The Windows Hack: What’s a Consumer to Do?

Anyone can fall victim to hackers — and the best defense combines technology with common sense, says computer science professor Babak Forouraghi.

by Rachel Kipp

From Yahoo to Windows to Jeff Bezos, the past few weeks have been a stark reminder that any person or entity can fall victim to hackers.

Microsoft issued a free software patch on Jan. 14 after the U.S. National Security Agency uncovered and alerted the company to a vulnerability in the Windows 10 operating system. The security flaw in Windows 10 made it possible for hackers to insert malicious code into an affected computer and make it appear to be from a safe and trusted source.

According to Wired, Windows 10 is the most-used PC operating system in the world, installed on more than 900 million computers. When a system is that ubiquitous, dumping it isn’t an option for consumers or for businesses, says Babak Forouraghi, Ph.D., professor and chair of computer science at Saint Joseph’s University.

“Seventy percent of the PCs in the world run Windows and many of the applications are at the enterprise level -- it’s used by companies to run business applications,” says Forouraghi, who also directs SJU’s recently launched cybersecurity master’s degree and certificate programs. “You can’t tell companies to get rid of their software because that translates to millions of dollars. Windows is part of our infrastructure; we can’t do without it.”

And even if companies or individuals did move on to competitors like Linux or Apple iOS, those systems also contain vulnerabilities, and would attract increased attention from hackers if they were to overtake Windows, Forouraghi says.

A more productive solution, he says, is to make sure you or your employees have Windows updates enabled and not to over-rely on anti-virus software.

“Users are under the assumption that if they have their anti-virus software on, they don’t need to worry about Windows updates,” Forouraghi says. “But anti-virus software is limited in its functionalities and in this situation, the malware was taking advantage of the trust system that is at the core of Windows.”

Anti-virus software wouldn’t have caught the Windows hack, he adds, because the malware would have appeared to be from a safe source.

“There really has to be a whole paradigm shift for anti-virus programs to work, where we concentrate more on the behavioral analysis of malware as opposed to just looking at the signature — we need to see what malware is doing and constantly check the behavior of programs,” Forouraghi says.

The Windows hack was notable in that the National Security Agency discovered the flaw, let Microsoft know about it and took the credit for spotting it, rather than remaining quiet and using the flaw as a means to develop cyberweapons.

“The mentality is that we have to see what are the benefits of hiding and what are the dangers of doing that. When the dangers outweigh the benefits, the NSA decided to come out and tell Microsoft to do something about it,” Forouraghi says.

The overarching lesson from the Windows hack for consumers is that there is never going to be an end to cyber threats: hackers are becoming increasingly sophisticated, and as soon as a patch is created for one vulnerability, they’ll find and exploit a different one.

“Don’t just rely on the fact that you have your Windows Defender on; be really cognizant when you receive an e-mail whether you know the person or think about why they are asking you to click on a link to get this information rather than receiving a phone call,” Forouraghi says. “Phishing attacks try to take advantage of people’s naivete; to protect yourself as a consumer, treat everything as if it’s malware.”

Fighting against hacks, he says, has to be “a mix of technology and our own good sense.”