Appalling Negligence: Decade-Old Windows XPe Holes Led to Home Depot Hack

Discussion in 'other software & services' started by Mayahana, Sep 24, 2014.

  1. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
  2. SirDrexl

    SirDrexl Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    545
    Location:
    USA
    "More saving. More doing." How about a little less saving on security?
     
  3. allizomeniz

    allizomeniz Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    903
    According to the article, Windows Xpe is supported until 2016. Granted, it would probably be safer for retailers to upgrade to a Windows 7 based system, but If MS is supposed to be supporting XPe they have to take a lot of the responsibility. If the vulnerability has been known for a decade, what does that say for MS's so-called security patches?
     
  4. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,029
    Location:
    Lloegyr
    That's a good question. I think MS isn't being totally honest about a lot of security issues.
     
  5. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    Is there any way to get a list of retailers who still run XPe?
     
  6. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    This applies to every MS OS, not just XP. And these days even more-so to the OS's of mobile devices it seems. It's like they don't even care about those customers.

    Also, without reading that article (admittedly), I'd be willing to bet that said vulnerabilities could have been thwarted with some host hardening and good old fashioned end user know how, along with perhaps the right 3'rd party support, without even needing patches. Most of the time it's as simple as not using Java, IE, or allowing 3'rd party scripts. That and disabling known/highly vulnerable services like Remote Registry can prevent most would-be vulnerabilities dead in their tracks without having to resort to waiting around on MS to patch their own F up's (if they ever do).

    The MOST "appalling negligence" I witness personally is on the side of the end user, and not the OS/software manufacturers. That's not to dismiss the responsibility on their end, I'm just saying they are often blamed for people's own stupidity/lack of knowledge/laziness. If they could be bothered to spend a fraction of the time learning their way around a computer that they spend surfing porn or downloading apps onto their I-devices, they wouldn't have these problems. But everybody loves to pass the buck in this country, not only due to their inflated egos/stubbornness, and unwillingness to admit fault, but also so that they can sue somebody and get a free lunch out of it.
     
    Last edited: Sep 28, 2014
  7. ChristineBCW

    ChristineBCW Registered Member

    Joined:
    Sep 27, 2014
    Posts:
    38
    Oh jeez... don't tell me you'd suggest they do a GOOD job, too, eh?!!
    :thumb::thumb:
     
  8. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    Using a (still) supported OS doesn't seem like negligence to me... However, as luciddream said, there are probably other security mistakes they made that allowed the hackers access to their network.
     
  9. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    The problem here is malware use RAM scraping technique. Windows XP and its variants has weak memory protection (no ASLR for instance) therefore it is easy for compromised code to access the memory used by the POS software.

    Although Windows XPe may be supported until 2016, Microsoft has limited capabilities to fix the underlying problem. After all, it is an XP design issue. No amount of updates MS issue can adequately attempt to "fix" such a problem. This is the reason why not just MS but the security community that understand the issue recommends upgrading the OS as the successors are better equipped with technologies to thwart such attacks (imperfect but still better than none).

    The thing is the ones running the show at companies like Home Depot and Target are not security professionals. It is not within their field of knowledge to understand the impact. They are good at what they do - that is to optimize business profit. If the visible costs seem lower when the company chooses not to upgrade (at least while it's still "supported"), it is only natural that seems to be the sensible decision to make.

    It's 2 opposite forces working against each other. The end result is a compromise where the customers are the ones that get hurt. There's no easy way out of the situation unless the CIO decides to fork out the cash or MS decides to provide free upgrade. Even if that were to happen, there are things like compatibility issues that need to be considered.
     
  10. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    This. This is so absolutely true.

    From what I've seen, management typically wants to "maximize value" at all times. It is a continuous struggle for higher ranking IT staff to convince management that some things should be done because they are useful in the long run, provide intangible benefits, or are just morally obligatory.

    (And it's very rare for people to even mention the latter. Last time I mentioned ethics in an office setting, it drew gasps.)

    tl;dr the security situation can be summed up in one word: Dilbert.
     
Loading...