URGENT – Windows XP Advisory to the Caribbean Region
From Caribbean Cyber Security Center
The Caribbean Cyber Security Center would like to urge all Caribbean businesses, governments, and home users running the Microsoft Windows XP operating system (OS) to aggressively plan to upgrade from Windows XP, which is no longer being supported by Microsoft as of April 8th 2014.
So what exactly does that mean to you as a Windows XP business, government or home user?
It means that Microsoft will not be doing two key things needed to protect your Windows XP computer in today’s rapidly expanding cyber war being waged against the Caribbean by cyber criminals and hackers: (1) Microsoft will not be providing any XP system or security updates, which means that hackers and cyber-criminals will be able to compromise systems running Windows XP with growing ease; and (2) if you have problems related to Windows XP, Microsoft will not be providing any free support, as you will now have to pay Microsoft for extended support.
It was recently reported that the U.S. Internal Revenue Service (IRS), which missed its April 8th deadline to upgrade its systems running Windows XP, had to pay Microsoft millions for extended XP support. Microsoft XP extended support is being reported at an estimated cost of $200.00US per system for the first year, which ironically is the approximate cost of upgrading to Windows 8.
In line with our Caribbean Cyber Security Predictions for 2014 announced in January, Windows XP has been one of the most vulnerable operating systems for some time now, with known Windows XP-enabled system breaches and compromises worldwide. Cyber criminals and hackers know the weaknesses in Windows XP and are expected to target Caribbean businesses and home computers running XP as an easy operating system to hack, in order to steal a wide range of business and personal data (bank account information, PINs, passwords etc.).
To Put it in Simpler Terms
If you found out that thousands of criminals worldwide (not just in Barbados) had the keys to your house and knew your house address (IP (internet protocol) address in this case), would you not change all the locks right away no questions asked?
The same thinking applies to upgrading from Windows XP, as cyber criminals know all the security holes and vulnerabilities in Windows XP and how to breach them within minutes to gain access to your business or home computer. As part of the cyber-crime process, a country the size of Barbados can easily be scanned within a matter of hours for systems running Windows XP that are connected to the internet. It is therefore not hard for cyber criminals and hackers to find your Windows XP system if it is connected to the internet.
Take this Windows XP Alert Seriously?
While the Caribbean is in unprecedented economic times with smaller and smaller budgets on all fronts, it remains critical that business/government leaders and the average home user understand that being “penny wise” and not upgrading from Windows XP is also being “pound foolish”, as the cost of a system breach or data theft can be 100 times more than simply upgrading your system.
The Caribbean Windows XP Critical Infrastructure Concern
Critical infrastructure is the backbone of our regional economy, security and health. We know it as the power we use in our homes, the water we drink, the communication systems we rely on to stay in touch with business partners, friends and family. Additionally it includes the supporting IT assets, systems, and networks, so vital to our region that their incapacitation would have a debilitating effect on security, national economic security. It is estimated that many critical infrastructure systems in the Caribbean may still have critical functions and applications running on Windows XP; therefore it is critical that regional governments migrate these systems from Windows XP as soon as possible.
The risk accepted by any regional critical infrastructure system owner running Windows XP prior to April the 8th 2014 has now significantly changed to a much higher risk profile.
So what MUST you do?
(1) If having available funds to upgrade from Windows XP to Windows 7 or 8 is a challenge, at the very minimum, as a short-term measure, you should update your Windows XP system or systems to the latest service pack (which is Service Pack 3) and ensure that all previously released system and security updates are applied. However, at the first opportunity you should upgrade to Windows 7 or 8. (2) All security experts agree that Windows XP users should take extra special caution when storing their most sensitive information on their PCs, such as banking and credit card data. At the very most, do not store sensitive information in documents or plain text files. This type of information should always be encrypted in order to help mitigate risk.
For those with the financial resources, extended support for Windows XP is available but estimated to cost approximately $200.00US per system for the first year, as previously stated. Although this may seem expensive, it pales in comparison to the likely costs of recovery or harm to brand reputation after an XP-enabled security incident occurs. Additionally, as with all computers, always make sure you are running a legitimate anti-virus, malware, and spyware program that is routinely updated.
Conclusion:
In some cases the potential business or government reputational damage that can occur as the result of a Windows XP-enabled breach can be significant, costly, and extremely hard to recover from. The last thing we in the region need right now is for investors to question our decision-making abilities, asking the question, “why did they not upgrade from Windows XP to prevent that network breach and data theft”. Simply saying you were “keeping IT cost down” or “it was not in the budget”, which unfortunately is a common post-security-incident response from many IT managers, will not be a smart answer however you look at it.
