Misleading, unhelpful “end of support for Windows XP” articles in the media

Impetus

The Irish Times published an item apparently written by a British newspaper – the Financial Times – “ATMs at risk of hacking and viruses as Windows XP support ends”.

ATMs are not (and certainly should not) be connected to the internet, any more than electric power station control systems, and other major infrastructure assets. The cessation of support for this operating system should therefore be irrelevant (from a computer security perspective) to ATMs.

The other big way to reduce security risks of internet connected PCs is not to run them as the super-user, using instead an ordinary user ID which has basic permissions.

If one was to use the internet to connect an ATM to a bank network, it should be firewalled and use a hardware VPN for the connection, which would again protect the Windows XP system from attack from the outside.

This article is pure FUD, probably based on ideas or copied from content published in the blogosphere. The Irish Times would provide a better service to its readers if it refrained from regurgitating “rubbishy, scary stories” like this.

The creation of an ordinary user account for day to day working is described on this Microsoft support document: http://support.microsoft.com/kb/279783

http://www.irishtimes.com/business/sectors/technology/atms-at-risk-of-hacking-and-viruses-as-windows-xp-support-ends-1.1728600

Professey Chin

They dont have to be connected to the internet.
ATMs have USB ports for maintenance work and criminals have been known to load exploits through these. Its been demonstrated more then once over the last year. Just because theres no direct internet connection doesnt mean they cant be compromised.

Impetus

If maintenance staff are using USB devices which contain malware, it doesn't say much for their professionalism. It is like a doctor who doesn't wash his/her hands between patients.

Whatever maintenance software is stored on USB drives should come from clean systems. ie the USB drives should never have been connected to the internet directly or indirectly.

All the code on a USB should be digitally signed, and these signatures checked at every use.

oscarBravo

Impetus wrote: »

If maintenance staff are using USB devices which contain malware, it doesn't say much for their professionalism. It is like a doctor who doesn't wash his/her hands between patients.

...and we all know that that never happens.

Professey Chin

Impetus wrote: »

If maintenance staff are using USB devices which contain malware, it doesn't say much for their professionalism. It is like a doctor who doesn't wash his/her hands between patients.

Whatever maintenance software is stored on USB drives should come from clean systems. ie the USB drives should never have been connected to the internet directly or indirectly.

All the code on a USB should be digitally signed, and these signatures checked at every use.

Its not just maintenance staff. Its very easy to cut a hole in plastic for anyone to get access to the ports.

Khannie

Impetus wrote: »

ATMs are not (and certainly should not) be connected to the internet, any more than electric power station control systems, and other major infrastructure assets.

In fairness, the assumption should be that someone is already inside your network because at some point they will be. If you have ATM's running with a known vulnerability, it's a security risk.

Disclaimer: I haven't read the article.

Impetus

Khannie wrote: »

In fairness, the assumption should be that someone is already inside your network because at some point they will be. If you have ATM's running with a known vulnerability, it's a security risk.

The NSA could also have code running in Windows XP, doing who knows what? And who is to say that any Microsoft support services will effectively remove what someone has running inside your network?

Anyway Windows ATMs run on XP embedded which is being supported until 31.12.2016. Which makes a nonsense of the article. In my view an end of life Windows XP article should focus on the potential impact of the security issue for users of mainstream releases of this product. I suspect that hackers are holding back on using their latest inventions until the support date has past, potentially causing a firestorm of malware to hit PCs.

https://www.microsoft.com/windowsembedded/en-us/product-lifecycles.aspx

Impetus

oscarBravo wrote: »

...and we all know that that never happens.

It depends on the country and the doctor! And whether or not the patient will tolerate "physical interaction" from the doctor until s/he has washed their hands in front of them.

ressem

Our favourite unsolicited 'Microsoft' phone call scammers have transitioned from selling antivirus cleanup to our parents and grandparents to selling an "XP upgrade".

Doesn't help that their scaremongering sounds so similar to that from the official radio campaign from MS.