Windows XP patched to avert new outbreaks from three more NSA exploits

[grimreeper132]

telling businesses and organisations to switch to windows 8.1/10 etc. and not to use XP is like telling someone to use a spoon rather than a can opener to open a can, it's possible but is very time consuming, the same goes with the OS switching, as most of the custom made programmes that are vital to the operation of the machines the XP PC controls requires XP as it is not supported by newer versions of windows, many businesses have been upgrading, but it's so time consuming that they haven't got round to completing the task yet, even though many have been doing it for years, even before XP became obsolete. It's not as simple for them to upgrade as it is for you, as they can't just plug a boot USB into their servers and PCs and expect all software to work, as normally it won't, ad because some of it's so vital to their operation, having the server/pc down for even a few minutes is devastating and cause so many issues, so everything needs to be checked to make sure it would work before the switch takes place. Hell with some of these programmes you need to make sure they are compatible with the patch's meaning many XP PCs might not be able to even upgrade to this new patch. It' anit as simple as you think it is

 

[leadeater]

6 hours ago, mr moose said:

Given it is only 5.6% XP market share (that's 112M pc's) don;t forget that many photo scan and copy stations, copy machines, interactive displays and so on run XP. It is not a stretch to assume many are not keeping XP by choice.

This statistic is taken from the number of XP machines detected on the internet, the majority of XP embedded systems and dedicated control workstations do not and have never connected to the internet and therefore not reflected in that number. There will be some, but no most of the truly problematic systems are not included in these numbers.

[mr moose]

14 minutes ago, leadeater said:

This statistic is taken from the number of XP machines detected on the internet, the majority of XP embedded systems and dedicated control workstations do not and have never connected to the internet and therefore not reflected in that number. There will be some, but no most of the truly problematic systems are not included in these numbers.

 

I did not know this.

[leadeater]

4 hours ago, LAwLz said:

What you also have to remember is that in the public sector they have a fixed budget, and every dollar spent on one thing is a dollar not spent on something else.

For example hospitals have to choose. Do we blow 500,000 dollars on a new MRI machine even though our old one works just fine, but it runs and outdated OS, or do we hire a few more personnel so that we can save the people currently in the waiting room from not dying? It's easy to assume that your area is the most important one and should take priority above all else, but that's why you have risk analysis to determine what things takes priority.

The computers that control MRI machines are external to the MRI and are software based. At worst the only hardware that would be required to be upgraded is the communications board, MRI machines are designed to be serviced like this.

 

The only issue upgrading a computer that controls an MRI would be the vendor officially supporting a more modern operating system, usually if this is not the case it's because upgrading to the current software version hasn't been done and some genius financial person decided to cut the yearly maintenance contract that included the rights to upgrade and went with the cheaper support issues only contract.

[LAwLz]

13 minutes ago, KuJoe said:

They aren't more vulnerable per se, they are more widely targeted because of their market share though so whether or not it was open source or proprietary wouldn't make it less of a target. Making a virus/malware/trojan for Linux/UNIX/Mac just isn't as profitable as it is for Windows.

That's not true.

Wanna know what would be profitable targets? Servers. Servers that very often runs GNU/Linux.

What do you think someone would profit the most from attacking:

1) My grandma's desktop where she keeps photos of me and my siblings.

2) A server containing a large amount of sensitive data.

 

Popularity can be one of the factors, but it's not the only one.

If you ask me, Windows has several issues which are related to security. Here are a few of them:

1) It was not designed for multi-users nor different privilege levels from the start. They have tried to move towards this which is why we ended up with things like UAC and access tokens. Those things works somewhat decently today, but they were turds Microsoft super-glued onto Windows and has then polished a lot.

 

2) It's needlessly complex and integrated with itself. Windows is about as modular as a brick. Things hook into each other left and right. That's why you end up needing to restart Windows so often after an update. It's just really badly designed. You should not have to restart your OS because your browser got updated for example, and yet in many cases of Windows you do.

 

3) It's closed source which means that many talented people who could help make it secure are left in the dark. I mean, just look at how many security issues are found in Windows every year. Those researchers would have an easier time if it was open source, and Microsoft could get more help as well.

 

 

1 minute ago, leadeater said:

-snip-

MRI stuff

-snip-

I just used MRI as an example for a machine. What I said might not apply to MRIs, but that was not really my point.

