Discussion:
Be Wary: Hackers are Readying Security Updates for XP Users
(too old to reply)
Steve Hayes
2014-03-28 09:50:32 UTC
Permalink
Be Wary: Hackers are Readying Security Updates for XP Users
Thursday, March 27, 2014
Contributed By:
Tripwire Inc

By: Katherine Brocklehurst

After April 8, you should be very watchful and wary of ‘security updates’ for
Microsoft systems and here’s why: Microsoft ends its support on that date for
Windows XP. Timothy Rains, director of trustworthy computing at Microsoft says
“the probability of attackers using security updates for Windows 7, 8, and
Vista to attack Windows XP is about 100 percent.”

The significance of this long-foretold moment may be felt hardest by the
financial, retail, and energy industries as well as government. The majority
of ATMs, many Point-of-Sale (POS) systems, lots of systems within our critical
infrastructure environments (and certainly our power grid), and a large
percentage of government systems are still running this version of Microsoft’s
2001 operating system (in many cases, it’s embedded XP, which Microsoft has
committed to supporting a while longer, but some do have regular XP OS in
place).

Approximately 40% of PC users still run desktop versions of Windows XP as
well. Windows XP has been regarded by many as the best version of Windows
ever. As with all Microsoft OS’s, it’s certainly been patched a lot. Check out
this list of XP CVEs. And in 2007 people flatly refused to upgrade even though
Microsoft tried to move people off of it then.

The good news is (per Microsoft) – there’s a fix! Upgrade to Windows 8.1 – an
OS that has been fraught with highly publicized vulnerabilities since it
launched. Or, potentially purchase support from Microsoft at a fat price tag.
(What are they quoting your organization for individualized XP software
support, and how encompassing is it? – I’d love to hear…I’ve heard that
support in year two could incur a five-times multiple!)

Here’s the bad news – ATMs are a sweet spot for hackers – and many
well-organized groups have hit the news with successful cash grabs, and now
they’re about to become an even easier target. Estimates are that 95% of bank
ATM machines will be vulnerable to XP hackers after April 8.

The ATM industry is a patchwork of thousands of terminals that range from
national banks and their satellite cash locations to individual
convenience-store, doughnut shop, beach-side delis, and out-moded ATMs on back
roads. It’s difficult to get these systems all upgraded at once, and many
machines cannot be updated remotely.

Many may require a complete physical replacement since they can’t be upgraded
due to lack of computing power. Aravinda Korala, CEO of ATM software provider
KAL, believes only 15 percent of ATMs in the U.S. will be upgraded by April 8.
Many banks are paying Microsoft to extend support for XP on cash machines
while they make the switch to Windows 7, according to Reuters.

So while it’s not quite the apocalypse, it is going to be a very sketchy
period of time for XP users. Hackers will have significant opportunity with
XP, and you should ready your organization. Suggestions are that if you can’t
securely upgrade before April 8, at least prepare to harden your
configurations as much as possible in advance, and definitely step up security
awareness within your user environment.

This was cross-posted from Tripwire's The State of Security blog.

