Microsoft will drop support of Windows XP on April 8, 2014, 12 ½ years after its birth on October 25, 2001 creating new security risks for SaaS vendors and IT. Computerworld predicts many hackers are waiting to launch Windows XP exploits after Microsoft ceases to address new vulnerabilities. Why would a hacker release malware before April 8, 2014 when they know any new exploit won’t be fixed after April 8?
A lot of PCs running Windows XP will be infected after April 9, 2014.
Is Anyone Not Getting Hacked?
Even before the potential Windows XP apocalypse, the number of breaches in large public websites is alarming.
| Date | What was Breached | Company |
| Jun-12 | 6.5 million passwords | |
| Jan-13 | Unauthorized email access | New York Times, Wall Street Journal |
| Feb-13 | Email addresses | Twitter, Pinterest, Tumblr, Zendesk |
| Feb-13 | Hacked by Anonymous | |
| Feb-13 | Servers compromised | |
| Mar-13 | Passwords | Evernote |
| Jul-13 | Passwords | Tumblr |
| Nov-13 | 110 million credit cards | Target |
| Nov-13 | Usernames & passwords | Facebook, Yahoo, LinkedIn, Twitter |
| Jan-14 | Usernames & phone numbers | SnapChat |
| Jan-14 | Credit card information | Neiman Marcus |
| Jan-14 | Passwords | Yahoo |
You don’t want to be the next company on the list…
What, me worry?
“As you may have read, there’s been a recent uptick in large-scale security attacks aimed at U.S. technology and media companies. Within the last two weeks, the New York Times and Wall Street Journal have chronicled breaches of their systems, and Apple and Mozilla have turned off Java by default in their browsers.”
Twitter blog post, February 1, 2014
If you think Microsoft no longer fixing Windows XP security exploits is not a problem for your organization, think again. Those Windows XP machines will be targeted for malware once Microsoft stops making security fixes. Those infected PCs will become “bots” aka zombies being controlled by nefarious organizations to launch digital attacks and deliver malware to other PCs and IT organizations.
Over 100 million PCs run Windows XP, including 95% of the ATMs, according to Bloomberg Business Week. The percent of PCs running Windows XP has been declining only about 1% per month, indicating there will be tens of millions of unprotected PCs beginning in April of 2014.
The January 2014 results by NetMarketShare actually indicated the World Wide market share from XP rose b6 .25% in January. This may not be statistically significant, but it is going in the wrong direction.
| Windows XP Market Share | December 2012 | December 2013 | Source |
| World Wide | 39% | 29% | NetMarketShare |
| China | 64% | 50% | StatCounter |
| United States | 15% | 12% | StatCounter |
China originates more digital attacks than any other country. China has more PCs running XP than any other country leading to the likelihood of even more bots from China attacking the Internet connected computing infrastructure. The origin of the attacks changes daily — China is far from the only source of digital attacks. What doesn’t change is the majority of the attacks target the U.S.
The animation below, provided by Google, shows the attacks each day over the last year.
The Nature of Botnet Attacks
Malware and digital attacks take many forms, but the common thread is that they are generally delivered by botnets. These botnet attacks include:
1) Scanning for insecure computing perimeter defenses (starting with open ports and increasing in sophistication from there).
2) Scanning for application vulnerabilities.
3) Perpetrating “Click Fraud” by simulating legitimate clicks.
4) Taking down websites through DDoS (Distributed Denial of Service) attacks.
In the case of scanning for vulnerabilities, once a potential exploit is identified, a directed attack is undertaken to steal information, take control of these systems or otherwise exploit them.
What to do?
The risks from the discontinuation of Window XP vulnerability fixes is substantial. Now is the time to up the security of your computing systems be it PCs or servers against the anticipated rise in attacks.
Secure Your Perimeter Defenses
Start with the basics – the perimeter defenses, such as firewalls (including Web Application Firewalls), Intrusion Detection and Prevention Systems (IDS/IPS), and load balancers should be hardened and verified to provide the first level of defense. It is important to do real-time packet inspection and analysis of traffic to detect early evidence of DDoS attacks. Software that identifies known attack sources and their signatures is another important tool for threat identification and remediation. It is important to keep web attack signatures up to date.
Other risks include Password Cracking where botnets attempt brute force attacks to guess common passwords and computationally based social engineering to gain access to “secure” systems.
Harden your Applications from Vulnerabilities
With more botnets in the wild, there will be more botnets scanning for application vulnerabilities. The recent breaches of credit card and personnel information from large retailers demonstrates that currently practiced security procedures have not prevented criminal organizations from inserting malware into systems believed to be protected. PCI-DSS compliance is clearly not sufficient on its own.
These botnets will scan for a variety of application vulnerabilities such as the two most widely exploited application vulnerabilities, SQL Injection and Cross Site Scripting. Now is the time to identify and fix these application weaknesses.
Protect against Click Fraud
Botnets are adept at impersonating humans for economic gain. CAPTCHA programs help separate real people from bots, though bots are becoming increasingly proficient at fooling these systems. It is important to use analytics to identify and eliminate click fraud through suspicious patterns of activity.
Increase your DDoS Defenses
Countermeasures should be in place to detect, block and deflect DDoS traffic. There are many choices of software and appliances to provide these defenses. Additionally, Content Delivery Networks (CDNs) may include DDoS defense mechanisms such as KONA by Akamai.
It is important to work with your hosting provider to validate strategy and infrastructure capabilities to protect your site against DDoS attacks.
Encrypt the Data
Beyond working to prevent unauthorized access to your company’s data, it is essential that access to the encrypted data doesn’t mean use of the unencrypted data.
There has been an unacceptable level of data breaches from companies who have not used best encryption practices in securing their customer’s data from LinkedIn to Evernote to Snapchat to Target. Password files should both be encrypted and salted to avoid brute force attacks on stolen password files that can reverse engineer common passwords.
Customer information should be encrypted both when stored and when transmitted. It is amazing often this is not done…
How Bad Will It Be?
We don’t know. What can be said with certainty is there will be more infected PCs hosting bots; therefore, more attacks are likely.
We didn’t know the impact of Y2K some years back. Planes didn’t actually fall out of the sky, but the proactive efforts to address the Y2K problem kept us from having a larger problem.
It is always prudent to harden your systems against malware threats as they continue to become more sophisticated. The likely increase of attacks after the end of XP security fixes is high.
A Little Good News
Microsoft announced on January 16 it would continue to provide virus signature updates until July 14, 2015. While this doesn’t solve the problem of new exploits targeting Windows XP, which won’t be prevented by Microsoft’s patches, it does help in that Microsoft will identify a number of these threats.
Conclusion
Security threats are a part of living in the digital world. The sophistication of the attacks increases every year while the IT community works to mitigate these threats in a never-ending cat and mouse game.
With the elimination of security updates to Windows XP on April 8, 2014 and the discontinuation of virus signature updates on July 14, 2015, assume the number of digital attacks will increase; Probably significantly.
Security is a complex area where experience and expertise are essential. Start with the basic and get your perimeter protected, your data encrypted, and your access methods fortified from both human and machine attacks.
Now is the time to work with your hosting provider and other security experts to devise a strategy to address the potential of an increasing level of threats.
It’s better to be safe than sorry. Just ask Target and their customers…
