5 Worst Tech Rip-offs

By Becky Worley | Upgrade Your Life – Wed, Apr 10, 2013

When you’re about to buy a new gadget or computer, you have to make a ton of decisions – decisions that could end up costing you way too much. So what are the worst tech rip-offs – and how can you avoid them?

Rip-off #1: Buying from the Carrier
Buying a new phone poses lots of questions – starting with: where should you get your new device? The cell service providers would love you to believe that if you buy from them, you’ll get an amazing package deal. They’d also love you to believe that you HAVE to get your phone from them. You don’t. As long as the type of phone is supported by the service provider you choose, you can often save a significant percentage by buying the device from a third-party site like Amazon Wireless or Wirefly. Just as an example, I recently found the HTC EVO 4G LTE for $30 on Wirefly, while the carrier wanted $100 bucks for the exact same phone. Likewise, I found the Samsung Galaxy SIII listed for $200 with the carrier, the same day it was being offered by Amazon Wireless for $70. Note that in both of these examples, I made apples-to-apples comparisons – same phone, same service plan on the same carrier, and equally easy to set up. But speaking of apples, you may not be able to find an iPhone on these sites. So while these third-party cell phone sellers may not have deals on every phone, if you are in the market for an Android, Blackberry or Windows phone, shop around.

Rip-off #2: Software to Speed Up Your PC
Ads and infomercials promise to “keep your PC running like new.” But is that worth $30? Many of these programs will tweak a few settings and get rid of remnant files, but you can accomplish most of these simple fixes with the built-in Windows tools. Further, by installing the speed-up software, or any other program, you bog down your system even more. Bottom line, no software can make a 5-year-old computer run like new.

Rip-off #3: Extra Phone Services
When setting up your new phone service, for the most part, say no to all the extras:
Insurance: No. The accountants at the phone company have done the math: If they plan to make money selling you insurance, chances are, you’ll lose money by buying it.
Ring tones and ring-back tones: Again, no. You can make your own for free.
Navigation services: If you have a smartphone, navigation software comes included. Google Maps and the iOS native mapping service both offer turn-by-turn directions. No need to spend between $3 and $10 a month for something you can get for free.

Rip-off #4: Extra Computer Services
When you decide to buy that new computer, all kinds of offers will fly your way:
Extended warranty: This is just like the insurance case above; manufacturers make money selling extended warranties because most people don’t actually need them.
Extra tech support: Maybe if you’re a complete novice who has never owned a computer before, this would be worth it. But chances are, you’re currently on a computer you’ve used a lot, and you’ll be fine without paying for this extra.
CD in the mail of software you will download or that comes preinstalled?? That’s just ridiculous. Once you download the software, burn a DVD with the files if you want a back-up copy.

Rip-off #5: Extra Hard Drive Space
When you buy a new laptop, you may think you should load up on internal hard drive storage. But adding 500 GB of internal storage on a new Mac laptop costs an extra $200; on a PC it costs over $80. On the other hand, if you buy a 500 GB external drive, it’s only $59. Plus, if you’re thinking of getting more hard drive space now because you might need more storage for all your photos and movies sometime in the future, that’s all the more reason not to buy more storage space now; prices will only drop. So unless you are doing super fast computing that mandates really fast access to a lot of data, wait, and buy an external drive when you really need it.

The malware wars: How you can fight it

By Michael Lasky

A tip-filled conversation with Andrew Brandt, director of threat research at Solera Networks, reveals some of the ways hackers sneak malware into PCs.

Malware most often embeds itself with our unwitting help, but even when we have our defenses fully up, malware can still climb aboard. Nevertheless, there are practical and effective ways to defeat it — or clean it out after the fact.

Malware detection and decryption is my business

I met with Brandt at the annual February RSA security conference in San Francisco, Calif. We sat down to talk about the current state of malware and online security.

“Bring it on!” is Brandt’s mantra on malware. That’s because his job is letting malware run on his systems — on purpose. Using Windows XP, Vista, Windows 7, and Windows 8 test machines, he regularly browses sites known to harbor malicious content. But his unprotected systems (sometimes referred to as honey pots) often get malware infections all on their own.

The viruses, Trojans, etc. deposited daily on his computers are fodder for his primary work: reverse-engineering malware so he can understand how the latest exploits work — and how to prevent malware from intruding again. “Unfortunately,” says Brandt, “the goal posts are constantly changing with each malware sample. By design, more-sophisticated malware scripts change every time they run; they effectively create a custom version and, in doing so, change their identity every time they run. That constant change defeats much of the security software in use, which is looking for some previous design [or signature].”

Does that mean installing and using AV software is futile? “No,” says Brandt, “any amount of protection certainly helps. Some security software is better than others at finding and quarantining infections, but no single product can detect everything that’s out there, especially when it changes by the minute — not by the day, by the minute!”

As Brandt explains, AV programs need to cross-check each instance of a malware attack against a constantly updated database. But a database containing every version of malware is infeasible; it gets too large to be of practical use. Hacking codes often change their signature by as little as one byte — which might be enough to defeat signature-matching. Moreover, well-written (for want of a better term) malware uses obfuscation techniques to hide itself within a PC. “So an infection can be found only after the damage is done,” Brandt notes. “Of course, then it’s too late.”

To prevent infections, says Brandt, “You’ve got to embrace [anti-malware] deficiencies and take more personal responsibility. Most people tend to click before they think, and sites like Facebook have made matters worse. We click a link simply because it came from a social-network friend. At this point in the malware wars, you need to put a critical eye on any link — no matter how trusted the source. Your Facebook or email friend might have been fooled, and the link they sent you goes to a site that automatically loads its exploit.”

Social-engineering threats are rapidly growing, courtesy of the security vulnerabilities of sites that regularly use abbreviated URLs. Anyone who’s read Twitter or Facebook posts is familiar with cryptic URLs such as bitly, tinyurl, and snipurl. Because they’re shortened to seemingly random letters, numbers, and characters, you don’t know where they’re actually taking you. But all too often, we click them anyway.

  • Tip: You can preview shortened URLs to see their true destination. For example, with bitly addresses, simply paste them into your browser, add a + after the URL (for example, //bitly.com/13LRaF4+ [Solera Networks page]), and press Enter. Adding the plus sign takes you to the bitly site first, where you’ll see a stats page for the destination site.

    For tinyurl addresses, add “preview” before the address. For example, enter //preview.tinyurl.com/{xxxxx}, and the uncloaked address will appear at the tinyurl site.

    For snipurl addresses, add “peek” before the shortened address. For example, //peek.snipurl.com/26kl5qy takes you to the Snipurl site and displays the full URL:

    https://windowssecrets.com/top-story/surviving-your-first-hour-with-office-2013/

For any link — short or long — in a webpage, hover your cursor over the link and the true, full address should appear at the bottom of the browser window. Say, for example, you get an email from PayPal with what looks superficially like a legitimate link. But if the true link is something like //X5932OwzBulgaria45634.cn or //paypal.gotcha.co.ru, it could well lead to getting hacked or phished.

Figure 1. Fake PayPal notification

The ingredients of a malicious hack recipe

From his years of observing malware, Brandt believes that “the number one delivery method of a hack is a ZIP file. It might be disguised as a link or email attachment, but when opened, it will automatically unzip and execute the exploit that lodges malicious code in your computer.” Zipping the malware also hides its signature executable file, thus preventing its detection by AV software.

Other popular methods for delivering malware include PDFs, EXE files, and links that take you to intermediate sites that then immediately forward you to compromised sites. So again, it’s important to preview the address of a link. Some poorly written ones will actually show an executable file at the end — //dangerousmalware.com/569dk.exe, for example.
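The hover check and the shortener previews described above can be applied to every link in a message at once. The following is an added example, not code from the article or from Solera Networks: the function names and flag labels are this example's own, and the sample e-mail is constructed from the hostnames the article quotes.

```python
"""Triage the links in an HTML e-mail body the way the tips above do by hand."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Preview forms for the three shorteners named in the article.
PREVIEW = {
    "bitly.com":   lambda u: f"{u.scheme}://{u.netloc}{u.path}+",
    "tinyurl.com": lambda u: f"{u.scheme}://preview.tinyurl.com{u.path}",
    "snipurl.com": lambda u: f"{u.scheme}://peek.snipurl.com{u.path}",
}
# File types the article names as common delivery vehicles (this example's choice).
RISKY_SUFFIXES = (".exe", ".zip")
# Visible link text that is itself written as a web address.
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    # Text such as "www.paypal.com/login" has no scheme; add "//" so it parses.
    if "//" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def _belongs_to(host, domain):
    # "paypal.gotcha.co.ru" contains "paypal" but is not under "paypal.com".
    return host == domain or host.endswith("." + domain)


def triage_links(html, sender_domain):
    """Return one finding per link: real host, warning flags, preview URL."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlsplit(href)
        host = (url.hostname or "").lower()
        flags = []
        if not _belongs_to(host, sender_domain):
            flags.append("host-not-sender")           # what hovering reveals
        if LOOKS_LIKE_URL.match(text) and _host(text) != host:
            flags.append("text-differs-from-target")  # link text shows another site
        if url.path.lower().endswith(RISKY_SUFFIXES):
            flags.append("downloads-file")            # e.g. a path ending in .exe
        preview = None
        bare = host[4:] if host.startswith("www.") else host
        if bare in PREVIEW:
            flags.append("shortened")
            preview = PREVIEW[bare](url)              # open this, not the link
        findings.append({"href": href, "host": host,
                         "flags": flags, "preview": preview})
    return findings


# Constructed sample message claiming to come from PayPal.
SAMPLE_EMAIL = """
<p>Your account is limited.</p>
<a href="http://paypal.gotcha.co.ru/login">https://www.paypal.com/login</a>
<a href="https://www.paypal.com/help">Help center</a>
<a href="http://dangerousmalware.com/569dk.exe">View invoice</a>
<a href="http://bitly.com/13LRaF4">Details</a>
"""

if __name__ == "__main__":
    for finding in triage_links(SAMPLE_EMAIL, "paypal.com"):
        print(finding["host"], finding["flags"], finding["preview"] or "")
```

The comparison is against the end of the hostname, so a brand name appearing at the start of a host does not pass the check.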

According to Brandt, if you know where a malware file resides on your computer, you might be able to manually remove it. But then you have to know exactly what you’re looking for. “From my research, I’ve noticed that these files are usually deposited in temp-file locations. They show up as .exe or .dll files.” You don’t normally find executable files in a temp-file folder.
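A way to look for what Brandt describes, as an added example that is not from the article or from Solera Networks: it walks a temp folder and reports files that are executables by name (.exe, .dll) or by content (the two-byte "MZ" header that Windows executables and DLLs start with), which also catches an executable saved under another extension. The function name and report fields are this example's own.

```python
"""List executables sitting in a temp folder, by extension and by file header."""
import os
import tempfile
import time

EXEC_EXTENSIONS = {".exe", ".dll"}   # the two file types Brandt names
PE_MAGIC = b"MZ"                     # first two bytes of Windows EXE/DLL files


def find_temp_executables(root=None):
    """Return a report entry for every executable-looking file under root.

    root defaults to the current user's temp directory.
    """
    root = root or tempfile.gettempdir()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    magic = fh.read(2)
                info = os.stat(path)
            except OSError:
                continue  # file is locked, unreadable, or already deleted
            named_exec = os.path.splitext(name)[1].lower() in EXEC_EXTENSIONS
            pe_header = magic == PE_MAGIC
            if named_exec or pe_header:
                hits.append({
                    "path": path,
                    "name": name,
                    "size": info.st_size,
                    "modified": time.strftime(
                        "%Y-%m-%d %H:%M", time.localtime(info.st_mtime)),
                    "pe_header": pe_header,
                    # Executable content hiding behind a harmless-looking name.
                    "disguised": pe_header and not named_exec,
                })
    return sorted(hits, key=lambda h: h["path"])


if __name__ == "__main__":
    for hit in find_temp_executables():
        note = "  <-- executable content, non-executable name" if hit["disguised"] else ""
        print(f'{hit["modified"]}  {hit["size"]:>10}  {hit["path"]}{note}')
```

Installers and updaters also unpack executables into temp folders, so treat each hit as a lead to check with an antivirus scan rather than as a verdict.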

“If you are still using XP, I’d advise upgrading to Win7 or Win8 as soon as possible — XP is wide open to malware intrusions. Vista and Windows 7 [mostly] fixed this open door with the User Account Control; it pops up every time there is an attempt to make changes to your system, legitimate or not (such as when a new app tries to install). Most people just click Okay and continue, but this is one point when there’s a chance of stopping an infection from entering.”

Caught red-handed: A conversation with a hacker

The malware-monitoring systems in Brandt’s lab see constant activity from online. “One time, I was tending to one PC and, when I turned away from it momentarily, I noticed an open chat window on another machine. A message in the chat screen stated, ‘Yo, bro, you caught me.’ I responded back with an ‘LOL.’” Using malware installed on the XP system, a hacker was creating a text-based report of every open window’s titlebar and sending it to an address in Tunisia.

“I created a text file on my desktop that said, ‘Hey, come back.’ He did. In a series of chat sessions, he told me his story: He ran a network business in Tunisia but, because of the revolution there, business was slow. So to earn money to take care of his family, he was creating botnets to take over computers around the world. He used the botnets to harvest passwords, credit card numbers, and other personal data that he could then sell to other hackers.” (A lot of malware guys get cocky and start communicating with security analysts directly, in a sort of catch-me-if-you-can game.)

“There are open, online markets where malware exploit codes are available free or for sale. The Tunisian hacker would get them as soon as they were made available and use them. He also used free (and perfectly legitimate) remote-control software — TeamViewer — to take over computers. It would send back screen shots from infected PCs to him every 30 seconds.”

Today, says Brandt, “most of the malicious code comes from Russia and other East European countries and from China. Much of it is implemented lazily, so it conforms to known patterns which many email clients recognize and immediately send to spam folders. But some of it does get through. Unfortunately, many of these guys are one step ahead of the analysts.”

Brandt’s Tunisian chat-pal hacker was apparently close to getting caught but shut down his operation in the nick of time. After that he was more particular about his exploits.

When asked the top three ways to deter malware on a PC, Brandt’s suggestions are ones we should all know — and follow — by now.

  • Stop using Windows XP.
  • Install and keep updated security software such as the free AVG and Malwarebytes.
  • Most important: Think before clicking any link and whenever Windows unexpectedly asks whether you want to proceed with a change to your PC settings.

“Ratters” – They Watch Through Your Webcam

By Becky Worley | Upgrade Your Life – 13 hrs ago

R.A.T. Remote Access Tools
This scenario is happening more and more; there are myriad photos and videos available online indicating the practice is getting easier and more popular with an online community called Ratters. They use Remote Access Tools (R.A.T.s) to activate the webcams of compromised computers and record video of unsuspecting users. They call the owners of these infected computers “slaves,” and compromising videos, especially of female slaves, are openly traded, and posted on YouTube.

Online Forums of Ratters Grow
The practice of taking over a computer is not new. Hackers have produced software for years that gives complete control of a machine to a remote attacker. Aspects of these tools are also common in the IT field for offering remote tech support. But what’s new is the community of remote attackers who have formed in hacking forums to share or trade access to the enslaved computers and talk about their exploits.

In a detailed article on Ars Technica, journalist Nate Anderson probes into the members at hackforums.net, which he says has more than 134 pages of posts featuring captured images and video of female slaves. Some are recorded from webcams, and others are videos or images found on the hard drives of compromised computers that their owners thought were private and secure.

Scare Tactics
Beyond invading a victim’s privacy, Ratters have tools in their software to scare or annoy remote victims. They can open and close their DVD drives, display graphic images on screen, have the computer read aloud using text-to-speech applications, or even hide the start button.

Hard to Police
While this type of unauthorized computer intrusion is clearly against the law, the fight against Ratting is a challenge. There are many free or low-cost programs already available online, attackers are not usually local or in close proximity to victims, and while any one forum of Ratters could be shut down, others could easily pop up elsewhere.

How Victims Are Infected
Victims are infected with remote access tools the same way many viruses spread: opening attachments, drive-by downloads from sketchy sites, downloading files from torrents or file-sharing sites, or being tricked into clicking links through social media sites.

How to Protect Yourself
The good news is that these tools can be detected and held at bay. First, pay attention to the little light next to your webcam. If at any time it’s lit and you aren’t using your webcam, find out why it’s engaged by either running an antivirus program or pressing Ctrl-Alt-Del to see what processes are actively running. If you see anything suspicious, it’s time to disconnect from the Internet and disinfect.

Best practices to stay safe include using a firewall, keeping all software up to date, and using an anti-virus program. Also, staying away from torrent sites and sketchy websites will add a layer of protection, as many Ratters seed files on these sites disguised as free videos, music or software programs. If your paranoia is high and you really want to be sure your webcam isn’t spying on you, some have suggested taping a piece of paper over the camera, but this does nothing to protect your information or image/video files already on your computer.

Security alert: Bogus tech-support phone calls

By Fred Langa

“Hello. This is Microsoft Tech Support. Your PC has notified us that it has an infection.”

The call is a scam — an extremely prevalent one. Here’s how it works and what you need to know to stay out of the trap.

Scams come and go, but this particular one seems to have staying power — and it’s spreading quickly. It’s now so common, the Internet Crime Complaint Center (a partnership between the Federal Bureau of Investigation and the National White Collar Crime Center) issued a Jan. 7 special alert, “New twist to online tech support scam.”

Windows Secrets reader Scott Brande was recently on the receiving end of a typical tech-support con. Recognizing it for what it was, he carefully documented the attempted snow job, then sent in his notes as a service to all Windows Secrets readers.

His narrative, plus the resources I’ll list at the end of this article, can help you — and the people you care about — avoid falling prey to this malicious tactic.

Scott’s description of how the scam played out:

  • “This morning I received a telephone call (the second such call in two weeks) about infected files on my computer; the caller then offered to fix the problem. Suspecting a scam, I decided to play along.

    “I think it was the same caller both times. He had a strong accent, the kind I’m used to hearing on outsourced help lines. I asked the caller’s name both times; the first time he replied, ‘Mike Tyler,’ and the second time he was ‘Andrew.’ He began the call by saying that he’s with Microtek, an authorized supporter for Windows operating systems. (My spelling of the company’s name was a guess; the caller never spelled it out.)

    “I asked immediately whether this was a sales call. Without directly answering my question, he launched into what sounded like a script. He stated: ‘Our servers have received information from your computer that indicates it is infected.’

    “When I questioned him about his company, he told me I’d find ‘Microtek’ listed on [an online business directory] — as if a listing in the directory were proof his call was legitimate! When asked where the company was located, he replied, ‘Houston, Texas.’ I then asked for his employee ID; he gave me ‘MSCE079502.’

    “(After the call, I ran an online search and came up with a Microtek in Houston; it’s a training facility for business computer users — not a technical-support center. I assume the caller just picked Microtek’s name off the Web. I don’t believe the real Microtek had anything to do with the bogus tech-support call.)

    “Changing topics, I asked how he knew my computer was infected. He replied that his company is an authorized Microsoft Partner and, because I use Microsoft Windows, my computer sends notifications to Microtek servers.

    “I then asked how he knew about my specific computer; he stated that his server gets updates from my PC. He then asked whether I ran Windows Update. When I said yes, he went on to say that Microtek servers got the information about infected files in my system via Windows Update.

    “I countered, stating that Windows Update goes only to Microsoft servers — not Microtek servers. But he simply repeated that Microtek is an authorized Microsoft Partner.

    “Next, I asked him which one of my computers was infected (I have several at home), to which he said something vague about a MAC address. When asked which MAC address he had for my machine, he would state only that, for ‘security reasons,’ he couldn’t tell me the MAC address (even though it was my own PC).

    “At this point, I expressed my doubts about all this information. But he was quite persistent; he stated that ‘some of our clients in your area have been affected by the infected files on your machine.’ He then claimed I had upward of ‘1,000 infected files.’ When asked who these local clients were, he said he couldn’t tell me that (of course).

    “I asked how his clients’ machines could possibly be affected by my home computer. He didn’t answer this but went directly to the following: ‘OK, I’ll show you the infected files on your computer.’ He instructed me to enter .inf into the Start menu search box, then declared that all these files were ‘infected’ (that .inf stands for ‘infected’ or ‘infection’).

    “At that point, I said I didn’t believe that was true; it was my understanding that .inf was a particular type of file that comes with software installed on my computer.

    “At this point, he ended the call — probably because I knew that .inf didn’t refer to infected files. As it was, I’d had him on the line for a good 15 minutes.

    “As I mentioned, this is the second such cold call I’ve received in about two weeks. The pitch given in the two calls was very consistent; I surmise there must be many others who have been presented with the same scam.”

Great job, Scott! Your suspicions are totally correct: This was just a scam. And yes, it’s extremely widespread.

Bogus tech-support call raises red flags

Two of the caller’s assertions in Scott’s narrative immediately indicate a scam:

  • Microsoft or one of its partners made the call: False! Microsoft flatly states:

    “Neither Microsoft nor our partners make unsolicited phone calls (also known as cold calls) to charge you for computer security or software fixes. … Do not trust unsolicited calls. Do not provide any personal information.” (See the full text on Microsoft’s “Avoid tech support phone scams” page.)

  • Windows Update collects personally identifiable information: False, again! Even if it wanted to, Microsoft — or a Microsoft Partner — can’t track you down and cold-call you via information acquired by Windows Update. You’ll find more details on the online “Windows Update privacy statement” page; a more colloquial version on the “Using Windows Update” page states unequivocally: “Windows Update is committed to protecting your privacy and does not collect your name, address, e-mail address, or any other form of personally identifiable information.”

Scott’s caller raised other red flags, too. For example — just as Scott thought — .inf stands for information, not “infection.” An .inf is just a plain-text file containing information Windows uses when it’s installing a driver.

Knowledge of INF files is somewhat specialized — not everyone will know what they’re used for. But the first two red flags should be easily recognized by any experienced Windows user.

Bottom line: If you get an unsolicited call from anyone offering to “fix” your computer (especially if they claim to be from Microsoft or a Microsoft Partner) hang up immediately — it’s a scam!

Further scam-proofing — and reporting scammers

For more information about how to recognize the type of scam Scott ran into, see the MS Safety & Security Center page, “Avoid scams that use the Microsoft name fraudulently.”

You’ll find additional ways to generally scam-proof yourself on the U.S. Federal Trade Commission (FTC) site, “Telemarketing Scams.”

If you receive (or have already received) a scam-related phone call, the FTC requests you dial (toll-free) 1-877-FTC-HELP or visit the Complaint Assistant site.

If you’re on the receiving end of an attempted scam via the Web (rather than by phone), file a complaint on the Internet Crime Complaint Center’s free website.

And here’s some preventive medicine that might help. Register all your phone numbers with the National Do Not Call Registry (free). You need to register a number only once; the registry never expires. This won’t stop all unsolicited calls, but it will stop most. If your number is on the Registry and you still get calls, they’re likely to be from scammers ignoring the law. In that case, call the FTC number listed above and file a complaint.

 

Oracle Corp to fix Java security flaw “shortly”

By Jim Finkle | Reuters – 1-12-13

BOSTON (Reuters) – Oracle Corp said it is preparing an update to address a flaw in its widely used Java software after the U.S. Department of Homeland Security urged computer users to disable the program in web browsers because criminal hackers are exploiting a security bug to attack PCs.

“A fix will be available shortly,” the company said in a statement released late on Friday.

Company officials could not be reached on Saturday to say how quickly the update would be available for the hundreds of millions of PCs that have Java installed.

The Department of Homeland Security and computer security experts said on Thursday that hackers figured out how to exploit the bug in a version of Java used with Internet browsers to install malicious software on PCs. That has enabled them to commit crimes from identity theft to making an infected computer part of an ad-hoc computer network that can be used to attack websites.

Java is a computer language that enables programmers to write software utilizing just one set of codes that will run on virtually any type of computer, including ones that use Microsoft Corp’s Windows, Apple Inc’s OS X and Linux, an operating system widely employed by corporations. It is installed in Internet browsers to access web content and also directly on PCs, server computers and other devices that use it to run a wide variety of computer programs.

Oracle said in its statement that the recently discovered flaw only affects Java 7, the program’s most-recent version, and Java software designed to run on browsers.

Java is so widely used that the software has become a prime target for hackers. Last year, Java surpassed Adobe Systems Inc’s Reader software as the most frequently attacked piece of software, according to security software maker Kaspersky Lab.

Java was responsible for 50 percent of all cyber attacks last year in which hackers broke into computers by exploiting software bugs, according to Kaspersky. That was followed by Adobe Reader, which was involved in 28 percent of all incidents. Microsoft Windows and Internet Explorer were involved in about 3 percent of incidents, according to the survey.

The Department of Homeland Security said attackers could trick targets into visiting malicious websites that would infect their PCs with software capable of exploiting the bug in Java.

It said an attacker could also infect a legitimate website by uploading malicious software that would infect machines of computer users who trust that site because they have previously visited it without experiencing any problems.

They said developers of several popular tools, known as exploit kits, used by criminal hackers to attack PCs, have added software that allows hackers to exploit the newly discovered bug in Java.

Security experts have been scrutinizing the safety of Java since a similar security scare in August, which prompted some of them to advise using the software only on an as-needed basis.

At the time, they advised businesses to allow their workers to use Java browser plug-ins only when prompted for permission by trusted programs such as GoToMeeting, a Web-based collaboration tool from Citrix Systems Inc.

Java suffered another setback in October when Apple began removing old versions of the software from Internet browsers of Mac computers after its customers installed new versions of its OS X operating system. Apple did not provide a reason for the change and both companies declined to comment at the time.

(Reporting by Jim Finkle; editing by Gunna Dickson)

How do I disable Java in my web browser?

I copied this information directly from the Java website. I urge you to follow the directions here to disable Java until further notice. If you go slowly and read it step by step, making sure you understand what it directs, it will work. Be sure to disable it on every browser you use.

This article applies to:

  • Platform(s): Solaris SPARC, Solaris x86, Red Hat Linux, SUSE Linux, Oracle Enterprise Linux, Windows 8, Windows 7, Vista, Windows 2008 Server, Macintosh OS X
  • Browser(s): Internet Explorer, Firefox, Chrome, Safari
  • Java version(s): 7.0, 7u10+

Starting with Java Version 7 Update 10, a new security feature has been added to Java. Some web pages may include content or apps that use the Java plug-in, and these can now be disabled using a single option in the Java Control Panel.

Disabling Java through the Java Control Panel will disable Java in all browsers.

Find the Java Control Panel

Windows XP

  • Click on the Start button and then click on the Control Panel option.
  • Double click on the Java icon to open the Java Control Panel.

Windows 7, Vista

  • Click on the Start button and then click on the Control Panel option.
  • In the Control Panel Search enter Java Control Panel.
  • Click on the Java icon to open the Java Control Panel.

Windows 8
Use search to find the Control Panel

  • Press Windows logo key + W to open the Search charm to search settings
    OR
    Drag the Mouse pointer to the bottom-right corner of the screen, then click on the Search icon.
  • In the search box enter Java Control Panel
  • Click on the Java icon to open the Java Control Panel.

Disable Java through the Java Control Panel

Note: The example shows Java Control Panel for Java 7 Update 10

  1. In the Java Control Panel, click on the Security tab.
  2. Deselect the check box for Enable Java content in the browser. This will disable the Java plug-in in the browser.
  3. Click Apply. When the Windows User Account Control (UAC) dialog appears, allow permissions to make the changes.
  4. Click OK in the Java Plug-in confirmation window.
  5. Restart the browser for changes to take effect.

RELATED INFORMATION

Disable the Java content in the particular browser
Internet Explorer

The only way to completely disable Java in Internet Explorer (IE) is to disable Java through the Java Control Panel as noted above.

Chrome
  1. Click on the Chrome menu, and then select Settings.
  2. At the bottom of Settings window, click Show advanced settings
  3. Scroll down to the Privacy section and click on Content Settings.
  4. In the Content Settings panel, scroll down to the Plug-ins section.
  5. Under the Plug-ins section, click Disable individual plug-ins.
  6. In the Plugins panel, scroll to the Java section. Click Disable to disable the Java Plug-in.
  7. Close and restart the browser to enable the changes.

Note: Alternatively, you can access the Plug-ins settings by typing about:plugins in the browser address bar.

Firefox
  1. Click on the Firefox tab and then select Add-ons
  2. In the Add-ons Manager window, select Plugins
  3. Click Java (TM) Platform plugin to select it
  4. Click Disable (if the button displays Enable then Java is already disabled)

Safari
  1. Choose Safari Preferences
  2. Choose the Security option
  3. Deselect Enable Java
  4. Close Safari Preferences window

U.S. warns on Java software as security concerns escalate

By Jim Finkle | Reuters – 1-11-13

The U.S. Department of Homeland Security urged computer users to disable Oracle Corp’s Java software, amplifying security experts’ prior warnings to hundreds of millions of consumers and businesses that use it to surf the Web.

Hackers have figured out how to exploit Java to install malicious software enabling them to commit crimes ranging from identity theft to making an infected computer part of an ad-hoc network of computers that can be used to attack websites.

“We are currently unaware of a practical solution to this problem,” the Department of Homeland Security’s Computer Emergency Readiness Team said in a posting on its website late on Thursday.

“This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered,” the agency said. “To defend against this and future Java vulnerabilities, disable Java in Web browsers.”

Oracle declined on Friday to comment on the warning.

Java is a computer language that enables programmers to write software utilizing just one set of code that will run on virtually any type of computer, including ones that use Microsoft Corp’s Windows, Apple Inc’s OS X and Linux, an operating system widely employed by corporations.

Computer users access Java programs through modules, or plug-ins, that run Java software on top of browsers such as Internet Explorer and Firefox.

The U.S. government’s warning on Java came after security experts warned on Thursday of the newly discovered flaw.

It is relatively rare for government agencies to advise computer users to completely disable software due to a security bug, particularly in the case of widely used programs such as Java. They typically recommend taking steps to mitigate the risk of attack while manufacturers prepare an update, or hold off on publicizing the problem until an update is prepared.

In September, the German government advised the public to temporarily stop using Microsoft’s Internet Explorer browser to give it time to patch a security vulnerability that opened it to attacks.

Java is so widely used that the software has become a prime target for hackers. Last year Oracle’s Java surpassed Adobe Systems Inc’s Reader software as the most frequently attacked piece of software, according to security software maker Kaspersky Lab.

Java was responsible for 50 percent of all cyber attacks last year in which hackers broke into computers by exploiting software bugs, according to Kaspersky. That was followed by Adobe Reader, which was involved in 28 percent of all incidents. Microsoft Windows and Internet Explorer were involved in about 3 percent of incidents, according to the survey.

The Department of Homeland Security said attackers could trick targets into visiting malicious websites that would infect their PCs with software capable of exploiting the bug in Java.

It said an attacker could also infect a legitimate website by uploading malicious software that would infect machines of computer users who trust that site because they have previously visited it without experiencing any problems.

They said developers of several popular tools, known as exploit kits, which criminal hackers use to attack PCs, have added software that allows hackers to exploit the newly discovered bug in Java to attack computers.

Security experts have been scrutinizing the safety of Java since a similar security scare in August, which prompted some of them to advise using the software only on an as-needed basis.

At the time they advised businesses to allow their workers to use Java browser plug-ins only when prompted for permission by trusted programs such as GoToMeeting, a Web-based collaboration tool from Citrix Systems Inc.

Java suffered another setback in October when Apple began removing old versions of the software from Internet browsers of Mac computers when its customers installed new versions of its OS X operating system. Apple did not provide a reason for the change and both companies declined to comment at the time.

Adam Gowdiak, a researcher with Polish security firm Security Explorations, told Reuters he believes that Oracle fails to properly test its software fixes for security flaws. “It’s definitely safer for users to stay away from Java ’til Oracle starts taking security seriously,” he said.

(Reporting by Jim Finkle; Editing by Dan Grebler)