http://www.infosecisland.com/blogview/23696-Be-Wary-Hackers-are-Readying-Security-Updates-for-XP-Users-.html
--
Steve Hayes from Tshwane, South Africa
Web: http://www.khanya.org.za/stevesig.htm
Blog: http://khanya.wordpress.com
E-mail - see web page, or parse: shayes at dunelm full stop org full stop uk
Bubba
2014-04-03 17:21:55 UTC
Permalink
Post by Steve Hayes
Be Wary: Hackers are Readying Security Updates for XP Users
Thursday, March 27, 2014
Tripwire Inc
By: Katherine Brocklehurst
After April 8, you should be very watchful and wary of ‘security updates’ for
Microsoft systems and here’s why: Microsoft ends its support on that date for
Windows XP. Timothy Rains, director of trustworthy computing at Microsoft says
“the probability of attackers using security updates for Windows 7, 8, and
Vista to attack Windows XP is about 100 percent.”
The significance of this long-foretold moment may be felt hardest by the
financial, retail, and energy industries as well as government. The majority
of ATMs, many Point-of-Sale (POS) systems, lots of systems within our critical
infrastructure environments (and certainly our power grid), and a large
percentage of government systems are still running this version of Microsoft’s
2001 operating system (in many cases, it’s embedded XP, which Microsoft has
committed to supporting a while longer, but some do have regular XP OS in
place).
Approximately 40% of PC users still run desktop versions of Windows XP as
well. Windows XP has been regarded by many as the best version of Windows
ever. As with all Microsoft OS’s, it’s certainly been patched a lot. Check out
this list of XP CVEs. And in 2007 people flatly refused to upgrade even though
Microsoft tried to move people off of it then.
The good news is (per Microsoft) – there’s a fix! Upgrade to Windows 8.1 – an
OS that has been fraught with highly publicized vulnerabilities since it
launched. Or, potentially purchase support from Microsoft at a fat price tag.
(What are they quoting your organization for individualized XP software
support, and how encompassing is it? – I’d love to hear…I’ve heard that
support in year two could incur a five-times multiple!)
Here’s the bad news – ATMs are a sweet spot for hackers – and many
well-organized groups have hit the news with successful cash grabs, and now
they’re about to become an even easier target. Estimates are that 95% of bank
ATM machines will be vulnerable to XP hackers after April 8.
The ATM industry is a patchwork of thousands of terminals that range from
national banks and their satellite cash locations to individual
convenience-store, doughnut shop, beach-side delis, and out-moded ATMs on back
roads. It’s difficult to get these systems all upgraded at once, and many
machines cannot be updated remotely.
Many may require a complete physical replacement since they can’t be upgraded
due to lack of computing power. Aravinda Korala, CEO of ATM software provider
KAL, believes only 15 percent of ATMs in the U.S. will be upgraded by April 8.
Many banks are paying Microsoft to extend support for XP on cash machines
while they make the switch to Windows 7, according to Reuters.
So while it’s not quite the apocalypse, it is going to be a very sketchy
period of time for XP users. Hackers will have significant opportunity with
XP, and you should ready your organization. Suggestions are that if you can’t
securely upgrade before April 8, at least prepare to harden your
configurations as much as possible in advance, and definitely step up security
awareness within your user environment.
This was cross-posted from Tripwire's The State of Security blog.
http://www.infosecisland.com/blogview/23696-Be-Wary-Hackers-are-Readying-Security-Updates-for-XP-Users-.html
You can bet that the scripted television "news" headlines are going
to pitch for Micro$oft using scare tactics to promote Windows 8x devices
and upgrades. These uber-corporations work absolutely in lockstep
with Big Brother, and Windows 8x is the line in the sand.

Tech gurus are emphasizing the importance of backing up all user files
on XP machines to portable storage media before the April 8th deadline,
and that people should backup their user files no matter what OS or
device they're using. But "cloud" storage? Not for me.

Over on the alt.comp.freeware newsgroup there's apt to be increased
discussion on what freeware programs can help to minimize security
risks on an XP machine connected to the Internet, e.g Firefox as the
default browser, hosts updates, disabling Java, and so forth. I would
imagine that Linux is going to get a lot more attention. I just wish
that Linux was more standardized and not divided into so many "flavors
of the month." Buying a new or used Windows 7 x64 machine or upgrade
might be another option. 500 million XP users are about to find out.
--
Bub
Joe Zeff
2014-04-03 18:18:24 UTC
Permalink
I just wish that Linux was more standardized and not divided into so
many "flavors of the month."
I'm a Linux user and I'm glad it isn't. If I don't like the direction
one distro or one DE is going in, I'm free to switch to a different one
that fits my needs better. As an example, when I learned what Gnome 3
was going to be like, I started looking around for an alternative and by
the time it came out, I'd migrated to Xfce. With Linux, it's all about
choice.
--
Joe Zeff -- The Guy With The Sideburns:
http://www.zeff.us http://www.lasfs.info
China. It's the new Nazi. :-) Reductio egg fu yung.
Auric__
2014-04-03 20:18:01 UTC
Permalink
Post by Joe Zeff
I just wish that Linux was more standardized and not divided into so
many "flavors of the month."
I'm a Linux user and I'm glad it isn't. If I don't like the direction
one distro or one DE is going in, I'm free to switch to a different one
that fits my needs better. As an example, when I learned what Gnome 3
was going to be like, I started looking around for an alternative and by
the time it came out, I'd migrated to Xfce. With Linux, it's all about
choice.
Within limits. A lot of things in Linux are "If you don't like it, write your
own."
--
Graffiti should be obscene and not heard.
Mark Warner
2014-04-03 20:47:44 UTC
Permalink
Post by Auric__
Post by Joe Zeff
I just wish that Linux was more standardized and not divided into so
many "flavors of the month."
I'm a Linux user and I'm glad it isn't. If I don't like the direction
one distro or one DE is going in, I'm free to switch to a different one
that fits my needs better. As an example, when I learned what Gnome 3
was going to be like, I started looking around for an alternative and by
the time it came out, I'd migrated to Xfce. With Linux, it's all about
choice.
Within limits. A lot of things in Linux are "If you don't like it, write your
own."
Perhaps. But many times that's the response given to those who refuse to
be satisfied with the available choices.
--
Mark Warner
...lose .inhibitions when replying
Bubba
2014-04-04 02:25:17 UTC
Permalink
Post by Mark Warner
Post by Auric__
Post by Joe Zeff
I just wish that Linux was more standardized and not divided into so
many "flavors of the month."
I'm a Linux user and I'm glad it isn't. If I don't like the direction
one distro or one DE is going in, I'm free to switch to a different one
that fits my needs better. As an example, when I learned what Gnome 3
was going to be like, I started looking around for an alternative and by
the time it came out, I'd migrated to Xfce. With Linux, it's all about
choice.
Within limits. A lot of things in Linux are "If you don't like it, write your
own."
Perhaps. But many times that's the response given to those who refuse to
be satisfied with the available choices.
I've never even tried Linux, but I've been reading more about it
with XP about to go bust. If I can stick with Windows I'd rather
do that because many of my programs require Windows to run them.
Plus, I'm an old dog who really doesn't want to learn new tricks.

