Fixing the Heartbleed Bug is essential: But don't forget Windows XP migration

Security pros are feeling the pressure. Are you ready for another action-packed week?

April 13, 2014


What a week!

Just as the clock was expiring on Microsoft Windows XP support this week, along came another headline-grabbing cyber story which Bruce Schneier called catastrophic. Mr. Schneier, the well-known security blogger, said, “On a scale of 1 to 10, this is an 11.”

All the world’s technology and cybersecurity experts agree: The Heartbleed Bug must be addressed as a top priority. Why?

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed Bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
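The following toy model is an added illustration, not code from the original post or from OpenSSL: it shows the one missing check behind the paragraph above. A heartbeat record carries a claimed payload length; the vulnerable handler copies that many bytes on trust, so it reads past the record into whatever follows it in memory, while the hardened handler rejects any claim that does not fit inside the record that actually arrived. The message layout, the function names and the sample bytes are constructed assumptions.

```python
import struct
from typing import Optional

# Constructed toy layout of a heartbeat message:
#   1 byte type | 2 bytes claimed payload_length | payload | 16 bytes padding
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING = b"\x00" * 16
HEADER = struct.Struct("!BH")  # type, payload_length (big-endian)


def build_heartbeat(claimed_len: int, payload: bytes) -> bytes:
    """Encode a request; claimed_len is allowed to disagree with len(payload)."""
    return HEADER.pack(HEARTBEAT_REQUEST, claimed_len) + payload + PADDING


def vulnerable_respond(record: bytes, adjacent_memory: bytes) -> bytes:
    """Mimics the pre-fix behaviour: echo payload_length bytes starting at the
    payload, trusting the peer's claim. adjacent_memory stands in for whatever
    the process happens to hold after the record buffer (constructed sample)."""
    hbtype, payload_len = HEADER.unpack(record[:HEADER.size])
    if hbtype != HEARTBEAT_REQUEST:
        return b""
    buf = record + adjacent_memory
    start = HEADER.size
    return HEADER.pack(HEARTBEAT_RESPONSE, payload_len) + buf[start:start + payload_len]


def hardened_respond(record: bytes, adjacent_memory: bytes) -> Optional[bytes]:
    """Mimics the fix: the claimed length must fit inside the record that was
    actually received (header + payload + padding); otherwise discard silently."""
    if len(record) < HEADER.size:
        return None
    hbtype, payload_len = HEADER.unpack(record[:HEADER.size])
    if hbtype != HEARTBEAT_REQUEST:
        return None
    if HEADER.size + payload_len + len(PADDING) > len(record):
        return None  # claimed length overruns the record: drop it
    start = HEADER.size
    return HEADER.pack(HEARTBEAT_RESPONSE, payload_len) + record[start:start + payload_len]


def leaked_bytes(record: bytes, adjacent_memory: bytes) -> bytes:
    """Helper for the reader: what the vulnerable handler returns beyond the
    bytes the requester actually sent."""
    response = vulnerable_respond(record, adjacent_memory)
    sent_payload = record[HEADER.size:len(record) - len(PADDING)]
    return response[HEADER.size + len(sent_payload) + len(PADDING):]
```

Run with an honest request (claimed length equals the payload) and both handlers echo the payload; with an inflated claim the vulnerable handler returns bytes from `adjacent_memory` while the hardened one returns `None`.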

Most organizations learned about Heartbleed on Tuesday via Internet news reports. However, the steps to be followed in order to remediate the newly announced Heartbleed Bug came to many state and local governments in emergency phone calls from US-CERT and the MS-ISAC late this week.

I must admit that I have never seen so many government entities engaged in resolving an issue before. (The number of people calling in for the nationwide MS ISAC conference call set a record.)

You can view those recommendations for organizations and users here. Here’s a brief excerpt:

• Patch all vulnerable OpenSSL systems.
• Revoke and reissue certificates that use OpenSSL/TLS.
• Force user password changes for all impacted accounts.
• Be alert for phishing scams.

The tech press is full of stories about Heartbleed. Here are a few of the articles and blogs I like:

- CNET article on who has patched the Heartbleed Bug

- ZDNet on how Azure escaped, but others were not so lucky

- The Boston Globe on how the new bug is as bad as the name suggests (with good video commentary)

As for advice for end users: Most experts recommend changing your passwords now and perhaps again after your Internet websites have patched their servers to protect against this Heartbleed vulnerability.

Our own Govtech.com ran this article with a Q/A section on Heartbleed.

Yesterday, Bloomberg.com ran this story on how Android devices are also vulnerable to the Heartbleed Bug.

But Don’t Forget Windows XP Migration

Meanwhile, in case you were distracted with millions of others, the Microsoft Windows XP end-of-support deadline came and went this week with minimal reported interruptions - so far.

Side note: The timing of the Heartbleed bug announcement was very interesting, in my view. This bug has existed for years. But the announcement coming right at the end of Microsoft's XP end-of-support period seems a bit suspicious to me. We may never know if there is some link to the timing of the announcement.

Prior to the Heartbleed Bug becoming public news, the XP stories were heating up regarding governments and businesses around the world. Here are just a few of the headlines I was following that involved governments and Windows XP.

- Connecticut: Many State Computers Still Run Windows XP As Microsoft Ends Security Updates

- South Carolina: State computers may face new hacking risk

- United Kingdom (UK): UK government buys last-minute lifeline with £5.5m Windows XP support deal

- April 1, but no April Fools joke – Why Feds are still buying IT that works with Windows XP

- BBC News – Windows XP demise gives small businesses tech headache

- In Michigan, XP extended support costs drop - deadline pushed out

Of course, none of the Windows XP end-of-life news should come as a surprise to anyone. We knew about this problem years ago, and I even wrote this blog back in December 2013 which predicted this global XP headache - along with others.

In Michigan, like most other states, we still have a ways to go to be fully off of Windows XP – in both state and county governments. This report from WZZM-13 in Grand Rapids last Monday describes our program status in more detail, while providing a good overview of our state systems and the data we protect.

One video highlight: It was going to cost the State of Michigan over $2.1 million to maintain Windows XP extended support for another year. Thankfully, Microsoft dramatically reduced the cost of that continued XP support to about $270K for one year.

Yes, this is still a lot of money, so the major push to get off Windows XP will continue with our business clients this year. One big problem has been applications that won’t run on newer operating systems, but that legacy-migration work is wrapping up. We plan to be fully off of XP by the end of 2014.

In conclusion, there are plenty of hot cyber projects for security and technology pros to focus on right now. Besides your “normal” day jobs, new threats from the Heartbleed Bug or from any remaining Windows XP systems that are not patched will no doubt add to the workload for government and private sector professionals around the world.

Are you ready for another week yet?

Dan Lohrmann Chief Security Officer & Chief Strategist at Security Mentor Inc.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.

During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.
Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.

He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.

He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.

Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.

He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.

Follow Lohrmann on Twitter at: @govcso