
Be Wary: Hackers are Readying Security Updates for XP Users


Steve Hayes

Mar 28, 2014, 5:50:32 AM
Be Wary: Hackers are Readying Security Updates for XP Users
Thursday, March 27, 2014
Contributed By:
Tripwire Inc

By: Katherine Brocklehurst

After April 8, you should be very watchful and wary of ‘security updates’ for
Microsoft systems and here’s why: Microsoft ends its support on that date for
Windows XP. Timothy Rains, director of trustworthy computing at Microsoft says
“the probability of attackers using security updates for Windows 7, 8, and
Vista to attack Windows XP is about 100 percent.”

The significance of this long-foretold moment may be felt hardest by the
financial, retail, and energy industries as well as government. The majority
of ATMs, many Point-of-Sale (POS) systems, lots of systems within our critical
infrastructure environments (and certainly our power grid), and a large
percentage of government systems are still running this version of Microsoft’s
2001 operating system (in many cases, it’s embedded XP, which Microsoft has
committed to supporting a while longer, but some do have regular XP OS in
place).

Approximately 40% of PC users still run desktop versions of Windows XP as
well. Windows XP has been regarded by many as the best version of Windows
ever. As with all Microsoft OS’s, it’s certainly been patched a lot. Check out
this list of XP CVEs. And in 2007 people flatly refused to upgrade even though
Microsoft tried to move people off of it then.

The good news is (per Microsoft) – there’s a fix! Upgrade to Windows 8.1 – an
OS that has been fraught with highly publicized vulnerabilities since it
launched. Or, potentially purchase support from Microsoft at a fat price tag.
(What are they quoting your organization for individualized XP software
support, and how encompassing is it? – I’d love to hear…I’ve heard that
support in year two could incur a five-times multiple!)

Here’s the bad news – ATMs are a sweet spot for hackers – and many
well-organized groups have hit the news with successful cash grabs, and now
they’re about to become an even easier target. Estimates are that 95% of bank
ATM machines will be vulnerable to XP hackers after April 8.

The ATM industry is a patchwork of thousands of terminals that range from
national banks and their satellite cash locations to individual
convenience-store, doughnut shop, beach-side delis, and out-moded ATMs on back
roads. It’s difficult to get these systems all upgraded at once, and many
machines cannot be updated remotely.

Many may require a complete physical replacement since they can’t be upgraded
due to lack of computing power. Aravinda Korala, CEO of ATM software provider
KAL, believes only 15 percent of ATMs in the U.S. will be upgraded by April 8.
Many banks are paying Microsoft to extend support for XP on cash machines
while they make the switch to Windows 7, according to Reuters.

So while it’s not quite the apocalypse, it is going to be a very sketchy
period of time for XP users. Hackers will have significant opportunity with
XP, and you should ready your organization. Suggestions are that if you can’t
securely upgrade before April 8, at least prepare to harden your
configurations as much as possible in advance, and definitely step up security
awareness within your user environment.

This was cross-posted from Tripwire's The State of Security blog.

http://www.infosecisland.com/blogview/23696-Be-Wary-Hackers-are-Readying-Security-Updates-for-XP-Users-.html


--
Steve Hayes from Tshwane, South Africa
Web: http://www.khanya.org.za/stevesig.htm
Blog: http://khanya.wordpress.com
E-mail - see web page, or parse: shayes at dunelm full stop org full stop uk

Bubba

Apr 3, 2014, 1:21:55 PM
You can bet that the scripted television "news" headlines are going
to pitch for Micro$oft using scare tactics to promote Windows 8x devices
and upgrades. These uber-corporations work absolutely in lockstep
with Big Brother, and Windows 8x is the line in the sand.

Tech gurus are emphasizing the importance of backing up all user files
on XP machines to portable storage media before the April 8th deadline,
and that people should back up their user files no matter what OS or
device they're using. But "cloud" storage? Not for me.

Over on the alt.comp.freeware newsgroup there's apt to be increased
discussion on what freeware programs can help to minimize security
risks on an XP machine connected to the Internet, e.g. Firefox as the
default browser, hosts updates, disabling Java, and so forth. I would
imagine that Linux is going to get a lot more attention. I just wish
that Linux was more standardized and not divided into so many "flavors
of the month." Buying a new or used Windows 7 x64 machine or upgrade
might be another option. 500 million XP users are about to find out.

--
Bub

Joe Zeff

Apr 3, 2014, 2:18:24 PM
On Thu, 03 Apr 2014 19:21:55 +0200, Bubba wrote:

> I just wish that Linux was more standardized and not divided into so
> many "flavors of the month."

I'm a Linux user and I'm glad it isn't. If I don't like the direction
one distro or one DE is going in, I'm free to switch to a different one
that fits my needs better. As an example, when I learned what Gnome 3
was going to be like, I started looking around for an alternative and by
the time it came out, I'd migrated to Xfce. With Linux, it's all about
choice.

