Category Archives: Security

Heartbleed – One Week In

By Mark Nunnikhoven

Heartbleed just got real.

The bug has dominated headlines for the past week, and rightly so. The scale of the impact is major: OpenSSL is integrated into a very large number of software projects, and it is probably the most widely deployed TLS library in existence.

Late Friday night (the 11th of April 2014), the CloudFlare challenge was successfully beaten by both Fedor Indutny and Ilkka Mattila.

The challenge was simple. CloudFlare stood up a server that was vulnerable to Heartbleed. They then asked the community to retrieve the private key for the SSL certificate for the site by exploiting the bug.

Within the day, not one, but two people had successfully accomplished the task.

Megan Geuss has more information over at Ars Technica, but the key point is that this is hard evidence that Heartbleed poses a real, substantial risk. Up to this point, we in the information security community knew that it was possible to retrieve the private key from memory, but it was difficult to convince others without a demonstration. Now we have one.

What should I do?

We’ve pulled together a quick (4m 30s) screencast explaining Heartbleed and the steps you should take to protect yourself and your users.

I’m a user; what can I do?

As a user, ask yourself one simple question when visiting a web site or using an online application: “Is this site still vulnerable to Heartbleed?”

If the answer is no, meaning the site has both patched OpenSSL and replaced its certificate, change your password immediately. Remember to use a unique password for each account you have. If you have a large number of online accounts, look into a password manager; it makes it much easier to have a unique password for every service you use.

If the site hasn’t fixed Heartbleed yet, or hasn’t said anything about the bug, don’t change your password just yet. If you change your password while the site is still vulnerable, your new password could be exposed through the same bug.

Wait until the site fixes the issue before changing your password.

I run a web site; what’s my next move?

If you run a web site, you want to start talking to your users right away. Let them know you’re aware of heartbleed and are looking into the issue as quickly as possible.

Next, check whether your site is using an affected version of OpenSSL (1.0.1 through 1.0.1f, or 1.0.2-beta1). Be aware that most Linux distributions backported the fix without changing the version number, so check your package’s changelog or build date rather than the version string alone. If you are affected, take the following steps to fix the issue:

  • Apply any Heartbleed rules (CVE-2014-0160) to your intrusion prevention system
  • Update your OpenSSL library to version 1.0.1g or higher (or your distribution’s patched package) and restart every service that loaded the old library, since a running process keeps using the vulnerable code until it restarts
  • Generate a new private key and issue a new certificate with it; the old key must be assumed compromised
  • Revoke your current SSL certificate once the new one is installed
  • Invalidate existing sessions and tell users to change their passwords after the new certificate is in place
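The first step, deciding whether an installed OpenSSL is in the affected range, is easy to get wrong because Debian, Ubuntu, Red Hat and other distributions backported the fix without changing the version string (a patched Debian or Ubuntu build still reports 1.0.1e or 1.0.1f, for example). The Python below is an added example, not part of the original post: it classifies the text printed by `openssl version -a`, treating a build date on or after 7 April 2014 (the day 1.0.1g and the distribution fixes shipped) on an affected version string as a sign of a backported fix. The sample outputs embedded in it are constructed for illustration; when in doubt, confirm through the package changelog (for example `rpm -q --changelog openssl | grep CVE-2014-0160` on Red Hat systems).

```python
import re
from datetime import date

# CVE-2014-0160 (Heartbleed). The OpenSSL advisory lists 1.0.1 through 1.0.1f and
# 1.0.2-beta1 as affected; 1.0.1g and the 0.9.8 and 1.0.0 branches are not.
AFFECTED_VERSIONS = {"1.0.1" + s for s in ("", "a", "b", "c", "d", "e", "f")} | {"1.0.2-beta1"}

# 1.0.1g and the Debian/Ubuntu/Red Hat backported packages were released on 7 April 2014.
FIX_RELEASE_DATE = date(2014, 4, 7)

MONTHS = {name: n for n, name in enumerate(
    ("Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"), start=1)}

# Constructed samples of `openssl version -a` output (first two lines only).
SAMPLE_OUTPUTS = {
    "upstream 1.0.1e": "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Tue Feb 12 01:02:03 UTC 2013",
    "upstream 1.0.1g": "OpenSSL 1.0.1g 7 Apr 2014\nbuilt on: Mon Apr  7 21:00:00 UTC 2014",
    "rhel backport":   "OpenSSL 1.0.1e-fips 11 Feb 2013\nbuilt on: Tue Apr  8 02:39:29 UTC 2014",
    "old 1.0.0":       "OpenSSL 1.0.0k 5 Feb 2013\nbuilt on: Wed Feb  6 12:00:00 UTC 2013",
    "1.0.2 beta":      "OpenSSL 1.0.2-beta1 24 Feb 2014",
}


def parse_version(output):
    """Return the version token from `openssl version` output, e.g. '1.0.1e'.
    Red Hat builds append '-fips' ('1.0.1e-fips'); that suffix is dropped."""
    m = re.search(r"^OpenSSL\s+(\S+)", output, re.MULTILINE)
    return m.group(1).replace("-fips", "") if m else None


def parse_build_date(output):
    """Return the 'built on:' date, e.g. from 'built on: Mon Apr  7 20:33:29 UTC 2014',
    or None when the line is absent."""
    m = re.search(r"^built on:\s*\w{3}\s+(\w{3})\s+(\d{1,2})\s+[\d:]+\s+(?:\S+\s+)?(\d{4})",
                  output, re.MULTILINE)
    if not m:
        return None
    month, day, year = m.groups()
    return date(int(year), MONTHS[month], int(day))


def heartbleed_status(output):
    """Classify one `openssl version -a` output as 'affected', 'not affected',
    'affected version, build date suggests backported fix' or 'unknown'."""
    version = parse_version(output)
    if version is None:
        return "unknown"
    if version not in AFFECTED_VERSIONS:
        return "not affected"
    built = parse_build_date(output)
    if built is not None and built >= FIX_RELEASE_DATE:
        # Version string is in the affected range, but the binary was built on or
        # after the fix date: typical of a distribution backport. Verify via changelog.
        return "affected version, build date suggests backported fix"
    return "affected"


if __name__ == "__main__":
    for name, output in SAMPLE_OUTPUTS.items():
        print(f"{name}: {heartbleed_status(output)}")
```

Run it against the real output of `openssl version -a` on each host, and remember that the result describes the library on disk: services that started before the upgrade must be restarted before they stop using the vulnerable code.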

If your site isn’t affected by Heartbleed, make sure to tell your users. This issue is everywhere, and most people have heard of it. Letting your users know that your site was unaffected and that their data is safe is a simple step that reassures them.

Mark Nunnikhoven is the Vice President of Cloud and Emerging Technologies for Trend Micro where he meets regularly with clients (and prospective clients) to understand their security challenges and to share the research and vision for cloud and data center security. He speaks regularly on cloud computing, usable security systems, and modernizing security practices at conferences and events.

‘Windows XPocalypse’ and Security

By Tim (TK) Keanini

Technical support and security updates for Windows XP ended on Tuesday, April 8th, 2014. This has raised security concerns, because patches for known issues were previously delivered through automatic updates, and no new patches will be delivered. What does this mean for Windows XP users?

The Basics

First, it is important to note that on April 8th only a few variants of the XP operating system reached End-of-Support. End-of-Support means there will be no new security updates, non-security hotfixes, free or paid assisted support options, or online technical content updates. Further details can be found on Microsoft’s web site, but I will summarize the changes here.

The systems that people must worry about are:

  • Windows XP Home Edition
  • Windows XP Media Center
  • Windows XP Professional
  • Windows XP Tablet PC Edition

When it comes to embedded systems (non-desktop versions of XP), the only one that people need to take urgent action on is Windows XP Professional for Embedded Systems. This product is identical to Windows XP, and Extended Support ended on April 8, 2014. If you have an XP variant for which support ended on 4/8/14, you need to treat it as if it were already dead and move quickly into getting it replaced. Pretend that it caught fire, and you will be moving with the right amount of urgency.

Here are some other variants of Windows XP that are going to receive updates after 4/8/2014. Organizations should still be planning now for cutovers on these systems.

  • Windows XP Embedded Service Pack 3 (SP3). This is the original toolkit and componentized version of Windows XP. It was originally released in 2002, and Extended Support will end on Jan. 12, 2016.
  • Windows Embedded Standard 2009. This product is an updated release of the toolkit and componentized version of Windows XP. It was originally released in 2008, and Extended Support will end on Jan. 8, 2019.

Point of Sale Systems

Point of Sale (POS) systems commonly run one of two Windows Embedded platforms, and their End-of-Support dates are not until 4/12/2016 and 4/9/2019. Businesses should nonetheless take immediate action to identify which version they have and put a migration plan in motion well before these deadlines.

These systems include:

  • Windows Embedded for Point of Service SP3. This product is for use in Point of Sale devices. It is built from Windows XP Embedded. It was originally released in 2005, and Extended Support will end on April 12, 2016.
  • Windows Embedded POSReady 2009. This product for Point of Sale devices reflects the updates available in Windows Embedded Standard 2009. It was originally released in 2009, and Extended Support will end on April 9, 2019.

Since POS systems deal with such sensitive information and have become such big targets for attackers, retailers should definitely already be working with vendors to plan for these upgrades to ensure that there are no lapses in security. Some have asked if retailers should switch from traditional POS systems to wireless tablets and smart devices to increase security. However, this is not an effective defensive strategy as the adversary is able to find weaknesses in all information technology. The best strategy is to maintain diligent and vigilant security measures for whatever systems a retailer is using to take payments.

Security Vigilance

As businesses leverage information technology to remain competitive and grow, there is an equal responsibility to manage the security of this infrastructure. An accurate inventory and maintenance schedule is fundamental, and if a business or technology partner does not know the End-of-Support schedules for critical devices, bad things are certain to happen.

Businesses need to know the End-of-Life/End-of-Support schedule not only for every item on their own asset list, but also for the systems used by partners. If partners supply or operate technology for you, or you buy through a Value Added Reseller, ask them to produce a monthly report of their applications or appliances that are coming up for End-of-Life/End-of-Support in the next 24 months. Stay ahead of the game and minimize surprises.

Handling Windows XP End-of-Support – Feed it, kill it, but don’t starve it.

As you all know by now, on April 8th 2014, Microsoft stopped supporting some variants of XP. The software industry for years has operated this way with every system on your network having a predetermined service life, but given the current threat landscape, I would like to propose a change. You see, the problem is that on 4/8/2014, all of these systems that are End-of-Support will continue to work just as they did on days and years prior. This is a big problem because people don’t change their behavior when things are business as usual.

What I’d like to see happen when any information technology reaches End-of-Support – meaning no fixes will be issued for newly found security vulnerabilities – is that it stops working. That’s right, kill it! Having an End-of-Support/End-of-Life technology alive and connected to the Internet makes it a liability for everyone online. It is called End-of-Life for a reason, and what I want to see happen is for the vendor to literally end the technology’s life. One of the rules in my personal playbook is: Feed it or kill it, but never starve it. Complex and dynamic systems do not deal with this lingering state very well, and it is time we make a change in how we handle the service life of a product.

Traditionally, the retirement phase of a product’s service lifecycle begins with the announcement of the End-of-Sale (meaning you can no longer purchase the product), followed by a period of time known as the End-of-Life that ultimately ends with the End-of-Support date, when no more updates will be released. This is a critical stage for closed-source products, because no one other than the vendor can issue fixes, and that vendor has just told you it will never issue another update, no matter what. Right here, kill it please. The implementation of this new policy must happen early in the service life, but if done well both technically and socially, the world will be a safer place because the right expectations and events will drive the right behavior.

No product should be online if there is no opportunity to fix newly found vulnerabilities. We have a problem on the Internet where a patch is available and yet people are still irresponsibly running old versions. At least in these situations, remediation is available via an update, but when there is no update, my position is that the technology should be killed immediately.

These expired versions of Windows XP will continue to work, and trust me, they will be targeted by attackers because what better investment can the adversary make? If they spend a week to develop a new exploit, they get to use it on expired technologies until the end of time, as no patches will ever fix it.

You can ask customers politely and even urgently to upgrade, but until their current version stops working, or worse, is part of a security-related catastrophe, they will typically do nothing. The reason Y2K drove a change in human behavior was because on that date, old code was going to fail – there was a clear and significant event approaching. On April 8th 2014, customers’ Windows XP systems worked just like they did on days prior. I predict that End-of-Support XP systems will still be on the Internet and will be used for botnets and other supply-side resources for adversaries.

Consider this problem five or ten years into the future when millions of devices brought on by the Internet of Things are allowed to remain online after their End-of-Support date. We cannot afford this, people! The change I’m pushing is good for everyone because Internet security is everyone’s problem.

Tim (TK) Keanini is the CTO of Lancope.

A Banking View on Windows XP and the End of Support: See It, Block It

By Christopher Budd

We are a couple of days away from a proverbial red letter day: the end of security support for Windows XP on April 8, 2014.

For the past few months, we’ve been talking about this impending event. We’ve talked about what people can expect in terms of the number of vulnerabilities they may see when Microsoft stops issuing security patches. And we’ve tried to make very clear that this is a situation that can affect everyone, not just those running Windows XP.


When we talk about the dangers that people on Windows XP pose to others, probably no single industry faces a greater set of risks from users staying on Windows XP than banking and finance. More than any other industry, banking and finance face significant risks of fraud and loss because of customers who make the unwise decision to stay on Windows XP. As an industry facing extraordinary, unprecedented risks around Windows XP, banking and finance should consider equally extraordinary, unprecedented steps to protect themselves: alerting customers who are on Windows XP to the risks and encouraging them to upgrade. In some cases, especially as time goes on, the sector should consider blocking customers still on Windows XP from its services entirely.

The reason banking and finance are so exposed by customers on Windows XP is that unpatched vulnerabilities will be found and attacked on Windows XP. And as we showed in our 2013 Threat Roundup, online banking malware is a huge problem. From 2012 to 2013, detections of online banking malware more than doubled, from 500,000 worldwide in 2012 to more than 1 million in 2013, and the United States and Brazil alone accounted for 50%, or 500,000 detections, of that total. Skyrocketing online banking malware combined with a coming slew of never-to-be-patched vulnerabilities means that online banking on Windows XP is going to become incredibly dangerous soon. And while that is a risk to the users of those Windows XP systems, in aggregate and in the end, it’s those users’ banks and financial institutions that face the greatest risks.

From a technological point of view, when users visit a website it is a relatively simple matter to detect the browser and operating system making the request, since the browser announces them in the User-Agent header. Using that information to show an alert that makes people aware of the risks of being on Windows XP, and of what they should do about it, is an easy way to help spread the word. A step like this reinforces the alert messages Microsoft is itself showing to Windows XP users. The broader the net is spread to pass the word about these risks, the better.
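Server-side, the operating system is read from the User-Agent header: Windows XP identifies itself as “Windows NT 5.1” (32-bit) or “Windows NT 5.2” (XP x64, a token it shares with Windows Server 2003). The Python below is an added example, not code from the original post or from Trend Micro: it classifies constructed sample User-Agent strings and returns the warn-or-block decision described here, with the cut-over date for blocking (BLOCK_AFTER) a hypothetical operator-chosen parameter. Because the header is supplied by the client, it can be spoofed, so this identifies XP users who are not trying to hide, which is the population the warning is aimed at; it is not a security control against a determined attacker.

```python
import re
from datetime import date

# Windows kernel version tokens as they appear in User-Agent strings.
# NT 5.1 is Windows XP; NT 5.2 is shared by Windows XP x64 and Windows Server 2003,
# so a 5.2 client is only probably XP.
XP_NT_VERSIONS = {"5.1": "Windows XP", "5.2": "Windows XP x64 / Server 2003"}

# Microsoft's end of support for the desktop XP editions.
END_OF_SUPPORT = date(2014, 4, 8)
# Hypothetical operator-chosen date after which XP clients are blocked rather than warned.
BLOCK_AFTER = date(2014, 7, 1)

# Constructed sample requests: (description, User-Agent header value).
SAMPLE_USER_AGENTS = [
    ("IE8 on XP", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"),
    ("Chrome on XP", "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) "
                     "Chrome/33.0.1750.154 Safari/537.36"),
    ("Firefox on Windows 7", "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0"),
    ("Safari on OS X", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.74.9 "
                       "(KHTML, like Gecko) Version/7.0.2 Safari/537.74.9"),
]


def windows_nt_version(user_agent):
    """Return the 'Windows NT x.y' version token from a User-Agent, or None for non-Windows."""
    m = re.search(r"Windows NT (\d+\.\d+)", user_agent)
    return m.group(1) if m else None


def is_windows_xp(user_agent):
    """True when the client claims to run Windows XP (NT 5.1) or NT 5.2 (XP x64 / Server 2003).
    The header is client-controlled, so this is advisory, not authoritative."""
    return windows_nt_version(user_agent) in XP_NT_VERSIONS


def decide(user_agent, today, block_after=BLOCK_AFTER):
    """Return 'allow', 'warn' or 'block'. XP clients are warned immediately and
    blocked once the operator's cut-over date has been reached."""
    if not is_windows_xp(user_agent):
        return "allow"
    return "block" if today >= block_after else "warn"


def triage(samples, today, block_after=BLOCK_AFTER):
    """Map each labelled sample request to its decision, e.g. when reviewing access logs."""
    return {name: decide(ua, today, block_after) for name, ua in samples}


if __name__ == "__main__":
    for name, action in triage(SAMPLE_USER_AGENTS, END_OF_SUPPORT).items():
        print(f"{name}: {action}")
```

In a real deployment the decision would be made in the web tier before the login form is served, and the warn branch would render the alert and upgrade guidance rather than a label.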

But warnings may not be enough. People tune warnings out and ignore them. We shouldn’t fool ourselves into thinking that warnings alone will be sufficient. And as time goes on, this situation will become worse and worse. Banks and financial institutions should also start considering the drastic measure of actively blocking users on Windows XP from using their online services entirely.

This is clearly an extreme measure as it will cause lost business. But this step may be justified, especially if the risks of financial losses from Windows XP users exceed the risks of losses from losing those customers. It’s not desirable to turn customers away, but businesses do it all the time in service of their larger concerns. The coming situation with Windows XP and the risks those users pose to their banks and financial institutions is a good example of when these larger considerations pertain.

Of course, in addition to online alerts or blocks, further education campaigns make sense. Notifying customers of the risks and what they should do, through email and online campaigns, can further reinforce the message. Banks and financial institutions (and really anyone) should feel free to disseminate our flyer that outlines these risks.

Banking and finance aren’t the only sectors particularly at risk starting next week. But it is the sector that may face some of the greatest impact over time as its users continue to refuse to switch. We’re getting down to the wire and time is running out. Increasingly, those still on Windows XP are those who most stubbornly refuse to take action. Increasingly, organizations that are themselves put at risk by the inaction of these recalcitrant users will have to take actions that spur those users into action. In short, we have to make it more painful for these users to do nothing than to take action. And so, a viable tactic in support of this goal around Windows XP is: if you see it, block it.

Christopher Budd is a communications manager with Trend Micro. His focus is on communications around online security and privacy threats to help people understand in plain English the risks they face and what they can do about them. In addition, he focuses on managing crisis communications utilizing a framework and processes he helped put in place.