Defence finally ditches XP for Windows 10

Discussion in 'other software & services' started by guest, Feb 22, 2019.

  1. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Moving right along (back on topic) -- I get my medical care from a hospital/clinic which is part of a huge HMO (Health Maintenance Organization) that has facilities in several major cities spread throughout the mid-western & far-western states of the United States. I was amazed to find that their record system was still running under Windows XP Pro. I spoke to their IT in the Hawaii location (of course, their "Chief" IT is with their main offices on the Mainland USA).

    The local IT said the Chief IT won't upgrade from XP because he feels it's an unnecessary cost. The guy has been challenged by other ITs within the HMO, because of security implications, but to no avail because (a) the HMO's system has never been compromised (yet), and (b) the HMO's money managers are quite happy to NOT spend the $$$ that would be necessitated by an upgrade from XP.

    I would guess the HMO has at least a few thousand "seats" using their XP-based system. I wonder how much (approximately) it would cost them to upgrade XP to Win10 (software cost, systemic changes, training of personnel, slowed productivity during the change-over phase, etc)?

    As to their system never having been compromised, I wonder if their ITs are really smart or if they are, instead, really lucky. Hmmmm....
     
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    This:
    :D
     
  3. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Hmmm... Are you implying that there are absolutely NO possible safeguards that a skilled group of ITs could install in order to render an XP-based system relatively immune to major-breaches-VIA-electronic-means, apart from compromise by hands-on access or compromised passwords?
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    I'm implying they're lucky, really lucky as you well said. That's it.
     
  5. guest

    guest Guest

    No they can't. Too many vulnerabilities. And some already discovered won't even be patched.
    Using outdated OSes is a crime, but it seems for many, spending money to secure more valuable data is the crime... Ignorant... those guys restricting their IT for cost-saving purposes should be fired.
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    @Sampei Nihira

    you without doubt have the smarts and skills necessary to run XP or any O/S air-tight, secured against any of the threats out there these days. In the hands of most, it's dangerous to run it, but in your hands, you've nothing to worry about :thumb: I've read enough of your posts over the years to know this.
     
  7. guest

    guest Guest

    He won't do much against an obfuscated kernel exploit delivered via network or a hacked legitimate "supposed-to-be-safe" installer...
     
  8. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I believe you. So does my IT friend at the HMO's local hospital/clinic.

    But here's a conundrum: one of America's biggest financial institutions had its Win10-based system breached several days ago, and it was reported that millions of customer records were compromised. Millions! And it was Win10, not XP. Isn't it a fact that NO OS is completely bullet-proof? Also, I wonder if hackers aren't concentrating more on Win10-based systems? (In other words, isn't obscurity a security app, of sorts?)

    There never was a horse that couldn't be rode.
    There never was a rider that couldn't be throwed.

    Windows 95 forever!!! :rolleyes:
     
  9. guest

    guest Guest

    Installing an OS isn't enough; if the admin is a noob or lax in security, he will eventually get owned.

    You use an updated modern OS because it is immune to known vulnerabilities, unlike the previous ones; then the admin has to deploy proper policies and restrictions. No software, and more importantly no OS, should be left at default settings.

    Sadly many admins I have met are no better in security than a newcomer on Wilders.
    When I asked an admin using Win10ent how he blocks LOLBins, his answer was "lol what?"
     
  10. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    If the exploit can't even gain a foothold because of secure policies in place, then does it really matter how weak the O/S is? Isn't the attached at least somewhat representative of the early stages of an exploit in action? Sorry, I'm no expert, not even close, at this subject matter, but I want to ask. BTW, I actually had to first add to OSArmor's exclusion list (free software) before my SRP policy could leap into action and stop it.

    sample.png
     
  11. guest

    guest Guest

    @wat0114 you are blocking some LOLBins, good; sadly for us, not all exploits/malware need to use those on your systems, some will embed their own interpreter and run it in memory, which most security software, except pure anti-exploit, will not protect against.

    OSA is a good post-exploitation tool but won't protect against said exploits.
     
    Last edited by a moderator: Aug 19, 2019
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    In my example, SRP didn't even block the LOLBin (wscript.exe), but it did block the script, although I guess OSArmor blocks it. I just tried to manually simulate someone clicking on a malicious download, or even landing on a drive-by web site. What doesn't seem to get discussed in these forums is how to simply stop the exploit from even triggering in the first place. All discussion is about how damaging the exploits are after they're triggered. However, they don't just materialize out of thin air. There is an entranceway to the potentially targeted device before it can trigger and render damage. Stop it in its tracks at the entrance and there should be no problems. At least that's the way I see it. If it can't execute, it can't infect. The last statement is old school; I realize exploits - some at least - are more complex than ever.
     
  13. guest

    guest Guest

    It should, and your SRP as well if you configured it properly.

    That's only one of the attack vectors, surely the most used.

    Pure anti-exploits: MBAE, HMPA, Win10 built-in Exploit Guard or those built into some security suites (considering a kernel exploit didn't run).

    Network, email attachments, weaponized legit installers (like the CCleaner issue), malicious pages, etc...
    Remember the WannaCry attack: its infamous kernel exploit (EternalBlue) spread to the entire network via the SMB protocol; no security software could stop it from injecting its code into lsass.exe (because it's a kernel exploit). Only an OS patch fixed the vulnerability.

    True fileless malware and other in-memory-only malware don't need to be located and written on the disk to compromise your system, so how can software that only monitors stuff on the disk stop it?
    Luckily, they aren't and won't be especially crafted to target home users; home users are often collateral damage.
     
  14. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,920
    you are ms thompson and you did it?
    your answer is totally wrong
    https://www.nytimes.com/2019/07/29/business/capital-one-data-breach-hacked.html
    "she" hacked aws, not C1. so amazon is to blame.

    about CTF where someone claims he is secure:
    to repeat - you can lock down functions or calls but this won't fix any vulnerability. and if it is needed there are more ways to rome.
    using old firefox means using an exploitable build. the fix came very late with v68.0.x / 60.x esr and was not reversed for other builds. and it's not possible to fix this flaw for pre-v57 versions because those are not compatible with the current javascript engine. this includes any palemoon or basilisk and other clones. the bugzilla ticket is not accessible because it's currently ITW - it is already in use and there is nothing one can do or prevent (or lock down - lol)
     
  15. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    How do they know that they've never been compromised?
     
  17. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,920
    palemoon had no fixes since 2018? lol
    sounds logical because development for the old firefox stopped in 2018; any current changes for quantum have to be ported back.

    anyhow palemoon is based on firefox - so if a fix was built for firefox it might be usable for palemoon. so i assume the # are additional flaws in palemoon if you don't have evidence otherwise. ok?
     
  18. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
  19. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    @Brummelchen -- in your post #89 you wrote in part: "you are ms thompson and you did it? your answer is totally wrong"

    No offense, but to whom are you addressing these 2 statements, and which "wrong answer" are you referring to?
     
  20. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Fileless malware: lock down PowerShell and WMI
    SMB: use a firewall or disable SMB file sharing ports
    Email attachments or links: don't fall for them
    File downloads: don't download infected ones

    All that matters to me is ensuring I don't let the exploit gain even a slight foothold. I don't advocate using outdated O/Ss, only that in skilled hands like Sampei's they can probably be thoroughly secured. Obviously in his case, it is. I'm willing to bet @guest , @Brummelchen , and @bellgamin , if challenged, could also run XP securely. Others in this forum as well, but you guys posted so I mention you.
     
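    The list above (and the wscript.exe example earlier in the thread) can be checked on a Windows 10 box. The following read-only audit script is an added example, not from this thread or from any of the posters; it assumes the standard Windows firewall display-group names and registry paths, and is run from PowerShell 5.1 or later.

```powershell
# Added audit example: reports whether the controls discussed above are in place.
# Read-only: it changes nothing. Assumes the default Windows firewall display groups
# and policy registry paths; run as an administrator for complete results.

function Test-HardeningItem {
    param([string]$Name, [bool]$Ok, [string]$Detail)
    [pscustomobject]@{ Control = $Name; Status = if ($Ok) { 'OK' } else { 'REVIEW' }; Detail = $Detail }
}

function Get-EnabledAllowRules([string]$Group) {
    # Enabled inbound allow rules in a display group are what exposes a service to the network.
    $rules = Get-NetFirewallRule -DisplayGroup $Group -Direction Inbound -ErrorAction SilentlyContinue
    return @($rules | Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' })
}

$results = @()

# 1. PowerShell: Constrained Language Mode limits what a dropped script can reach,
#    and script block logging (event 4104) records what actually ran.
$mode = $ExecutionContext.SessionState.LanguageMode
$results += Test-HardeningItem 'PowerShell language mode' ($mode -eq 'ConstrainedLanguage') "LanguageMode = $mode"

$sbl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
    -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
$results += Test-HardeningItem 'PowerShell script block logging' ($sbl.EnableScriptBlockLogging -eq 1) `
    "EnableScriptBlockLogging = $($sbl.EnableScriptBlockLogging)"

# 2. WMI: remote WMI calls come in through their own inbound rule group.
$wmiOpen = Get-EnabledAllowRules 'Windows Management Instrumentation (WMI)'
$results += Test-HardeningItem 'Inbound WMI firewall rules' ($wmiOpen.Count -eq 0) "$($wmiOpen.Count) enabled allow rule(s)"

# 3. SMB: the WannaCry/EternalBlue path was SMBv1 over TCP 445.
$smb = Get-SmbServerConfiguration
$results += Test-HardeningItem 'SMBv1 server disabled' (-not $smb.EnableSMB1Protocol) "EnableSMB1Protocol = $($smb.EnableSMB1Protocol)"
$fsOpen = Get-EnabledAllowRules 'File and Printer Sharing'
$results += Test-HardeningItem 'Inbound file-sharing (SMB) rules' ($fsOpen.Count -eq 0) "$($fsOpen.Count) enabled allow rule(s)"

# 4. Windows Script Host: the wscript.exe case from earlier in the thread.
#    Enabled = 0 under this key turns WSH off machine-wide; absent means it is on.
$wsh = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' -Name Enabled -ErrorAction SilentlyContinue
$results += Test-HardeningItem 'Windows Script Host disabled' ($wsh.Enabled -eq 0) "Enabled = $($wsh.Enabled)"

$results | Format-Table -AutoSize
```

    Anything marked REVIEW is a control the post above calls for that is not currently enforced on that machine.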
  21. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    i'd still be using xp if it were supported by vendors. but you cannot run any reliable sw on it anymore. it's deprecated, that's all there's to it.
     
  22. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Thanks for the mention but I'm not even close to being as knowledgeable as guest & Brummelchen when it comes to computers in general, and security in particular.

    My main security "trick" is that I image my hard drive (HD) every day or 2 to an external HD, & I retain images (FIFO) for several months. I also have 1 "immortal image" that I made when my computer was brand new and virginal.

    The Imager is the backbone of my security, together with OSA, MBAE, & a somewhat outdated HIPS. I run Win7, by the way, & plan to replace it when Win 11 comes along (or not).
     
  23. login123

    login123 Registered Member

    Joined:
    Jul 12, 2007
    Posts:
    186
    I've been trying to figure how to write this without heating up the conversation. Not sure, but here it is.
    Which OS is safe?
    Seems like most criticisms of win xp also apply to all the windows OSs.
     
  24. login123

    login123 Registered Member

    Joined:
    Jul 12, 2007
    Posts:
    186
    I have an additional main trick: virtualize the OS immediately after the AV software is updated. At least twice something restarted this computer, but it was gone after the restart. Once was a kid trying to demonstrate one of those logmein type softwares, another was a perfectly harmless looking link to an article. Can't know what would have happened if the OS had not been virtualized, but nothing bad did happen.
    I'm surely not in the "knowledgeable" category, but I cobbled this setup together starting with XP SP2 and it has not failed yet.
     
  25. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    Not even close, Windows 10 is actively maintained with security patches and its architecture is vastly superior to the obsolete Windows XP.

    Windows 10 has kernel patch protection (PatchGuard), system-wide mandatory ASLR, secure boot support with UEFI, Windows Defender Exploit Guard mitigations, a much better firewall, a native decent modern antivirus solution, Microsoft Edge security (it will soon have Chromium technology), Device Guard, system-wide reputation file check (SmartScreen), Registry Virtualization, User Account Control (not a security boundary), the USB worm nightmare fixed, Windows Sandbox, hugely superior identity management, innumerable deprecated vulnerable resources, Integrity levels (used by the Chromium Sandbox for example) and much much more.

    Anyway Windows XP is a relic, you can't even run a decent SSD in it (no TRIM) and there is no support for modern powerful CPUs (gotta love the new Ryzen 3000 series).
     