My primary computer is using Windows 7 x64, so I may just take the
older XP off-line and call it a day. Some electronics stores sell
refurbished Windows 7 boxes with limited warranty, so that might be
the easiest option for those worried about XP being compromised.
Anyone thinking about doing that should do it soon before supplies
run out.
--
Bub
Joe Zeff
2014-04-04 06:17:33 UTC
Permalink
If I can stick with Windows I'd rather do that because many of my
programs require Windows to run them.
There's always Wine, an OSS recreation of the Windows API that lets you
run most (not all) Windows programs under Linux. Of course, if you're
happy with Windows, there's no reason to change.
--
Joe Zeff -- The Guy With The Sideburns:
http://www.zeff.us http://www.lasfs.info
I'll have to try and get an item written into the DR plan specifying a
run to Krispy Kreme for sysadmin fuel, since it'd no doubt be a long
night ahead.
technomaNge
2014-04-05 01:53:56 UTC
Permalink
Post by Bubba
My primary computer is using Windows 7 x64, so I may just take the
older XP off-line and call it a day. Some electronics stores sell
refurbished Windows 7 boxes with limited warranty, so that might be
the easiest option for those worried about XP being compromised.
Anyone thinking about doing that should do it soon before supplies
run out.
If you believe the hype, your XP box will be dead soon so you have
nothing to lose by trying Linux on it.

Download and burn an ISO to CD then boot the XP machine with it.
If you haven't played with Linux recently, you will be surprised.

If you take the plunge and install it (therefore wiping out your
Windows programs) there are lots of freeware Linux programs.
Post a list of your can't-live-without Windows programs, maybe
we here can recommend a Linux replacement.



technomaNge
--
Old dogs call me old!
Steve Hayes
2014-04-05 02:36:40 UTC
Permalink
Post by technomaNge
Post by Bubba
My primary computer is using Windows 7 x64, so I may just take the
older XP off-line and call it a day. Some electronics stores sell
refurbished Windows 7 boxes with limited warranty, so that might be
the easiest option for those worried about XP being compromised.
Anyone thinking about doing that should do it soon before supplies
run out.
If you believe the hype, your XP box will be dead soon so you have
nothing to lose by trying Linux on it.
Download and burn an ISO to CD then boot the XP machine with it.
If you haven't played with Linux recently, you will be surprised.
If you take the plunge and install it (therefore wiping out your
Windows programs) there are lots of freeware Linux programs.
Post a list of your can't-live-without Windows programs, maybe
we here can recommend a Linux replacement.
askSam, Inmagic, Family History System,

Bear in mind that the Linux replacement needs to be able to import all
existing data.

But this post was not about replacing one OS by another, but the danger that
users of Windows Security Essentials who do not disable it and use another AV
program may find that they are getting updates from crackers.
--
Steve Hayes from Tshwane, South Africa
Web: http://www.khanya.org.za/stevesig.htm
Blog: http://khanya.wordpress.com
E-mail - see web page, or parse: shayes at dunelm full stop org full stop uk
technomaNge
2014-04-05 14:22:17 UTC
Permalink
Post by Steve Hayes
askSam, Inmagic, Family History System,
Bear in mind that the Linux replacement needs to be able to import all
existing data.
But this post was not about replacing one OS by another, but the danger that
users of Windows Security Essentials who do not disable it and use another AV
program may find that they are getting updates from crackers.
I'm declaring this to off-topic since I failed to follow the subject.