Every dollar spent on something is a dollar not spent on something else.

[KuJoe]

7 minutes ago, LAwLz said:

That's not true.

Wanna know what would be profitable targets? Servers. Servers that very often runs GNU/Linux.

What do you think someone would profit the most from attacking:

1) My grandma's desktop where she keeps photos of me and my siblings.

2) A server containing a large amount of sensitive data.

 

Popularity can be one of the factors, but it's not the only one.

If you ask me, Windows has several issues which are related to security. Here are a few of them:

1) It was not designed for multi-users nor different privilege levels from the start. They have tried to move towards this which is why we ended up with things like UAC and access tokens. Those things works somewhat decently today, but they were turds Microsoft super-glued onto Windows and has then polished a lot.

 

2) It's needlessly complex and integrated with itself. Windows is about as modular as a brick. Things hook into each other left and right. That's why you end up needing to restart Windows so often after an update. It's just really badly designed. You should not have to restart your OS because your browser got updated for example, and yet in many cases of Windows you do.

 

3) It's closed source which means that many talented people who could help make it secure are left in the dark. I mean, just look at how many security issues are found in Windows every year. Those researchers would have an easier time if it was open source, and Microsoft could get more help as well.

 

 

I just used MRI as an example for a machine. What I said might not apply to MRIs, but that was not really my point.

Every dollar spent on something is a dollar not spent on something else.

We'll agree to disagree then. 

[leadeater]

11 minutes ago, LAwLz said:

I just used MRI as an example for a machine. What I said might not apply to MRIs, but that was not really my point.

Every dollar spent on something is a dollar not spent on something else.

I realize why you were using it but I also felt it's a great example to also show how something can also needlessly be on something like XP as well. When it's simply down to something like you're not on the current latest version and you cannot afford to upgrade because the software upgrade fee is too high and you lost your rights to upgrades by reducing the support contract by 20% (random number for example), it's what I would define as not a legitimate reason to be stuck on XP. Sure it's a situation that someone is stuck with but it didn't have to be that way.

 

It can be hard to justify the cost of a more expensive support contract and if you are short staffed and not doing the regular upgrades that you are entitled to cutting back the contract cost looks like a good choice until the upgrade cost is 3+ times the total support contract over the time you cancelled it to the time you needed to upgrade.

 

Mind you I know of cases where Siemens has offered up complete software systems to hospitals for free, I also know of some that have turned it down.

 

Edit:

Also I do agree with your actual point

[mynameisjuan]

19 minutes ago, LAwLz said:

That's not true.

Wanna know what would be profitable targets? Servers. Servers that very often runs GNU/Linux.

What do you think someone would profit the most from attacking:

1) My grandma's desktop where she keeps photos of me and my siblings.

2) A server containing a large amount of sensitive data.

 

Meh sort of true. 

 

First of all servers are incredibly hard to infect or access remotely if setup properly and on top of that a good system admin will have a daily or weekly backup so once infected can easily be restored. 

 

Profitable? If setup improperly without back ups yeah it could be, could be really profitable. Most likely if wont be profitable at all. So no, focusing on targeting servers is not a valid or time worthy process, especially on a linux based server. BUT, on a side not most linux servers are never updated regularly as linux on servers tends to follow the process of set it up and never touch it, its very common.

 

But if I make a virus to infect your grandmas desktop and I encrypt her photos or fake a site and make $50 or whatever, thats not a bad profit. And this is more common to infect 100,000s of grandma machines which begins to add up quick. Taking advantage of non-techies+less security (between possible updates or maybe router improperly setup)+windows+widespread OS= better profits for less work. 

 

I still agree with @KuJoe that windows in general is more profitable. I mean the evidence is look how much "reported" money the wannacry debacle made (not sure what their sources were) but it wasnt that much even though it took a big hit on businesses with very sensitive and time critical data.

[Misanthrope]

9 minutes ago, mynameisjuan said:

Meh sort of true. 

 

First of all servers are incredibly hard to infect or access remotely if setup properly and on top of that a good system admin will have a daily or weekly backup so once infected can easily be restored. 

 

Profitable? If setup improperly without back ups yeah it could be, could be really profitable. Most likely if wont be profitable at all. So no, focusing on targeting servers is not a valid or time worthy process, especially on a linux based server. BUT, on a side not most linux servers are never updated regularly as linux on servers tends to follow the process of set it up and never touch it, its very common.