--
Joe Zeff -- The Guy With The Sideburns:
http://www.zeff.us http://www.lasfs.info
China. It's the new Nazi. :-) Reductio egg fu yung.

Alan Ralph

Apr 3, 2014, 4:03:04 PM
On 03/04/2014 18:21, Bubba wrote:
> You can bet that the scripted television "news" headlines are going
> to pitch for Micro$oft using scare tactics to promote Windows 8x devices
> and upgrades. These uber-corporations work absolutely in lockstep
> with Big Brother, and Windows 8x is the line in the sand.

To date, I've not seen that much TV discussion about the implications
of the impending end of support for XP here in the UK. Where there has
been advice, it has been to see if your existing machine can be upgraded
- even the cheapest new PC system is still a big outlay for some households.

> Tech gurus are emphasizing the importance of backing up all user files
> on XP machines to portable storage media before the April 8th deadline,
> and that people should back up their user files no matter what OS or
> device they're using. But "cloud" storage? Not for me.

Well, I'm glad that message is getting out. It baffles me that PC makers
are quick to flog online backup solutions with new PCs that may or may
not be effective if the customer doesn't have a fast broadband
connection, but don't think to include an external hard disk as part of
a system package.

> Over on the alt.comp.freeware newsgroup there's apt to be increased
> discussion on what freeware programs can help to minimize security
> risks on an XP machine connected to the Internet, e.g. Firefox as the
> default browser, hosts updates, disabling Java, and so forth. I would
> imagine that Linux is going to get a lot more attention. I just wish
> that Linux was more standardized and not divided into so many "flavors
> of the month." Buying a new or used Windows 7 x64 machine or upgrade
> might be another option. 500 million XP users are about to find out.

Those are all worthwhile measures, and in fact all users should consider
taking steps to minimise their potential security risk, including those
of us with Macs.

Alan

Auric__

Apr 3, 2014, 4:18:01 PM
Joe Zeff wrote:

> On Thu, 03 Apr 2014 19:21:55 +0200, Bubba wrote:
>
>> I just wish that Linux was more standardized and not divided into so
>> many "flavors of the month."
>
> I'm a Linux user and I'm glad it isn't. If I don't like the direction
> one distro or one DE is going in, I'm free to switch to a different one
> that fits my needs better. As an example, when I learned what Gnome 3
> was going to be like, I started looking around for an alternative and by
> the time it came out, I'd migrated to Xfce. With Linux, it's all about
> choice.

Within limits. A lot of things in Linux are "If you don't like it, write your
own."

--
Graffiti should be obscene and not heard.

Mark Warner

Apr 3, 2014, 4:47:44 PM
Perhaps. But many times that's the response given to those who refuse to
be satisfied with the available choices.

--
Mark Warner
...lose .inhibitions when replying

Bubba

Apr 3, 2014, 10:25:17 PM
I've never even tried Linux, but I've been reading more about it
with XP about to go bust. If I can stick with Windows I'd rather
do that because many of my programs require Windows to run them.
Plus, I'm an old dog who really doesn't want to learn new tricks.

My primary computer is using Windows 7 x64, so I may just take the
older XP off-line and call it a day. Some electronics stores sell
refurbished Windows 7 boxes with limited warranty, so that might be
the easiest option for those worried about XP being compromised.
Anyone thinking about doing that should do it soon before supplies
run out.

--
Bub

Joe Zeff

Apr 4, 2014, 2:15:01 AM
On Thu, 03 Apr 2014 20:18:01 +0000, Auric__ wrote:

> Within limits. A lot of things in Linux are "If you don't like it, write
> your own."

That's more an issue with developers than with the OS itself. Remember,
most of the people are volunteers working on their own time on what they
want to work on, but if you look around, there's probably something out
there that does what you need.

--
Joe Zeff -- The Guy With The Sideburns:
http://www.zeff.us http://www.lasfs.info
By Grabnor's hammer, you *will* be avenged!
-Galaxy Quest

Joe Zeff

Apr 4, 2014, 2:17:33 AM
On Fri, 04 Apr 2014 04:25:17 +0200, Bubba wrote:

> If I can stick with Windows I'd rather do that because many of my
> programs require Windows to run them.

There's always Wine, an OSS recreation of the Windows API that lets you
run most (not all) Windows programs under Linux. Of course, if you're
happy with Windows, there's no reason to change.

--
Joe Zeff -- The Guy With The Sideburns:
http://www.zeff.us http://www.lasfs.info
I'll have to try and get an item written into the DR plan specifying a
run to Krispy Kreme for sysadmin fuel, since it'd no doubt be a long
night ahead.

Joe Zeff

Apr 4, 2014, 2:25:52 AM
On Thu, 03 Apr 2014 21:03:04 +0100, Alan Ralph wrote:

> Well, I'm glad that message is getting out. It baffles me that PC makers
> are quick to flog online backup solutions with new PCs that may or may
> not be effective if the customer doesn't have a fast broadband
> connection, but don't think to include an external hard disk as part of
> a system package.