But for the record, askSam and Inmagic have been reported to work
in Linux using Wine.

Without further knowledge of the OP's programs, I can't make any
recommendations for Linux equivalents.



technomaNge
--
Mea culpa
Bubba
2014-04-06 00:45:01 UTC
Permalink
Post by technomaNge
Post by Steve Hayes
askSam, Inmagic, Family History System,
Bear in mind that the Linux replacement needs to be able to import all
existing data.
But this post was not about replacing one OS by another, but the danger that
users of Windows Security Essentials who do not disable it and use another AV
program may find that they are getting updates from crackers.
I'm declaring this to off-topic since I failed to follow the subject.
But for the record, askSam and Inmagic have been reported to work
in Linux using Wine.
Without further knowledge of the OP's programs, I can't make any
recommendations for Linux equivalents.
technomaNge
I do appreciate yours and everyone else's replies and suggestions.
I really am too old and lazy to learn another OS, and I know there
are many freeware alternatives to the old standby M$ programs, some
of which will run under Linux. Omnimix, for example, will not.

At this point, I'll take the wait and see approach. I've backed up
the user files on the XP box, and I've installed Firefox 28.0, the
latest hosts update, completely disabled and uninstalled Java, and
apart from that I don't know what else to bother with. I'm going to
wait until after April 8th to see if MSE is getting reports of being
hacked or having other problems. Switching to another AV/AM may not
be worth the trouble. I'd just as soon get a newer W7 PC.
--
Bub
PDFrank
2014-04-05 05:20:22 UTC
Permalink
I dug out my old Windows 98 SE disk. It still runs as great as ever.
Does everything I need. No one's writing viruses for Windows 98 anymore.

And if something bad happens, I'll just reinstall it again.

Runs all my older programs, too!

Still have my Windows 95 disk if I REALLY need it.
Joe Zeff
2014-04-04 06:15:01 UTC
Permalink
Post by Auric__
Within limits. A lot of things in Linux are "If you don't like it, write
your own."
That's more an issue with developers than with the OS itself. Remember,
most of the people are volunteers working on their own time on what they
want to work on, but if you look around, there's probably something out
there that does what you need.
--
Joe Zeff -- The Guy With The Sideburns:
http://www.zeff.us http://www.lasfs.info
By Grabnor's hammer, you *will* be avenged!
-Galaxy Quest
Alan Ralph
2014-04-03 20:03:04 UTC
Permalink
Post by Bubba
You can bet that the scripted television "news" headlines are going
to pitch for Micro$oft using scare tactics to promote Windows 8x devices
and upgrades. These uber-corporations work absolutely in lockstep
with Big Brother, and Windows 8x is the line in the sand.
To date, I've not seen that much TV discussions about the implications
of the impending end of support for XP here in the UK. Where there has
been advice, it has been to see if your existing machine can be upgraded
- even the cheapest new PC system is still a big outlay for some households.
Post by Bubba
Tech gurus are emphasizing the importance of backing up all user files
on XP machines to portable storage media before the April 8th deadline,
and that people should backup their user files no matter what OS or
device they're using. But "cloud" storage? Not for me.
Well, I'm glad that message is getting out. It baffles me that PC makers
are quick to flog online backup solutions with new PCs that may or may
not be effective if the customer doesn't have a fast broadband
connection, but don't think to include an external hard disk as part of
a system package.
Post by Bubba
Over on the alt.comp.freeware newsgroup there's apt to be increased
discussion on what freeware programs can help to minimize security
risks on an XP machine connected to the Internet, e.g Firefox as the
default browser, hosts updates, disabling Java, and so forth. I would
imagine that Linux is going to get a lot more attention. I just wish
that Linux was more standardized and not divided into so many "flavors
of the month." Buying a new or used Windows 7 x64 machine or upgrade
might be another option. 500 million XP users are about to find out.
Those are all worthwhile measures, and in fact all users should consider
taking steps to minimise their potential security risk, including those
of us with Macs.

