough for the likes of me. . . )

I've tried Windows 10 and just detest it. So in the long run, when I've eventually switched to a powerful enough machine, I'll probably move over to Linux with one of the older versions of Photoshop running in a Windows VM with no network access.


Last edited by Dartmoor Dave; 01-25-2020 at 01:52 AM.
01-25-2020, 02:27 AM   #110
Veteran Member




Join Date: Apr 2018
Posts: 639
Even on a very powerful machine Photoshop and Lightroom run poorly when installed natively, let alone emulated (yeah yeah I know, it is not an emulator).
01-25-2020, 12:03 PM   #111
Loyal Site Supporter
Loyal Site Supporter
fs999's Avatar

Join Date: Jul 2008
Location: Luxembourg
Photos: Gallery
Posts: 8,638
Originally posted by stevebrot:
How many times per month, eh?
I don't know. I've never been hacked, eh!

Originally posted by WorksAsIntended:
Less well-known ones that are security relevant in a few months at least.
So Win10 is a major risk too!

Originally posted by WorksAsIntended:
I know plenty of ways to attack a win xp system out of my head, and I am far from an expert at this matter.
So explain to me why Microsoft published 3 security updates for win xp, only for the last year, as win xp updates have been theoretically stopped on April 4, 2014 ...
01-25-2020, 12:44 PM   #112
Site Supporter
Site Supporter




Join Date: May 2019
Photos: Albums
Posts: 5,976
Because they were *massive* vulnerabilities that very easily allowed an attacker full control of the affected machine and, most importantly, affected servers. That's an exception, not the rule.

EDIT: and the reason they were published was that the affected code was shared between Win XP, Vista and several server versions. Had it not been part of the *then serviced* server versions it wouldn't even have been addressed...

01-25-2020, 12:58 PM   #113
Veteran Member




Join Date: Apr 2018
Posts: 639
Originally posted by fs999:
I don't know. I've never been hacked, eh!


So Win10 is a major risk too!


So explain to me why Microsoft published 3 security updates for win xp, only for the last year, as win xp updates have been theoretically stopped on April 4, 2014 ...


First of all, every OS is a risk. A secure OS would be too restrictive for everyday usage.
As I wrote before, if MS can finally concentrate on Win10 only, they can improve code quality and therefore make it less of a risk.
Still it would be a good idea to use the version which is less of a risk.
I know attack vectors against xp, not against win10 and in a few months there will be well-known vectors against a frozen win7 too.
When a vector is found it gets more popular over time and usually fixed before the big bot armies make use of it. When there are no updates anymore, well, then the bots will abuse the issues for sure.
XP got a few utterly important security updates that were code compatible with newer versions. A very good decision by MS, but there are a lot of different still existing and well-known security relevant bugs.

Most "hackers" are not doing anything intelligent. Those are bots trying to find a way to get the OS version and then use known methods to break it. Take a look at metasploit. You will be surprised how much you can attack using it without understanding anything at all.

The fact you never realised you "got hacked" (for me hacking still is a slightly different thing, but I understand it is often used in a wider context) does not mean you never have been. In fact, most of the modern attacks are silent attacks you will never know about (but maybe wonder why you get spam mail with parts of emails you just wrote).

Look at emotet, one of the biggest threats for MS systems at the moment. They only use a single exploit in the first hand, everything else, for example the self-distribution in Windows AD is simply made using regular Windows utils. Another case where restriction would be an easy cover.
After distributing in the systems it remains silent, loading different other "tools" for data analysis in the network. Only in few occasions it is actually doing anything that destroys data or systems. Most systems are just delivering data which are then used to create new phishing attacks. In our case for example the attack was done by using an existing business mail communication and writing an answer to it with file expension. At our customer they simply collected data, we later found out they have been infected for several months without noticing.
How can you be sure your system is safe? Well, you cannot as long as you have interfaces on it.
This is why offline backups remain the most important backup layer.
There was another attack bricking a lot of internet modems a few years back. It later came to knowledge that this was a very long active attack with huge amount of victims that were taking part at bot attacks themselves after being infiltrated.
It came only to knowledge because there was a bug in the attack code that accidentally bricked a specific kind of router and people finally realised something is going on.
01-25-2020, 02:28 PM   #114
Loyal Site Supporter
Loyal Site Supporter
fs999's Avatar

Join Date: Jul 2008
Location: Luxembourg
Photos: Gallery
Posts: 8,638
Originally posted by WorksAsIntended:
First of all, every OS is a risk. A secure OS would be too restrictive for everyday usage.
As I wrote before, if MS can finally concentrate on Win10 only, they can improve code quality and therefore make it less of a risk.
Still it would be a good idea to use the version which is less of a risk.
I know attack vectors against xp, not against win10 and in a few months there will be well-known vectors against a frozen win7 too.
When a vector is found it gets more popular over time and usually fixed before the big bot armies make use of it. When there are no updates anymore, well, then the bots will abuse the issues for sure.
XP got a few utterly important security updates that were code compatible with newer versions. A very good decision by MS, but there are a lot of different still existing and well-known security relevant bugs.

Most "hackers" are not doing anything intelligent. Those are bots trying to find a way to get the OS version and then use known methods to break it. Take a look at metasploit. You will be surprised how much you can attack using it without understanding anything at all.

The fact you never realised you "got hacked" (for me hacking still is a slightly different thing, but I understand it is often used in a wider context) does not mean you never have been. In fact, most of the modern attacks are silent attacks you will never know about (but maybe wonder why you get spam mail with parts of emails you just wrote).

Look at emotet, one of the biggest threats for MS systems at the moment. They only use a single exploit in the first hand, everything else, for example the self-distribution in Windows AD is simply made using regular Windows utils. Another case where restriction would be an easy cover.
After distributing in the systems it remains silent, loading different other "tools" for data analysis in the network. Only in few occasions it is actually doing anything that destroys data or systems. Most systems are just delivering data which are then used to create new phishing attacks. In our case for example the attack was done by using an existing business mail communication and writing an answer to it with file expension. At our customer they simply collected data, we later found out they have been infected for several months without noticing.
How can you be sure your system is safe? Well, you cannot as long as you have interfaces on it.
This is why offline backups remain the most important backup layer.
There was another attack bricking a lot of internet modems a few years back. It later came to knowledge that this was a very long active attack with huge amount of victims that were taking part at bot attacks themselves after being infiltrated.
It came only to knowledge because there was a bug in the attack code that accidentally bricked a specific kind of router and people finally realised something is going on.
01-25-2020, 02:52 PM   #115
Pentaxian




Join Date: May 2008
Location: London, UK
Posts: 1,697
OH deary me as a relative internet "simpleton", most of the above is "above me and my capabilities"

Thus, for my part (and, I guess, many others here!) suggestions for a few "simple to implement" precautions would be much appreciated (apparently just having had my ISP's Primary a/c hacked, and thus with all the hassles resulting there-from!).
01-25-2020, 03:11 PM - 1 Like   #116
Veteran Member




Join Date: Apr 2018
Posts: 639
Originally posted by jeallen01:
OH deary me as a relative internet "simpleton", most of the above is "above me and my capabilities"

Thus, for my part (and, I guess, many others here!) suggestions for a few "simple to implement" precautions would be much appreciated (apparently just having had my ISP's Primary a/c hacked, and thus with all the hassles resulting there-from!).
For private use there are only a couple of simple rules to follow, which most of the users do naturally:


1) Keep your system up to date with latest security fixes
2) Use some kind of scanner software

Windows 10 has a built-in AV software. It works surprisingly well. Still it is a good idea to use some third party software in addition
3) Keep your browser up to date
Install latest security fixes and be careful with browser extensions, even those by AV software. AV software browser extensions in chrome, chromium and firefox break parts of the sandboxing
4) Do not save credentials in the browser (they are saved in clear text)

5) Be careful what kind of third party software you install. Use trusted sources only.

6) Do not use admin users if not necessary.
7) Be careful what you get via email. Only open attachments of known sources you trust. If they are executables, do not open them. If they are office documents, do not allow macros.

8) If there are links in the mails carefully check where they head to
A nasty example is something like
https://paypal.comSomeEndlessStringLookingLikeAToken/ihackyou.com
A lot of software will shorten the string in a way it looks like it is actually sent by paypal.com.
If they ask you to check account information do not use the link provided in the mail but go to the website and log in there. You might end on a clone where your credentials are phished.
9) Never answer data relevant questions on a phone or via mail if not part of old conversation. Nobody will ever call you to do computer service and asking for access to your computer first. The police will not threaten you via mail, etc.
10) When browsing make sure to use SSL/TLS (shown by using https://, usually port 443) encryption on websites where you enter information.
All up to date browsers will warn you otherwise. If the certificate is invalid and you do not know the reason why (own server with self signed certificate for example) do not ignore it.
11) For important services (bank, paypal, email, storage) do not use the same passwords. Do not use passwords that are easy to guess.

12) If there is any reason to think your data are lost, change passwords.

13) On really important stuff use two factor authentication
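Rule 8 above, as an added example that is not part of the original post: a link is judged by the host the browser will actually contact, not by how its text begins. The function name `checkLink`, the expected domain and every sample link except the one quoted from the post are constructed for illustration.

```javascript
// Added example: decide whether a link from a mail really leads to the
// site it claims. EXPECTED_DOMAIN and the sample links are constructed.
const EXPECTED_DOMAIN = "paypal.com";

// Returns { ok, host, reason } for one link.
function checkLink(href, expectedDomain = EXPECTED_DOMAIN) {
  let url;
  try {
    url = new URL(href); // the same parsing rules a browser applies
  } catch (e) {
    return { ok: false, host: null, reason: "not a valid absolute URL" };
  }
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  if (url.protocol !== "https:") {
    return { ok: false, host, reason: "not https" };
  }
  if (url.username || url.password) {
    // "https://paypal.com@other.example/" goes to other.example
    return { ok: false, host, reason: "text before '@' is not the host" };
  }
  const want = expectedDomain.toLowerCase();
  // Accept the domain itself or a true subdomain (note the leading dot).
  if (host === want || host.endsWith("." + want)) {
    return { ok: true, host, reason: "host matches" };
  }
  return { ok: false, host, reason: "host is not under " + want };
}

// Constructed sample links, plus the one quoted in the post.
const SAMPLES = [
  "https://www.paypal.com/signin",
  "https://paypal.comSomeEndlessStringLookingLikeAToken/ihackyou.com",
  "https://paypal.com.account-check.example/login",
  "https://paypal.com@login.example/",
  "http://paypal.com/",
];

for (const href of SAMPLES) {
  const r = checkLink(href);
  console.log((r.ok ? "OK    " : "REJECT") + "  " + r.host + "  (" + r.reason + ")");
}
```

The comparison uses the whole hostname with a leading dot, so a name that merely starts with or contains "paypal.com" does not pass.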
01-25-2020, 04:03 PM   #117
Pentaxian




Join Date: May 2008
Location: London, UK
Posts: 1,697
@ WorksAsIntended

Many thx for that advice - and others should also take notice thereof!

I think I already follow most of those "rules" - but I will re-examine Nos 6 & 13 more carefully tomorrow and try to "fix" them rather better
01-25-2020, 08:22 PM   #118
Site Supporter
Site Supporter




Join Date: Sep 2013
Location: Australia
Photos: Gallery
Posts: 3,842
14) switch to Linux and forget about 2) to 13) easy
01-26-2020, 01:32 AM   #119
Veteran Member




Join Date: Apr 2018
Posts: 639
Gnu/Linux distros are more secure desktop systems, still not completely secure and it will stay that way in the foreseeable future. Browser attacks btw often work in Linux too and there are linux specific viruses, although mostly targeting servers.
A lot of attacks these days are against iot devices, most of them run Gnu/Linux in some way (although most attacks are possible due to missing security updates).
There have also been cases of phishing software distributed through user repositories.
01-26-2020, 01:44 AM   #120
Site Supporter
Site Supporter




Join Date: Sep 2013
Location: Australia
Photos: Gallery
Posts: 3,842
basically a non issue compared to Windows.