Agreed. Everybody should make regular backups to media that they
control. I have a 16GB flash drive that I reformatted to ext4 and use
for backing up my Linux box. Currently, it has 30.5GB of data and 8.3GB
of freespace. (No, that's not a typo; my backup software uses symbolic
links to back up files that haven't changed, and you can't do that on a
FAT or VFAT file system although I think you can on NTFS.)

--
Joe Zeff -- The Guy With The Sideburns:
http://www.zeff.us http://www.lasfs.info
Sometimes, if you wanted to go to the ball,
you had to be your own fairy godmother.

Mark Warner

Apr 4, 2014, 8:03:05 AM
On 04/03/2014 04:03 PM, Alan Ralph wrote:
> It baffles me that PC makers
> are quick to flog online backup solutions with new PCs that may or may
> not be effective if the customer doesn't have a fast broadband
> connection

They're getting paid to do so.

--
Mark Warner
MEPIS Linux
Registered Linux User #415318
...lose .inhibitions when replying

technomaNge

Apr 4, 2014, 9:53:56 PM
On 04/03/2014 09:25 PM, Bubba wrote:

> My primary computer is using Windows 7 x64, so I may just take the
> older XP off-line and call it a day. Some electronics stores sell
> refurbished Windows 7 boxes with limited warranty, so that might be
> the easiest option for those worried about XP being compromised.
> Anyone thinking about doing that should do it soon before supplies
> run out.
>

If you believe the hype, your XP box will be dead soon so you have
nothing to lose by trying Linux on it.

Download and burn an ISO to CD then boot the XP machine with it.
If you haven't played with Linux recently, you will be surprised.

If you take the plunge and install it (therefore wiping out your
Windows programs) there are lots of freeware Linux programs.
Post a list of your can't-live-without Windows programs, maybe
we here can recommend a Linux replacement.



technomaNge
--
Old dogs call me old!

Steve Hayes

Apr 4, 2014, 10:36:40 PM
askSam, Inmagic, Family History System,

Bear in mind that the Linux replacement needs to be able to import all
existing data.

But this post was not about replacing one OS by another, but the danger that
users of Windows Security Essentials who do not disable it and use another AV
program may find that they are getting updates from crackers.

PDFrank

Apr 5, 2014, 1:20:22 AM
I dug out my old Windows 98 SE disk. It still runs as great as ever.
Does everything I need. No one's writing viruses for Windows 98 anymore.

And if something bad happens, I'll just reinstall it again.

Runs all my older programs, too!

Still have my Windows 95 disk if I REALLY need it.

Alan Ralph

Apr 5, 2014, 6:08:19 AM
On 04/04/2014 13:03, Mark Warner wrote:
> On 04/03/2014 04:03 PM, Alan Ralph wrote:
>> It baffles me that PC makers are quick to flog online backup solutions
>> with new PCs that may or may not be effective if the customer doesn't
>> have a fast broadband connection
>
> They're getting paid to do so.

In some cases, that is probably true. In other cases, where the online
backup service is branded to the manufacturer (e.g. Dell), I suspect
there's an element of revenue-sharing as well between the PC maker and
the provider of the online backup service.

Alan

technomaNge

Apr 5, 2014, 10:22:17 AM
On 04/04/2014 09:36 PM, Steve Hayes wrote:
>
> askSam, Inmagic, Family History System,
>
> Bear in mind that the Linux replacement needs to be able to import all
> existing data.
>
> But this post was not about replacing one OS by another, but the danger that
> users of Windows Security Essentials who do not disable it and use another AV
> program may find that they are getting updates from crackers.
>
>
I'm declaring this to be off-topic since I failed to follow the subject.

But for the record, askSam and Inmagic have been reported to work
in Linux using Wine.

Without further knowledge of the OP's programs, I can't make any
recommendations for Linux equivalents.



technomaNge
--
Mea culpa

Bubba

Apr 5, 2014, 8:45:01 PM
I do appreciate yours and everyone else's replies and suggestions.
I really am too old and lazy to learn another OS, and I know there
are many freeware alternatives to the old standby M$ programs, some
of which will run under Linux. Omnimix, for example, will not.

At this point, I'll take the wait and see approach. I've backed up
the user files on the XP box, and I've installed Firefox 28.0, the
latest hosts update, completely disabled and uninstalled Java, and
apart from that I don't know what else to bother with. I'm going to
wait until after April 8th to see if MSE is getting reports of being
hacked or having other problems. Switching to another AV/AM may not
be worth the trouble. I'd just as soon get a newer W7 PC.

--
Bub

Mr. Jo Jo

Apr 10, 2014, 5:57:39 PM


"Steve Hayes" wrote in message
news:cchaj9h45dqsae34a...@4ax.com...
*********************************************************************************

Personally, I'm happy to see it go. It was great in its time.
