Clock Counting Down on Windows XP Support

As Microsoft prepares to cut off support for Windows XP, hackers are sharpening their knives in anticipation of carving up the operating system’s carcass.

Web predators will pounce on XP 10 minutes after Microsoft pulls the support plug on the software, predicted one former military computer specialist and network engineer.

Indeed, it appears that information highwaymen are stockpiling ammunition for a series of assaults on the operating system.

“There are a number of zero-day exploits against Windows XP that have been already discovered but neither reported, nor used in order to be exploited after the support period has ended,” Bitdefender reported last week.

“These exploits could stay effective for years, causing damage to the user or company stuck with Windows XP,” the report warns. “If, up until now, XP customers had a bad time with malware because they were unable to apply hotfixes [for] different reasons, the situation will become worse as, even if the customers wanted, they would not have any new hotfixes to apply after April 2014.”

Feeding Frenzy

Stockpiles of zero day exploits aren’t the only vulnerabilities XP users will have to worry about after XP support disappears. Microsoft itself could provide hackers with weapons to attack the OS. That’s because each version of Windows shares code and logic from previous versions.

“If you were to find a defect in Windows 8, then that defect probably exists backwards to other Windows versions,” Adam Wosotowsky, a messaging data architect with McAfee, told TechNewsWorld.

So clever cybercriminals will be closely studying fixes for supported versions of Windows for clues to XP flaws.

“People can look at those patches and think, ‘What were they patching? I bet this same problem exists in XP, but it’s not patched because they’re no longer patching it,'” Wosotowsky said.

“The security of an operating system drops off a cliff when support ends. It’s not that defects exist in the code, it’s that they’re not getting patched,” he noted. “As Microsoft patches recent versions of Windows, it will become a feeding frenzy as hackers use those patches to attack XP.”

Office for iPad Security

Microsoft Office users who have longed for a version on their iPads had their wishes fulfilled last week.

Besides satisfying the desires of tablet users, the move also should be welcome by security pros, maintained Wolfgang Kandek, CTO of Qualys.

“The iPad is a much safer device than laptops and desktops. Software installed on it is controlled through the App Store, and the architecture is much newer than what you’d find on a typical Windows computer,” he told TechNewsWorld.

“Folding Office into the Apple ecosystem means it gets the same benefits as other apps in the ecosystem,” Kandek said.

“For example, you get a streamlined updating process. Many of the problems with software is that outdated, vulnerable versions are being used,” he explained. “We’d all be better off if we used the latest version of Office, which was engineered with malicious actors in mind.”

Dual Identities

Even with Apple’s walled garden model, though, some security concerns will continue to exist, especially since it will be easier to stuff sensitive corporate documents into an iPad and work on them there.

“If you’re working on Word docs and potentially sensitive PowerPoint presentations and storing them, then an enterprise needs to make sure those documents remain confidential and aren’t leaked,” Paul Madsen, a senior technical architect with Ping Identity, told TechNewsWorld.

As with native Apple apps, Microsoft is keen on linking what happens in Office for the iPad to its OneDrive cloud service. That too needs to be scrutinized in an enterprise environment.

“The security of how those documents are pushed up to Microsoft’s cloud is also critical,” Madsen said. “Identity management is necessary for both those pieces.”

To protect company Office files on an iPad that’s used for both work and personal tasks, it may be necessary to give the device a dual personality.

“If you want to reconcile the use of Office with Facebook, Angry Birds and personal email,” Madsen observed, “then the current trend is to turn that device into something that supports two identities: the dual persona model, where the enterprise can slice off a corner of the employee’s device, impose their own policy, and be confident of the security of their own data — but not impose Draconian rules on how the employee uses the rest of the device.”

Breach Diary

• March 24. Reports based on documents leaked by Edward Snowden reveal that the NSA spied on servers and executives of Chinese networking company Huawei Technologies.
• March 24. Microsoft reports vulnerability in its Word program that could allow a hacker to gain control of a computer. The flaw in RTF files can be activated without opening the file if viewed in Microsoft Outlook with its preview RTF files option enabled.
• March 24. Secure Domain Foundation, a multistakeholder organization, is launched to fight domain-based security threats.
• March 25. Cross-platform password manger LastPass releases version of its software for Android and Google Chrome in Android.
• March 25. French consumer group UFC-Que Choisir sues Google, Facebook and Twitter over data collection clauses in their privacy policies. It contends those provisions violate French law.
• March 25. Data breach notification bill introduced in New Mexico House of Representatives. Measure requires consumers be notified within 10 days of the discovery of a data breach that exposes unencrypted personal data of consumers.
• March 26. Two banks sue IBM company Trusteer claiming the company failed to adequately protect Target from hackers that breached the retailer’s systems last year and stole payment card and personal information of some 110 million customers. Trustmark National Bank and Green Bank N.A. are seeking US$5 million in damages from Trusteer and Target, also named as a defendant in the lawsuit.
• March 27. Yahoo reports government requests for information about its users declined in the second half of 2013 compared to the first half, to 21,425 from 29,740. Meanwhile, such requests jumped at Google to 27,477 from 25,879.
• March 27. Christian Decker and Roger Wattenhofer of the Distributed Computing Group at the Swiss Federal Institute of Technology Zurich release study discounting Mt. Gox bitcoin exchange operators’ claim that malleability attack was used to steal $500 million in bitcoins from the exchange.
• March 27. President Obama announces suspension of government’s bulk telephony metadata program. Data will remain with phone companies and may be only accessed by government agencies with a court order.

