April 13, 2014

Fixing the Heartbleed Bug is essential: But don't forget Windows XP migration

Security pros are feeling the pressure. Are you ready for another action-packed week?


What a week!

Just as the clock was expiring on Microsoft Windows XP support this week, along came another headline-grabbing cyber story which Bruce Schneier called catastrophic. Mr. Schneier, the well-known security blogger, said, “On a scale of 1 to 10, this is an 11.”

Security experts around the world agree: The Heartbleed Bug must be addressed as a top priority. Why?

The Heartbleed Bug (CVE-2014-0160) is a serious vulnerability in the popular OpenSSL cryptographic software library, specifically in its implementation of the TLS heartbeat extension (RFC 6520). It affects OpenSSL 1.0.1 through 1.0.1f; the fix shipped in 1.0.1g on April 7, 2014. The weakness allows stealing information that is normally protected by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed Bug allows anyone on the Internet to read the memory of systems running the vulnerable versions of OpenSSL, up to 64 KB of process memory per malformed heartbeat request, repeatable as often as the attacker likes and without leaving anything unusual in ordinary server logs. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. With those, attackers can eavesdrop on communications, steal data directly from the services and users, and impersonate services and users.
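To make the mechanism concrete, here is an added C model of the heartbeat handler; it is an illustration written for this page, not OpenSSL's own source. A heartbeat record is type (1 byte), payload_length (2 bytes, big-endian), payload, then at least 16 bytes of padding. The vulnerable versions trusted payload_length and copied that many bytes from the received record into the response; the 1.0.1g fix first checks that the claimed length actually fits inside the record. The function names, the 64-byte "process memory" array and the secret string placed after the record are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST 1   /* HeartbeatMessageType heartbeat_request (RFC 6520) */
#define PADDING   16   /* minimum padding length required by RFC 6520 */

/* Parse one heartbeat record (type | 2-byte payload_length | payload | padding)
 * and copy the echoed payload into `out`. Returns the number of bytes copied,
 * or -1 if the record is discarded.
 * strict == 0 models OpenSSL 1.0.1 through 1.0.1f: payload_length is trusted.
 * strict == 1 models the 1.0.1g fix: the claimed length must fit the record. */
int process_heartbeat(const unsigned char *rec, size_t rec_len,
                      unsigned char *out, size_t out_cap, int strict)
{
    if (strict && (size_t)(1 + 2 + PADDING) > rec_len)
        return -1;                         /* too short to hold a header */

    unsigned char hbtype = rec[0];
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);   /* attacker-chosen */
    const unsigned char *pl = rec + 3;

    if (strict && 1 + 2 + (size_t)payload + PADDING > rec_len)
        return -1;                         /* silently discard (RFC 6520 sec. 4) */
    if (hbtype != HB_REQUEST || (size_t)payload > out_cap)
        return -1;

    /* OpenSSL allocated 1 + 2 + payload + 16 bytes for the reply and memcpy'd
     * `payload` bytes starting at pl. Without the length check above, that
     * copy runs past the end of the received record into whatever happens to
     * follow it in process memory. */
    memcpy(out, pl, payload);
    return (int)payload;
}

/* Constructed "process memory": the record sits at the start and an unrelated
 * secret lives right after it, as freed or adjacent heap data would. */
static unsigned char memory[64];

/* Build a malicious heartbeat_request: one real payload byte, 16 bytes of
 * padding, but a declared payload_length of `claimed`. Returns bytes on the wire. */
size_t build_request(unsigned char *buf, uint16_t claimed)
{
    buf[0] = HB_REQUEST;
    buf[1] = (unsigned char)(claimed >> 8);
    buf[2] = (unsigned char)(claimed & 0xff);
    buf[3] = 'A';                          /* the only byte actually sent as payload */
    memset(buf + 4, 0, PADDING);
    return 1 + 2 + 1 + PADDING;            /* 20 bytes */
}

/* Run one malicious request against the handler in either mode. */
int leak_demo(int strict, unsigned char *out, size_t out_cap)
{
    const char secret[] = "password=hunter2";       /* constructed, not real data */
    memset(memory, 0, sizeof memory);
    size_t rec_len = build_request(memory, 40);     /* claims 40 payload bytes */
    memcpy(memory + rec_len, secret, sizeof secret); /* lands 17 bytes past pl */
    return process_heartbeat(memory, rec_len, out, out_cap, strict);
}

/* Checks used by main(): does the unpatched path echo the secret, and does the
 * patched path drop the record? */
int unpatched_leaks_secret(void)
{
    unsigned char out[64];
    return leak_demo(0, out, sizeof out) == 40 &&
           memcmp(out + 17, "password=hunter2", 16) == 0;
}

int patched_discards(void)
{
    unsigned char out[64];
    return leak_demo(1, out, sizeof out) == -1;
}

int main(void)
{
    unsigned char out[64];
    int n = leak_demo(0, out, sizeof out);
    printf("unpatched: %d bytes echoed, including \"%.16s\"\n",
           n, (const char *)(out + 17));
    printf("patched:   %d (record discarded)\n", leak_demo(1, out, sizeof out));
    return unpatched_leaks_secret() && patched_discards() ? 0 : 1;
}
```

The unpatched path returns 40 bytes for a request that carried one, and the reply contains the secret that was never part of the record; the patched path returns -1 because 1 + 2 + 40 + 16 exceeds the 20 bytes actually received. Note that the leak is an over-read, not a crash: the server keeps running normally, which is why the bug went unnoticed for so long.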

Most organizations learned about Heartbleed on Tuesday via Internet news reports. However, the specific steps to remediate the newly announced Heartbleed Bug reached many state and local governments late this week in emergency phone calls from US-CERT and the MS-ISAC.

I must admit that I have never seen so many government entities engaged in resolving an issue before. (The number of people calling in for the nationwide MS ISAC conference call set a record.)

You can view those recommendations for organizations and users here. Here’s a brief excerpt:

• Patch all vulnerable OpenSSL systems.
• Revoke and reissue certificates that use OpenSSL/TLS.
• Force user password changes for all impacted accounts.
• Be alert for phishing scams.

Two practical caveats apply. Order matters: patch first, because a new private key or a freshly changed password sent to a still-vulnerable server can be stolen the same way the old one was. And most Linux distributions backport the fix without changing the reported OpenSSL version, so confirm the patch through the package changelog or the build date shown by openssl version -a rather than the bare version string.

The tech press is full of stories about Heartbleed. Here are a few of the articles and blogs I like:

- CNET article on who has patched the Heartbleed Bug

- ZDNet on how Azure escaped, but others were not so lucky

- The Boston Globe on how the new bug is as bad as the name suggests (with good video commentary)

As for advice for end users: Most experts recommend changing your passwords now and perhaps again after the websites you use have patched their servers against Heartbleed. The second change is the one that counts, since a password changed on a still-vulnerable site can be captured again.

Our own ran this article with a Q/A section on Heartbleed.

Yesterday, ran this story on how Android devices are also vulnerable to the Heartbleed Bug.

But Don’t Forget Windows XP Migration

Meanwhile, in case you were distracted with millions of others, the Microsoft Windows XP end-of-support deadline came and went this week with minimal reported interruptions - so far.

Side note: The timing of the Heartbleed bug announcement was very interesting, in my view. This bug has existed for years. But the announcement coming right at the end of Microsoft XP end-of-support seems a bit suspicious to me. We may never know if there is some link to the timing of the announcement.

Prior to the Heartbleed Bug becoming public news, the XP stories about governments and businesses around the world were heating up. Here are just a few of the headlines I was following that involved governments and Windows XP.

- Connecticut: Many State Computers Still Run Windows XP As Microsoft Ends Security Updates

- South Carolina: State computers may face new hacking risk

- United Kingdom (UK): UK government buys last-minute lifeline with £5.5m Windows XP support deal

- April 1, but no April Fools joke – Why Feds are still buying IT that works with Windows XP

- BBC News – Windows XP demise gives small businesses tech headache

- In Michigan, XP extended support costs drop - deadline pushed out

Of course, none of the Windows XP end-of-life news should come as a surprise to anyone. We knew about this problem years ago, and I even wrote this blog back in December 2013, which predicted this global XP headache - along with others.

In Michigan, like most other states, we still have a ways to go to be fully off of Windows XP – in both state and county governments. This report from WZZM-13 in Grand Rapids last Monday describes our program status in more detail, while providing a good overview of our state systems and the data we protect.

One video highlight: It was going to cost the State of Michigan over $2.1 million to maintain Windows XP extended support for another year. Thankfully, Microsoft dramatically reduced the cost of that continued XP support to about $270K for one year.

Yes, this is still a lot of money, so the major push to get off Windows XP will continue with our business clients this year. One big problem has been applications that won't run on newer operating systems, but that legacy-migration work is wrapping up. We plan to be fully off of XP by the end of 2014.

In conclusion, there are plenty of hot cyber projects for security and technology pros to focus on right now. Besides your "normal" day jobs, new threats from the Heartbleed Bug, and from any remaining Windows XP systems that will no longer receive security patches, will no doubt add to the workload for government and private sector professionals around the world.

Are you ready for another week yet?