Alan
Joe Zeff
2014-04-04 06:25:52 UTC
Permalink
Post by Alan Ralph
Well, I'm glad that message is getting out. It baffles me that PC makers
are quick to flog online backup solutions with new PCs that may or may
not be effective if the customer doesn't have a fast broadband
connection, but don't think to include an external hard disk as part of
a system package.
Agreed. Everybody should make regular backups to media that they
control. I have a 16GB flash drive that I reformatted to ext4 and use
for backing up my Linux box. Currently, it has 30.5GB of data and 8.3GB
of freespace. (No, that's not a typo; my backup software uses symbolic
links to back up files that haven't changed, and you can't do that on a
FAT or VFAT file system although I think you can on NTFS.)
--
Joe Zeff -- The Guy With The Sideburns:
http://www.zeff.us http://www.lasfs.info
Sometimes, if you wanted to go to the ball,
you had to be your own fairy godmother.
Mark Warner
2014-04-04 12:03:05 UTC
Permalink
Post by Alan Ralph
It baffles me that PC makers
are quick to flog online backup solutions with new PCs that may or may
not be effective if the customer doesn't have a fast broadband
connection
They're getting paid to do so.
--
Mark Warner
MEPIS Linux
Registered Linux User #415318
...lose .inhibitions when replying
Alan Ralph
2014-04-05 10:08:19 UTC
Permalink
Post by Mark Warner
It baffles me that PC makers are quick to flog online backup solutions
with new PCs that may or may not be effective if the customer doesn't
have a fast broadband connection
They're getting paid to do so.
In some cases, that is probably true. In other cases, where the online
backup services is branded to the manufacturer (e.g. Dell), I suspect
there's an element of revenue-sharing as well between the PC maker and
the provider of the online backup service.

Alan
Mr. Jo Jo
2014-04-10 21:57:39 UTC
Permalink
"Steve Hayes" wrote in message news:***@4ax.com...

Be Wary: Hackers are Readying Security Updates for XP Users
Thursday, March 27, 2014
Contributed By:
Tripwire Inc

By: Katherine Brocklehurst

After April 8, you should be very watchful and wary of ‘security
updates’ for
Microsoft systems and here’s why: Microsoft ends its support on that
date for
Windows XP. Timothy Rains, director of trustworthy computing at
Microsoft says
“the probability of attackers using security updates for Windows 7, 8,
and
Vista to attack Windows XP is about 100 percent.”

The significance of this long-foretold moment may be felt hardest by
the
financial, retail, and energy industries as well as government. The
majority
of ATMs, many Point-of-Sale (POS) systems, lots of systems within our
critical
infrastructure environments (and certainly our power grid), and a
large
percentage of government systems are still running this version of
Microsoft’s
2001 operating system (in many cases, it’s embedded XP, which
Microsoft has
committed to supporting a while longer, but some do have regular XP OS
in
place).

Approximately 40% of PC users still run desktop versions of Windows XP
as
well. Windows XP has been regarded by many as the best version of
Windows
ever. As with all Microsoft OS’s, it’s certainly been patched a lot.
Check out
this list of XP CVEs. And in 2007 people flatly refused to upgrade
even though
Microsoft tried to move people off of it then.

The good news is (per Microsoft) – there’s a fix! Upgrade to Windows
8.1 – an
OS that has been fraught with highly publicized vulnerabilities since
it
launched. Or, potentially purchase support from Microsoft at a fat
price tag.
(What are they quoting your organization for individualized XP
software
support, and how encompassing is it? – I’d love to hear…I’ve heard
that
support in year two could incur a five-times multiple!)

Here’s the bad news – ATMs are a sweet spot for hackers – and many
well-organized groups have hit the news with successful cash grabs,
and now
they’re about to become an even easier target. Estimates are that 95%
of bank
ATM machines will be vulnerable to XP hackers after April 8.

The ATM industry is a patchwork of thousands of terminals that range
from
national banks and their satellite cash locations to individual
convenience-store, doughnut shop, beach-side delis, and out-moded ATMs
on back
roads. It’s difficult to get these systems all upgraded at once, and
many
machines cannot be updated remotely.

Many may require a complete physical replacement since they can’t be
upgraded
due to lack of computing power. Aravinda Korala, CEO of ATM software
provider
KAL, believes only 15 percent of ATMs in the U.S. will be upgraded by
April 8.
Many banks are paying Microsoft to extend support for XP on cash
machines
while they make the switch to Windows 7, according to Reuters.

So while it’s not quite the apocalypse, it is going to be a very
sketchy
period of time for XP users. Hackers will have significant opportunity
with
XP, and you should ready your organization. Suggestions are that if
you can’t
securely upgrade before April 8, at least prepare to harden your
configurations as much as possible in advance, and definitely step up
security
awareness within your user environment.

This was cross-posted from Tripwire's The State of Security blog.

http://www.infosecisland.com/blogview/23696-Be-Wary-Hackers-are-Readying-Security-Updates-for-XP-Users-.html

*********************************************************************************

Personally, I'm happy to see it go. It was great in it's time.

Continue reading on narkive:
Loading...