At the end of the day it is critical that you upgrade your Windows XP system or systems to a supported Microsoft Windows operating system (Windows 7 or 8) and apply all the available system and security updates. Don’t be penny wise and pound foolish, as the Caribbean has been targeted and is under cyber-attack.
Cyber criminals and hackers are using our low regional level of cyber security awareness against us, which is why the Caribbean Cyber Security Center is doing our part to raise the overall level of cyber security awareness across the region. Additionally, they are using our cultural norm to be slow to act against us, which is why we at the Caribbean Cyber Security Center need your support to protect our cyber shores as effective cyber security is “everyone’s responsibility”.
Author: James Bynoe, Caribbean Cyber Security Center
CEO/Senior Cyber Security Consultant
Related story:
Windows XP is a much greater risk than Heartbleed
Heartbleed has dominated headlines for over a week, but that one vulnerability pales in comparison to the threat from hundreds of millions of Windows XP systems.
You’ve probably noticed that the Heartbleed vulnerability in OpenSSL has gotten a ton of attention. You know a computer security issue is a big deal when even local news and late night TV hosts are talking about it. Despite the hype and hoopla, though, there’s another threat out there that makes Heartbleed seem trivial by comparison: Windows XP.
Heartbleed is significant because it could enable an attacker to expose or intercept sensitive information that should be encrypted. It’s a big deal when things like passwords and credit card information can be easily compromised. Andrew Storms, senior director of DevOps for CloudPassage, told me, “This is probably one of the more serious bugs I’ve seen in my 15 years of working in the security industry,” and that sentiment has been echoed by a number of security experts.
So, what makes Windows XP a bigger security concern than Heartbleed? Well, the same reason that the expiration of support for Windows XP was not a “Y2K” event, as some had described it.
When April 8, 2014, passed by and Windows XP machines continued working just like the day before, and the world didn’t come to a crashing halt, there were probably many businesses and individuals stubbornly continuing to use Windows XP who thought — or possibly even said out loud — “See? I told you it wasn’t a big deal.” However, that smug hubris will eventually come back to bite them and will have security implications for the rest of us who share the internet with them as well.
Just as Y2K was a specific event, Heartbleed was just one vulnerability. It was identified, a patch was developed, and the world was put on notice. Now, we can move on. It was an isolated moment in time.
Windows XP, on the other hand, is now a permanent, ongoing “zero day” vulnerability. If attackers are smart and stealthy, we may not even know how many vulnerabilities are discovered in Windows XP from this point on — or how critical they are. There won’t be any more patches or updates, so it’s permanently at risk.
We need to stop looking at security as a thing and more as a process — it is a verb, not a noun. There’s an ongoing circle of life where weaknesses and vulnerabilities are discovered and corrected in a co-evolution of attackers and defenders.
“XP, on the other hand, has stopped evolving and any vulnerability discovered from April 8, 2014, into the future will remain a danger to everyone connected to the Internet,” declares TK Keanini, CTO of Lancope. “The only solution for XP at this point is to make it go away — rid it from existence. Everyone needs to do their part to get rid of it, because if we don’t, in this connected world, it will ultimately be a bad thing for everyone.”
Tim Erlin, director of IT security and risk strategy for Tripwire, shared some thoughts as well. “No one is surprised by the Windows XP risk. Still, the risk presented by XP is going to get worse over time, not better. As a risk, Windows XP is much harder to mitigate than Heartbleed because replacing an entire platform is a more difficult task than updating a library.”
I spoke with Evolve IP CTO Scott Kinka, who explained the root of the problem. He told me, “At this point, our best prospects are actually our worst customers.”
To put it another way, the companies and individuals who most need the wakeup call about Windows XP are also the least likely to hear it or take action. Many cite financial reasons as a justification for not upgrading off of Windows XP, or investing in some sort of managed solution or virtualization platform to continue using Windows XP more securely, but the simple reality is that there will also be a significant cost of continuing to use Windows XP. At this point, spending no money isn’t really an option — it’s just a matter of whether you spend the money to proactively address the situation or spend it cleaning up the mess after it’s too late.
Keanini summed up the pervasive threat of Windows XP: “Hunt down expired versions of XP and terminate it!”