 

But if I make a virus to infect your grandmas desktop and I encrypt her photos or fake a site and make $50 or whatever, thats not a bad profit. And this is more common to infect 100,000s of grandma machines which begins to add up quick. Taking advantage of non-techies+less security (between possible updates or maybe router improperly setup)+windows+widespread OS= better profits for less work. 

 

I still agree with @KuJoe that windows in general is more profitable. I mean the evidence is look how much "reported" money the wannacry debacle made (not sure what their sources were) but it wasnt that much even though it took a big hit on businesses with very sensitive and time critical data.

Logistically it wouldn't work: Getting away with just 10 payments of 500,000 from different corporations you extortion is far easier than getting 100,000 distinct payments of about 50 each. End result is the same amount of money but you're creating a massive pattern of payments on the second, no matter how untraceable you attempt to make it you're leaving far too many bread crumbs leading back to you.

 

 

[leadeater]

Just now, Misanthrope said:

Logistically it wouldn't work: Getting away with just 10 payments of 500,000 from different corporations you extortion is far easier than getting 100,000 distinct payments of about 50 each. End result is the same amount of money but you're creating a massive pattern of payments on the second, no matter how untraceable you attempt to make it you're leaving far too many bread crumbs leading back to you.

It is done on a wide scale though but there are some really good people on youtube now baiting these kinds of people and taking control of their payment systems and turning control over of them to the required authorities/banks etc.

 

They are getting proper support by banks now to do it which is great.

[Misanthrope]

5 minutes ago, leadeater said:

It is done on a wide scale though but there are some really good people on youtube now baiting these kinds of people and taking control of their payment systems and turning control over of them to the required authorities/banks etc.

 

They are getting proper support by banks now to do it which is great.

Which again is something that wouldn't be as easy to detect if you stick to just large, juicy targets and not grandmas.

 

Which brings my next point: I have worked in tech support before and while it can be easy to sometimes extort something out of a grandma you'd be a fool if you think that's a fail proof scheme: Many grandmas are the living embodiment of stubbornness and fear of change, will never hand you cash to just do it and instead demand something crazy like "No young man, you need to send a technician to Middle-of-nowhere Bumblefuck, US I cannot do this over the phone, I cannot!"

 

But enough digressions for today.

[KuJoe]

One thing to note is that a lot of companies have policies in place to not pay out for blackmail/extortion/ransoms where as individuals do not have such a policy and rarely take backups making it more likely for an individual to pay up to get their data back in most cases.

 

Even if we were to argue that servers are more profitable, how do you infect a server? You infect the clients.

[mynameisjuan]

1 hour ago, Misanthrope said:

Logistically it wouldn't work: Getting away with just 10 payments of 500,000 from different corporations you extortion is far easier than getting 100,000 distinct payments of about 50 each. End result is the same amount of money but you're creating a massive pattern of payments on the second, no matter how untraceable you attempt to make it you're leaving far too many bread crumbs leading back to you.

 

 

Good luck getting a malware or breaking into even 10 corporations let alone 500,000. Unless you compromise a pc from the inside which is easy to do, you might get somewhere but most sensitive data is permission based and behind other security measures, and forget about attacking remotely. 

 

Also you are worried about breadcrums when these grandmas (this is not to pick on grandmas haha) have a pc with a basic router/firewall and if they lose money dont go to the authorities. While businesses has some sort of logging system with login addresses and if needed can go to the ISP (which I am a tier 2 tech at a ISP and is very common for us to trace a recent remote attack attempt) and get almost exactly who was the person or at least a location and time of attack. Do act like businesses can be extorted when they have plenty of backup. 

 

You are more likely to get caught attacking a business then a bunch of residential. Its easier, more profitable and easier untraced. But in the end I just wish people would stop this shit and actually work for money.

 

54 minutes ago, KuJoe said:

Even if we were to argue that servers are more profitable, how do you infect a server? You infect the clients.

You dont. Like you said, you need to compromise clients and then attempt to break in which is very hard with a proper setup.