Upcoming Security Events

• April 1-2. SecureCloud 2014. Amsterdam RAI Convention Centre, Amsterdam, Netherlands. Registration (includes VAT): Through Feb. 14, 665.50 euros, government; 847 euros, business; After Feb. 14, 786.50 euros, government; 1,089 euros, business.
• April 1-3. 13th European Security Conference & Exhibition. World Forum, the Hague, the Netherlands. Registration: ASIS members, 970 euros; non-members, 1,170 euros.
• April 4-5. BSidesPR 2014. San Juan, Puerto Rico. Free.April 5. BSidesROC 2014. German House, 315 Gregaory St., Rochester, N.Y. Free with registration.
• April 5-6. BSides Orlando 2014. Wyndham Orlando Resort, Orlando, Fla. Ticket: $20.
• April 5-14. SANS 2014. Walt Disney World Dolphin Resort, Orlando, Fla. Job-based long courses: $3,145-$5,095. Skill-based short courses: $575-$3,950.
• April 7-9. InfoSec Conference & Expo 2014. Disney’s Contemporary Resort, Orlando, Fla. World Pass, $3,795; world Pass with Hands-On Track, $3,995.
• April 8. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
• April 8-9. IT Security Entrepreneurs’ Forum. Computer History Museum, 1401 North Shoreline Boulevard, Mountain View, Calif. April 8 workshops and April 9 forum and reception, $595. Forum and reception only, $495. Government employees, free. Students, $195. April 11-12. Women in Cybersecurity Conference. Nashville, Tenn.
• April 8-9. Secureworld Expo. DoubleTree by Hilton Hotel Philadelphia, Valley Forge, Pa. Registration: Conference, $295; with training, $695; exhibits and free sessions, $25.
• April 8. Impacts of Affordable Care Act on Patient Data. 2 p.m. ET. Ponemon Institute webinar. Free with registration.
• April 11-12. Women in CyberSecurity Conference. Nashville Airport Marriott, 600 Marriott Drive, Nashville, Tenn. Registration: student, $40; academic faculty, $100; corporate, $250.
• April 15-16. Secureworld Expo. Cobb Galleria Centre, Atlanta. Registration: Conference, $295; with training, $695; exhibits and free sessions, $25.
• April 17-18. Suits and Spooks Monterey. Monterey Institute of International Studies. Irvine Auditorium. Registration: members, $323; non-members, $380; government, military and academics, $175.
• April 26. BSides Chicago 2014. The Abbey Pub, 3420 W. Grace, Chicago. Free.
• April 27-28. BSides Dubai 2014. Free.
• April 29. BSides London 2014. Kensington & Chelsea Town Hall, Horton Street, London. Free.
• April 29. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
• April 29-May 1. InfoSecurity Europe. Earl’s Court, London. Admission: Free.
• April 30. Secureworld Expo. Hood Center, 452 South Anderson Rd., Rock Hill, SC. Registration: one day pass, $165; SecureWorld Plus, $545; VIP, $315; exhibits and open sessions, $25.
• May 9-10. B-Sides Boston 2014. New England Research & Development Center, Kendall Square, Cambridge, Mass. Fee: $20.
• May 9-10. B-Sides Algiers 2014. Ecole Nationale Suprieure d’Informatique, Oued Smar, Algiers. Free.
• May 10. B-Sides San Antonio 2014. Texas A&M, San Antonio-Brooks City Base. Fee: $10.
• May 20. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
• June 3. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
• June 5. Cyber Security Summit. Sheraton Premiere, Tysons Corner, Va. Registration: $250; government, $50.
• June 24. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
• June 21-30. SANS Fire. Hilton Baltimore, 401 W. Pratt St., Baltimore. Courses: by April 30, $1,249-$4,695; by May 14, $1,249-$4,845; after May 14, $1,249-$5,095.
• Aug. 2-7. Black Hat USA. Mandalay Bay, Las Vegas. Registration: through June 2, $1,795; through July 26, $2,195; after July 26, $2,595.
• Sept. 17-19. International Association of Privacy Professionals and Cloud Security Alliance Joint Conference. San Jose Convention Center, San Jose, Calif.
• Sept. 18. Cyber Security Summit. The Hilton Hotel, New York City. Registration: $250; government, $50. Sept. 29-Oct. 2. ISC2 Security Congress 2014. Georgia World Congress Center, Atlanta. Registration: through Aug. 29, member or government, $895; non-member, $1,150. After Aug. 29, member and government, $995; non-member, $1,250.
• Oct. 29-31. RSA Conference Europe. Amsterdam RAI, Amsterdam. Registration: through Oct. 27, 1,095 euros plus VAT; after Oct. 27, 1,295 euros plus VAT.