Heartbleed Bug - What you need to know

Posted on 4/29/2014

Be honest, don't you kinda wish we could just rub our collective eyes and all this Heartbleed business would just disappear? Tough luck hombre, it's still here, and some kid's trying to steal your vacation photos (probably). When we spoke to the open source initiative about it recently, we got a less than reassuring reply -- that the problem is partly about resources. What is more reassuring is this: The Core Infrastructure Initiative. If that sounds like a conference you'd pay money to not attend, we're with you, but trust us, it's for your benefit. In short, some of the biggest names in tech (Facebook, Google, Amazon, Intel and many more) have pledged to work with the Linux Foundation to make sure something like Heartbleed doesn't happen again. How? Mostly with cold hard cash, with each of the 13 companies involved chipping in to the "multi-million" dollar project. But how's it actually going to work?

The Linux Foundation claims that the OpenSSL project (which makes the software exploited by Heartbleed) has received about $2,000 in donations "in past years." That's barely enough to buy the team new embroidered polo shirts. The Core Infrastructure Initiative will divvy up the cash to similar projects that have been identified as needing proactive assistance, something that it hopes could prevent the next Heartbleed. Unsurprisingly, the first project to benefit from the scheme is OpenSSL itself. Worried that your Facebook stock dollars are funding "free" open source projects? Don't. So much of the internet relies on this technology that it's not a question of commercial strategy, it's common sense. As we're all finding out now, the hard way.

Windows XP support officially ends today, still used by over 25 percent of PCs

Posted on 4/8/2014

It's been over 12 years, folks: It's time to let that aging operating system go. In case the insistent cries of all your favorite applications and anyone who's used your computer recently weren't enough indication, we're here to make it totally clear that today is the day Microsoft ends official support for Windows XP. That means no more security updates and no more customer service calls. A paid option is available to organizations (think: governments, corporations, etc.) that offers "critical" patches and support, but even Microsoft suggests upgrading to a newer version of Windows instead of footing the bill.

We won't rib you too much for sticking to XP, though; over 25 percent of you are still running Microsoft's 2001 release, according to NetMarketShare. And that's to say nothing of the world's ATMs, 95 percent of which were still running XP as of two weeks ago. Egads!

Relax, y'all -- the company in charge of those ATMs, NCR Corporation, says it's in the process of upgrading and (as of last check-in a few weeks ago) should have one-third upgraded ahead of... today. After speaking with a rep this afternoon, however, the company is updating its upgrade estimate to "less than 20 percent." Not exactly a thrilling prospect when it comes to safety, though many banks are ponying up to Microsoft for ongoing updates.

A variety of countries are also still dependent on XP for governmental affairs, such as the United Kingdom and the Netherlands, both of which had to work out paid measures with Microsoft for continued security support. China's population is largely dependent on XP as well, with nearly half of the country's computer users running the aged OS. Still, between years of warning, financial incentives to upgrade and an update to XP that outright told users of today's news, it's hard to be upset at Microsoft. There was even free software for migrating content over.

So today we say goodbye to Windows XP: You were there for us back before the internet was cool, and you set the standard for desktop OSes.

Windows XP only the latest example of risky software, argues KPMG

Posted on 4/7/2014

The fact that millions of PCs and embedded systems will continue to run Windows XP beyond this week’s End of Life (EOL) deadline is only the latest example of obsolete, risky software that shouldn’t be used to stoke up unnecessary fear, KPMG analyst Stephen Bonner has argued.

As this week's deadline has approached, a wide range of firms, including Microsoft, have warned of the dire consequences of continuing to use an operating system that will no longer receive updates or patches, so Bonner's view runs counter to this conventional wisdom.

His view is pragmatic. XP cannot easily be upgraded on many embedded systems such as ATMs, ticketing, point-of-sale and military systems, which means that one way or another it will be with us for some time. Ditto consumers, with huge numbers around the globe simply indifferent to the fact that XP is about to become past tense.

“So XP will be with us for some time, and in some quite unexpected places. Little wonder banks and governments are paying millions of pounds to extend support beyond April 8,” said Bonner.

This was absolutely predictable because a sizable minority of PC users already run many other types of obsolete software such as browsers, plug-ins and other software. Obsolete software is endemic and has been for years.

“It is worth remembering just how much obsolete software resides on our desktops. A survey of Java versions on a million end points last year found many had multiple versions of Java installed. On average organisations ran over 50 different Java versions, and more than half the organisations surveyed had Java software running which was over 5 years old,” he said.

Bonner has hit on one of the biggest weaknesses of the claim that running XP after this week represents an unfathomable risk: people already run a lot of risky software, so is the operating system necessarily making this much worse?

“There has been speculation about cyber criminals holding back a large store of XP vulnerabilities ready to exploit obsolescent systems. I doubt that will happen - the incentive to exploit early and make money is just too great. However, I suspect some intelligence agencies might have a few zero days still in stock just in case.”

Legacy systems were in “difficult to reach places,” protected as much by physical as by software security, and so most of the risk was in the consumer sector. But this population already has major problems, something that running an out-of-date operating system simply draws people’s attention to.

Bonner undoubtedly has a point, but the fact remains that the stats are against the hold-outs. With recent figures from security management firm Qualys reminding us that 70 percent of 2013’s Microsoft security bulletins affected XP, moving off this operating system is inevitable.

On the other hand, the industry’s real problem with XP is that it has never before had to confront the deep indifference to security that has been the backbone of the problems faced by Windows in the last decade. Having made little effort to deal with the issue of obsolescence before, future migrations will have to be handled better than this one, or the same pattern will be repeated.

“So let’s look beyond XP, but learn some lessons about the importance of managing obsolescence, removing obsolete software, and remembering to secure those out of sight computers.”