[Misanthrope]

2 hours ago, mynameisjuan said:

Good luck getting a malware or breaking into even 10 corporations let alone 500,000. Unless you compromise a pc from the inside which is easy to do, you might get somewhere but most sensitive data is permission based and behind other security measures, and forget about attacking remotely. 

 

Also you are worried about breadcrums when these grandmas (this is not to pick on grandmas haha) have a pc with a basic router/firewall and if they lose money dont go to the authorities. While businesses has some sort of logging system with login addresses and if needed can go to the ISP (which I am a tier 2 tech at a ISP and is very common for us to trace a recent remote attack attempt) and get almost exactly who was the person or at least a location and time of attack. Do act like businesses can be extorted when they have plenty of backup. 

 

You are more likely to get caught attacking a business then a bunch of residential. Its easier, more profitable and easier untraced. But in the end I just wish people would stop this shit and actually work for money.

 

You dont. Like you said, you need to compromise clients and then attempt to break in which is very hard with a proper setup.

Again yes it is far more difficult but the rewards vastly outshine just personal users.

 

This is the difference between attempting to rob a bank vs mugging 10,000 people one by one on the street randomly.

 

Most people that need a large sum would attempt to rob a bank and yes they are far more likely to get caught robbing a bank and have high chances they won't get any money from it. But 10,000 individual muggins would positively take forever and will not be worth the effort.

 

It's called petty crime for a reason and yes in the digital world a kid might be able to get a few bucks here and there from the grandmas of the world but "career" hackers will attempt juicier targets even if substantially more difficult to pull off.

 

[dfsdfgfkjsefoiqzemnd]

10 minutes ago, Misanthrope said:

Most people that need a large sum would attempt to rob a bank and yes they are far more likely to get caught robbing a bank and have high chances they won't get any money from it.

That's because those people are doing it wrong.  Robbing a bank is real easy if you do your homework first

Step 1 : find a van with a transponder that can be altered to jam the dye packs.  Steal it and remove the transponder

Step 2 : get some geek to alter the transponder's frequency

Step 3 : Steal some hacking equipment

Step 4 : rob a military convoy to get some thermal charges

Step 5 : steal some getaway bikes and make sure you have an armored car stashed close to where you hide the bikes

Step 6 : rob the bank, run to the bikes, blow them up, grab the armored car and drive to your getaway boat.

....

Step 7 : profit

[mynameisjuan]

1 hour ago, Misanthrope said:

Again yes it is far more difficult but the rewards vastly outshine just personal users.

 

This is the difference between attempting to rob a bank vs mugging 10,000 people one by one on the street randomly.

 

Most people that need a large sum would attempt to rob a bank and yes they are far more likely to get caught robbing a bank and have high chances they won't get any money from it. But 10,000 individual muggins would positively take forever and will not be worth the effort.

 

It's called petty crime for a reason and yes in the digital world a kid might be able to get a few bucks here and there from the grandmas of the world but "career" hackers will attempt juicier targets even if substantially more difficult to pull off.

 

Comparing it to robbing people on the street is just incorrect. Its not time consuming and will not take forever because most of these hacks are automated. Its just ways to trick people into paying or by force with ransomware or anything similar. Its just deployed through the web and whoever falls victim just pays and theres the money. There in not much to do. Its not similar at all to running around robbing people one by one. 

 

Yes, hackers do try for bigger targets but the bigger the target the bigger chance you have of getting caught. Like exponentially. If you can hide your tracks well enough and try then go for it but I am positive you are just wasting your time because there is a bigger change you will get no money and ended up spending days to months executing the attack and attempting to run from the authorities and possible prison time if caught. I mean how many bank robberies actually worked vs the amount of petty crime that went uncaught?

[LAwLz]

6 hours ago, mynameisjuan said:

-snip-

Why do you assume I was talking about ransomware on file servers? That's just one type of attack on one type of server.

"Hard to access remotely", are you serious? Ever heard of websites or other things people from the outside needs to access? Also, backups doesn't matter if you are stealing information, rather than encrypting it.

[mynameisjuan]

1 hour ago, LAwLz said:

Why do you assume I was talking about ransomware on file servers? That's just one type of attack on one type of server.

"Hard to access remotely", are you serious? Ever heard of websites or other things people from the outside needs to access? Also, backups doesn't matter if you are stealing information, rather than encrypting it.

Because that is the only method of remotely viable to make a profit off. Stealing info wont get you shit for money because they wont pay you to keep it hush hush or using it maliciously knowing that you could just leak it anyway. Getting and stealing credit card data, addresses, account are still even a shot in the dark with making money on because if they are encrypted it makes it much more difficult to make use of the data. 

 

No shit servers have remote access. You act like its just a click and a login and boom, you are in. Remote access has limitation typically limited to LAN only and with almost NEVER have an outside connect remotely without VPN access. If a server has remote access from a public IP then they need to rethink their security or hire new IT because its basic security and in some cases its the law. Remotely access from the outside is next to impossible without big security holes.

 

Websites being compromised is another thing. I cant defend that because its usually an exploit in the hosting software that is taken advantage of. But, sensitive data should not be on the same web server. 

 

Like I said, stealing info doesnt net you much money at all. Breaches and leaks happen all the time but its not like they are using this data but there is almost no profit other than a few hundred bucks here and there on the dark web for people willing to buy this breached data.

 

This whole argument started about windows vs linux being a better target for malicious use because residential vs server. In the end targeting a server will not pay out at all. 

[LAwLz]

1 hour ago, mynameisjuan said:

Because that is the only method of remotely viable to make a profit off. Stealing info wont get you shit for money because they wont pay you to keep it hush hush or using it maliciously knowing that you could just leak it anyway. Getting and stealing credit card data, addresses, account are still even a shot in the dark with making money on because if they are encrypted it makes it much more difficult to make use of the data. 

Far from everyone attacks for the sole purpose of getting money.

 

1 hour ago, mynameisjuan said:

No shit servers have remote access. You act like its just a click and a login and boom, you are in. Remote access has limitation typically limited to LAN only and with almost NEVER have an outside connect remotely without VPN access. If a server has remote access from a public IP then they need to rethink their security or hire new IT because its basic security and in some cases its the law. Remotely access from the outside is next to impossible without big security holes.

Do you seriously think that I am talking about remote desktop or something like that? I'm talking about exploits, not someone using RDP/VNC/whatever and guessing a password.

 

1 hour ago, mynameisjuan said:

Like I said, stealing info doesnt net you much money at all. Breaches and leaks happen all the time but its not like they are using this data but there is almost no profit other than a few hundred bucks here and there on the dark web for people willing to buy this breached data.

2 hours ago, mynameisjuan said:

In the end targeting a server will not pay out at all. 

Again, not all attacks are made for the sole purpose of getting paid.

Want some other examples of why attacks might be made?

1) Political power. Compromising the system that controls votes would give you a lot of power.

2) Activism. Some people want to just watch companies die. Not because the activists wants to make money but because they think the company/organization they are attacking are evil and the world would be better without them.

3) Curiosity. A lot of people try and find exploits (and use them) just for fun.

4) Obtaining secrets. For example getting inside information about a competing company is very valuable without needing to resort to extortion. Another example would be for military purposes (see: NSA).

 

There are probably more reasons but those are the ones I can think of right now.

 

For those purposes I listed (maybe not number 1), attacking the servers is a lot better than attacking clients.

[spartaman64]

So its better for microsoft to let a bunch of people get malware putting them in danger 

[samiscool51]

the world's most used os....

dropped support for it in 2014

still a concern for microsoft to this day...

now thats dedication to an old piece of software, still gets updates!

[waterjug]

On 6/14/2017 at 10:19 AM, hey_yo_ said:

Actually it's less than 6% at the moment. I'd be happy if Microsoft just let XP die because it's not even the world's most used desktop OS at the moment. 

https://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0 

 

Microsoft doesn't have to because XP is less than 6% of desktop OS worldwide. Just because you see a lot doesn't mean it applies to everyone. If PCs all over the world gets infected by a stronger ransomware variant, XP is just a small dent. 

it still is the 3rd most used os...

[ARikozuM]

53 minutes ago, wii8cookies said:

it still is the 3rd most used os...

3rd? 

[Dabombinable]

2 hours ago, ARikozuM said:

3rd? 

Technically, Windows 10 is just a second large service pack for Windows 8.

[mr moose]

3 hours ago, Dabombinable said:

Technically, Windows 10 is just a second large service pack for Windows 8.

And 7 is just a better optimised release of vista. 

 

TIL, we are all still using xp through a variation of major service packs and optimizations.